private static void ValidateScopes(AuthorizeRequest request, ValidatedRequest validatedRequest)
        {
            // validate scopes
            if (string.IsNullOrEmpty(request.scope))
            {
                throw new AuthorizeRequestClientException(
                          "Missing scope.",
                          new Uri(validatedRequest.RedirectUri.Uri),
                          OAuthConstants.Errors.InvalidScope,
                          validatedRequest.ResponseType,
                          validatedRequest.State);
            }

            var          requestedScopes = request.scope.Split(' ').ToList();
            List <Scope> resultingScopes;

            if (validatedRequest.Application.Scopes.TryValidateScopes(validatedRequest.Client.ClientId, requestedScopes, out resultingScopes))
            {
                validatedRequest.Scopes = resultingScopes;
                Tracing.InformationFormat("Requested scopes: {0}", request.scope);
            }
            else
            {
                throw new AuthorizeRequestClientException(
                          "Invalid scope.",
                          new Uri(validatedRequest.RedirectUri.Uri),
                          OAuthConstants.Errors.InvalidScope,
                          validatedRequest.ResponseType,
                          validatedRequest.State);
            }
        }
        // GET /{appName}/oauth/authorize
        //
        public ActionResult Index(string appName, AuthorizeRequest request)
        {
            Tracing.Start("OAuth2 Authorize Endoint");

            // make sure application is registered
            var application = _config.FindApplication(appName);
            if (application == null)
            {
                Tracing.Error("Application not found: " + appName);
                return HttpNotFound();
            }

            ValidatedRequest validatedRequest;
            try
            {
                validatedRequest = new AuthorizeRequestValidator().Validate(application, request);
            }
            catch (AuthorizeRequestValidationException ex)
            {
                Tracing.Error("Aborting OAuth2 authorization request");
                return this.AuthorizeValidationError(ex);
            }

            if (validatedRequest.ShowConsent)
            {
                // show consent screen
                Tracing.Verbose("Showing consent screen");

                return View("Consent", validatedRequest);
            }

            Tracing.Verbose("No consent configured for application/client");
            return PerformGrant(validatedRequest);
        }
        private void ValidateCodeResponseType(ValidatedRequest validatedRequest, AuthorizeRequest request)
        {
            // make sure response type allowed for this client
            if (validatedRequest.Client.Flow != OAuthFlow.Code)
            {
                throw new AuthorizeRequestClientException(
                          "response_type is not allowed: " + request.response_type,
                          new Uri(validatedRequest.RedirectUri.Uri),
                          OAuthConstants.Errors.UnsupportedResponseType,
                          request.response_type,
                          validatedRequest.State);
            }

            if (validatedRequest.Client.AllowRefreshToken && validatedRequest.Application.AllowRefreshToken)
            {
                Tracing.Information("The request allows arefresh token.");
                validatedRequest.RequestingRefreshToken = true;
            }

            if (validatedRequest.Client.RequireConsent || validatedRequest.Application.RequireConsent)
            {
                Tracing.Information("Consent is required.");
                validatedRequest.ShowConsent = true;
            }
        }
        // GET /{appName}/oauth/authorize
        //
        public ActionResult Index(string appName, AuthorizeRequest request)
        {
            Tracing.Start("OAuth2 Authorize Endoint");

            // make sure application is registered
            var application = _config.FindApplication(appName);

            if (application == null)
            {
                Tracing.Error("Application not found: " + appName);
                return(HttpNotFound());
            }

            ValidatedRequest validatedRequest;

            try
            {
                validatedRequest = new AuthorizeRequestValidator().Validate(application, request);
            }
            catch (AuthorizeRequestValidationException ex)
            {
                Tracing.Error("Aborting OAuth2 authorization request");
                return(this.AuthorizeValidationError(ex));
            }

            if (validatedRequest.ShowConsent)
            {
                validatedRequest.RememberOptions = GetRememberOptions(application);

