Added Device Id Support For PKCE Login

Author: mckaragoz

samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/Home.razor.cs

@@ -26,7 +26,7 @@ protected override async Task OnParametersSetAsync()
             return;
         }
 
-        if (!HubSessionId.TryParse(HubKey, out var hubSessionId))
+        if (HubSessionId.TryParse(HubKey, out var hubSessionId))
             _state = await HubFlowReader.GetStateAsync(hubSessionId);
     }
 

samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/NotAuthorized.razor

@@ -0,0 +1,27 @@
+@inject NavigationManager Nav
+
+<MudPage Class="d-flex align-center justify-center" FullScreen="FullScreen.FullWithoutAppbar" Column="1" Row="1">
+    <MudPaper Class="pa-8" Elevation="4" Style="max-width: 520px; width: 100%;">
+        <MudStack Spacing="3" AlignItems="AlignItems.Center">
+            <UAuthLogo Size="72" />
+
+            <MudText Typo="Typo.h5"><b>Access Denied</b></MudText>
+
+            <MudText Typo="Typo.body2" Align="Align.Center" Color="Color.Secondary">
+                You don’t have permission to view this page.
+                If you think this is a mistake, sign in with a different account or request access.
+            </MudText>
+
+            <MudStack Row="true" Spacing="2" Class="mt-2">
+                <MudButton Href="@LoginHref" Color="Color.Primary" Variant="Variant.Filled">Sign In</MudButton>
+                <MudButton OnClick="@GoBack" Color="Color.Primary" Variant="Variant.Outlined">Go Back</MudButton>
+            </MudStack>
+
+            <MudDivider Class="my-2" />
+
+            <MudText Typo="Typo.caption" Color="Color.Secondary">
+                UltimateAuth protects this resource based on your session and permissions.
+            </MudText>
+        </MudStack>
+    </MudPaper>
+</MudPage>

samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Pages/NotAuthorized.razor.cs

@@ -0,0 +1,15 @@
+namespace CodeBeam.UltimateAuth.Sample.UAuthHub.Components.Pages;
+
+public partial class NotAuthorized
+{
+    private string LoginHref
+    {
+        get
+        {
+            var returnUrl = Uri.EscapeDataString(Nav.ToBaseRelativePath(Nav.Uri));
+            return $"/login?returnUrl=/{returnUrl}";
+        }
+    }
+
+    private void GoBack() => Nav.NavigateTo("/", replace: false);
+}

samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Components/Routes.razor

@@ -1,14 +1,59 @@
-<UAuthApp>
-
-    <MudThemeProvider />
-    <MudPopoverProvider />
-    <MudDialogProvider />
-    <MudSnackbarProvider />
-
-    <Router AppAssembly="typeof(Program).Assembly" NotFoundPage="typeof(Pages.NotFound)">
-        <Found Context="routeData">
-            <AuthorizeRouteView RouteData="routeData" DefaultLayout="typeof(Layout.MainLayout)" />
-            <FocusOnNavigate RouteData="routeData" Selector="h1" />
-        </Found>
-    </Router>
+@using CodeBeam.UltimateAuth.Sample.UAuthHub.Components.Pages
+@using CodeBeam.UltimateAuth.Sample.UAuthHub.Infrastructure
+@inject ISnackbar Snackbar
+@inject DarkModeManager DarkModeManager
+
+<UAuthApp OnReauthRequired="HandleReauth">
+    <CascadingValue Value="DarkModeManager" IsFixed="true">
+        <MudThemeProvider IsDarkMode="@DarkModeManager.IsDarkMode" />
+        <MudPopoverProvider />
+        <MudDialogProvider />
+        <MudSnackbarProvider />
+
+        <Router AppAssembly="typeof(Program).Assembly" AdditionalAssemblies="new[] { typeof(UAuthClientMarker).Assembly }">
+            <Found Context="routeData">
+                <AuthorizeRouteView RouteData="routeData" DefaultLayout="typeof(Layout.MainLayout)">
+                    <NotAuthorized>
+                        <NotAuthorized />
+                    </NotAuthorized>
+                </AuthorizeRouteView>
+                <FocusOnNavigate RouteData="routeData" Selector="h1" />
+            </Found>
+        </Router>
+    </CascadingValue>
 </UAuthApp>
+
+@code {
+    private async Task HandleReauth()
+    {
+        Snackbar.Add("Reauthentication required. Please log in again.", Severity.Warning);
+    }
+
+    #region DarkMode
+
+    protected override void OnInitialized()
+    {
+        DarkModeManager.Changed += OnThemeChanged;
+    }
+
+    private void OnThemeChanged()
+    {
+        InvokeAsync(StateHasChanged);
+    }
+
+    protected override async Task OnAfterRenderAsync(bool firstRender)
+    {
+        if (firstRender)
+        {
+            await DarkModeManager.InitializeAsync();
+            StateHasChanged();
+        }
+    }
+
+    public void Dispose()
+    {
+        DarkModeManager.Changed -= OnThemeChanged;
+    }
+
+    #endregion
+}

samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Infrastructure/DarkModeManager.cs

