/// <summary>
/// Approves an authorization request.
/// </summary>
/// <param name="authorizationRequest">The authorization request to approve.</param>
/// <param name="userDataAndNonce">The username of the account that approved the request (or whose data will be accessed by the client).</param>
/// <param name="nonce">The nonce data.</param>
/// <param name="successAccessTokenResponse">The end user authorization success access token response.</param>
/// <param name="scopes">The scope of access the client should be granted. If <c>null</c>, all scopes in the original request will be granted.</param>
/// <param name="callback">The Client callback URL to use when formulating the redirect to send the user agent back to the Client.</param>
/// <returns>The authorization response message to send to the Client.</returns>
public EndUserAuthorizationSuccessResponseBase PrepareApproveAuthorizationRequest(EndUserAuthorizationRequest authorizationRequest,
string userDataAndNonce, string nonce, out EndUserAuthorizationSuccessAccessTokenResponse successAccessTokenResponse, IEnumerable <string> scopes = null, Uri callback = null)
{
Contract.Ensures(Contract.Result <EndUserAuthorizationSuccessResponseBase>() != null);
if (callback == null)
{
callback = this.GetCallback(authorizationRequest);
}
var client = this.AuthorizationServerServices.GetClientOrThrow(authorizationRequest.ClientIdentifier);
EndUserAuthorizationSuccessResponseBase response;
EndUserAuthorizationSuccessAccessTokenResponse implicitGrantResponse = null;
switch (authorizationRequest.ResponseType)
{
case EndUserAuthorizationResponseType.AccessToken:
IAccessTokenRequestInternal accessRequestInternal = (EndUserAuthorizationImplicitRequest)authorizationRequest;
var accessTokenResult = this.AuthorizationServerServices.CreateAccessToken(accessRequestInternal, nonce);
ErrorUtilities.VerifyHost(accessTokenResult != null, "IAuthorizationServerHost.CreateAccessToken must not return null.");
accessRequestInternal.AccessTokenResult = accessTokenResult;
implicitGrantResponse = new EndUserAuthorizationSuccessAccessTokenResponse(callback, authorizationRequest);
implicitGrantResponse.Lifetime = accessTokenResult.AccessToken.Lifetime;
accessTokenResult.AccessToken.ApplyAuthorization(implicitGrantResponse.Scope, userDataAndNonce, implicitGrantResponse.Lifetime);
IAccessTokenCarryingRequest tokenCarryingResponse = implicitGrantResponse;
tokenCarryingResponse.AuthorizationDescription = accessTokenResult.AccessToken;
response = implicitGrantResponse;
break;
case EndUserAuthorizationResponseType.AuthorizationCode:
var authCodeResponse = new EndUserAuthorizationSuccessAuthCodeResponseAS(callback, authorizationRequest);
IAuthorizationCodeCarryingRequest codeCarryingResponse = authCodeResponse;
codeCarryingResponse.AuthorizationDescription = new AuthorizationCode(
authorizationRequest.ClientIdentifier,
authorizationRequest.Callback,
authCodeResponse.Scope,
userDataAndNonce);
response = authCodeResponse;
break;
default:
throw ErrorUtilities.ThrowInternal("Unexpected response type.");
}
response.AuthorizingUsername = userDataAndNonce;
// Customize the approved scope if the authorization server has decided to do so.
if (scopes != null)
{
response.Scope.ResetContents(scopes);
}
successAccessTokenResponse = implicitGrantResponse;
return(response);
}
/// <summary>
/// Performs any transformation on an incoming message that may be necessary and/or
/// validates an incoming message based on the rules of this channel binding element.
/// </summary>
/// <param name="message">The incoming message to process.</param>
/// <returns>
/// The protections (if any) that this binding element applied to the message.
/// Null if this binding element did not even apply to this binding element.
/// </returns>
/// <exception cref="ProtocolException">
/// Thrown when the binding element rules indicate that this message is invalid and should
/// NOT be processed.
/// </exception>
/// <remarks>
/// Implementations that provide message protection must honor the
/// <see cref="MessagePartAttribute.RequiredProtection"/> properties where applicable.
/// </remarks>
public override MessageProtections?ProcessIncomingMessage(IProtocolMessage message)
{
bool applied = false;
// Check that the client secret is correct for client authenticated messages.
var clientCredentialOnly = message as AccessTokenClientCredentialsRequest;
var authenticatedClientRequest = message as AuthenticatedClientRequestBase;
var accessTokenRequest = authenticatedClientRequest as AccessTokenRequestBase; // currently the only type of message.
var resourceOwnerPasswordCarrier = message as AccessTokenResourceOwnerPasswordCredentialsRequest;
if (authenticatedClientRequest != null)
{
string clientIdentifier;
var result = this.clientAuthenticationModule.TryAuthenticateClient(this.AuthServerChannel.AuthorizationServer, authenticatedClientRequest, out clientIdentifier);
switch (result)
{
case ClientAuthenticationResult.ClientAuthenticated:
break;
case ClientAuthenticationResult.NoAuthenticationRecognized:
case ClientAuthenticationResult.ClientIdNotAuthenticated:
// The only grant type that allows no client credentials is the resource owner credentials grant.
