private ActionResult PerformImplicitGrant(AuthorizeRequest request, Client client)
        {
            var sts = new STS();

            TokenResponse tokenResponse;

            if (sts.TryIssueToken(
                    new EndpointReference(request.scope),
                    ClaimsPrincipal.Current,
                    Configuration.Global.DefaultHttpTokenType,
                    out tokenResponse))
            {
                var tokenString = string.Format("access_token={0}&token_type={1}&expires_in={2}",
                                                tokenResponse.AccessToken,
                                                tokenResponse.TokenType,
                                                tokenResponse.ExpiresIn);

                if (!string.IsNullOrEmpty(request.state))
                {
                    tokenString = string.Format("{0}&state={1}", tokenString, Server.UrlEncode(request.state));
                }

                var redirectString = string.Format("{0}#{1}",
                                                   client.RedirectUri.AbsoluteUri,
                                                   tokenString);

                return(Redirect(redirectString));
            }

            // return right error code
            return(ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, request.response_type, request.state));
        }
        private ActionResult CheckRequest(AuthorizeRequest request, out Client client)
        {
            // validate client
            if (!Clients.TryGetClient(request.client_id, out client))
            {
                ViewBag.Message = "Invalid client_id : " + request.client_id;
                return View("Error");
            }

            // validate redirect uri
            if (string.IsNullOrEmpty(request.redirect_uri) || !string.Equals(request.redirect_uri, client.RedirectUri.AbsoluteUri, StringComparison.OrdinalIgnoreCase))
            {
                ViewBag.Message = "The redirect_uri in the request: " + request.redirect_uri + " did not match a registered redirect URI.";
                return View("Error");
            }

            // validate scope (must be a valid URI)
            Uri uri;
            if (!Uri.TryCreate(request.scope, UriKind.Absolute, out uri))
            {
                return Error(client.RedirectUri, OAuth2Constants.Errors.InvalidScope, request.state);
            }

            return null;
        }
Example #3
0
        private ActionResult CheckRequest(AuthorizeRequest request, out Client client)
        {
            // validate client
            if (!Clients.TryGetClient(request.client_id, out client))
            {
                ViewBag.Message = "Invalid client_id : " + request.client_id;
                return(View("Error"));
            }

            // validate redirect uri
            if (string.IsNullOrEmpty(request.redirect_uri) || !string.Equals(request.redirect_uri, client.RedirectUri.AbsoluteUri, StringComparison.OrdinalIgnoreCase))
            {
                ViewBag.Message = "The redirect_uri in the request: " + request.redirect_uri + " did not match a registered redirect URI.";
                return(View("Error"));
            }

            // validate scope (must be a valid URI)
            Uri uri;

            if (!Uri.TryCreate(request.scope, UriKind.Absolute, out uri))
            {
                return(Error(client.RedirectUri, OAuth2Constants.Errors.InvalidScope, request.state));
            }

            return(null);
        }
        public ActionResult HandleConsentResponse(string button, AuthorizeRequest request)
        {
            Client client;
            var    error = CheckRequest(request, out client);

            if (error != null)
            {
                return(error);
            }

            if (button == "no")
            {
                return(ClientError(client.RedirectUri, OAuth2Constants.Errors.AccessDenied, request.response_type, request.state));
            }

            if (button == "yes")
            {
                var grantResult = PerformGrant(request, client);
                if (grantResult != null)
                {
                    return(grantResult);
                }
            }

            // todo: return appropiate error
            return(ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, request.response_type, request.state));
        }
Example #5
0
        public ActionResult HandleRequest(AuthorizeRequest request)
        {
            //
            // first round of validation:
            // missing, invalid, or mismatching redirection URI or
            // missing or invalid client id
            // show error page to user
            //

