public AuthenticationResult(Core.Common.Models.Client client, string errorMessage)
{
Client = client;
ErrorMessage = errorMessage;
}
public async Task <bool> UpdateAsync(Core.Common.Models.Client client)
{
using (var translation = _context.Database.BeginTransaction())
{
try
{
var grantTypes = client.GrantTypes == null
? string.Empty
: ConcatListOfIntegers(client.GrantTypes.Select(k => (int)k).ToList());
var responseTypes = client.ResponseTypes == null
? string.Empty
: ConcatListOfIntegers(client.ResponseTypes.Select(r => (int)r).ToList());
var connectedClient = await _context.Clients
.Include(c => c.ClientScopes)
.FirstOrDefaultAsync(c => c.ClientId == client.ClientId)
.ConfigureAwait(false);
connectedClient.ClientName = client.ClientName;
connectedClient.ClientUri = client.ClientUri;
connectedClient.Contacts = ConcatListOfStrings(client.Contacts);
connectedClient.DefaultAcrValues = client.DefaultAcrValues;
connectedClient.DefaultMaxAge = client.DefaultMaxAge;
connectedClient.GrantTypes = grantTypes;
connectedClient.IdTokenEncryptedResponseAlg = client.IdTokenEncryptedResponseAlg;
connectedClient.IdTokenEncryptedResponseEnc = client.IdTokenEncryptedResponseEnc;
connectedClient.IdTokenSignedResponseAlg = client.IdTokenSignedResponseAlg;
connectedClient.InitiateLoginUri = client.InitiateLoginUri;
connectedClient.JwksUri = client.JwksUri;
connectedClient.LogoUri = client.LogoUri;
connectedClient.PolicyUri = client.PolicyUri;
connectedClient.RedirectionUrls = ConcatListOfStrings(client.RedirectionUrls);
connectedClient.RequestObjectEncryptionAlg = client.RequestObjectEncryptionAlg;
connectedClient.RequestObjectEncryptionEnc = client.RequestObjectEncryptionEnc;
connectedClient.RequestObjectSigningAlg = client.RequestObjectSigningAlg;
connectedClient.RequestUris = ConcatListOfStrings(client.RequestUris);
connectedClient.PostLogoutRedirectUris = ConcatListOfStrings(client.PostLogoutRedirectUris);
connectedClient.RequireAuthTime = client.RequireAuthTime;
connectedClient.ResponseTypes = responseTypes;
connectedClient.SectorIdentifierUri = client.SectorIdentifierUri;
connectedClient.SubjectType = client.SubjectType;
connectedClient.TokenEndPointAuthMethod = (TokenEndPointAuthenticationMethods)client.TokenEndPointAuthMethod;
connectedClient.TokenEndPointAuthSigningAlg = client.TokenEndPointAuthSigningAlg;
connectedClient.TosUri = client.TosUri;
connectedClient.UserInfoEncryptedResponseAlg = client.UserInfoEncryptedResponseAlg;
connectedClient.UserInfoEncryptedResponseEnc = client.UserInfoEncryptedResponseEnc;
connectedClient.UserInfoSignedResponseAlg = client.UserInfoSignedResponseAlg;
connectedClient.ScimProfile = client.ScimProfile;
connectedClient.UpdateDateTime = DateTime.UtcNow;
var scopesNotToBeDeleted = new List <string>();
if (client.AllowedScopes != null)
{
foreach (var scope in client.AllowedScopes)
{
var record = connectedClient.ClientScopes.FirstOrDefault(c => c.ScopeName == scope.Name);
if (record == null)
{
record = new ClientScope
{
ClientId = connectedClient.ClientId,
ScopeName = scope.Name
};
connectedClient.ClientScopes.Add(record);
}
scopesNotToBeDeleted.Add(record.ScopeName);
}
}
var scopeNames = connectedClient.ClientScopes.Select(o => o.ScopeName).ToList();
foreach (var scopeName in scopeNames.Where(id => !scopesNotToBeDeleted.Contains(id)))
{
connectedClient.ClientScopes.Remove(connectedClient.ClientScopes.First(s => s.ScopeName == scopeName));
}
await _context.SaveChangesAsync();
translation.Commit();
}
catch (Exception ex)
{
_managerEventSource.Failure(ex);
translation.Rollback();
