private async Task ValidateRequestAsync(IRefreshTokenRequest request)
{
_request = request;
if (_request.ClientId == Guid.Empty || _request.ClientSecret == null)
{
throw new InvalidClientException("Invalid client credentials.");
}
if (_request.RefreshToken == null)
{
throw new InvalidGrantException("Refresh token could not be found");
}
_refreshToken = await _refreshTokenRepository.FindAsync(request.RefreshToken);
if (_refreshToken == null || _refreshToken.IsExpired || _refreshToken.Application.ClientId != request.ClientId)
{
throw new InvalidGrantException("Refresh token could not be found.");
}
// If someone tries to use the same refresh token twice, disable the access token.
if (_refreshToken.Used)
{
if (_refreshToken.AccessToken != null && !_refreshToken.AccessToken.IsExpired)
{
_refreshToken.AccessToken.Disabled = true;
await _accessTokenRepository.SaveAsync();
}
throw new InvalidGrantException("Refresh token could not be found.");
}
await _authenticateClientService.AuthenticateAsync(_request.ClientId, _request.ClientSecret);
// Make sure all requested scopes were requested in the original refresh token.
if (request.Scope != null)
{
var scopes = request.Scope.Split(" ");
foreach (var scope in scopes)
{
// Only allow the refreshed token to use the scopes issued with the
// original token as per https://tools.ietf.org/html/rfc6749#section-6
var originalScopes = _refreshToken.AuthorizationCode.Scope.Split(" ");
if (originalScopes.All(scopeName => scopeName != scope))
{
throw new InvalidScopeException("The provided scope is invalid.");
}
}
}
_scope = request.Scope ?? _refreshToken.Scope;
}
private async Task ValidateRequestAsync(IAuthorizationCodeTokenRequest request)
{
_request = request;
if (_request.ClientId == Guid.Empty)
{
throw new InvalidClientException("Invalid client credentials.");
}
if (_request.Code == null)
{
throw new InvalidGrantException("Invalid authorization code.");
}
_code = await _authorizationCodeRepository.FindAsync(_request.Code);
if (_code?.UserId == null || _code.IsExpired)
{
throw new InvalidGrantException("Invalid authorization code.");
}
// If someone tries to use the same authorization code twice, disable the access token.
if (_code.Used)
{
if (_code.AccessToken != null)
{
_code.AccessToken.Disabled = true;
await _accessTokenRepository.SaveAsync();
}
throw new InvalidGrantException("Invalid authorization code.");
}
if (_code.ClientId != _request.ClientId)
{
throw new InvalidGrantException("Invalid client id.");
}
_application = await _findApplicationService.FindByClientIdAsync(request.ClientId);
if (_application.Type == ClientTypes.Confidential)
{
await _authenticateClientService.AuthenticateAsync(request.ClientId, request.ClientSecret);
}
_redirectUri = request.RedirectUri ?? _application.RedirectUri;
if (_redirectUri != _application.RedirectUri)
{
throw new InvalidGrantException("The provided redirect URI does not match the one on record.");
}
}
private async Task ValidateRequestAsync(IClientCredentialsTokenRequest request)
{
_request = request;
if (_request.ClientId == Guid.Empty || _request.ClientSecret == null)
{
throw new InvalidClientException("Invalid client credentials.");
}
_application = await _authenticateClientService.AuthenticateAsync(_request.ClientId, _request.ClientSecret);
if (_application.Type == ClientTypes.Public)
{
throw new UnauthorizedClientException("Public clients cannot use the client credentials grant.");
}
}
private async Task ValidateRequestAsync(IResourceOwnerPasswordCredentialsTokenRequest request)
{
_request = request;
if (_request.ClientId == Guid.Empty || _request.ClientSecret == null)
{
throw new InvalidClientException("Invalid client credentials.");
}
if (_request.Username == null || _request.Password == null)
{
throw new InvalidGrantException("Invalid resource owner credentials.");
}
_user = await _authenticateUserService.AuthenticateAsync(request.Username, request.Password);
_application = await _authenticateClientService.AuthenticateAsync(request.ClientId, request.ClientSecret);
}