Update the Cordova sample to use the authorization code flow

Author: pierrej

samples/Cordova/Backend/Backend.xproj

@@ -15,4 +15,4 @@
     <SchemaVersion>2.0</SchemaVersion>
   </PropertyGroup>
   <Import Project="$(VSToolsPath)\DotNet.Web\Microsoft.DotNet.Web.targets" Condition="'$(VSToolsPath)' != ''" />
-</Project>
+</Project>

samples/Cordova/Backend/Extensions/AppBuilderExtensions.cs

@@ -1,5 +1,6 @@
 using System;
 using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Http;
 
 namespace Backend.Extensions {

samples/Cordova/Backend/Providers/AuthorizationProvider.cs

@@ -11,11 +11,13 @@ namespace Backend.Providers {
     public sealed class AuthorizationProvider : OpenIdConnectServerProvider {
         public override async Task ValidateAuthorizationRequest(ValidateAuthorizationRequestContext context) {
             // Note: the OpenID Connect server middleware supports the authorization code, implicit and hybrid flows
-            // but this authorization provider only accepts response_type=token authorization/authentication requests.
-            if (!context.Request.IsImplicitFlow()) {
+            // but this authorization provider only accepts response_type=code authorization/authentication requests.
+            // You may consider relaxing it to support the implicit or hybrid flows. In this case, consider adding
+            // checks rejecting implicit/hybrid authorization requests when the client is a confidential application.
+            if (!context.Request.IsAuthorizationCodeFlow()) {
                 context.Reject(
                     error: OpenIdConnectConstants.Errors.UnsupportedResponseType,
-                    description: "Only the implicit flow is supported by this authorization server.");
+                    description: "Only the authorization code flow is supported by this authorization server.");
 
                 return;
             }
@@ -43,7 +45,7 @@ public override async Task ValidateAuthorizationRequest(ValidateAuthorizationReq
             if (application == null) {
                 context.Reject(
                     error: OpenIdConnectConstants.Errors.InvalidClient,
-                    description: "Application not found in the database: ensure that your client_id is correct");
+                    description: "Application not found in the database: ensure that your client_id is correct.");
 
                 return;
             }
@@ -52,14 +54,56 @@ public override async Task ValidateAuthorizationRequest(ValidateAuthorizationReq
                 !string.Equals(context.RedirectUri, application.RedirectUri, StringComparison.Ordinal)) {
                 context.Reject(
                     error: OpenIdConnectConstants.Errors.InvalidClient,
-                    description: "Invalid redirect_uri");
+                    description: "Invalid redirect_uri.");
 
                 return;
             }
 
             context.Validate(application.RedirectUri);
         }
 
+        public override async Task ValidateTokenRequest(ValidateTokenRequestContext context) {
+            // Note: the OpenID Connect server middleware supports authorization code, refresh token, client credentials
+            // and resource owner password credentials grant types but this authorization provider uses a safer policy
+            // rejecting the last two ones. You may consider relaxing it to support the ROPC or client credentials grant types.
+            if (!context.Request.IsAuthorizationCodeGrantType() && !context.Request.IsRefreshTokenGrantType()) {
+                context.Reject(
+                    error: OpenIdConnectConstants.Errors.UnsupportedGrantType,
+                    description: "Only authorization code and refresh token grant types " +
+                                 "are accepted by this authorization server.");
+
+                return;
+            }
+
+            // Reject the request if the client identifier is missing.
+            if (string.IsNullOrEmpty(context.ClientId)) {
+                context.Reject(
+                    error: OpenIdConnectConstants.Errors.InvalidRequest,
+                    description: "The mandatory client_id parameter was missing");
+
+                return;
+            }
+
+            var database = context.HttpContext.RequestServices.GetRequiredService<ApplicationContext>();
+
+            // Retrieve the application details corresponding to the requested client_id.
+            var application = await (from entity in database.Applications
+                                     where entity.ApplicationID == context.ClientId
+                                     select entity).SingleOrDefaultAsync(context.HttpContext.RequestAborted);
+
+            if (application == null) {
+                context.Reject(
+                    error: OpenIdConnectConstants.Errors.InvalidClient,
+                    description: "Application not found in the database: ensure that your client_id is correct.");
+
+                return;
+            }
+
+            // Note: the client credentials cannot be safely stored in the Cordova application.
+            // In this case, context.Skip() is called to inform the OIDC server that the client is not trusted.
+            context.Skip();
+        }
+
         public override async Task ValidateLogoutRequest(ValidateLogoutRequestContext context) {
             var database = context.HttpContext.RequestServices.GetRequiredService<ApplicationContext>();
 
