| | | 1 | | using Microsoft.AspNetCore.Authentication; |
| | | 2 | | using Microsoft.AspNetCore.Authentication.Cookies; |
| | | 3 | | using Microsoft.AspNetCore.Authorization; |
| | | 4 | | using Microsoft.AspNetCore.Mvc; |
| | | 5 | | |
| | | 6 | | namespace ProjectTemplate.Web.Controllers; |
| | | 7 | | |
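/// <summary>
/// Provides controller actions for initiating external authentication challenges using configured authentication
/// schemes.
/// </summary>
/// <remarks>
/// This controller is intended for use with external authentication providers such as OAuth or OpenID Connect.
/// The challenge endpoint is anonymous and both of its inputs arrive from the request, so each is validated
/// before a challenge is issued: the return URL must be local (open redirect mitigation), and the provider must
/// resolve to a registered scheme that is not the local cookie scheme and whose handler takes part in request
/// handling (see <see cref="IsExternalScheme"/>).
/// </remarks>
/// <param name="schemeProvider">The authentication scheme provider used to look up the requested scheme by
/// name.</param>
public sealed class ExternalController(IAuthenticationSchemeProvider schemeProvider) : Controller
{
    private readonly IAuthenticationSchemeProvider _schemeProvider = schemeProvider;

    /// <summary>
    /// Initiates an external authentication challenge using the specified provider.
    /// </summary>
    /// <remarks>This method is typically used to start an OAuth or other external login flow. Only local
    /// return URLs are permitted to prevent open redirect vulnerabilities.</remarks>
    /// <param name="provider">The name of the external authentication scheme to challenge. Cannot be null, empty,
    /// or whitespace, and must name a registered external scheme.</param>
    /// <param name="returnUrl">The URL to redirect the user to after successful authentication. If null, empty, or
    /// whitespace, defaults to the application root ('/'). Must be a local URL.</param>
    /// <returns>An <see cref="IActionResult"/> that initiates the external authentication challenge, or a
    /// BadRequest result if the provider or return URL is rejected.</returns>
    [HttpGet("/External/Challenge")]
    [AllowAnonymous]
    public async Task<IActionResult> Challenge(string provider, string? returnUrl = null)
    {
        if (string.IsNullOrWhiteSpace(provider))
        {
            return BadRequest();
        }

        string safeReturnUrl = string.IsNullOrWhiteSpace(returnUrl) ? "/" : returnUrl;

        // The value ends up in AuthenticationProperties.RedirectUri, so anything that is not a local
        // URL is refused outright rather than rewritten.
        if (!Url.IsLocalUrl(safeReturnUrl))
        {
            return BadRequest();
        }

        AuthenticationScheme? scheme = await _schemeProvider.GetSchemeAsync(provider);

        // Every rejection returns the same bare 400, so the response does not reveal which check failed.
        if (scheme is null || !IsExternalScheme(scheme))
        {
            return BadRequest();
        }

        AuthenticationProperties properties = new()
        {
            RedirectUri = safeReturnUrl
        };

        // Challenge with the registered scheme name, not the raw request value.
        return Challenge(properties, scheme.Name);
    }

    /// <summary>
    /// Decides whether a registered scheme may be challenged through this anonymous endpoint.
    /// </summary>
    /// <remarks>
    /// Excluding only the default cookie scheme by name is a deny-list: any other registered scheme (an
    /// additional cookie scheme under a different name, a bearer-token scheme) would still be accepted. The
    /// handler-type test turns this into an allow-list. The framework's remote handlers (OAuth, OpenID Connect)
    /// implement <see cref="IAuthenticationRequestHandler"/>, while its cookie and bearer handlers do not. A custom
    /// external handler must implement that interface to be reachable here.
    /// </remarks>
    /// <param name="scheme">The scheme resolved from the request-supplied provider name.</param>
    /// <returns><see langword="true"/> if the scheme is not the default cookie scheme and its handler type
    /// implements <see cref="IAuthenticationRequestHandler"/>; otherwise <see langword="false"/>.</returns>
    private static bool IsExternalScheme(AuthenticationScheme scheme)
    {
        if (string.Equals(scheme.Name, CookieAuthenticationDefaults.AuthenticationScheme, StringComparison.Ordinal))
        {
            return false;
        }

        return typeof(IAuthenticationRequestHandler).IsAssignableFrom(scheme.HandlerType);
    }
}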