return(false);
}
}
return(true);
}
public async Task <bool> InsertAsync(Core.Common.Models.Client client)
{
using (var transaction = _context.Database.BeginTransaction())
{
try
{
var scopes = new List <ClientScope>();
var jsonWebKeys = new List <JsonWebKey>();
var clientSecrets = new List <ClientSecret>();
var grantTypes = client.GrantTypes == null
? string.Empty
: ConcatListOfIntegers(client.GrantTypes.Select(k => (int)k).ToList());
var responseTypes = client.ResponseTypes == null
? string.Empty
: ConcatListOfIntegers(client.ResponseTypes.Select(r => (int)r).ToList());
if (client.AllowedScopes != null)
{
var scopeNames = client.AllowedScopes.Select(s => s.Name).ToList();
scopes = _context.Scopes.Where(s => scopeNames.Contains(s.Name))
.Select(s => new ClientScope {
ScopeName = s.Name
})
.ToList();
}
if (client.JsonWebKeys != null)
{
client.JsonWebKeys.ForEach(jsonWebKey =>
{
var jsonWebKeyRecord = new JsonWebKey
{
Kid = jsonWebKey.Kid,
Use = (Use)jsonWebKey.Use,
Kty = (KeyType)jsonWebKey.Kty,
SerializedKey = jsonWebKey.SerializedKey,
X5t = jsonWebKey.X5t,
X5tS256 = jsonWebKey.X5tS256,
X5u = jsonWebKey.X5u == null ? string.Empty : jsonWebKey.X5u.AbsoluteUri,
Alg = (AllAlg)jsonWebKey.Alg,
KeyOps = jsonWebKey.KeyOps == null ? string.Empty : ConcatListOfIntegers(jsonWebKey.KeyOps.Select(k => (int)k).ToList())
};
jsonWebKeys.Add(jsonWebKeyRecord);
});
}
if (client.Secrets != null)
{
foreach (var secret in client.Secrets)
{
clientSecrets.Add(new ClientSecret
{
Id = Guid.NewGuid().ToString(),
ClientId = client.ClientId,
Type = (SecretTypes)secret.Type,
Value = secret.Value
});
}
}
var newClient = new Models.Client
{
ClientId = client.ClientId,
ClientName = client.ClientName,
ClientUri = client.ClientUri,
IdTokenEncryptedResponseAlg = client.IdTokenEncryptedResponseAlg,
IdTokenEncryptedResponseEnc = client.IdTokenEncryptedResponseEnc,
JwksUri = client.JwksUri,
TosUri = client.TosUri,
LogoUri = client.LogoUri,
PolicyUri = client.PolicyUri,
RequestObjectEncryptionAlg = client.RequestObjectEncryptionAlg,
RequestObjectEncryptionEnc = client.RequestObjectEncryptionEnc,
IdTokenSignedResponseAlg = client.IdTokenSignedResponseAlg,
RequireAuthTime = client.RequireAuthTime,
SectorIdentifierUri = client.SectorIdentifierUri,
SubjectType = client.SubjectType,
TokenEndPointAuthSigningAlg = client.TokenEndPointAuthSigningAlg,
UserInfoEncryptedResponseAlg = client.UserInfoEncryptedResponseAlg,
UserInfoSignedResponseAlg = client.UserInfoSignedResponseAlg,
UserInfoEncryptedResponseEnc = client.UserInfoEncryptedResponseEnc,
DefaultMaxAge = client.DefaultMaxAge,
DefaultAcrValues = client.DefaultAcrValues,
InitiateLoginUri = client.InitiateLoginUri,
RequestObjectSigningAlg = client.RequestObjectSigningAlg,
TokenEndPointAuthMethod = (Models.TokenEndPointAuthenticationMethods)client.TokenEndPointAuthMethod,
ApplicationType = (Models.ApplicationTypes)client.ApplicationType,
RequestUris = ConcatListOfStrings(client.RequestUris),
RedirectionUrls = ConcatListOfStrings(client.RedirectionUrls),
Contacts = ConcatListOfStrings(client.Contacts),
PostLogoutRedirectUris = ConcatListOfStrings(client.PostLogoutRedirectUris),
ClientScopes = scopes,
JsonWebKeys = jsonWebKeys,
GrantTypes = grantTypes,
ResponseTypes = responseTypes,
ScimProfile = client.ScimProfile,
ClientSecrets = clientSecrets,
CreateDateTime = DateTime.UtcNow,
UpdateDateTime = DateTime.UtcNow
};
_context.Clients.Add(newClient);
await _context.SaveChangesAsync().ConfigureAwait(false);
transaction.Commit();
}
catch (Exception ex)
{
_managerEventSource.Failure(ex);
transaction.Rollback();
