private static bool CreateUser(string authToken, string userName, string password, string emailAddress,
SimpleNameValueCollection profile, bool updateIfExists)
{
var service = new UserManagementServiceClient();
var result = service.CreateUser(authToken, userName, password, emailAddress, profile, updateIfExists);
if (result.CallSuccess) return true;
Console.WriteLine(result.FailureMessage);
return false;
}
public static SimpleNameValueCollection AsNameValueCollection(this IDictionary <string, StringValues> collection)
{
var nv = new SimpleNameValueCollection();
foreach (var field in collection)
{
nv.Add(field.Key, field.Value.First());
}
return(nv);
}
public async Task <TokenRequestValidationResult> ValidateRequestAsync(SimpleNameValueCollection parameters)
{
_logger.LogDebug("Start token request validation");
_validatedRequest = new ValidatedTokenRequest
{
Raw = parameters ?? throw new ArgumentNullException(nameof(parameters))
};
/////////////////////////////////////////////
// check grant type
/////////////////////////////////////////////
var clientId = parameters.Get(OidcConstants.TokenRequest.ClientId);
if (clientId.IsMissing())
{
LogError("ClientId is missing");
return(Invalid(OidcConstants.TokenErrors.UnsupportedGrantType));
}
_validatedRequest.ClientId = clientId;
/////////////////////////////////////////////
// check grant type
/////////////////////////////////////////////
var grantType = parameters.Get(OidcConstants.TokenRequest.GrantType);
if (grantType.IsMissing())
{
LogError("Grant type is missing");
return(Invalid(OidcConstants.TokenErrors.UnsupportedGrantType));
}
if (grantType.Length > _options.InputLengthRestrictions.GrantType)
{
LogError("Grant type is too long");
return(Invalid(OidcConstants.TokenErrors.UnsupportedGrantType));
}
_validatedRequest.GrantType = grantType;
switch (grantType)
{
case OidcConstants.GrantTypes.AuthorizationCode:
return(await RunValidationAsync(ValidateAuthorizationCodeRequestAsync, parameters));
default:
return(Invalid(OidcConstants.TokenErrors.InvalidGrant));
}
}
/// <summary>
/// A utility method used to construct a user's profile.
/// </summary>
/// <param name="profile">A list of profile properties.</param>
/// <returns></returns>
private static SimpleNameValueCollection BuildProfile(IList<KeyValuePair<string, string>> profile)
{
SimpleNameValueCollection userProfile = null;
if (profile != null)
{
var profileProperties = new SimpleNameValue[profile.Count()];
for (var i = 0; i < profile.Count(); i++)
{
var property = profile[i];
profileProperties[i] = new SimpleNameValue { Name = property.Key, Value = property.Value };
}
userProfile = new SimpleNameValueCollection { NameValueList = profileProperties };
}
return userProfile;
}
public static Dictionary <string, string> ToScrubbedDictionary(this SimpleNameValueCollection collection, params string[] nameFilter)
{
var dict = new Dictionary <string, string>();
if (collection == null || collection.Count == 0)
{
return(dict);
}
foreach (string name in collection.AllKeys)
{
var value = collection.Get(name);
if (value != null)
{
if (nameFilter.Contains(name))
{
value = "***REDACTED***";
}
dict.Add(name, value);
}
}
return(dict);
}
public static Dictionary <string, string> ToDictionary(this SimpleNameValueCollection collection)
{
return(collection.ToScrubbedDictionary());
}
private async Task <TokenRequestValidationResult> ValidateAuthorizationCodeRequestAsync(SimpleNameValueCollection parameters)
{
_logger.LogDebug("Start validation of authorization code token request");
/////////////////////////////////////////////
// validate authorization code
/////////////////////////////////////////////
var code = parameters.Get(OidcConstants.TokenRequest.Code);
if (code.IsMissing())
{
LogError("Authorization code is missing");
return(Invalid(OidcConstants.TokenErrors.InvalidGrant));
}
if (code.Length > _options.InputLengthRestrictions.AuthorizationCode)
{
LogError("Authorization code is too long");
return(Invalid(OidcConstants.TokenErrors.InvalidGrant));
}
_validatedRequest.AuthorizationCodeHandle = code;