                // todo: check first if a remembered consent decision exists
                if (validatedRequest.ResponseType == OAuthConstants.ResponseTypes.Token)
                {
                    var handle = _handleManager.Find(
                        ClaimsPrincipal.Current.GetSubject(),
                        validatedRequest.Client,
                        validatedRequest.Application,
                        validatedRequest.Scopes,
                        StoredGrantType.ConsentDecision);

                    if (handle != null)
                    {
                        Tracing.Verbose("Stored consent decision found.");

                        return(PerformGrant(validatedRequest));
                    }
                }

                // show consent screen
                Tracing.Verbose("Showing consent screen");
                return(View("Consent", validatedRequest));
            }

            Tracing.Verbose("No consent configured for application/client");


            // workaround for bug #139
            validatedRequest.RequestedRefreshTokenExpiration = DateTime.UtcNow.AddYears(50);
            return(PerformGrant(validatedRequest));
        }
        // GET /{appName}/oauth/authorize
        //
        public ActionResult Index(string appName, AuthorizeRequest request)
        {
            Tracing.Start("OAuth2 Authorize Endoint");

            // make sure application is registered
            var application = _config.FindApplication(appName);
            if (application == null)
            {
                Tracing.Error("Application not found: " + appName);
                return HttpNotFound();
            }

            ValidatedRequest validatedRequest;
            try
            {
                validatedRequest = new AuthorizeRequestValidator().Validate(application, request);
            }
            catch (AuthorizeRequestValidationException ex)
            {
                Tracing.Error("Aborting OAuth2 authorization request");
                return this.AuthorizeValidationError(ex);
            }

            if (validatedRequest.ShowConsent)
            {
                validatedRequest.RememberOptions = GetRememberOptions(application);

                // todo: check first if a remembered consent decision exists
                if (validatedRequest.ResponseType == OAuthConstants.ResponseTypes.Token)
                {
                    var handle = _handleManager.Find(
                        ClaimsPrincipal.Current.GetSubject(),
                        validatedRequest.Client,
                        validatedRequest.Application,
                        validatedRequest.Scopes,
                        StoredGrantType.ConsentDecision);

                    if (handle != null)
                    {
                        Tracing.Verbose("Stored consent decision found.");

                        return PerformGrant(validatedRequest);
                    }
                }

                // show consent screen
                Tracing.Verbose("Showing consent screen");
                return View("Consent", validatedRequest);
            }

            Tracing.Verbose("No consent configured for application/client");

            
            // workaround for bug #139
            validatedRequest.RequestedRefreshTokenExpiration = DateTime.UtcNow.AddYears(50);
            return PerformGrant(validatedRequest);
        }
 private void ValidateTokenResponseType(ValidatedRequest validatedRequest, AuthorizeRequest request)
 {
     if (validatedRequest.Client.Flow != OAuthFlow.Implicit)
     {
         throw new AuthorizeRequestClientException(
                   "response_type is not allowed: " + request.response_type,
                   new Uri(validatedRequest.RedirectUri.Uri),
                   OAuthConstants.Errors.UnsupportedResponseType,
                   request.response_type,
                   validatedRequest.State);
     }
 }
        public ActionResult HandleConsentResponse(string appName, string button, string[] scopes, AuthorizeRequest request, int? rememberDuration = null)
        {
            Tracing.Start("OAuth2 Authorize Endoint - Consent response");

            // make sure application is registered
            var application = _config.FindApplication(appName);
            if (application == null)
            {
                Tracing.Error("Application not found: " + appName);
                return HttpNotFound();
            }

            if (button == "no")
            {
                Tracing.Information("User denies access token request.");
                return new ClientErrorResult(new Uri(request.redirect_uri), OAuthConstants.Errors.AccessDenied, request.response_type, request.state);
            }

            if (button == "yes")
            {
                Tracing.Information("User allows access token request.");

                ValidatedRequest validatedRequest;
                try
                {
                    validatedRequest = new AuthorizeRequestValidator().Validate(application, request);
                }
                catch (AuthorizeRequestValidationException ex)
                {
                    Tracing.Error("Aborting OAuth2 authorization request");
                    return this.AuthorizeValidationError(ex);
                }

                if (scopes == null || scopes.Length == 0)
                {
                    ModelState.AddModelError("", "Please choose at least one permission.");
                    return View("Consent", validatedRequest);
                }

