public Task <SecretValidationResult> ValidateAsync(IEnumerable <Secret> secrets, ParsedSecret parsedSecret)
{
var fail = Task.FromResult(new SecretValidationResult {
Success = false
});
var success = Task.FromResult(new SecretValidationResult {
Success = true
});
if (parsedSecret.Type != IdentityServerConstants.ParsedSecretTypes.JwtBearer)
{
return(fail);
}
if (!(parsedSecret.Credential is string jwtTokenString))
{
_logger.LogError("ParsedSecret.Credential is not a string.");
return(fail);
}
if (!_genericJwtValidator.Validate(jwtTokenString, parsedSecret.Id, _partyDetailsOptions.ClientId))
{
_logger.LogError("ParsedSecret.Credential is not a valid JWT.");
return(fail);
}
return(success);
}
public async Task <IdentityResult> Validate(DelegationMask mask)
{
try
{
if (mask.PreviousSteps != null)
{
foreach (var step in mask.PreviousSteps)
{
var assertion = _assertionParser.Parse(step);
var result = await _assertionParser.ValidateAsync(assertion);
if (!result.Success || !_defaultJwtValidator.Validate(step,
mask.DelegationRequest.Target.AccessSubject, // client id should be access subject
_context.HttpContext.User.GetRequestingClientId() // audience should be the requester id
))
{
return(IdentityResult.Failed(new IdentityError {
Code = "previous_steps_validation_error"
}));
}
if (mask.DelegationRequest.Target.AccessSubject != assertion.JwtToken.Issuer)
{
return(IdentityResult.Failed(new IdentityError {
Code = "invalid_delegation_assertion_pair"
}));
}
}
}
return(IdentityResult.Success);
}
catch (Exception ex)
{
_logger.LogWarning(ex, "Exception while authorizing previous steps");
return(IdentityResult.Failed(new IdentityError {
Code = "previous_steps_validation_error", Description = ex.Message
}));
}
}
