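/// <summary>
/// Validates an introspection request made on behalf of an API resource: the "token"
/// parameter must be present, must validate as an access token, and must carry at least
/// one scope owned by <paramref name="apiResource"/>.
/// </summary>
/// <param name="parameters">Raw introspection request parameters; only "token" is read.</param>
/// <param name="apiResource">The API resource calling introspection; its scopes decide which scope claims are accepted and returned.</param>
/// <returns>
/// On success a result with <c>IsActive = true</c>, the token and its claims, where scope claims
/// are reduced to the ones <paramref name="apiResource"/> owns. On failure a result with
/// <c>IsError = true</c>, <c>IsActive = false</c> and <c>FailureReason</c> naming the first check that failed.
/// </returns>
public async Task<IntrospectionRequestValidationResult> ValidateAsync(NameValueCollection parameters, ApiResource apiResource)
        {
            _logger.LogDebug("Introspection request validation started.");

            // IsError is set once here; the failure branches only add the reason and token.
            var fail = new IntrospectionRequestValidationResult
            {
                IsError = true
            };

            // retrieve required token
            var token = parameters.Get("token");
            if (token == null)
            {
                _logger.LogError("Token is missing");

                fail.IsActive      = false;
                fail.FailureReason = IntrospectionRequestValidationFailureReason.MissingToken;
                return fail;
            }

            // validate token (signature, lifetime, etc. are the token validator's job)
            var tokenValidationResult = await _tokenValidator.ValidateAccessTokenAsync(token);

            // invalid or unknown token
            if (tokenValidationResult.IsError)
            {
                _logger.LogDebug("Token is invalid.");

                fail.IsActive      = false;
                fail.FailureReason = IntrospectionRequestValidationFailureReason.InvalidToken;
                fail.Token         = token;
                return fail;
            }

            // Materialise the scopes this API owns once. The deferred Select used before was
            // re-enumerated for every claim inspected below and again when logged.
            var supportedScopes = apiResource.Scopes.Select(x => x.Name).ToList();

            // the token must carry at least one scope this API owns
            var hasExpectedScope = tokenValidationResult.Claims.Any(
                c => c.Type == JwtClaimTypes.Scope && supportedScopes.Contains(c.Value));

            if (!hasExpectedScope)
            {
                _logger.LogError("Expected scope {scopes} is missing in token", supportedScopes);

                fail.IsActive      = false;
                fail.FailureReason = IntrospectionRequestValidationFailureReason.InvalidScope;
                fail.Token         = token;
                return fail;
            }

            // Keep every non-scope claim, but only the scope claims this API owns, so the
            // caller does not learn which other APIs' scopes the token was granted.
            var claims = tokenValidationResult.Claims.Where(
                x => x.Type != JwtClaimTypes.Scope || supportedScopes.Contains(x.Value));

            var success = new IntrospectionRequestValidationResult
            {
                IsActive = true,
                IsError  = false,
                Token    = token,
                Claims   = claims
            };

            _logger.LogDebug("Introspection request validation successful.");
            return success;
        }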
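        /// <summary>
        /// Validates an introspection request made on behalf of a single scope: the "token"
        /// parameter must be present, must validate as an access token, and must carry
        /// <paramref name="scope"/>.
        /// </summary>
        /// <param name="parameters">Raw introspection request parameters; only "token" is read.</param>
        /// <param name="scope">The scope the calling API owns; the token must contain a scope claim with this name.</param>
        /// <returns>
        /// On success a result with <c>IsActive = true</c>, the token and its claims, where scope claims
        /// are reduced to <paramref name="scope"/> itself. On failure a result with <c>IsError = true</c>,
        /// <c>IsActive = false</c> and <c>FailureReason</c> naming the first check that failed.
        /// </returns>
        public async Task<IntrospectionRequestValidationResult> ValidateAsync(NameValueCollection parameters, Scope scope)
        {
            _logger.LogDebug("Introspection request validation started.");

            // IsError is set once here; the failure branches only add the reason and token.
            var fail = new IntrospectionRequestValidationResult
            {
                IsError = true
            };

            // retrieve required token
            var token = parameters.Get("token");
            if (token == null)
            {
                _logger.LogError("Token is missing");

                fail.IsActive      = false;
                fail.FailureReason = IntrospectionRequestValidationFailureReason.MissingToken;
                return fail;
            }

            // validate token (signature, lifetime, etc. are the token validator's job)
            var tokenValidationResult = await _tokenValidator.ValidateAccessTokenAsync(token);

            // invalid or unknown token
            if (tokenValidationResult.IsError)
            {
                _logger.LogError("Token is invalid.");

                fail.IsActive      = false;
                fail.FailureReason = IntrospectionRequestValidationFailureReason.InvalidToken;
                fail.Token         = token;
                return fail;
            }

            // the token must carry the scope this API owns
            var hasExpectedScope = tokenValidationResult.Claims.Any(
                c => c.Type == JwtClaimTypes.Scope && c.Value == scope.Name);

            if (!hasExpectedScope)
            {
                _logger.LogError("Expected scope of {scope} is missing", scope.Name);

                fail.IsActive      = false;
                fail.FailureReason = IntrospectionRequestValidationFailureReason.InvalidScope;
                fail.Token         = token;
                return fail;
            }

            // Keep every non-scope claim, but only the scope claim this API owns, so the
            // caller does not learn which other scopes the token was granted. This mirrors
            // the filtering done by the ApiResource overload.
            var claims = tokenValidationResult.Claims.Where(
                x => x.Type != JwtClaimTypes.Scope || x.Value == scope.Name);

            var success = new IntrospectionRequestValidationResult
            {
                IsActive = true,
                IsError  = false,
                Token    = token,
                Claims   = claims
            };

            _logger.LogInformation("Introspection request validation successful.");
            return success;
        }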