return(false);
}
}
return(true);
}
public async Task When_Passing_Registration_Parameter_With_Specific_Values_Then_Client_Is_Returned()
{
// ARRANGE
InitializeFakeObjects();
const string clientName = "client_name";
const string clientUri = "client_uri";
const string policyUri = "policy_uri";
const string tosUri = "tos_uri";
const string jwksUri = "jwks_uri";
const string kid = "kid";
const string sectorIdentifierUri = "sector_identifier_uri";
const double defaultMaxAge = 3;
const string defaultAcrValues = "default_acr_values";
const bool requireAuthTime = false;
const string initiateLoginUri = "initiate_login_uri";
const string requestUri = "request_uri";
var registrationParameter = new RegistrationParameter
{
ClientName = clientName,
ResponseTypes = new List <ResponseType>
{
ResponseType.token
},
GrantTypes = new List <GrantType>
{
GrantType.@implicit
},
ApplicationType = ApplicationTypes.native,
ClientUri = clientUri,
PolicyUri = policyUri,
TosUri = tosUri,
JwksUri = jwksUri,
Jwks = new JsonWebKeySet(),
SectorIdentifierUri = sectorIdentifierUri,
IdTokenSignedResponseAlg = Jwt.Constants.JwsAlgNames.RS256,
IdTokenEncryptedResponseAlg = Jwt.Constants.JweAlgNames.RSA1_5,
IdTokenEncryptedResponseEnc = Jwt.Constants.JweEncNames.A128CBC_HS256,
UserInfoSignedResponseAlg = Jwt.Constants.JwsAlgNames.RS256,
UserInfoEncryptedResponseAlg = Jwt.Constants.JweAlgNames.RSA1_5,
UserInfoEncryptedResponseEnc = Jwt.Constants.JweEncNames.A128CBC_HS256,
RequestObjectSigningAlg = Jwt.Constants.JwsAlgNames.RS256,
RequestObjectEncryptionAlg = Jwt.Constants.JweAlgNames.RSA1_5,
RequestObjectEncryptionEnc = Jwt.Constants.JweEncNames.A128CBC_HS256,
TokenEndPointAuthMethod = "client_secret_post",
TokenEndPointAuthSigningAlg = Jwt.Constants.JwsAlgNames.RS256,
DefaultMaxAge = defaultMaxAge,
DefaultAcrValues = defaultAcrValues,
RequireAuthTime = requireAuthTime,
InitiateLoginUri = initiateLoginUri,
RequestUris = new List <string>
{
requestUri
}
};
var jsonWebKeys = new List <JsonWebKey>
{
new JsonWebKey
{
Kid = kid
}
};
var client = new Core.Common.Models.Client
{
ClientName = clientName,
ResponseTypes = new List <ResponseType>
{
ResponseType.token
},
GrantTypes = new List <GrantType>
{
GrantType.@implicit
},
ApplicationType = ApplicationTypes.native,
ClientUri = clientUri,
PolicyUri = policyUri,
TosUri = tosUri,
JwksUri = jwksUri,
JsonWebKeys = new List <JsonWebKey>(),
SectorIdentifierUri = sectorIdentifierUri,
IdTokenSignedResponseAlg = Jwt.Constants.JwsAlgNames.RS256,
IdTokenEncryptedResponseAlg = Jwt.Constants.JweAlgNames.RSA1_5,
IdTokenEncryptedResponseEnc = Jwt.Constants.JweEncNames.A128CBC_HS256,
UserInfoSignedResponseAlg = Jwt.Constants.JwsAlgNames.RS256,
UserInfoEncryptedResponseAlg = Jwt.Constants.JweAlgNames.RSA1_5,
UserInfoEncryptedResponseEnc = Jwt.Constants.JweEncNames.A128CBC_HS256,
RequestObjectSigningAlg = Jwt.Constants.JwsAlgNames.RS256,
RequestObjectEncryptionAlg = Jwt.Constants.JweAlgNames.RSA1_5,
RequestObjectEncryptionEnc = Jwt.Constants.JweEncNames.A128CBC_HS256,
TokenEndPointAuthMethod = TokenEndPointAuthenticationMethods.client_secret_basic,
TokenEndPointAuthSigningAlg = Jwt.Constants.JwsAlgNames.RS256,
DefaultMaxAge = defaultMaxAge,
DefaultAcrValues = defaultAcrValues,
RequireAuthTime = requireAuthTime,
InitiateLoginUri = initiateLoginUri,
RequestUris = new List <string>
{
requestUri
}
};
_generateClientFromRegistrationRequest.Setup(g => g.Execute(It.IsAny <RegistrationParameter>()))
.Returns(client);
_clientRepositoryFake.Setup(c => c.InsertAsync(It.IsAny <Core.Common.Models.Client>()))