            Client client;
            var    error = CheckRequest(request, out client);

            if (error != null)
            {
                return(error);
            }

            // implicit grant
            if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Token, StringComparison.Ordinal) ||
                request.response_type.Equals(OAuth2Constants.ResponseTypes.Code, StringComparison.Ordinal))
            {
                if (Configuration.OAuth2.EnableConsent)
                {
                    RelyingParty rp;
                    if (RPRepository.TryGet(request.scope, out rp))
                    {
                        // show resource name, uri and client name
                        // client is trying to access resource on your behalf
                        var vm = new OAuth2ConsentViewModel
                        {
                            ResourceUri  = rp.Realm.AbsoluteUri,
                            ResourceName = rp.Name,
                            ClientName   = client.ClientId
                        };

                        return(View("ShowConsent", vm));
                    }
                }
                else
                {
                    var grantResult = PerformGrant(request, client);
                    if (grantResult != null)
                    {
                        return(grantResult);
                    }
                }
            }

            // todo: return appropiate error
            return(Error(client.RedirectUri, OAuth2Constants.Errors.UnsupportedResponseType, request.state));
        }
        public ActionResult HandleRequest(AuthorizeRequest request)
        {
            Tracing.Information("OAuth2 HandleRequest endpoint invoked");

            // check client
            Client client;
            var    error = CheckRequest(request, out client);

            if (error != null)
            {
                return(error);
            }

            RelyingParty rp;

            if (!RPRepository.TryGet(request.scope, out rp))
            {
                Tracing.Error("RP not found for scope : " + request.scope);
                return(ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidScope, request.response_type, request.state));
            }

            if (Configuration.OAuth2.EnableConsent)
            {
                // show resource name, uri and client name
                // client is trying to access resource on your behalf
                var vm = new OAuth2ConsentViewModel
                {
                    ResourceUri         = rp.Realm.AbsoluteUri,
                    ResourceName        = rp.Name,
                    ClientName          = client.ClientId,
                    RefreshTokenEnabled = client.AllowRefreshToken
                };

                return(View("ShowConsent", vm));
            }
            else
            {
                var grantResult = PerformGrant(request, client);
                if (grantResult != null)
                {
                    return(grantResult);
                }
            }

            // we don't know exactly why, so use ServerError
            Tracing.Error("Authorization Endpoint failed");
            return(ClientError(client.RedirectUri, OAuth2Constants.Errors.ServerError, request.response_type, request.state));
        }
        private ActionResult PerformGrant(AuthorizeRequest request, Client client)
        {
            // implicit grant
            if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Token, StringComparison.Ordinal))
            {
                return(PerformImplicitGrant(request, client));
            }

            // authorization code grant
            if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Code, StringComparison.Ordinal))
            {
                return(PerformAuthorizationCodeGrant(request, client));
            }

            return(null);
        }
        private ActionResult PerformAuthorizationCodeGrant(AuthorizeRequest request, Client client)
        {
            var code        = CodeTokenRepository.AddCode(CodeTokenType.AuthorizationCode, client.ID, ClaimsPrincipal.Current.Identity.Name, request.scope);
            var tokenString = string.Format("code={0}", code);

            if (!string.IsNullOrEmpty(request.state))
            {
                tokenString = string.Format("{0}&state={1}", tokenString, Server.UrlEncode(request.state));
            }

            var redirectString = string.Format("{0}?{1}",
                                               client.RedirectUri.AbsoluteUri,
                                               tokenString);

            return(Redirect(redirectString));
        }
        public ActionResult HandleRequest(AuthorizeRequest request)
        {
            //
            // first round of validation:
            // missing, invalid, or mismatching redirection URI or
            // missing or invalid client id
            // show error page to user
            //

            Client client;
            var error = CheckRequest(request, out client);
            if (error != null) return error;

            // implicit grant
            if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Token, StringComparison.Ordinal) ||
                request.response_type.Equals(OAuth2Constants.ResponseTypes.Code, StringComparison.Ordinal))
            {
                if (Configuration.OAuth2.EnableConsent)
                {
                    RelyingParty rp;
                    if (RPRepository.TryGet(request.scope, out rp))
                    {
                        // show resource name, uri and client name
                        // client is trying to access resource on your behalf
                        var vm = new OAuth2ConsentViewModel
                        {
                            ResourceUri = rp.Realm.AbsoluteUri,
                            ResourceName = rp.Name,
                            ClientName = client.ClientId
                        };

