Validate prompt values specified in authorization requests and update the configuration endpoint to return "prompt_values_supported"

Author: kevinchalet

.editorconfig

@@ -97,6 +97,7 @@ csharp_using_directive_placement = outside_namespace
 dotnet_code_quality_unused_parameters = all
 dotnet_diagnostic.CA1510.severity = none
 dotnet_diagnostic.CA2254.severity = none
+dotnet_diagnostic.IDE0002.severity = none
 dotnet_diagnostic.IDE0305.severity = none
 dotnet_naming_rule.interface_should_be_begins_with_i.severity = suggestion
 dotnet_naming_rule.interface_should_be_begins_with_i.style = begins_with_i

sandbox/OpenIddict.Sandbox.AspNet.Server/Controllers/AuthorizationController.cs

@@ -139,7 +139,7 @@ public async Task<ActionResult> Authorize()
             // return an authorization response without displaying the consent form.
             case ConsentTypes.Implicit:
             case ConsentTypes.External when authorizations.Count is not 0:
-            case ConsentTypes.Explicit when authorizations.Count is not 0 && !request.HasPrompt(Prompts.Consent):
+            case ConsentTypes.Explicit when authorizations.Count is not 0 && !request.HasPrompt(PromptValues.Consent):
                 // Create the claims-based identity that will be used by OpenIddict to generate tokens.
                 var identity = new ClaimsIdentity(
                     authenticationType: OpenIddictServerOwinDefaults.AuthenticationType,
@@ -178,8 +178,8 @@ public async Task<ActionResult> Authorize()
 
             // At this point, no authorization was found in the database and an error must be returned
             // if the client application specified prompt=none in the authorization request.
-            case ConsentTypes.Explicit   when request.HasPrompt(Prompts.None):
-            case ConsentTypes.Systematic when request.HasPrompt(Prompts.None):
+            case ConsentTypes.Explicit   when request.HasPrompt(PromptValues.None):
+            case ConsentTypes.Systematic when request.HasPrompt(PromptValues.None):
                 context.Authentication.Challenge(
                     authenticationTypes: OpenIddictServerOwinDefaults.AuthenticationType,
                     properties: new AuthenticationProperties(new Dictionary<string, string>

sandbox/OpenIddict.Sandbox.AspNetCore.Server/Controllers/AuthorizationController.cs

@@ -71,13 +71,13 @@ public async Task<IActionResult> Authorize()
         // For scenarios where the default authentication handler configured in the ASP.NET Core
         // authentication options shouldn't be used, a specific scheme can be specified here.
         var result = await HttpContext.AuthenticateAsync();
-        if (result == null || !result.Succeeded || request.HasPrompt(Prompts.Login) ||
+        if (result == null || !result.Succeeded || request.HasPrompt(PromptValues.Login) ||
            (request.MaxAge != null && result.Properties?.IssuedUtc != null &&
             DateTimeOffset.UtcNow - result.Properties.IssuedUtc > TimeSpan.FromSeconds(request.MaxAge.Value)))
         {
             // If the client application requested promptless authentication,
             // return an error indicating that the user is not logged in.
-            if (request.HasPrompt(Prompts.None))
+            if (request.HasPrompt(PromptValues.None))
             {
                 return Forbid(
                     authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
@@ -90,7 +90,7 @@ public async Task<IActionResult> Authorize()
 
             // To avoid endless login -> authorization redirects, the prompt=login flag
             // is removed from the authorization request payload before redirecting the user.
-            var prompt = string.Join(" ", request.GetPrompts().Remove(Prompts.Login));
+            var prompt = string.Join(" ", request.GetPrompts().Remove(PromptValues.Login));
 
             var parameters = Request.HasFormContentType ?
                 Request.Form.Where(parameter => parameter.Key != Parameters.Prompt).ToList() :
@@ -173,7 +173,7 @@ public async Task<IActionResult> Authorize()
             // return an authorization response without displaying the consent form.
             case ConsentTypes.Implicit:
             case ConsentTypes.External when authorizations.Count is not 0:
-            case ConsentTypes.Explicit when authorizations.Count is not 0 && !request.HasPrompt(Prompts.Consent):
+            case ConsentTypes.Explicit when authorizations.Count is not 0 && !request.HasPrompt(PromptValues.Consent):
                 // Create the claims-based identity that will be used by OpenIddict to generate tokens.
                 var identity = new ClaimsIdentity(
                     authenticationType: TokenValidationParameters.DefaultAuthenticationType,
@@ -210,8 +210,8 @@ public async Task<IActionResult> Authorize()
 
