public async Task <bool> Handle(AuthenticateInstruction authenticateInstruction, OAuthClient client, string expectedIssuer)
{
if (authenticateInstruction == null)
{
throw new ArgumentNullException(nameof(authenticateInstruction));
}
if (client == null)
{
throw new ArgumentNullException(nameof(client));
}
if (client.Secrets == null)
{
throw new ArgumentNullException(nameof(client.Secrets));
}
var clientSecret = client.Secrets.FirstOrDefault(s => s.Type == ClientSecretTypes.SharedSecret);
if (clientSecret == null)
{
throw new OAuthException(ErrorCodes.INVALID_CLIENT_AUTH, ErrorMessages.NO_CLIENT_SECRET);
}
var clientAssertion = authenticateInstruction.ClientAssertion;
var isJweToken = _jwtParser.IsJweToken(clientAssertion);
if (!isJweToken)
{
throw new OAuthException(ErrorCodes.INVALID_CLIENT_AUTH, ErrorMessages.BAD_CLIENT_ASSERTION_FORMAT);
}
var clientId = authenticateInstruction.ClientIdFromHttpRequestBody;
var jws = await _jwtParser.Decrypt(clientAssertion, clientId, clientSecret.Value).ConfigureAwait(false);
if (string.IsNullOrWhiteSpace(jws))
{
throw new OAuthException(ErrorCodes.INVALID_CLIENT_AUTH, ErrorMessages.BAD_CLIENT_ASSERTION_DECRYPTION);
}
var isJwsToken = _jwtParser.IsJwsToken(jws);
if (!isJwsToken)
{
throw new OAuthException(ErrorCodes.INVALID_CLIENT_AUTH, ErrorMessages.BAD_CLIENT_ASSERTION_FORMAT);
}
var payload = await _jwtParser.Unsign(clientAssertion, clientId).ConfigureAwait(false);
if (payload == null)
{
throw new OAuthException(ErrorCodes.INVALID_CLIENT_AUTH, ErrorMessages.BAD_CLIENT_ASSERTION_SIGNATURE);
}
return(ValidateJwsPayLoad(payload, expectedIssuer));
}
public async Task <bool> Handle(AuthenticateInstruction authenticateInstruction, BaseClient client, string expectedIssuer, CancellationToken cancellationToken, string errorCode = ErrorCodes.INVALID_CLIENT)
{
if (authenticateInstruction == null)
{
throw new ArgumentNullException(nameof(authenticateInstruction));
}
if (client == null)
{
throw new ArgumentNullException(nameof(client));
}
if (string.IsNullOrWhiteSpace(client.ClientSecret))
{
throw new OAuthException(errorCode, ErrorMessages.NO_CLIENT_SECRET);
}
var clientAssertion = authenticateInstruction.ClientAssertion;
var isJweToken = _jwtParser.IsJweToken(clientAssertion);
if (!isJweToken)
{
throw new OAuthException(errorCode, ErrorMessages.BAD_CLIENT_ASSERTION_FORMAT);
}
var clientId = authenticateInstruction.ClientIdFromHttpRequestBody;
var jws = await _jwtParser.Decrypt(clientAssertion, clientId, client.ClientSecret, cancellationToken);
if (string.IsNullOrWhiteSpace(jws))
{
throw new OAuthException(errorCode, ErrorMessages.BAD_CLIENT_ASSERTION_DECRYPTION);
}
var isJwsToken = _jwtParser.IsJwsToken(jws);
if (!isJwsToken)
{
throw new OAuthException(errorCode, ErrorMessages.BAD_CLIENT_ASSERTION_FORMAT);
}
JwsPayload payload = await _jwtParser.Unsign(clientAssertion, clientId, cancellationToken, errorCode);
if (payload == null)
{
throw new OAuthException(errorCode, ErrorMessages.BAD_CLIENT_ASSERTION_SIGNATURE);
}
return(ValidateJwsPayLoad(payload, expectedIssuer, errorCode));
}
private async Task <JwsPayload> Extract(string accessToken)
{
var isJwe = _jwtParser.IsJweToken(accessToken);
var isJws = _jwtParser.IsJwsToken(accessToken);
if (!isJwe && !isJws)
{
return(null);
}
var jws = accessToken;
if (isJwe)
{
jws = await _jwtParser.Decrypt(accessToken);
}
return(await _jwtParser.Unsign(jws));
}
protected async Task <JwsPayload> ExtractHint(string tokenHint, CancellationToken cancellationToken)
{
if (!_jwtParser.IsJwsToken(tokenHint) && !_jwtParser.IsJweToken(tokenHint))
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_IDTOKENHINT);
}
if (_jwtParser.IsJweToken(tokenHint))
{
tokenHint = await _jwtParser.Decrypt(tokenHint, cancellationToken);