                        return View("ShowConsent", vm);
                    }
                }
                else
                {
                    var grantResult = PerformGrant(request, client);
                    if (grantResult != null) return grantResult;
                }
            }

            // todo: return appropiate error
            return Error(client.RedirectUri, OAuth2Constants.Errors.UnsupportedResponseType, request.state);
        }
        protected bool TryValidateRequest(AuthorizeRequest request, 
            out ValidatedRequest validatedRequest, 
            out ActionResult failedResult)
        {
            validatedRequest = null;
            failedResult = null;

            try
            {
                var validator = new AuthorizeRequestValidator(Clients);
                validatedRequest = validator.Validate(request);
                return true;
            }
            catch (AuthorizeRequestValidationException ex)
            {
                failedResult = this.AuthorizeValidationError(ex);
                return false;
            }
        }
        public ActionResult Index(AuthorizeRequest request)
        {
            Tracing.Start("OIDC Authorize Endpoint");

            ValidatedRequest validatedRequest;
            ActionResult failedResult;
            if (!TryValidateRequest(request, out validatedRequest, out failedResult))
            {
                Tracing.Error("Aborting OAuth2 authorization request");
                return failedResult;
            }

            if (validatedRequest.Client.RequireConsent)
            {
                return ShowConsent(validatedRequest);
            }

            return PerformGrant(validatedRequest);
        }
        public ActionResult HandleRequest(AuthorizeRequest request)
        {
            logger.Info("OAuth2 HandleRequest endpoint invoked");

            // check client
            Client client;
            var error = CheckRequest(request, out client);
            if (error != null) return error;

            RelyingParty rp;
            if (!RPRepository.TryGet(request.scope, out rp))
            {

                logger.Error("RP not found for scope : " + request.scope);
                return ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidScope, request.response_type, request.state);
            }

            if (Configuration.OAuth2.EnableConsent)
            {
                // show resource name, uri and client name
                // client is trying to access resource on your behalf
                var vm = new OAuth2ConsentViewModel
                {
                    ResourceUri = rp.Realm.AbsoluteUri,
                    ResourceName = rp.Name,
                    ClientName = client.ClientId,
                    RefreshTokenEnabled = client.AllowRefreshToken
                };

                return View("ShowConsent", vm);
            }
            else
            {
                var grantResult = PerformGrant(request, client);
                if (grantResult != null) return grantResult;
            }

            // we don't know exactly why, so use ServerError
            logger.Error("Authorization Endpoint failed");
            return ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, request.response_type, request.state);
        }
        public ActionResult Index(AuthorizeRequest request)
        {
            Tracing.Start("OIDC Authorize Endpoint");

            ValidatedRequest validatedRequest;

            try
            {
                var validator = new AuthorizeRequestValidator(Clients);
                validatedRequest = validator.Validate(request);
            }
            catch (AuthorizeRequestValidationException ex)
            {
                Tracing.Error("Aborting OAuth2 authorization request");
                return this.AuthorizeValidationError(ex);
            }

            // consent - todo

            return PerformGrant(validatedRequest);
        }
        public ActionResult HandleRequest(AuthorizeRequest request)
        {
            // check client
            Client client;
            var error = CheckRequest(request, out client);
            if (error != null) return error;

            if (Configuration.OAuth2.EnableConsent)
            {
                RelyingParty rp;
                if (RPRepository.TryGet(request.scope, out rp))
                {
                    // show resource name, uri and client name
                    // client is trying to access resource on your behalf
                    var vm = new OAuth2ConsentViewModel
                    {
                        ResourceUri = rp.Realm.AbsoluteUri,
                        ResourceName = rp.Name,
                        ClientName = client.ClientId,
                        RefreshTokenEnabled = client.AllowRefreshToken
                    };

                    return View("ShowConsent", vm);
                }
                else
                {
                    // unknown RP - error out
                    return ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidScope, request.response_type, request.state);
                }
            }
            else
            {
                var grantResult = PerformGrant(request, client);
                if (grantResult != null) return grantResult;
            }

            return ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, request.response_type, request.state);
        }
        public ActionResult HandleConsent(AuthorizeRequest request, string button, string[] selectedScopes)
        {
            Tracing.Start("OIDC consent response");

