public override async Task ValidateAuthorizationRequest(ValidateAuthorizationRequestContext context) {
// Note: the OpenID Connect server middleware supports the authorization code, implicit and hybrid flows
// but this authorization provider only accepts response_type=code authorization/authentication requests.
// You may consider relaxing it to support the implicit or hybrid flows. In this case, consider adding
// checks rejecting implicit/hybrid authorization requests when the client is a confidential application.
if (!context.Request.IsAuthorizationCodeFlow()) {
context.Reject(
error: OpenIdConnectConstants.Errors.UnsupportedResponseType,
description: "Only the authorization code flow is supported by this authorization server");
return;
}
// Note: to support custom response modes, the OpenID Connect server middleware doesn't
// reject unknown modes before the ApplyAuthorizationResponse event is invoked.
// To ensure invalid modes are rejected early enough, a check is made here.
if (!string.IsNullOrEmpty(context.Request.ResponseMode) && !context.Request.IsFormPostResponseMode() &&
!context.Request.IsFragmentResponseMode() &&
!context.Request.IsQueryResponseMode()) {
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidRequest,
description: "The specified response_mode is unsupported.");
return;
}
var database = context.HttpContext.RequestServices.GetRequiredService<ApplicationContext>();
// Retrieve the application details corresponding to the requested client_id.
var application = await (from entity in database.Applications
where entity.ApplicationID == context.ClientId
select entity).SingleOrDefaultAsync(context.HttpContext.RequestAborted);
if (application == null) {
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidClient,
description: "Application not found in the database: ensure that your client_id is correct");
return;
}
if (!string.IsNullOrEmpty(context.RedirectUri) &&
!string.Equals(context.RedirectUri, application.RedirectUri, StringComparison.Ordinal)) {
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidClient,
description: "Invalid redirect_uri");
return;
}
context.Validate(application.RedirectUri);
}
public override Task ValidateAuthorizationRequest(ValidateAuthorizationRequestContext context) {
// Note: the OpenID Connect server middleware supports the authorization code, implicit and hybrid flows
// but this authorization provider only accepts response_type=code authorization/authentication requests.
// You may consider relaxing it to support the implicit or hybrid flows. In this case, consider adding
// checks rejecting implicit/hybrid authorization requests when the client is a confidential application.
if (!context.Request.IsAuthorizationCodeFlow()) {
context.Reject(
error: OpenIdConnectConstants.Errors.UnsupportedResponseType,
description: "Only the authorization code flow is supported by this authorization server.");
return Task.FromResult(0);
}
// Note: to support custom response modes, the OpenID Connect server middleware doesn't
// reject unknown modes before the ApplyAuthorizationResponse event is invoked.
// To ensure invalid modes are rejected early enough, a check is made here.
if (!string.IsNullOrEmpty(context.Request.ResponseMode) && !context.Request.IsFormPostResponseMode() &&
!context.Request.IsFragmentResponseMode() &&
!context.Request.IsQueryResponseMode()) {
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidRequest,
description: "The specified response_mode is unsupported.");
return Task.FromResult(0);
}
// Ensure the client_id parameter corresponds to the Postman client.
if (!string.Equals(context.Request.ClientId, "postman", StringComparison.Ordinal)) {
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidClient,
description: "The specified client_id is unknown.");
return Task.FromResult(0);
}
// Ensure the redirect_uri parameter corresponds to the Postman client.
if (!string.Equals(context.Request.RedirectUri, "https://www.getpostman.com/oauth2/callback", StringComparison.Ordinal)) {
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidClient,
description: "The specified redirect_uri is invalid.");
return Task.FromResult(0);
}
context.Validate();
return Task.FromResult(0);
}