public Task ValidateAsync(CustomAuthorizeRequestValidationContext context)
{
Check.NotNull(context, nameof(context));
var audience = context.Result.ValidatedRequest.Raw["aud"];
if (audience is { } && (!_fhirServerConfig.Value?.FHIR_BASE_URL.Equals(audience) ?? false))
public async Task ValidateAsync(CustomAuthorizeRequestValidationContext context)
{
_logger.LogInformation("Start token request validator");
var validatedRequest = context.Result.ValidatedRequest;
if (validatedRequest.Client.ClientId.Contains("SPA", StringComparison.OrdinalIgnoreCase))
{
_logger.LogInformation("ClientId is SPA, no further validation required");
return;
}
var parameters = context.Result.ValidatedRequest.Raw;
const string requestParam = "request";
var requestFromParameters = parameters.Get("request");
if (string.IsNullOrWhiteSpace(requestFromParameters))
{
_logger.LogError($"{requestParam} is missing from the request parameters.");
context.Result.IsError = true;
context.Result.Error = OidcConstants.TokenErrors.InvalidRequest;
return;
}
var requestValidationResult = await _assertionManager.ValidateAsync(requestFromParameters);
if (!requestValidationResult.Success)
{
context.Result.IsError = true;
context.Result.Error = OidcConstants.TokenErrors.InvalidClient;
}
var jwt = _assertionManager.Parse(requestFromParameters);
_logger.LogInformation("TokenRequestValidator is valid for {client}", validatedRequest.Client.ClientId);
}
public async Task ValidateAsync(CustomAuthorizeRequestValidationContext context)
{
var scopeTask = _scopeQuery.Get(new GetScopeByNameRequest
{
Name = context.Result.ValidatedRequest.RequestedScopes.First()
});
var applicationTask = _query.Get(new GetApplicationByIdRequest()
{
ClientId = context.Result.ValidatedRequest.ClientId
});
Task.WaitAll(scopeTask, applicationTask);
if (scopeTask.Result == null || applicationTask.Result == null)
{
context.Result.IsError = true;
context.Result.Error = scopeTask.Result == null ? "unknown scope" : "unknown client id";
}
var result = await _authCommand.Execute(new InsertAuthRequestRequest
{
AuthRequest = new Domain.AuthRequest
{
ClientId = context.Result.ValidatedRequest.ClientId,
Scope = context.Result.ValidatedRequest.RequestedScopes.First(),
RedirectUri = context.Result.ValidatedRequest.RedirectUri,
CreationDate = DateTime.Now
}
});
context.Result.ValidatedRequest.Options.UserInteraction.LoginUrl = context.Result.ValidatedRequest.Options.UserInteraction.LoginUrl.Replace("auth_id=0", $"auth_id={result.Id}");
}
public Task ValidateAsync(CustomAuthorizeRequestValidationContext context)
{
var request = context.Result.ValidatedRequest;
var identity = request.Subject?.Identity;
var name = identity?.Name;
var sub = identity?.IsAuthenticated == true?identity.GetSubjectId() : null;
return(Task.CompletedTask);
}
public async Task ValidateAsync(CustomAuthorizeRequestValidationContext context)
{
foreach (var validator in _validators)
{
await validator.ValidateAsync(context);
if (context.Result.IsError)
{
break;
}
}
_logger.LogDebug("All custom token request validators evaluated to valid.");
}
public Task ValidateAsync(CustomAuthorizeRequestValidationContext context)
{
if (!context.Result.IsError)
{
var TenantClaim = _context.GetTenantTokenClaim();
if (TenantClaim != null)
{
context.Result.ValidatedRequest.ClientClaims.Add(TenantClaim);
}
}
return(Task.CompletedTask);
}
public Task ValidateAsync(CustomAuthorizeRequestValidationContext context)
{
//var x = context.Result.Subject;
//var user = await _userManager.FindByNameAsync(x.UserName);
if (!context.Result.IsError)
{
//if (user != null && user.LockoutEnd.HasValue)
context.Result.Error = OidcConstants.AuthorizeErrors.UnauthorizedClient;
}
context.Result.Error = OidcConstants.AuthorizeErrors.ConsentRequired;
return(Task.CompletedTask);
}
public async Task ValidateAsync(CustomAuthorizeRequestValidationContext context)
{
var user = context.Result.ValidatedRequest.Subject;
if (user.Identity.IsAuthenticated)
{
if (!await UserCanAccessClient(user, context.Result.ValidatedRequest.ClientClaims, db))
{
context.Result.IsError = true;
context.Result.Error = "app_denied";
context.Result.ErrorDescription = $"Access to this application has been denied to {user.Identity.Name} ({user.FindFirst("email").Value}).";
}
}
return;
}
public Task ValidateAsync(CustomAuthorizeRequestValidationContext context)
{
_logger.LogInformation("Start token request validator");
var validatedRequest = context.Result.ValidatedRequest;
if (validatedRequest.Client.ClientId.Contains("SPA", StringComparison.OrdinalIgnoreCase))
{
_logger.LogInformation("ClientId is SPA, no further validation required");
return(Task.CompletedTask);
}
var parameters = context.Result.ValidatedRequest.Raw;