            ValidatedRequest validatedRequest;
            ActionResult failedResult;
            if (!TryValidateRequest(request, out validatedRequest, out failedResult))
            {
                Tracing.Error("Aborting OIDC consent response");
                return failedResult;
            }

            if (button == "allow")
            {
                var vm = new OidcViewModel(validatedRequest);
                vm.SetScopes(selectedScopes);
                return PerformGrant(vm.ValidatedRequest);
            }
            else
            {
                return DenyGrant(validatedRequest);
            }
        }
        private ActionResult CheckRequest(AuthorizeRequest request, out Client client)
        {
            if (request == null)
            {
                client          = null;
                ViewBag.Message = "Invalid request parameters";
                Tracing.Error(ViewBag.Message);
                return(View("Error"));
            }

            // validate client
            if (!Clients.TryGetClient(request.client_id, out client))
            {
                ViewBag.Message = "Invalid client_id : " + request.client_id;
                Tracing.Error(ViewBag.Message);
                return(View("Error"));
            }

            // validate redirect uri
            if (string.IsNullOrEmpty(request.redirect_uri) ||
                !string.Equals(request.redirect_uri, client.RedirectUri.AbsoluteUri, StringComparison.OrdinalIgnoreCase))
            {
                ViewBag.Message = "The redirect_uri in the request: " + request.redirect_uri + " did not match a registered redirect URI.";
                Tracing.Error(ViewBag.Message);
                return(View("Error"));
            }

            Uri redirectUrl;

            if (Uri.TryCreate(request.redirect_uri, UriKind.Absolute, out redirectUrl))
            {
                if (redirectUrl.Scheme == Uri.UriSchemeHttp)
                {
                    Tracing.Error("Redirect URI not over SSL : " + request.redirect_uri);
                    return(ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, string.Empty, request.state));
                }
            }
            else
            {
                Tracing.Error("Redirect URI not a valid URI : " + request.redirect_uri);
                return(ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, string.Empty, request.state));
            }

            if (String.IsNullOrWhiteSpace(request.response_type))
            {
                Tracing.Error("response_type is null or empty");
                return(ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, string.Empty, request.state));
            }

            // check response type (only code and token are supported)
            if (!request.response_type.Equals(OAuth2Constants.ResponseTypes.Token, StringComparison.Ordinal) &&
                !request.response_type.Equals(OAuth2Constants.ResponseTypes.Code, StringComparison.Ordinal))
            {
                Tracing.Error("response_type is not token or code: " + request.response_type);
                return(ClientError(client.RedirectUri, OAuth2Constants.Errors.UnsupportedResponseType, string.Empty, request.state));
            }

            // validate scope (must be a valid URI)
            Uri uri;

            if (!Uri.TryCreate(request.scope, UriKind.Absolute, out uri))
            {
                Tracing.Error("scope is not a URI: " + request.scope);
                return(ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidScope, request.response_type, request.state));
            }

            // validate if request grant type is allowed for client (implicit vs code flow)
            if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Token) &&
                !client.AllowImplicitFlow)
            {
                Tracing.Error("response_type is token and client does not allow implicit flow. client: " + client.Name);
                return(ClientError(client.RedirectUri, OAuth2Constants.Errors.UnsupportedResponseType, request.response_type, request.state));
            }

            if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Code) &&
                !client.AllowCodeFlow)
            {
                Tracing.Error("response_type is code and client does not allow code flow. client: " + client.Name);
                return(ClientError(client.RedirectUri, OAuth2Constants.Errors.UnsupportedResponseType, request.response_type, request.state));
            }

