

Override the default TLS client certificate selectors to support usin…
…g certificates that don't meet the default requirements for specific providers
kevinchalet committed Nov 1, 2024
1 parent 6f68ef7 commit 0794d06
Showing 2 changed files with 40 additions and 1 deletion.
Expand Up @@ -5,7 +5,10 @@
*/

using System.ComponentModel;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Options;
using OpenIddict.Client.SystemNetHttp;
using static OpenIddict.Client.WebIntegration.OpenIddictClientWebIntegrationConstants;

namespace OpenIddict.Client.WebIntegration;

Expand All @@ -14,7 +17,8 @@ namespace OpenIddict.Client.WebIntegration;
/// </summary>
[EditorBrowsable(EditorBrowsableState.Advanced)]
public sealed partial class OpenIddictClientWebIntegrationConfiguration : IConfigureOptions<OpenIddictClientOptions>,
IPostConfigureOptions<OpenIddictClientOptions>
IPostConfigureOptions<OpenIddictClientOptions>,
IPostConfigureOptions<OpenIddictClientSystemNetHttpOptions>
{
/// <inheritdoc/>
public void Configure(OpenIddictClientOptions options)
Expand Down Expand Up @@ -47,6 +51,38 @@ public void PostConfigure(string? name, OpenIddictClientOptions options)
});
}

/// <inheritdoc/>
public void PostConfigure(string? name, OpenIddictClientSystemNetHttpOptions options)
{
if (options is null)
{
throw new ArgumentNullException(nameof(options));
}

// Override the default/user-defined selectors to support attaching TLS client
// certificates that don't meet the requirements enforced by default by OpenIddict.
options.SelfSignedTlsClientAuthenticationCertificateSelector = CreateSelector(options.SelfSignedTlsClientAuthenticationCertificateSelector);
options.TlsClientAuthenticationCertificateSelector = CreateSelector(options.TlsClientAuthenticationCertificateSelector);

static Func<OpenIddictClientRegistration, X509Certificate2?> CreateSelector(Func<OpenIddictClientRegistration, X509Certificate2?> selector)
=> registration =>
{
var certificate = registration.ProviderType switch
{
ProviderTypes.ProSantéConnect => registration.GetProSantéConnectSettings().SigningCertificate,
_ => null
};
if (certificate is not null)
{
return certificate;
}
return selector(registration);
};
}

/// <summary>
/// Amends the registration with the provider-specific configuration logic.
/// </summary>
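Review bot: The selector built by `CreateSelector` returns the Pro Santé Connect `SigningCertificate` before the wrapped `selector` is ever consulted, so for that provider a user-supplied selector is bypassed whenever the certificate is set, and the certificate reaches the TLS layer without whatever checks the default selectors apply (the comment above the assignments implies such checks exist, but they are outside this hunk). That precedence deserves a comment on the local function, e.g. `// Provider-specific certificates take precedence over the wrapped selector and skip its validation; the wrapped selector is only the fallback.`. If `OpenIddictClientSystemNetHttpOptions` permits either selector property to be null (not visible here), the fallback `selector(registration)` would throw a NullReferenceException, so a `selector is null ? null : selector(registration)` guard or an explicit null check at the top of `CreateSelector` would make that path deliberate. The `name` parameter is ignored, so the override applies to every named options instance; if only specific instances are meant to be affected, that should be stated or checked. The enclosing class continues outside the hunk.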
Expand Up @@ -7,6 +7,7 @@
using Microsoft.Extensions.DependencyInjection.Extensions;
using Microsoft.Extensions.Options;
using OpenIddict.Client;
using OpenIddict.Client.SystemNetHttp;
using OpenIddict.Client.WebIntegration;

namespace Microsoft.Extensions.DependencyInjection;
Expand Down Expand Up @@ -40,6 +41,8 @@ public static OpenIddictClientWebIntegrationBuilder UseWebProviders(this OpenIdd
// Note: TryAddEnumerable() is used here to ensure the initializers are registered only once.
builder.Services.TryAddEnumerable(ServiceDescriptor.Singleton<
IConfigureOptions<OpenIddictClientOptions>, OpenIddictClientWebIntegrationConfiguration>());
builder.Services.TryAddEnumerable(ServiceDescriptor.Singleton<
IPostConfigureOptions<OpenIddictClientSystemNetHttpOptions>, OpenIddictClientWebIntegrationConfiguration>());

// Note: the IPostConfigureOptions<OpenIddictClientOptions> service responsible for populating
// the client registrations MUST be registered before OpenIddictClientConfiguration to ensure
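Review bot: The new `TryAddEnumerable` registration for `IPostConfigureOptions<OpenIddictClientSystemNetHttpOptions>` is placed immediately above the note explaining that the `IPostConfigureOptions<OpenIddictClientOptions>` initializer is order-sensitive, which invites a reader to assume the same constraint applies to it. A one-line comment would remove that ambiguity, e.g. `// Note: this post-configuration only wraps the TLS client certificate selectors, which read the provider type when invoked, so it has no ordering constraint.`. Because `ServiceDescriptor.Singleton<TService, TImplementation>` yields a distinct instance per service type, `OpenIddictClientWebIntegrationConfiguration` is now instantiated once per registered interface; that is harmless as long as the class stays stateless, which the other file in this commit suggests but does not prove. `UseWebProviders` starts and ends outside the hunk.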
