public async Task Unknown_Grant_Type()
{
var client = await _settings.FindClientByIdAsync("codeclient");
var store = new TestAuthorizationCodeStore();
var code = new AuthorizationCode
{
Client = client,
IsOpenId = true,
RedirectUri = new Uri("https://server/cb"),
};
await store.StoreAsync("valid", code);
var validator = ValidatorFactory.CreateTokenValidator(_settings, _logger,
authorizationCodeStore: store);
var parameters = new NameValueCollection();
parameters.Add(Constants.TokenRequest.GrantType, "unknown");
parameters.Add(Constants.TokenRequest.Code, "valid");
parameters.Add(Constants.TokenRequest.RedirectUri, "https://server/cb");
var result = await validator.ValidateRequestAsync(parameters, client);
Assert.IsTrue(result.IsError);
Assert.AreEqual(Constants.TokenErrors.UnsupportedGrantType, result.Error);
}
public async Task Invalid_GrantType_For_Client()
{
var client = await _settings.FindClientByIdAsync("client");
var validator = ValidatorFactory.CreateTokenValidator(_settings, _logger);
var parameters = new NameValueCollection();
parameters.Add(Constants.TokenRequest.GrantType, "assertionType");
parameters.Add(Constants.TokenRequest.Assertion, "assertion");
parameters.Add(Constants.TokenRequest.Scope, "resource");
var result = await validator.ValidateRequestAsync(parameters, client);
Assert.IsTrue(result.IsError);
Assert.AreEqual(Constants.TokenErrors.UnauthorizedClient, result.Error);
}
public async Task Valid_Code_Request()
{
var client = await _settings.FindClientByIdAsync("codeclient");
var store = new TestAuthorizationCodeStore();
var code = new AuthorizationCode
{
Client = client,
IsOpenId = true,
RedirectUri = new Uri("https://server/cb"),
};
await store.StoreAsync("valid", code);
var validator = ValidatorFactory.CreateTokenValidator(_settings, _logger,
authorizationCodeStore: store,
customRequestValidator: _customRequestValidator);
var parameters = new NameValueCollection();
parameters.Add(Constants.TokenRequest.GrantType, Constants.GrantTypes.AuthorizationCode);
parameters.Add(Constants.TokenRequest.Code, "valid");
parameters.Add(Constants.TokenRequest.RedirectUri, "https://server/cb");
var result = await validator.ValidateRequestAsync(parameters, client);
Assert.IsFalse(result.IsError);
}
public async Task <Client> ValidateClientCredentialsAsync(ClientCredential credential)
{
if (credential == null || credential.ClientId == null || credential.Secret == null)
{
throw new InvalidOperationException("credential is null");
}
var client = await _settings.FindClientByIdAsync(credential.ClientId);
if (client == null)
{
_logger.Error("Client not found in registry: " + credential.ClientId);
return(null);
}
if (!ObfuscatingComparer.IsEqual(client.ClientSecret, credential.Secret))
{
_logger.Error("Invalid client secret: " + client.ClientId);
return(null);
}
_logger.InformationFormat("Client found in registry: {0} / {1}", client.ClientId, client.ClientName);
return(client);
}
public async Task <ValidationResult> ValidateClientAsync()
{
if (_validatedRequest.ClientId.IsMissing())
{
throw new InvalidOperationException("ClientId is empty. Validate protocol first.");
}
//////////////////////////////////////////////////////////
// check for valid client
//////////////////////////////////////////////////////////
var client = await _core.FindClientByIdAsync(_validatedRequest.ClientId);
if (client == null)
{
_logger.ErrorFormat("Unknown client: {0}", _validatedRequest.ClientId);
return(Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient));
}
_logger.InformationFormat("Client found in registry: {0} / {1}", client.ClientId, client.ClientName);
_validatedRequest.Client = client;
//////////////////////////////////////////////////////////
// check if redirect_uri is valid
//////////////////////////////////////////////////////////
if (!_validatedRequest.Client.RedirectUris.Contains(_validatedRequest.RedirectUri))
{
_logger.ErrorFormat("Invalid redirect_uri: {0}", _validatedRequest.RedirectUri);
return(Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient));
}
//////////////////////////////////////////////////////////
// check if flow is allowed for client
//////////////////////////////////////////////////////////
if (_validatedRequest.Flow != _validatedRequest.Client.Flow)
{
_logger.ErrorFormat("Invalid flow for client: {0}", _validatedRequest.Flow);
return(Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient));
}
//////////////////////////////////////////////////////////
// check scopes and scope restrictions
//////////////////////////////////////////////////////////
var scopeValidator = new ScopeValidator(_logger);
if (!scopeValidator.AreScopesAllowed(_validatedRequest.Client, _validatedRequest.RequestedScopes))
{
return(Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient));
}
//////////////////////////////////////////////////////////
// check if scopes are valid/supported and check for resource scopes
//////////////////////////////////////////////////////////
if (!scopeValidator.AreScopesValid(_validatedRequest.RequestedScopes, await _core.GetScopesAsync()))
{
return(Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope));
}
if (scopeValidator.ContainsOpenIdScopes && !_validatedRequest.IsOpenIdRequest)
{
_logger.Error("Identity related scope requests, but no openid scope");
return(Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope));
}
if (scopeValidator.ContainsResourceScopes)
{
_validatedRequest.IsResourceRequest = true;
}
_validatedRequest.ValidatedScopes = scopeValidator;
//////////////////////////////////////////////////////////
// check id vs resource scopes and response types plausability
//////////////////////////////////////////////////////////
if (!scopeValidator.IsResponseTypeValid(_validatedRequest.ResponseType))
{
return(Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope));
}
return(await _customValidator.ValidateAuthorizeRequestAsync(_validatedRequest, _users));
}
