/// <summary> /// Validates the endoints and jwks_uri according to the security policy. /// </summary> /// <param name="json">The json.</param> /// <param name="policy">The policy.</param> /// <returns></returns> public string ValidateEndpoints(JObject json, DiscoveryPolicy policy) { // allowed hosts var allowedHosts = new HashSet <string>(policy.AdditionalEndpointBaseAddresses.Select(e => new Uri(e).Authority)) { new Uri(policy.Authority).Authority }; // allowed authorities (hosts + base address) var allowedAuthorities = new HashSet <string>(policy.AdditionalEndpointBaseAddresses) { policy.Authority }; foreach (var element in json) { if (element.Key.EndsWith("endpoint", StringComparison.OrdinalIgnoreCase) || element.Key.Equals(OidcConstants.Discovery.JwksUri, StringComparison.OrdinalIgnoreCase) || element.Key.Equals(OidcConstants.Discovery.CheckSessionIframe, StringComparison.OrdinalIgnoreCase)) { var endpoint = element.Value.ToString(); var isValidUri = Uri.TryCreate(endpoint, UriKind.Absolute, out Uri uri); if (!isValidUri) { return($"Malformed endpoint: {endpoint}"); } if (!DiscoveryEndpoint.IsValidScheme(uri)) { return($"Malformed endpoint: {endpoint}"); } if (!DiscoveryEndpoint.IsSecureScheme(uri, policy)) { return($"Endpoint does not use HTTPS: {endpoint}"); } if (policy.ValidateEndpoints) { // if endpoint is on exclude list, don't validate if (policy.EndpointValidationExcludeList.Contains(element.Key)) { continue; } bool isAllowed = false; foreach (var host in allowedHosts) { if (string.Equals(host, uri.Authority)) { isAllowed = true; } } if (!isAllowed) { return($"Endpoint is on a different host than authority: {endpoint}"); } IAuthorityValidationStrategy strategy = policy.AuthorityValidationStrategy ?? DiscoveryPolicy.DefaultAuthorityValidationStrategy; AuthorityValidationResult endpointValidationResult = strategy.IsEndpointValid(endpoint, allowedAuthorities); if (!endpointValidationResult.Success) { return(endpointValidationResult.ErrorMessage); } } } } if (policy.RequireKeySet) { if (string.IsNullOrWhiteSpace(JwksUri)) { return("Keyset is missing"); } } return(string.Empty); }
protected DiscoveryPolicyTestsBase(IAuthorityValidationStrategy authorityValidationStrategy) { _authorityValidationStrategy = authorityValidationStrategy; }
/// <summary> /// Checks if the issuer matches the authority. /// </summary> /// <param name="issuer">The issuer.</param> /// <param name="authority">The authority.</param> /// <param name="validationStrategy">The strategy to use.</param> /// <returns></returns> private bool ValidateIssuerName(string issuer, string authority, IAuthorityValidationStrategy validationStrategy) { return(validationStrategy.IsIssuerNameValid(issuer, authority).Success); }