public override async Task ValidateClientAuthentication(ValidateClientAuthenticationContext context)
{
// Note: client authentication is not mandatory for non-confidential client applications like mobile apps
// (except when using the client credentials grant type) but this authorization server uses a safer policy
// that makes client authentication mandatory and returns an error if client_id or client_secret is missing.
// You may consider relaxing it to support the resource owner password credentials grant type
// with JavaScript or desktop applications, where client credentials cannot be safely stored.
// In this case, call context.Skip() to inform the server middleware the client is not trusted.
if (string.IsNullOrEmpty(context.ClientId) || string.IsNullOrEmpty(context.ClientSecret))
{
context.Reject(
error: "invalid_request",
description: "Missing credentials: ensure that your credentials were correctly " +
"flowed in the request body or in the authorization header");
return;
}
var database = context.HttpContext.RequestServices.GetRequiredService <ApplicationContext>();
// Retrieve the application details corresponding to the requested client_id.
var application = await(from entity in database.Applications
where entity.ApplicationID == context.ClientId
select entity).SingleOrDefaultAsync(context.HttpContext.RequestAborted);
if (application == null)
{
context.Reject(
error: "invalid_client",
description: "Application not found in the database: ensure that your client_id is correct");
return;
}
if (!string.Equals(context.ClientSecret, application.Secret, StringComparison.Ordinal))
{
context.Reject(
error: "invalid_client",
description: "Invalid credentials: ensure that you specified a correct client_secret");
return;
}
context.Validate();
}
