/// <summary>
/// Validates authorize request parameters.
/// </summary>
/// <param name="parameters"></param>
/// <param name="subject"></param>
/// <returns></returns>
public async Task <AuthorizeRequestValidationResult> ValidateAsync(NameValueCollection parameters, ClaimsPrincipal subject = null)
{
if (parameters == null)
{
throw new ArgumentNullException(nameof(parameters));
}
var responseMode = parameters.Get(IdentityModel.OidcConstants.AuthorizeRequest.ResponseMode);
var acrValues = parameters.Get(IdentityModel.OidcConstants.AuthorizeRequest.AcrValues);
if (acrValues == Constants.KnownAcrValues.Anonymous && responseMode == OidcConstants.ResponseModes.Json)
{
// source validator dont support "json" response mode
// the "json" response mode only for anonymous requests
parameters.Remove(IdentityModel.OidcConstants.AuthorizeRequest.ResponseMode);
var result = await _inner.ValidateAsync(parameters, subject);
if (!result.IsError)
{
if (subject == null)
{
// create anon user
var anonUser = await _anonUserFactory.CreateAsync();
await _anonUserManager.CreateAsync(anonUser);
// and sign in with "anon" authentication method
await _anonSignInManager.SignInAsync(anonUser);
// reload the current user
result.ValidatedRequest.Subject = await _userSession.GetUserAsync();
}
// return "json" response mode back
result.ValidatedRequest.ResponseMode = OidcConstants.ResponseModes.Json;
// set anonymous token lifetime
// https://github.com/IdentityServer/IdentityServer4/issues/3578
if (result.ValidatedRequest.Subject.IsAnonymous())
{
result.ValidatedRequest.AccessTokenLifetime = _options.AccessTokenLifetime;
}
}
return(result);
}
return(await _inner.ValidateAsync(parameters, subject));
}
public async Task <IEndpointResult> ProcessAsync(HttpContext context)
{
if (HttpMethods.IsGet(context.Request.Method))
{
var user = await _userSession.GetUserAsync();
var parameters = context.Request.Query.AsNameValueCollection();
var result = await _validator.ValidateAsync(parameters, user);
if (!result.IsError)
{
var request = result.ValidatedRequest;
if (request.IsAnonymous() && request.ResponseMode == OidcConstants.ResponseModes.Json)
{
var response = await _authorizeResponseGenerator.CreateResponseAsync(request);
return(new AuthorizeResult(response));
}
}
}
// call source handler
var innerHandler = _handlerProvider.GetByPath("/connect/authorize");
return(await innerHandler.ProcessAsync(context));
}
public async Task <AuthorizationRequest> ParseAsync(string returnUrl)
{
using var activity = Tracing.ValidationActivitySource.StartActivity("OidcReturnUrlParser.Parse");
if (IsValidReturnUrl(returnUrl))
{
var parameters = returnUrl.ReadQueryStringAsNameValueCollection();
if (_authorizationParametersMessageStore != null)
{
var messageStoreId = parameters[Constants.AuthorizationParamsStore.MessageStoreIdParameterName];
var entry = await _authorizationParametersMessageStore.ReadAsync(messageStoreId);
parameters = entry?.Data.FromFullDictionary() ?? new NameValueCollection();
}
var user = await _userSession.GetUserAsync();
var result = await _validator.ValidateAsync(parameters, user);
if (!result.IsError)
{
_logger.LogTrace("AuthorizationRequest being returned");
return(new AuthorizationRequest(result.ValidatedRequest));
}
}
_logger.LogTrace("No AuthorizationRequest being returned");
return(null);
}
internal async Task <IEndpointResult> ProcessAuthorizeRequestAsync(NameValueCollection parameters, ClaimsPrincipal user, ConsentResponse consent, HttpContext context)
{
if (user != null)
{
Logger.LogDebug("User in authorize request: {subjectId}", user.GetSubjectId());
}
else
{
Logger.LogDebug("No user present in authorize request");
}
// validate request
var result = await _validator.ValidateAsync(parameters, user);
if (result.IsError)
{
return(await CreateErrorResultAsync(
"Request validation failed",
result.ValidatedRequest,
result.Error,
result.ErrorDescription));
}
var request = result.ValidatedRequest;
LogRequest(request);
// determine user interaction