             // At this point, no authorization was found in the database and an error must be returned
             // if the client application specified prompt=none in the authorization request.
-            case ConsentTypes.Explicit   when request.HasPrompt(Prompts.None):
-            case ConsentTypes.Systematic when request.HasPrompt(Prompts.None):
+            case ConsentTypes.Explicit   when request.HasPrompt(PromptValues.None):
+            case ConsentTypes.Systematic when request.HasPrompt(PromptValues.None):
                 return Forbid(
                     authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
                     properties: new AuthenticationProperties(new Dictionary<string, string>

src/OpenIddict.Abstractions/OpenIddictConstants.cs

@@ -295,6 +295,7 @@ public static class Metadata
         public const string MtlsEndpointAliases = "mtls_endpoint_aliases";
         public const string OpPolicyUri = "op_policy_uri";
         public const string OpTosUri = "op_tos_uri";
+        public const string PromptValuesSupported = "prompt_values_supported";
         public const string RequestObjectEncryptionAlgValuesSupported = "request_object_encryption_alg_values_supported";
         public const string RequestObjectEncryptionEncValuesSupported = "request_object_encryption_enc_values_supported";
         public const string RequestObjectSigningAlgValuesSupported = "request_object_signing_alg_values_supported";
@@ -430,9 +431,10 @@ public static class Scopes
         }
     }
 
-    public static class Prompts
+    public static class PromptValues
     {
         public const string Consent = "consent";
+        public const string Create = "create";
         public const string Login = "login";
         public const string None = "none";
         public const string SelectAccount = "select_account";

src/OpenIddict.Abstractions/OpenIddictResources.resx

@@ -365,12 +365,6 @@ Consider using 'options.AddSigningCredentials(SigningCredentials)' instead.</val
   <data name="ID0072" xml:space="preserve">
     <value>Endpoint URIs must be valid URIs.</value>
   </data>
-  <data name="ID0073" xml:space="preserve">
-    <value>Claims cannot be null or empty.</value>
-  </data>
-  <data name="ID0074" xml:space="preserve">
-    <value>Scopes cannot be null or empty.</value>
-  </data>
   <data name="ID0075" xml:space="preserve">
     <value>The security token handler cannot be null.</value>
   </data>
@@ -1704,6 +1698,9 @@ To apply post-logout redirection responses, create a class implementing 'IOpenId
   <data name="ID0456" xml:space="preserve">
     <value>The specified client authentication method/token binding methods combination is not valid.</value>
   </data>
+  <data name="ID0457" xml:space="preserve">
+    <value>The '{0}' parameter cannot contain null or empty values.</value>
+  </data>
   <data name="ID2000" xml:space="preserve">
     <value>The security token is missing.</value>
   </data>
@@ -2379,7 +2376,7 @@ The principal used to create the token contained the following claims: {Claims}.
     <value>The authorization request was rejected because the '{Scope}' scope was missing.</value>
   </data>
   <data name="ID6040" xml:space="preserve">
-    <value>The authorization request was rejected because an invalid prompt parameter was specified.</value>
+    <value>The authorization request was rejected because an invalid prompt combination was specified.</value>
   </data>
   <data name="ID6041" xml:space="preserve">
     <value>The authorization request was rejected because the specified code challenge method was not supported.</value>
@@ -2892,6 +2889,9 @@ This may indicate that the hashed entry is corrupted or malformed.</value>
   <data name="ID6232" xml:space="preserve">
     <value>An error was returned by ASWebAuthenticationSession while trying to start a sign-out operation.</value>
   </data>
+  <data name="ID6233" xml:space="preserve">
+    <value>The authorization request was rejected because an unsupported prompt parameter was specified.</value>
+  </data>
   <data name="ID8000" xml:space="preserve">
     <value>https://documentation.openiddict.com/errors/{0}</value>
   </data>

src/OpenIddict.Server/OpenIddictServerBuilder.cs

@@ -1634,12 +1634,33 @@ public OpenIddictServerBuilder RegisterClaims(params string[] claims)
 
