AuthorizeRequest, IdentityServer.Protocols.OAuth2 C# (CSharp) Code Examples

Example #1

0

Show file

File: OAuth2AuthorizeController.cs Project: azhuang88/IdentityServer

        public ActionResult HandleConsentResponse(string button, AuthorizeRequest request)
        {
            Client client;
            var    error = CheckRequest(request, out client);

            if (error != null)
            {
                return(error);
            }

            if (button == "no")
            {
                return(ClientError(client.RedirectUri, OAuth2Constants.Errors.AccessDenied, request.response_type,
                                   request.state));
            }

            if (button == "yes")
            {
                var grantResult = PerformGrant(request, client);
                if (grantResult != null)
                {
                    return(grantResult);
                }
            }

            // todo: return appropiate error
            return(ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, request.response_type,
                               request.state));
        }

Example #2

0

Show file

File: OAuth2AuthorizeController.cs Project: azhuang88/IdentityServer

        private ActionResult PerformImplicitGrant(AuthorizeRequest request, Client client)
        {
            var sts = new STS();

            TokenResponse tokenResponse;

            if (sts.TryIssueToken(
                    new EndpointReference(request.scope),
                    ClaimsPrincipal.Current,
                    Configuration.Global.DefaultHttpTokenType,
                    out tokenResponse))
            {
                var tokenString = string.Format("access_token={0}&token_type={1}&expires_in={2}",
                                                tokenResponse.AccessToken,
                                                tokenResponse.TokenType,
                                                tokenResponse.ExpiresIn);

                if (!string.IsNullOrEmpty(request.state))
                {
                    tokenString = string.Format("{0}&state={1}", tokenString, Server.UrlEncode(request.state));
                }

                var redirectString = string.Format("{0}#{1}",
                                                   client.RedirectUri.AbsoluteUri,
                                                   tokenString);

                return(Redirect(redirectString));
            }

            // return right error code
            return(ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, request.response_type,
                               request.state));
        }

Example #3

0

Show file

File: OAuth2AuthorizeController.cs Project: azhuang88/IdentityServer

        public ActionResult HandleRequest(AuthorizeRequest request)
        {
            Tracing.Information("OAuth2 HandleRequest endpoint invoked");

            // check client
            Client client;
            var    error = CheckRequest(request, out client);

            if (error != null)
            {
                return(error);
            }

            RelyingParty rp;

            if (!RPRepository.TryGet(request.scope, out rp))
            {
                Tracing.Error("RP not found for scope : " + request.scope);
                return(ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidScope, request.response_type,
                                   request.state));
            }

            if (Configuration.OAuth2.EnableConsent)
            {
                // show resource name, uri and client name
                // client is trying to access resource on your behalf
                var vm = new OAuth2ConsentViewModel
                {
                    ResourceUri         = rp.Realm.AbsoluteUri,
                    ResourceName        = rp.Name,
                    ClientName          = client.ClientId,
                    RefreshTokenEnabled = client.AllowRefreshToken
                };

                return(View("ShowConsent", vm));
            }
            var grantResult = PerformGrant(request, client);

            if (grantResult != null)
            {
                return(grantResult);
            }

            // we don't know exactly why, so use ServerError
            Tracing.Error("Authorization Endpoint failed");
            return(ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, request.response_type,
                               request.state));
        }

Example #4

0

Show file

File: OAuth2AuthorizeController.cs Project: azhuang88/IdentityServer

        private ActionResult PerformGrant(AuthorizeRequest request, Client client)
        {
            // implicit grant
            if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Token, StringComparison.Ordinal))
            {
                return(PerformImplicitGrant(request, client));
            }

            // authorization code grant
            if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Code, StringComparison.Ordinal))
            {
                return(PerformAuthorizationCodeGrant(request, client));
            }

            return(null);
        }

Example #5

0

Show file

File: OAuth2AuthorizeController.cs Project: azhuang88/IdentityServer

        private ActionResult PerformAuthorizationCodeGrant(AuthorizeRequest request, Client client)
        {
            var code = CodeTokenRepository.AddCode(CodeTokenType.AuthorizationCode, client.ID,
                                                   ClaimsPrincipal.Current.Identity.Name, request.scope);
            var tokenString = string.Format("code={0}", code);

            if (!string.IsNullOrEmpty(request.state))
            {
                tokenString = string.Format("{0}&state={1}", tokenString, Server.UrlEncode(request.state));
            }

            var redirectString = string.Format("{0}?{1}",
                                               client.RedirectUri.AbsoluteUri,
                                               tokenString);

            return(Redirect(redirectString));
        }

Example #6

0

Show file

File: OidcAuthorizeController.cs Project: azhuang88/IdentityServer

        public ActionResult HandleConsent(AuthorizeRequest request, string button, string[] selectedScopes)
        {
            Tracing.Start("OIDC consent response");