.Callback <Core.Common.Models.Client>(c => client = c)
.Returns(Task.FromResult(true));
// ACT
var result = await _registerClientAction.Execute(registrationParameter);
// ASSERT
_oauthEventSource.Verify(s => s.StartRegistration(clientName));
_clientRepositoryFake.Verify(c => c.InsertAsync(It.IsAny <Core.Common.Models.Client>()));
_oauthEventSource.Verify(s => s.EndRegistration(It.IsAny <string>(), clientName));
Assert.NotEmpty(result.ClientSecret);
Assert.True(client.AllowedScopes.Contains(Constants.StandardScopes.OpenId));
Assert.True(client.AllowedScopes.Contains(Constants.StandardScopes.Address));
Assert.True(client.AllowedScopes.Contains(Constants.StandardScopes.Email));
Assert.True(client.AllowedScopes.Contains(Constants.StandardScopes.Phone));
Assert.True(client.AllowedScopes.Contains(Constants.StandardScopes.ProfileScope));
}
public async Task <ActionResult> Execute(AuthorizationParameter authorizationParameter, IPrincipal principal, Core.Common.Models.Client client, string issuerName)
{
if (authorizationParameter == null)
{
throw new ArgumentNullException(nameof(authorizationParameter));
}
if (client == null)
{
throw new ArgumentNullException(nameof(client));
}
var claimsPrincipal = principal == null ? null : principal as ClaimsPrincipal;
_oAuthEventSource.StartAuthorizationCodeFlow(
authorizationParameter.ClientId,
authorizationParameter.Scope,
authorizationParameter.Claims == null ? string.Empty : authorizationParameter.Claims.ToString());
var result = await _processAuthorizationRequest.ProcessAsync(authorizationParameter, claimsPrincipal, client, issuerName);
if (!_clientValidator.CheckGrantTypes(client, GrantType.authorization_code)) // 1. Check the client is authorized to use the authorization_code flow.
{
throw new IdentityServerExceptionWithState(
ErrorCodes.InvalidRequestCode,
string.Format(ErrorDescriptions.TheClientDoesntSupportTheGrantType,
authorizationParameter.ClientId,
"authorization_code"),
authorizationParameter.State);
}
if (result.Type == TypeActionResult.RedirectToCallBackUrl)
{
if (claimsPrincipal == null)
{
throw new IdentityServerExceptionWithState(
ErrorCodes.InvalidRequestCode,
ErrorDescriptions.TheResponseCannotBeGeneratedBecauseResourceOwnerNeedsToBeAuthenticated,
authorizationParameter.State);
}
await _generateAuthorizationResponse.ExecuteAsync(result, authorizationParameter, claimsPrincipal, client, issuerName);
}
var actionTypeName = Enum.GetName(typeof(TypeActionResult), result.Type);
_oAuthEventSource.EndAuthorizationCodeFlow(
authorizationParameter.ClientId,
actionTypeName,
result.RedirectInstruction == null ? string.Empty : Enum.GetName(typeof(IdentityServerEndPoints), result.RedirectInstruction.Action));
return(result);
}
public static JweAlg?GetUserInfoEncryptedResponseAlg(this Core.Common.Models.Client client)
{
var algName = client.UserInfoEncryptedResponseAlg;
return(GetDefaultEncryptAlg(algName));
}
public Core.Common.Models.Client AuthenticateClient(AuthenticateInstruction instruction, Core.Common.Models.Client client)
{
if (instruction == null || client == null)
{
throw new ArgumentNullException("the instruction or client parameter cannot be null");
}
if (client.Secrets == null)
{
return(null);
}
var clientSecret = client.Secrets.FirstOrDefault(s => s.Type == ClientSecretTypes.SharedSecret);
if (clientSecret == null)
{
return(null);
}
var sameSecret = string.Compare(clientSecret.Value, _clientPasswordService.Encrypt(instruction.ClientSecretFromHttpRequestBody), StringComparison.CurrentCultureIgnoreCase) == 0;
return(sameSecret ? client : null);
}
