etimo / etimo-id

A dotnet implementation of OAuth2.

Home Page: https://etimo.se

License: MIT License

C# 97.89% HTML 1.36% Shell 0.15% CSS 0.60%
dotnet5 oauth2 single-sign-on etimo aspnet-core-5 docker

etimo-id's Introduction


Etimo ID

Etimo ID is a basic implementation of OAuth2, without all the bloat.

At a later stage, OpenID Connect will also be implemented.

See the Development wiki page for information on how to contribute to development.

etimo-id's People

Contributors: niclaslindstedt, r0tenur

etimo-id's Issues

Add swagger page

It should have pretty good descriptions of all the inputs and outputs of the system.

Add cleanup worker

Add a worker that cleans up expired authorization codes, refresh tokens and access tokens.

  • Access tokens with used refresh tokens.
  • Used refresh tokens.
  • Authorization codes that belong to expired access tokens.

Add AuditLog

Add an AuditLog controller and log events here, e.g. successful/failed authentications.

A user should be able to fetch his/her own logs.

  • RequestAddress - caller IP
  • UserId - the account affected by the audit log
  • Type - info/warning
  • Message - a description of the event
  • Body - event data as a json structure
  • CreatedDateTime - when the event occurred

Make ReSharper in Visual Studio respect the .editorconfig

When opening the solution in Visual Studio 2019 with ReSharper, there are a lot of errors regarding code style.

We want ReSharper to respect the .editorconfig file. Is it missing settings or can ReSharper be configured to respect it fully?

Add support for multiple RedirectUris

An Application should be able to have more than one RedirectUri.

  1. If the Application has more than 1 RedirectUri, it needs to specify which one to use in the /authorize call
  2. When making an /authorize call, the redirect_uri should be validated against the existing RedirectUris.
  3. The chosen RedirectUri should be saved in AuthorizationCode and RefreshToken tables.
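A worked version of the three rules above, added here as an illustration; it is not code from etimo-id (which is C#). The function names, the exception type and the sample URIs are assumptions. The point a reviewer would check is that the comparison is an exact string match, since any prefix or host-only matching lets a registered value be extended to an unregistered destination.

```python
from urllib.parse import urlsplit

# Constructed sample: what an Application row might hold once several RedirectUris are allowed.
REGISTERED_REDIRECT_URIS = [
    "https://app.example/callback",
    "https://app.example/silent-renew",
]


class InvalidRedirectUri(Exception):
    """The /authorize request cannot be tied to a registered RedirectUri."""


def resolve_redirect_uri(registered, requested):
    """Return the RedirectUri to use for this /authorize call, or raise.

    registered: RedirectUri strings stored on the Application.
    requested:  the redirect_uri query parameter, or None when absent.

    Rules, following the issue (the helper itself is hypothetical):
      1. exactly one registered and none requested -> use the registered one
      2. several registered and none requested     -> the client must choose
      3. a requested value must equal a registered one character for character
    """
    if not registered:
        raise InvalidRedirectUri("application has no registered redirect URIs")
    if requested is None:
        if len(registered) == 1:
            return registered[0]
        raise InvalidRedirectUri("redirect_uri is required when several are registered")
    # RFC 6749 section 3.1.2: a redirection endpoint must not carry a fragment.
    if urlsplit(requested).fragment:
        raise InvalidRedirectUri("redirect_uri must not contain a fragment")
    # Exact comparison only: no prefix, substring or host-only matching, so
    # "https://app.example/callback/extra" does not pass on the strength of its prefix.
    if requested not in registered:
        raise InvalidRedirectUri("redirect_uri does not match a registered value")
    return requested


def is_valid_redirect_uri(registered, requested):
    """Boolean convenience wrapper around resolve_redirect_uri."""
    try:
        resolve_redirect_uri(registered, requested)
        return True
    except InvalidRedirectUri:
        return False


if __name__ == "__main__":
    for candidate in (None, "https://app.example/callback", "https://app.example/callback/extra"):
        print(candidate, "->", is_valid_redirect_uri(REGISTERED_REDIRECT_URIS, candidate))
```

The value this returns is what would be stored in the AuthorizationCode and RefreshToken rows (rule 3 of the issue), so the later /token call can compare against the same string.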

Add asymmetric key authentication

Allow a client to generate a certificate with a public and private key instead of using a client secret.

Only keep the public key on the server, and return the private key in the response.

Also allow the client itself to upload just a public key for a pre-generated certificate (in case the client does not trust us to generate a certificate).

Make /authorize endpoint accept OIDC arguments

When logging in with Blazor, this url gets called:

https://localhost:5011/oauth2/authorize?client_id=11111111-1111-1111-11111111111111111
  &redirect_uri=https%3A%2F%2Flocalhost%3A5012%2Fauthentication%2Flogin-callback
  &response_type=code
  &scope=openid%20profile
  &state=4189f1c5eb134962ab3998ae3e882abd
  &code_challenge=dJBLgGeU1VJt0R55orSTpYhkAl8IIMvSRnDBZrtPLuA
  &code_challenge_method=S256
  &prompt=none
  &response_mode=query

It returns 400 today. Make it work.

Stop users from brute forcing single users

While the rate limiter will stop the worst brute forcing, it will still allow an intruder to brute force a single user's account.

Add a "FailedAttempts" field to the user that increments when someone fails to log in to that user account.

If the login fails more than X times (according to appsettings.json setting), ban that user from logging into that account for Y minutes (appsettings.json).

Store the banned ip (with the target userId) in distributed memory, and stop the user from logging in early in the request pipeline.
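The counter-plus-ban scheme described above, written out as an added example in Python rather than the project's C#. The policy values stand in for the appsettings.json entries (X and Y), the two dictionaries stand in for the user's FailedAttempts column and the distributed cache, and all names are assumptions. The clock is injectable so the expiry of a ban can be exercised without waiting.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class LockoutPolicy:
    """Values the issue says should live in appsettings.json (constructed defaults)."""
    max_failed_attempts: int = 5   # the issue's X
    ban_minutes: int = 15          # the issue's Y


@dataclass
class UserLockout:
    """Per-user failure counter plus (ip, user_id) bans."""
    policy: LockoutPolicy
    clock: Callable[[], float] = time.time
    failed: Dict[str, int] = field(default_factory=dict)               # user_id -> FailedAttempts
    banned: Dict[Tuple[str, str], float] = field(default_factory=dict)  # (ip, user_id) -> unban time

    def is_banned(self, ip, user_id):
        """Cheap check meant to run early in the request pipeline."""
        until = self.banned.get((ip, user_id))
        if until is None:
            return False
        if self.clock() >= until:
            del self.banned[(ip, user_id)]   # ban has expired; forget it
            return False
        return True

    def record_failure(self, ip, user_id):
        """Increment FailedAttempts; ban once it exceeds X. Returns the new count."""
        count = self.failed.get(user_id, 0) + 1
        if count > self.policy.max_failed_attempts:
            self.banned[(ip, user_id)] = self.clock() + self.policy.ban_minutes * 60
            count = 0   # start a fresh window once the ban has been recorded
        self.failed[user_id] = count
        return count

    def record_success(self, user_id):
        """A successful login resets the counter."""
        self.failed.pop(user_id, None)


def login(tracker, ip, user_id, credentials_ok):
    """Hypothetical login handler returning 'locked', 'ok' or 'failed'.

    credentials_ok is the outcome of the real password check, passed in so
    the example contains no credential handling of its own.
    """
    if tracker.is_banned(ip, user_id):
        return "locked"          # refused before any password work is done
    if credentials_ok:
        tracker.record_success(user_id)
        return "ok"
    tracker.record_failure(ip, user_id)
    return "failed"


if __name__ == "__main__":
    tracker = UserLockout(LockoutPolicy(max_failed_attempts=3, ban_minutes=10))
    for _ in range(4):
        print(login(tracker, "203.0.113.5", "alice", False))   # constructed ip and user
    print(login(tracker, "203.0.113.5", "alice", True))        # locked, even with good credentials
```

Note the split the issue asks for: the count is per user, so failures from any address add up, while the ban is keyed on the (ip, userId) pair, so only the address that crossed the threshold is refused and the legitimate user can still sign in from elsewhere. Checking `is_banned` before the password check is what keeps a banned caller from costing a hash computation per request.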

Add prompt support

Add support for prompt parameter on GET /authorize request.

none

The Authorization Server MUST NOT display any authentication or consent user interface pages.

An error is returned if:

  • an End-User is not already authenticated or
  • the Client does not have pre-configured consent for the requested Claims or
  • the Client does not fulfill other conditions for processing the request.

The error code will typically be login_required, interaction_required, or another code defined in Section 3.1.2.6. This can be used as a method to check for existing authentication and/or consent.

login

The Authorization Server SHOULD prompt the End-User for reauthentication. If it cannot reauthenticate the End-User, it MUST return an error, typically login_required.

consent

The Authorization Server SHOULD prompt the End-User for consent before returning information to the Client. If it cannot obtain consent, it MUST return an error, typically consent_required.

select_account

The Authorization Server SHOULD prompt the End-User to select a user account. This enables an End-User who has multiple accounts at the Authorization Server to select amongst the multiple accounts that they might have current sessions for. If it cannot obtain an account selection choice made by the End-User, it MUST return an error, typically account_selection_required.

Add GitHub Actions

Add CI workflow with GitHub Actions.

  • Run tests (requires #10 to be finished).
  • Build Docker image (requires #11 to be finished) on Docker Hub.

Don't let "admin" override scopes

Remove the if-statement in controllers where the "admin" role overrides the scopes.

Since roles will not grant access to the appropriate scopes, admins will have the scopes necessary to administer the resources.

Add Roles

We should be able to add roles.

User N-N Role

Roles should be used when issuing JWT tokens.

Built-in roles:
Admin -> admin: scopes
User -> read: + write: scopes

Add new RequiredAttribute that returns errors as query parameters

As per https://tools.ietf.org/html/rfc6749#section-4.1.2.1

When using authorization code flow, the client needs to be informed about errors by way of query parameters instead of using exceptions and json responses.

Create a new Required attribute called "OAuthRequiredAttribute" that takes a parameter "ErrorInQueryComponent = true".

If true, we will not throw a 400 bad request if the parameter is missing, but instead return the error as part of the query component.
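Added example, in Python rather than the project's C#, tying together the three /authorize issues above: accepting the OIDC parameters from the Blazor request, honouring prompt=none with a login_required error, and delivering errors in the query component as RFC 6749 section 4.1.2.1 describes instead of a 400. The application registry, the client_id and all function names are assumptions; the state and code_challenge values are copied from the request quoted in the issue. PKCE verification is out of scope here and the code_challenge is simply carried along.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stand-in for the Applications table; the client_id is made up.
APPLICATIONS = {
    "a1b2c3d4-0000-4000-8000-000000000001": {
        "redirect_uris": ["https://localhost:5012/authentication/login-callback"],
    },
}

# Constructed request shaped like the Blazor URL quoted in the issue.
SAMPLE_AUTHORIZE_URL = (
    "https://localhost:5011/oauth2/authorize?client_id=a1b2c3d4-0000-4000-8000-000000000001"
    "&redirect_uri=https%3A%2F%2Flocalhost%3A5012%2Fauthentication%2Flogin-callback"
    "&response_type=code&scope=openid%20profile&state=4189f1c5eb134962ab3998ae3e882abd"
    "&code_challenge=dJBLgGeU1VJt0R55orSTpYhkAl8IIMvSRnDBZrtPLuA&code_challenge_method=S256"
    "&prompt=none&response_mode=query"
)


def parse_authorize_url(url):
    """Flatten the query string into a dict; a repeated parameter keeps its first value."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def authorize(params, authenticated_user=None):
    """Decide what GET /authorize does with a parsed request.

    Returns one of:
      ("400", error_dict)       the request cannot be answered via a redirect
      ("redirect", location)    an error delivered in the query component
      ("login_page", None)      show the login UI
      ("issue_code", details)   proceed to mint an authorization code

    OIDC parameters this example does not act on (scope, code_challenge,
    code_challenge_method, response_mode) are accepted rather than rejected.
    """
    app = APPLICATIONS.get(params.get("client_id"))
    redirect_uri = params.get("redirect_uri")
    # RFC 6749 4.1.2.1: an invalid client_id or redirect_uri must NOT be reported
    # by redirecting, because the destination itself is not trustworthy.
    if app is None or redirect_uri not in app["redirect_uris"]:
        return ("400", {"error": "invalid_request",
                        "error_description": "unknown client_id or redirect_uri"})

    def error_redirect(code, description):
        query = {"error": code, "error_description": description}
        if "state" in params:
            query["state"] = params["state"]   # echoed unchanged so the client can correlate
        return ("redirect", redirect_uri + "?" + urlencode(query))

    if "response_type" not in params:
        return error_redirect("invalid_request", "missing response_type")
    if params["response_type"] != "code":
        return error_redirect("unsupported_response_type",
                              "only the authorization code flow is supported")

    prompt = set(params.get("prompt", "").split())
    if "none" in prompt and len(prompt) > 1:
        return error_redirect("invalid_request", "prompt=none cannot be combined")
    if authenticated_user is None or "login" in prompt:
        if "none" in prompt:
            # No UI may be shown, so the outcome goes back through the validated redirect.
            return error_redirect("login_required", "no authenticated session")
        return ("login_page", None)
    return ("issue_code", {"user": authenticated_user,
                           "redirect_uri": redirect_uri,
                           "state": params.get("state"),
                           "code_challenge": params.get("code_challenge")})


if __name__ == "__main__":
    request = parse_authorize_url(SAMPLE_AUTHORIZE_URL)
    print(authorize(request))                              # login_required redirect
    print(authorize(request, authenticated_user="alice"))  # issue_code
```

The ordering matters more than any single check: client_id and redirect_uri are validated first and answered with a direct 400 when wrong, and only after that does the "error in query component" behaviour the OAuthRequiredAttribute is meant to provide kick in, so a missing response_type or a failed prompt=none probe reaches the client at a destination the server has already accepted.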

Wiki pages that describe how to use the api

  • Create a user
  • Create an application
    • Create roles
    • Create scopes
    • Enable/disable authorization grant flows
  • Generate application secret
  • Create access tokens using the different flows
    • Authorization code flow
    • Refresh token flow
    • Client credentials flow
    • Resource owner password credentials flow
    • Implicit flow

Use PlantUML images for the flow pages.

ReSharper doesn't respect .editorconfig for its warnings

When opening the solution in Visual Studio 2019 with ReSharper, there are a lot of errors regarding code style.

We want ReSharper to respect the .editorconfig file. Is it missing settings or can ReSharper be configured to respect it fully?

Add Scopes

Add Scope support to Applications.

Asking for a specific Scope in an auth request should validate against the Application.

The asked-for Scope should be saved in the AuthorizationCode and the RefreshToken.

Always return scope in token response

Currently, we only return the scope if the scope was specified.

Always return the scope that was granted. It is extractable from the access token itself, so we should include the information in the response as well.
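An added Python example (not etimo-id's C#) covering the scope-related issues above: the built-in Admin and User roles mapped to admin:, read: and write: scopes, a requested scope validated against the Application, the grant narrowed to what the user's roles allow, a token response that always states the granted scope, and a resource-side check that consults only that scope and never the role. The Application's scope list, the prefix mapping and the function names are assumptions.

```python
class InvalidScope(Exception):
    """The request named a scope the Application never registered (RFC 6749 invalid_scope)."""


# Constructed: the scopes a sample Application has registered.
APPLICATION_SCOPES = {"admin:user", "admin:application", "read:user", "write:user"}

# Built-in roles as the issue describes them: Admin gets the admin: scopes,
# User gets read: and write:. Membership is by prefix so new scopes follow automatically.
ROLE_PREFIXES = {
    "Admin": ("admin:",),
    "User": ("read:", "write:"),
}


def scopes_for_roles(roles, application_scopes):
    """Every registered scope whose prefix is covered by one of the user's roles."""
    prefixes = tuple(p for role in roles for p in ROLE_PREFIXES.get(role, ()))
    return {s for s in application_scopes if s.startswith(prefixes)}


def grant_scopes(application_scopes, roles, requested):
    """Validate the requested scope string and return the set actually granted.

    - a scope the Application never registered is an error (invalid_scope)
    - an empty request means "everything the roles allow"
    - otherwise the grant is the request narrowed to what the roles allow,
      which is why the token response has to state the granted scope every time
    """
    allowed = scopes_for_roles(roles, application_scopes)
    wanted = set(requested.split()) if requested else set()
    unknown = wanted - set(application_scopes)
    if unknown:
        raise InvalidScope("unknown scope(s): " + " ".join(sorted(unknown)))
    return (wanted & allowed) if wanted else allowed


def is_valid_scope_request(application_scopes, requested):
    """Boolean wrapper: does every requested scope exist on the Application?"""
    try:
        grant_scopes(application_scopes, set(), requested)
        return True
    except InvalidScope:
        return False


def build_token_response(access_token, granted, expires_in=3600):
    """Token response that always carries the scope, even when it equals the request."""
    return {
        "access_token": access_token,
        "token_type": "Bearer",
        "expires_in": expires_in,
        "scope": " ".join(sorted(granted)),
    }


def has_scope(token_claims, required):
    """Authorization check for a resource endpoint.

    Only the granted scope is consulted; a 'role' claim is deliberately ignored,
    which is the point of the "Don't let admin override scopes" issue.
    """
    return required in token_claims.get("scope", "").split()


if __name__ == "__main__":
    granted = grant_scopes(APPLICATION_SCOPES, {"User"}, "read:user admin:user")
    print(build_token_response("tok-1", granted))   # scope narrowed to read:user
```

Because the grant can legitimately be smaller than the request, a client that only reads the scope field when it differs from what it asked for would have to diff two strings itself; returning it unconditionally, as the issue proposes, removes that ambiguity.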

Restructure project

We want to restructure the project into the following:

./
  certs/       # development certificates
  components/  # our nuget packages
  docs/        # documentation files
    uml/       # uml diagrams
  samples/     # samples / examples
  scripts/     # helper scripts for developing / running
  src/         # source code for main project
  test/        # test projects

Make scopes more unique

The scopes must be unique to etimo-id.

Otherwise, if "admin:user" is also used by a client, we could potentially create problems.

The update-database script doesn't update the database if run clean

After cloning the project (i.e. no artifacts folder), you run the update-database.csx script.

It won't work.

You have to do the following:

dotnet build
dotnet ef database update -v -p src/Etimo.Id.Data -s src/Etimo.Id.Api --msbuildprojectextensionspath artifacts/obj/Etimo.Id.Data
dotnet ef database update -v -p src/Etimo.Id.Data -s src/Etimo.Id.Api --msbuildprojectextensionspath artifacts/obj/Etimo.Id.Api

The first update will fail, the second will succeed. Then you only need to run the second one for it to succeed.

Add pagination & filters

In the case of the Application resource, create ApplicationQueryOptions that inherits from QueryOptions.

QueryOptions should contain information about pagination (skip, take).

ApplicationQueryOptions should contain filtering information that is specific to the Application entity.

There might not be any filtering options for Applications right now, but there might be later, and it is best to keep it consistent.

Do this for all resources.

Add endpoint to unlock user

If a user gets locked, it should be possible for an admin (or the user itself, with a valid token) to unlock it.

PUT /users/{id}/unlock

It should be PUT since we are updating a state, and the call is idempotent.

Improve look of login page

  • Add basic css to make it look ok.
  • Use application logo.
  • Add descriptions of what scopes the client is asking for.

Add endpoints for fetching audit logs

GET /auditlogs

Should return a list of all auditlogs (if admin), or a list of all auditlogs belonging to the caller (user), if the caller is missing the admin scope.

GET /users/<id>/auditlogs

Should return a list of all the auditlogs related to that user.

GET /applications/<id>/auditlogs

Should return a list of all auditlogs for the application.