if (string.IsNullOrWhiteSpace(tokenHint))
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_IDTOKENHINT);
}
}
return(await _jwtParser.Unsign(tokenHint, cancellationToken));
}
public virtual async Task <RequestObjectValidatorResult> Validate(string request, BaseClient oauthClient, CancellationToken cancellationToken, string errorCode = ErrorCodes.INVALID_REQUEST_OBJECT)
{
if (!_jwtParser.IsJwsToken(request) && !_jwtParser.IsJweToken(request))
{
throw new OAuthException(errorCode, ErrorMessages.INVALID_REQUEST_PARAMETER);
}
var jws = request;
if (_jwtParser.IsJweToken(request))
{
jws = await _jwtParser.Decrypt(jws, cancellationToken);
if (string.IsNullOrWhiteSpace(jws))
{
throw new OAuthException(errorCode, ErrorMessages.INVALID_JWE_REQUEST_PARAMETER);
}
}
JwsHeader header = null;
try
{
header = _jwtParser.ExtractJwsHeader(jws);
}
catch (InvalidOperationException)
{
throw new OAuthException(errorCode, ErrorMessages.INVALID_JWS_REQUEST_PARAMETER);
}
JwsPayload jwsPayload;
try
{
jwsPayload = await _jwtParser.Unsign(jws, oauthClient, errorCode);
}
catch (JwtException ex)
{
throw new OAuthException(errorCode, ex.Message);
}
return(new RequestObjectValidatorResult(jwsPayload, header));
}
private async Task <JwsPayload> ExtractPATTokenPayload(CancellationToken cancellationToken)
{
var token = ExtractAuthorizationValue();
if (string.IsNullOrWhiteSpace(token))
{
return(null);
}
var isJweToken = _jwtParser.IsJweToken(token);
var isJwsToken = _jwtParser.IsJwsToken(token);
if (isJweToken && isJwsToken)
{
return(null);
}
if (isJweToken)
{
token = await _jwtParser.Decrypt(token, cancellationToken);
}
return(await _jwtParser.Unsign(token, cancellationToken));
}
protected async Task <bool> CheckRequest(HandlerContext context, string request)
{
var openidClient = (OpenIdClient)context.Client;
if (!_jwtParser.IsJwsToken(request) && !_jwtParser.IsJweToken(request))
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_REQUEST_PARAMETER);
}
var jws = request;
if (_jwtParser.IsJweToken(request))
{
jws = await _jwtParser.Decrypt(jws);
if (string.IsNullOrWhiteSpace(jws))
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_JWE_REQUEST_PARAMETER);
}
}
JwsHeader header = null;
try
{
header = _jwtParser.ExtractJwsHeader(jws);
}
catch (InvalidOperationException)
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_JWS_REQUEST_PARAMETER);
}
if (
(!string.IsNullOrWhiteSpace(openidClient.RequestObjectSigningAlg) && header.Alg != openidClient.RequestObjectSigningAlg) ||
(string.IsNullOrWhiteSpace(openidClient.RequestObjectSigningAlg) && header.Alg != NoneSignHandler.ALG_NAME)
)
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_SIGNATURE_ALG);
}
var jwsPayload = await _jwtParser.Unsign(jws, context.Client);
if (jwsPayload == null)
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_JWS_REQUEST_PARAMETER);
}
if (!jwsPayload.ContainsKey(OAuth.DTOs.AuthorizationRequestParameters.ResponseType))
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.MISSING_RESPONSE_TYPE_CLAIM);
}
if (!jwsPayload.ContainsKey(OAuth.DTOs.AuthorizationRequestParameters.ClientId))
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.MISSING_CLIENT_ID_CLAIM);
}
if (!jwsPayload[OAuth.DTOs.AuthorizationRequestParameters.ResponseType].ToString().Split(' ').OrderBy(s => s).SequenceEqual(context.Request.Data.GetResponseTypesFromAuthorizationRequest()))
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_RESPONSE_TYPE_CLAIM);
}
if (jwsPayload[OAuth.DTOs.AuthorizationRequestParameters.ClientId].ToString() != context.Client.ClientId)
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_CLIENT_ID_CLAIM);
}
context.Request.SetData(JObject.FromObject(jwsPayload));
return(true);
}