public async Task When_No_Consent_Has_Been_Given_And_ResponseMode_Is_No_Correct_Then_Exception_Is_Thrown()
{
// ARRANGE
InitializeFakeObjects();
const string subject = "subject";
const string state = "state";
var authorizationParameter = new AuthorizationParameter
{
Claims = null,
Scope = "profile",
ResponseMode = ResponseMode.None,
State = state
};
var claims = new List <Claim>
{
new Claim(Jwt.Constants.StandardResourceOwnerClaimNames.Subject, subject)
};
var claimsIdentity = new ClaimsIdentity(claims, "SimpleIdentityServer");
var claimsPrincipal = new ClaimsPrincipal(claimsIdentity);
var client = new Core.Common.Models.Client
{
ClientId = "clientId"
};
var resourceOwner = new ResourceOwner
{
Id = subject
};
var actionResult = new ActionResult
{
Type = TypeActionResult.RedirectToCallBackUrl,
RedirectInstruction = new RedirectInstruction()
};
ICollection <string> scopeNames = new List <string>();
ICollection <Scope> scopes = new List <Scope>();
_consentHelperFake.Setup(c => c.GetConfirmedConsentsAsync(It.IsAny <string>(),
It.IsAny <AuthorizationParameter>()))
.Returns(Task.FromResult((Core.Common.Models.Consent)null));
_clientRepositoryFake.Setup(c => c.GetClientByIdAsync(It.IsAny <string>()))
.Returns(Task.FromResult(client));
_parameterParserHelperFake.Setup(p => p.ParseScopes(It.IsAny <string>()))
.Returns(scopeNames);
_resourceOwnerRepositoryFake.Setup(r => r.GetAsync(It.IsAny <string>()))
.Returns(Task.FromResult(resourceOwner));
_actionResultFactoryFake.Setup(a => a.CreateAnEmptyActionResultWithRedirectionToCallBackUrl())
.Returns(actionResult);
_scopeRepositoryFake.Setup(s => s.SearchByNamesAsync(It.IsAny <IEnumerable <string> >()))
.Returns(Task.FromResult(scopes));
_parameterParserHelperFake.Setup(p => p.ParseResponseTypes(It.IsAny <string>()))
.Returns(new List <ResponseType> {
ResponseType.id_token, ResponseType.id_token
});
// ACT & ASSERT
var exception = await Assert.ThrowsAsync <IdentityServerExceptionWithState>(() => _confirmConsentAction.Execute(authorizationParameter, claimsPrincipal, null));
Assert.NotNull(exception);
Assert.True(exception.Code == ErrorCodes.InvalidRequestCode);
Assert.True(exception.Message == ErrorDescriptions.TheAuthorizationFlowIsNotSupported);
Assert.True(exception.State == state);
}
public async Task ExecuteAsync(ActionResult actionResult, AuthorizationParameter authorizationParameter, ClaimsPrincipal claimsPrincipal, Core.Common.Models.Client client, string issuerName)
{
if (actionResult == null || actionResult.RedirectInstruction == null)
{
throw new ArgumentNullException(nameof(actionResult));
}
;
if (authorizationParameter == null)
{
throw new ArgumentNullException(nameof(authorizationParameter));
}
if (claimsPrincipal == null)
{
throw new ArgumentNullException(nameof(claimsPrincipal));
}
if (client == null)
{
throw new ArgumentNullException(nameof(client));
}
var newAccessTokenGranted = false;
var allowedTokenScopes = string.Empty;
GrantedToken grantedToken = null;
var newAuthorizationCodeGranted = false;
AuthorizationCode authorizationCode = null;
_oauthEventSource.StartGeneratingAuthorizationResponseToClient(authorizationParameter.ClientId,
authorizationParameter.ResponseType);
var responses = _parameterParserHelper.ParseResponseTypes(authorizationParameter.ResponseType);
var idTokenPayload = await GenerateIdTokenPayload(claimsPrincipal, authorizationParameter, issuerName);
var userInformationPayload = await GenerateUserInformationPayload(claimsPrincipal, authorizationParameter);
if (responses.Contains(ResponseType.token)) // 1. Generate an access token.