                // todo: parse scopes form post and substitue scopes
                validatedRequest.Scopes.RemoveAll(x => !scopes.Contains(x.Name));
                var grantResult = PerformGrant(validatedRequest);
                if (grantResult != null) return grantResult;
            }

            return new ClientErrorResult(
                new Uri(request.redirect_uri), 
                OAuthConstants.Errors.InvalidRequest, 
                request.response_type, 
                request.state);
        }
        public void ValidRequestMultipleScope()
        {
            var validator = new AuthorizeRequestValidator(_clientManager);
            var app = _testConfig.FindApplication("test");
            var request = new AuthorizeRequest
            {
                client_id = "codeclient",
                response_type = "code",
                scope = "read search",
                redirect_uri = "https://prod.local"
            };

            var result = validator.Validate(app, request);
        }
        public void ValidRequestMultipleScope()
        {
            var validator = new AuthorizeRequestValidator();
            var app = _testConfig.FindApplication("test");
            var request = new AuthorizeRequest
            {
                client_id = "implicitclient",
                response_type = "token",
                scope = "read browse",
                redirect_uri = "https://test2.local"
            };

            var result = validator.Validate(app, request);
        }
        public void DisabledClient()
        {
            var validator = new AuthorizeRequestValidator();
            var app = _testConfig.FindApplication("test");
            var request = new AuthorizeRequest
            {
                client_id = "disabledclient",
                response_type = "code",
                scope = "read",
                redirect_uri = "https://prod.local"
            };

            try
            {
                var result = validator.Validate(app, request);
            }
            catch (AuthorizeRequestResourceOwnerException ex)
            {
                return;
            }

            Assert.Fail("No exception thrown.");
        }
        public void MissingRedirectUri()
        {
            var validator = new AuthorizeRequestValidator();
            var app = _testConfig.FindApplication("test");
            var request = new AuthorizeRequest
            {
                client_id = "codeclient",
                response_type = "code",
                scope = "read"
            };

            try
            {
                var result = validator.Validate(app, request);
            }
            catch (AuthorizeRequestResourceOwnerException ex)
            {
                // todo: check error code
                return;
            }

            Assert.Fail("No exception thrown.");
        }
        public void UnauthorizedResponseType()
        {
            var validator = new AuthorizeRequestValidator();
            var app = _testConfig.FindApplication("test");
            var request = new AuthorizeRequest
            {
                client_id = "implicitclient",
                response_type = "code",
                scope = "read",
                redirect_uri = "https://test2.local"
            };

            try
            {
                var result = validator.Validate(app, request);
            }
            catch (AuthorizeRequestClientException ex)
            {
                Assert.IsTrue(ex.Error == OAuthConstants.Errors.UnsupportedResponseType);
                return;
            }

            Assert.Fail("No exception thrown.");
        }
        public void UnauthorizedRedirectUri()
        {
            var validator = new AuthorizeRequestValidator();
            var app = _testConfig.FindApplication("test");
            var request = new AuthorizeRequest
            {
                client_id = "implicitclient",
                response_type = "token",
                scope = "read",
                redirect_uri = "https://unauthorized.com"
            };

            try
            {
                var result = validator.Validate(app, request);
            }
            catch (AuthorizeRequestResourceOwnerException ex)
            {
                // todo: check error code
                return;
            }

            Assert.Fail("No exception thrown.");
        }
 private void ValidateTokenResponseType(ValidatedRequest validatedRequest, AuthorizeRequest request)
 {
     if (validatedRequest.Client.Flow != OAuthFlow.Implicit)
     {
         throw new AuthorizeRequestClientException(
             "response_type is not allowed: " + request.response_type,
             new Uri(validatedRequest.RedirectUri.Uri),
             OAuthConstants.Errors.UnsupportedResponseType,
             request.response_type,
             validatedRequest.State);
     }
 }
        public ActionResult HandleConsentResponse(string appName, string button, string[] scopes, AuthorizeRequest request, int? rememberDuration = null)
        {
            Tracing.Start("OAuth2 Authorize Endoint - Consent response");

