public void ExpiredRefreshToken()
{
TestTokenHandleManager handleManager =
new TestTokenHandleManager("abc", "codeclient", "https://validredirect", expired: true);
var validator = new TokenRequestValidator(handleManager);
var app = _testConfig.FindApplication("test");
var request = new TokenRequest
{
Grant_Type = OAuthConstants.GrantTypes.RefreshToken,
Refresh_Token = "abc"
};
try
{
var result = validator.Validate(app, request, _client);
}
catch (TokenRequestValidationException ex)
{
Assert.AreEqual(OAuthConstants.Errors.InvalidGrant, ex.OAuthError);
return;
}
Assert.Fail("No exception thrown.");
}
public void MissingClientId()
{
var validator = new TokenRequestValidator();
var app = _testConfig.FindApplication("test");
var request = new TokenRequest
{
Grant_Type = OAuthConstants.GrantTypes.Password,
UserName = "******",
Password = "******",
Scope = "read"
};
try
{
var client = Principal.Create("Test",
new Claim("password", "secret"));
var result = validator.Validate(app, request, client);
}
catch (TokenRequestValidationException ex)
{
Assert.AreEqual(OAuthConstants.Errors.InvalidClient, ex.OAuthError);
return;
}
Assert.Fail("No exception thrown.");
}
public void ValidSingleScope()
{
var validator = new TokenRequestValidator();
var app = _testConfig.FindApplication("test");
var request = new TokenRequest
{
Grant_Type = OAuthConstants.GrantTypes.ClientCredentials,
Scope = "read"
};
var result = validator.Validate(app, request, _client);
}
public void ValidRequest()
{
var validator = new TokenRequestValidator(_handleManager);
var app = _testConfig.FindApplication("test");
var request = new TokenRequest
{
Grant_Type = OAuthConstants.GrantTypes.RefreshToken,
Refresh_Token = "abc"
};
var result = validator.Validate(app, request, _client);
}
public void ValidCodeGrant()
{
var validator = new TokenRequestValidator(new TestTokenHandleManager("codeclient", "https://todo"));
var app = _testConfig.FindApplication("test");
var request = new TokenRequest
{
Grant_Type = OAuthConstants.GrantTypes.AuthorizationCode,
Code = "abc",
Redirect_Uri = "https://todo"
};
var result = validator.Validate(app, request, _codeClient);
}
public void ValidSingleScope()
{
var validator = new TokenRequestValidator(_clientManager);
var app = _testConfig.FindApplication("test");
var request = new TokenRequest
{
Grant_Type = "assertion",
Assertion = "assertion",
Scope = "read"
};
var result = validator.Validate(app, request, _client);
}
public void ValidSingleScope()
{
var validator = new TokenRequestValidator(_handleManager);
var app = _testConfig.FindApplication("test");
var request = new TokenRequest
{
Grant_Type = OAuthConstants.GrantTypes.AuthorizationCode,
Code = "abc",
Redirect_Uri = "https://validredirect"
};
var result = validator.Validate(app, request, _client);
}
public void ValidSingleScope()
{
var validator = new TokenRequestValidator();
var app = _testConfig.FindApplication("test");
var request = new TokenRequest
{
Grant_Type = OAuthConstants.GrantTypes.Password,
UserName = "******",
Password = "******",
Scope = "read"
};
var result = validator.Validate(app, request, _client);
}
public HttpResponseMessage Post(string appName, TokenRequest request)
{
Tracing.Start("OAuth2 Token Endpoint");
// make sure application is registered
var application = _config.FindApplication(appName);
if (application == null)
{
Tracing.Error("Application not found: " + appName);
return Request.CreateErrorResponse(HttpStatusCode.NotFound, "Not found");
}
// validate token request
ValidatedRequest validatedRequest;
try
{
validatedRequest = new TokenRequestValidator(_handleManager).Validate(application, request, ClaimsPrincipal.Current);
}
catch (TokenRequestValidationException ex)
{
Tracing.Error("Aborting OAuth2 token request");