         if (Array.Exists(claims, string.IsNullOrEmpty))
         {
-            throw new ArgumentException(SR.GetResourceString(SR.ID0073), nameof(claims));
+            throw new ArgumentException(SR.FormatID0457(nameof(claims)), nameof(claims));
         }
 
         return Configure(options => options.Claims.UnionWith(claims));
     }
 
+    /// <summary>
+    /// Registers the specified prompt values as supported scopes so
+    /// they can be returned as part of the discovery document.
+    /// </summary>
+    /// <param name="values">The supported prompt values.</param>
+    /// <returns>The <see cref="OpenIddictServerBuilder"/> instance.</returns>
+    public OpenIddictServerBuilder RegisterPromptValues(params string[] values)
+    {
+        if (values is null)
+        {
+            throw new ArgumentNullException(nameof(values));
+        }
+
+        if (Array.Exists(values, string.IsNullOrEmpty))
+        {
+            throw new ArgumentException(SR.FormatID0457(nameof(values)), nameof(values));
+        }
+
+        return Configure(options => options.PromptValues.UnionWith(values));
+    }
+
     /// <summary>
     /// Registers the specified scopes as supported scopes so
     /// they can be returned as part of the discovery document.
@@ -1655,7 +1676,7 @@ public OpenIddictServerBuilder RegisterScopes(params string[] scopes)
 
         if (Array.Exists(scopes, string.IsNullOrEmpty))
         {
-            throw new ArgumentException(SR.GetResourceString(SR.ID0074), nameof(scopes));
+            throw new ArgumentException(SR.FormatID0457(nameof(scopes)), nameof(scopes));
         }
 
         return Configure(options => options.Scopes.UnionWith(scopes));

src/OpenIddict.Server/OpenIddictServerEvents.Discovery.cs

@@ -166,6 +166,11 @@ public OpenIddictRequest Request
         /// </summary>
         public HashSet<string> IntrospectionEndpointAuthenticationMethods { get; } = new(StringComparer.Ordinal);
 
+        /// <summary>
+        /// Gets the list of prompt values supported by the authorization server.
+        /// </summary>
+        public HashSet<string> PromptValues { get; } = new(StringComparer.Ordinal);
+
         /// <summary>
         /// Gets the list of response modes
         /// supported by the authorization server.

src/OpenIddict.Server/OpenIddictServerHandlers.Authentication.cs

@@ -875,10 +875,33 @@ public ValueTask HandleAsync(ValidateAuthorizationRequestContext context)
                     throw new ArgumentNullException(nameof(context));
                 }
 
+                if (string.IsNullOrEmpty(context.Request.Prompt))
+                {
+                    return default;
+                }
+
+                // Reject requests specifying an unsupported prompt value.
+                // See https://openid.net/specs/openid-connect-prompt-create-1_0.html#section-4.1 for more information.
+                foreach (var value in context.Request.GetPrompts().ToHashSet(StringComparer.Ordinal))
+                {
+                    if (!context.Options.PromptValues.Contains(value))
+                    {
+                        context.Logger.LogInformation(SR.GetResourceString(SR.ID6233));
+
+                        context.Reject(
+                            error: Errors.InvalidRequest,
+                            description: SR.FormatID2032(Parameters.Prompt),
+                            uri: SR.FormatID8000(SR.ID2032));
+
+                        return default;
+                    }
+                }
+
                 // Reject requests specifying prompt=none with consent/login or select_account.
-                if (context.Request.HasPrompt(Prompts.None) && (context.Request.HasPrompt(Prompts.Consent) ||
-                                                                context.Request.HasPrompt(Prompts.Login) ||
-                                                                context.Request.HasPrompt(Prompts.SelectAccount)))
+                // See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest for more information.
+                if (context.Request.HasPrompt(PromptValues.None) && (context.Request.HasPrompt(PromptValues.Consent) ||
+                                                                     context.Request.HasPrompt(PromptValues.Login) ||
+                                                                     context.Request.HasPrompt(PromptValues.SelectAccount)))
                 {
                     context.Logger.LogInformation(SR.GetResourceString(SR.ID6040));
 

src/OpenIddict.Server/OpenIddictServerHandlers.Discovery.cs

@@ -41,6 +41,7 @@ public static class Discovery
             AttachScopes.Descriptor,
             AttachClaims.Descriptor,
             AttachSubjectTypes.Descriptor,
+            AttachPromptValues.Descriptor,
             AttachSigningAlgorithms.Descriptor,
             AttachAdditionalMetadata.Descriptor,
 