_validatedRequest.IdTokenResponse = await _oidcPipelineStore.GetDownstreamIdTokenResponseAsync(code);
if (_validatedRequest.IdTokenResponse == null)
{
LogError("Invalid authorization code", new { code });
return(Invalid(OidcConstants.TokenErrors.InvalidGrant));
}
await _oidcPipelineStore.DeleteStoredCacheAsync(code);
/////////////////////////////////////////////
// validate client binding
/////////////////////////////////////////////
if (_validatedRequest.IdTokenResponse.Request.ClientId != _validatedRequest.ClientId)
{
LogError("Client is trying to use a code from a different client",
new { clientId = _validatedRequest.ClientId, codeClient = _validatedRequest.IdTokenResponse.Request.ClientId });
return(Invalid(OidcConstants.TokenErrors.InvalidGrant));
}
/////////////////////////////////////////////
// validate redirect_uri
/////////////////////////////////////////////
var redirectUri = parameters.Get(OidcConstants.TokenRequest.RedirectUri);
if (redirectUri.IsMissing())
{
LogError("Redirect URI is missing");
return(Invalid(OidcConstants.TokenErrors.UnauthorizedClient));
}
if (redirectUri.Equals(_validatedRequest.IdTokenResponse.Request.RedirectUri, StringComparison.Ordinal) == false)
{
LogError("Invalid redirect_uri", new { redirectUri, expectedRedirectUri = _validatedRequest.IdTokenResponse.Request.RedirectUri });
return(Invalid(OidcConstants.TokenErrors.UnauthorizedClient));
}
/////////////////////////////////////////////
// validate PKCE parameters
/////////////////////////////////////////////
var codeVerifier = parameters.Get(OidcConstants.TokenRequest.CodeVerifier);
if (_validatedRequest.IdTokenResponse.Request.CodeChallenge.IsPresent())
{
_logger.LogDebug("Client required a proof key for code exchange. Starting PKCE validation");
var proofKeyResult = ValidateAuthorizationCodeWithProofKeyParameters(codeVerifier, _validatedRequest.IdTokenResponse);
if (proofKeyResult.IsError)
{
return(proofKeyResult);
}
_validatedRequest.CodeVerifier = codeVerifier;
}
else
{
if (codeVerifier.IsPresent())
{
LogError("Unexpected code_verifier: {codeVerifier}. This happens when the client is trying to use PKCE, but it is not enabled. Set RequirePkce to true.", codeVerifier);
return(Invalid(OidcConstants.TokenErrors.InvalidGrant));
}
}
_logger.LogDebug("Validation of authorization code token request success");
return(Valid());
}
private async Task <TokenRequestValidationResult> RunValidationAsync(Func <SimpleNameValueCollection, Task <TokenRequestValidationResult> > validationFunc, SimpleNameValueCollection parameters)
{
// run standard validation
var result = await validationFunc(parameters);
if (!result.IsError)
{
LogSuccess();
}
return(result);
}
public static DownstreamAuthorizationRequest ToDownstreamAuthorizationRequest(this SimpleNameValueCollection values)
{
var extraNames = new List <string>();
foreach (var item in values.AllKeys)
{
if (!WellKnownOIDCValues.Contains(item))
{
extraNames.Add(item);
}
}
var idTokenAuthorizationRequest = new DownstreamAuthorizationRequest
{
client_id = values.Get(OidcConstants.AuthorizeRequest.ClientId),
client_secret = values.Get("client_secret"),
nonce = values.Get(OidcConstants.AuthorizeRequest.Nonce),
response_mode = values.Get(OidcConstants.AuthorizeRequest.ResponseMode),
redirect_uri = values.Get(OidcConstants.AuthorizeRequest.RedirectUri),
response_type = values.Get(OidcConstants.AuthorizeRequest.ResponseType),
state = values.Get(OidcConstants.AuthorizeRequest.State),
scope = values.Get(OidcConstants.AuthorizeRequest.Scope)
};
if (extraNames.Any())
{
idTokenAuthorizationRequest.ExtraValues = new NameValueCollection();
}
foreach (var extraName in extraNames)
{
idTokenAuthorizationRequest.ExtraValues.Set(extraName, values.Get(extraName));
}
return(idTokenAuthorizationRequest);
}
private static void UpdateUserProfile(string authToken, string userIdentity, SimpleNameValueCollection profile)
{
var service = new UserManagementServiceClient();
var result = service.UpdateUserProfile(authToken, userIdentity, profile);
}
