/// <inheritdoc/>
/// <remarks>
/// Collects the distinct scope names from <c>request.ParsedScopeValues</c>, loads the
/// matching resources with a single <c>FindEnabledResourcesByScopeAsync</c> call, and
/// then runs <c>ValidateScopeAsync</c> for every requested scope in order. The outcome
/// is all-or-nothing: if any scope ends up in <c>InvalidScopes</c>, every accepted
/// resource and parsed scope is removed from the result before it is returned.
/// </remarks>
/// <exception cref="ArgumentNullException"><paramref name="request"/> is null.</exception>
public virtual async Task<ResourceValidationResult> ValidateRequestedResourcesAsync(ResourceValidationRequest request)
{
    if (request is null)
    {
        throw new ArgumentNullException(nameof(request));
    }

    // One store round-trip for all distinct names; per-scope checks happen below.
    var distinctNames = request.ParsedScopeValues
        .Select(scope => scope.Name)
        .Distinct()
        .ToArray();
    var storedResources = await _store.FindEnabledResourcesByScopeAsync(distinctNames);

    var outcome = new ResourceValidationResult();
    foreach (var requested in request.ParsedScopeValues)
    {
        await ValidateScopeAsync(request.Client, storedResources, requested, outcome);
    }

    // A single rejected scope discards everything that was accepted.
    if (outcome.InvalidScopes.Count > 0)
    {
        outcome.Resources.IdentityResources.Clear();
        outcome.Resources.ApiResources.Clear();
        outcome.Resources.ApiScopes.Clear();
        outcome.ParsedScopes.Clear();
    }

    return outcome;
}
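/// <inheritdoc/>
/// <remarks>
/// Short-circuits the base validation when the incoming form carries a <c>token</c>
/// (or, failing that, a <c>refresh_token</c>) whose value starts with <c>1_</c>: the
/// requested scopes are only parsed, never resolved against the store or checked against
/// the client's permissions, and parse errors are not reported.
/// NOTE(review): the prefix is read straight from the request form, i.e. it is
/// caller-supplied input. Confirm that the token itself has been verified before this
/// method runs; otherwise any caller can skip resource/scope authorization by sending a
/// value that merely starts with <c>1_</c>.
/// </remarks>
/// <exception cref="ArgumentNullException"><paramref name="request"/> is null.</exception>
public override async Task<ResourceValidationResult> ValidateRequestedResourcesAsync(ResourceValidationRequest request)
{
    // Validate the argument before touching the request form, so the exception is the
    // same regardless of what the form contains.
    if (request == null)
    {
        throw new ArgumentNullException(nameof(request));
    }

    var form = _scopedHttpContextRequestForm.GetFormCollection();
    var token = form["token"];
    if (string.IsNullOrWhiteSpace(token))
    {
        token = form["refresh_token"];
    }

    // Ordinal comparison: the prefix is a machine identifier, not linguistic text, so a
    // culture-sensitive StartsWith is both slower and potentially wrong.
    if (!string.IsNullOrWhiteSpace(token) && token.StartsWith("1_", StringComparison.Ordinal))
    {
        // Per the original author this token has already been validated; only the scope
        // values are parsed here. A failed parse (parsed.Succeeded == false) is silently
        // passed through as whatever ParsedScopes contains, exactly as before.
        var parsed = _scopeParser.ParseScopeValues(request.Scopes);
        return new ResourceValidationResult
        {
            ParsedScopes = parsed.ParsedScopes,
        };
    }

    return await base.ValidateRequestedResourcesAsync(request);
}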
/// <inheritdoc/>
/// <remarks>
/// Parses the raw scope strings first; a parse failure short-circuits with every
/// offending raw value logged and reported in <c>InvalidScopes</c>, without any store
/// lookup. Otherwise the distinct parsed names are loaded from the store in one call,
/// each parsed scope is checked via <c>ValidateScopeAsync</c>, and a single rejected
/// scope empties all accepted resources and parsed scopes (all-or-nothing).
/// </remarks>
/// <exception cref="ArgumentNullException"><paramref name="request"/> is null.</exception>
public virtual async Task<ResourceValidationResult> ValidateRequestedResourcesAsync(ResourceValidationRequest request)
{
    if (request is null)
    {
        throw new ArgumentNullException(nameof(request));
    }

    var outcome = new ResourceValidationResult();
    var parsed = _scopeParser.ParseScopeValues(request.Scopes);

    if (!parsed.Succeeded)
    {
        foreach (var failure in parsed.Errors)
        {
            _logger.LogError("Invalid parsed scope {scope}, message: {error}", failure.RawValue, failure.Error);
            outcome.InvalidScopes.Add(failure.RawValue);
        }

        return outcome;
    }

    var names = parsed.ParsedScopes
        .Select(scope => scope.ParsedName)
        .Distinct()
        .ToArray();
    var stored = await _store.FindEnabledResourcesByScopeAsync(names);

    foreach (var scope in parsed.ParsedScopes)
    {
        await ValidateScopeAsync(request.Client, stored, scope, outcome);
    }

    if (outcome.InvalidScopes.Count > 0)
    {
        DiscardAccepted(outcome);
    }

    return outcome;

    // Any rejected scope invalidates the whole request: drop everything accepted so far.
    void DiscardAccepted(ResourceValidationResult r)
    {
        r.Resources.IdentityResources.Clear();
        r.Resources.ApiResources.Clear();
        r.Resources.ApiScopes.Clear();
        r.ParsedScopes.Clear();
    }
}
/// <summary>
/// Checks a single requested scope against the resources loaded from the store and
/// against what the client is permitted to request, recording the outcome on
/// <paramref name="result"/>.
/// </summary>
/// <remarks>
/// Resolution order: <c>offline_access</c> (a per-client capability, not a stored
/// resource), then an identity resource with that name, then an API scope with that
/// name. An unknown name is logged and rejected. Rejections are recorded as the raw
/// <c>Value</c> of the scope, except for <c>offline_access</c> which is recorded by name.
/// </remarks>
/// <param name="client">The client making the request.</param>
/// <param name="resourcesFromStore">Resources loaded from the store for the requested scope names.</param>
/// <param name="requestedScope">The parsed scope value under validation.</param>
/// <param name="result">Receives either the accepted scope and its resources, or the rejected scope value.</param>
/// <returns>A task that completes once <paramref name="result"/> has been updated.</returns>
protected virtual async Task ValidateScopeAsync(
    Client client,
    Resources resourcesFromStore,
    ParsedScopeValue requestedScope,
    ResourceValidationResult result)
{
    var name = requestedScope.Name;

    if (name == IdentityServerConstants.StandardScopes.OfflineAccess)
    {
        if (await IsClientAllowedOfflineAccessAsync(client))
        {
            result.Resources.OfflineAccess = true;
            result.ParsedScopes.Add(new ParsedScopeValue(IdentityServerConstants.StandardScopes.OfflineAccess));
        }
        else
        {
            result.InvalidScopes.Add(IdentityServerConstants.StandardScopes.OfflineAccess);
        }

        return;
    }

    var identityResource = resourcesFromStore.FindIdentityResourcesByScope(name);
    if (identityResource != null)
    {
        if (await IsClientAllowedIdentityResourceAsync(client, identityResource))
        {
            result.ParsedScopes.Add(requestedScope);
            result.Resources.IdentityResources.Add(identityResource);
        }
        else
        {
            result.InvalidScopes.Add(requestedScope.Value);
        }

        return;
    }

    var apiScope = resourcesFromStore.FindApiScope(name);
    if (apiScope == null)
    {
        _logger.LogError("Scope {scope} not found in store.", name);
        result.InvalidScopes.Add(requestedScope.Value);
        return;
    }

    if (!await IsClientAllowedApiScopeAsync(client, apiScope))
    {
        result.InvalidScopes.Add(requestedScope.Value);
        return;
    }

    result.ParsedScopes.Add(requestedScope);
    result.Resources.ApiScopes.Add(apiScope);

    // Every API resource that exposes this scope is granted together with it.
    foreach (var api in resourcesFromStore.FindApiResourcesByScope(apiScope.Name))
    {
        result.Resources.ApiResources.Add(api);
    }
}
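/// <summary>
/// Validates one requested scope. For the device, token-exchange and "arbitrary" grant
/// types the scope is accepted without consulting the store or the client's allowed
/// scopes; only <c>offline_access</c> still goes through the client check. Every other
/// grant type defers to the base implementation.
/// </summary>
/// <remarks>
/// The grant type is taken from the <c>grant_type</c> form field; when it is absent and
/// the request path contains <c>deviceauthorization</c>, the device-authorization grant
/// is assumed.
/// NOTE(review): on the short-circuit path every caller-supplied scope value is added to
/// <c>result.ParsedScopes</c> unchecked. Confirm that a later stage enforces the client's
/// allowed scopes for these grant types; otherwise this path lets a client obtain scopes
/// it was never configured for.
/// </remarks>
/// <param name="client">The client making the request.</param>
/// <param name="resourcesFromStore">Resources loaded from the store for the requested scope names.</param>
/// <param name="requestedScope">The parsed scope value under validation.</param>
/// <param name="result">Receives either the accepted scope and its resources, or the rejected scope value.</param>
/// <returns>A task that completes once <paramref name="result"/> has been updated.</returns>
protected override async Task ValidateScopeAsync(Client client, Resources resourcesFromStore, ParsedScopeValue requestedScope, ResourceValidationResult result)
{
    var parameters = await _scopedHttpContextRequestForm.GetFormCollectionAsync();
    var grantType = parameters.Get(OidcConstants.TokenRequest.GrantType);

    if (grantType == null)
    {
        // The device authorization endpoint carries no grant_type field, so infer it from
        // the path. HttpContext is null outside a request pipeline; the previous code
        // dereferenced it unconditionally, which would throw NullReferenceException.
        var path = _httpContextAccessor.HttpContext?.Request.Path.ToString();
        if (path != null && path.Contains("deviceauthorization"))
        {
            grantType = Constants.GrantType.DeviceAuthorization;
        }
    }

    switch (grantType)
    {
        case Constants.GrantType.DeviceCode:
        case Constants.GrantType.DeviceAuthorization:
        case Constants.GrantType.TokenExchangeMutate:
        case Constants.GrantType.TokenExchange:
        case Constants.GrantType.ArbitraryToken:
        case Constants.GrantType.ArbitraryIdentity:
            if (requestedScope.ParsedName == IdentityServerConstants.StandardScopes.OfflineAccess)
            {
                // offline_access remains gated on the client's configuration.
                if (await IsClientAllowedOfflineAccessAsync(client))
                {
                    result.Resources.OfflineAccess = true;
                    result.ParsedScopes.Add(new ParsedScopeValue(IdentityServerConstants.StandardScopes.OfflineAccess));
                }
                else
                {
                    result.InvalidScopes.Add(IdentityServerConstants.StandardScopes.OfflineAccess);
                }
            }
            else
            {
                // Accepted as-is: no store lookup and no client allowed-scope check here.
                result.ParsedScopes.Add(requestedScope);
            }

            break;

        default:
            await base.ValidateScopeAsync(client, resourcesFromStore, requestedScope, result);
            break;
    }
}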