public async Task <ValidationResult> ValidateClientAsync()
{
Logger.Info("Start client validation");
if (_validatedRequest.ClientId.IsMissing())
{
throw new InvalidOperationException("ClientId is empty. Validate protocol first.");
}
//////////////////////////////////////////////////////////
// check for valid client
//////////////////////////////////////////////////////////
var client = await _clients.FindClientByIdAsync(_validatedRequest.ClientId);
if (client == null || client.Enabled == false)
{
Logger.ErrorFormat("Unknown client or not enabled: {0}", _validatedRequest.ClientId);
return(Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient));
}
Logger.InfoFormat("Client found in registry: {0} / {1}", client.ClientId, client.ClientName);
_validatedRequest.Client = client;
//////////////////////////////////////////////////////////
// check if redirect_uri is valid
//////////////////////////////////////////////////////////
if (!_validatedRequest.Client.RedirectUris.Contains(_validatedRequest.RedirectUri))
{
Logger.ErrorFormat("Invalid redirect_uri: {0}", _validatedRequest.RedirectUri);
return(Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient));
}
//////////////////////////////////////////////////////////
// check if flow is allowed for client
//////////////////////////////////////////////////////////
if (_validatedRequest.Flow != _validatedRequest.Client.Flow)
{
Logger.ErrorFormat("Invalid flow for client: {0}", _validatedRequest.Flow);
return(Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient));
}
var scopeValidator = new ScopeValidator();
//////////////////////////////////////////////////////////
// check if scopes are valid/supported and check for resource scopes
//////////////////////////////////////////////////////////
if (!scopeValidator.AreScopesValid(_validatedRequest.RequestedScopes, await _scopes.GetScopesAsync()))
{
return(Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope));
}
if (scopeValidator.ContainsOpenIdScopes && !_validatedRequest.IsOpenIdRequest)
{
Logger.Error("Identity related scope requests, but no openid scope");
return(Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope));
}
if (scopeValidator.ContainsResourceScopes)
{
_validatedRequest.IsResourceRequest = true;
}
//////////////////////////////////////////////////////////
// check scopes and scope restrictions
//////////////////////////////////////////////////////////
if (!scopeValidator.AreScopesAllowed(_validatedRequest.Client, _validatedRequest.RequestedScopes))
{
return(Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient));
}
_validatedRequest.ValidatedScopes = scopeValidator;
//////////////////////////////////////////////////////////
// check id vs resource scopes and response types plausability
//////////////////////////////////////////////////////////
if (!scopeValidator.IsResponseTypeValid(_validatedRequest.ResponseType))
{
return(Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope));
}
var customResult = await _customValidator.ValidateAuthorizeRequestAsync(_validatedRequest);
if (customResult.IsError)
{
Logger.Error("Error in custom validation: " + customResult.Error);
}
Logger.Info("Client validation successful");
return(customResult);
}
private async Task <AuthorizeRequestValidationResult> ValidateScopeAsync(ValidatedAuthorizeRequest request)
{
//////////////////////////////////////////////////////////
// scope must be present
//////////////////////////////////////////////////////////
var scope = request.Raw.Get(Constants.AuthorizeRequest.Scope);
if (scope.IsMissing())
{
LogError("scope is missing", request);
return(Invalid(request, ErrorTypes.Client));
}
if (scope.Length > Constants.MaxScopeLength)
{
LogError("scopes too long.", request);
return(Invalid(request, ErrorTypes.Client));
}
request.RequestedScopes = scope.FromSpaceSeparatedString().Distinct().ToList();
if (request.RequestedScopes.Contains(Constants.StandardScopes.OpenId))
{
request.IsOpenIdRequest = true;
}
//////////////////////////////////////////////////////////
// check scope vs response_type plausability
//////////////////////////////////////////////////////////
var requirement = Constants.ResponseTypeToScopeRequirement[request.ResponseType];
if (requirement == Constants.ScopeRequirement.Identity ||
requirement == Constants.ScopeRequirement.IdentityOnly)
{
if (request.IsOpenIdRequest == false)
{
LogError("response_type requires the openid scope", request);
return(Invalid(request, ErrorTypes.Client));
}
}
//////////////////////////////////////////////////////////
// check if scopes are valid/supported and check for resource scopes
//////////////////////////////////////////////////////////
