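/// <summary>
/// Validates an end session (logout) request on behalf of the currently signed-in user and
/// records the request, subject, client, post-logout URI and state in the validated request.
/// </summary>
/// <remarks>
/// Only an id_token_hint ties the request to a client. Without one the post_logout_redirect_uri
/// and state parameters are ignored and the request is still treated as valid, because there is
/// no client whose registered post-logout URIs could be checked against.
/// A post_logout_redirect_uri that is present must be an absolute URI registered for that client;
/// a value that does not parse is rejected rather than silently dropped.
/// </remarks>
/// <param name="parameters">Raw request parameters; read for id_token_hint, post_logout_redirect_uri and state.</param>
/// <param name="subject">The currently signed-in user. An unauthenticated principal makes the request invalid.</param>
/// <returns>The invalid result if any check fails, otherwise the valid result.</returns>
public async Task <ValidationResult> ValidateAsync(NameValueCollection parameters, ClaimsPrincipal subject)
        {
            _validatedRequest.Raw     = parameters;
            _validatedRequest.Subject = subject;

            // An anonymous user has no session to end; none of the parameters are evaluated.
            // NOTE(review): subject.Identity is dereferenced without a null check - confirm callers
            // never pass a principal without an identity.
            if (!subject.Identity.IsAuthenticated)
            {
                return Invalid();
            }

            var idTokenHint = parameters.Get(Constants.EndSessionRequest.IdTokenHint);
            if (!idTokenHint.IsPresent())
            {
                return Valid();
            }

            // The token's lifetime is deliberately not checked (third argument): an expired
            // id_token is still acceptable as a hint identifying the client.
            var tokenValidationResult = await _tokenValidator.ValidateIdentityTokenAsync(idTokenHint, null, false);
            if (tokenValidationResult.IsError)
            {
                return Invalid();
            }

            _validatedRequest.Client = tokenValidationResult.Client;

            // The hint must have been issued for the user who is signed in now; otherwise a token
            // obtained for one user could be used to drive another user's logout. A hint without a
            // sub claim skips this check.
            var subClaim = tokenValidationResult.Claims.FirstOrDefault(c => c.Type == Constants.ClaimTypes.Subject);
            if (subClaim != null && subject.GetSubjectId() != subClaim.Value)
            {
                return Invalid();
            }

            var redirectUri = parameters.Get(Constants.EndSessionRequest.PostLogoutRedirectUri);
            if (redirectUri.IsPresent())
            {
                // Only an absolute URI that the client has pre-registered may be redirected to.
                // A value that does not parse as an absolute URI fails the request, so a malformed
                // redirect cannot leave the request valid with no target.
                Uri uri;
                if (!Uri.TryCreate(redirectUri, UriKind.Absolute, out uri)
                    || !_validatedRequest.Client.PostLogoutRedirectUris.Contains(uri))
                {
                    return Invalid();
                }

                _validatedRequest.PostLogOutUri = uri;

                // state is only carried along when there is a redirect to carry it to.
                var state = parameters.Get(Constants.EndSessionRequest.State);
                if (state.IsPresent())
                {
                    _validatedRequest.State = state;
                }
            }

            return Valid();
        }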
        /// <summary>
        /// Validates an end session (logout) request for the signed-in user, binding it to the client
        /// named by the id_token_hint and checking the requested post-logout redirect against that client.
        /// </summary>
        /// <param name="parameters">Raw request parameters; read for id_token_hint, post_logout_redirect_uri and state.</param>
        /// <param name="subject">The currently signed-in user; an anonymous user is rejected.</param>
        /// <returns>The valid result when every check passes, otherwise the invalid result.</returns>
        public async Task <ValidationResult> ValidateAsync(NameValueCollection parameters, ClaimsPrincipal subject)
        {
            Logger.Info("Start end session request validation");

            _validatedRequest.Raw = parameters;
            _validatedRequest.Subject = subject;

            // Nothing to validate for a user who is not signed in.
            // NOTE(review): subject.Identity is dereferenced without a null check - confirm callers
            // never pass a principal without an identity.
            if (subject.Identity.IsAuthenticated == false)
            {
                Logger.Warn("User is anonymous. Ignoring end session parameters");
                return Invalid();
            }

            var hint = parameters.Get(Constants.EndSessionRequest.IdTokenHint);
            if (!hint.IsPresent())
            {
                // No hint means no client to check a redirect against, so the remaining
                // parameters are not inspected and the request passes as-is.
                LogSuccess();
                return Valid();
            }

            // Lifetime is intentionally not checked (third argument): an expired id_token is still
            // acceptable as a hint identifying the client.
            var tokenResult = await _tokenValidator.ValidateIdentityTokenAsync(hint, null, false);
            if (tokenResult.IsError)
            {
                LogError("Error validating id token hint.");
                return Invalid();
            }

            _validatedRequest.Client = tokenResult.Client;

            // The hint must have been issued for the user who is signed in now. A hint carrying
            // no sub claim skips this check.
            var subjectClaim = tokenResult.Claims.FirstOrDefault(c => c.Type == Constants.ClaimTypes.Subject);
            if (subjectClaim != null && subjectClaim.Value != subject.GetSubjectId())
            {
                LogError("Current user does not match identity token");
                return Invalid();
            }

            var postLogoutUri = parameters.Get(Constants.EndSessionRequest.PostLogoutRedirectUri);
            if (postLogoutUri.IsPresent())
            {
                // Recorded before it is checked; a value the URI validator rejects still fails the request below.
                _validatedRequest.PostLogOutUri = postLogoutUri;

                var uriAllowed = await _uriValidator.IsPostLogoutRedirectUriValidAsync(postLogoutUri, _validatedRequest.Client);
                if (!uriAllowed)
                {
                    LogError("Invalid post logout URI");
                    return Invalid();
                }

                // state is only carried along when there is a redirect to carry it to.
                var stateValue = parameters.Get(Constants.EndSessionRequest.State);
                if (stateValue.IsPresent())
                {
                    _validatedRequest.State = stateValue;
                }
            }

            LogSuccess();
            return Valid();
        }