            return(null);
        }
 private void ValidateCodeResponseType(ValidatedRequest validatedRequest, AuthorizeRequest request)
 {
     if (validatedRequest.Client.Flow != OpenIdConnectFlows.AuthorizationCode)
     {
         throw new AuthorizeRequestClientException(
            "response_type is not allowed: " + request.response_type,
            new Uri(validatedRequest.RedirectUri),
            OAuth2Constants.Errors.UnsupportedResponseType,
            request.response_type,
            validatedRequest.State);
     }
 }
        private ActionResult HandleImplicitGrant(AuthorizeRequest request, Client client)
        {
            var sts = new STS();
            
            TokenResponse tokenResponse;
            if (sts.TryIssueToken(
                    new EndpointReference(request.scope),
                    ClaimsPrincipal.Current,
                    Configuration.Global.DefaultHttpTokenType,
                    out tokenResponse))
            {
                var redirectString = string.Format("{0}#access_token={1}&token_type={2}&expires_in={3}",
                        client.RedirectUri.AbsoluteUri,
                        tokenResponse.AccessToken,
                        tokenResponse.TokenType,
                        tokenResponse.ExpiresIn);

                if (!string.IsNullOrEmpty(request.state))
                {
                    redirectString = string.Format("{0}&state={1}", redirectString, request.state);
                }

                return Redirect(redirectString);
            }

            // return right error code
            return Error(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, request.state);
        }
Example #19
0
 private ActionResult HandleAuthorizationCodeGrant(AuthorizeRequest request, Client client)
 {
     throw new System.NotImplementedException();
 }
        private ActionResult PerformAuthorizationCodeGrant(AuthorizeRequest request, Client client)
        {
            var code = CodeTokenRepository.AddCode(CodeTokenType.AuthorizationCode, client.ID, ClaimsPrincipal.Current.Identity.Name, request.scope);
            var tokenString = string.Format("code={0}", code);

            if (!string.IsNullOrEmpty(request.state))
            {
                tokenString = string.Format("{0}&state={1}", tokenString, Server.UrlEncode(request.state));
            }

            var redirectString = string.Format("{0}?{1}",
                        client.RedirectUri.AbsoluteUri,
                        tokenString);

            return Redirect(redirectString);
        }
        private ActionResult PerformGrant(AuthorizeRequest request, Client client)
        {
            // implicit grant
            if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Token, StringComparison.Ordinal))
            {
                return HandleImplicitGrant(request, client);
            }

            // authorization code grant
            if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Code, StringComparison.Ordinal))
            {
                return HandleAuthorizationCodeGrant(request, client);
            }

            return null;
        }
        public ActionResult HandleResponse(string button, AuthorizeRequest request)
        {
            Client client;
            var error = CheckRequest(request, out client);
            if (error != null) return error;

            if (button == "no")
            {
                return Error(client.RedirectUri, OAuth2Constants.Errors.AccessDenied, request.state);
            }

            if (button == "yes")
            {
                var grantResult = PerformGrant(request, client);
                if (grantResult != null) return grantResult;
            }

