public async Task ValidateAsync(ExtensionGrantValidationContext context) { _logger.LogDebug("Start token request validation"); if (context == null) { throw new ArgumentNullException(nameof(context)); } var contextClient = (context.Request.Client as ClientExtra).ShallowCopy(); context.Request.Client = contextClient; var raw = context.Request.Raw; _validatedRequest = new ValidatedTokenRequest { Raw = raw ?? throw new ArgumentNullException(nameof(raw)), Options = _options }; var customTokenRequestValidationContext = new CustomTokenRequestValidationContext() { Result = new TokenRequestValidationResult(_validatedRequest) }; await _arbitraryIdentityRequestValidator.ValidateAsync(customTokenRequestValidationContext); if (customTokenRequestValidationContext.Result.IsError) { context.Result = new GrantValidationResult(TokenRequestErrors.InvalidRequest, customTokenRequestValidationContext.Result.Error); return; } // validate HTTP for clients if (HttpMethods.IsPost(_httpContextAccessor.HttpContext.Request.Method) && _httpContextAccessor.HttpContext.Request.HasFormContentType) { // validate client var clientResult = await _clientValidator.ValidateAsync(_httpContextAccessor.HttpContext); if (!clientResult.IsError) { _validatedRequest.SetClient(clientResult.Client); } } ///////////////////////////////////////////// // check grant type ///////////////////////////////////////////// var grantType = _validatedRequest.Raw.Get(OidcConstants.TokenRequest.GrantType); _validatedRequest.GrantType = grantType; var resource = await _resourceStore.GetAllResourcesAsync(); var subject = ""; if (string.IsNullOrWhiteSpace(subject)) { subject = context.Request.Raw.Get("subject"); } // get user's identity var claims = new List <Claim> { new Claim(ClaimTypes.NameIdentifier, subject), new Claim("sub", subject), new Claim(JwtClaimTypes.IdentityProvider, _arbitraryIdentityExtensionGrantOptions.IdentityProvider) }; var principal = new ClaimsPrincipal(new ClaimsIdentity(claims)); _principalAugmenter.AugmentPrincipal(principal); var userClaimsFinal = new List <Claim>(); // optional stuff; var accessTokenLifetimeOverride = _validatedRequest.Raw.Get(Constants.AccessTokenLifetime); if (!string.IsNullOrWhiteSpace(accessTokenLifetimeOverride)) { int accessTokenLifetime = 0; bool error = true; if (Int32.TryParse(accessTokenLifetimeOverride, out accessTokenLifetime)) { if (accessTokenLifetime > 0 && accessTokenLifetime <= context.Request.AccessTokenLifetime) { context.Request.AccessTokenLifetime = accessTokenLifetime; error = false; } } if (error) { var errorDescription = $"{Constants.AccessTokenLifetime} out of range. Must be > 0 and <= configured AccessTokenLifetime."; LogError(errorDescription); context.Result = new GrantValidationResult(TokenRequestErrors.InvalidRequest, errorDescription); return; } } // optional stuff; var idTokenLifetimeOverride = _validatedRequest.Raw.Get(Constants.IdTokenLifetime); if (!string.IsNullOrWhiteSpace(idTokenLifetimeOverride)) { int idTokenLifetime = 0; bool error = true; if (Int32.TryParse(idTokenLifetimeOverride, out idTokenLifetime)) { if (idTokenLifetime > 0 && idTokenLifetime <= context.Request.Client.IdentityTokenLifetime) { context.Request.Client.IdentityTokenLifetime = idTokenLifetime; error = false; } } if (error) { var errorDescription = $"{Constants.IdTokenLifetime} out of range. Must be > 0 and <= configured IdentityTokenLifetime."; LogError(errorDescription); context.Result = new GrantValidationResult(TokenRequestErrors.InvalidRequest, errorDescription); return; } } context.Result = new GrantValidationResult( principal.GetSubjectId(), ArbitraryIdentityExtensionGrant.Constants.ArbitraryIdentity, userClaimsFinal, _arbitraryIdentityExtensionGrantOptions.IdentityProvider); }
