private async Task <DeviceAuthorizationRequestValidationResult> ValidateScopeAsync(ValidatedDeviceAuthorizationRequest request)
{
//////////////////////////////////////////////////////////
// scope must be present
//////////////////////////////////////////////////////////
var scope = request.Raw.Get(OidcConstants.AuthorizeRequest.Scope);
if (scope.IsMissing())
{
_logger.LogTrace("Client provided no scopes - checking allowed scopes list");
if (!request.Client.AllowedScopes.IsNullOrEmpty())
{
var clientAllowedScopes = new List <string>(request.Client.AllowedScopes);
if (request.Client.AllowOfflineAccess)
{
clientAllowedScopes.Add(IdentityServerConstants.StandardScopes.OfflineAccess);
}
scope = clientAllowedScopes.ToSpaceSeparatedString();
_logger.LogTrace("Defaulting to: {scopes}", scope);
}
else
{
LogError("No allowed scopes configured for client", request);
return(Invalid(request, OidcConstants.AuthorizeErrors.InvalidScope));
}
}
if (scope.Length > _options.InputLengthRestrictions.Scope)
{
LogError("scopes too long.", request);
return(Invalid(request, description: "Invalid scope"));
}
request.RequestedScopes = scope.FromSpaceSeparatedString().Distinct().ToList();
if (request.RequestedScopes.Contains(IdentityServerConstants.StandardScopes.OpenId))
{
request.IsOpenIdRequest = true;
}
//////////////////////////////////////////////////////////
// check if scopes are valid/supported
//////////////////////////////////////////////////////////
if (await _scopeValidator.AreScopesValidAsync(request.RequestedScopes) == false)
{
return(Invalid(request, OidcConstants.AuthorizeErrors.InvalidScope));
}
if (_scopeValidator.ContainsOpenIdScopes && !request.IsOpenIdRequest)
{
LogError("Identity related scope requests, but no openid scope", request);
return(Invalid(request, OidcConstants.AuthorizeErrors.InvalidScope));
}
//////////////////////////////////////////////////////////
// check scopes and scope restrictions
//////////////////////////////////////////////////////////
if (await _scopeValidator.AreScopesAllowedAsync(request.Client, request.RequestedScopes) == false)
{
return(Invalid(request, OidcConstants.AuthorizeErrors.UnauthorizedClient, "Invalid scope"));
}
request.ValidatedScopes = _scopeValidator;
return(Valid(request));
}
private async Task <bool> ValidateRequestedScopesAsync(NameValueCollection parameters, bool ignoreImplicitIdentityScopes = false, bool ignoreImplicitOfflineAccess = false)
{
var ignoreIdentityScopes = false;
var scopes = parameters.Get(OidcConstants.TokenRequest.Scope);
if (scopes.IsMissing())
{
if (ignoreImplicitIdentityScopes)
{
ignoreIdentityScopes = true;
}
_logger.LogTrace("Client provided no scopes - checking allowed scopes list");
if (!_validatedRequest.Client.AllowedScopes.IsNullOrEmpty())
{
var clientAllowedScopes = new List <string>(_validatedRequest.Client.AllowedScopes);
if (!ignoreImplicitOfflineAccess)
{
if (_validatedRequest.Client.AllowOfflineAccess)
{
clientAllowedScopes.Add(IdentityServerConstants.StandardScopes.OfflineAccess);
}
}
scopes = clientAllowedScopes.ToSpaceSeparatedString();
_logger.LogTrace("Defaulting to: {scopes}", scopes);
}
else
{
LogError("No allowed scopes configured for client", new { clientId = _validatedRequest.Client.ClientId });
return(false);
}
}
if (scopes.Length > _options.InputLengthRestrictions.Scope)
{
LogError("Scope parameter exceeds max allowed length");
return(false);
}
var requestedScopes = scopes.ParseScopesString();
if (requestedScopes == null)
{
LogError("No scopes found in request");
return(false);
}
if (!await _scopeValidator.AreScopesAllowedAsync(_validatedRequest.Client, requestedScopes))
{
LogError();
return(false);
}
if (!(await _scopeValidator.AreScopesValidAsync(requestedScopes, ignoreIdentityScopes)))
{
LogError();
return(false);
}
_validatedRequest.Scopes = requestedScopes;
_validatedRequest.ValidatedScopes = _scopeValidator;
return(true);
}
private async Task <AuthorizeRequestValidationResult> ValidateScopeAsync(ValidatedAuthorizeRequest request)
{
//////////////////////////////////////////////////////////
// scope must be present
//////////////////////////////////////////////////////////
var scope = request.Raw.Get(OidcConstants.AuthorizeRequest.Scope);
if (scope.IsMissing())
{
LogError("scope is missing", request);
return(Invalid(request, description: "Invalid scope"));
}
if (scope.Length > _options.InputLengthRestrictions.Scope)
{
LogError("scopes too long.", request);
return(Invalid(request, description: "Invalid scope"));
}
request.RequestedScopes = scope.FromSpaceSeparatedString().Distinct().ToList();
if (request.RequestedScopes.Contains(IdentityServerConstants.StandardScopes.OpenId))
{
request.IsOpenIdRequest = true;
}
//////////////////////////////////////////////////////////
// check scope vs response_type plausability
//////////////////////////////////////////////////////////
var requirement = Constants.ResponseTypeToScopeRequirement[request.ResponseType];
if (requirement == Constants.ScopeRequirement.Identity ||
requirement == Constants.ScopeRequirement.IdentityOnly)
{
if (request.IsOpenIdRequest == false)
{
LogError("response_type requires the openid scope", request);
return(Invalid(request, description: "Missing openid scope"));
}
}
//////////////////////////////////////////////////////////
// check if scopes are valid/supported and check for resource scopes
//////////////////////////////////////////////////////////
if (await _scopeValidator.AreScopesValidAsync(request.RequestedScopes) == false)
{
return(Invalid(request, OidcConstants.AuthorizeErrors.InvalidScope, "Invalid scope"));
}
if (_scopeValidator.ContainsOpenIdScopes && !request.IsOpenIdRequest)
{
LogError("Identity related scope requests, but no openid scope", request);
return(Invalid(request, OidcConstants.AuthorizeErrors.InvalidScope, "Identity scopes requested, but openid scope is missing"));
}
if (_scopeValidator.ContainsApiResourceScopes)
{
request.IsApiResourceRequest = true;
}
//////////////////////////////////////////////////////////
// check scopes and scope restrictions
//////////////////////////////////////////////////////////
if (await _scopeValidator.AreScopesAllowedAsync(request.Client, request.RequestedScopes) == false)
{
return(Invalid(request, OidcConstants.AuthorizeErrors.UnauthorizedClient, description: "Invalid scope for client"));
}
request.ValidatedScopes = _scopeValidator;
//////////////////////////////////////////////////////////
// check id vs resource scopes and response types plausability
//////////////////////////////////////////////////////////
if (!_scopeValidator.IsResponseTypeValid(request.ResponseType))
{
return(Invalid(request, OidcConstants.AuthorizeErrors.InvalidScope, "Invalid scope for response type"));
}
return(Valid(request));
}