            ValidatedRequest validatedRequest;
            ActionResult failedResult;
            if (!TryValidateRequest(request, out validatedRequest, out failedResult))
            {
                Tracing.Error("Aborting OIDC consent response");
                return failedResult;
            }

            if (button == "allow")
            {
                var vm = new OidcViewModel(validatedRequest);
                vm.SetScopes(selectedScopes);
                return PerformGrant(vm.ValidatedRequest);
            }
            return DenyGrant(validatedRequest);
        }

Example #7

0

Show file

File: OAuth2AuthorizeController.cs Project: azhuang88/IdentityServer

        public ActionResult HandleConsentResponse(string button, AuthorizeRequest request)
        {
            Client client;
            var error = CheckRequest(request, out client);
            if (error != null) return error;

            if (button == "no")
            {
                return ClientError(client.RedirectUri, OAuth2Constants.Errors.AccessDenied, request.response_type,
                    request.state);
            }

            if (button == "yes")
            {
                var grantResult = PerformGrant(request, client);
                if (grantResult != null) return grantResult;
            }

            // todo: return appropiate error
            return ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, request.response_type,
                request.state);
        }

Example #8

0

Show file

File: OAuth2AuthorizeController.cs Project: azhuang88/IdentityServer

        private ActionResult PerformImplicitGrant(AuthorizeRequest request, Client client)
        {
            var sts = new STS();

            TokenResponse tokenResponse;
            if (sts.TryIssueToken(
                new EndpointReference(request.scope),
                ClaimsPrincipal.Current,
                Configuration.Global.DefaultHttpTokenType,
                out tokenResponse))
            {
                var tokenString = string.Format("access_token={0}&token_type={1}&expires_in={2}",
                    tokenResponse.AccessToken,
                    tokenResponse.TokenType,
                    tokenResponse.ExpiresIn);

                if (!string.IsNullOrEmpty(request.state))
                {
                    tokenString = string.Format("{0}&state={1}", tokenString, Server.UrlEncode(request.state));
                }

                var redirectString = string.Format("{0}#{1}",
                    client.RedirectUri.AbsoluteUri,
                    tokenString);

                return Redirect(redirectString);
            }

            // return right error code
            return ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, request.response_type,
                request.state);
        }

Example #9

0

Show file

File: OAuth2AuthorizeController.cs Project: azhuang88/IdentityServer

        private ActionResult PerformGrant(AuthorizeRequest request, Client client)
        {
            // implicit grant
            if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Token, StringComparison.Ordinal))
            {
                return PerformImplicitGrant(request, client);
            }

            // authorization code grant
            if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Code, StringComparison.Ordinal))
            {
                return PerformAuthorizationCodeGrant(request, client);
            }

            return null;
        }

Example #10

0

Show file

File: OAuth2AuthorizeController.cs Project: azhuang88/IdentityServer

        private ActionResult PerformAuthorizationCodeGrant(AuthorizeRequest request, Client client)
        {
            var code = CodeTokenRepository.AddCode(CodeTokenType.AuthorizationCode, client.ID,
                ClaimsPrincipal.Current.Identity.Name, request.scope);
            var tokenString = string.Format("code={0}", code);

            if (!string.IsNullOrEmpty(request.state))
            {
                tokenString = string.Format("{0}&state={1}", tokenString, Server.UrlEncode(request.state));
            }

            var redirectString = string.Format("{0}?{1}",
                client.RedirectUri.AbsoluteUri,
                tokenString);

            return Redirect(redirectString);
        }

Example #11

0

Show file

File: OAuth2AuthorizeController.cs Project: azhuang88/IdentityServer

        private ActionResult CheckRequest(AuthorizeRequest request, out Client client)
        {
            if (request == null)
            {
                client = null;
                ViewBag.Message = "Invalid request parameters";
                Tracing.Error(ViewBag.Message);
                return View("Error");
            }

            // validate client
            if (!Clients.TryGetClient(request.client_id, out client))
            {
                ViewBag.Message = "Invalid client_id : " + request.client_id;
                Tracing.Error(ViewBag.Message);
                return View("Error");
            }