return Request.CreateOAuthErrorResponse(ex.OAuthError);
}
// switch over the grant type
if (validatedRequest.GrantType.Equals(OAuthConstants.GrantTypes.Password))
{
return ProcessResourceOwnerCredentialRequest(validatedRequest);
}
else if (validatedRequest.GrantType.Equals(OAuthConstants.GrantTypes.AuthorizationCode))
{
return ProcessAuthorizationCodeRequest(validatedRequest);
}
else if (string.Equals(validatedRequest.GrantType, OAuthConstants.GrantTypes.RefreshToken))
{
return ProcessRefreshTokenRequest(validatedRequest);
}
else if (string.Equals(validatedRequest.GrantType, OAuthConstants.GrantTypes.ClientCredentials))
{
return ProcessClientCredentialsRequest(validatedRequest);
}
Tracing.Error("invalid grant type: " + request.Grant_Type);
return Request.CreateOAuthErrorResponse(OAuthConstants.Errors.UnsupportedGrantType);
}
public void MissingCode()
{
var validator = new TokenRequestValidator(_handleManager);
var app = _testConfig.FindApplication("test");
var request = new TokenRequest
{
Grant_Type = OAuthConstants.GrantTypes.RefreshToken,
};
try
{
var result = validator.Validate(app, request, _client);
}
catch (TokenRequestValidationException ex)
{
Assert.AreEqual(OAuthConstants.Errors.InvalidGrant, ex.OAuthError);
return;
}
Assert.Fail("No exception thrown.");
}
public void MissingScope()
{
var validator = new TokenRequestValidator();
var app = _testConfig.FindApplication("test");
var request = new TokenRequest
{
Grant_Type = OAuthConstants.GrantTypes.ClientCredentials,
};
try
{
var result = validator.Validate(app, request, _client);
}
catch (TokenRequestValidationException ex)
{
Assert.AreEqual(OAuthConstants.Errors.InvalidScope, ex.OAuthError);
return;
}
Assert.Fail("No exception thrown.");
}
public void MissingScope()
{
var validator = new TokenRequestValidator(_clientManager);
var app = _testConfig.FindApplication("test");
var request = new TokenRequest
{
Grant_Type = OAuthConstants.GrantTypes.Password,
UserName = "******",
Password = "******",
};
try
{
var result = validator.Validate(app, request, _client);
}
catch (TokenRequestValidationException ex)
{
Assert.AreEqual(OAuthConstants.Errors.InvalidScope, ex.OAuthError);
return;
}
Assert.Fail("No exception thrown.");
}
public void NonMatchingRedirectUri()
{
var validator = new TokenRequestValidator(_handleManager);
var app = _testConfig.FindApplication("test");
var request = new TokenRequest
{
Grant_Type = OAuthConstants.GrantTypes.AuthorizationCode,
Code = "abc",
Redirect_Uri = "https://invalidredirect"
};
try
{
var result = validator.Validate(app, request, _client);
}
catch (TokenRequestValidationException ex)
{
Assert.AreEqual(OAuthConstants.Errors.InvalidRequest, ex.OAuthError);
return;
}
Assert.Fail("No exception thrown.");
}
public void UnknownScope()
{
var validator = new TokenRequestValidator(_clientManager);
var app = _testConfig.FindApplication("test");
var request = new TokenRequest
{
Grant_Type = "assertion",
Assertion = "assertion",
Scope = "unknown"
};
try
{
var result = validator.Validate(app, request, _client);
}
catch (TokenRequestValidationException ex)
{
Assert.AreEqual(OAuthConstants.Errors.InvalidScope, ex.OAuthError);
return;
}
Assert.Fail("No exception thrown.");
}
public void UnauthorizedClientCredentialGrant()
{
var validator = new TokenRequestValidator(_handleManager, _clientManager);
var app = _testConfig.FindApplication("test");
var request = new TokenRequest
{
Grant_Type = OAuthConstants.GrantTypes.ClientCredentials,
};
try
{
var result = validator.Validate(app, request, _client);
}
catch (TokenRequestValidationException ex)
{
Assert.AreEqual(OAuthConstants.Errors.UnauthorizedClient, ex.OAuthError);
return;
}
Assert.Fail("No exception thrown.");
}
public void InvalidCodeToClientBinding()
{
var handleManager =