@@ -0,0 +1,45 @@
+using CodeBeam.UltimateAuth.Client.Contracts;
+using CodeBeam.UltimateAuth.Client.Infrastructure;
+
+namespace CodeBeam.UltimateAuth.Sample.UAuthHub.Infrastructure;
+
+public sealed class DarkModeManager
+{
+    private const string StorageKey = "uauth:theme:dark";
+
+    private readonly IBrowserStorage _storage;
+
+    public DarkModeManager(IBrowserStorage storage)
+    {
+        _storage = storage;
+    }
+
+    public async Task InitializeAsync()
+    {
+        var value = await _storage.GetAsync(StorageScope.Local, StorageKey);
+
+        if (bool.TryParse(value, out var parsed))
+            IsDarkMode = parsed;
+    }
+
+    public bool IsDarkMode { get; set; }
+
+    public event Action? Changed;
+
+    public async Task ToggleAsync()
+    {
+        IsDarkMode = !IsDarkMode;
+
+        await _storage.SetAsync(StorageScope.Local, StorageKey, IsDarkMode.ToString());
+        Changed?.Invoke();
+    }
+
+    public void Set(bool value)
+    {
+        if (IsDarkMode == value)
+            return;
+
+        IsDarkMode = value;
+        Changed?.Invoke();
+    }
+}

samples/UAuthHub/CodeBeam.UltimateAuth.Sample.UAuthHub/Program.cs

@@ -1,5 +1,4 @@
 using CodeBeam.UltimateAuth.Authentication.InMemory;
-using CodeBeam.UltimateAuth.Authorization.InMemory;
 using CodeBeam.UltimateAuth.Authorization.InMemory.Extensions;
 using CodeBeam.UltimateAuth.Authorization.Reference.Extensions;
 using CodeBeam.UltimateAuth.Client;
@@ -10,6 +9,7 @@
 using CodeBeam.UltimateAuth.Credentials.InMemory.Extensions;
 using CodeBeam.UltimateAuth.Credentials.Reference;
 using CodeBeam.UltimateAuth.Sample.UAuthHub.Components;
+using CodeBeam.UltimateAuth.Sample.UAuthHub.Infrastructure;
 using CodeBeam.UltimateAuth.Security.Argon2;
 using CodeBeam.UltimateAuth.Server.Extensions;
 using CodeBeam.UltimateAuth.Sessions.InMemory;
@@ -62,6 +62,7 @@
 });
 
 builder.Services.AddSingleton<IUAuthHubMarker, DefaultUAuthHubMarker>();
+builder.Services.AddScoped<DarkModeManager>();
 
 builder.Services.AddCors(options =>
 {

samples/blazor-standalone-wasm/CodeBeam.UltimateAuth.Sample.BlazorStandaloneWasm/Program.cs

@@ -20,6 +20,7 @@
     o.Endpoints.BasePath = "https://localhost:6110/auth";
     o.Reauth.Behavior = ReauthBehavior.RaiseEvent;
     o.Login.AllowCredentialPost = true;
+    o.Pkce.ReturnUrl = "https://localhost:6130/home";
 });
 
 //builder.Services.AddScoped<AuthenticationStateProvider, UAuthAuthenticationStateProvider>();

src/CodeBeam.UltimateAuth.Client/Options/UAuthClientPkceLoginFlowOptions.cs

@@ -9,17 +9,17 @@ public sealed class UAuthClientPkceLoginFlowOptions
     /// </summary>
     public bool Enabled { get; set; } = true;
 
-    public string? ReturnUrl { get; init; }
+    public string? ReturnUrl { get; set; }
 
     /// <summary>
     /// Called after authorization_code is issued,
     /// before redirecting to the Hub.
     /// </summary>
-    public Func<PkceAuthorizeResponse, Task>? OnAuthorized { get; init; }
+    public Func<PkceAuthorizeResponse, Task>? OnAuthorized { get; set; }
 