@@ -74,7 +118,7 @@ public override async Task ValidateLogoutRequest(ValidateLogoutRequestContext co
             if (!await database.Applications.AnyAsync(application => application.LogoutRedirectUri == context.PostLogoutRedirectUri)) {
                 context.Reject(
                     error: OpenIdConnectConstants.Errors.InvalidClient,
-                    description: "Invalid post_logout_redirect_uri");
+                    description: "Invalid post_logout_redirect_uri.");
 
                 return;
             }

samples/Cordova/Backend/Startup.cs

@@ -1,6 +1,4 @@
-using System;
-using System.IdentityModel.Tokens.Jwt;
-using System.Reflection;
+using System;
 using AspNet.Security.OAuth.Validation;
 using Backend.Extensions;
 using Backend.Models;
@@ -80,9 +78,10 @@ public void Configure(IApplicationBuilder app) {
             app.UseOpenIdConnectServer(options => {
                 options.Provider = new AuthorizationProvider();
 
-                // Enable the authorization and logout endpoints.
+                // Enable the authorization, logout and token endpoints.
                 options.AuthorizationEndpointPath = "/connect/authorize";
                 options.LogoutEndpointPath = "/connect/logout";
+                options.TokenEndpointPath = "/connect/token";
 
                 // Register a new ephemeral key, that is discarded when the application
                 // shuts down. Tokens signed using this key are automatically invalidated.

samples/Cordova/Backend/project.json

@@ -46,10 +46,7 @@
 
     "netcoreapp1.0": {
       "dependencies": {
-        "Microsoft.NETCore.App": {
-          "type": "platform",
-          "version": "1.0.0"
-        }
+        "Microsoft.NETCore.App": { "type": "platform", "version": "1.0.0" }
       },
 
       "imports": [

samples/Cordova/MobileApp/config.xml

@@ -104,7 +104,8 @@
   <platform name="wp8">
     <splash src="res/screens/wp8/SplashScreenImage.jpg" width="480" height="800" />
   </platform>
-  <vs:plugin name="cordova-plugin-inappbrowser" version="1.1.1" />
   <vs:plugin name="cordova-plugin-whitelist" version="1.2.0" />
   <access origin="localhost:54540" />
+  <plugin name="cordova-plugin-inappbrowser" version="1.1.1" />
+  <access origin="127.0.0.1:80" />
 </widget>

samples/Cordova/MobileApp/www/index.html

@@ -3,7 +3,7 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
     <meta charset="utf-8" />
-    <meta http-equiv="Content-Security-Policy" content="default-src 'self' data: gap: https://ssl.gstatic.com http://localhost:54540 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self' https://ssl.gstatic.com http://localhost:54540 http://192.168.11.100:54540 * data: gap: 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *">
     <title>MobileApp</title>
 
     <!-- Load stylesheets -->

samples/Cordova/MobileApp/www/scripts/controllers/authController.js

@@ -5,7 +5,7 @@ app.controller('authController', ['$sce', '$scope', '$location', 'authService',
 
     $scope.logIn = function () {
         authService.logIn().then(function (response) {
-            authService.confirmMessage().then(function (response) { $scope.message = response });
+            authService.confirmMessage().then(function (response) { $scope.message = response; });
         }, function (err) {
             $scope.message = err;
         });
@@ -20,7 +20,7 @@ app.controller('authController', ['$sce', '$scope', '$location', 'authService',
     };
 