new TestTokenHandleManager("abc", "someotherclient", "https://validredirect");
var validator = new TokenRequestValidator(handleManager, _clientManager);
var app = _testConfig.FindApplication("test");
var request = new TokenRequest
{
Grant_Type = OAuthConstants.GrantTypes.AuthorizationCode,
Code = "abc",
Redirect_Uri = "https://validredirect"
};
try
{
var result = validator.Validate(app, request, _client);
}
catch (TokenRequestValidationException ex)
{
Assert.AreEqual(OAuthConstants.Errors.InvalidGrant, ex.OAuthError);
return;
}
Assert.Fail("No exception thrown.");
}
public void UnauthorizedScopeSingle()
{
var validator = new TokenRequestValidator();
var app = _testConfig.FindApplication("test");
var request = new TokenRequest
{
Grant_Type = OAuthConstants.GrantTypes.Password,
UserName = "******",
Password = "******",
Scope = "delete"
};
try
{
var result = validator.Validate(app, request, _client);
}
catch (TokenRequestValidationException ex)
{
Assert.AreEqual(OAuthConstants.Errors.InvalidScope, ex.OAuthError);
return;
}
Assert.Fail("No exception thrown.");
}
private void ValidateRefreshTokenGrant(ValidatedRequest validatedRequest, TokenRequest request)
{
if (_handleManager == null)
{
throw new ArgumentNullException("HandleManager");
}
if (!validatedRequest.Client.AllowRefreshToken)
{
throw new TokenRequestValidationException(
"Refresh tokens not allowed for client",
OAuthConstants.Errors.UnsupportedGrantType);
}
// check for refresh token
if (string.IsNullOrWhiteSpace(request.Refresh_Token))
{
throw new TokenRequestValidationException(
"Missing refresh token",
OAuthConstants.Errors.InvalidGrant);
}
validatedRequest.RefreshToken = request.Refresh_Token;
Tracing.Information("Refresh token: " + validatedRequest.RefreshToken);
// check for refresh token in datastore
var handle = _handleManager.Get(validatedRequest.RefreshToken);
if (handle == null)
{
throw new TokenRequestValidationException(
"Refresh token not found: " + validatedRequest.RefreshToken,
OAuthConstants.Errors.InvalidGrant);
}
validatedRequest.TokenHandle = handle;
Tracing.Information("Token handle found: " + handle.HandleId);
// check the client binding
if (handle.Client.ClientId != validatedRequest.Client.ClientId)
{
throw new TokenRequestValidationException(
string.Format("Client {0} is trying to refresh token from {1}.", validatedRequest.Client.ClientId, handle.Client.ClientId),
OAuthConstants.Errors.InvalidGrant);
}
}
public void Refresh_Token_Create_New()
{
Claim[] claims = { new Claim("client_id", "MobileAppShop"), new Claim("secret", "12345678") };
ClaimsPrincipal claimsPrinciple = Principal.Create("Test", claims);
Thread.CurrentPrincipal = claimsPrinciple;
TokenRequest tokenRequest = new TokenRequest()
{
Grant_Type = "refresh_token",
Refresh_Token = "MyFavouriteRefrehToken1234"
};
var response = _TokenController.Post("Test Application 1", tokenRequest);
TokenResponse tokenResponse;
response.TryGetContentValue<TokenResponse>(out tokenResponse);
Assert.IsTrue(response.IsSuccessStatusCode == true);
Assert.IsFalse(string.IsNullOrEmpty(tokenResponse.AccessToken));
}
public void UnknownGrantType()
{
var validator = new TokenRequestValidator();
var app = _testConfig.FindApplication("test");
var request = new TokenRequest
{
Grant_Type = "unknown"
};
try
{
var result = validator.Validate(app, request, null);
}
catch (TokenRequestValidationException ex)
{
Assert.AreEqual(OAuthConstants.Errors.UnsupportedGrantType, ex.OAuthError);
return;
}
Assert.Fail("No exception thrown.");
}
public ValidatedRequest Validate(Application application, TokenRequest request, ClaimsPrincipal clientPrincipal)
{
var validatedRequest = new ValidatedRequest();
// validate request model binding
if (request == null)
{
throw new TokenRequestValidationException(
"Invalid request parameters.",