var interactionResult = await _interactionGenerator.ProcessInteractionAsync(request, consent);
if (interactionResult.IsError)
{
return(await CreateErrorResultAsync("Interaction generator error", request, interactionResult.Error, interactionResult.ErrorDescription, false));
}
if (interactionResult.IsLogin)
{
return(new LoginPageResult(request, _loginUrlProcessor));
}
if (interactionResult.IsConsent)
{
return(new ConsentPageResult(request));
}
if (interactionResult.IsRedirect)
{
return(new CustomRedirectResult(request, interactionResult.RedirectUrl));
}
request.ClientIp = context.GetRequestIp();
request.Device = context
.GetHeaderValueAs <string>("User-Agent")
.GetDevice();
var response = await _authorizeResponseGenerator.CreateResponseAsync(request);
await RaiseResponseEventAsync(response);
LogResponse(response);
return(new AuthorizeResult(response));
}
public void ValidateAsync_ParametersEqNull_Throws()
{
NameValueCollection parameters = null;
Func <Task> act = async() => await _sut.ValidateAsync(parameters);
act.Should().Throw <ArgumentNullException>();
}
internal async Task <IActionResult> ProcessAuthorizeRequestAsync(NameValueCollection parameters)
{
var result = await _authorizeRequestValidator.ValidateAsync(parameters);
if (result.IsError)
{
return(BadRequest(result.ErrorDescription));
}
return(Ok());
}
public async Task<AuthorizationRequest> ParseAsync(string returnUrl)
{
if (IsValidReturnUrl(returnUrl))
{
var parameters = returnUrl.ReadQueryStringAsNameValueCollection();
var user = await _userSession.GetUserAsync();
var result = await _validator.ValidateAsync(parameters, user);
if (!result.IsError)
{
_logger.LogTrace("AuthorizationRequest being returned");
return result.ValidatedRequest.ToAuthorizationRequest();
}
}
_logger.LogTrace("No AuthorizationRequest being returned");
return null;
}
internal async Task <IEndpointResult> ProcessAuthorizeRequestAsync(NameValueCollection parameters, ClaimsPrincipal user, ConsentResponse consent)
{
if (user != null)
{
_logger.LogTrace("User in authorize request: name:{0}, sub:{1}", user.GetName(), user.GetSubjectId());
}
else
{
_logger.LogTrace("No user present in authorize request");
}
// validate request
var result = await _validator.ValidateAsync(parameters, user);
if (result.IsError)
{
return(await ErrorPageAsync(
result.ErrorType,
result.Error,
result.ValidatedRequest));
}
var request = result.ValidatedRequest;
// determine user interaction
var interactionResult = await _interactionGenerator.ProcessInteractionAsync(request, consent);
if (interactionResult.IsError)
{
return(await ErrorPageAsync(
interactionResult.Error.ErrorType,
interactionResult.Error.Error,
request));
}
if (interactionResult.IsLogin)
{
return(await LoginPageAsync(request));
}
if (interactionResult.IsConsent)
{
return(await ConsentPageAsync(request));
}
// issue response
return(await SuccessfulAuthorizationAsync(request));
}
public async Task <AuthorizationRequest> ParseAsync(string returnUrl)
{
if (IsValidReturnUrl(returnUrl))
{
var parameters = returnUrl.ReadQueryStringAsNameValueCollection();
var user = await _userSession.GetUserAsync();
var result = await _validator.ValidateAsync(parameters, user);
if (!result.IsError)
{
return(result.ValidatedRequest.ToAuthorizatonRequest());
}
}
return(null);
}
public async Task <AuthorizationRequest> GetAuthorizationContextAsync(string returnUrl)
{
if (returnUrl != null && IsValidReturnUrl(returnUrl))
{
var parameters = returnUrl.ReadQueryStringAsNameValueCollection();
var user = await _context.HttpContext.GetIdentityServerUserAsync();
var result = await _validator.ValidateAsync(parameters, user);
if (!result.IsError)
{
_logger.LogTrace("AuthorizationRequest being returned");
return(new AuthorizationRequest(result.ValidatedRequest));
}
}
_logger.LogTrace("No AuthorizationRequest being returned");
return(null);
}
protected async Task <IEndpointResult> ProcessAuthorizeRequestAsync(NameValueCollection parameters, ClaimsPrincipal user, ConsentResponse consent)
{
// validate request