     $scope.queryServer = function () {
-        authService.confirmMessage().then(function (response) { $scope.message = response });
+        authService.confirmMessage().then(function (response) { $scope.message = response; });
     };
 
     $scope.authentication = authService.authentication;

samples/Cordova/MobileApp/www/scripts/init.js

@@ -4,6 +4,8 @@ app.constant('authConfig', {
     clientId: 'myClient',
     logInApi: 'http://localhost:54540/connect/authorize',
     logOutApi: 'http://localhost:54540/connect/logout',
+    tokenApi: 'http://localhost:54540/connect/token',
+    messageApi: 'http://localhost:54540/api/message',
     redirect_uri: 'http://localhost/callback',
     post_logout_redirect_uri: 'http://localhost/callback'
 });

samples/Cordova/MobileApp/www/scripts/services/authService.js

@@ -9,30 +9,36 @@ app.factory('authService', ['$http', '$q', 'localStorageService', 'utilitiesServ
     };
 
     var _logIn = function () {
-        var deferred = $q.defer()
-        var ref = window.open(authConfig.logInApi + '?client_id=' + authConfig.clientId + '&redirect_uri=' + authConfig.redirect_uri + '&response_type=token', '_blank', 'location=no');
+        var deferred = $q.defer();
+        var ref = window.open(authConfig.logInApi + '?client_id=' + authConfig.clientId + '&redirect_uri=' + authConfig.redirect_uri + '&response_type=code&scope=openid', '_blank', 'location=no');
         ref.addEventListener('loadstart', function (event) {
             if (utilitiesService.startsWith(event.url, authConfig.redirect_uri)) {
-                var requestToken = utilitiesService.getURLParameter(event.url, "access_token");
-                var userName = jwtHelper.decodeToken(requestToken).unique_name;
+                var authorizationCode = utilitiesService.getURLParameter(event.url, "code");
+                $http.post(authConfig.tokenApi,
+                    'grant_type=authorization_code&code=' + authorizationCode + '&client_id=' + authConfig.clientId + '&redirect_uri=' + authConfig.redirect_uri,
+                    { headers: { 'Content-Type': 'application/x-www-form-urlencoded' } }).then(function successCallback(response) {
+                    var requestToken = response.data.access_token;
+                    var idToken = response.data.id_token;
+                    var userName = jwtHelper.decodeToken(idToken).unique_name;
                 localStorageService.set('authorizationData', { token: requestToken, userName: userName });
                 _fillAuthData();
                 deferred.resolve(ref.close());
-            };
+                });
+            }
         });
         return deferred.promise;
     };
 
     var _logOut = function () {
-        var deferred = $q.defer()
+        var deferred = $q.defer();
         var ref = window.open(authConfig.logOutApi + '?post_logout_redirect_uri=' + authConfig.post_logout_redirect_uri, '_blank', 'location=no');
         ref.addEventListener('loadstart', function (event) {
             if (utilitiesService.startsWith(event.url, authConfig.post_logout_redirect_uri)) {
                 localStorageService.remove('authorizationData');
                 _authentication.isAuth = false;
                 _authentication.userName = "";
                 deferred.resolve(ref.close());
-            };
+            }
         });
         return deferred.promise;
     };
@@ -46,7 +52,7 @@ app.factory('authService', ['$http', '$q', 'localStorageService', 'utilitiesServ
     };
 
     var _confirmMessage = function () {
-        return $http.get("http://localhost:54540/api/message").then(function successCallback(response) {
+        return $http.get(authConfig.messageApi).then(function successCallback(response) {
             return response.data;
         });
     };

samples/Mvc/Mvc.Server/Controllers/AuthorizationController.cs

@@ -22,7 +22,7 @@ public class AuthorizationController : Controller {
         public AuthorizationController(ApplicationContext database) {
             this.database = database;
         }
-        
+
         [Authorize, HttpGet("~/connect/authorize")]
         public async Task<IActionResult> Authorize(CancellationToken cancellationToken) {
             // Note: when a fatal error occurs during the request processing, an OpenID Connect response