public ActionResult HandleConsentResponse(string button, AuthorizeRequest request)
{
Client client;
var error = CheckRequest(request, out client);
if (error != null)
{
return(error);
}
if (button == "no")
{
return(ClientError(client.RedirectUri, OAuth2Constants.Errors.AccessDenied, request.response_type,
request.state));
}
if (button == "yes")
{
var grantResult = PerformGrant(request, client);
if (grantResult != null)
{
return(grantResult);
}
}
// todo: return appropiate error
return(ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, request.response_type,
request.state));
}
private ActionResult PerformImplicitGrant(AuthorizeRequest request, Client client)
{
var sts = new STS();
TokenResponse tokenResponse;
if (sts.TryIssueToken(
new EndpointReference(request.scope),
ClaimsPrincipal.Current,
Configuration.Global.DefaultHttpTokenType,
out tokenResponse))
{
var tokenString = string.Format("access_token={0}&token_type={1}&expires_in={2}",
tokenResponse.AccessToken,
tokenResponse.TokenType,
tokenResponse.ExpiresIn);
if (!string.IsNullOrEmpty(request.state))
{
tokenString = string.Format("{0}&state={1}", tokenString, Server.UrlEncode(request.state));
}
var redirectString = string.Format("{0}#{1}",
client.RedirectUri.AbsoluteUri,
tokenString);
return(Redirect(redirectString));
}
// return right error code
return(ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, request.response_type,
request.state));
}
public ActionResult HandleRequest(AuthorizeRequest request)
{
Tracing.Information("OAuth2 HandleRequest endpoint invoked");
// check client
Client client;
var error = CheckRequest(request, out client);
if (error != null)
{
return(error);
}
RelyingParty rp;
if (!RPRepository.TryGet(request.scope, out rp))
{
Tracing.Error("RP not found for scope : " + request.scope);
return(ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidScope, request.response_type,
request.state));
}
if (Configuration.OAuth2.EnableConsent)
{
// show resource name, uri and client name
// client is trying to access resource on your behalf
var vm = new OAuth2ConsentViewModel
{
ResourceUri = rp.Realm.AbsoluteUri,
ResourceName = rp.Name,
ClientName = client.ClientId,
RefreshTokenEnabled = client.AllowRefreshToken
};
return(View("ShowConsent", vm));
}
var grantResult = PerformGrant(request, client);
if (grantResult != null)
{
return(grantResult);
}
// we don't know exactly why, so use ServerError
Tracing.Error("Authorization Endpoint failed");
return(ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, request.response_type,
request.state));
}
private ActionResult PerformGrant(AuthorizeRequest request, Client client)
{
// implicit grant
if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Token, StringComparison.Ordinal))
{
return(PerformImplicitGrant(request, client));
}
// authorization code grant
if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Code, StringComparison.Ordinal))
{
return(PerformAuthorizationCodeGrant(request, client));
}
return(null);
}
private ActionResult PerformAuthorizationCodeGrant(AuthorizeRequest request, Client client)
{
var code = CodeTokenRepository.AddCode(CodeTokenType.AuthorizationCode, client.ID,
ClaimsPrincipal.Current.Identity.Name, request.scope);
var tokenString = string.Format("code={0}", code);
if (!string.IsNullOrEmpty(request.state))
{
tokenString = string.Format("{0}&state={1}", tokenString, Server.UrlEncode(request.state));
}
var redirectString = string.Format("{0}?{1}",
client.RedirectUri.AbsoluteUri,
tokenString);
return(Redirect(redirectString));
}
public ActionResult HandleConsent(AuthorizeRequest request, string button, string[] selectedScopes)
{
Tracing.Start("OIDC consent response");
ValidatedRequest validatedRequest;
ActionResult failedResult;
if (!TryValidateRequest(request, out validatedRequest, out failedResult))
{
Tracing.Error("Aborting OIDC consent response");
return failedResult;
}
if (button == "allow")
{
var vm = new OidcViewModel(validatedRequest);
vm.SetScopes(selectedScopes);
return PerformGrant(vm.ValidatedRequest);
}
return DenyGrant(validatedRequest);
}
public ActionResult HandleConsentResponse(string button, AuthorizeRequest request)
{
Client client;
var error = CheckRequest(request, out client);
if (error != null) return error;
if (button == "no")
{
return ClientError(client.RedirectUri, OAuth2Constants.Errors.AccessDenied, request.response_type,
request.state);
}
if (button == "yes")
{
var grantResult = PerformGrant(request, client);
if (grantResult != null) return grantResult;
}
// todo: return appropiate error
return ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, request.response_type,