OAuthConstants.Errors.InvalidRequest);
}
validatedRequest.Application = application;
Tracing.InformationFormat("OAuth2 application: {0} ({1})",
validatedRequest.Application.Name,
validatedRequest.Application.Namespace);
// grant type is required
if (string.IsNullOrWhiteSpace(request.Grant_Type))
{
throw new TokenRequestValidationException(
"Missing grant_type",
OAuthConstants.Errors.UnsupportedGrantType);
}
// check supported grant types
if (request.Grant_Type == OAuthConstants.GrantTypes.AuthorizationCode ||
request.Grant_Type == OAuthConstants.GrantTypes.ClientCredentials ||
request.Grant_Type == OAuthConstants.GrantTypes.RefreshToken ||
request.Grant_Type == OAuthConstants.GrantTypes.Password)
{
validatedRequest.GrantType = request.Grant_Type;
Tracing.Information("Grant type: " + validatedRequest.GrantType);
}
else if (!string.IsNullOrWhiteSpace(request.Assertion))
{
validatedRequest.GrantType = OAuthConstants.GrantTypes.Assertion;
validatedRequest.AssertionType = request.Grant_Type;
validatedRequest.Assertion = request.Assertion;
Tracing.Information("Grant type: " + validatedRequest.GrantType);
}
else
{
throw new TokenRequestValidationException(
"Invalid grant_type: " + request.Grant_Type,
OAuthConstants.Errors.UnsupportedGrantType);
}
// validate client credentials
var client = ValidateClient(clientPrincipal, validatedRequest.Application);
if (client == null)
{
throw new TokenRequestValidationException(
"Invalid client: " + ClaimsPrincipal.Current.Identity.Name,
OAuthConstants.Errors.InvalidClient);
}
validatedRequest.Client = client;
Tracing.InformationFormat("Client: {0} ({1})",
validatedRequest.Client.Name,
validatedRequest.Client.ClientId);
switch (validatedRequest.GrantType)
{
case OAuthConstants.GrantTypes.AuthorizationCode:
ValidateCodeGrant(validatedRequest, request);
break;
case OAuthConstants.GrantTypes.Password:
ValidatePasswordGrant(validatedRequest, request);
break;
case OAuthConstants.GrantTypes.RefreshToken:
ValidateRefreshTokenGrant(validatedRequest, request);
break;
case OAuthConstants.GrantTypes.ClientCredentials:
ValidateClientCredentialsGrant(validatedRequest, request);
break;
case OAuthConstants.GrantTypes.Assertion:
ValidateAssertionGrant(validatedRequest, request);
break;
default:
throw new TokenRequestValidationException(
"Invalid grant_type: " + request.Grant_Type,
OAuthConstants.Errors.UnsupportedGrantType);
}
Tracing.Information("Token request validation successful.");
return(validatedRequest);
}
private static void ValidateScopes(ValidatedRequest validatedRequest, TokenRequest request)
{
// validate scope
if (string.IsNullOrWhiteSpace(request.Scope))
{
throw new TokenRequestValidationException(
"Missing scope",
OAuthConstants.Errors.InvalidScope);
}
// make sure client is allowed to request all scope
var requestedScopes = request.Scope.Split(' ').ToList();
List<Scope> resultingScopes;
if (validatedRequest.Application.Scopes.TryValidateScopes(validatedRequest.Client.ClientId, requestedScopes, out resultingScopes))
{
validatedRequest.Scopes = resultingScopes;
Tracing.InformationFormat("Requested scopes: {0}", request.Scope);
}
else
{
throw new TokenRequestValidationException(
"Invalid scope",
OAuthConstants.Errors.InvalidScope);
}
}
private void ValidateCodeGrant(ValidatedRequest validatedRequest, TokenRequest request)
{
if (_handleManager == null)
{
throw new ArgumentNullException("HandleManager");
}
if (validatedRequest.Client.Flow != OAuthFlow.Code)
{
throw new TokenRequestValidationException(
"Code flow not allowed for client",
OAuthConstants.Errors.UnauthorizedClient);
}
// code needs to be present
if (string.IsNullOrWhiteSpace(request.Code))
{
throw new TokenRequestValidationException(
"Missing authorization code",
OAuthConstants.Errors.InvalidGrant);
}
