//public DeviceCode DeviceCodeResult { get; set; } = new DeviceCode();
public Task ValidateAsync(BackchannelAuthenticationRequestIdValidationContext context)
{
if (shouldError)
{
context.Result = new TokenRequestValidationResult(context.Request, "error");
}
else
{
context.Result = new TokenRequestValidationResult(context.Request);
}
//context.Request.DeviceCode = DeviceCodeResult;
return(Task.CompletedTask);
}
private async Task <TokenRequestValidationResult> ValidateCibaRequestRequestAsync(NameValueCollection parameters)
{
_logger.LogDebug("Start validation of CIBA request");
/////////////////////////////////////////////
// check if client is authorized for grant type
/////////////////////////////////////////////
if (!_validatedRequest.Client.AllowedGrantTypes.ToList().Contains(OidcConstants.GrantTypes.Ciba))
{
LogError("Client not authorized for CIBA flow");
return(Invalid(OidcConstants.TokenErrors.UnauthorizedClient));
}
LicenseValidator.ValidateCiba();
/////////////////////////////////////////////
// validate authentication request id parameter
/////////////////////////////////////////////
var authRequestId = parameters.Get(OidcConstants.TokenRequest.AuthenticationRequestId);
if (authRequestId.IsMissing())
{
LogError("Authentication request id is missing");
return(Invalid(OidcConstants.TokenErrors.InvalidRequest));
}
if (authRequestId.Length > _options.InputLengthRestrictions.AuthenticationRequestId)
{
LogError("Authentication request id too long");
return(Invalid(OidcConstants.TokenErrors.InvalidGrant));
}
/////////////////////////////////////////////
// validate authentication request id
/////////////////////////////////////////////
var validationContext = new BackchannelAuthenticationRequestIdValidationContext
{
AuthenticationRequestId = authRequestId,
Request = _validatedRequest
};
await _backchannelAuthenticationRequestIdValidator.ValidateAsync(validationContext);
if (validationContext.Result.IsError)
{
return(validationContext.Result);
}
//////////////////////////////////////////////////////////
// resource indicator
//////////////////////////////////////////////////////////
if (_validatedRequest.RequestedResourceIndicator != null &&
_validatedRequest.BackChannelAuthenticationRequest.RequestedResourceIndicators?.Any() == true &&
!_validatedRequest.BackChannelAuthenticationRequest.RequestedResourceIndicators.Contains(_validatedRequest.RequestedResourceIndicator))
{
return(Invalid(OidcConstants.AuthorizeErrors.InvalidTarget, "Resource indicator does not match any resource indicator in the original backchannel authentication request."));
}
//////////////////////////////////////////////////////////
// resource and scope validation
//////////////////////////////////////////////////////////
var validatedResources = await _resourceValidator.ValidateRequestedResourcesAsync(new ResourceValidationRequest
{
Client = _validatedRequest.Client,
Scopes = _validatedRequest.BackChannelAuthenticationRequest.AuthorizedScopes,
ResourceIndicators = _validatedRequest.BackChannelAuthenticationRequest.RequestedResourceIndicators,
// if we are issuing a refresh token, then we need to allow the non-isolated resource
IncludeNonIsolatedApiResources = _validatedRequest.BackChannelAuthenticationRequest.RequestedScopes.Contains(OidcConstants.StandardScopes.OfflineAccess)
});
if (!validatedResources.Succeeded)
{
if (validatedResources.InvalidResourceIndicators.Any())
{
return(Invalid(OidcConstants.AuthorizeErrors.InvalidTarget, "Invalid resource indicator."));
}
if (validatedResources.InvalidScopes.Any())
{
return(Invalid(OidcConstants.AuthorizeErrors.InvalidScope, "Invalid scope."));
}
}
LicenseValidator.ValidateResourceIndicators(_validatedRequest.RequestedResourceIndicator);
_validatedRequest.ValidatedResources = validatedResources.FilterByResourceIndicator(_validatedRequest.RequestedResourceIndicator);
_logger.LogDebug("Validation of CIBA token request success");
return(Valid());
}
/// <inheritdoc/>
public async Task ValidateAsync(BackchannelAuthenticationRequestIdValidationContext context)
{
using var activity = Tracing.BasicActivitySource.StartActivity("BackchannelAuthenticationRequestIdValidator.Validate");
var request = await _backchannelAuthenticationStore.GetByAuthenticationRequestIdAsync(context.AuthenticationRequestId);
if (request == null)
{
_logger.LogError("Invalid authentication request id");
context.Result = new TokenRequestValidationResult(context.Request, OidcConstants.TokenErrors.InvalidGrant);
return;
}
// validate client binding
if (request.ClientId != context.Request.Client.ClientId)
{
_logger.LogError("Client {0} is trying to use a authentication request id from client {1}", context.Request.Client.ClientId, request.ClientId);
context.Result = new TokenRequestValidationResult(context.Request, OidcConstants.TokenErrors.InvalidGrant);
return;
}
if (await _throttlingService.ShouldSlowDown(context.AuthenticationRequestId, request))
{
_logger.LogError("Client {0} is polling too fast", request.ClientId);
context.Result = new TokenRequestValidationResult(context.Request, OidcConstants.TokenErrors.SlowDown);
return;
}
// validate lifetime
if (request.CreationTime.AddSeconds(request.Lifetime) < _systemClock.UtcNow.UtcDateTime)
{
_logger.LogError("Expired authentication request id");
context.Result = new TokenRequestValidationResult(context.Request, OidcConstants.TokenErrors.ExpiredToken);
return;
}
// denied
if (request.IsComplete &&
(request.AuthorizedScopes == null || request.AuthorizedScopes.Any() == false))
{
_logger.LogError("No scopes authorized for backchannel authentication request. Access denied");
context.Result = new TokenRequestValidationResult(context.Request, OidcConstants.TokenErrors.AccessDenied);
await _backchannelAuthenticationStore.RemoveByInternalIdAsync(request.InternalId);
return;
}
// make sure authentication request id is complete
if (!request.IsComplete)
{
context.Result = new TokenRequestValidationResult(context.Request, OidcConstants.TokenErrors.AuthorizationPending);
return;
}
// make sure user is enabled
var isActiveCtx = new IsActiveContext(request.Subject, context.Request.Client, IdentityServerConstants.ProfileIsActiveCallers.BackchannelAuthenticationRequestIdValidation);
await _profile.IsActiveAsync(isActiveCtx);
if (isActiveCtx.IsActive == false)
{
_logger.LogError("User has been disabled: {subjectId}", request.Subject.GetSubjectId());
context.Result = new TokenRequestValidationResult(context.Request, OidcConstants.TokenErrors.InvalidGrant);
return;
}
context.Request.BackChannelAuthenticationRequest = request;
context.Request.Subject = request.Subject;
context.Request.SessionId = request.SessionId;
context.Result = new TokenRequestValidationResult(context.Request);
await _backchannelAuthenticationStore.RemoveByInternalIdAsync(request.InternalId);
_logger.LogDebug("Success validating backchannel authentication request id.");
}