public TokenRequestValidationLog(ValidatedTokenRequest request)
{
const string scrubValue = "******";
Raw = request.Raw.ToDictionary();
if (Raw.ContainsKey(OidcConstants.TokenRequest.Password))
{
Raw[OidcConstants.TokenRequest.Password] = scrubValue;
}
if (request.Client != null)
{
ClientId = request.Client.ClientId;
ClientName = request.Client.ClientName;
}
if (request.Scopes != null)
{
Scopes = request.Scopes.ToSpaceSeparatedString();
}
if (request.SignInMessage != null)
{
IdP = request.SignInMessage.IdP;
Tenant = request.SignInMessage.Tenant;
AuthenticationContextReferenceClasses = request.SignInMessage.AcrValues;
}
GrantType = request.GrantType;
AuthorizationCode = request.AuthorizationCodeHandle;
RefreshToken = request.RefreshTokenHandle;
UserName = request.UserName;
}
public async Task<CustomGrantValidationResult> ValidateAsync(ValidatedTokenRequest request)
{
var validator = _validators.FirstOrDefault(v => v.GrantType.Equals(request.GrantType, StringComparison.Ordinal));
if (validator == null)
{
return new CustomGrantValidationResult
{
IsError = true,
Error = "No validator found for grant type"
};
}
try
{
return await validator.ValidateAsync(request);
}
catch (Exception e)
{
_logger.LogError("Grant validation error", e);
return new CustomGrantValidationResult
{
IsError = true,
Error = "Grant validation error",
};
}
}
public async Task <CustomGrantValidationResult> ValidateAsync(ValidatedTokenRequest request)
{
var validator = _validators.FirstOrDefault(v => v.GrantType.Equals(request.GrantType, StringComparison.Ordinal));
if (validator == null)
{
return(new CustomGrantValidationResult
{
IsError = true,
Error = "No validator found for grant type"
});
}
try
{
return(await validator.ValidateAsync(request));
}
catch (Exception e)
{
_logger.LogError("Grant validation error", e);
return(new CustomGrantValidationResult
{
IsError = true,
Error = "Grant validation error",
});
}
}
public Task<CustomGrantValidationResult> ValidateAsync(string userName, string password, ValidatedTokenRequest request)
{
if (userName == password)
{
var result = new CustomGrantValidationResult(request.UserName, "password");
return Task.FromResult(result);
}
else
{
var result = new CustomGrantValidationResult("Username and/or password incorrect");
return Task.FromResult(result);
}
}
public Task<CustomGrantValidationResult> ValidateAsync(string userName, string password, ValidatedTokenRequest request)
{
var query =
from u in _users
where u.Username == userName && u.Password == password
select u;
var user = query.SingleOrDefault();
if (user != null)
{
return Task.FromResult(new CustomGrantValidationResult(user.Subject, "password"));
}
return Task.FromResult(new CustomGrantValidationResult("Invalid username or password"));
}
public Task<CustomGrantValidationResult> ValidateAsync(ValidatedTokenRequest request)
{
var credential = request.Raw.Get("custom_credential");
if (credential != null)
{
// valid credential
return Task.FromResult(new CustomGrantValidationResult("818727", "custom"));
}
else
{
// custom error message
return Task.FromResult(new CustomGrantValidationResult("invalid_custom_credential"));
}
}
public async Task<TokenResponse> ProcessAsync(ValidatedTokenRequest request)
{
_logger.LogVerbose("Creating token response");
if (request.GrantType == OidcConstants.GrantTypes.AuthorizationCode)
{
return await ProcessAuthorizationCodeRequestAsync(request);
}
if (request.GrantType == OidcConstants.GrantTypes.RefreshToken)
{
return await ProcessRefreshTokenRequestAsync(request);
}
return await ProcessTokenRequestAsync(request);
}
private async Task<TokenResponse> ProcessAuthorizationCodeRequestAsync(ValidatedTokenRequest request)
{
_logger.LogVerbose("Processing authorization code request");
//////////////////////////
// access token
/////////////////////////
var accessToken = await CreateAccessTokenAsync(request);
var response = new TokenResponse
{
AccessToken = accessToken.Item1,
AccessTokenLifetime = request.Client.AccessTokenLifetime
};
//////////////////////////
// refresh token
/////////////////////////
if (accessToken.Item2.IsPresent())
{
response.RefreshToken = accessToken.Item2;
}
//////////////////////////
// id token
/////////////////////////
if (request.AuthorizationCode.IsOpenId)
{
var tokenRequest = new TokenCreationRequest
{
Subject = request.AuthorizationCode.Subject,
Client = request.AuthorizationCode.Client,
Scopes = request.AuthorizationCode.RequestedScopes,
Nonce = request.AuthorizationCode.Nonce,
ValidatedRequest = request
};
var idToken = await _tokenService.CreateIdentityTokenAsync(tokenRequest);
var jwt = await _tokenService.CreateSecurityTokenAsync(idToken);
response.IdentityToken = jwt;
}
return response;
}
/// <summary>
/// Custom validation logic for the token request.