var result = await _validator.ValidateAsync(parameters, user);
if (result.IsError)
{
return(await CreateErrorResultAsync(
"Request validation failed",
result.ValidatedRequest,
result.Error,
result.ErrorDescription));
}
var request = result.ValidatedRequest;
// determine user interaction
var interactionResult = await _interactionGenerator.ProcessInteractionAsync(request, consent);
if (interactionResult.IsError)
{
return(await CreateErrorResultAsync("Interaction generator error", request, interactionResult.Error));
}
if (interactionResult.IsLogin)
{
return(new LoginPageResult(request));
}
if (interactionResult.IsConsent)
{
return(new ConsentPageResult(request));
}
if (interactionResult.IsRedirect)
{
return(new CustomRedirectResult(request, interactionResult.RedirectUrl));
}
var response = await _authorizeResponseGenerator.CreateResponseAsync(request);
await RaiseResponseEventAsync(response);
return(new AuthorizeResult(response));
}
async Task <AuthorizationRequest> GetAuthorizeRequest(string paramName, string paramValue)
{
if (paramValue == null)
{
paramValue = _context.HttpContext.Request.Query[paramName].FirstOrDefault();
}
if (paramValue != null && IsValidReturnUrl(paramValue))
{
var parameters = paramValue.ReadQueryStringAsNameValueCollection();
var user = await _context.GetIdentityServerUserAsync();
var result = await _validator.ValidateAsync(parameters, user);
if (!result.IsError)
{
return(new AuthorizationRequest(result.ValidatedRequest));
}
}
return(null);
}
public async Task <IEndpointResult> ProcessAsync(HttpContext context)
{
string key = null;
try
{
var request = new ValidatedAuthorizeRequest();
_logger.LogInformation("Process AuthorizeEndpoint Start.._signinManager.SignOutAsync() ");
await _signinManager.SignOutAsync();
/*
* https://localhost:44305/connect/authorize?
* client_id=mvc
* &redirect_uri=https%3A%2F%2Fp7core.127.0.0.1.xip.io%3A44311%2Fsignin-oidc
* &response_type=id_token
* &scope=openid%20profile
* &response_mode=form_post
* &nonce=636973229335838266.ZWJhM2U4M2YtYWNiYi00YjZkLTkwMWYtNjRmMjM3MWRiYTk5OWNkNDIzMWUtZmY4OS00YWE0LTk4MGUtMTdiMjYxNmNmZjRk&state=CfDJ8KOz5LEySMhBtqpccMk4UVhA1PvGQQvpqQBUyR-97TDZvaPuNquTLJIUxKMYzF-Ov_HHCnnmcTForzd5RJ4jmLONvcZLY3XCHnrhh9Sc2oR2Lv2HACvPVBMy2oYmmPBtNIoXroQ9WePE_KtPyFw8ntRsHIYMmT5a0fLKGeJcwK3ewoiRHxjKpOr9hXZau9f7CVVqMvtWC2ngWrFsEeh8S0YtRZQFT-7XyjE9dNiyKp_Z-4iBUbbqzVnT4GmEmErZXUjmBhmVsMLz5h9y_F3usRT3lg7LxUNamnJuROnYIqmJzf0fYVJq1mcB5hcUipo2SNcILG3xkUikc84VznSGvD7V_qFjOHVPtOEX02JH9M4ymb3iZtZSE9dDr2RkwTU7StoKgM-x195bBULpwms8weJO-kx5I6UrY_lmWl0SFqYN
* &x-client-SKU=ID_NETSTANDARD2_0
* &x-client-ver=5.4.0.0
*
*/
SimpleNameValueCollection values;
if (HttpMethods.IsGet(context.Request.Method))
{
values = context.Request.Query.AsNameValueCollection();
}
else if (HttpMethods.IsPost(context.Request.Method))
{
if (!context.Request.HasFormContentType)
{
return(new OIDCPipeline.Core.Endpoints.Results.StatusCodeResult((int)HttpStatusCode.UnsupportedMediaType));
}
values = context.Request.Form.AsNameValueCollection();
}
else
{
return(new OIDCPipeline.Core.Endpoints.Results.StatusCodeResult((int)HttpStatusCode.MethodNotAllowed));
}
request.Raw = values;
var result = await _authorizeRequestValidator.ValidateAsync(request);
_logger.LogInformation($"Method:{context.Request.Method} ValidateAsync Error:{result.IsError}");
string redirectUrl = null;
if (!result.IsError)
{
if (string.IsNullOrWhiteSpace(request.Nonce))
{
request.Nonce = GenerateNonce();
values["OidcConstants.AuthorizeRequest.Nonce"] = request.Nonce;
}
var downstreamAuthorizationRequest = values.ToDownstreamAuthorizationRequest();
key = _oidcPipeLineKey.GetOIDCPipeLineKey();
if (!string.IsNullOrWhiteSpace(key))
{
_logger.LogInformation($"DeleteStoredCacheAsync previouse if it exists");
await _oidcPipelineStore.DeleteStoredCacheAsync(key);
}
// Initially was using the NONCE as the key, but we can't trust that clients will not hardcode a nonce
// The key has to be generated on our side and subsequently stored as a cookie.