{
if (!string.IsNullOrWhiteSpace(authorizationParameter.Scope))
{
allowedTokenScopes = string.Join(" ", _parameterParserHelper.ParseScopes(authorizationParameter.Scope));
}
grantedToken = await _grantedTokenHelper.GetValidGrantedTokenAsync(allowedTokenScopes, client.ClientId,
userInformationPayload, idTokenPayload);
if (grantedToken == null)
{
grantedToken = await _grantedTokenGeneratorHelper.GenerateTokenAsync(client, allowedTokenScopes,
issuerName, userInformationPayload, idTokenPayload);
newAccessTokenGranted = true;
}
actionResult.RedirectInstruction.AddParameter(Constants.StandardAuthorizationResponseNames.AccessTokenName,
grantedToken.AccessToken);
}
if (responses.Contains(ResponseType.code)) // 2. Generate an authorization code.
{
var subject = claimsPrincipal == null ? string.Empty : claimsPrincipal.GetSubject();
var assignedConsent = await _consentHelper.GetConfirmedConsentsAsync(subject, authorizationParameter);
if (assignedConsent != null)
{
// Insert a temporary authorization code
// It will be used later to retrieve tha id_token or an access token.
authorizationCode = new AuthorizationCode
{
Code = Guid.NewGuid().ToString(),
RedirectUri = authorizationParameter.RedirectUrl,
CreateDateTime = DateTime.UtcNow,
ClientId = authorizationParameter.ClientId,
Scopes = authorizationParameter.Scope,
IdTokenPayload = idTokenPayload,
UserInfoPayLoad = userInformationPayload
};
newAuthorizationCodeGranted = true;
actionResult.RedirectInstruction.AddParameter(Constants.StandardAuthorizationResponseNames.AuthorizationCodeName,
authorizationCode.Code);
}
}
_jwtGenerator.FillInOtherClaimsIdentityTokenPayload(idTokenPayload,
authorizationCode == null ? string.Empty : authorizationCode.Code,
grantedToken == null ? string.Empty : grantedToken.AccessToken,
authorizationParameter, client);
if (newAccessTokenGranted) // 3. Insert the stateful access token into the DB OR insert the access token into the caching.
{
await _tokenStore.AddToken(grantedToken);
_oauthEventSource.GrantAccessToClient(authorizationParameter.ClientId,
grantedToken.AccessToken,
allowedTokenScopes);
}
if (newAuthorizationCodeGranted) // 4. Insert the authorization code into the caching.
{
if (client.RequirePkce)
{
authorizationCode.CodeChallenge = authorizationParameter.CodeChallenge;
authorizationCode.CodeChallengeMethod = authorizationParameter.CodeChallengeMethod;
}
await _authorizationCodeStore.AddAuthorizationCode(authorizationCode);
_oauthEventSource.GrantAuthorizationCodeToClient(authorizationParameter.ClientId,
authorizationCode.Code,
authorizationParameter.Scope);
}
if (responses.Contains(ResponseType.id_token))
{
var idToken = await GenerateIdToken(idTokenPayload, authorizationParameter);
actionResult.RedirectInstruction.AddParameter(Constants.StandardAuthorizationResponseNames.IdTokenName, idToken);
}
if (!string.IsNullOrWhiteSpace(authorizationParameter.State))
{
actionResult.RedirectInstruction.AddParameter(Constants.StandardAuthorizationResponseNames.StateName, authorizationParameter.State);
}
var sessionState = GetSessionState(authorizationParameter.ClientId, authorizationParameter.OriginUrl, authorizationParameter.SessionId);
if (sessionState != null)
{
actionResult.RedirectInstruction.AddParameter(Constants.StandardAuthorizationResponseNames.SessionState, sessionState);
}
if (authorizationParameter.ResponseMode == ResponseMode.form_post)
{
actionResult.Type = TypeActionResult.RedirectToAction;
actionResult.RedirectInstruction.Action = IdentityServerEndPoints.FormIndex;
actionResult.RedirectInstruction.AddParameter("redirect_uri", authorizationParameter.RedirectUrl);
}
// Set the response mode