            // make sure application is registered
            var application = _config.FindApplication(appName);
            if (application == null)
            {
                Tracing.Error("Application not found: " + appName);
                return HttpNotFound();
            }

            if (button == "no")
            {
                Tracing.Information("User denies access token request.");
                return new ClientErrorResult(new Uri(request.redirect_uri), OAuthConstants.Errors.AccessDenied, request.response_type, request.state);
            }

            if (button == "yes")
            {
                Tracing.Information("User allows access token request.");

                ValidatedRequest validatedRequest;
                try
                {
                    validatedRequest = new AuthorizeRequestValidator().Validate(application, request);
                }
                catch (AuthorizeRequestValidationException ex)
                {
                    Tracing.Error("Aborting OAuth2 authorization request");
                    return this.AuthorizeValidationError(ex);
                }

                if (scopes == null || scopes.Length == 0)
                {
                    ModelState.AddModelError("", "Please choose at least one permission.");
                    return View("Consent", validatedRequest);
                }

                // parse scopes form post and substitue scopes
                validatedRequest.Scopes.RemoveAll(x => !scopes.Contains(x.Name));

                // store consent decision if 
                //  checkbox was checked
                //  and storage is allowed 
                //  and flow == implicit
                if (validatedRequest.Application.AllowRememberConsentDecision &&
                    validatedRequest.ResponseType == OAuthConstants.ResponseTypes.Token &&
                    rememberDuration == -1)
                {
                    var handle = StoredGrant.CreateConsentDecision(
                        ClaimsPrincipal.Current.GetSubject(),
                        validatedRequest.Client,
                        validatedRequest.Application,
                        validatedRequest.Scopes);

                    _handleManager.Add(handle);

                    Tracing.Information("Consent decision stored.");
                }

                // parse refresh token lifetime if 
                // code flow is used 
                // and refresh tokens are allowed
                if (validatedRequest.RequestingRefreshToken &&
                    rememberDuration != null &&
                    validatedRequest.Client.Flow == OAuthFlow.Code)
                {
                    if (rememberDuration == -1)
                    {
                        validatedRequest.RequestedRefreshTokenExpiration = DateTime.UtcNow.AddYears(50);
                    }
                    else
                    {
                        validatedRequest.RequestedRefreshTokenExpiration = DateTime.UtcNow.AddHours(rememberDuration.Value);
                    }

                    Tracing.Information("Selected refresh token lifetime in hours: " + rememberDuration);
                }

                var grantResult = PerformGrant(validatedRequest);
                if (grantResult != null) return grantResult;
            }

            return new ClientErrorResult(
                new Uri(request.redirect_uri),
                OAuthConstants.Errors.InvalidRequest,
                request.response_type,
                request.state);
        }
        public void UnauthorizedResponseType()
        {
            var validator = new AuthorizeRequestValidator(_clientManager);
            var app = _testConfig.FindApplication("test");
            var request = new AuthorizeRequest
            {
                client_id = "codeclient",
                response_type = "token",
                scope = "read",
                redirect_uri = "https://prod.local"
            };

            try
            {
                var result = validator.Validate(app, request);
            }
            catch (AuthorizeRequestClientException ex)
            {
                Assert.AreEqual(OAuthConstants.Errors.UnsupportedResponseType, ex.Error);
                return;
            }

            Assert.Fail("No exception thrown.");
        }
        public void UnauthorizedScopeMultiple()
        {
            var validator = new AuthorizeRequestValidator();
            var app = _testConfig.FindApplication("test");
            var request = new AuthorizeRequest
            {
                client_id = "implicitclient",
                response_type = "token",
                scope = "read write",
                redirect_uri = "https://test2.local"
            };

            try
            {
                var result = validator.Validate(app, request);
            }
            catch (AuthorizeRequestClientException ex)
            {
                Assert.AreEqual(OAuthConstants.Errors.InvalidScope, ex.Error);
                return;
            }