request.state);
}
private ActionResult PerformImplicitGrant(AuthorizeRequest request, Client client)
{
var sts = new STS();
TokenResponse tokenResponse;
if (sts.TryIssueToken(
new EndpointReference(request.scope),
ClaimsPrincipal.Current,
Configuration.Global.DefaultHttpTokenType,
out tokenResponse))
{
var tokenString = string.Format("access_token={0}&token_type={1}&expires_in={2}",
tokenResponse.AccessToken,
tokenResponse.TokenType,
tokenResponse.ExpiresIn);
if (!string.IsNullOrEmpty(request.state))
{
tokenString = string.Format("{0}&state={1}", tokenString, Server.UrlEncode(request.state));
}
var redirectString = string.Format("{0}#{1}",
client.RedirectUri.AbsoluteUri,
tokenString);
return Redirect(redirectString);
}
// return right error code
return ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, request.response_type,
request.state);
}
private ActionResult PerformGrant(AuthorizeRequest request, Client client)
{
// implicit grant
if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Token, StringComparison.Ordinal))
{
return PerformImplicitGrant(request, client);
}
// authorization code grant
if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Code, StringComparison.Ordinal))
{
return PerformAuthorizationCodeGrant(request, client);
}
return null;
}
private ActionResult PerformAuthorizationCodeGrant(AuthorizeRequest request, Client client)
{
var code = CodeTokenRepository.AddCode(CodeTokenType.AuthorizationCode, client.ID,
ClaimsPrincipal.Current.Identity.Name, request.scope);
var tokenString = string.Format("code={0}", code);
if (!string.IsNullOrEmpty(request.state))
{
tokenString = string.Format("{0}&state={1}", tokenString, Server.UrlEncode(request.state));
}
var redirectString = string.Format("{0}?{1}",
client.RedirectUri.AbsoluteUri,
tokenString);
return Redirect(redirectString);
}
private ActionResult CheckRequest(AuthorizeRequest request, out Client client)
{
if (request == null)
{
client = null;
ViewBag.Message = "Invalid request parameters";
Tracing.Error(ViewBag.Message);
return View("Error");
}
// validate client
if (!Clients.TryGetClient(request.client_id, out client))
{
ViewBag.Message = "Invalid client_id : " + request.client_id;
Tracing.Error(ViewBag.Message);
return View("Error");
}
// validate redirect uri
if (client.RedirectUri == null)
{
ViewBag.Message = "A redirect uri for client_id " + request.client_id + " was not configured.";
Tracing.Error(ViewBag.Message);
return View("Error");
}
if (string.IsNullOrEmpty(request.redirect_uri) ||
!string.Equals(request.redirect_uri, client.RedirectUri.AbsoluteUri, StringComparison.OrdinalIgnoreCase))
{
ViewBag.Message = "The redirect_uri in the request: " + request.redirect_uri +
" did not match a registered redirect URI.";
Tracing.Error(ViewBag.Message);
return View("Error");
}
Uri redirectUrl;
if (Uri.TryCreate(request.redirect_uri, UriKind.Absolute, out redirectUrl))
{
if (redirectUrl.Scheme == Uri.UriSchemeHttp)
{
Tracing.Error("Redirect URI not over SSL : " + request.redirect_uri);
return ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, string.Empty,
request.state);
}
}
else
{
Tracing.Error("Redirect URI not a valid URI : " + request.redirect_uri);
return ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, string.Empty,
request.state);
}
if (string.IsNullOrWhiteSpace(request.response_type))
{
Tracing.Error("response_type is null or empty");
return ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, string.Empty,
request.state);
}
// check response type (only code and token are supported)
if (!request.response_type.Equals(OAuth2Constants.ResponseTypes.Token, StringComparison.Ordinal) &&
!request.response_type.Equals(OAuth2Constants.ResponseTypes.Code, StringComparison.Ordinal))
{
Tracing.Error("response_type is not token or code: " + request.response_type);
return ClientError(client.RedirectUri, OAuth2Constants.Errors.UnsupportedResponseType, string.Empty,
request.state);
}
// validate scope (must be a valid URI)
Uri uri;
if (!Uri.TryCreate(request.scope, UriKind.Absolute, out uri))
{
Tracing.Error("scope is not a URI: " + request.scope);
return ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidScope, request.response_type,
request.state);
}
// validate if request grant type is allowed for client (implicit vs code flow)
if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Token) &&
!client.AllowImplicitFlow)
{
Tracing.Error("response_type is token and client does not allow implicit flow. client: " + client.Name);
return ClientError(client.RedirectUri, OAuth2Constants.Errors.UnsupportedResponseType,