validatedRequest.AuthorizationCode = request.Code;
Tracing.Information("Authorization code: " + validatedRequest.AuthorizationCode);
// check for authorization code in datastore
var handle = _handleManager.Get(validatedRequest.AuthorizationCode);
if (handle == null)
{
throw new TokenRequestValidationException(
"Authorization code not found: " + validatedRequest.AuthorizationCode,
OAuthConstants.Errors.InvalidGrant);
}
validatedRequest.StoredGrant = handle;
Tracing.Information("Token handle found: " + handle.GrantId);
// check the client binding
if (handle.Client.ClientId != validatedRequest.Client.ClientId)
{
throw new TokenRequestValidationException(
string.Format("Client {0} is trying to request token using an authorization code from {1}.", validatedRequest.Client.ClientId, handle.Client.ClientId),
OAuthConstants.Errors.InvalidGrant);
}
// redirect URI is required
if (string.IsNullOrWhiteSpace(request.Redirect_Uri))
{
throw new TokenRequestValidationException(
string.Format("Redirect URI is missing"),
OAuthConstants.Errors.InvalidRequest);
}
// check if redirect URI from authorize and token request match
if (!handle.RedirectUri.Equals(request.Redirect_Uri))
{
throw new TokenRequestValidationException(
string.Format("Redirect URI in token request ({0}), does not match redirect URI from authorize request ({1})", validatedRequest.RedirectUri, handle.RedirectUri),
OAuthConstants.Errors.InvalidRequest);
}
}
private void ValidateCodeGrant(ValidatedRequest validatedRequest, TokenRequest request)
{
if (_handleManager == null)
{
throw new ArgumentNullException("HandleManager");
}
if (validatedRequest.Client.Flow != OAuthFlow.Code)
{
throw new TokenRequestValidationException(
"Code flow not allowed for client",
OAuthConstants.Errors.UnsupportedGrantType);
}
// code needs to be present
if (string.IsNullOrWhiteSpace(request.Code))
{
throw new TokenRequestValidationException(
"Missing authorization code",
OAuthConstants.Errors.InvalidGrant);
}
validatedRequest.AuthorizationCode = request.Code;
Tracing.Information("Authorization code: " + validatedRequest.AuthorizationCode);
// check for authorization code in datastore
var handle = _handleManager.Get(validatedRequest.AuthorizationCode);
if (handle == null)
{
throw new TokenRequestValidationException(
"Authorization code not found: " + validatedRequest.AuthorizationCode,
OAuthConstants.Errors.InvalidGrant);
}
validatedRequest.TokenHandle = handle;
Tracing.Information("Token handle found: " + handle.HandleId);
// check the client binding
if (handle.Client.ClientId != validatedRequest.Client.ClientId)
{
throw new TokenRequestValidationException(
string.Format("Client {0} is trying to request token using an authorization code from {1}.", validatedRequest.Client.ClientId, handle.Client.ClientId),
OAuthConstants.Errors.InvalidGrant);
}
// redirect URI is required
if (string.IsNullOrWhiteSpace(request.Redirect_Uri))
{
throw new TokenRequestValidationException(
string.Format("Redirect URI is missing"),
OAuthConstants.Errors.InvalidRequest);
}
// check if redirect URI from authorize and token request match
if (!handle.RedirectUri.Equals(request.Redirect_Uri))
{
throw new TokenRequestValidationException(
string.Format("Redirect URI in token request ({0}), does not match redirect URI from authorize request ({1})", validatedRequest.RedirectUri, handle.RedirectUri),
OAuthConstants.Errors.InvalidRequest);
}
}
public ValidatedRequest Validate(Application application, TokenRequest request, ClaimsPrincipal clientPrincipal)
{
var validatedRequest = new ValidatedRequest();
// validate request model binding
if (request == null)
{
throw new TokenRequestValidationException(
"Invalid request parameters.",
OAuthConstants.Errors.InvalidRequest);
}
validatedRequest.Application = application;