key = Guid.NewGuid().ToString("N");
// context.SetOIDCPipeLineKey(key);
_logger.LogInformation($"StoreOriginalIdTokenRequestAsync clientid:{downstreamAuthorizationRequest.client_id}");
await _oidcPipelineStore.StoreOriginalAuthorizeRequestAsync(key, result.ValidatedAuthorizeRequest);
redirectUrl = $"{context.Request.Scheme}://{context.Request.Host}{_options.PostAuthorizeHookRedirectUrl}";
}
else
{
redirectUrl = $"{context.Request.Scheme}://{context.Request.Host}{_options.PostAuthorizeHookErrorRedirectUrl}";
}
_logger.LogInformation($"redirecting to:{redirectUrl}");
return(new Results.OriginalAuthorizeResult(_oidcPipeLineKey, redirectUrl, key));
}
catch (Exception ex)
{
string redirectUrl = $"{context.Request.Scheme}://{context.Request.Host}{_options.PostAuthorizeHookErrorRedirectUrl}";
return(new Results.OriginalAuthorizeResult(_oidcPipeLineKey, redirectUrl, key));
}
}
internal async Task <IEndpointResult> ProcessAuthorizeRequestAsync(NameValueCollection parameters, ClaimsPrincipal user, bool checkConsentResponse = false)
{
if (user != null)
{
Logger.LogDebug("User in authorize request: {subjectId}", user.GetSubjectId());
}
else
{
Logger.LogDebug("No user present in authorize request");
}
if (checkConsentResponse && _authorizationParametersMessageStore != null)
{
var messageStoreId = parameters[Constants.AuthorizationParamsStore.MessageStoreIdParameterName];
var entry = await _authorizationParametersMessageStore.ReadAsync(messageStoreId);
parameters = entry?.Data.FromFullDictionary() ?? new NameValueCollection();
await _authorizationParametersMessageStore.DeleteAsync(messageStoreId);
}
// validate request
var result = await _validator.ValidateAsync(parameters, user);
if (result.IsError)
{
return(await CreateErrorResultAsync(
"Request validation failed",
result.ValidatedRequest,
result.Error,
result.ErrorDescription));
}
string consentRequestId = null;
try
{
Message <ConsentResponse> consent = null;
if (checkConsentResponse)
{
var consentRequest = new ConsentRequest(result.ValidatedRequest.Raw, user?.GetSubjectId());
consentRequestId = consentRequest.Id;
consent = await _consentResponseStore.ReadAsync(consentRequestId);
if (consent != null && consent.Data == null)
{
return(await CreateErrorResultAsync("consent message is missing data"));
}
}
var request = result.ValidatedRequest;
LogRequest(request);
// determine user interaction
var interactionResult = await _interactionGenerator.ProcessInteractionAsync(request, consent?.Data);
if (interactionResult.IsError)
{
return(await CreateErrorResultAsync("Interaction generator error", request, interactionResult.Error, interactionResult.ErrorDescription, false));
}
if (interactionResult.IsLogin)
{
return(new LoginPageResult(request));
}
if (interactionResult.IsConsent)
{
return(new ConsentPageResult(request));
}
if (interactionResult.IsRedirect)
{
return(new CustomRedirectResult(request, interactionResult.RedirectUrl));
}
var response = await _authorizeResponseGenerator.CreateResponseAsync(request);
await RaiseResponseEventAsync(response);
LogResponse(response);
return(new AuthorizeResult(response));
}
finally
{
if (consentRequestId != null)
{
await _consentResponseStore.DeleteAsync(consentRequestId);
}
}
}