request.response_type, request.state);
}
if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Code) &&
!client.AllowCodeFlow)
{
Tracing.Error("response_type is code and client does not allow code flow. client: " + client.Name);
return ClientError(client.RedirectUri, OAuth2Constants.Errors.UnsupportedResponseType,
request.response_type, request.state);
}
return null;
}
public ActionResult HandleRequest(AuthorizeRequest request)
{
Tracing.Information("OAuth2 HandleRequest endpoint invoked");
// check client
Client client;
var error = CheckRequest(request, out client);
if (error != null) return error;
RelyingParty rp;
if (!RPRepository.TryGet(request.scope, out rp))
{
Tracing.Error("RP not found for scope : " + request.scope);
return ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidScope, request.response_type,
request.state);
}
if (Configuration.OAuth2.EnableConsent)
{
// show resource name, uri and client name
// client is trying to access resource on your behalf
var vm = new OAuth2ConsentViewModel
{
ResourceUri = rp.Realm.AbsoluteUri,
ResourceName = rp.Name,
ClientName = client.ClientId,
RefreshTokenEnabled = client.AllowRefreshToken
};
return View("ShowConsent", vm);
}
var grantResult = PerformGrant(request, client);
if (grantResult != null) return grantResult;
// we don't know exactly why, so use ServerError
Tracing.Error("Authorization Endpoint failed");
return ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, request.response_type,
request.state);
}
private ActionResult CheckRequest(AuthorizeRequest request, out Client client)
{
if (request == null)
{
client = null;
ViewBag.Message = "Invalid request parameters";
Tracing.Error(ViewBag.Message);
return(View("Error"));
}
// validate client
if (!Clients.TryGetClient(request.client_id, out client))
{
ViewBag.Message = "Invalid client_id : " + request.client_id;
Tracing.Error(ViewBag.Message);
return(View("Error"));
}
// validate redirect uri
if (client.RedirectUri == null)
{
ViewBag.Message = "A redirect uri for client_id " + request.client_id + " was not configured.";
Tracing.Error(ViewBag.Message);
return(View("Error"));
}
if (string.IsNullOrEmpty(request.redirect_uri) ||
!string.Equals(request.redirect_uri, client.RedirectUri.AbsoluteUri, StringComparison.OrdinalIgnoreCase))
{
ViewBag.Message = "The redirect_uri in the request: " + request.redirect_uri +
" did not match a registered redirect URI.";
Tracing.Error(ViewBag.Message);
return(View("Error"));
}
Uri redirectUrl;
if (Uri.TryCreate(request.redirect_uri, UriKind.Absolute, out redirectUrl))
{
if (redirectUrl.Scheme == Uri.UriSchemeHttp)
{
Tracing.Error("Redirect URI not over SSL : " + request.redirect_uri);
return(ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, string.Empty,
request.state));
}
}
else
{
Tracing.Error("Redirect URI not a valid URI : " + request.redirect_uri);
return(ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, string.Empty,
request.state));
}
if (string.IsNullOrWhiteSpace(request.response_type))
{
Tracing.Error("response_type is null or empty");
return(ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, string.Empty,
request.state));
}
// check response type (only code and token are supported)
if (!request.response_type.Equals(OAuth2Constants.ResponseTypes.Token, StringComparison.Ordinal) &&
!request.response_type.Equals(OAuth2Constants.ResponseTypes.Code, StringComparison.Ordinal))
{
Tracing.Error("response_type is not token or code: " + request.response_type);
return(ClientError(client.RedirectUri, OAuth2Constants.Errors.UnsupportedResponseType, string.Empty,
request.state));
}
// validate scope (must be a valid URI)
Uri uri;
if (!Uri.TryCreate(request.scope, UriKind.Absolute, out uri))
{
Tracing.Error("scope is not a URI: " + request.scope);
return(ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidScope, request.response_type,
request.state));
}
// validate if request grant type is allowed for client (implicit vs code flow)
if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Token) &&
!client.AllowImplicitFlow)
{
Tracing.Error("response_type is token and client does not allow implicit flow. client: " + client.Name);
return(ClientError(client.RedirectUri, OAuth2Constants.Errors.UnsupportedResponseType,
request.response_type, request.state));
}
if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Code) &&
!client.AllowCodeFlow)
{
Tracing.Error("response_type is code and client does not allow code flow. client: " + client.Name);
return(ClientError(client.RedirectUri, OAuth2Constants.Errors.UnsupportedResponseType,
