public async Task Unknown_Grant_Type() { var client = await _settings.FindClientByIdAsync("codeclient"); var store = new TestAuthorizationCodeStore(); var code = new AuthorizationCode { Client = client, IsOpenId = true, RedirectUri = new Uri("https://server/cb"), }; await store.StoreAsync("valid", code); var validator = ValidatorFactory.CreateTokenValidator(_settings, _logger, authorizationCodeStore: store); var parameters = new NameValueCollection(); parameters.Add(Constants.TokenRequest.GrantType, "unknown"); parameters.Add(Constants.TokenRequest.Code, "valid"); parameters.Add(Constants.TokenRequest.RedirectUri, "https://server/cb"); var result = await validator.ValidateRequestAsync(parameters, client); Assert.IsTrue(result.IsError); Assert.AreEqual(Constants.TokenErrors.UnsupportedGrantType, result.Error); }
public async Task Invalid_GrantType_For_Client() { var client = await _settings.FindClientByIdAsync("client"); var validator = ValidatorFactory.CreateTokenValidator(_settings, _logger); var parameters = new NameValueCollection(); parameters.Add(Constants.TokenRequest.GrantType, "assertionType"); parameters.Add(Constants.TokenRequest.Assertion, "assertion"); parameters.Add(Constants.TokenRequest.Scope, "resource"); var result = await validator.ValidateRequestAsync(parameters, client); Assert.IsTrue(result.IsError); Assert.AreEqual(Constants.TokenErrors.UnauthorizedClient, result.Error); }
public async Task Valid_Code_Request() { var client = await _settings.FindClientByIdAsync("codeclient"); var store = new TestAuthorizationCodeStore(); var code = new AuthorizationCode { Client = client, IsOpenId = true, RedirectUri = new Uri("https://server/cb"), }; await store.StoreAsync("valid", code); var validator = ValidatorFactory.CreateTokenValidator(_settings, _logger, authorizationCodeStore: store, customRequestValidator: _customRequestValidator); var parameters = new NameValueCollection(); parameters.Add(Constants.TokenRequest.GrantType, Constants.GrantTypes.AuthorizationCode); parameters.Add(Constants.TokenRequest.Code, "valid"); parameters.Add(Constants.TokenRequest.RedirectUri, "https://server/cb"); var result = await validator.ValidateRequestAsync(parameters, client); Assert.IsFalse(result.IsError); }
public async Task <Client> ValidateClientCredentialsAsync(ClientCredential credential) { if (credential == null || credential.ClientId == null || credential.Secret == null) { throw new InvalidOperationException("credential is null"); } var client = await _settings.FindClientByIdAsync(credential.ClientId); if (client == null) { _logger.Error("Client not found in registry: " + credential.ClientId); return(null); } if (!ObfuscatingComparer.IsEqual(client.ClientSecret, credential.Secret)) { _logger.Error("Invalid client secret: " + client.ClientId); return(null); } _logger.InformationFormat("Client found in registry: {0} / {1}", client.ClientId, client.ClientName); return(client); }
public async Task <ValidationResult> ValidateClientAsync() { if (_validatedRequest.ClientId.IsMissing()) { throw new InvalidOperationException("ClientId is empty. Validate protocol first."); } ////////////////////////////////////////////////////////// // check for valid client ////////////////////////////////////////////////////////// var client = await _core.FindClientByIdAsync(_validatedRequest.ClientId); if (client == null) { _logger.ErrorFormat("Unknown client: {0}", _validatedRequest.ClientId); return(Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient)); } _logger.InformationFormat("Client found in registry: {0} / {1}", client.ClientId, client.ClientName); _validatedRequest.Client = client; ////////////////////////////////////////////////////////// // check if redirect_uri is valid ////////////////////////////////////////////////////////// if (!_validatedRequest.Client.RedirectUris.Contains(_validatedRequest.RedirectUri)) { _logger.ErrorFormat("Invalid redirect_uri: {0}", _validatedRequest.RedirectUri); return(Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient)); } ////////////////////////////////////////////////////////// // check if flow is allowed for client ////////////////////////////////////////////////////////// if (_validatedRequest.Flow != _validatedRequest.Client.Flow) { _logger.ErrorFormat("Invalid flow for client: {0}", _validatedRequest.Flow); return(Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient)); } ////////////////////////////////////////////////////////// // check scopes and scope restrictions ////////////////////////////////////////////////////////// var scopeValidator = new ScopeValidator(_logger); if (!scopeValidator.AreScopesAllowed(_validatedRequest.Client, _validatedRequest.RequestedScopes)) { return(Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient)); } ////////////////////////////////////////////////////////// // check if scopes are valid/supported and check for resource scopes ////////////////////////////////////////////////////////// if (!scopeValidator.AreScopesValid(_validatedRequest.RequestedScopes, await _core.GetScopesAsync())) { return(Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope)); } if (scopeValidator.ContainsOpenIdScopes && !_validatedRequest.IsOpenIdRequest) { _logger.Error("Identity related scope requests, but no openid scope"); return(Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope)); } if (scopeValidator.ContainsResourceScopes) { _validatedRequest.IsResourceRequest = true; } _validatedRequest.ValidatedScopes = scopeValidator; ////////////////////////////////////////////////////////// // check id vs resource scopes and response types plausability ////////////////////////////////////////////////////////// if (!scopeValidator.IsResponseTypeValid(_validatedRequest.ResponseType)) { return(Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope)); } return(await _customValidator.ValidateAuthorizeRequestAsync(_validatedRequest, _users)); }