Update the OpenIddict Saml idp sample.

Author: SeanFarrow-RSK

.gitignore

@@ -197,7 +197,6 @@ ClientBin/
 *.dbmdl
 *.dbproj.schemaview
 *.jfm
-*.pfx
 *.publishsettings
 orleans.codegen.cs
 

OpenIddict/OpenIddictIdP/Controllers/AuthorizationController.cs

@@ -62,13 +62,13 @@ public async Task<IActionResult> Authorize()
         //  - If prompt=login was specified by the client application.
         //  - If a max_age parameter was provided and the authentication cookie is not considered "fresh" enough.
         var result = await HttpContext.AuthenticateAsync(IdentityConstants.ApplicationScheme);
-        if (result == null || !result.Succeeded || request.HasPrompt(Prompts.Login) ||
+        if (result == null || !result.Succeeded || request.HasPromptValue(PromptValues.Login) ||
            request.MaxAge != null && result.Properties?.IssuedUtc != null &&
             DateTimeOffset.UtcNow - result.Properties.IssuedUtc > TimeSpan.FromSeconds(request.MaxAge.Value))
         {
             // If the client application requested promptless authentication,
             // return an error indicating that the user is not logged in.
-            if (request.HasPrompt(Prompts.None))
+            if (request.HasPromptValue(PromptValues.None))
             {
                 return Forbid(
                     authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
@@ -81,7 +81,7 @@ public async Task<IActionResult> Authorize()
 
             // To avoid endless login -> authorization redirects, the prompt=login flag
             // is removed from the authorization request payload before redirecting the user.
-            var prompt = string.Join(" ", request.GetPrompts().Remove(Prompts.Login));
+            var prompt = string.Join(" ", request.GetPromptValues().Remove(PromptValues.Login));
 
             var parameters = Request.HasFormContentType ?
                 Request.Form.Where(parameter => parameter.Key != Parameters.Prompt).ToList() :
@@ -142,7 +142,7 @@ public async Task<IActionResult> Authorize()
             // return an authorization response without displaying the consent form.
             case ConsentTypes.Implicit:
             case ConsentTypes.External when authorizations.Any():
-            case ConsentTypes.Explicit when authorizations.Any() && !request.HasPrompt(Prompts.Consent):
+            case ConsentTypes.Explicit when authorizations.Any() && !request.HasPromptValue(PromptValues.Consent):
                 // Create the claims-based identity that will be used by OpenIddict to generate tokens.
                 var identity = new ClaimsIdentity(
                         authenticationType: TokenValidationParameters.DefaultAuthenticationType,
@@ -178,8 +178,8 @@ public async Task<IActionResult> Authorize()
 
             // At this point, no authorization was found in the database and an error must be returned
             // if the client application specified prompt=none in the authorization request.
-            case ConsentTypes.Explicit when request.HasPrompt(Prompts.None):
-            case ConsentTypes.Systematic when request.HasPrompt(Prompts.None):
+            case ConsentTypes.Explicit when request.HasPromptValue(PromptValues.None):
+            case ConsentTypes.Systematic when request.HasPromptValue(PromptValues.None):
                 return Forbid(
                     authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
                     properties: new AuthenticationProperties(new Dictionary<string, string>

OpenIddict/OpenIddictIdP/JwtClaimTypes.cs

@@ -0,0 +1,9 @@
+namespace openiddictidp;
+
+public class JwtClaimTypes
+{
+    public const string Subject = "sub";
+    public const string Name = "name";
+    public const string  Role = "role";
+    public const string Email = "email";
+}

OpenIddict/OpenIddictIdP/Startup.cs

@@ -1,5 +1,4 @@
 using Rsk.Saml.OpenIddict.Quartz.Configuration.DependencyInjection;
-using IdentityModel;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Identity;
@@ -15,6 +14,7 @@
 using Rsk.Saml.OpenIddict.EntityFrameworkCore.Configuration.DependencyInjection;
 using Rsk.Saml.Samples;
 using static OpenIddict.Abstractions.OpenIddictConstants;
+using Microsoft.Extensions.Options;
 
 namespace openiddictidp;
 
@@ -92,9 +92,9 @@ public void ConfigureServices(IServiceCollection services)
 
                 // Enable the authorization, logout, token and userinfo endpoints.
                 options.SetAuthorizationEndpointUris("connect/authorize")
-                       .SetLogoutEndpointUris("connect/logout")
+                       .SetEndSessionEndpointUris("connect/logout")
                        .SetTokenEndpointUris("connect/token")
-                       .SetUserinfoEndpointUris("connect/userinfo");
+                       .SetUserInfoEndpointUris("connect/userinfo");
 
                 // Mark the "email", "profile" and "roles" scopes as supported scopes.
                 options.RegisterScopes(Scopes.Email, Scopes.Profile, Scopes.Roles);
@@ -110,9 +110,9 @@ public void ConfigureServices(IServiceCollection services)
                 // Register the ASP.NET Core host and configure the ASP.NET Core-specific options.
                 options.UseAspNetCore()
                     .EnableAuthorizationEndpointPassthrough()
-                       .EnableLogoutEndpointPassthrough()
+                       .EnableEndSessionEndpointPassthrough()
                        .EnableTokenEndpointPassthrough()
-                       .EnableUserinfoEndpointPassthrough()
+                       .EnableUserInfoEndpointPassthrough()
                        .EnableStatusCodePagesIntegration();
 
                 options.AddSamlPlugin(builder =>
@@ -122,18 +122,9 @@ public void ConfigureServices(IServiceCollection services)
 
                     //Already added the DbContext above
                     builder.UseSamlEntityFrameworkCore()
-                        .AddSamlMessageDbContext(optionsBuilder =>
-                        {
-                            //Configure the database provider to use.
-                            optionsBuilder.UseSqlServer(defaultConnectionString, x =>x.MigrationsAssembly(typeof(Startup).Assembly.FullName));
-                        })
-                        .AddSamlConfigurationDbContext(optionsBuilder =>
-                        {
-                            //Configure the database provider to use.
-                            optionsBuilder.UseSqlServer(defaultConnectionString,
-                                x => x.MigrationsAssembly(typeof(Startup).Assembly.FullName));
-                        });
-
+                        .AddSamlDbContexts(optionsBuilder => optionsBuilder.UseSqlServer(defaultConnectionString,
+                            x => x.MigrationsAssembly(typeof(Startup).Assembly.FullName)));
+                        
                     builder.ConfigureSamlOpenIddictServerOptions(serverOptions =>
                         {
                             serverOptions.HostOptions = new SamlHostUserInteractionOptions()
@@ -202,4 +193,4 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
             endpoints.MapRazorPages();
         });
     }
-}
+}

OpenIddict/OpenIddictIdP/Worker.cs

@@ -154,7 +154,7 @@ private Task CreateMvcClientIfNotExists(IServiceScope scope)
             ocd.Permissions.UnionWith(new[]
             {
                 Permissions.Endpoints.Authorization,
-                Permissions.Endpoints.Logout,
+                Permissions.Endpoints.EndSession,
                 Permissions.Endpoints.Token,
                 Permissions.GrantTypes.AuthorizationCode,
                 Permissions.ResponseTypes.Code,