if (IsAnyRequiredParameterMissing(parameters))
{
MutateContextToError(context);
return(Task.CompletedTask);
}
if (IsAnyRequiredPayloadParameterMissing(validatedRequest.RequestObjectValues))
{
MutateContextToError(context);
return(Task.CompletedTask);
}
if (IsScopeInvalid(validatedRequest.RequestObjectValues["scope"]))
{
MutateContextToError(context);
return(Task.CompletedTask);
}
if (IsLanguageInvalid(validatedRequest))
{
MutateContextToError(context);
return(Task.CompletedTask);
}
_logger.LogInformation("TokenRequestValidator is valid for {client}", validatedRequest.Client.ClientId);
return(Task.CompletedTask);
}
public Task ValidateAsync(CustomAuthorizeRequestValidationContext context)
{
var subject = context.Result.ValidatedRequest.Subject.Claims.SingleOrDefault(c => c.Type == "sub")?.Value;
var loginHint = context.Result.ValidatedRequest.LoginHint;
if (loginHint.IsPresent() && subject != loginHint)
{
_logger.LogInformation($"Impersonating subject {loginHint}.");
// Replace the subject with the person being impersonated in login_hint
context.Result.ValidatedRequest.Subject = new ClaimsPrincipal(new ClaimsIdentity(new List <Claim>
{
new Claim("sub", loginHint),
new Claim("auth_time", DateTime.UtcNow.ToEpochTime().ToString()),
new Claim("idp", "local")
}, AuthenticationType));
}
return(Task.CompletedTask);
}
public async Task ValidateAsync(CustomAuthorizeRequestValidationContext context)
{
await Task.CompletedTask;
}
private static void MutateContextToError(CustomAuthorizeRequestValidationContext context)
{
context.Result.IsError = true;
context.Result.Error = OidcConstants.TokenErrors.InvalidRequest;
}
public async Task ValidateAsync(CustomAuthorizeRequestValidationContext context)
{
context.Result.IsError = false;
await Task.CompletedTask;
}
public Task ValidateAsync(CustomAuthorizeRequestValidationContext context)
{
WasCalled = true;
Callback?.Invoke(context);
return(Task.CompletedTask);
}
public Task ValidateAsync(CustomAuthorizeRequestValidationContext context)
{
WasCalled = true;
Callback?.Invoke(context);
return(Task.FromResult(0));
}
public Task ValidateAsync(CustomAuthorizeRequestValidationContext context)
{
throw new NotImplementedException();
}
/// <summary>
/// Custom validation logic for the authorize request.
/// </summary>
/// <param name="context">The context.</param>
public Task ValidateAsync(CustomAuthorizeRequestValidationContext context)
{
return(Task.CompletedTask);
}
public async Task <AuthorizeRequestValidationResult> ValidateAsync(NameValueCollection parameters, ClaimsPrincipal subject = null)
{
using var activity = Tracing.BasicActivitySource.StartActivity("AuthorizeRequestValidator.Validate");
_logger.LogDebug("Start authorize request protocol validation");
var request = new ValidatedAuthorizeRequest
{
Options = _options,
IssuerName = await _issuerNameService.GetCurrentAsync(),
Subject = subject ?? Principal.Anonymous,
Raw = parameters ?? throw new ArgumentNullException(nameof(parameters))
};
// load client_id
// client_id must always be present on the request
var loadClientResult = await LoadClientAsync(request);
if (loadClientResult.IsError)
{
return(loadClientResult);
}
// load request object
var roLoadResult = await LoadRequestObjectAsync(request);
if (roLoadResult.IsError)
{
return(roLoadResult);
}
// validate request object
var roValidationResult = await ValidateRequestObjectAsync(request);
if (roValidationResult.IsError)
{
return(roValidationResult);
}
// validate client_id and redirect_uri
var clientResult = await ValidateClientAsync(request);
if (clientResult.IsError)
{
return(clientResult);
}
// state, response_type, response_mode
var mandatoryResult = ValidateCoreParameters(request);
if (mandatoryResult.IsError)
{
return(mandatoryResult);
}
// scope, scope restrictions and plausability, and resource indicators
var scopeResult = await ValidateScopeAndResourceAsync(request);
if (scopeResult.IsError)
{
return(scopeResult);
}
// nonce, prompt, acr_values, login_hint etc.
var optionalResult = await ValidateOptionalParametersAsync(request);
if (optionalResult.IsError)
{
return(optionalResult);
}
// custom validator
_logger.LogDebug("Calling into custom validator: {type}", _customValidator.GetType().FullName);
var context = new CustomAuthorizeRequestValidationContext
{
Result = new AuthorizeRequestValidationResult(request)
};
await _customValidator.ValidateAsync(context);
var customResult = context.Result;
if (customResult.IsError)
{
LogError("Error in custom validation", customResult.Error, request);
return(Invalid(request, customResult.Error, customResult.ErrorDescription));
}
_logger.LogTrace("Authorize request protocol validation successful");
LicenseValidator.ValidateClient(request.ClientId);
return(Valid(request));
}
