public async Task <IEnumerable <string> > GetRequestedClaimTypesAsync(IEnumerable <string> scopes)
{
if (scopes == null || scopes.Count() == 0)
{
return(Enumerable.Empty <string>());
}
var scopeString = string.Join(" ", scopes);
_logger.InformationFormat("Scopes in access token: {0}", scopeString);
var scopeDetails = await _settings.GetScopesAsync();
var scopeClaims = new List <string>();
foreach (var scope in scopes)
{
var scopeDetail = scopeDetails.FirstOrDefault(s => s.Name == scope);
if (scopeDetail != null)
{
if (scopeDetail.IsOpenIdScope)
{
scopeClaims.AddRange(scopeDetail.Claims.Select(c => c.Name));
}
}
}
return(scopeClaims);
}
public async Task <dynamic> GetConfiguration()
{
var baseUrl = Request.GetBaseUrl(_settings.GetPublicHost());
var scopes = await _settings.GetScopesAsync();
return(new
{
issuer = _settings.GetIssuerUri(),
jwks_uri = baseUrl + ".well-known/jwks",
authorization_endpoint = baseUrl + "connect/authorize",
token_endpoint = baseUrl + "connect/token",
userinfo_endpoint = baseUrl + "connect/userinfo",
end_session_endpoint = baseUrl + "connect/logout",
scopes_supported = scopes.Select(s => s.Name),
response_types_supported = Constants.SupportedResponseTypes,
response_modes_supported = Constants.SupportedResponseModes,
grant_types_supported = Constants.SupportedGrantTypes,
subject_types_support = new string[] { "pairwise", "public" },
id_token_signing_alg_values_supported = "RS256"
});
}
private async Task <bool> ValidateRequestedScopesAsync(NameValueCollection parameters)
{
var scopeValidator = new ScopeValidator(_logger);
var requestedScopes = scopeValidator.ParseScopes(parameters.Get(Constants.TokenRequest.Scope));
if (requestedScopes == null)
{
return(false);
}
if (!scopeValidator.AreScopesAllowed(_validatedRequest.Client, requestedScopes))
{
return(false);
}
if (!scopeValidator.AreScopesValid(requestedScopes, await _settings.GetScopesAsync()))
{
return(false);
}
_validatedRequest.Scopes = requestedScopes;
_validatedRequest.ValidatedScopes = scopeValidator;
return(true);
}
public async Task <ValidationResult> ValidateClientAsync()
{
if (_validatedRequest.ClientId.IsMissing())
{
throw new InvalidOperationException("ClientId is empty. Validate protocol first.");
}
//////////////////////////////////////////////////////////
// check for valid client
//////////////////////////////////////////////////////////
var client = await _core.FindClientByIdAsync(_validatedRequest.ClientId);
if (client == null)
{
_logger.ErrorFormat("Unknown client: {0}", _validatedRequest.ClientId);
return(Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient));
}
_logger.InformationFormat("Client found in registry: {0} / {1}", client.ClientId, client.ClientName);
_validatedRequest.Client = client;
//////////////////////////////////////////////////////////
// check if redirect_uri is valid
//////////////////////////////////////////////////////////
if (!_validatedRequest.Client.RedirectUris.Contains(_validatedRequest.RedirectUri))
{
_logger.ErrorFormat("Invalid redirect_uri: {0}", _validatedRequest.RedirectUri);
return(Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient));
}
//////////////////////////////////////////////////////////
// check if flow is allowed for client
//////////////////////////////////////////////////////////
if (_validatedRequest.Flow != _validatedRequest.Client.Flow)
{
_logger.ErrorFormat("Invalid flow for client: {0}", _validatedRequest.Flow);
return(Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient));
}
//////////////////////////////////////////////////////////
// check scopes and scope restrictions
//////////////////////////////////////////////////////////
var scopeValidator = new ScopeValidator(_logger);
if (!scopeValidator.AreScopesAllowed(_validatedRequest.Client, _validatedRequest.RequestedScopes))
{
return(Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient));
}
//////////////////////////////////////////////////////////
// check if scopes are valid/supported and check for resource scopes
//////////////////////////////////////////////////////////
if (!scopeValidator.AreScopesValid(_validatedRequest.RequestedScopes, await _core.GetScopesAsync()))
{
return(Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope));
}
if (scopeValidator.ContainsOpenIdScopes && !_validatedRequest.IsOpenIdRequest)
{
_logger.Error("Identity related scope requests, but no openid scope");
return(Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope));
}
if (scopeValidator.ContainsResourceScopes)
{
_validatedRequest.IsResourceRequest = true;
}
_validatedRequest.ValidatedScopes = scopeValidator;
//////////////////////////////////////////////////////////
// check id vs resource scopes and response types plausability
//////////////////////////////////////////////////////////
if (!scopeValidator.IsResponseTypeValid(_validatedRequest.ResponseType))
{
return(Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope));
}
return(await _customValidator.ValidateAuthorizeRequestAsync(_validatedRequest, _users));
}
