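/// <summary>
/// Resolves the identity claim types granted by the given scopes. Only scopes flagged
/// <c>IsOpenIdScope</c> contribute claims; resource scopes and unknown scope names are
/// skipped silently. This method performs no authorization of its own: callers must pass
/// only scopes that were actually granted to the presented access token.
/// </summary>
/// <param name="scopes">Scope names from the access token; may be null or empty.</param>
/// <returns>
/// The claim type names of every matching identity scope, in scope order. Duplicates are
/// not removed (the same as the previous implementation).
/// </returns>
public async Task<IEnumerable<string>> GetRequestedClaimTypesAsync(IEnumerable<string> scopes)
{
    if (scopes == null)
    {
        return Enumerable.Empty<string>();
    }

    // Materialize once: the original enumerated the sequence three times (Count(), Join,
    // foreach), which re-runs any deferred query behind it.
    var requestedScopes = scopes as IList<string> ?? scopes.ToList();
    if (requestedScopes.Count == 0)
    {
        return Enumerable.Empty<string>();
    }

    _logger.InformationFormat("Scopes in access token: {0}", string.Join(" ", requestedScopes));

    var scopeDetails = await _settings.GetScopesAsync();
    var scopeClaims = new List<string>();
    foreach (var scope in requestedScopes)
    {
        // Exact name match via ==; scope names are not case-folded.
        var scopeDetail = scopeDetails.FirstOrDefault(s => s.Name == scope);
        if (scopeDetail != null && scopeDetail.IsOpenIdScope)
        {
            scopeClaims.AddRange(scopeDetail.Claims.Select(c => c.Name));
        }
    }

    return scopeClaims;
}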
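/// <summary>
/// Builds the OpenID Connect discovery document. Endpoint URLs are derived from the
/// configured public host rather than taken blindly from the request, which matters
/// because a forged Host header reflected here would let an attacker redirect relying
/// parties to attacker-controlled endpoints.
/// NOTE(review): confirm Request.GetBaseUrl does not fall back to the request Host
/// header when GetPublicHost() is unset.
/// </summary>
/// <returns>An anonymous object whose property names are the discovery metadata keys.</returns>
public async Task<dynamic> GetConfiguration()
{
    var baseUrl = Request.GetBaseUrl(_settings.GetPublicHost());
    var scopes = await _settings.GetScopesAsync();

    return new
    {
        issuer = _settings.GetIssuerUri(),
        // Relative paths are appended verbatim, so baseUrl is assumed to end with '/'.
        jwks_uri = baseUrl + ".well-known/jwks",
        authorization_endpoint = baseUrl + "connect/authorize",
        token_endpoint = baseUrl + "connect/token",
        userinfo_endpoint = baseUrl + "connect/userinfo",
        end_session_endpoint = baseUrl + "connect/logout",
        scopes_supported = scopes.Select(s => s.Name),
        response_types_supported = Constants.SupportedResponseTypes,
        response_modes_supported = Constants.SupportedResponseModes,
        grant_types_supported = Constants.SupportedGrantTypes,
        // Fix: the OpenID Connect Discovery key is "subject_types_supported"; the previous
        // name "subject_types_support" is not recognized by conforming relying parties.
        // NOTE(review): only advertise "pairwise" if the server really issues pairwise
        // subject identifiers — confirm against the token service.
        subject_types_supported = new string[] { "pairwise", "public" },
        // Fix: the spec defines this as a JSON array of JWS algorithm names, not a bare string.
        id_token_signing_alg_values_supported = new string[] { "RS256" }
    };
}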
/// <summary>
/// Validates the <c>scope</c> parameter of a token request: it must parse, every scope must
/// be allowed for the already-validated client, and every scope must exist in the configured
/// scope list. On success the parsed scopes and the validator are stored on the request.
/// </summary>
/// <param name="parameters">The raw token-request form parameters.</param>
/// <returns><c>true</c> when all checks pass; <c>false</c> at the first failing check.</returns>
private async Task<bool> ValidateRequestedScopesAsync(NameValueCollection parameters)
{
    var validator = new ScopeValidator(_logger);
    var scopes = validator.ParseScopes(parameters.Get(Constants.TokenRequest.Scope));

    // Whatever ParseScopes yields for an absent or malformed parameter, null means reject.
    if (scopes == null)
    {
        return false;
    }

    // Per-client allow-list first, then existence in the global configuration. The await
    // sits in the second operand, so the settings lookup only runs if the first check passes.
    if (!validator.AreScopesAllowed(_validatedRequest.Client, scopes)
        || !validator.AreScopesValid(scopes, await _settings.GetScopesAsync()))
    {
        return false;
    }

    _validatedRequest.Scopes = scopes;
    _validatedRequest.ValidatedScopes = validator;
    return true;
}
/// <summary>
/// Second stage of authorize-request validation: resolves the client and checks the
/// redirect_uri, flow, scopes and response type against it, then defers to the custom
/// validator. Requires protocol validation to have populated ClientId first.
/// </summary>
/// <returns>
/// An invalid result at the first failing check; otherwise whatever the custom validator returns.
/// </returns>
/// <exception cref="InvalidOperationException">ClientId has not been populated yet.</exception>
/// <remarks>
/// The error-type choice is security relevant. The client-lookup, redirect_uri, flow and
/// client-scope checks all return <c>ErrorTypes.User</c> — presumably rendered to the user
/// rather than delivered to the redirect_uri — so nothing is ever sent to an unverified
/// redirect target. Only after the redirect_uri is confirmed registered do the remaining
/// scope/response-type failures switch to <c>ErrorTypes.Client</c>.
/// </remarks>
public async Task<ValidationResult> ValidateClientAsync()
{
    if (_validatedRequest.ClientId.IsMissing())
    {
        throw new InvalidOperationException("ClientId is empty. Validate protocol first.");
    }

    // --- client must exist ------------------------------------------------------------
    var client = await _core.FindClientByIdAsync(_validatedRequest.ClientId);
    if (client == null)
    {
        _logger.ErrorFormat("Unknown client: {0}", _validatedRequest.ClientId);
        return Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient);
    }

    _logger.InformationFormat("Client found in registry: {0} / {1}", client.ClientId, client.ClientName);
    _validatedRequest.Client = client;

    // --- redirect_uri must be registered for this client -------------------------------
    // Plain membership test, no prefix or wildcard matching. NOTE(review): if RedirectUris
    // holds System.Uri values, Uri equality ignores fragment and user-info — confirm the
    // element type is string (ordinal) as the strict match intends.
    if (!_validatedRequest.Client.RedirectUris.Contains(_validatedRequest.RedirectUri))
    {
        _logger.ErrorFormat("Invalid redirect_uri: {0}", _validatedRequest.RedirectUri);
        return Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient);
    }

    // --- requested flow must be the one configured for the client ----------------------
    if (_validatedRequest.Flow != _validatedRequest.Client.Flow)
    {
        _logger.ErrorFormat("Invalid flow for client: {0}", _validatedRequest.Flow);
        return Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient);
    }

    // --- scopes: per-client allow-list, then global validity ----------------------------
    var validator = new ScopeValidator(_logger);
    if (!validator.AreScopesAllowed(_validatedRequest.Client, _validatedRequest.RequestedScopes))
    {
        return Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient);
    }

    if (!validator.AreScopesValid(_validatedRequest.RequestedScopes, await _core.GetScopesAsync()))
    {
        return Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope);
    }

    // Identity scopes are only meaningful alongside the openid scope.
    if (validator.ContainsOpenIdScopes && !_validatedRequest.IsOpenIdRequest)
    {
        _logger.Error("Identity related scope requests, but no openid scope");
        return Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope);
    }

    // Only ever raised to true here; never cleared.
    if (validator.ContainsResourceScopes)
    {
        _validatedRequest.IsResourceRequest = true;
    }

    _validatedRequest.ValidatedScopes = validator;

    // --- response_type must be plausible for the mix of identity/resource scopes ---------
    if (!validator.IsResponseTypeValid(_validatedRequest.ResponseType))
    {
        return Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope);
    }

    return await _customValidator.ValidateAuthorizeRequestAsync(_validatedRequest, _users);
}