@@ -250,6 +251,7 @@ public async ValueTask HandleAsync(ProcessRequestContext context)
                     [Metadata.IdTokenSigningAlgValuesSupported] = notification.IdTokenSigningAlgorithms.ToArray(),
                     [Metadata.CodeChallengeMethodsSupported] = notification.CodeChallengeMethods.ToArray(),
                     [Metadata.SubjectTypesSupported] = notification.SubjectTypes.ToArray(),
+                    [Metadata.PromptValuesSupported] = notification.PromptValues.ToArray(),
                     [Metadata.TokenEndpointAuthMethodsSupported] = notification.TokenEndpointAuthenticationMethods.ToArray(),
                     [Metadata.IntrospectionEndpointAuthMethodsSupported] = notification.IntrospectionEndpointAuthenticationMethods.ToArray(),
                     [Metadata.RevocationEndpointAuthMethodsSupported] = notification.RevocationEndpointAuthenticationMethods.ToArray(),
@@ -673,6 +675,35 @@ public ValueTask HandleAsync(HandleConfigurationRequestContext context)
             }
         }
 
+        /// <summary>
+        /// Contains the logic responsible for attaching the supported prompt values to the provider discovery document.
+        /// </summary>
+        public sealed class AttachPromptValues : IOpenIddictServerHandler<HandleConfigurationRequestContext>
+        {
+            /// <summary>
+            /// Gets the default descriptor definition assigned to this handler.
+            /// </summary>
+            public static OpenIddictServerHandlerDescriptor Descriptor { get; }
+                = OpenIddictServerHandlerDescriptor.CreateBuilder<HandleConfigurationRequestContext>()
+                    .UseSingletonHandler<AttachPromptValues>()
+                    .SetOrder(AttachSubjectTypes.Descriptor.Order + 1_000)
+                    .SetType(OpenIddictServerHandlerType.BuiltIn)
+                    .Build();
+
+            /// <inheritdoc/>
+            public ValueTask HandleAsync(HandleConfigurationRequestContext context)
+            {
+                if (context is null)
+                {
+                    throw new ArgumentNullException(nameof(context));
+                }
+
+                context.PromptValues.UnionWith(context.Options.PromptValues);
+
+                return default;
+            }
+        }
+
         /// <summary>
         /// Contains the logic responsible for attaching the supported signing algorithms to the provider discovery document.
         /// </summary>
@@ -684,7 +715,7 @@ public sealed class AttachSigningAlgorithms : IOpenIddictServerHandler<HandleCon
             public static OpenIddictServerHandlerDescriptor Descriptor { get; }
                 = OpenIddictServerHandlerDescriptor.CreateBuilder<HandleConfigurationRequestContext>()
                     .UseSingletonHandler<AttachSigningAlgorithms>()
-                    .SetOrder(AttachSubjectTypes.Descriptor.Order + 1_000)
+                    .SetOrder(AttachPromptValues.Descriptor.Order + 1_000)
                     .SetType(OpenIddictServerHandlerType.BuiltIn)
                     .Build();
 

src/OpenIddict.Server/OpenIddictServerOptions.cs

@@ -375,6 +375,19 @@ public sealed class OpenIddictServerOptions
     /// </summary>
     public HashSet<string> GrantTypes { get; } = new(StringComparer.Ordinal);
 
+    /// <summary>
+    /// Gets the OpenID Connect prompt values enabled for this application.
+    /// </summary>
+    public HashSet<string> PromptValues { get; } = new(StringComparer.Ordinal)
+    {
+        // By default, only include the mandatory values defined in the core OpenID Connect specification.
+        // See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest for more information.
+        OpenIddictConstants.PromptValues.Consent,
+        OpenIddictConstants.PromptValues.Login,
+        OpenIddictConstants.PromptValues.None,
+        OpenIddictConstants.PromptValues.SelectAccount
+    };
+
     /// <summary>
     /// Gets or sets a boolean indicating whether PKCE must be used by client applications
     /// when requesting an authorization code (e.g when using the code or hybrid flows).