public async Task ValidateAsync(ExtensionGrantValidationContext context)
{
_logger.LogDebug("Start token request validation");
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
var contextClient = (context.Request.Client as ClientExtra).ShallowCopy();
context.Request.Client = contextClient;
var raw = context.Request.Raw;
_validatedRequest = new ValidatedTokenRequest
{
Raw = raw ?? throw new ArgumentNullException(nameof(raw)),
Options = _options
};
var customTokenRequestValidationContext = new CustomTokenRequestValidationContext()
{
Result = new TokenRequestValidationResult(_validatedRequest)
};
await _arbitraryIdentityRequestValidator.ValidateAsync(customTokenRequestValidationContext);
if (customTokenRequestValidationContext.Result.IsError)
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidRequest,
customTokenRequestValidationContext.Result.Error);
return;
}
// validate HTTP for clients
if (HttpMethods.IsPost(_httpContextAccessor.HttpContext.Request.Method) && _httpContextAccessor.HttpContext.Request.HasFormContentType)
{
// validate client
var clientResult = await _clientValidator.ValidateAsync(_httpContextAccessor.HttpContext);
if (!clientResult.IsError)
{
_validatedRequest.SetClient(clientResult.Client);
}
}
/////////////////////////////////////////////
// check grant type
/////////////////////////////////////////////
var grantType = _validatedRequest.Raw.Get(OidcConstants.TokenRequest.GrantType);
_validatedRequest.GrantType = grantType;
var resource = await _resourceStore.GetAllResourcesAsync();
var subject = "";
if (string.IsNullOrWhiteSpace(subject))
{
subject = context.Request.Raw.Get("subject");
}
// get user's identity
var claims = new List <Claim>
{
new Claim(ClaimTypes.NameIdentifier, subject),
new Claim("sub", subject),
new Claim(JwtClaimTypes.IdentityProvider, _arbitraryIdentityExtensionGrantOptions.IdentityProvider)
};
var principal = new ClaimsPrincipal(new ClaimsIdentity(claims));
_principalAugmenter.AugmentPrincipal(principal);
var userClaimsFinal = new List <Claim>();
// optional stuff;
var accessTokenLifetimeOverride = _validatedRequest.Raw.Get(Constants.AccessTokenLifetime);
if (!string.IsNullOrWhiteSpace(accessTokenLifetimeOverride))
{
int accessTokenLifetime = 0;
bool error = true;
if (Int32.TryParse(accessTokenLifetimeOverride, out accessTokenLifetime))
{
if (accessTokenLifetime > 0 && accessTokenLifetime <= context.Request.AccessTokenLifetime)
{
context.Request.AccessTokenLifetime = accessTokenLifetime;
error = false;
}
}
if (error)
{
var errorDescription =
$"{Constants.AccessTokenLifetime} out of range. Must be > 0 and <= configured AccessTokenLifetime.";
LogError(errorDescription);
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidRequest, errorDescription);
return;
}
}
// optional stuff;
var idTokenLifetimeOverride = _validatedRequest.Raw.Get(Constants.IdTokenLifetime);
if (!string.IsNullOrWhiteSpace(idTokenLifetimeOverride))
{
int idTokenLifetime = 0;
bool error = true;
if (Int32.TryParse(idTokenLifetimeOverride, out idTokenLifetime))
{
if (idTokenLifetime > 0 && idTokenLifetime <= context.Request.Client.IdentityTokenLifetime)
{
context.Request.Client.IdentityTokenLifetime = idTokenLifetime;
error = false;
}
}
if (error)
{
var errorDescription =
$"{Constants.IdTokenLifetime} out of range. Must be > 0 and <= configured IdentityTokenLifetime.";
LogError(errorDescription);
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidRequest, errorDescription);
return;
}
}
context.Result = new GrantValidationResult(
principal.GetSubjectId(),
ArbitraryIdentityExtensionGrant.Constants.ArbitraryIdentity,
userClaimsFinal,
_arbitraryIdentityExtensionGrantOptions.IdentityProvider);
}
public async Task ValidateAsync(ExtensionGrantValidationContext context)
{
_logger.LogDebug("Start token request validation");
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
var raw = context.Request.Raw;
