EnableStatusCodePagesIntegration.

Author: maliming

docs/en/Modules/OpenIddict.md

@@ -12,6 +12,14 @@ This module implements the domain logic and database integrations, but not provi
 
 This module is based on the [Identity Module](Identity.md) and have an [integration package](https://www.nuget.org/packages/Volo.Abp.Account.Web.IdentityServer) with the [Account Module](Account.md).
 
+## OpenIddict documentation
+
+For more details about OpenIddict, please refer to its official documentation and Github.
+
+https://documentation.openiddict.com
+
+https://github.com/openiddict/openiddict-core#resources
+
 ## The module
 
 ### Demo projects
@@ -65,6 +73,11 @@ IOpenIddictTokenRepository
 We enabled most of OpenIddict's features in the `AddOpenIddict` method, You can change OpenIddict's related builder options via `PreConfigure`.
 
 ```cs
+PreConfigure<OpenIddictBuilder>(builder =>
+{
+    //builder
+});
+
 PreConfigure<OpenIddictCoreBuilder>(builder =>
 {
     //builder
@@ -154,7 +167,14 @@ Implements the above four repository interfaces.
 Implements the above four repository interfaces.
 
 
-### Principle of OpenIddict
+## OpenIddict
+
+
+### PKCE
+
+https://documentation.openiddict.com/configuration/proof-key-for-code-exchange.html
+
+### Request/Response process
 
 I will briefly introduce the principle of OpenIddict so that everyone can quickly understand it.
 
@@ -166,14 +186,16 @@ It will be executed first in `AuthenticationMiddleware` and can short-circuit th
 
 Example a token request: 
 
-```cs
-POST /connect/token
-    grant_type:password
-    client_id:AbpApp
-    client_secret:1q2w3e*
-    username:admin
-    password:1q2w3E*
-    scope:AbpAPI offline_access 
+```
+POST /connect/token HTTP/1.1
+Content-Type: application/x-www-form-urlencoded
+
+    grant_type=password&
+    client_id=AbpApp&
+    client_secret=1q2w3e*&
+    username=admin&
+    password=1q2w3E*&
+    scope=AbpAPI offline_access
 ```
 
 This request will be processed by various handlers. They will confirm the endpoint type of the request, check `http/https`, verify that the request parameters (`client. scope etc`) are valid and exist in the database, etc. Various protocol checks. And build a `OpenIddictRequest` object, If there are any errors, the response content may be set and directly short-circuit the current request.
@@ -190,8 +212,7 @@ If you need to customize OpenIddict, you need to replace/delete/add new handlers
 
 Please refer to:
 https://documentation.openiddict.com/guides/index.html#events-model
-https://kevinchalet.com/2018/07/02/implementing-advanced-scenarios-using-the-new-openiddict-rc3-events-model/
 
 ## Sponsor
 
-Please consider sponsoring this project if OpenIddict helped you: https://github.com/sponsors/kevinchalet
+Please consider sponsoring this project: https://github.com/sponsors/kevinchalet

modules/openiddict/app/OpenIddict.Demo.Client.Mvc/Pages/Index.cshtml

@@ -1,4 +1,5 @@
 @page
+@using Microsoft.AspNetCore.Authentication
 @model IndexModel
 @{
     ViewData["Title"] = "Home page";
@@ -7,17 +8,22 @@
 <div class="text-center">
     <h1 class="display-4">Welcome</h1>
     <p>Learn about <a href="https://docs.microsoft.com/aspnet/core">building Web apps with ASP.NET Core</a>.</p>
-    
+
     <a class="btn btn-primary" href="/Login">Login</a>
     <a class="btn btn-warning" href="/Logout">Loout</a>
-    
+
     @if (HttpContext.User.Identity != null && HttpContext.User.Identity.IsAuthenticated)
     {
         <ul class="list-group mt-3 text-start">
-        @foreach (var claim in HttpContext.User.Claims)   
-        {
-           <li class="list-group-item">@claim.Type : @claim.Value</li>
-        }
+            @foreach (var claim in HttpContext.User.Claims)
+            {
+                <li class="list-group-item">@claim.Type : @claim.Value</li>
+            }
         </ul>
+
+        <p>HttpContext.GetTokenAsync("access_token")
+            <br/>
+            @await HttpContext.GetTokenAsync("access_token")
+        </p>
     }
 </div>

modules/openiddict/app/OpenIddict.Demo.Client.Mvc/Program.cs

@@ -27,7 +27,9 @@
         options.GetClaimsFromUserInfoEndpoint = true;
         options.SaveTokens = true;
 
