/// <summary>
/// Represents an event called for each request to the authorization endpoint
/// to determine if the request is valid and should continue.
/// </summary>
/// <param name="context">The context instance associated with this event.</param>
public override async Task ValidateAuthorizationRequest(ValidateAuthorizationRequestContext context)
{
// Note: the OpenID Connect server middleware supports the authorization code, implicit and hybrid flows
// but this authorization provider only accepts response_type=code authorization/authentication requests.
// You may consider relaxing it to support the implicit or hybrid flows. In this case, consider adding
// checks rejecting implicit/hybrid authorization requests when the client is a confidential application.
if (!context.Request.IsAuthorizationCodeFlow())
{
context.Reject(
error: OpenIdConnectConstants.Errors.UnsupportedResponseType,
description: "Only the authorization code flow is supported by this authorization server.");
return;
}
// Note: to support custom response modes, the OpenID Connect server middleware doesn't
// reject unknown modes before the ApplyAuthorizationResponse event is invoked.
// To ensure invalid modes are rejected early enough, a check is made here.
if (!context.Request.ResponseMode.IsNullOrWhiteSpace() && !context.Request.IsFormPostResponseMode() &&
!context.Request.IsFragmentResponseMode() && !context.Request.IsQueryResponseMode())
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidRequest,
description: "The specified 'response_mode' is unsupported.");
return;
}
// Retrieve the application details corresponding to the requested client_id.
var rockContext = new RockContext();
var authClientService = new AuthClientService(rockContext);
var authClient = await authClientService.GetByClientIdAsync(context.ClientId);
if (authClient == null)
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidClient,
description: "The specified client identifier is invalid.");
return;
}
if (!context.RedirectUri.IsNullOrWhiteSpace() &&
!string.Equals(context.RedirectUri, authClient.RedirectUri, StringComparison.OrdinalIgnoreCase))
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidClient,
description: "The specified 'redirect_uri' is invalid.");
return;
}
context.Validate(authClient.RedirectUri);
}
/// <summary>
/// Gets the authentication client.
/// </summary>
/// <returns></returns>
private async Task <AuthClient> GetAuthClient()
{
if (_authClient == null)
{
var rockContext = new RockContext();
var authClientService = new AuthClientService(rockContext);
var authClientId = PageParameter(PageParamKey.ClientId);
_authClient = await authClientService.GetByClientIdAsync(authClientId);
}
return(_authClient);
}