Add OpenIddict module.

[maliming]

https://github.com/abpframework/abp/blob/dev/docs/en/Modules/OpenIddict.md

I can merge these commits into one to beautify the commit.

[codecov]

Codecov Report

❗ No coverage uploaded for pull request base (rel-6.0@793b071). Click here to learn what that means.
The diff coverage is 100.00%.

❗ Current head c7bf5a4 differs from pull request most recent head 407d5db. Consider uploading reports for the commit 407d5db to get more accurate results

@@            Coverage Diff             @@
##             rel-6.0   #12084   +/-   ##
==========================================
  Coverage           ?   48.13%           
==========================================
  Files              ?     3147           
  Lines              ?    94563           
  Branches           ?        0           
==========================================
  Hits               ?    45521           
  Misses             ?    49042           
  Partials           ?        0           

Impacted Files	Coverage Δ
...omain/Volo/Abp/Identity/AbpIdentityDomainModule.cs	100.00% <100.00%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 793b071...407d5db. Read the comment docs.

[maliming]

DisableAccessTokenEncryption has been removed, I updated the documentation to explain it.

https://github.com/abpframework/abp/blob/Module-OpenIddict/docs/en/Modules/OpenIddict.md#token-encryption

[kevinchalet]

👋🏻

@hikalkan sent me the link to this PR so I took a (very) brief look 😄

Three things worth noting:

• For token validation, the OpenIddict validation handler is the recommended option, as it uses a more recent JWT stack and comes with additional security checks that are not implemented by the MSFT JWT bearer handler (e.g token type validation, to ensure identity tokens are not treated as valid access tokens).

• I see you're trying to localize error messages eventually returned by OpenIddict: I did that in OpenIddict 3.0 beta4 (we even supported Turkish!) and it didn't end well for the reasons explained in this post: https://kevinchalet.com/2020/11/17/introducing-openiddict-3-0-s-first-release-candidate-version/

• In OpenIddictSupportedLoginModel.cs, you use a dangerous approach that consists in faking an "OpenIddict request" and injecting it in the OpenIddict context to force it to consider the HTTP request as an authorization request. It's not 100% clear to me what this class does but I suspect it's basically a login page that needs to be aware of certain OIDC parameters initially sent as part of the authorization request. If so, you may want to consider a different approach: in your authorization controller, when calling Challenge("scheme of your cookie handler"), add the parameters you need to flow from the authorization endpoint to the login page to AuthenticationProperties and customize the RedirectToLogin event to add them to the query string: https://github.com/dotnet/aspnetcore/blob/main/src/Security/Authentication/Cookies/src/CookieAuthenticationHandler.cs#L474. Then, you'll be able to extract them without even using any OpenIddict type in your login stuff.

Cheers.

[kevinchalet]

In your most recent commit, I see you implemented wildcard support for (post_logout_)redirect_uris. As it goes against the OIDC specification - that requires using simple string comparisons - you need to be extremely careful when implementing that. I see two potential issues:

• I don't see context.Reject() ever called in your handlers so I don't think invalid redirect_uris will be blocked (I suspect your handlers will basically no-op).
• When using wildcard support, it seems a single domain is considered valid for all clients.

It's important to get this part right as these two issues can basically ruin the entire security of your authorization server, as it allows stealing authorization codes/access tokens by redirecting the user agent to an untrusted domain (or to the trusted redirect_uri of a different client).

[maliming]

Thank you so much @kevinchalet, You made a great project.

I will make some changes based on your review, thank you for following ABP.

[beriniwlew]

Amazing work, keep it up!