            // validate redirect uri
            if (client.RedirectUri == null)
            {
                ViewBag.Message = "A redirect uri for client_id " + request.client_id + " was not configured.";
                Tracing.Error(ViewBag.Message);
                return View("Error");
            }

            if (string.IsNullOrEmpty(request.redirect_uri) ||
                !string.Equals(request.redirect_uri, client.RedirectUri.AbsoluteUri, StringComparison.OrdinalIgnoreCase))
            {
                ViewBag.Message = "The redirect_uri in the request: " + request.redirect_uri +
                                  " did not match a registered redirect URI.";
                Tracing.Error(ViewBag.Message);
                return View("Error");
            }

            Uri redirectUrl;
            if (Uri.TryCreate(request.redirect_uri, UriKind.Absolute, out redirectUrl))
            {
                if (redirectUrl.Scheme == Uri.UriSchemeHttp)
                {
                    Tracing.Error("Redirect URI not over SSL : " + request.redirect_uri);
                    return ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, string.Empty,
                        request.state);
                }
            }
            else
            {
                Tracing.Error("Redirect URI not a valid URI : " + request.redirect_uri);
                return ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, string.Empty,
                    request.state);
            }

            if (string.IsNullOrWhiteSpace(request.response_type))
            {
                Tracing.Error("response_type is null or empty");
                return ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, string.Empty,
                    request.state);
            }

            // check response type (only code and token are supported)
            if (!request.response_type.Equals(OAuth2Constants.ResponseTypes.Token, StringComparison.Ordinal) &&
                !request.response_type.Equals(OAuth2Constants.ResponseTypes.Code, StringComparison.Ordinal))
            {
                Tracing.Error("response_type is not token or code: " + request.response_type);
                return ClientError(client.RedirectUri, OAuth2Constants.Errors.UnsupportedResponseType, string.Empty,
                    request.state);
            }

            // validate scope (must be a valid URI)
            Uri uri;
            if (!Uri.TryCreate(request.scope, UriKind.Absolute, out uri))
            {
                Tracing.Error("scope is not a URI: " + request.scope);
                return ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidScope, request.response_type,
                    request.state);
            }

            // validate if request grant type is allowed for client (implicit vs code flow)
            if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Token) &&
                !client.AllowImplicitFlow)
            {
                Tracing.Error("response_type is token and client does not allow implicit flow. client: " + client.Name);
                return ClientError(client.RedirectUri, OAuth2Constants.Errors.UnsupportedResponseType,
                    request.response_type, request.state);
            }

            if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Code) &&
                !client.AllowCodeFlow)
            {
                Tracing.Error("response_type is code and client does not allow code flow. client: " + client.Name);
                return ClientError(client.RedirectUri, OAuth2Constants.Errors.UnsupportedResponseType,
                    request.response_type, request.state);
            }

            return null;
        }

Example #12

0

Show file

File: OAuth2AuthorizeController.cs Project: azhuang88/IdentityServer

        public ActionResult HandleRequest(AuthorizeRequest request)
        {
            Tracing.Information("OAuth2 HandleRequest endpoint invoked");

            // check client
            Client client;
            var error = CheckRequest(request, out client);
            if (error != null) return error;

            RelyingParty rp;
            if (!RPRepository.TryGet(request.scope, out rp))
            {
                Tracing.Error("RP not found for scope : " + request.scope);
                return ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidScope, request.response_type,
                    request.state);
            }

            if (Configuration.OAuth2.EnableConsent)
            {
                // show resource name, uri and client name
                // client is trying to access resource on your behalf
                var vm = new OAuth2ConsentViewModel
                {
                    ResourceUri = rp.Realm.AbsoluteUri,
                    ResourceName = rp.Name,
                    ClientName = client.ClientId,
                    RefreshTokenEnabled = client.AllowRefreshToken
                };

                return View("ShowConsent", vm);
            }
            var grantResult = PerformGrant(request, client);
            if (grantResult != null) return grantResult;

            // we don't know exactly why, so use ServerError
            Tracing.Error("Authorization Endpoint failed");
            return ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, request.response_type,
                request.state);
        }

Example #13

0

Show file

File: OAuth2AuthorizeController.cs Project: azhuang88/IdentityServer

        private ActionResult CheckRequest(AuthorizeRequest request, out Client client)
        {
            if (request == null)
            {
                client          = null;
                ViewBag.Message = "Invalid request parameters";
                Tracing.Error(ViewBag.Message);
                return(View("Error"));
            }

