public async Task<AuthorizeResponse> CreateCodeFlowResponseAsync(ValidatedAuthorizeRequest request)
{
_logger.LogInformation("Creating Authorization Code Flow response.");
var code = await CreateCodeAsync(request);
var response = new AuthorizeResponse
{
Request = request,
RedirectUri = request.RedirectUri,
Code = code,
State = request.State
};
if (request.IsOpenIdRequest)
{
response.SessionState = GenerateSessionStateValue(request);
}
return response;
}
internal static string BuildUri(AuthorizeResponse response)
{
var uri = response.RedirectUri;
var query = response.ToNameValueCollection().ToQueryString();
if (response.Request.ResponseMode == OidcConstants.ResponseModes.Query)
{
uri = uri.AddQueryString(query);
}
else
{
uri = uri.AddHashFragment(query);
}
if (response.IsError && !uri.Contains("#"))
{
// https://tools.ietf.org/html/draft-bradley-oauth-open-redirector-00
uri += "#_=_";
}
return uri;
}
public AuthorizeRedirectResult(AuthorizeResponse response)
: base(response)
{
}
Task<IEndpointResult> CreateAuthorizeResultAsync(AuthorizeResponse response)
{
var request = response.Request;
IEndpointResult result = null;
if (request.ResponseMode == Constants.ResponseModes.Query ||
request.ResponseMode == Constants.ResponseModes.Fragment)
{
result = new AuthorizeRedirectResult(response);
}
if (request.ResponseMode == Constants.ResponseModes.FormPost)
{
result = new AuthorizeFormPostResult(response);
}
if (result != null)
{
if (response.IsError == false)
{
_logger.LogDebug("Adding client {0} to client list cookie for subject {1}", request.ClientId, request.Subject.GetSubjectId());
_clientListCookie.AddClient(request.ClientId);
}
return Task.FromResult(result);
}
_logger.LogError("Unsupported response mode.");
throw new InvalidOperationException("Unsupported response mode");
}
public async Task<IEndpointResult> CreateErrorResultAsync(ErrorTypes errorType, string error, ValidatedAuthorizeRequest request)
{
if (errorType == ErrorTypes.Client && request == null)
{
throw new ArgumentNullException(nameof(request), "Request must be passed when error type is Client.");
}
AuthorizeResponse response = null;
if (errorType == ErrorTypes.Client)
{
response = new AuthorizeResponse
{
Request = request,
IsError = true,
Error = error,
State = request.State,
RedirectUri = request.RedirectUri
};
// do some early checks to see if we will end up not generating an error page
if (error == Constants.AuthorizeErrors.AccessDenied)
{
return await CreateAuthorizeResultAsync(response);
}
if (request.PromptMode == Constants.PromptModes.None &&
request.Client.AllowPromptNone == true &&
(error == Constants.AuthorizeErrors.LoginRequired ||
error == Constants.AuthorizeErrors.ConsentRequired ||
error == Constants.AuthorizeErrors.InteractionRequired)
)
{
// todo: verify these are the right conditions to allow
// redirecting back to client
// https://tools.ietf.org/html/draft-bradley-oauth-open-redirector-00
return await CreateAuthorizeResultAsync(response);
}
else
{
//_logger.LogWarning("Rendering error page due to prompt=none, client does not allow prompt mode none, response is query, and ");
}
}
// we now know we must show error page
var msg = _localizationService.GetMessage(error);
if (msg.IsMissing())
{
msg = error;
}
var errorModel = new ErrorMessage
{
RequestId = _context.GetRequestId(),
ErrorCode = error,
ErrorDescription = msg
};
if (errorType == ErrorTypes.Client)
{
// if this is a client error, we need to build up the
// response back to the client, and provide it in the
// error view model so the UI can build the link/form
errorModel.ReturnInfo = new ClientReturnInfo
{
ClientId = request.ClientId,
};
if (request.ResponseMode == Constants.ResponseModes.Query ||
request.ResponseMode == Constants.ResponseModes.Fragment)
{
errorModel.ReturnInfo.Uri = request.RedirectUri = AuthorizeRedirectResult.BuildUri(response);
}
else if (request.ResponseMode == Constants.ResponseModes.FormPost)
{
errorModel.ReturnInfo.Uri = request.RedirectUri;
errorModel.ReturnInfo.PostBody = AuthorizeFormPostResult.BuildFormBody(response);
}
else
{
_logger.LogError("Unsupported response mode.");
throw new InvalidOperationException("Unsupported response mode");
}
}
var message = new Message<ErrorMessage>(errorModel);
await _errorMessageStore.WriteAsync(message);
return new ErrorPageResult(message.Id);
}
internal static string BuildFormBody(AuthorizeResponse response)
{
return response.ToNameValueCollection().ToFormPost();
}
public AuthorizeFormPostResult(AuthorizeResponse response)
: base(response)
{
}
public async Task<AuthorizeResponse> CreateImplicitFlowResponseAsync(ValidatedAuthorizeRequest request, string authorizationCode = null)
{
_logger.LogInformation("Creating Implicit Flow response.");
string accessTokenValue = null;
int accessTokenLifetime = 0;
var responseTypes = request.ResponseType.FromSpaceSeparatedString();
if (responseTypes.Contains(Constants.ResponseTypes.Token))
{
var tokenRequest = new TokenCreationRequest
{
Subject = request.Subject,
Client = request.Client,
Scopes = request.ValidatedScopes.GrantedScopes,
ValidatedRequest = request
};
var accessToken = await _tokenService.CreateAccessTokenAsync(tokenRequest);
accessTokenLifetime = accessToken.Lifetime;
accessTokenValue = await _tokenService.CreateSecurityTokenAsync(accessToken);
}
string jwt = null;
if (responseTypes.Contains(Constants.ResponseTypes.IdToken))
{
var tokenRequest = new TokenCreationRequest
{
ValidatedRequest = request,
Subject = request.Subject,
Client = request.Client,
Scopes = request.ValidatedScopes.GrantedScopes,
Nonce = request.Raw.Get(Constants.AuthorizeRequest.Nonce),
IncludeAllIdentityClaims = !request.AccessTokenRequested,
AccessTokenToHash = accessTokenValue,
AuthorizationCodeToHash = authorizationCode
};
var idToken = await _tokenService.CreateIdentityTokenAsync(tokenRequest);
jwt = await _tokenService.CreateSecurityTokenAsync(idToken);
}
var response = new AuthorizeResponse
{
Request = request,
RedirectUri = request.RedirectUri,
AccessToken = accessTokenValue,
AccessTokenLifetime = accessTokenLifetime,
IdentityToken = jwt,
State = request.State,
Scope = request.ValidatedScopes.GrantedScopes.ToSpaceSeparatedString(),
};
if (request.IsOpenIdRequest)
{
response.SessionState = GenerateSessionStateValue(request);
}
return response;
}
public AuthorizeResult(AuthorizeResponse response)
{
Response = response;
}