public async Task <RedirectUriResolutionResult> ResolveRedirectUriAsync(string clientId, string redirectUrl)
{
if (clientId == null)
{
throw new ArgumentNullException(nameof(clientId));
}
var app = await _applicationManager.FindByClientIdAsync(clientId);
if (app == null)
{
return(RedirectUriResolutionResult.Invalid(_errorProvider.InvalidClientId(clientId)));
}
var redirectUris = await _applicationManager.FindRegisteredUrisAsync(app);
if (redirectUrl == null && redirectUris.Count() == 1)
{
return(RedirectUriResolutionResult.Valid(redirectUris.Single()));
}
foreach (var uri in redirectUris)
{
if (string.Equals(uri, redirectUrl, StringComparison.Ordinal))
{
return(RedirectUriResolutionResult.Valid(redirectUrl));
}
}
return(RedirectUriResolutionResult.Invalid(_errorProvider.InvalidRedirectUri(redirectUrl)));
}
private async Task <(string clientId, string redirectUri, OpenIdConnectMessage error)> ValidateClientIdAndRedirectUri(
IDictionary <string, string[]> requestParameters, string state)
{
var(clientId, clientIdError) = RequestParametersHelper.ValidateParameterIsUnique(requestParameters, OpenIdConnectParameterNames.ClientId, _errorProvider);
if (clientIdError != null)
{
clientIdError.State = state;
return(null, null, clientIdError);
}
if (!await _clientIdValidator.ValidateClientIdAsync(clientId))
{
clientIdError = _errorProvider.InvalidClientId(clientId);
clientIdError.State = state;
return(null, null, clientIdError);
}
var(redirectUri, redirectUriError) = RequestParametersHelper.ValidateOptionalParameterIsUnique(requestParameters, OpenIdConnectParameterNames.RedirectUri, _errorProvider);
if (redirectUriError != null)
{
redirectUriError.State = state;
return(null, null, redirectUriError);
}
if (redirectUri != null)
{
if (!Uri.IsWellFormedUriString(redirectUri, UriKind.Absolute))
{
redirectUriError = _errorProvider.InvalidUriFormat(redirectUri);
redirectUriError.State = state;
return(null, null, redirectUriError);
}
var parsedUri = new Uri(redirectUri, UriKind.Absolute);
if (!string.IsNullOrEmpty(parsedUri.Fragment))
{
redirectUriError = _errorProvider.InvalidUriFormat(redirectUri);
redirectUriError.State = state;
return(null, null, redirectUriError);
}
}
var resolvedUriResult = await _redirectUrlValidator.ResolveRedirectUriAsync(clientId, redirectUri);
if (!resolvedUriResult.IsValid)
{
resolvedUriResult.Error.State = state;
return(null, null, resolvedUriResult.Error);
}
return(clientId, resolvedUriResult.Uri, null);
}
public async Task FailsToCreateAuthorizationRequest_IfClientIdValidation_Fails()
{
// Arrange
var parameters = new Dictionary <string, string[]>
{
[OpenIdConnectParameterNames.State] = new[] { "state" },
[OpenIdConnectParameterNames.ClientId] = new[] { "a" }
};
var expectedError = new AuthorizationRequestError(ProtocolErrorProvider.InvalidClientId("a"), null, null);
expectedError.Message.State = "state";
var factory = CreateAuthorizationRequestFactory(validClientId: false);
// Act
var result = await factory.CreateAuthorizationRequestAsync(parameters);
// Assert
Assert.False(result.IsValid);
Assert.Equal(expectedError, result.Error, IdentityServiceErrorComparer.Instance);
Assert.Null(result.Error.RedirectUri);
Assert.Null(result.Error.ResponseMode);
}
public async Task <TokenRequest> CreateTokenRequestAsync(IDictionary <string, string[]> requestParameters)
{
var(clientId, clientIdParameterError) = RequestParametersHelper.ValidateParameterIsUnique(requestParameters, OpenIdConnectParameterNames.ClientId, _errorProvider);
if (clientIdParameterError != null)
{