            // validate client
            if (!Clients.TryGetClient(request.client_id, out client))
            {
                ViewBag.Message = "Invalid client_id : " + request.client_id;
                Tracing.Error(ViewBag.Message);
                return(View("Error"));
            }

            // validate redirect uri
            if (client.RedirectUri == null)
            {
                ViewBag.Message = "A redirect uri for client_id " + request.client_id + " was not configured.";
                Tracing.Error(ViewBag.Message);
                return(View("Error"));
            }

            if (string.IsNullOrEmpty(request.redirect_uri) ||
                !string.Equals(request.redirect_uri, client.RedirectUri.AbsoluteUri, StringComparison.OrdinalIgnoreCase))
            {
                ViewBag.Message = "The redirect_uri in the request: " + request.redirect_uri +
                                  " did not match a registered redirect URI.";
                Tracing.Error(ViewBag.Message);
                return(View("Error"));
            }

            Uri redirectUrl;

            if (Uri.TryCreate(request.redirect_uri, UriKind.Absolute, out redirectUrl))
            {
                if (redirectUrl.Scheme == Uri.UriSchemeHttp)
                {
                    Tracing.Error("Redirect URI not over SSL : " + request.redirect_uri);
                    return(ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, string.Empty,
                                       request.state));
                }
            }
            else
            {
                Tracing.Error("Redirect URI not a valid URI : " + request.redirect_uri);
                return(ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, string.Empty,
                                   request.state));
            }

            if (string.IsNullOrWhiteSpace(request.response_type))
            {
                Tracing.Error("response_type is null or empty");
                return(ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, string.Empty,
                                   request.state));
            }

            // check response type (only code and token are supported)
            if (!request.response_type.Equals(OAuth2Constants.ResponseTypes.Token, StringComparison.Ordinal) &&
                !request.response_type.Equals(OAuth2Constants.ResponseTypes.Code, StringComparison.Ordinal))
            {
                Tracing.Error("response_type is not token or code: " + request.response_type);
                return(ClientError(client.RedirectUri, OAuth2Constants.Errors.UnsupportedResponseType, string.Empty,
                                   request.state));
            }

            // validate scope (must be a valid URI)
            Uri uri;

            if (!Uri.TryCreate(request.scope, UriKind.Absolute, out uri))
            {
                Tracing.Error("scope is not a URI: " + request.scope);
                return(ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidScope, request.response_type,
                                   request.state));
            }

            // validate if request grant type is allowed for client (implicit vs code flow)
            if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Token) &&
                !client.AllowImplicitFlow)
            {
                Tracing.Error("response_type is token and client does not allow implicit flow. client: " + client.Name);
                return(ClientError(client.RedirectUri, OAuth2Constants.Errors.UnsupportedResponseType,
                                   request.response_type, request.state));
            }

            if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Code) &&
                !client.AllowCodeFlow)
            {
                Tracing.Error("response_type is code and client does not allow code flow. client: " + client.Name);
                return(ClientError(client.RedirectUri, OAuth2Constants.Errors.UnsupportedResponseType,
                                   request.response_type, request.state));
            }

            return(null);
        }

Example #14

0

Show file

File: AuthorizeRequestValidator.cs Project: azhuang88/IdentityServer

        public ValidatedRequest Validate(AuthorizeRequest request)
        {
            var validatedRequest = new ValidatedRequest();

            // validate request model binding
            if (request == null)
            {
                throw new AuthorizeRequestResourceOwnerException("Invalid request parameters.");
            }

            // make sure redirect uri is present
            if (string.IsNullOrWhiteSpace(request.redirect_uri))
            {
                throw new AuthorizeRequestResourceOwnerException("Missing redirect URI");
            }

            // validate client
            if (string.IsNullOrWhiteSpace(request.client_id))
            {
                throw new AuthorizeRequestResourceOwnerException("Missing client identifier");
            }

            var client = Clients.Get(request.client_id);

            if (client == null)
            {
                throw new AuthorizeRequestResourceOwnerException("Invalid client: " + request.client_id);
            }

            validatedRequest.Client = client;
            Tracing.InformationFormat("Client: {0} ({1})",
                validatedRequest.Client.Name,
                validatedRequest.Client.ClientId);

            // make sure redirect_uri is a valid uri, and in case of http is over ssl
            Uri redirectUri;
            if (Uri.TryCreate(request.redirect_uri, UriKind.Absolute, out redirectUri))
            {
                if (redirectUri.Scheme == Uri.UriSchemeHttp)
                {
                    throw new AuthorizeRequestClientException(
                        "Redirect URI not over SSL : " + request.redirect_uri,
                        new Uri(request.redirect_uri),
                        OAuth2Constants.Errors.InvalidRequest,
                        string.Empty,
                        validatedRequest.State);
                }

