@@ -45,6 +45,12 @@ public AuthorizationController(
4545 _userManager = userManager ;
4646 }
4747
48+ /// <summary>
49+ /// This action is invoked when a GET/POST is sent to the authorization endpoint
50+ /// (e.g when the user agent is redirected to the authorization endpoint by the client application
51+ /// The IgnoreAntiforgeryToken attribute is used to disable the CSRF protection for this endpoint,
52+ /// as the connect endpoints are going to be called by an external client, which won't be able to provide an anti-forgery token.
53+ /// </summary>
4854 [ HttpGet ( "~/connect/authorize" ) ]
4955 [ HttpPost ( "~/connect/authorize" ) ]
5056 [ IgnoreAntiforgeryToken ]
@@ -53,16 +59,6 @@ public async Task<IActionResult> Authorize()
5359 var request = HttpContext . GetOpenIddictServerRequest ( ) ??
5460 throw new InvalidOperationException ( "The OpenID Connect request cannot be retrieved." ) ;
5561
56- // Try to retrieve the user principal stored in the authentication cookie and redirect
57- // the user agent to the login page (or to an external provider) in the following cases:
58- //
59- // - If the user principal can't be extracted or the cookie is too old.
60- // - If prompt=login was specified by the client application.
61- // - If max_age=0 was specified by the client application (max_age=0 is equivalent to prompt=login).
62- // - If a max_age parameter was provided and the authentication cookie is not considered "fresh" enough.
63- //
64- // For scenarios where the default authentication handler configured in the ASP.NET Core
65- // authentication options shouldn't be used, a specific scheme can be specified here.
6662 var result = await HttpContext . AuthenticateAsync ( ) ;
6763 if ( result is not { Succeeded : true } ||
6864 ( ( request . HasPromptValue ( OpenIddictConstants . PromptValues . Login ) || request . MaxAge is 0 ||
@@ -316,6 +312,12 @@ public IActionResult Deny()
316312 return Forbid ( OpenIddictServerAspNetCoreDefaults . AuthenticationScheme ) ;
317313 }
318314
315+ /// <summary>
316+ /// This action is invoked when a POST is sent to the token endpoint as part of the OAuth 2.0
317+ /// authorization code or refresh token flows, to exchange an authorization code or a refresh token
318+ /// The IgnoreAntiforgeryToken attribute is used to disable the CSRF protection for this endpoint,
319+ /// as the endpoints is going to be called by an external client, which won't be able to provide an anti-forgery token.
320+ /// </summary>
319321 [ HttpPost ( "~/connect/token" ) ]
320322 [ IgnoreAntiforgeryToken ]
321323 [ Produces ( "application/json" ) ]
0 commit comments