public override async Task ValidateAuthorizationRequest(ValidateAuthorizationRequestContext context) { _vService = context.HttpContext.RequestServices.GetRequiredService <ValidationService>(); if (!context.Request.IsAuthorizationCodeFlow() && !context.Request.IsImplicitFlow()) { context.Reject(OpenIdConnectConstants.Errors.UnsupportedResponseType, "Only authorization code, refresh token, and token grant types are accepted by this authorization server."); return; } var clientId = context.ClientId; var rdi = context.Request.RedirectUri; var state = context.Request.State; var scope = context.Request.Scope; if (string.IsNullOrWhiteSpace(clientId)) { context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "client_id cannot be empty"); return; } if (string.IsNullOrWhiteSpace(rdi)) { context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "redirect_uri cannot be empty"); return; } if (!await _vService.CheckClientIdIsValid(clientId)) { context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "The supplied client id does not exist"); return; } if (!await _vService.CheckRedirectUriMatchesClientId(clientId, rdi)) { context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "The supplied redirect uri is incorrect"); return; } if (!_vService.CheckScopesAreValid(scope)) { context.Reject(OpenIdConnectConstants.Errors.InvalidRequest, "One or all of the supplied scopes are invalid"); return; } context.Validate(); }
public override async Task ValidateTokenRequest(ValidateTokenRequestContext context) { _vService = context.HttpContext.RequestServices.GetRequiredService <ValidationService>(); // We only accept "authorization_code", "refresh", "token" for this endpoint. if (!context.Request.IsAuthorizationCodeGrantType() && !context.Request.IsRefreshTokenGrantType() && !context.Request.IsClientCredentialsGrantType()) { context.Reject(OpenIdConnectConstants.Errors.UnsupportedGrantType, "Only authorization code, refresh token, and token grant types are accepted by this authorization server."); } var clientId = context.ClientId; var clientSecret = context.ClientSecret; var redirectUri = context.Request.RedirectUri; var codeVerifier = context.Request.CodeVerifier; // Validating the Authorization Code Token Request if (context.Request.IsAuthorizationCodeGrantType()) { if (string.IsNullOrWhiteSpace(clientId)) { context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "client_id cannot be empty"); return; } if (string.IsNullOrWhiteSpace(clientSecret) && string.IsNullOrEmpty(codeVerifier)) { context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "client_secret cannot be empty"); return; } if (string.IsNullOrWhiteSpace(redirectUri)) { context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "redirect_uri cannot be empty"); return; } if (!await _vService.CheckClientIdIsValid(clientId)) { context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "The supplied client id was does not exist"); return; } if (string.IsNullOrEmpty(codeVerifier) && !await _vService.CheckClientIdAndSecretIsValid(clientId, clientSecret)) { context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "The supplied client secret is invalid"); return; } if (!await _vService.CheckRedirectUriMatchesClientId(clientId, redirectUri)) { context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "The supplied redirect uri is incorrect"); return; } context.Validate(); return; } // Validating the Refresh Code Token Request if (context.Request.IsRefreshTokenGrantType()) { clientId = context.Request.ClientId; clientSecret = context.Request.ClientSecret; var refreshToken = context.Request.RefreshToken; if (string.IsNullOrWhiteSpace(clientId)) { context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "client_id cannot be empty"); return; } if (string.IsNullOrWhiteSpace(clientSecret)) { context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "client_secret cannot be empty"); return; } if (!await _vService.CheckClientIdIsValid(clientId)) { context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "The supplied client id does not exist"); return; } if (!await _vService.CheckClientIdAndSecretIsValid(clientId, clientSecret)) { context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "The supplied client secret is invalid"); return; } if (!await _vService.CheckRefreshTokenIsValid(refreshToken)) { context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "The supplied refresh token is invalid"); return; } context.Validate(); return; } // Validating Client Credentials Request, aka, 'token' if (context.Request.IsClientCredentialsGrantType()) { clientId = context.ClientId; clientSecret = context.ClientSecret; if (string.IsNullOrWhiteSpace(clientId)) { context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "client_id cannot be empty"); return; } if (string.IsNullOrWhiteSpace(clientSecret)) { context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "client_secret cannot be empty"); return; } if (!await _vService.CheckClientIdIsValid(clientId)) { context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "The supplied client id does not exist"); return; } if (!await _vService.CheckClientIdAndSecretIsValid(clientId, clientSecret)) { context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "The supplied client secret is invalid"); return; } context.Validate(); return; } context.Reject(OpenIdConnectConstants.Errors.ServerError, "Could not validate the token request"); }