AuthServerUtilities.TokenEndpointVerify(resourceOwnerPasswordCarrier != null, accessTokenRequest, Protocol.AccessTokenRequestErrorCodes.InvalidClient, this.clientAuthenticationModule, AuthServerStrings.ClientSecretMismatch);
break;
default:
AuthServerUtilities.TokenEndpointVerify(false, accessTokenRequest, Protocol.AccessTokenRequestErrorCodes.InvalidClient, this.clientAuthenticationModule, AuthServerStrings.ClientSecretMismatch);
break;
}
authenticatedClientRequest.ClientIdentifier = result == ClientAuthenticationResult.NoAuthenticationRecognized ? null : clientIdentifier;
accessTokenRequest.ClientAuthenticated = result == ClientAuthenticationResult.ClientAuthenticated;
applied = true;
}
// Check that any resource owner password credential is correct.
if (resourceOwnerPasswordCarrier != null)
{
try {
var authorizeResult =
this.AuthorizationServer.CheckAuthorizeResourceOwnerCredentialGrant(
resourceOwnerPasswordCarrier.UserName, resourceOwnerPasswordCarrier.Password, resourceOwnerPasswordCarrier);
if (authorizeResult.IsApproved)
{
resourceOwnerPasswordCarrier.CredentialsValidated = true;
resourceOwnerPasswordCarrier.UserName = authorizeResult.CanonicalUserName;
resourceOwnerPasswordCarrier.Scope.ResetContents(authorizeResult.ApprovedScope);
}
else
{
Logger.OAuth.ErrorFormat(
"Resource owner password credential for user \"{0}\" rejected by authorization server host.",
resourceOwnerPasswordCarrier.UserName);
throw new TokenEndpointProtocolException(accessTokenRequest, Protocol.AccessTokenRequestErrorCodes.InvalidGrant, AuthServerStrings.InvalidResourceOwnerPasswordCredential);
}
} catch (NotSupportedException) {
throw new TokenEndpointProtocolException(accessTokenRequest, Protocol.AccessTokenRequestErrorCodes.UnsupportedGrantType);
} catch (NotImplementedException) {
throw new TokenEndpointProtocolException(accessTokenRequest, Protocol.AccessTokenRequestErrorCodes.UnsupportedGrantType);
}
applied = true;
}
else if (clientCredentialOnly != null)
{
try {
var authorizeResult = this.AuthorizationServer.CheckAuthorizeClientCredentialsGrant(clientCredentialOnly);
if (!authorizeResult.IsApproved)
{
Logger.OAuth.ErrorFormat(
"Client credentials grant access request for client \"{0}\" rejected by authorization server host.",
clientCredentialOnly.ClientIdentifier);
throw new TokenEndpointProtocolException(accessTokenRequest, Protocol.AccessTokenRequestErrorCodes.UnauthorizedClient);
}
clientCredentialOnly.Scope.ResetContents(authorizeResult.ApprovedScope);
} catch (NotSupportedException) {
throw new TokenEndpointProtocolException(accessTokenRequest, Protocol.AccessTokenRequestErrorCodes.UnsupportedGrantType);
} catch (NotImplementedException) {
throw new TokenEndpointProtocolException(accessTokenRequest, Protocol.AccessTokenRequestErrorCodes.UnsupportedGrantType);
}
}
else
{
// Check that authorization requests come with an acceptable callback URI.
var authorizationRequest = message as EndUserAuthorizationRequest;
if (authorizationRequest != null)
{
var client = this.AuthorizationServer.GetClientOrThrow(authorizationRequest.ClientIdentifier);
ErrorUtilities.VerifyProtocol(authorizationRequest.Callback == null || client.IsCallbackAllowed(authorizationRequest.Callback), AuthServerStrings.ClientCallbackDisallowed, authorizationRequest.Callback);
ErrorUtilities.VerifyProtocol(authorizationRequest.Callback != null || client.DefaultCallback != null, AuthServerStrings.NoCallback);
applied = true;
}
// Check that the callback URI in a direct message from the client matches the one in the indirect message received earlier.
var request = message as AccessTokenAuthorizationCodeRequestAS;
if (request != null)
{
IAuthorizationCodeCarryingRequest tokenRequest = request;
tokenRequest.AuthorizationDescription.VerifyCallback(request.Callback);
applied = true;
}
var authCarrier = message as IAuthorizationCarryingRequest;
if (authCarrier != null)
{
var accessRequest = authCarrier as AccessTokenRequestBase;
if (accessRequest != null)
{
// Make sure the client sending us this token is the client we issued the token to.
AuthServerUtilities.TokenEndpointVerify(string.Equals(accessRequest.ClientIdentifier, authCarrier.AuthorizationDescription.ClientIdentifier, StringComparison.Ordinal), accessTokenRequest, Protocol.AccessTokenRequestErrorCodes.InvalidClient);
var scopedAccessRequest = accessRequest as ScopedAccessTokenRequest;
if (scopedAccessRequest != null)
{
// Make sure the scope the client is requesting does not exceed the scope in the grant.
if (!this.AuthServerChannel.ScopeSatisfiedCheck.IsScopeSatisfied(requiredScope: scopedAccessRequest.Scope, grantedScope: authCarrier.AuthorizationDescription.Scope))
{
Logger.OAuth.ErrorFormat("The requested access scope (\"{0}\") exceeds the grant scope (\"{1}\").", scopedAccessRequest.Scope, authCarrier.AuthorizationDescription.Scope);
throw new TokenEndpointProtocolException(accessTokenRequest, Protocol.AccessTokenRequestErrorCodes.InvalidScope, AuthServerStrings.AccessScopeExceedsGrantScope);
}
}
}
// Make sure the authorization this token represents hasn't already been revoked.
if (!this.AuthorizationServer.IsAuthorizationValid(authCarrier.AuthorizationDescription))
{
Logger.OAuth.Error("Rejecting access token request because the IAuthorizationServerHost.IsAuthorizationValid method returned false.");
throw new TokenEndpointProtocolException(accessTokenRequest, Protocol.AccessTokenRequestErrorCodes.InvalidGrant);
}
applied = true;
}
}
return(applied ? (MessageProtections?)MessageProtections.None : null);
}