            // todo: return appropiate error
            return Error(client.RedirectUri, OAuth2Constants.Errors.UnsupportedResponseType, request.state);
        }
 public ActionResult HandleRequest(AuthorizeRequest request)
 {
   Client client;
   ActionResult actionResult1 = this.CheckRequest(request, out client);
   if (actionResult1 != null)
     return actionResult1;
   if (request.response_type.Equals("token", StringComparison.Ordinal) || request.response_type.Equals("code", StringComparison.Ordinal))
   {
     if (this.Configuration.OAuth2.EnableConsent)
     {
       RelyingParty relyingParty;
       if (this.RPRepository.TryGet(request.scope, out relyingParty))
         return (ActionResult) this.View("ShowConsent", (object) new OAuth2ConsentViewModel()
         {
           ResourceUri = relyingParty.Realm.AbsoluteUri,
           ResourceName = relyingParty.Name,
           ClientName = client.ClientId
         });
     }
     else
     {
       ActionResult actionResult2 = this.PerformGrant(request, client);
       if (actionResult2 != null)
         return actionResult2;
     }
   }
   return this.Error(client.RedirectUri, "unsupported_response_type", request.state);
 }
 private ActionResult HandleAuthorizationCodeGrant(AuthorizeRequest request, Client client)
 {
     throw new System.NotImplementedException();
 }
 public ActionResult HandleResponse(string button, AuthorizeRequest request)
 {
   Client client;
   ActionResult actionResult1 = this.CheckRequest(request, out client);
   if (actionResult1 != null)
     return actionResult1;
   if (button == "no")
     return this.Error(client.RedirectUri, "access_denied", request.state);
   if (button == "yes")
   {
     ActionResult actionResult2 = this.PerformGrant(request, client);
     if (actionResult2 != null)
       return actionResult2;
   }
   return this.Error(client.RedirectUri, "unsupported_response_type", request.state);
 }
 private ActionResult PerformGrant(AuthorizeRequest request, Client client)
 {
   if (request.response_type.Equals("token", StringComparison.Ordinal))
     return this.HandleImplicitGrant(request, client);
   if (request.response_type.Equals("code", StringComparison.Ordinal))
     return this.HandleAuthorizationCodeGrant(request, client);
   else
     return (ActionResult) null;
 }
 private ActionResult HandleImplicitGrant(AuthorizeRequest request, Client client)
 {
   TokenResponse response;
   if (!new STS().TryIssueToken(new EndpointReference(request.scope), ClaimsPrincipal.Current, this.Configuration.Global.DefaultHttpTokenType, out response))
     return this.Error(client.RedirectUri, "invalid_request", request.state);
   string str = string.Format("access_token={0}&token_type={1}&expires_in={2}", (object) response.AccessToken, (object) response.TokenType, (object) response.ExpiresIn);
   if (!string.IsNullOrEmpty(request.state))
     str = string.Format("{0}&state={1}", (object) str, (object) request.state);
   return (ActionResult) this.Redirect(string.Format("{0}#{1}", (object) client.RedirectUri.AbsoluteUri, (object) str));
 }
 private void ValidateTokenResponseType(ValidatedRequest validatedRequest, AuthorizeRequest request)
 {
     throw new NotImplementedException();
 }
    private ActionResult CheckRequest(AuthorizeRequest request, out Client client)
    {
        if (request == null)
        {
            client = null;
            ViewBag.Message = "Invalid request parameters";
            Tracing.Error(ViewBag.Message);
            return View("Error");
        }

        // validate client
        if (!Clients.TryGetClient(request.client_id, out client))
        {
            ViewBag.Message = "Invalid client_id : " + request.client_id;
            Tracing.Error(ViewBag.Message);
            return View("Error");
        }

        // validate redirect uri
        if (string.IsNullOrEmpty(request.redirect_uri) ||
            !string.Equals(request.redirect_uri, client.RedirectUri.AbsoluteUri, StringComparison.OrdinalIgnoreCase))
        {
            ViewBag.Message = "The redirect_uri in the request: " + request.redirect_uri + " did not match a registered redirect URI.";
            Tracing.Error(ViewBag.Message);
            return View("Error");
        }

        Uri redirectUrl;
        if (Uri.TryCreate(request.redirect_uri, UriKind.Absolute, out redirectUrl))
        {
            if (redirectUrl.Scheme == Uri.UriSchemeHttp)
            {
                Tracing.Error("Redirect URI not over SSL : " + request.redirect_uri);
                return ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, string.Empty, request.state);
            }
        }
        else
        {
            Tracing.Error("Redirect URI not a valid URI : " + request.redirect_uri);
            return ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, string.Empty, request.state);
        }

        if (String.IsNullOrWhiteSpace(request.response_type))
        {
            Tracing.Error("response_type is null or empty");
            return ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, string.Empty, request.state);
        }

