private async Task _validateClientCredentialsTokenRequest(ValidateTokenRequestContext context) { // TODO increment user rate limit (nb this increment only happens in Validate) authservice = context.HttpContext.RequestServices.GetRequiredService <IValidateAuthorizationService>(); if (authservice == null) { context.Reject(OpenIdConnectConstants.Errors.ServerError, "Failed to validate this authorization request"); return; } if (String.IsNullOrWhiteSpace(context.ClientId)) { context.Reject( error: OpenIdConnectConstants.Errors.InvalidClient, description: "Missing credentials: ensure that you specified a client_id."); return; } else if (String.IsNullOrWhiteSpace(context.ClientSecret)) { context.Reject( error: OpenIdConnectConstants.Errors.InvalidClient, description: "Missing credentials: ensure that you specified a client_secret."); return; } else if (!(await authservice.CheckClientIdExists(context.ClientId))) { context.Reject(error: OpenIdConnectConstants.Errors.InvalidClient, description: "Supplied Client Id was not a valid application Client Id."); return; } else if (!(await authservice.CheckSecretMatchesId(context.ClientId, context.ClientSecret))) { context.Reject(error: OpenIdConnectConstants.Errors.InvalidRequest, description: "Supplied Secret was not correct for the Client Id."); return; } context.Validate(); }
private async Task _validateRefreshTokenRequest(ValidateTokenRequestContext context) { authservice = context.HttpContext.RequestServices.GetRequiredService <IValidateAuthorizationService>(); if (authservice == null) { context.Reject(OpenIdConnectConstants.Errors.ServerError, "Failed to validate this authorization request"); return; } IRateLimitService rls = context.HttpContext.RequestServices.GetRequiredService <IRateLimitService>(); if (rls == null) { context.Reject(OpenIdConnectConstants.Errors.ServerError, "Failed to validate this authorization request"); return; } // TODO increment user rate limit (nb this increment only happens in Validate) if (String.IsNullOrWhiteSpace(context.Request.RefreshToken)) { context.Reject( error: OpenIdConnectConstants.Errors.InvalidRequest, description: "Missing parameter: ensure that you specified a refresh_token."); } AuthenticateResult ar = await context.HttpContext.AuthenticateAsync(OpenIdConnectServerDefaults.AuthenticationScheme); AuthenticationTicket at = ar.Ticket; if (ar == null) { context.Reject(); return; } else if (ar.Principal == null) { context.Reject(error: OpenIdConnectConstants.Errors.InvalidRequest, description: "Supplied refresh token was not valid"); return; } else if (ar.Principal.Identity == null) { context.Reject(); return; } else if (!ar.Principal.Identity.IsAuthenticated) { context.Reject(); return; } /** here we do the legwork of validating that: * the client application still exists, * the supplied secret still matches, * the user's refresh and access tokens haven't been revoked, * the user isn't rate limited */ List <Claim> claims = ar.Principal.Claims.ToList(); var gtype = claims.Find(x => x.Type == "grant_type"); var userid = claims.Find(x => x.Type == "sub"); var clientSecret = context.ClientSecret; if (gtype == null || string.IsNullOrWhiteSpace(gtype.Value)) { context.Reject(); } if (userid == null || string.IsNullOrWhiteSpace(userid.Value)) { context.Reject(); } if (!await authservice.CheckClientIdExists(context.ClientId)) { context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "The supplied client id no longer exists."); return; } else if (!await authservice.CheckSecretMatchesId(context.ClientId, context.ClientSecret)) { context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "The supplied client secret is no longer valid."); return; } else if (!await authservice.CheckTokenNotRevoked(gtype.Value, context.Request.RefreshToken)) { context.Reject(OpenIdConnectConstants.Errors.AccessDenied, "The supplied token has been revoked. Please re-authenticate."); } //TODO come back to this - rls is no longer our preferred service. _mc.RateLimits should be our goto else if (!(await rls.UserWithinRateLimit(userid.Value)) && !(await rls.UserWithinAppRateLimit(context.ClientId, userid.Value, gtype.Value))) { context.Reject(RateLimits.RateLimitExceededError, RateLimits.RateLimitExceededErrorDescription); return; } await rls.IncrementUserAPICallCount(userid.Value, context.ClientId); context.Validate(); }