return(TokenRequest.Invalid(clientIdParameterError));
}
if (!await _clientIdValidator.ValidateClientIdAsync(clientId))
{
return(TokenRequest.Invalid(_errorProvider.InvalidClientId(clientId)));
}
var(clientSecret, clientSecretParameterError) = RequestParametersHelper.ValidateOptionalParameterIsUnique(requestParameters, OpenIdConnectParameterNames.ClientSecret, _errorProvider);
if (clientSecretParameterError != null)
{
return(TokenRequest.Invalid(clientSecretParameterError));
}
if (!await _clientIdValidator.ValidateClientCredentialsAsync(clientId, clientSecret))
{
return(TokenRequest.Invalid(_errorProvider.InvalidClientCredentials()));
}
var(grantType, grantTypeError) = RequestParametersHelper.ValidateParameterIsUnique(
requestParameters,
OpenIdConnectParameterNames.GrantType,
_errorProvider);
if (grantTypeError != null)
{
return(TokenRequest.Invalid(grantTypeError));
}
var grantTypeParameter = GetGrantTypeParameter(requestParameters, grantType);
if (grantTypeParameter == null)
{
return(TokenRequest.Invalid(_errorProvider.InvalidGrantType(grantType)));
}
var(grantValue, grantValueError) = RequestParametersHelper.ValidateParameterIsUnique(
requestParameters,
grantTypeParameter,
_errorProvider);
if (grantValueError != null)
{
return(TokenRequest.Invalid(clientIdParameterError));
}
var message = new OpenIdConnectMessage(requestParameters)
{
RequestType = OpenIdConnectRequestType.Token
};
// TODO: File a bug to track we might want to redesign this if we want to consider other flows like
// client credentials or resource owner credentials.
var consentGrant = await _tokenManager.ExchangeTokenAsync(message);
if (!consentGrant.IsValid)
{
return(TokenRequest.Invalid(consentGrant.Error));
}
if (!_timeStampManager.IsValidPeriod(consentGrant.Token.NotBefore, consentGrant.Token.Expires))
{
return(TokenRequest.Invalid(_errorProvider.InvalidLifetime()));
}
if (!string.Equals(clientId, consentGrant.ClientId, StringComparison.Ordinal))
{
return(TokenRequest.Invalid(_errorProvider.InvalidGrant()));
}
var(scope, requestScopesError) = RequestParametersHelper.ValidateOptionalParameterIsUnique(requestParameters, OpenIdConnectParameterNames.Scope, _errorProvider);
if (requestScopesError != null)
{
return(TokenRequest.Invalid(requestScopesError));
}
var grantedScopes = consentGrant.GrantedScopes;
var parsedScope = scope?.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
if (parsedScope != null)
{
var scopeResolutionResult = await _scopeResolver.ResolveScopesAsync(clientId, parsedScope);
if (!scopeResolutionResult.IsValid)
{
return(TokenRequest.Invalid(scopeResolutionResult.Error));
}
if (grantType.Equals(OpenIdConnectGrantTypes.AuthorizationCode, StringComparison.Ordinal) ||
grantType.Equals(OpenIdConnectGrantTypes.RefreshToken, StringComparison.Ordinal))
{
if (scopeResolutionResult.Scopes.Any(rs => !consentGrant.GrantedScopes.Contains(rs)))
{
return(TokenRequest.Invalid(_errorProvider.UnauthorizedScope()));
}
}
grantedScopes = scopeResolutionResult.Scopes;
}
if (grantType.Equals(OpenIdConnectGrantTypes.AuthorizationCode, StringComparison.Ordinal))
{
var authorizationCodeError = await ValidateAuthorizationCode(
requestParameters,
clientId,
consentGrant);
if (authorizationCodeError != null)
{
return(TokenRequest.Invalid(authorizationCodeError));
}
}
var requestGrants = new RequestGrants
{
Tokens = consentGrant.GrantedTokens.ToList(),
Claims = consentGrant.Token.ToList(),
Scopes = grantedScopes.ToList()
};
return(await ValidateRequestAsync(TokenRequest.Valid(
message,
consentGrant.UserId,
consentGrant.ClientId,
requestGrants)));
}
