private async Task <bool> ValidateRequestedScopesAsync(NameValueCollection parameters)
{
var scopes = parameters.Get(OidcConstants.TokenRequest.Scope);
if (scopes.IsMissingOrTooLong(_options.InputLengthRestrictions.Scope))
{
_logger.LogWarning("Scopes missing or too long");
return(false);
}
var requestedScopes = scopes.ParseScopesString();
if (requestedScopes == null)
{
return(false);
}
if (!_scopeValidator.AreScopesAllowed(_validatedRequest.Client, requestedScopes))
{
return(false);
}
if (!await _scopeValidator.AreScopesValidAsync(requestedScopes))
{
return(false);
}
_validatedRequest.Scopes = requestedScopes;
_validatedRequest.ValidatedScopes = _scopeValidator;
return(true);
}
private async Task <AuthorizeRequestValidationResult> ValidateScopeAsync(ValidatedAuthorizeRequest request)
{
//////////////////////////////////////////////////////////
// scope must be present
//////////////////////////////////////////////////////////
var scope = request.Raw.Get(OidcConstants.AuthorizeRequest.Scope);
if (scope.IsMissing())
{
LogError("scope is missing", request);
return(Invalid(request, ErrorTypes.Client));
}
if (scope.Length > _options.InputLengthRestrictions.Scope)
{
LogError("scopes too long.", request);
return(Invalid(request, ErrorTypes.Client));
}
request.RequestedScopes = scope.FromSpaceSeparatedString().Distinct().ToList();
if (request.RequestedScopes.Contains(Constants.StandardScopes.OpenId))
{
request.IsOpenIdRequest = true;
}
//////////////////////////////////////////////////////////
// check scope vs response_type plausability
//////////////////////////////////////////////////////////
var requirement = Constants.ResponseTypeToScopeRequirement[request.ResponseType];
if (requirement == Constants.ScopeRequirement.Identity ||
requirement == Constants.ScopeRequirement.IdentityOnly)
{
if (request.IsOpenIdRequest == false)
{
LogError("response_type requires the openid scope", request);
return(Invalid(request, ErrorTypes.Client));
}
}
//////////////////////////////////////////////////////////
// check if scopes are valid/supported and check for resource scopes
//////////////////////////////////////////////////////////
if (await _scopeValidator.AreScopesValidAsync(request.RequestedScopes) == false)
{
return(Invalid(request, ErrorTypes.Client, OidcConstants.AuthorizeErrors.InvalidScope));
}
if (_scopeValidator.ContainsOpenIdScopes && !request.IsOpenIdRequest)
{
LogError("Identity related scope requests, but no openid scope", request);
return(Invalid(request, ErrorTypes.Client, OidcConstants.AuthorizeErrors.InvalidScope));
}
if (_scopeValidator.ContainsResourceScopes)
{
request.IsResourceRequest = true;
}
//////////////////////////////////////////////////////////
// check scopes and scope restrictions
//////////////////////////////////////////////////////////
if (!_scopeValidator.AreScopesAllowed(request.Client, request.RequestedScopes))
{
return(Invalid(request, ErrorTypes.User, OidcConstants.AuthorizeErrors.UnauthorizedClient));
}
request.ValidatedScopes = _scopeValidator;
//////////////////////////////////////////////////////////
// check id vs resource scopes and response types plausability
//////////////////////////////////////////////////////////
if (!_scopeValidator.IsResponseTypeValid(request.ResponseType))
{
return(Invalid(request, ErrorTypes.Client, OidcConstants.AuthorizeErrors.InvalidScope));
}
return(Valid(request));
}