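        /// <summary>
        /// Validates a client_credentials token request against the registered client.
        /// </summary>
        /// <param name="client">The registered client the request was routed to.</param>
        /// <param name="tokenRequest">The incoming, untrusted token request.</param>
        /// <exception cref="OAuthRequestException">
        /// <c>invalid_client</c> when the request's client_id does not match the registered client;
        /// <c>invalid_scope</c> when a requested scope is neither a resource scope nor one of the client's scopes.
        /// </exception>
        protected void ValidateClientCredentialsRequest(TClient client, TokenRequest tokenRequest)
        {
            tokenRequest.Validate();

            // client_id is an opaque identifier: compare it ordinally (still case-insensitive), not with a
            // culture-aware comparison. Culture-aware comparisons ignore some code points (soft hyphen,
            // zero-width joiner, ...) so a differently spelled identifier could match a registered one.
            if (!client.ClientId.Equals(tokenRequest.ClientId, StringComparison.OrdinalIgnoreCase))
            {
                throw new OAuthRequestException($"Invalid client id '{tokenRequest.ClientId}'.")
                      {
                          RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidClient
                      };
            }

            // Scope is optional for client_credentials; nothing more to check when it is absent.
            if (tokenRequest.Scope.IsNullOrEmpty())
            {
                return;
            }

            // Every requested scope must be a known resource scope or one of the client's own scopes.
            var resourceScopes = oauthResourceScopeDownLogic.GetResourceScopes(client);
            var clientScopes = client.Scopes?.Select(ps => ps.Scope);
            var hasUnknownScope = tokenRequest.Scope.ToSpaceList().Any(scope =>
                !resourceScopes.Contains(scope)
                && !(clientScopes != null && clientScopes.Contains(scope)));

            if (hasUnknownScope)
            {
                throw new OAuthRequestException($"Invalid scope '{tokenRequest.Scope}'.")
                      {
                          RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidScope
                      };
            }
        }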
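        /// <summary>
        /// Validates an OIDC authentication request against the registered client.
        /// </summary>
        /// <param name="client">The registered client the request was routed to.</param>
        /// <param name="authenticationRequest">The incoming, untrusted authentication request.</param>
        /// <param name="codeChallengeSecret">PKCE parameters; only validated when the client requires PKCE.</param>
        /// <exception cref="OAuthRequestException">
        /// <c>invalid_request</c> for a PKCE/response_type mismatch, an unregistered redirect_uri, an unknown
        /// response_mode, or any <see cref="ArgumentException"/> raised by the underlying validators;
        /// <c>invalid_client</c> for a client_id mismatch; <c>invalid_scope</c> when 'openid' is missing or a
        /// requested scope is unknown.
        /// </exception>
        private void ValidateAuthenticationRequest(OidcDownClient client, AuthenticationRequest authenticationRequest, CodeChallengeSecret codeChallengeSecret)
        {
            try
            {
                var responseTypes = authenticationRequest.ResponseType.ToSpaceList();
                // Anything without a 'code' response type is treated as implicit flow; the request rules differ per flow.
                bool isImplicitFlow = !responseTypes.Any(rt => rt.Contains(IdentityConstants.ResponseTypes.Code));
                authenticationRequest.Validate(isImplicitFlow);

                // A client that requires PKCE may only use the authorization code flow (response_type=code).
                if (client.RequirePkce && responseTypes.Any(rt => !rt.Equals(IdentityConstants.ResponseTypes.Code)))
                {
                    throw new OAuthRequestException($"Require '{IdentityConstants.ResponseTypes.Code}' flow with PKCE.")
                          {
                              RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidRequest
                          };
                }

                // redirect_uri must match a registered URI by exact string comparison (OAuth 2.0 Security BCP).
                // Case-insensitive or culture-aware matching is unsafe here: URI paths are case-sensitive and
                // culture-aware comparisons ignore some code points, widening what an attacker can register.
                if (!client.RedirectUris.Any(u => u.Equals(authenticationRequest.RedirectUri, StringComparison.Ordinal)))
                {
                    throw new OAuthRequestException($"Invalid redirect Uri '{authenticationRequest.RedirectUri}'.")
                          {
                              RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidRequest
                          };
                }

                // client_id is an opaque identifier: ordinal, case-insensitive comparison (no culture rules).
                if (!client.ClientId.Equals(authenticationRequest.ClientId, StringComparison.OrdinalIgnoreCase))
                {
                    throw new OAuthRequestException($"Invalid client id '{authenticationRequest.ClientId}'.")
                          {
                              RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidClient
                          };
                }

                // 'openid' must be present as a whole scope token, not merely as a substring of another scope.
                // A missing/empty scope is reported as invalid_scope instead of surfacing as a NullReferenceException.
                var requestedScopes = authenticationRequest.Scope.IsNullOrEmpty()
                    ? new List<string>()
                    : authenticationRequest.Scope.ToSpaceList().ToList();

                if (!requestedScopes.Contains(IdentityConstants.DefaultOidcScopes.OpenId))
                {
                    throw new OAuthRequestException($"Require '{IdentityConstants.DefaultOidcScopes.OpenId}' scope.")
                          {
                              RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidScope
                          };
                }

                // Apart from 'openid', every requested scope must be a known resource scope or a client scope.
                // NOTE(review): `client as TClient` yields null if OidcDownClient is not a TClient — confirm the generic constraint.
                var resourceScopes = oauthResourceScopeDownLogic.GetResourceScopes(client as TClient);
                var clientScopes = client.Scopes?.Select(ps => ps.Scope);
                var hasUnknownScope = requestedScopes.Any(scope =>
                    scope != IdentityConstants.DefaultOidcScopes.OpenId
                    && !resourceScopes.Contains(scope)
                    && !(clientScopes != null && clientScopes.Contains(scope)));

                if (hasUnknownScope)
                {
                    throw new OAuthRequestException($"Invalid scope '{authenticationRequest.Scope}'.")
                          {
                              RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidScope
                          };
                }

                ValidateResponseType(client, authenticationRequest, responseTypes);

                // response_mode is optional; when given it must be one of the supported modes.
                if (!authenticationRequest.ResponseMode.IsNullOrEmpty())
                {
                    var supportedResponseModes = new[]
                    {
                        IdentityConstants.ResponseModes.Fragment,
                        IdentityConstants.ResponseModes.Query,
                        IdentityConstants.ResponseModes.FormPost
                    };
                    if (!supportedResponseModes.Contains(authenticationRequest.ResponseMode))
                    {
                        throw new OAuthRequestException($"Invalid response mode '{authenticationRequest.ResponseMode}'.")
                              {
                                  RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidRequest
                              };
                    }
                }

                // PKCE parameters are only mandatory (and only checked) for clients that require PKCE.
                if (client.RequirePkce)
                {
                    codeChallengeSecret.Validate();
                }
            }
            catch (ArgumentException ex)
            {
                // Validators signal malformed input with ArgumentException; surface it as a protocol-level invalid_request.
                throw new OAuthRequestException(ex.Message, ex)
                      {
                          RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidRequest
                      };
            }
        }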