Tracing.InformationFormat("OAuth2 application: {0} ({1})",
validatedRequest.Application.Name,
validatedRequest.Application.Namespace);
// grant type is required
if (string.IsNullOrWhiteSpace(request.Grant_Type))
{
throw new TokenRequestValidationException(
"Missing grant_type",
OAuthConstants.Errors.UnsupportedGrantType);
}
validatedRequest.GrantType = request.Grant_Type;
Tracing.Information("Grant type: " + validatedRequest.GrantType);
// validate client credentials
var client = ValidateClient(clientPrincipal, validatedRequest.Application);
if (client == null)
{
throw new TokenRequestValidationException(
"Invalid client: " + ClaimsPrincipal.Current.Identity.Name,
OAuthConstants.Errors.InvalidClient);
}
validatedRequest.Client = client;
Tracing.InformationFormat("Client: {0} ({1})",
validatedRequest.Client.Name,
validatedRequest.Client.ClientId);
switch (request.Grant_Type)
{
case OAuthConstants.GrantTypes.AuthorizationCode:
ValidateCodeGrant(validatedRequest, request);
break;
case OAuthConstants.GrantTypes.Password:
ValidatePasswordGrant(validatedRequest, request);
break;
case OAuthConstants.GrantTypes.RefreshToken:
ValidateRefreshTokenGrant(validatedRequest, request);
break;
case OAuthConstants.GrantTypes.ClientCredentials:
ValidateClientCredentialsGrant(validatedRequest, request);
break;
default:
throw new TokenRequestValidationException(
"Invalid grant_type: " + request.Grant_Type,
OAuthConstants.Errors.UnsupportedGrantType);
}
Tracing.Information("Token request validation successful.");
return validatedRequest;
}
private void ValidateClientCredentialsGrant(ValidatedRequest validatedRequest, TokenRequest request)
{
if (validatedRequest.Client.Flow != OAuthFlow.Client)
{
throw new TokenRequestValidationException(
"Client flow not allowed for client",
OAuthConstants.Errors.UnsupportedGrantType);
}
ValidateScopes(validatedRequest, request);
}
private void ValidateClientCredentialsGrant(ValidatedRequest validatedRequest, TokenRequest request)
{
if (validatedRequest.Client.Flow != OAuthFlow.Client)
{
throw new TokenRequestValidationException(
"Client flow not allowed for client",
OAuthConstants.Errors.UnauthorizedClient);
}
ValidateScopes(validatedRequest, request);
}
public void DisabledClient()
{
var validator = new TokenRequestValidator();
var app = _testConfig.FindApplication("test");
var request = new TokenRequest
{
Grant_Type = OAuthConstants.GrantTypes.ClientCredentials
};
try
{
var client = Principal.Create("Test",
new Claim("client_id", "disabledclient"),
new Claim("secret", "secret"));
var result = validator.Validate(app, request, client);
}
catch (TokenRequestValidationException ex)
{
Assert.AreEqual(OAuthConstants.Errors.InvalidClient, ex.OAuthError);
return;
}
Assert.Fail("No exception thrown.");
}
public void AnonymousCodeGrant()
{
var validator = new TokenRequestValidator();
var app = _testConfig.FindApplication("test");
var request = new TokenRequest
{
Grant_Type = OAuthConstants.GrantTypes.AuthorizationCode,
Code = "abc",
Redirect_Uri = "https://validredirect"
};
try
{
var result = validator.Validate(app, request, Principal.Anonymous);
}
catch (TokenRequestValidationException ex)
{
Assert.AreEqual(OAuthConstants.Errors.InvalidClient, ex.OAuthError);
return;
}
Assert.Fail("No exception thrown.");
}
private void ValidatePasswordGrant(ValidatedRequest validatedRequest, TokenRequest request)
{
if (validatedRequest.Client.Flow != OAuthFlow.ResourceOwner)
{
throw new TokenRequestValidationException(
"Resource owner password flow not allowed for client",
OAuthConstants.Errors.UnsupportedGrantType);
}
ValidateScopes(validatedRequest, request);
// extract username and password
if (string.IsNullOrWhiteSpace(request.UserName) || string.IsNullOrWhiteSpace(request.Password))
{
throw new TokenRequestValidationException(