     /// <summary>
     /// If false, BeginPkceAsync will NOT redirect automatically.
     /// Caller is responsible for navigation.
     /// </summary>
-    public bool AutoRedirect { get; init; } = true;
+    public bool AutoRedirect { get; set; } = true;
 }

src/CodeBeam.UltimateAuth.Client/Services/UAuthFlowClient.cs

@@ -22,14 +22,16 @@ internal class UAuthFlowClient : IFlowClient
 {
     private readonly IUAuthRequestClient _post;
     private readonly IUAuthClientEvents _events;
+    private readonly IDeviceIdProvider _deviceIdProvider;
     private readonly UAuthClientOptions _options;
     private readonly UAuthClientDiagnostics _diagnostics;
     private readonly NavigationManager _nav;
 
-    public UAuthFlowClient(IUAuthRequestClient post, IUAuthClientEvents events, IOptions<UAuthClientOptions> options, UAuthClientDiagnostics diagnostics, NavigationManager nav)
+    public UAuthFlowClient(IUAuthRequestClient post, IUAuthClientEvents events, IDeviceIdProvider deviceIdProvider, IOptions<UAuthClientOptions> options, UAuthClientDiagnostics diagnostics, NavigationManager nav)
     {
         _post = post;
         _events = events;
+        _deviceIdProvider = deviceIdProvider;
         _options = options.Value;
         _diagnostics = diagnostics;
         _nav = nav;
@@ -168,6 +170,7 @@ public async Task<AuthValidationResult> ValidateAsync()
     public async Task BeginPkceAsync(string? returnUrl = null)
     {
         var pkce = _options.Pkce;
+        var deviceId = await _deviceIdProvider.GetOrCreateAsync();
 
         if (!pkce.Enabled)
             throw new InvalidOperationException("PKCE login is disabled by configuration.");
@@ -182,7 +185,8 @@ public async Task BeginPkceAsync(string? returnUrl = null)
             new Dictionary<string, string>
             {
                 ["code_challenge"] = challenge,
-                ["challenge_method"] = "S256"
+                ["challenge_method"] = "S256",
+                ["device_id"] = deviceId.Value
             });
 
         if (!raw.Ok || raw.Body is null)
@@ -205,7 +209,7 @@ public async Task BeginPkceAsync(string? returnUrl = null)
 
         if (pkce.AutoRedirect)
         {
-            await NavigateToHubLoginAsync(response.AuthorizationCode, verifier, resolvedReturnUrl);
+            await NavigateToHubLoginAsync(response.AuthorizationCode, verifier, resolvedReturnUrl, deviceId.Value);
         }
     }
 
@@ -229,7 +233,7 @@ public async Task CompletePkceLoginAsync(PkceLoginRequest request)
             ["return_url"] = request.ReturnUrl,
 
             ["Identifier"] = request.Identifier ?? string.Empty,
-            ["Secret"] = request.Secret ?? string.Empty
+            ["Secret"] = request.Secret ?? string.Empty,
         };
 
         await _post.NavigateAsync(url, payload);
@@ -289,7 +293,7 @@ public async Task<UAuthResult> LogoutAllDevicesAdminAsync(UserKey userKey)
     }
 
 
-    private Task NavigateToHubLoginAsync(string authorizationCode, string codeVerifier, string returnUrl)
+    private Task NavigateToHubLoginAsync(string authorizationCode, string codeVerifier, string returnUrl, string deviceId)
     {
         var hubLoginUrl = Url(_options.Endpoints.HubLoginPath);
 
@@ -298,7 +302,8 @@ private Task NavigateToHubLoginAsync(string authorizationCode, string codeVerifi
             ["authorization_code"] = authorizationCode,
             ["code_verifier"] = codeVerifier,
             ["return_url"] = returnUrl,
-            ["client_profile"] = _options.ClientProfile.ToString()
+            ["client_profile"] = _options.ClientProfile.ToString(),
+            ["device_id"] = deviceId
         };
 
         return _post.NavigateAsync(hubLoginUrl, data);

src/CodeBeam.UltimateAuth.Server/Auth/Context/AuthExecutionContext.cs

@@ -1,8 +1,10 @@
-using CodeBeam.UltimateAuth.Core.Options;
+using CodeBeam.UltimateAuth.Core.Domain;
+using CodeBeam.UltimateAuth.Core.Options;
 
 namespace CodeBeam.UltimateAuth.Server.Auth;
 
 public sealed record AuthExecutionContext
 {
     public required UAuthClientProfile? EffectiveClientProfile { get; init; }
+    public DeviceContext? Device { get; init; }
 }