Migrate the OpenID module to OpenIddict 4.0

OrchardCMS · Dec 23, 2022 · 48ecaea · 48ecaea
1 parent 231cb19
commit 48ecaea
Show file tree

Hide file tree

Showing 6 changed files with 110 additions and 120 deletions.
diff --git a/src/OrchardCore.Build/Dependencies.props b/src/OrchardCore.Build/Dependencies.props
@@ -45,8 +45,8 @@
     <PackageManagement Include="NJsonSchema" Version="10.8.0" />
     <PackageManagement Include="NLog.Web.AspNetCore" Version="5.2.0" />
     <PackageManagement Include="NodaTime" Version="3.1.6" />
-    <PackageManagement Include="OpenIddict.AspNetCore" Version="3.1.1" />
-    <PackageManagement Include="OpenIddict.Core" Version="3.1.1" />
+    <PackageManagement Include="OpenIddict.AspNetCore" Version="4.0.0" />
+    <PackageManagement Include="OpenIddict.Core" Version="4.0.0" />
     <PackageManagement Include="OrchardCore.Translations.All" Version="1.5.0" />
     <PackageManagement Include="PdfPig" Version="0.1.6" />
     <PackageManagement Include="Serilog.AspNetCore" Version="6.1.0" />

diff --git a/src/OrchardCore.Modules/OrchardCore.OpenId/Configuration/OpenIdServerConfiguration.cs b/src/OrchardCore.Modules/OrchardCore.OpenId/Configuration/OpenIdServerConfiguration.cs
@@ -75,34 +75,46 @@ public void Configure(OpenIddictServerOptions options)
                 options.SigningCredentials.Add(new SigningCredentials(key, SecurityAlgorithms.RsaSha256));
             }
 
+            // Note: while endpoint paths in OrchardCore are stored as PathString instances,
+            // OpenIddict uses System.Uri. To ensure the System.Uri instances created from
+            // a PathString don't represent root-relative URIs (which would break path-based
+            // multi-tenancy support), the leading '/' that is always present in PathString
+            // instances is manually removed from the endpoint path before URIs are created.
+
             if (settings.AuthorizationEndpointPath.HasValue)
             {
-                options.AuthorizationEndpointUris.Add(new Uri(settings.AuthorizationEndpointPath.Value, UriKind.Relative));
+                options.AuthorizationEndpointUris.Add(new Uri(
+                    settings.AuthorizationEndpointPath.ToUriComponent()[1..], UriKind.Relative));
             }
 
             if (settings.LogoutEndpointPath.HasValue)
             {
-                options.LogoutEndpointUris.Add(new Uri(settings.LogoutEndpointPath.Value, UriKind.Relative));
+                options.LogoutEndpointUris.Add(new Uri(
+                    settings.LogoutEndpointPath.ToUriComponent()[1..], UriKind.Relative));
             }
 
             if (settings.TokenEndpointPath.HasValue)
             {
-                options.TokenEndpointUris.Add(new Uri(settings.TokenEndpointPath.Value, UriKind.Relative));
+                options.TokenEndpointUris.Add(new Uri(
+                    settings.TokenEndpointPath.ToUriComponent()[1..], UriKind.Relative));
             }
 
             if (settings.UserinfoEndpointPath.HasValue)
             {
-                options.UserinfoEndpointUris.Add(new Uri(settings.UserinfoEndpointPath.Value, UriKind.Relative));
+                options.UserinfoEndpointUris.Add(new Uri(
+                    settings.UserinfoEndpointPath.ToUriComponent()[1..], UriKind.Relative));
             }
 
             if (settings.IntrospectionEndpointPath.HasValue)
             {
-                options.IntrospectionEndpointUris.Add(new Uri(settings.IntrospectionEndpointPath.Value, UriKind.Relative));
+                options.IntrospectionEndpointUris.Add(new Uri(
+                    settings.IntrospectionEndpointPath.ToUriComponent()[1..], UriKind.Relative));
             }
 
             if (settings.RevocationEndpointPath.HasValue)
             {
-                options.RevocationEndpointUris.Add(new Uri(settings.RevocationEndpointPath.Value, UriKind.Relative));
+                options.RevocationEndpointUris.Add(new Uri(
+                    settings.RevocationEndpointPath.ToUriComponent()[1..], UriKind.Relative));
             }
 
             // For now, response types and response modes are not directly

diff --git a/src/OrchardCore.Modules/OrchardCore.OpenId/Configuration/OpenIdValidationConfiguration.cs b/src/OrchardCore.Modules/OrchardCore.OpenId/Configuration/OpenIdValidationConfiguration.cs
@@ -9,8 +9,8 @@
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
-using Microsoft.IdentityModel.Protocols.OpenIdConnect;
 using Microsoft.IdentityModel.Tokens;
+using OpenIddict.Abstractions;
 using OpenIddict.Validation;
 using OpenIddict.Validation.AspNetCore;
 using OpenIddict.Validation.DataProtection;
@@ -105,7 +105,7 @@ public void Configure(OpenIddictValidationOptions options)
             if (settings.Authority != null)
             {
                 options.Issuer = settings.Authority;
-                options.MetadataAddress = settings.MetadataAddress;
+                options.ConfigurationEndpoint = settings.MetadataAddress;
                 options.Audiences.Add(settings.Audience);
 
                 // Note: OpenIddict 3.0 only accepts tokens issued with a non-empty token type (e.g "at+jwt")
@@ -140,9 +140,9 @@ public void Configure(OpenIddictValidationOptions options)
                     return;
                 }
 
-                options.Configuration = new OpenIdConnectConfiguration
+                options.Configuration = new OpenIddictConfiguration
                 {
-                    Issuer = configuration.Authority?.AbsoluteUri
+                    Issuer = configuration.Authority
                 };
 
                 // Import the signing keys from the OpenID server configuration.