/// </summary>
/// <param name="request">The validated request.</param>
/// <returns>
/// The validation result
/// </returns>
public Task <TokenRequestValidationResult> ValidateTokenRequestAsync(ValidatedTokenRequest request)
{
return(Task.FromResult(new TokenRequestValidationResult(request)));
}
private async Task<TokenResponse> ProcessTokenRequestAsync(ValidatedTokenRequest request)
{
_logger.LogVerbose("Processing token request");
var accessToken = await CreateAccessTokenAsync(request);
var response = new TokenResponse
{
AccessToken = accessToken.Item1,
AccessTokenLifetime = request.Client.AccessTokenLifetime
};
if (accessToken.Item2.IsPresent())
{
response.RefreshToken = accessToken.Item2;
}
return response;
}
private async Task<Tuple<string, string>> CreateAccessTokenAsync(ValidatedTokenRequest request)
{
TokenCreationRequest tokenRequest;
bool createRefreshToken;
if (request.AuthorizationCode != null)
{
createRefreshToken = request.AuthorizationCode.RequestedScopes.Select(s => s.Name).Contains(Constants.StandardScopes.OfflineAccess);
tokenRequest = new TokenCreationRequest
{
Subject = request.AuthorizationCode.Subject,
Client = request.AuthorizationCode.Client,
Scopes = request.AuthorizationCode.RequestedScopes,
ValidatedRequest = request
};
}
else
{
createRefreshToken = request.ValidatedScopes.ContainsOfflineAccessScope;
tokenRequest = new TokenCreationRequest
{
Subject = request.Subject,
Client = request.Client,
Scopes = request.ValidatedScopes.GrantedScopes,
ValidatedRequest = request
};
}
Token accessToken = await _tokenService.CreateAccessTokenAsync(tokenRequest);
string refreshToken = "";
if (createRefreshToken)
{
refreshToken = await _refreshTokenService.CreateRefreshTokenAsync(tokenRequest.Subject, accessToken, request.Client);
}
var securityToken = await _tokenService.CreateSecurityTokenAsync(accessToken);
return Tuple.Create(securityToken, refreshToken);
}
public Task<CustomGrantValidationResult> ValidateAsync(ValidatedTokenRequest request)
{
return Task.FromResult(new CustomGrantValidationResult("bob", "CustomGrant"));
}
/// <summary>
/// Custom validation logic for the token request.
/// </summary>
/// <param name="request">The validated request.</param>
/// <returns>
/// The validation result
/// </returns>
public Task<TokenRequestValidationResult> ValidateTokenRequestAsync(ValidatedTokenRequest request)
{
return Task.FromResult(new TokenRequestValidationResult(request));
}
public async Task <TokenRequestValidationResult> ValidateRequestAsync(NameValueCollection parameters, Client client)
{
_logger.LogVerbose("Start token request validation");
_validatedRequest = new ValidatedTokenRequest();
if (client == null)
{
throw new ArgumentNullException("client");
}
if (parameters == null)
{
throw new ArgumentNullException("parameters");
}
_validatedRequest.Raw = parameters;
_validatedRequest.Client = client;
_validatedRequest.Options = _options;
/////////////////////////////////////////////
// check grant type
/////////////////////////////////////////////
var grantType = parameters.Get(OidcConstants.TokenRequest.GrantType);
if (grantType.IsMissing())
{
LogError("Grant type is missing.");
return(Invalid(OidcConstants.TokenErrors.UnsupportedGrantType));
}
if (grantType.Length > _options.InputLengthRestrictions.GrantType)
{
LogError("Grant type is too long.");
return(Invalid(OidcConstants.TokenErrors.UnsupportedGrantType));
}
_validatedRequest.GrantType = grantType;
// standard grant types
switch (grantType)
{
case OidcConstants.GrantTypes.AuthorizationCode:
return(await RunValidationAsync(ValidateAuthorizationCodeRequestAsync, parameters));
case OidcConstants.GrantTypes.ClientCredentials:
return(await RunValidationAsync(ValidateClientCredentialsRequestAsync, parameters));
case OidcConstants.GrantTypes.Password:
return(await RunValidationAsync(ValidateResourceOwnerCredentialRequestAsync, parameters));
case OidcConstants.GrantTypes.RefreshToken:
return(await RunValidationAsync(ValidateRefreshTokenRequestAsync, parameters));
}
// custom grant type
var result = await RunValidationAsync(ValidateCustomGrantRequestAsync, parameters);
if (result.IsError)
{
if (result.Error.IsPresent())
{
return(result);
}
LogError("Unsupported grant_type: " + grantType);
return(Invalid(OidcConstants.TokenErrors.UnsupportedGrantType));
}
return(result);
}
public Task<CustomGrantValidationResult> ValidateAsync(string userName, string password, ValidatedTokenRequest request)
{
var result = new CustomGrantValidationResult("unsupported_grant_type");
return Task.FromResult(result);
}
private async Task<TokenResponse> ProcessRefreshTokenRequestAsync(ValidatedTokenRequest request)
{
_logger.LogVerbose("Processing refresh token request");
var oldAccessToken = request.RefreshToken.AccessToken;
string accessTokenString;
if (request.Client.UpdateAccessTokenClaimsOnRefresh)
{
var subject = request.RefreshToken.GetOriginalSubject();
var creationRequest = new TokenCreationRequest
{
Client = request.Client,
Subject = subject,
ValidatedRequest = request,
Scopes = await _scopes.FindScopesAsync(oldAccessToken.Scopes)
};
var newAccessToken = await _tokenService.CreateAccessTokenAsync(creationRequest);
accessTokenString = await _tokenService.CreateSecurityTokenAsync(newAccessToken);
}
else
{
oldAccessToken.CreationTime = DateTimeOffsetHelper.UtcNow;
oldAccessToken.Lifetime = request.Client.AccessTokenLifetime;
accessTokenString = await _tokenService.CreateSecurityTokenAsync(oldAccessToken);
}
var handle = await _refreshTokenService.UpdateRefreshTokenAsync(request.RefreshTokenHandle, request.RefreshToken, request.Client);
return new TokenResponse
{
AccessToken = accessTokenString,
AccessTokenLifetime = request.Client.AccessTokenLifetime,
RefreshToken = handle
};
}
public async Task<TokenRequestValidationResult> ValidateRequestAsync(NameValueCollection parameters, Client client)
{
_logger.LogTrace("Start token request validation");
_validatedRequest = new ValidatedTokenRequest();
if (client == null)
{
throw new ArgumentNullException("client");
}
if (parameters == null)
{
throw new ArgumentNullException("parameters");
}
_validatedRequest.Raw = parameters;
_validatedRequest.Client = client;
_validatedRequest.Options = _options;
/////////////////////////////////////////////
// check grant type
/////////////////////////////////////////////
var grantType = parameters.Get(OidcConstants.TokenRequest.GrantType);
if (grantType.IsMissing())
{
LogError("Grant type is missing.");
return Invalid(OidcConstants.TokenErrors.UnsupportedGrantType);
}
if (grantType.Length > _options.InputLengthRestrictions.GrantType)
{
LogError("Grant type is too long.");
return Invalid(OidcConstants.TokenErrors.UnsupportedGrantType);
}
_validatedRequest.GrantType = grantType;
// standard grant types
switch (grantType)
{
case OidcConstants.GrantTypes.AuthorizationCode:
return await RunValidationAsync(ValidateAuthorizationCodeRequestAsync, parameters);
case OidcConstants.GrantTypes.ClientCredentials:
return await RunValidationAsync(ValidateClientCredentialsRequestAsync, parameters);
case OidcConstants.GrantTypes.Password:
return await RunValidationAsync(ValidateResourceOwnerCredentialRequestAsync, parameters);
case OidcConstants.GrantTypes.RefreshToken:
return await RunValidationAsync(ValidateRefreshTokenRequestAsync, parameters);
}
// custom grant type
var result = await RunValidationAsync(ValidateCustomGrantRequestAsync, parameters);
if (result.IsError)
{
if (result.Error.IsPresent())
{
return result;
}
LogError("Unsupported grant_type: " + grantType);
return Invalid(OidcConstants.TokenErrors.UnsupportedGrantType);
}
return result;
}
public Task <CustomGrantValidationResult> ValidateAsync(string userName, string password, ValidatedTokenRequest request)
{
var result = new CustomGrantValidationResult("unsupported_grant_type");
return(Task.FromResult(result));
}