public async Task ValidateAsync(ExtensionGrantValidationContext context) { _logger.LogDebug("Start token request validation"); if (context == null) { throw new ArgumentNullException(nameof(context)); } var raw = context.Request.Raw; _validatedRequest = new ValidatedTokenRequest { Raw = raw ?? throw new ArgumentNullException(nameof(raw)), Options = _options }; var customTokenRequestValidationContext = new CustomTokenRequestValidationContext() { Result = new TokenRequestValidationResult(_validatedRequest) }; await _arbitraryIdentityRequestValidator.ValidateAsync(customTokenRequestValidationContext); if (customTokenRequestValidationContext.Result.IsError) { context.Result = new GrantValidationResult(TokenRequestErrors.InvalidRequest, customTokenRequestValidationContext.Result.Error); return; } var clientValidationResult = await _clientSecretValidator.ValidateAsync(_validatedRequest.Raw); if (clientValidationResult == null) { throw new ArgumentNullException(nameof(clientValidationResult)); } _validatedRequest.SetClient(clientValidationResult.Client, clientValidationResult.Secret); ///////////////////////////////////////////// // check grant type ///////////////////////////////////////////// var grantType = _validatedRequest.Raw.Get(OidcConstants.TokenRequest.GrantType); if (grantType.IsMissing()) { LogError("Grant type is missing"); context.Result = new GrantValidationResult(TokenRequestErrors.UnsupportedGrantType); return; } if (grantType.Length > _options.InputLengthRestrictions.GrantType) { LogError("Grant type is too long"); context.Result = new GrantValidationResult(TokenRequestErrors.UnsupportedGrantType); return; } _validatedRequest.GrantType = grantType; var resource = await _resourceStore.GetAllResourcesAsync(); var subject = ""; Claim originAuthTimeClaim = null; // if access_token exists, it wins. var accessToken = context.Request.Raw.Get("access_token"); if (!string.IsNullOrWhiteSpace(accessToken)) { var validateAccessToken = await _tokenValidator.ValidateAccessTokenAsync(accessToken); var queryClaims = from item in validateAccessToken.Claims where item.Type == JwtClaimTypes.Subject select item.Value; subject = queryClaims.FirstOrDefault(); originAuthTimeClaim = (from item in validateAccessToken.Claims where item.Type == $"origin_{JwtClaimTypes.AuthenticationTime}" select item).FirstOrDefault(); if (originAuthTimeClaim == null) { var authTimeClaim = (from item in validateAccessToken.Claims where item.Type == JwtClaimTypes.AuthenticationTime select item).FirstOrDefault(); originAuthTimeClaim = new Claim($"origin_{JwtClaimTypes.AuthenticationTime}", authTimeClaim.Value); } } if (string.IsNullOrWhiteSpace(subject)) { subject = context.Request.Raw.Get("subject"); } // get user's identity var claims = new List <Claim> { new Claim(ClaimTypes.NameIdentifier, subject), new Claim("sub", subject) }; var principal = new ClaimsPrincipal(new ClaimsIdentity(claims)); _principalAugmenter.AugmentPrincipal(principal); var userClaimsFinal = new List <Claim>() { new Claim(ArbitraryIdentityExtensionGrant.Constants.ArbitraryClaims, raw[ArbitraryIdentityExtensionGrant.Constants.ArbitraryClaims]) }; // optional stuff; var accessTokenLifetimeOverride = _validatedRequest.Raw.Get(Constants.AccessTokenLifetime); if (!string.IsNullOrWhiteSpace(accessTokenLifetimeOverride)) { var accessTokenLifetime = Int32.Parse(accessTokenLifetimeOverride); if (accessTokenLifetime > 0 && accessTokenLifetime < context.Request.AccessTokenLifetime) { context.Request.AccessTokenLifetime = accessTokenLifetime; } else { var errorDescription = $"{Constants.AccessTokenLifetime} out of range. Must be > 0 and less than configured AccessTokenLifetime."; LogError(errorDescription); context.Result = new GrantValidationResult(TokenRequestErrors.InvalidRequest, errorDescription); return; } } //userClaimsFinal.Add(new Claim(ProfileServiceManager.Constants.ClaimKey, Constants.ArbitraryIdentityProfileService)); if (originAuthTimeClaim != null) { userClaimsFinal.Add(originAuthTimeClaim); } context.Result = new GrantValidationResult(principal.GetSubjectId(), ArbitraryIdentityExtensionGrant.Constants.ArbitraryIdentity, userClaimsFinal); }