private async Task _validateAuthorizationCodeFlow(ValidateAuthorizationRequestContext context)
{
authservice = context.HttpContext.RequestServices.GetRequiredService <IValidateAuthorizationService>();
if (authservice == null)
{
context.Reject(OpenIdConnectConstants.Errors.ServerError, "Failed to validate this authorization request");
return;
}
if (string.IsNullOrEmpty(context.RedirectUri))
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidRequest,
description: "The required redirect_uri parameter was missing.");
return;
}
if (!(await authservice.CheckClientIdExists(context.ClientId)))
{
context.Reject(error: OpenIdConnectConstants.Errors.InvalidClient, description: "Supplied Client Id was not a valid application Client Id.");
return;
}
if (!(await authservice.CheckRedirectURIMatches(context.RedirectUri, context.ClientId)))
{
context.Reject(error: OpenIdConnectConstants.Errors.InvalidRequest, description: "Supplied Redirect URI was not valid for the supplied Client Id.");
return;
}
if (!(await authservice.CheckScopesAreValid(context.Request.Scope)))
{
context.Reject(error: OpenIdConnectConstants.Errors.InvalidRequest, description: "Supplied scopes were was not valid Spotify Scopes.");
return;
}
context.Validate();
}
private async Task _validateClientCredentialsTokenRequest(ValidateTokenRequestContext context)
{
// TODO increment user rate limit (nb this increment only happens in Validate)
authservice = context.HttpContext.RequestServices.GetRequiredService <IValidateAuthorizationService>();
if (authservice == null)
{
context.Reject(OpenIdConnectConstants.Errors.ServerError, "Failed to validate this authorization request");
return;
}
if (String.IsNullOrWhiteSpace(context.ClientId))
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidClient,
description: "Missing credentials: ensure that you specified a client_id.");
return;
}
else if (String.IsNullOrWhiteSpace(context.ClientSecret))
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidClient,
description: "Missing credentials: ensure that you specified a client_secret.");
return;
}
else if (!(await authservice.CheckClientIdExists(context.ClientId)))
{
context.Reject(error: OpenIdConnectConstants.Errors.InvalidClient, description: "Supplied Client Id was not a valid application Client Id.");
return;
}
else if (!(await authservice.CheckSecretMatchesId(context.ClientId, context.ClientSecret)))
{
context.Reject(error: OpenIdConnectConstants.Errors.InvalidRequest, description: "Supplied Secret was not correct for the Client Id.");
return;
}
context.Validate();
}
public override async Task HandleTokenRequest(HandleTokenRequestContext context)
{
authservice = context.HttpContext.RequestServices.GetRequiredService <IValidateAuthorizationService>();
if (authservice == null)
{
context.Reject(OpenIdConnectConstants.Errors.ServerError, "Failed to validate this authorization request");
return;
}
if (context.Request.IsRefreshTokenGrantType())
{
await _handleRefreshToken(context);
return;
}
else if (context.Request.IsAuthorizationCodeGrantType())
{
await _handleAuthorizationToken(context);
return;
}
else if (context.Request.IsImplicitFlow())
{
await _handleImplicitCredentialsToken(context);
return;
}
else if (context.Request.IsClientCredentialsGrantType())
{
await _handleClientCredentialsToken(context);
return;
}
context.Reject(
error: OpenIdConnectConstants.Errors.UnsupportedGrantType,
description: "Only authorization code, client credentials, and implicit grants " +
"are accepted by this authorization server");
return;
}
private async Task _validateRefreshTokenRequest(ValidateTokenRequestContext context)
{
authservice = context.HttpContext.RequestServices.GetRequiredService <IValidateAuthorizationService>();
if (authservice == null)
{
context.Reject(OpenIdConnectConstants.Errors.ServerError, "Failed to validate this authorization request");
return;
}
IRateLimitService rls = context.HttpContext.RequestServices.GetRequiredService <IRateLimitService>();
if (rls == null)
{
context.Reject(OpenIdConnectConstants.Errors.ServerError, "Failed to validate this authorization request");
return;
}
// TODO increment user rate limit (nb this increment only happens in Validate)
if (String.IsNullOrWhiteSpace(context.Request.RefreshToken))
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidRequest,
description: "Missing parameter: ensure that you specified a refresh_token.");
}
AuthenticateResult ar = await context.HttpContext.AuthenticateAsync(OpenIdConnectServerDefaults.AuthenticationScheme);
AuthenticationTicket at = ar.Ticket;
if (ar == null)
{
context.Reject();
return;
}
else if (ar.Principal == null)
{
context.Reject(error: OpenIdConnectConstants.Errors.InvalidRequest, description: "Supplied refresh token was not valid");
return;
}
else if (ar.Principal.Identity == null)
{
context.Reject();
return;
}
else if (!ar.Principal.Identity.IsAuthenticated)
{
context.Reject();
return;
}
/** here we do the legwork of validating that:
* the client application still exists,
* the supplied secret still matches,
* the user's refresh and access tokens haven't been revoked,
* the user isn't rate limited
*/
List <Claim> claims = ar.Principal.Claims.ToList();
var gtype = claims.Find(x => x.Type == "grant_type");
var userid = claims.Find(x => x.Type == "sub");
var clientSecret = context.ClientSecret;
if (gtype == null || string.IsNullOrWhiteSpace(gtype.Value))
{
context.Reject();
}
if (userid == null || string.IsNullOrWhiteSpace(userid.Value))
{
context.Reject();
}
if (!await authservice.CheckClientIdExists(context.ClientId))
{
context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "The supplied client id no longer exists.");
return;
}
else if (!await authservice.CheckSecretMatchesId(context.ClientId, context.ClientSecret))
{
context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "The supplied client secret is no longer valid.");
return;
}
else if (!await authservice.CheckTokenNotRevoked(gtype.Value, context.Request.RefreshToken))
{
context.Reject(OpenIdConnectConstants.Errors.AccessDenied, "The supplied token has been revoked. Please re-authenticate.");
}
//TODO come back to this - rls is no longer our preferred service. _mc.RateLimits should be our goto
else if (!(await rls.UserWithinRateLimit(userid.Value)) && !(await rls.UserWithinAppRateLimit(context.ClientId, userid.Value, gtype.Value)))
{
context.Reject(RateLimits.RateLimitExceededError, RateLimits.RateLimitExceededErrorDescription);
return;
}
await rls.IncrementUserAPICallCount(userid.Value, context.ClientId);
context.Validate();
}
