public override async Task ValidateAuthorizationRequest(ValidateAuthorizationRequestContext context)
{
_vService = context.HttpContext.RequestServices.GetRequiredService <ValidationService>();
if (!context.Request.IsAuthorizationCodeFlow() && !context.Request.IsImplicitFlow())
{
context.Reject(OpenIdConnectConstants.Errors.UnsupportedResponseType,
"Only authorization code, refresh token, and token grant types are accepted by this authorization server.");
return;
}
var clientId = context.ClientId;
var rdi = context.Request.RedirectUri;
var state = context.Request.State;
var scope = context.Request.Scope;
if (string.IsNullOrWhiteSpace(clientId))
{
context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "client_id cannot be empty");
return;
}
if (string.IsNullOrWhiteSpace(rdi))
{
context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "redirect_uri cannot be empty");
return;
}
if (!await _vService.CheckClientIdIsValid(clientId))
{
context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "The supplied client id does not exist");
return;
}
if (!await _vService.CheckRedirectUriMatchesClientId(clientId, rdi))
{
context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "The supplied redirect uri is incorrect");
return;
}
if (!_vService.CheckScopesAreValid(scope))
{
context.Reject(OpenIdConnectConstants.Errors.InvalidRequest, "One or all of the supplied scopes are invalid");
return;
}
context.Validate();
}
public override async Task ValidateTokenRequest(ValidateTokenRequestContext context)
{
_vService = context.HttpContext.RequestServices.GetRequiredService <ValidationService>();
// We only accept "authorization_code", "refresh", "token" for this endpoint.
if (!context.Request.IsAuthorizationCodeGrantType() &&
!context.Request.IsRefreshTokenGrantType() &&
!context.Request.IsClientCredentialsGrantType())
{
context.Reject(OpenIdConnectConstants.Errors.UnsupportedGrantType,
"Only authorization code, refresh token, and token grant types are accepted by this authorization server.");
}
var clientId = context.ClientId;
var clientSecret = context.ClientSecret;
var redirectUri = context.Request.RedirectUri;
var codeVerifier = context.Request.CodeVerifier;
// Validating the Authorization Code Token Request
if (context.Request.IsAuthorizationCodeGrantType())
{
if (string.IsNullOrWhiteSpace(clientId))
{
context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "client_id cannot be empty");
return;
}
if (string.IsNullOrWhiteSpace(clientSecret) && string.IsNullOrEmpty(codeVerifier))
{
context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "client_secret cannot be empty");
return;
}
if (string.IsNullOrWhiteSpace(redirectUri))
{
context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "redirect_uri cannot be empty");
return;
}
if (!await _vService.CheckClientIdIsValid(clientId))
{
context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "The supplied client id was does not exist");
return;
}
if (string.IsNullOrEmpty(codeVerifier) && !await _vService.CheckClientIdAndSecretIsValid(clientId, clientSecret))
{
context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "The supplied client secret is invalid");
return;
}
if (!await _vService.CheckRedirectUriMatchesClientId(clientId, redirectUri))
{
context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "The supplied redirect uri is incorrect");
return;
}
context.Validate();
return;
}
// Validating the Refresh Code Token Request
if (context.Request.IsRefreshTokenGrantType())
{
clientId = context.Request.ClientId;
clientSecret = context.Request.ClientSecret;
var refreshToken = context.Request.RefreshToken;
if (string.IsNullOrWhiteSpace(clientId))
{
context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "client_id cannot be empty");
return;
}
if (string.IsNullOrWhiteSpace(clientSecret))
{
context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "client_secret cannot be empty");
return;
}
if (!await _vService.CheckClientIdIsValid(clientId))
{
context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "The supplied client id does not exist");
return;
}
if (!await _vService.CheckClientIdAndSecretIsValid(clientId, clientSecret))
{
context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "The supplied client secret is invalid");
return;
}
if (!await _vService.CheckRefreshTokenIsValid(refreshToken))
{
context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "The supplied refresh token is invalid");
return;
}
context.Validate();
return;
}
// Validating Client Credentials Request, aka, 'token'
if (context.Request.IsClientCredentialsGrantType())
{
clientId = context.ClientId;
clientSecret = context.ClientSecret;
if (string.IsNullOrWhiteSpace(clientId))
{
context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "client_id cannot be empty");
return;
}
if (string.IsNullOrWhiteSpace(clientSecret))
{
context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "client_secret cannot be empty");
return;
}
if (!await _vService.CheckClientIdIsValid(clientId))
{
context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "The supplied client id does not exist");
return;
}
if (!await _vService.CheckClientIdAndSecretIsValid(clientId, clientSecret))
{
context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "The supplied client secret is invalid");
return;
}
context.Validate();
return;
}
context.Reject(OpenIdConnectConstants.Errors.ServerError, "Could not validate the token request");
}