            Assert.Fail("No exception thrown.");
        }
        private static void ValidateScopes(AuthorizeRequest request, ValidatedRequest validatedRequest)
        {
            // validate scopes
            if (string.IsNullOrEmpty(request.scope))
            {
                throw new AuthorizeRequestClientException(
                    "Missing scope.",
                    new Uri(validatedRequest.RedirectUri.Uri),
                    OAuthConstants.Errors.InvalidScope,
                    validatedRequest.ResponseType,
                    validatedRequest.State);
            }

            var requestedScopes = request.scope.Split(' ').ToList();
            List<Scope> resultingScopes;

            if (validatedRequest.Application.Scopes.TryValidateScopes(validatedRequest.Client.ClientId, requestedScopes, out resultingScopes))
            {
                validatedRequest.Scopes = resultingScopes;
                Tracing.InformationFormat("Requested scopes: {0}", request.scope);
            }
            else
            {
                throw new AuthorizeRequestClientException(
                    "Invalid scope.",
                    new Uri(validatedRequest.RedirectUri.Uri),
                    OAuthConstants.Errors.InvalidScope,
                    validatedRequest.ResponseType,
                    validatedRequest.State);
            }
        }
        private void ValidateCodeResponseType(ValidatedRequest validatedRequest, AuthorizeRequest request)
        {
            // make sure response type allowed for this client
            if (validatedRequest.Client.Flow != OAuthFlow.Code)
            {
                throw new AuthorizeRequestClientException(
                   "response_type is not allowed: " + request.response_type,
                   new Uri(validatedRequest.RedirectUri.Uri),
                   OAuthConstants.Errors.UnsupportedResponseType,
                   request.response_type,
                   validatedRequest.State);
            }

            if (validatedRequest.Client.AllowRefreshToken && validatedRequest.Application.AllowRefreshToken)
            {
                Tracing.Information("The request allows arefresh token.");
                validatedRequest.RequestingRefreshToken = true;
            }

            if (validatedRequest.Client.RequireConsent || validatedRequest.Application.RequireConsent)
            {
                Tracing.Information("Consent is required.");
                validatedRequest.ShowConsent = true;
            }
        }
        public ValidatedRequest Validate(Application application, AuthorizeRequest request)
        {
            // If the request fails due to a missing, invalid, or mismatching
            // redirection URI, or if the client identifier is missing or invalid,
            // the authorization server SHOULD inform the resource owner of the
            // error and MUST NOT automatically redirect the user-agent to the
            // invalid redirection URI.

            var validatedRequest = new ValidatedRequest();

            // validate request model binding
            if (request == null)
            {
                throw new AuthorizeRequestResourceOwnerException("Invalid request parameters.");
            }

            validatedRequest.Application = application;
            Tracing.InformationFormat("OAuth2 application: {0} ({1})",
                validatedRequest.Application.Name,
                validatedRequest.Application.Namespace);

            validatedRequest.ShowRememberConsent = application.AllowRememberConsentDecision;

            // make sure redirect uri is present
            if (string.IsNullOrWhiteSpace(request.redirect_uri))
            {
                throw new AuthorizeRequestResourceOwnerException("Missing redirect URI");
            }

            // validate client
            if (string.IsNullOrWhiteSpace(request.client_id))
            {
                throw new AuthorizeRequestResourceOwnerException("Missing client identifier");
            }


            var client = _clientManager.Get(request.client_id);
            if (client == null)
            {
                throw new AuthorizeRequestResourceOwnerException("Invalid client: " + request.client_id);
            }

            validatedRequest.Client = client;
            Tracing.InformationFormat("Client: {0} ({1})",
                validatedRequest.Client.Name,
                validatedRequest.Client.ClientId);

            // make sure redirect_uri is a valid uri, and in case of http is over ssl
            Uri redirectUri;
            if (Uri.TryCreate(request.redirect_uri, UriKind.Absolute, out redirectUri))
            {
                if (redirectUri.Scheme == Uri.UriSchemeHttp)
                {
                    throw new AuthorizeRequestClientException(
                        "Redirect URI not over SSL : " + request.redirect_uri,
                        new Uri(request.redirect_uri),
                        OAuthConstants.Errors.InvalidRequest,
                        string.Empty,
                        validatedRequest.State);
                }

