/// <summary>
/// Checks if consent is required.
/// </summary>
/// <param name="subject">The user.</param>
/// <param name="client">The client.</param>
/// <param name="scopes">The scopes.</param>
/// <returns>
/// Boolean if consent is required.
/// </returns>
/// <exception cref="System.ArgumentNullException">
/// client
/// or
/// subject
/// </exception>
public virtual async Task <bool> RequiresConsentAsync(ClaimsPrincipal subject, Client client, IEnumerable <string> scopes)
{
if (client == null)
{
throw new ArgumentNullException(nameof(client));
}
if (subject == null)
{
throw new ArgumentNullException(nameof(subject));
}
if (!client.RequireConsent)
{
return(false);
}
if (!client.AllowRememberConsent)
{
return(true);
}
if (scopes == null || !scopes.Any())
{
return(false);
}
// we always require consent for offline access if
// the client has not disabled RequireConsent
if (scopes.Contains(IdentityServerConstants.StandardScopes.OfflineAccess))
{
return(true);
}
var consent = await _userConsentStore.GetUserConsentAsync(subject.GetSubjectId(), client.ClientId);
if (consent == null)
{
return(true);
}
if (consent.Expiration.HasExpired(_options.UtcNow))
{
await _userConsentStore.RemoveUserConsentAsync(consent.SubjectId, consent.ClientId);
return(true);
}
if (consent.Scopes != null)
{
var intersect = scopes.Intersect(consent.Scopes);
return(!(scopes.Count() == intersect.Count()));
}
return(true);
}
/// <summary>
/// Updates the consent asynchronous.
/// </summary>
/// <param name="client">The client.</param>
/// <param name="subject">The subject.</param>
/// <param name="scopes">The scopes.</param>
/// <returns></returns>
/// <exception cref="System.ArgumentNullException">
/// client
/// or
/// subject
/// </exception>
public virtual async Task UpdateConsentAsync(ClaimsPrincipal subject, Client client, IEnumerable <string> scopes)
{
if (client == null)
{
throw new ArgumentNullException(nameof(client));
}
if (subject == null)
{
throw new ArgumentNullException(nameof(subject));
}
if (client.AllowRememberConsent)
{
var subjectId = subject.GetSubjectId();
var clientId = client.ClientId;
if (scopes != null && scopes.Any())
{
var consent = new Consent
{
SubjectId = subjectId,
ClientId = clientId,
Scopes = scopes
};
await _userConsentStore.StoreUserConsentAsync(consent);
}
else
{
await _userConsentStore.RemoveUserConsentAsync(subjectId, clientId);
}
}
}
public async Task RemoveUserConsentAsync_should_remove_grant()
{
var consent1 = new Consent()
{
ClientId = "client",
SubjectId = "123",
Scopes = new string[] { "foo", "bar" }
};
await _userConsent.StoreUserConsentAsync(consent1);
await _userConsent.RemoveUserConsentAsync("123", "client");
var consent2 = await _userConsent.GetUserConsentAsync("123", "client");
consent2.Should().BeNull();
}
/// <summary>
/// Checks if consent is required.
/// </summary>
/// <param name="subject">The user.</param>
/// <param name="client">The client.</param>
/// <param name="parsedScopes">The parsed scopes.</param>
/// <returns>
/// Boolean if consent is required.
/// </returns>
/// <exception cref="System.ArgumentNullException">
/// client
/// or
/// subject
/// </exception>
public virtual async Task <bool> RequiresConsentAsync(ClaimsPrincipal subject, Client client, IEnumerable <ParsedScopeValue> parsedScopes)
{
if (client == null)
{
throw new ArgumentNullException(nameof(client));
}
if (subject == null)
{
throw new ArgumentNullException(nameof(subject));
}
if (!client.RequireConsent)
{
Logger.LogDebug("Client is configured to not require consent, no consent is required");
return(false);
}
if (parsedScopes == null || !parsedScopes.Any())
{
Logger.LogDebug("No scopes being requested, no consent is required");
return(false);
}
if (!client.AllowRememberConsent)
{
Logger.LogDebug("Client is configured to not allow remembering consent, consent is required");
return(true);
}
if (parsedScopes.Any(x => x.Name != x.Value))
{
Logger.LogDebug("Scopes contains parameterized values, consent is required");
return(true);
}
var scopes = parsedScopes.Select(x => x.Value).ToArray();
// we always require consent for offline access if
// the client has not disabled RequireConsent
if (scopes.Contains(IdentityServerConstants.StandardScopes.OfflineAccess))
{
Logger.LogDebug("Scopes contains offline_access, consent is required");
return(true);
}
var consent = await UserConsentStore.GetUserConsentAsync(subject.GetSubjectId(), client.ClientId);
if (consent == null)
{
Logger.LogDebug("Found no prior consent from consent store, consent is required");
return(true);
}
if (consent.Expiration.HasExpired(Clock.UtcNow.UtcDateTime))
{
Logger.LogDebug("Consent found in consent store is expired, consent is required");
await UserConsentStore.RemoveUserConsentAsync(consent.SubjectId, consent.ClientId);
return(true);
}
if (consent.Scopes != null)
{
var intersect = scopes.Intersect(consent.Scopes);
var different = scopes.Count() != intersect.Count();
if (different)
{
Logger.LogDebug("Consent found in consent store is different than current request, consent is required");
}
else
{
Logger.LogDebug("Consent found in consent store is same as current request, consent is not required");
}
return(different);
}
Logger.LogDebug("Consent found in consent store has no scopes, consent is required");
return(true);
}
/// <summary> /// Removes all grants for a given subject id and client id combination. /// </summary> /// <param name="subjectId">The subject identifier.</param> /// <param name="clientId">The client identifier.</param> /// <returns></returns> public Task RemoveAllGrantsAsync(string subjectId, string clientId) => _userConsentStore.RemoveUserConsentAsync(subjectId, clientId);