request.response_type, request.state));
}
return(null);
}
public ValidatedRequest Validate(AuthorizeRequest request)
{
var validatedRequest = new ValidatedRequest();
// validate request model binding
if (request == null)
{
throw new AuthorizeRequestResourceOwnerException("Invalid request parameters.");
}
// make sure redirect uri is present
if (string.IsNullOrWhiteSpace(request.redirect_uri))
{
throw new AuthorizeRequestResourceOwnerException("Missing redirect URI");
}
// validate client
if (string.IsNullOrWhiteSpace(request.client_id))
{
throw new AuthorizeRequestResourceOwnerException("Missing client identifier");
}
var client = Clients.Get(request.client_id);
if (client == null)
{
throw new AuthorizeRequestResourceOwnerException("Invalid client: " + request.client_id);
}
validatedRequest.Client = client;
Tracing.InformationFormat("Client: {0} ({1})",
validatedRequest.Client.Name,
validatedRequest.Client.ClientId);
// make sure redirect_uri is a valid uri, and in case of http is over ssl
Uri redirectUri;
if (Uri.TryCreate(request.redirect_uri, UriKind.Absolute, out redirectUri))
{
if (redirectUri.Scheme == Uri.UriSchemeHttp)
{
throw new AuthorizeRequestClientException(
"Redirect URI not over SSL : " + request.redirect_uri,
new Uri(request.redirect_uri),
OAuth2Constants.Errors.InvalidRequest,
string.Empty,
validatedRequest.State);
}
// make sure redirect uri is registered with client
if (!validatedRequest.Client.RedirectUris.Contains(request.redirect_uri))
{
throw new AuthorizeRequestResourceOwnerException("Invalid redirect URI: " + request.redirect_uri);
}
validatedRequest.RedirectUri = request.redirect_uri;
Tracing.InformationFormat("Redirect URI: {0}",
validatedRequest.RedirectUri);
}
else
{
throw new AuthorizeRequestResourceOwnerException("Invalid redirect URI: " + request.redirect_uri);
}
// check state
if (!string.IsNullOrWhiteSpace(request.state))
{
validatedRequest.State = request.state;
Tracing.Information("State: " + validatedRequest.State);
}
else
{
Tracing.Information("No state supplied.");
}
// validate response type
if (string.IsNullOrWhiteSpace(request.response_type))
{
throw new AuthorizeRequestClientException(
"response_type is null or empty",
new Uri(validatedRequest.RedirectUri),
OAuth2Constants.Errors.InvalidRequest,
string.Empty,
validatedRequest.State);
}
// check response type (only code and token are supported)
if (!request.response_type.Equals(OAuth2Constants.ResponseTypes.Token, StringComparison.Ordinal) &&
!request.response_type.Equals(OAuth2Constants.ResponseTypes.Code, StringComparison.Ordinal))
{
throw new AuthorizeRequestClientException(
"response_type is not token or code: " + request.response_type,
new Uri(validatedRequest.RedirectUri),
OAuth2Constants.Errors.UnsupportedResponseType,
string.Empty,
validatedRequest.State);
}
validatedRequest.ResponseType = request.response_type;
Tracing.Information("Response type: " + validatedRequest.ResponseType);
// scope is required
if (string.IsNullOrWhiteSpace(request.scope))
{
throw new AuthorizeRequestClientException(
"Missing scope",
new Uri(validatedRequest.RedirectUri),
OAuth2Constants.Errors.InvalidScope,
validatedRequest.ResponseType,
validatedRequest.State);
}
// validate scopes
if (!request.scope.StartsWith("openid"))
{
throw new AuthorizeRequestClientException(
"Invalid scope: " + request.scope,
new Uri(validatedRequest.RedirectUri),
OAuth2Constants.Errors.InvalidScope,
validatedRequest.ResponseType,
validatedRequest.State);
}
validatedRequest.Scopes = request.scope;
if (request.response_type == OAuth2Constants.ResponseTypes.Code)
{
ValidateCodeResponseType(validatedRequest, request);
}
else if (request.response_type == OAuth2Constants.ResponseTypes.Token)
{
ValidateTokenResponseType(validatedRequest, request);
}
else
{
throw new AuthorizeRequestClientException(
"Invalid response_type: " + request.response_type,
new Uri(validatedRequest.RedirectUri),
OAuth2Constants.Errors.UnsupportedResponseType,
request.response_type,
validatedRequest.State);
}
return validatedRequest;
}
private void ValidateTokenResponseType(ValidatedRequest validatedRequest, AuthorizeRequest request)
{
throw new NotImplementedException();
}
private void ValidateCodeResponseType(ValidatedRequest validatedRequest, AuthorizeRequest request)
{
if (validatedRequest.Client.Flow != OpenIdConnectFlows.AuthorizationCode)
{
throw new AuthorizeRequestClientException(
"response_type is not allowed: " + request.response_type,
new Uri(validatedRequest.RedirectUri),
OAuth2Constants.Errors.UnsupportedResponseType,
request.response_type,
validatedRequest.State);
}
}