"Missing Username or password.",
OAuthConstants.Errors.InvalidGrant);
}
else
{
validatedRequest.UserName = request.UserName;
validatedRequest.Password = request.Password;
Tracing.Information("Resource owner: " + request.UserName);
}
}
public void MissingResourceOwnerPassword()
{
var validator = new TokenRequestValidator();
var app = _testConfig.FindApplication("test");
var request = new TokenRequest
{
Grant_Type = OAuthConstants.GrantTypes.Password,
UserName = "******",
Scope = "read"
};
try
{
var result = validator.Validate(app, request, _client);
}
catch (TokenRequestValidationException ex)
{
Assert.AreEqual(OAuthConstants.Errors.InvalidGrant, ex.OAuthError);
return;
}
Assert.Fail("No exception thrown.");
}
public void UnauthorizedCodeGrant()
{
TestTokenHandleManager handleManager =
new TestTokenHandleManager("abc", "codeclient", "https://validredirect");
var validator = new TokenRequestValidator(handleManager);
var app = _testConfig.FindApplication("test");
var request = new TokenRequest
{
Grant_Type = OAuthConstants.GrantTypes.AuthorizationCode,
};
try
{
var result = validator.Validate(app, request, _client);
}
catch (TokenRequestValidationException ex)
{
Assert.AreEqual(OAuthConstants.Errors.UnauthorizedClient, ex.OAuthError);
return;
}
Assert.Fail("No exception thrown.");
}
private void ValidateRefreshTokenGrant(ValidatedRequest validatedRequest, TokenRequest request)
{
if (_handleManager == null)
{
throw new ArgumentNullException("HandleManager");
}
if (!validatedRequest.Client.AllowRefreshToken)
{
throw new TokenRequestValidationException(
"Refresh tokens not allowed for client",
OAuthConstants.Errors.UnauthorizedClient);
}
// check for refresh token
if (string.IsNullOrWhiteSpace(request.Refresh_Token))
{
throw new TokenRequestValidationException(
"Missing refresh token",
OAuthConstants.Errors.InvalidGrant);
}
validatedRequest.RefreshToken = request.Refresh_Token;
Tracing.Information("Refresh token: " + validatedRequest.RefreshToken);
// check for refresh token in datastore
var handle = _handleManager.Get(validatedRequest.RefreshToken);
if (handle == null)
{
throw new TokenRequestValidationException(
"Refresh token not found: " + validatedRequest.RefreshToken,
OAuthConstants.Errors.InvalidGrant);
}
validatedRequest.StoredGrant = handle;
Tracing.Information("Token handle found: " + handle.GrantId);
// make sure the refresh token has an expiration time
if (validatedRequest.StoredGrant.Expiration == null)
{
throw new TokenRequestValidationException(
"No expiration time set for refresh token. That's not allowed.",
OAuthConstants.Errors.InvalidGrant);
}
// make sure refresh token has not expired
if (DateTime.UtcNow > validatedRequest.StoredGrant.Expiration)
{
throw new TokenRequestValidationException(
"Refresh token expired.",
OAuthConstants.Errors.InvalidGrant);
}
// check the client binding
if (handle.Client.ClientId != validatedRequest.Client.ClientId)
{
throw new TokenRequestValidationException(
string.Format("Client {0} is trying to refresh token from {1}.", validatedRequest.Client.ClientId, handle.Client.ClientId),
OAuthConstants.Errors.InvalidGrant);
}
}
public void Create_Token()
{
Claim[] claims = { new Claim("client_id", "MobileAppShop"), new Claim("secret", "12345678") };
ClaimsPrincipal claimsPrinciple = Principal.Create("Test", claims);
Thread.CurrentPrincipal = claimsPrinciple;
TokenRequest tokenRequest = new TokenRequest()
{
Grant_Type = "password",
UserName = "******",
Password = "******",
Scope = "read",
};
var response = _TokenController.Post("Test Application 1", tokenRequest);
TokenResponse tokenResponse;
response.TryGetContentValue<TokenResponse>(out tokenResponse);
Assert.IsTrue(response.IsSuccessStatusCode == true);
Assert.IsFalse(string.IsNullOrEmpty(tokenResponse.AccessToken));
}