From 293bf9e5bfa1137dbf5b7c8ef18f104f89e686f3 Mon Sep 17 00:00:00 2001
From: OpenIddict Bot <32257313+openiddict-bot@users.noreply.github.com>
Date: Wed, 13 Jan 2021 04:15:13 +0000
Subject: [PATCH] Update the documentation pages

---
configuration/application-permissions.html | 127 ++++++++++++++++-----
manifest.json | 2 +-
2 files changed, 98 insertions(+), 31 deletions(-)

diff --git a/configuration/application-permissions.html b/configuration/application-permissions.html
index 36f4f32..7058639 100644
--- a/configuration/application-permissions.html
+++ b/configuration/application-permissions.html
@@ -68,21 +68,15 @@

Application permissions

-

Starting with RC2, OpenIddict includes a built-in feature codenamed "application permissions" that -allows controlling and limiting the OAuth2/OpenID Connect features a client application is able to use.

-

3 categories of permissions are currently supported:

+

OpenIddict includes a built-in feature codenamed "application permissions" that +allows controlling and limiting the OAuth 2.0/OpenID Connect features each registered client application is able to use.

+

4 categories of permissions are currently supported:

-
Warning

Note: prior to OpenIddict RC3, application permissions were mostly optional and OpenIddict had a fallback mechanism -called "implicit permissions" it used to determine whether an application could perform the requested action.

-

If no permission was explicitly attached to the application, it was considered fully trusted and was granted all the permissions. -Similarly, if you granted the "token endpoint" permission to an application but NO "grant type" permission, -it was assumed the client application was allowed to use the password or client credentials grants.

-

Retrospectively, this logic was too complex and was removed in RC3: application permissions MUST now be explicitly granted.

-

Endpoint permissions

Definition

Endpoint permissions limit the endpoints a client application can use.

@@ -96,23 +90,23 @@ it was assumed the client application was allowed to use the password or client -Authorization endpoint +Authorization OpenIddictConstants.Permissions.Endpoints.Authorization -Introspection endpoint +Introspection OpenIddictConstants.Permissions.Endpoints.Introspection -Logout/end session endpoint +Logout/end session OpenIddictConstants.Permissions.Endpoints.Logout -Revocation endpoint +Revocation OpenIddictConstants.Permissions.Endpoints.Revocation -Token endpoint +Token OpenIddictConstants.Permissions.Endpoints.Token
@@ -120,7 +114,7 @@ it was assumed the client application was allowed to use the password or client

Example

In the following example, the mvc application is allowed to use the authorization, logout and token endpoints but will get an error when trying to send an introspection or revocation request:

-
if (await manager.FindByClientIdAsync("mvc") == null)
+
if (await manager.FindByClientIdAsync("mvc") is null)
 {
     await manager.CreateAsync(new OpenIddictApplicationDescriptor
     {
@@ -146,7 +140,7 @@ token endpoints but will get an error when trying to send an introspection or re
     });
 

Grant type permissions

Definition

-

Grant type permissions limit the flows a client application is allowed to use.

+

Grant type permissions limit the grant types a client application is allowed to use.

Supported permissions

@@ -157,33 +151,33 @@ token endpoints but will get an error when trying to send an introspection or re - + - + - + - + - +
Authorization code flowAuthorization code OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode
Client credentials flowClient credentials OpenIddictConstants.Permissions.GrantTypes.ClientCredentials
Implicit flowImplicit OpenIddictConstants.Permissions.GrantTypes.Implicit
Password flowPassword OpenIddictConstants.Permissions.GrantTypes.Password
Refresh token flowRefresh token OpenIddictConstants.Permissions.GrantTypes.RefreshToken
-

To add a custom flow permission, you can use the following pattern:

+

To add a custom grant type permission, you can use the following pattern:

OpenIddictConstants.Permissions.Prefixes.GrantType + "custom_flow_name"
 

Example

-

In the following example, the postman application can only use the authorization code flow -while console is restricted to the password and refresh_token flows:

-
if (await manager.FindByClientIdAsync("postman") == null)
+

In the following example, the postman application can only use the authorization code grant +while console is restricted to the password and refresh_token grants:

+
if (await manager.FindByClientIdAsync("postman") is null)
 {
     await manager.CreateAsync(new OpenIddictApplicationDescriptor
     {
@@ -200,7 +194,7 @@ while console is restricted to the password and 
     });
 }
 
-if (await manager.FindByClientIdAsync("console") == null)
+if (await manager.FindByClientIdAsync("console") is null)
 {
     await manager.CreateAsync(new OpenIddictApplicationDescriptor
     {
@@ -263,7 +257,7 @@ if (await manager.FindByClientIdAsync("console") == null)
 

Example

In the following sample, the angular client is allowed to request the address, profile and marketing_api scopes: any other scope will result in an error being returned.

-
if (await manager.FindByClientIdAsync("angular") == null)
+
if (await manager.FindByClientIdAsync("angular") is null)
 {
     await manager.CreateAsync(new OpenIddictApplicationDescriptor
     {
@@ -288,6 +282,79 @@ if (await manager.FindByClientIdAsync("console") == null)
     {
         options.IgnoreScopePermissions();
     });
+

Response type permissions (introduced in OpenIddict 3.0)

+

Definition

+

Response type permissions limit the response types a client application is allowed to use when implementing an interactive flow like code, implicit or hybrid.

+

Supported permissions

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Response typeConstant
codeOpenIddictConstants.Permissions.ResponseTypes.Code
code id_tokenOpenIddictConstants.Permissions.ResponseTypes.CodeIdToken
code id_token tokenOpenIddictConstants.Permissions.ResponseTypes.CodeIdTokenToken
code tokenOpenIddictConstants.Permissions.ResponseTypes.CodeToken
id_tokenOpenIddictConstants.Permissions.ResponseTypes.IdToken
id_token tokenOpenIddictConstants.Permissions.ResponseTypes.IdTokenToken
noneOpenIddictConstants.Permissions.ResponseTypes.None
tokenOpenIddictConstants.Permissions.ResponseTypes.Token
+

Example

+

In the following example, the postman application can only use the code id_token response type:

+
if (await manager.FindByClientIdAsync("postman") is null)
+{
+    await manager.CreateAsync(new OpenIddictApplicationDescriptor
+    {
+        ClientId = "postman",
+        DisplayName = "Postman",
+        RedirectUris = { new Uri("https://www.getpostman.com/oauth2/callback") },
+        Permissions =
+        {
+            OpenIddictConstants.Permissions.Endpoints.Authorization,
+            OpenIddictConstants.Permissions.Endpoints.Token,
+
+            OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode,
+
+            OpenIddictConstants.Permissions.ResponseTypes.CodeIdToken
+        }
+    });
+}
+

Disabling response type permissions

+

If you don't want to use response type permissions, call options.IgnoreResponseTypePermissions() to ignore them:

+
services.AddOpenIddict()
+    .AddServer(options =>
+    {
+        options.IgnoreResponseTypePermissions();
+    });
 
diff --git a/manifest.json b/manifest.json
index 6891da1..5fc93b6 100644
--- a/manifest.json
+++ b/manifest.json
@@ -21,7 +21,7 @@ "output": { ".html": { "relative_path": "configuration/application-permissions.html",
- "hash": "0jbu1DB7pHLv6DBPTUB39g=="
+ "hash": "tXsJ6tTvLKNbcuYucWXqxQ==" } }, "is_incremental": false,