        // check response type (only code and token are supported)
        if (!request.response_type.Equals(OAuth2Constants.ResponseTypes.Token, StringComparison.Ordinal) &&
            !request.response_type.Equals(OAuth2Constants.ResponseTypes.Code, StringComparison.Ordinal))
        {
            Tracing.Error("response_type is not token or code: " + request.response_type);
            return ClientError(client.RedirectUri, OAuth2Constants.Errors.UnsupportedResponseType, string.Empty, request.state);
        }

        // validate scope (must be a valid URI)
        Uri uri;
        if (!Uri.TryCreate(request.scope, UriKind.Absolute, out uri))
        {
            Tracing.Error("scope is not a URI: " + request.scope);
            return ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidScope, request.response_type, request.state);
        }

        // validate if request grant type is allowed for client (implicit vs code flow)
        if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Token) &&
            !client.AllowImplicitFlow)
        {
            Tracing.Error("response_type is token and client does not allow implicit flow. client: " + client.Name);
            return ClientError(client.RedirectUri, OAuth2Constants.Errors.UnsupportedResponseType, request.response_type, request.state);
        }

        if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Code) &&
            !client.AllowCodeFlow)
        {
            Tracing.Error("response_type is code and client does not allow code flow. client: " + client.Name);
            return ClientError(client.RedirectUri, OAuth2Constants.Errors.UnsupportedResponseType, request.response_type, request.state);
        }

        return null;
    }
        public ValidatedRequest Validate(AuthorizeRequest request)
        {
            var validatedRequest = new ValidatedRequest();

            // validate request model binding
            if (request == null)
            {
                throw new AuthorizeRequestResourceOwnerException("Invalid request parameters.");
            }

            // make sure redirect uri is present
            if (string.IsNullOrWhiteSpace(request.redirect_uri))
            {
                throw new AuthorizeRequestResourceOwnerException("Missing redirect URI");
            }

            // validate client
            if (string.IsNullOrWhiteSpace(request.client_id))
            {
                throw new AuthorizeRequestResourceOwnerException("Missing client identifier");
            }


            var client = Clients.Get(request.client_id);
            
            if (client == null)
            {
                throw new AuthorizeRequestResourceOwnerException("Invalid client: " + request.client_id);
            }

            validatedRequest.Client = client;
            Tracing.InformationFormat("Client: {0} ({1})",
                validatedRequest.Client.Name,
                validatedRequest.Client.ClientId);

            // make sure redirect_uri is a valid uri, and in case of http is over ssl
            Uri redirectUri;
            if (Uri.TryCreate(request.redirect_uri, UriKind.Absolute, out redirectUri))
            {
                if (redirectUri.Scheme == Uri.UriSchemeHttp)
                {
                    throw new AuthorizeRequestClientException(
                        "Redirect URI not over SSL : " + request.redirect_uri,
                        new Uri(request.redirect_uri),
                        OAuth2Constants.Errors.InvalidRequest,
                        string.Empty,
                        validatedRequest.State);
                }

                // make sure redirect uri is registered with client
                if (!validatedRequest.Client.RedirectUris.Contains(request.redirect_uri))
                {
                    throw new AuthorizeRequestResourceOwnerException("Invalid redirect URI: " + request.redirect_uri);
                }

                validatedRequest.RedirectUri = request.redirect_uri;
                Tracing.InformationFormat("Redirect URI: {0}",
                    validatedRequest.RedirectUri);                    
            }
            else
            {
                throw new AuthorizeRequestResourceOwnerException("Invalid redirect URI: " + request.redirect_uri);
            }

            // check state
            if (!string.IsNullOrWhiteSpace(request.state))
            {
                validatedRequest.State = request.state;
                Tracing.Information("State: " + validatedRequest.State);
            }
            else
            {
                Tracing.Information("No state supplied.");
            }

            // validate response type
            if (String.IsNullOrWhiteSpace(request.response_type))
            {
                throw new AuthorizeRequestClientException(
                    "response_type is null or empty",
                    new Uri(validatedRequest.RedirectUri),
                    OAuth2Constants.Errors.InvalidRequest,
                    string.Empty,
                    validatedRequest.State);
            }