if (await _scopeValidator.AreScopesValidAsync(request.RequestedScopes) == false)
{
return(Invalid(request, ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope));
}
if (_scopeValidator.ContainsOpenIdScopes && !request.IsOpenIdRequest)
{
LogError("Identity related scope requests, but no openid scope", request);
return(Invalid(request, ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope));
}
if (_scopeValidator.ContainsResourceScopes)
{
request.IsResourceRequest = true;
}
//////////////////////////////////////////////////////////
// check scopes and scope restrictions
//////////////////////////////////////////////////////////
if (!_scopeValidator.AreScopesAllowed(request.Client, request.RequestedScopes))
{
return(Invalid(request, ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient));
}
request.ValidatedScopes = _scopeValidator;
//////////////////////////////////////////////////////////
// check id vs resource scopes and response types plausability
//////////////////////////////////////////////////////////
if (!_scopeValidator.IsResponseTypeValid(request.ResponseType))
{
return(Invalid(request, ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope));
}
return(Valid(request));
}
public async Task <ValidationResult> ValidateClientAsync()
{
Logger.Info("Start authorize request client validation");
if (_validatedRequest.ClientId.IsMissing())
{
throw new InvalidOperationException("ClientId is empty. Validate protocol first.");
}
//////////////////////////////////////////////////////////
// check for valid client
//////////////////////////////////////////////////////////
var client = await _clients.FindClientByIdAsync(_validatedRequest.ClientId);
if (client == null || client.Enabled == false)
{
LogError("Unknown client or not enabled: " + _validatedRequest.ClientId);
return(Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient));
}
_validatedRequest.Client = client;
//////////////////////////////////////////////////////////
// check if redirect_uri is valid
//////////////////////////////////////////////////////////
if (await _uriValidator.IsRedirectUriValidAsync(_validatedRequest.RedirectUri, _validatedRequest.Client) == false)
{
LogError("Invalid redirect_uri: " + _validatedRequest.RedirectUri);
return(Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient));
}
//////////////////////////////////////////////////////////
// check if flow is allowed for client
//////////////////////////////////////////////////////////
if (_validatedRequest.Flow != _validatedRequest.Client.Flow)
{
LogError("Invalid flow for client: " + _validatedRequest.Flow);
return(Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient));
}
//////////////////////////////////////////////////////////
// check if scopes are valid/supported and check for resource scopes
//////////////////////////////////////////////////////////
if (await _scopeValidator.AreScopesValidAsync(_validatedRequest.RequestedScopes) == false)
{
return(Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope));
}
if (_scopeValidator.ContainsOpenIdScopes && !_validatedRequest.IsOpenIdRequest)
{
LogError("Identity related scope requests, but no openid scope");
return(Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope));
}
if (_scopeValidator.ContainsResourceScopes)
{
_validatedRequest.IsResourceRequest = true;
}
//////////////////////////////////////////////////////////
// check scopes and scope restrictions
//////////////////////////////////////////////////////////
if (!_scopeValidator.AreScopesAllowed(_validatedRequest.Client, _validatedRequest.RequestedScopes))
{
return(Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient));
}
_validatedRequest.ValidatedScopes = _scopeValidator;
//////////////////////////////////////////////////////////
// check id vs resource scopes and response types plausability
//////////////////////////////////////////////////////////
if (!_scopeValidator.IsResponseTypeValid(_validatedRequest.ResponseType))
{
return(Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope));
}
//////////////////////////////////////////////////////////
// check if sessionId is available and if session management is enabled
//////////////////////////////////////////////////////////
if (_options.Endpoints.EnableCheckSessionEndpoint)
{
if (_validatedRequest.SessionId.IsMissing())
{
Logger.Warn("Session management is enabled, but session id cookie is missing.");
}
}
var customResult = await _customValidator.ValidateAuthorizeRequestAsync(_validatedRequest);
if (customResult.IsError)
{
LogError("Error in custom validation: " + customResult.Error);
}
else
{
LogSuccess();
}
return(customResult);
}