_validatedRequest = new ValidatedTokenRequest
{
Raw = raw ?? throw new ArgumentNullException(nameof(raw)),
Options = _options
};
var customTokenRequestValidationContext = new CustomTokenRequestValidationContext()
{
Result = new TokenRequestValidationResult(_validatedRequest)
};
await _arbitraryIdentityRequestValidator.ValidateAsync(customTokenRequestValidationContext);
if (customTokenRequestValidationContext.Result.IsError)
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidRequest,
customTokenRequestValidationContext.Result.Error);
return;
}
var clientValidationResult = await _clientSecretValidator.ValidateAsync(_validatedRequest.Raw);
if (clientValidationResult == null)
{
throw new ArgumentNullException(nameof(clientValidationResult));
}
_validatedRequest.SetClient(clientValidationResult.Client, clientValidationResult.Secret);
/////////////////////////////////////////////
// check grant type
/////////////////////////////////////////////
var grantType = _validatedRequest.Raw.Get(OidcConstants.TokenRequest.GrantType);
if (grantType.IsMissing())
{
LogError("Grant type is missing");
context.Result = new GrantValidationResult(TokenRequestErrors.UnsupportedGrantType);
return;
}
if (grantType.Length > _options.InputLengthRestrictions.GrantType)
{
LogError("Grant type is too long");
context.Result = new GrantValidationResult(TokenRequestErrors.UnsupportedGrantType);
return;
}
_validatedRequest.GrantType = grantType;
var resource = await _resourceStore.GetAllResourcesAsync();
var subject = "";
Claim originAuthTimeClaim = null;
// if access_token exists, it wins.
var accessToken = context.Request.Raw.Get("access_token");
if (!string.IsNullOrWhiteSpace(accessToken))
{
var validateAccessToken = await _tokenValidator.ValidateAccessTokenAsync(accessToken);
var queryClaims = from item in validateAccessToken.Claims
where item.Type == JwtClaimTypes.Subject
select item.Value;
subject = queryClaims.FirstOrDefault();
originAuthTimeClaim = (from item in validateAccessToken.Claims
where item.Type == $"origin_{JwtClaimTypes.AuthenticationTime}"
select item).FirstOrDefault();
if (originAuthTimeClaim == null)
{
var authTimeClaim = (from item in validateAccessToken.Claims
where item.Type == JwtClaimTypes.AuthenticationTime
select item).FirstOrDefault();
originAuthTimeClaim = new
Claim($"origin_{JwtClaimTypes.AuthenticationTime}",
authTimeClaim.Value);
}
}
if (string.IsNullOrWhiteSpace(subject))
{
subject = context.Request.Raw.Get("subject");
}
// get user's identity
var claims = new List <Claim>
{
new Claim(ClaimTypes.NameIdentifier, subject),
new Claim("sub", subject)
};
var principal = new ClaimsPrincipal(new ClaimsIdentity(claims));
_principalAugmenter.AugmentPrincipal(principal);
var userClaimsFinal = new List <Claim>()
{
new Claim(ArbitraryIdentityExtensionGrant.Constants.ArbitraryClaims,
raw[ArbitraryIdentityExtensionGrant.Constants.ArbitraryClaims])
};
// optional stuff;
var accessTokenLifetimeOverride = _validatedRequest.Raw.Get(Constants.AccessTokenLifetime);
if (!string.IsNullOrWhiteSpace(accessTokenLifetimeOverride))
{
var accessTokenLifetime = Int32.Parse(accessTokenLifetimeOverride);
if (accessTokenLifetime > 0 && accessTokenLifetime < context.Request.AccessTokenLifetime)
{
context.Request.AccessTokenLifetime = accessTokenLifetime;
}
else
{
var errorDescription =
$"{Constants.AccessTokenLifetime} out of range. Must be > 0 and less than configured AccessTokenLifetime.";
LogError(errorDescription);
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidRequest, errorDescription);
return;
}
}
//userClaimsFinal.Add(new Claim(ProfileServiceManager.Constants.ClaimKey, Constants.ArbitraryIdentityProfileService));
if (originAuthTimeClaim != null)
{
userClaimsFinal.Add(originAuthTimeClaim);
}
context.Result = new GrantValidationResult(principal.GetSubjectId(), ArbitraryIdentityExtensionGrant.Constants.ArbitraryIdentity, userClaimsFinal);
}