if (actionResult.Type == TypeActionResult.RedirectToCallBackUrl)
{
var responseMode = authorizationParameter.ResponseMode;
if (responseMode == ResponseMode.None)
{
var responseTypes = _parameterParserHelper.ParseResponseTypes(authorizationParameter.ResponseType);
var authorizationFlow = _authorizationFlowHelper.GetAuthorizationFlow(responseTypes,
authorizationParameter.State);
responseMode = GetResponseMode(authorizationFlow);
}
actionResult.RedirectInstruction.ResponseMode = responseMode;
}
_oauthEventSource.EndGeneratingAuthorizationResponseToClient(authorizationParameter.ClientId,
actionResult.RedirectInstruction.Parameters.SerializeWithJavascript());
}
public static JweEnc?GetRequestObjectEncryptionEnc(this Core.Common.Models.Client client)
{
var encName = client.RequestObjectEncryptionEnc;
return(GetDefaultEncryptEnc(encName));
}
public Core.Common.Models.Client AuthenticateClient(AuthenticateInstruction instruction, Core.Common.Models.Client client)
{
if (client == null || instruction == null)
{
throw new ArgumentNullException("the client or instruction cannot be null");
}
if (client.Secrets == null)
{
return(null);
}
var clientSecret = client.Secrets.FirstOrDefault(s => s.Type == ClientSecretTypes.SharedSecret);
if (clientSecret == null)
{
return(null);
}
var sameSecret = string.Compare(clientSecret.Value,
instruction.ClientSecretFromAuthorizationHeader,
StringComparison.CurrentCultureIgnoreCase) == 0;
return(sameSecret ? client : null);
}
public static JweAlg?GetRequestObjectEncryptionAlg(this Core.Common.Models.Client client)
{
var algName = client.RequestObjectEncryptionAlg;
return(GetDefaultEncryptAlg(algName));
}
public static JwsAlg?GetRequestObjectSigningAlg(this Core.Common.Models.Client client)
{
var algName = client.RequestObjectSigningAlg;
return(GetDefaultJwsAlg(algName));
}
public static JweEnc?GetUserInfoEncryptedResponseEnc(this Core.Common.Models.Client client)
{
var encName = client.UserInfoEncryptedResponseEnc;
return(GetDefaultEncryptEnc(encName));
}
public async Task <ActionResult> Execute(AuthorizationParameter authorizationParameter, IPrincipal principal, Core.Common.Models.Client client, string issuerName)
{
if (authorizationParameter == null)
{
throw new ArgumentNullException(nameof(authorizationParameter));
}
if (client == null)
{
throw new ArgumentNullException(nameof(client));
}
if (string.IsNullOrWhiteSpace(authorizationParameter.Nonce))
{
throw new IdentityServerExceptionWithState(
ErrorCodes.InvalidRequestCode,
string.Format(ErrorDescriptions.MissingParameter, Constants.StandardAuthorizationRequestParameterNames.NonceName),
authorizationParameter.State);
}
_oAuthEventSource.StartImplicitFlow(
authorizationParameter.ClientId,
authorizationParameter.Scope,
authorizationParameter.Claims == null ? string.Empty : authorizationParameter.Claims.ToString());
if (!_clientValidator.CheckGrantTypes(client, GrantType.@implicit))
{
throw new IdentityServerExceptionWithState(
ErrorCodes.InvalidRequestCode,
string.Format(ErrorDescriptions.TheClientDoesntSupportTheGrantType,
authorizationParameter.ClientId,
"implicit"),
authorizationParameter.State);
}
var result = await _processAuthorizationRequest.ProcessAsync(authorizationParameter, principal as ClaimsPrincipal, client, issuerName);
if (result.Type == TypeActionResult.RedirectToCallBackUrl)
{
var claimsPrincipal = principal as ClaimsPrincipal;
await _generateAuthorizationResponse.ExecuteAsync(result, authorizationParameter, claimsPrincipal, client, issuerName);
}
var actionTypeName = Enum.GetName(typeof(TypeActionResult), result.Type);
_oAuthEventSource.EndImplicitFlow(
authorizationParameter.ClientId,
actionTypeName,