            // check response type (only code and token are supported)
            if (!request.response_type.Equals(OAuth2Constants.ResponseTypes.Token, StringComparison.Ordinal) &&
                !request.response_type.Equals(OAuth2Constants.ResponseTypes.Code, StringComparison.Ordinal))
            {
                throw new AuthorizeRequestClientException(
                    "response_type is not token or code: " + request.response_type,
                    new Uri(validatedRequest.RedirectUri),
                    OAuth2Constants.Errors.UnsupportedResponseType,
                    string.Empty,
                    validatedRequest.State);
            }

            validatedRequest.ResponseType = request.response_type;
            Tracing.Information("Response type: " + validatedRequest.ResponseType);

            // scope is required
            if (string.IsNullOrWhiteSpace(request.scope))
            {
                throw new AuthorizeRequestClientException(
                    "Missing scope",
                    new Uri(validatedRequest.RedirectUri),
                    OAuth2Constants.Errors.InvalidScope,
                    validatedRequest.ResponseType,
                    validatedRequest.State);
            }

            // validate scopes
            if (!request.scope.StartsWith("openid"))
            {
                throw new AuthorizeRequestClientException(
                    "Invalid scope: " + request.scope,
                    new Uri(validatedRequest.RedirectUri),
                    OAuth2Constants.Errors.InvalidScope,
                    validatedRequest.ResponseType,
                    validatedRequest.State);
            }

            validatedRequest.Scopes = request.scope; 

            if (request.response_type == OAuth2Constants.ResponseTypes.Code)
            {
                ValidateCodeResponseType(validatedRequest, request);
            }
            else if (request.response_type == OAuth2Constants.ResponseTypes.Token)
            {
                ValidateTokenResponseType(validatedRequest, request);
            }
            else
            {
                throw new AuthorizeRequestClientException(
                    "Invalid response_type: " + request.response_type,
                    new Uri(validatedRequest.RedirectUri),
                    OAuth2Constants.Errors.UnsupportedResponseType,
                    request.response_type,
                    validatedRequest.State);
            }

            return validatedRequest;
        }
        private ActionResult CheckRequest(AuthorizeRequest request, out Client client)
        {
            // validate client
            if (!Clients.TryGetClient(request.client_id, out client))
            {
                ViewBag.Message = "Invalid client_id : " + request.client_id;
                return View("Error");
            }

            // validate redirect uri
            if (string.IsNullOrEmpty(request.redirect_uri) || !string.Equals(request.redirect_uri, client.RedirectUri.AbsoluteUri, StringComparison.OrdinalIgnoreCase))
            {
                ViewBag.Message = "The redirect_uri in the request: " + request.redirect_uri + " did not match a registered redirect URI.";
                return View("Error");
            }

            // check response type (only code and token are supported)
            if (!request.response_type.Equals(OAuth2Constants.ResponseTypes.Token, StringComparison.Ordinal) &&
                !request.response_type.Equals(OAuth2Constants.ResponseTypes.Code, StringComparison.Ordinal))
            {
                return ClientError(client.RedirectUri, OAuth2Constants.Errors.UnsupportedResponseType, string.Empty, request.state);
            }

            // validate scope (must be a valid URI)
            Uri uri;
            if (!Uri.TryCreate(request.scope, UriKind.Absolute, out uri))
            {
                return ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidScope, request.response_type, request.state);
            }

            // validate if request grant type is allowed for client (implicit vs code flow)
            if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Token) &&
                !client.AllowImplicitFlow)
            {
                return ClientError(client.RedirectUri, OAuth2Constants.Errors.UnsupportedResponseType, request.response_type, request.state);
            }

            if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Code) &&
                !client.AllowCodeFlow)
            {
                return ClientError(client.RedirectUri, OAuth2Constants.Errors.UnsupportedResponseType, request.response_type, request.state);
            }

            return null;
        }