private void ValidateResponseType(OidcDownClient client, AuthenticationRequest authenticationRequest, string[] responseType)
{
foreach (var partyResponseType in client.ResponseTypes.Select(rt => rt.ToSpaceList()))
{
if (responseType.Count() == partyResponseType.Count())
{
var tempPartyResponseType = new List <string>(partyResponseType);
foreach (var responseTypeItem in responseType)
{
if (tempPartyResponseType.Contains(responseTypeItem))
{
tempPartyResponseType.Remove(responseTypeItem);
}
else
{
break;
}
}
if (tempPartyResponseType.Count() == 0)
{
//All Response Types match.
return;
}
}
}
throw new OAuthRequestException($"Unsupported response type '{authenticationRequest.ResponseType}'.")
{
RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.UnsupportedResponseType
};
}
private void ValidateAuthenticationRequest(OidcDownClient client, AuthenticationRequest authenticationRequest, bool requireCodeFlow)
{
try
{
var responseType = authenticationRequest.ResponseType.ToSpaceList();
bool isImplicitFlow = !responseType.Contains(IdentityConstants.ResponseTypes.Code);
authenticationRequest.Validate(isImplicitFlow);
if (requireCodeFlow)
{
if (responseType.Where(rt => !rt.Equals(IdentityConstants.ResponseTypes.Code)).Any())
{
throw new OAuthRequestException($"Require '{IdentityConstants.ResponseTypes.Code}' flow with PKCE.")
{
RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidRequest
};
}
}
if (!client.RedirectUris.Any(u => u.Equals(authenticationRequest.RedirectUri, StringComparison.InvariantCultureIgnoreCase)))
{
throw new OAuthRequestException($"Invalid redirect Uri '{authenticationRequest.RedirectUri}'.")
{
RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidRequest
};
}
if (!client.ClientId.Equals(authenticationRequest.ClientId, StringComparison.InvariantCultureIgnoreCase))
{
throw new OAuthRequestException($"Invalid client id '{authenticationRequest.ClientId}'.")
{
RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidClient
};
}
if (!authenticationRequest.Scope.Contains(IdentityConstants.DefaultOidcScopes.OpenId))
{
throw new OAuthRequestException($"Require '{IdentityConstants.DefaultOidcScopes.OpenId}' scope.")
{
RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidScope
};
}
var resourceScopes = oauthResourceScopeLogic.GetResourceScopes(client as TClient);
var invalidScope = authenticationRequest.Scope.ToSpaceList().Where(s => !(resourceScopes.Select(rs => rs).Contains(s) || (client.Scopes != null && client.Scopes.Select(ps => ps.Scope).Contains(s))) && IdentityConstants.DefaultOidcScopes.OpenId != s);
if (invalidScope.Count() > 0)
{
throw new OAuthRequestException($"Invalid scope '{authenticationRequest.Scope}'.")
{
RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidScope
};
}
ValidateResponseType(client, authenticationRequest, responseType);
if (!authenticationRequest.ResponseMode.IsNullOrEmpty())
{
var invalidResponseMode = !(new[] { IdentityConstants.ResponseModes.Fragment, IdentityConstants.ResponseModes.Query, IdentityConstants.ResponseModes.FormPost }.Contains(authenticationRequest.ResponseMode));
if (invalidResponseMode)
{
throw new OAuthRequestException($"Invalid response mode '{authenticationRequest.ResponseMode}'.")
{
RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidRequest
};
}
}
}
catch (ArgumentException ex)
{
throw new OAuthRequestException(ex.Message, ex)
{
RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidRequest
};
}
}
