Skip to content

Commit 9e79b68

Browse files
committed
chore: update docs for auth controller
1 parent 63a98af commit 9e79b68

1 file changed

Lines changed: 12 additions & 10 deletions

File tree

user-management/src/Stickerlandia.UserManagement.Api/Controllers/AuthorizationController.cs

Lines changed: 12 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -45,6 +45,12 @@ public AuthorizationController(
4545
_userManager = userManager;
4646
}
4747

48+
/// <summary>
49+
/// This action is invoked when a GET/POST is sent to the authorization endpoint
50+
/// (e.g when the user agent is redirected to the authorization endpoint by the client application
51+
/// The IgnoreAntiforgeryToken attribute is used to disable the CSRF protection for this endpoint,
52+
/// as the connect endpoints are going to be called by an external client, which won't be able to provide an anti-forgery token.
53+
/// </summary>
4854
[HttpGet("~/connect/authorize")]
4955
[HttpPost("~/connect/authorize")]
5056
[IgnoreAntiforgeryToken]
@@ -53,16 +59,6 @@ public async Task<IActionResult> Authorize()
5359
var request = HttpContext.GetOpenIddictServerRequest() ??
5460
throw new InvalidOperationException("The OpenID Connect request cannot be retrieved.");
5561

56-
// Try to retrieve the user principal stored in the authentication cookie and redirect
57-
// the user agent to the login page (or to an external provider) in the following cases:
58-
//
59-
// - If the user principal can't be extracted or the cookie is too old.
60-
// - If prompt=login was specified by the client application.
61-
// - If max_age=0 was specified by the client application (max_age=0 is equivalent to prompt=login).
62-
// - If a max_age parameter was provided and the authentication cookie is not considered "fresh" enough.
63-
//
64-
// For scenarios where the default authentication handler configured in the ASP.NET Core
65-
// authentication options shouldn't be used, a specific scheme can be specified here.
6662
var result = await HttpContext.AuthenticateAsync();
6763
if (result is not { Succeeded: true } ||
6864
((request.HasPromptValue(OpenIddictConstants.PromptValues.Login) || request.MaxAge is 0 ||
@@ -316,6 +312,12 @@ public IActionResult Deny()
316312
return Forbid(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
317313
}
318314

315+
/// <summary>
316+
/// This action is invoked when a POST is sent to the token endpoint as part of the OAuth 2.0
317+
/// authorization code or refresh token flows, to exchange an authorization code or a refresh token
318+
/// The IgnoreAntiforgeryToken attribute is used to disable the CSRF protection for this endpoint,
319+
/// as the endpoints is going to be called by an external client, which won't be able to provide an anti-forgery token.
320+
/// </summary>
319321
[HttpPost("~/connect/token")]
320322
[IgnoreAntiforgeryToken]
321323
[Produces("application/json")]

0 commit comments

Comments
 (0)