-        options.ResponseType = OidcConstants.ResponseTypes.CodeIdToken;
+        options.UsePkce = true;
+
+        options.ResponseType = OidcConstants.ResponseTypes.Code;
 
         options.SignOutScheme = "Cookies";
 

modules/openiddict/app/OpenIddict.Demo.Server/EntityFrameworkCore/ServerDataSeedContributor.cs

@@ -91,7 +91,6 @@ await _applicationManager.CreateAsync(new OpenIddictApplicationDescriptor
                     OpenIddictConstants.Permissions.Scopes.Email,
                     OpenIddictConstants.Permissions.Scopes.Address,
                     OpenIddictConstants.Permissions.Scopes.Phone,
-
                     OpenIddictConstants.Permissions.Prefixes.Scope + "AbpAPI"
                 }
             });

modules/openiddict/app/OpenIddict.Demo.Server/Program.cs

@@ -1,4 +1,5 @@
 using OpenIddict.Demo.Server;
+using Volo.Abp.AspNetCore.Mvc.UI.Theme.Shared;
 using Volo.Abp.Localization;
 using Volo.Abp.OpenIddict.Jwt;
 
@@ -41,12 +42,17 @@
 var app = builder.Build();
 await app.InitializeApplicationAsync();
 
+if (app.Environment.IsDevelopment())
+{
+    app.UseDeveloperExceptionPage();
+}
+
 app.UseAbpRequestLocalization();
 
 // Configure the HTTP request pipeline.
 if (!app.Environment.IsDevelopment())
 {
-    app.UseExceptionHandler("/Error");
+    app.UseErrorPage();
     // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
     app.UseHsts();
 }

modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/AbpOpenIddictAspNetCoreModule.cs

@@ -25,7 +25,8 @@ public override void PreConfigureServices(ServiceConfigurationContext context)
                 .EnableTokenEndpointPassthrough()
                 .EnableUserinfoEndpointPassthrough()
                 .EnableLogoutEndpointPassthrough()
-                .EnableVerificationEndpointPassthrough();
+                .EnableVerificationEndpointPassthrough()
+                .EnableStatusCodePagesIntegration();
         });
     }
 

modules/openiddict/src/Volo.Abp.OpenIddict.Domain/Volo/Abp/OpenIddict/AbpOpenIddictDomainModule.cs

@@ -54,7 +54,7 @@ private static void AddOpenIddict(IServiceCollection services)
             })
             .AddServer(builder =>
             {
-                // Can be enable by Configure OpenIddictServerOptions.DisableAccessTokenEncryption = false
+                // Access token encryption can only be disabled when using JWT tokens.
                 builder.DisableAccessTokenEncryption();
 
                 builder
@@ -84,20 +84,23 @@ private static void AddOpenIddict(IServiceCollection services)
 
                 builder.RegisterScopes(new[]
                 {
-                    OpenIddictConstants.Scopes.OpenId, OpenIddictConstants.Scopes.Email,
-                    OpenIddictConstants.Scopes.Profile, OpenIddictConstants.Scopes.Phone,
-                    OpenIddictConstants.Scopes.Roles, OpenIddictConstants.Scopes.Address,
+                    OpenIddictConstants.Scopes.OpenId,
+                    OpenIddictConstants.Scopes.Email,
+                    OpenIddictConstants.Scopes.Profile,
+                    OpenIddictConstants.Scopes.Phone,
+                    OpenIddictConstants.Scopes.Roles,
+                    OpenIddictConstants.Scopes.Address,
                     OpenIddictConstants.Scopes.OfflineAccess
                 });
 
                 if (builderOptions.AddDevelopmentEncryptionAndSigningCertificate)
                 {
-                    builder.AddDevelopmentEncryptionCertificate()
+                    builder
+                        .AddDevelopmentEncryptionCertificate()
                         .AddDevelopmentSigningCertificate();
                 }
 
                 services.ExecutePreConfiguredActions(builder);
-
             });
 
         services.Configure<OpenIddictCoreOptions>(options =>