                // make sure redirect uri is registered with client
                var validUri = validatedRequest.Client.RedirectUris.Get(request.redirect_uri);

                if (validUri == null)
                {
                    throw new AuthorizeRequestResourceOwnerException("Invalid redirect URI: " + request.redirect_uri);
                }

                validatedRequest.RedirectUri = validUri;
                Tracing.InformationFormat("Redirect URI: {0} ({1})",
                    validatedRequest.RedirectUri.Uri,
                    validatedRequest.RedirectUri.Description);
            }
            else
            {
                var message = "Invalid redirect URI: " + request.redirect_uri;
                Tracing.Error(message);

                throw new AuthorizeRequestResourceOwnerException("Invalid redirect URI: " + request.redirect_uri);
            }

            // check state
            if (!string.IsNullOrWhiteSpace(request.state))
            {
                validatedRequest.State = request.state;
                Tracing.Information("State: " + validatedRequest.State);
            }
            else
            {
                Tracing.Information("No state supplied.");
            }

            // validate response type
            if (String.IsNullOrWhiteSpace(request.response_type))
            {
                throw new AuthorizeRequestClientException(
                    "response_type is null or empty",
                    new Uri(validatedRequest.RedirectUri.Uri),
                    OAuthConstants.Errors.InvalidRequest,
                    string.Empty,
                    validatedRequest.State);
            }

            // check response type (only code and token are supported)
            if (!request.response_type.Equals(OAuthConstants.ResponseTypes.Token, StringComparison.Ordinal) &&
                !request.response_type.Equals(OAuthConstants.ResponseTypes.Code, StringComparison.Ordinal))
            {
                throw new AuthorizeRequestClientException(
                    "response_type is not token or code: " + request.response_type,
                    new Uri(validatedRequest.RedirectUri.Uri),
                    OAuthConstants.Errors.UnsupportedResponseType,
                    string.Empty,
                    validatedRequest.State);
            }

            validatedRequest.ResponseType = request.response_type;
            Tracing.Information("Response type: " + validatedRequest.ResponseType);

            if (request.response_type == OAuthConstants.ResponseTypes.Code)
            {
                ValidateCodeResponseType(validatedRequest, request);
            }
            else if (request.response_type == OAuthConstants.ResponseTypes.Token)
            {
                ValidateTokenResponseType(validatedRequest, request);
            }
            else
            {
                throw new AuthorizeRequestClientException(
                    "Invalid response_type: " + request.response_type,
                    new Uri(validatedRequest.RedirectUri.Uri),
                    OAuthConstants.Errors.UnsupportedResponseType,
                    request.response_type,
                    validatedRequest.State);
            }

            ValidateScopes(request, validatedRequest);

            // TODO: fix based upon past "remember me" settings
            validatedRequest.ShowConsent = client.RequireConsent || application.RequireConsent;

            Tracing.Information("Authorize request validation successful.");
            return validatedRequest;
        }
Example #21
0
        public ActionResult HandleConsentResponse(string appName, string button, string[] scopes, AuthorizeRequest request, int?rememberDuration = null)
        {
            Tracing.Start("OAuth2 Authorize Endoint - Consent response");

            // make sure application is registered
            var application = _config.FindApplication(appName);

            if (application == null)
            {
                Tracing.Error("Application not found: " + appName);
                return(HttpNotFound());
            }

            if (button == "no")
            {
                Tracing.Information("User denies access token request.");
                return(new ClientErrorResult(new Uri(request.redirect_uri), OAuthConstants.Errors.AccessDenied, request.response_type, request.state));
            }

            if (button == "yes")
            {
                Tracing.Information("User allows access token request.");

                ValidatedRequest validatedRequest;
                try
                {
                    validatedRequest = new AuthorizeRequestValidator().Validate(application, request);
                }
                catch (AuthorizeRequestValidationException ex)
                {
                    Tracing.Error("Aborting OAuth2 authorization request");
                    return(this.AuthorizeValidationError(ex));
                }

                if (scopes == null || scopes.Length == 0)
                {
                    ModelState.AddModelError("", "Please choose at least one permission.");
                    return(View("Consent", validatedRequest));
                }