result.RedirectInstruction == null ? string.Empty : Enum.GetName(typeof(IdentityServerEndPoints), result.RedirectInstruction.Action));
return(result);
}
public Core.Common.Models.Client AuthenticateClient(AuthenticateInstruction instruction, Core.Common.Models.Client client)
{
if (instruction == null)
{
throw new ArgumentNullException(nameof(instruction));
}
if (client == null)
{
throw new ArgumentNullException(nameof(client));
}
if (instruction.Certificate == null || client.Secrets == null)
{
return(null);
}
var thumbPrint = client.Secrets.FirstOrDefault(s => s.Type == ClientSecretTypes.X509Thumbprint);
var name = client.Secrets.FirstOrDefault(s => s.Type == ClientSecretTypes.X509Name);
if (thumbPrint == null || name == null)
{
return(null);
}
var certificate = instruction.Certificate;
var isSameThumbPrint = thumbPrint == null || thumbPrint != null && thumbPrint.Value == certificate.Thumbprint;
var isSameName = name == null || name != null && name.Value == certificate.SubjectName.Name;
return(isSameName && isSameThumbPrint ? client : null);
}
public async Task When_No_Consent_Has_Been_Given_For_The_Claims_Then_Create_And_Insert_A_New_One()
{
// ARRANGE
InitializeFakeObjects();
const string subject = "subject";
const string clientId = "clientId";
var authorizationParameter = new AuthorizationParameter
{
Claims = new ClaimsParameter
{
UserInfo = new List <ClaimParameter>
{
new ClaimParameter
{
Name = Jwt.Constants.StandardResourceOwnerClaimNames.Subject
}
}
},
Scope = "profile"
};
var claims = new List <Claim>
{
new Claim(Jwt.Constants.StandardResourceOwnerClaimNames.Subject, subject)
};
var claimsIdentity = new ClaimsIdentity(claims, "SimpleIdentityServer");
var claimsPrincipal = new ClaimsPrincipal(claimsIdentity);
var client = new Core.Common.Models.Client
{
ClientId = clientId
};
var resourceOwner = new ResourceOwner
{
Id = subject
};
var actionResult = new ActionResult
{
RedirectInstruction = new RedirectInstruction()
};
ICollection <Scope> scopes = new List <Scope>();
_consentHelperFake.Setup(c => c.GetConfirmedConsentsAsync(It.IsAny <string>(),
It.IsAny <AuthorizationParameter>()))
.Returns(Task.FromResult((Core.Common.Models.Consent)null));
_clientRepositoryFake.Setup(c => c.GetClientByIdAsync(It.IsAny <string>()))
.Returns(Task.FromResult(client));
_parameterParserHelperFake.Setup(p => p.ParseScopes(It.IsAny <string>()))
.Returns(new List <string>());
_scopeRepositoryFake.Setup(s => s.SearchByNamesAsync(It.IsAny <IEnumerable <string> >()))
.Returns(Task.FromResult(scopes));
_authenticateResourceOwnerServiceStub.Setup(r => r.AuthenticateResourceOwnerAsync(It.IsAny <string>()))
.Returns(Task.FromResult(resourceOwner));
_actionResultFactoryFake.Setup(a => a.CreateAnEmptyActionResultWithRedirectionToCallBackUrl())
.Returns(actionResult);
Core.Common.Models.Consent insertedConsent = null;
_consentRepositoryFake.Setup(co => co.InsertAsync(It.IsAny <Core.Common.Models.Consent>()))
.Callback <Core.Common.Models.Consent>(consent => insertedConsent = consent)
.Returns(Task.FromResult(new Core.Common.Models.Consent()));
// ACT
await _confirmConsentAction.Execute(authorizationParameter, claimsPrincipal);
// ASSERT
Assert.NotNull(insertedConsent);
Assert.True(insertedConsent.Claims.Contains(Jwt.Constants.StandardResourceOwnerClaimNames.Subject));
Assert.True(insertedConsent.ResourceOwner.Id == subject);
Assert.True(insertedConsent.Client.ClientId == clientId);
_actionResultFactoryFake.Verify(a => a.CreateAnEmptyActionResultWithRedirectionToCallBackUrl());
}
public static JwsAlg?GetIdTokenSignedResponseAlg(this Core.Common.Models.Client client)
{
var algName = client.IdTokenSignedResponseAlg;
return(GetDefaultJwsAlg(algName));
}