                // make sure redirect uri is registered with client
                if (!validatedRequest.Client.RedirectUris.Contains(request.redirect_uri))
                {
                    throw new AuthorizeRequestResourceOwnerException("Invalid redirect URI: " + request.redirect_uri);
                }

                validatedRequest.RedirectUri = request.redirect_uri;
                Tracing.InformationFormat("Redirect URI: {0}",
                    validatedRequest.RedirectUri);
            }
            else
            {
                throw new AuthorizeRequestResourceOwnerException("Invalid redirect URI: " + request.redirect_uri);
            }

            // check state
            if (!string.IsNullOrWhiteSpace(request.state))
            {
                validatedRequest.State = request.state;
                Tracing.Information("State: " + validatedRequest.State);
            }
            else
            {
                Tracing.Information("No state supplied.");
            }

            // validate response type
            if (string.IsNullOrWhiteSpace(request.response_type))
            {
                throw new AuthorizeRequestClientException(
                    "response_type is null or empty",
                    new Uri(validatedRequest.RedirectUri),
                    OAuth2Constants.Errors.InvalidRequest,
                    string.Empty,
                    validatedRequest.State);
            }

            // check response type (only code and token are supported)
            if (!request.response_type.Equals(OAuth2Constants.ResponseTypes.Token, StringComparison.Ordinal) &&
                !request.response_type.Equals(OAuth2Constants.ResponseTypes.Code, StringComparison.Ordinal))
            {
                throw new AuthorizeRequestClientException(
                    "response_type is not token or code: " + request.response_type,
                    new Uri(validatedRequest.RedirectUri),
                    OAuth2Constants.Errors.UnsupportedResponseType,
                    string.Empty,
                    validatedRequest.State);
            }

            validatedRequest.ResponseType = request.response_type;
            Tracing.Information("Response type: " + validatedRequest.ResponseType);

            // scope is required
            if (string.IsNullOrWhiteSpace(request.scope))
            {
                throw new AuthorizeRequestClientException(
                    "Missing scope",
                    new Uri(validatedRequest.RedirectUri),
                    OAuth2Constants.Errors.InvalidScope,
                    validatedRequest.ResponseType,
                    validatedRequest.State);
            }

            // validate scopes
            if (!request.scope.StartsWith("openid"))
            {
                throw new AuthorizeRequestClientException(
                    "Invalid scope: " + request.scope,
                    new Uri(validatedRequest.RedirectUri),
                    OAuth2Constants.Errors.InvalidScope,
                    validatedRequest.ResponseType,
                    validatedRequest.State);
            }

            validatedRequest.Scopes = request.scope;

            if (request.response_type == OAuth2Constants.ResponseTypes.Code)
            {
                ValidateCodeResponseType(validatedRequest, request);
            }
            else if (request.response_type == OAuth2Constants.ResponseTypes.Token)
            {
                ValidateTokenResponseType(validatedRequest, request);
            }
            else
            {
                throw new AuthorizeRequestClientException(
                    "Invalid response_type: " + request.response_type,
                    new Uri(validatedRequest.RedirectUri),
                    OAuth2Constants.Errors.UnsupportedResponseType,
                    request.response_type,
                    validatedRequest.State);
            }

            return validatedRequest;
        }

Example #15

0

Show file

File: AuthorizeRequestValidator.cs Project: azhuang88/IdentityServer

 private void ValidateTokenResponseType(ValidatedRequest validatedRequest, AuthorizeRequest request)
 {
     throw new NotImplementedException();
 }

Example #16

0

Show file

File: AuthorizeRequestValidator.cs Project: azhuang88/IdentityServer

 private void ValidateCodeResponseType(ValidatedRequest validatedRequest, AuthorizeRequest request)
 {
     if (validatedRequest.Client.Flow != OpenIdConnectFlows.AuthorizationCode)
     {
         throw new AuthorizeRequestClientException(
             "response_type is not allowed: " + request.response_type,
             new Uri(validatedRequest.RedirectUri),
             OAuth2Constants.Errors.UnsupportedResponseType,
             request.response_type,
             validatedRequest.State);
     }
 }

C# (CSharp) IdentityServer.Protocols.OAuth2 AuthorizeRequest Examples