                // parse scopes form post and substitue scopes
                validatedRequest.Scopes.RemoveAll(x => !scopes.Contains(x.Name));

                // store consent decision if
                //  checkbox was checked
                //  and storage is allowed
                //  and flow == implicit
                if (validatedRequest.Application.AllowRememberConsentDecision &&
                    validatedRequest.ResponseType == OAuthConstants.ResponseTypes.Token &&
                    rememberDuration == -1)
                {
                    var handle = StoredGrant.CreateConsentDecision(
                        ClaimsPrincipal.Current.GetSubject(),
                        validatedRequest.Client,
                        validatedRequest.Application,
                        validatedRequest.Scopes);

                    _handleManager.Add(handle);

                    Tracing.Information("Consent decision stored.");
                }

                // parse refresh token lifetime if
                // code flow is used
                // and refresh tokens are allowed
                if (validatedRequest.RequestingRefreshToken &&
                    rememberDuration != null &&
                    validatedRequest.Client.Flow == OAuthFlow.Code)
                {
                    if (rememberDuration == -1)
                    {
                        validatedRequest.RequestedRefreshTokenExpiration = DateTime.UtcNow.AddYears(50);
                    }
                    else
                    {
                        validatedRequest.RequestedRefreshTokenExpiration = DateTime.UtcNow.AddHours(rememberDuration.Value);
                    }

                    Tracing.Information("Selected refresh token lifetime in hours: " + rememberDuration);
                }

                var grantResult = PerformGrant(validatedRequest);
                if (grantResult != null)
                {
                    return(grantResult);
                }
            }

            return(new ClientErrorResult(
                       new Uri(request.redirect_uri),
                       OAuthConstants.Errors.InvalidRequest,
                       request.response_type,
                       request.state));
        }
        public ValidatedRequest Validate(Application application, AuthorizeRequest request)
        {
            // If the request fails due to a missing, invalid, or mismatching
            // redirection URI, or if the client identifier is missing or invalid,
            // the authorization server SHOULD inform the resource owner of the
            // error and MUST NOT automatically redirect the user-agent to the
            // invalid redirection URI.

            var validatedRequest = new ValidatedRequest();

            // validate request model binding
            if (request == null)
            {
                throw new AuthorizeRequestResourceOwnerException("Invalid request parameters.");
            }

            validatedRequest.Application = application;
            Tracing.InformationFormat("OAuth2 application: {0} ({1})",
                                      validatedRequest.Application.Name,
                                      validatedRequest.Application.Namespace);

            validatedRequest.ShowRememberConsent = application.AllowRememberConsentDecision;

            // make sure redirect uri is present
            if (string.IsNullOrWhiteSpace(request.redirect_uri))
            {
                throw new AuthorizeRequestResourceOwnerException("Missing redirect URI");
            }

            // validate client
            if (string.IsNullOrWhiteSpace(request.client_id))
            {
                throw new AuthorizeRequestResourceOwnerException("Missing client identifier");
            }

            var client = validatedRequest.Application.Clients.Get(request.client_id);

            if (client == null || client.Enabled == false)
            {
                throw new AuthorizeRequestResourceOwnerException("Invalid client or not enabled: " + request.client_id);
            }

            validatedRequest.Client = client;
            Tracing.InformationFormat("Client: {0} ({1})",
                                      validatedRequest.Client.Name,
                                      validatedRequest.Client.ClientId);

            // make sure redirect_uri is a valid uri, and in case of http is over ssl
            Uri redirectUri;

            if (Uri.TryCreate(request.redirect_uri, UriKind.Absolute, out redirectUri))
            {
                if (redirectUri.Scheme == Uri.UriSchemeHttp)
                {
                    throw new AuthorizeRequestResourceOwnerException("Redirect URI not over SSL : " + request.redirect_uri);
                }

                // make sure redirect uri is registered with client
                var validUri = validatedRequest.Client.RedirectUris.Get(request.redirect_uri);

                if (validUri == null)
                {
                    throw new AuthorizeRequestResourceOwnerException("Invalid redirect URI: " + request.redirect_uri);
                }

                validatedRequest.RedirectUri = validUri;
                Tracing.InformationFormat("Redirect URI: {0} ({1})",
                                          validatedRequest.RedirectUri.Uri,
                                          validatedRequest.RedirectUri.Description);
            }
            else
            {
                var message = "Invalid redirect URI: " + request.redirect_uri;
                Tracing.Error(message);

                throw new AuthorizeRequestResourceOwnerException("Invalid redirect URI: " + request.redirect_uri);
            }

            // check state
            if (!string.IsNullOrWhiteSpace(request.state))
            {
                validatedRequest.State = request.state;
                Tracing.Information("State: " + validatedRequest.State);
            }
            else
            {
                Tracing.Information("No state supplied.");
            }

            // validate response type
            if (String.IsNullOrWhiteSpace(request.response_type))
            {
                throw new AuthorizeRequestClientException(
                          "response_type is null or empty",
                          new Uri(validatedRequest.RedirectUri.Uri),
                          OAuthConstants.Errors.InvalidRequest,
                          string.Empty,
                          validatedRequest.State);
            }

            // check response type (only code and token are supported)
            if (!request.response_type.Equals(OAuthConstants.ResponseTypes.Token, StringComparison.Ordinal) &&
                !request.response_type.Equals(OAuthConstants.ResponseTypes.Code, StringComparison.Ordinal))
            {
                throw new AuthorizeRequestClientException(
                          "response_type is not token or code: " + request.response_type,
                          new Uri(validatedRequest.RedirectUri.Uri),
                          OAuthConstants.Errors.UnsupportedResponseType,
                          string.Empty,
                          validatedRequest.State);
            }

            validatedRequest.ResponseType = request.response_type;
            Tracing.Information("Response type: " + validatedRequest.ResponseType);

            if (request.response_type == OAuthConstants.ResponseTypes.Code)
            {
                ValidateCodeResponseType(validatedRequest, request);
            }
            else if (request.response_type == OAuthConstants.ResponseTypes.Token)
            {
                ValidateTokenResponseType(validatedRequest, request);
            }
            else
            {
                throw new AuthorizeRequestClientException(
                          "Invalid response_type: " + request.response_type,
                          new Uri(validatedRequest.RedirectUri.Uri),
                          OAuthConstants.Errors.UnsupportedResponseType,
                          request.response_type,
                          validatedRequest.State);
            }

            ValidateScopes(request, validatedRequest);

            // TODO: fix based upon past "remember me" settings
            validatedRequest.ShowConsent = client.RequireConsent || application.RequireConsent;

            Tracing.Information("Authorize request validation successful.");
            return(validatedRequest);
        }
        public void MalformedRedirectUri1()
        {
            var validator = new AuthorizeRequestValidator(_clientManager);
            var app = _testConfig.FindApplication("test");
            var request = new AuthorizeRequest
            {
                client_id = "codeclient",
                response_type = "code",
                scope = "read",
                redirect_uri = "https:/prod.local"
            };

            try
            {
                var result = validator.Validate(app, request);
            }
            catch (AuthorizeRequestResourceOwnerException ex)
            {
                // todo: check error code
                return;
            }

            Assert.Fail("No exception thrown.");
        }
        public void NonSslRedirectUri()
        {
            var validator = new AuthorizeRequestValidator();
            var app = _testConfig.FindApplication("test");
            var request = new AuthorizeRequest
            {
                client_id = "codeclient",
                response_type = "code",
                scope = "read",
                redirect_uri = "http://prod.local"
            };

            try
            {
                var result = validator.Validate(app, request);
            }
            catch (AuthorizeRequestClientException ex)
            {
                Assert.IsTrue(ex.Error == OAuthConstants.Errors.InvalidRequest);
                return;
            }

            Assert.Fail("No exception thrown.");
        }