/// <summary> /// Validates authorize request parameters. /// </summary> /// <param name="parameters"></param> /// <param name="subject"></param> /// <returns></returns> public async Task <AuthorizeRequestValidationResult> ValidateAsync(NameValueCollection parameters, ClaimsPrincipal subject = null) { if (parameters == null) { throw new ArgumentNullException(nameof(parameters)); } var responseMode = parameters.Get(IdentityModel.OidcConstants.AuthorizeRequest.ResponseMode); var acrValues = parameters.Get(IdentityModel.OidcConstants.AuthorizeRequest.AcrValues); if (acrValues == Constants.KnownAcrValues.Anonymous && responseMode == OidcConstants.ResponseModes.Json) { // source validator dont support "json" response mode // the "json" response mode only for anonymous requests parameters.Remove(IdentityModel.OidcConstants.AuthorizeRequest.ResponseMode); var result = await _inner.ValidateAsync(parameters, subject); if (!result.IsError) { if (subject == null) { // create anon user var anonUser = await _anonUserFactory.CreateAsync(); await _anonUserManager.CreateAsync(anonUser); // and sign in with "anon" authentication method await _anonSignInManager.SignInAsync(anonUser); // reload the current user result.ValidatedRequest.Subject = await _userSession.GetUserAsync(); } // return "json" response mode back result.ValidatedRequest.ResponseMode = OidcConstants.ResponseModes.Json; // set anonymous token lifetime // https://github.com/IdentityServer/IdentityServer4/issues/3578 if (result.ValidatedRequest.Subject.IsAnonymous()) { result.ValidatedRequest.AccessTokenLifetime = _options.AccessTokenLifetime; } } return(result); } return(await _inner.ValidateAsync(parameters, subject)); }
public async Task <IEndpointResult> ProcessAsync(HttpContext context) { if (HttpMethods.IsGet(context.Request.Method)) { var user = await _userSession.GetUserAsync(); var parameters = context.Request.Query.AsNameValueCollection(); var result = await _validator.ValidateAsync(parameters, user); if (!result.IsError) { var request = result.ValidatedRequest; if (request.IsAnonymous() && request.ResponseMode == OidcConstants.ResponseModes.Json) { var response = await _authorizeResponseGenerator.CreateResponseAsync(request); return(new AuthorizeResult(response)); } } } // call source handler var innerHandler = _handlerProvider.GetByPath("/connect/authorize"); return(await innerHandler.ProcessAsync(context)); }
public async Task <AuthorizationRequest> ParseAsync(string returnUrl) { using var activity = Tracing.ValidationActivitySource.StartActivity("OidcReturnUrlParser.Parse"); if (IsValidReturnUrl(returnUrl)) { var parameters = returnUrl.ReadQueryStringAsNameValueCollection(); if (_authorizationParametersMessageStore != null) { var messageStoreId = parameters[Constants.AuthorizationParamsStore.MessageStoreIdParameterName]; var entry = await _authorizationParametersMessageStore.ReadAsync(messageStoreId); parameters = entry?.Data.FromFullDictionary() ?? new NameValueCollection(); } var user = await _userSession.GetUserAsync(); var result = await _validator.ValidateAsync(parameters, user); if (!result.IsError) { _logger.LogTrace("AuthorizationRequest being returned"); return(new AuthorizationRequest(result.ValidatedRequest)); } } _logger.LogTrace("No AuthorizationRequest being returned"); return(null); }
internal async Task <IEndpointResult> ProcessAuthorizeRequestAsync(NameValueCollection parameters, ClaimsPrincipal user, ConsentResponse consent, HttpContext context) { if (user != null) { Logger.LogDebug("User in authorize request: {subjectId}", user.GetSubjectId()); } else { Logger.LogDebug("No user present in authorize request"); } // validate request var result = await _validator.ValidateAsync(parameters, user); if (result.IsError) { return(await CreateErrorResultAsync( "Request validation failed", result.ValidatedRequest, result.Error, result.ErrorDescription)); } var request = result.ValidatedRequest; LogRequest(request); // determine user interaction var interactionResult = await _interactionGenerator.ProcessInteractionAsync(request, consent); if (interactionResult.IsError) { return(await CreateErrorResultAsync("Interaction generator error", request, interactionResult.Error, interactionResult.ErrorDescription, false)); } if (interactionResult.IsLogin) { return(new LoginPageResult(request, _loginUrlProcessor)); } if (interactionResult.IsConsent) { return(new ConsentPageResult(request)); } if (interactionResult.IsRedirect) { return(new CustomRedirectResult(request, interactionResult.RedirectUrl)); } request.ClientIp = context.GetRequestIp(); request.Device = context .GetHeaderValueAs <string>("User-Agent") .GetDevice(); var response = await _authorizeResponseGenerator.CreateResponseAsync(request); await RaiseResponseEventAsync(response); LogResponse(response); return(new AuthorizeResult(response)); }
public void ValidateAsync_ParametersEqNull_Throws() { NameValueCollection parameters = null; Func <Task> act = async() => await _sut.ValidateAsync(parameters); act.Should().Throw <ArgumentNullException>(); }
internal async Task <IActionResult> ProcessAuthorizeRequestAsync(NameValueCollection parameters) { var result = await _authorizeRequestValidator.ValidateAsync(parameters); if (result.IsError) { return(BadRequest(result.ErrorDescription)); } return(Ok()); }
public async Task<AuthorizationRequest> ParseAsync(string returnUrl) { if (IsValidReturnUrl(returnUrl)) { var parameters = returnUrl.ReadQueryStringAsNameValueCollection(); var user = await _userSession.GetUserAsync(); var result = await _validator.ValidateAsync(parameters, user); if (!result.IsError) { _logger.LogTrace("AuthorizationRequest being returned"); return result.ValidatedRequest.ToAuthorizationRequest(); } } _logger.LogTrace("No AuthorizationRequest being returned"); return null; }
internal async Task <IEndpointResult> ProcessAuthorizeRequestAsync(NameValueCollection parameters, ClaimsPrincipal user, ConsentResponse consent) { if (user != null) { _logger.LogTrace("User in authorize request: name:{0}, sub:{1}", user.GetName(), user.GetSubjectId()); } else { _logger.LogTrace("No user present in authorize request"); } // validate request var result = await _validator.ValidateAsync(parameters, user); if (result.IsError) { return(await ErrorPageAsync( result.ErrorType, result.Error, result.ValidatedRequest)); } var request = result.ValidatedRequest; // determine user interaction var interactionResult = await _interactionGenerator.ProcessInteractionAsync(request, consent); if (interactionResult.IsError) { return(await ErrorPageAsync( interactionResult.Error.ErrorType, interactionResult.Error.Error, request)); } if (interactionResult.IsLogin) { return(await LoginPageAsync(request)); } if (interactionResult.IsConsent) { return(await ConsentPageAsync(request)); } // issue response return(await SuccessfulAuthorizationAsync(request)); }
public async Task <AuthorizationRequest> ParseAsync(string returnUrl) { if (IsValidReturnUrl(returnUrl)) { var parameters = returnUrl.ReadQueryStringAsNameValueCollection(); var user = await _userSession.GetUserAsync(); var result = await _validator.ValidateAsync(parameters, user); if (!result.IsError) { return(result.ValidatedRequest.ToAuthorizatonRequest()); } } return(null); }
public async Task <AuthorizationRequest> GetAuthorizationContextAsync(string returnUrl) { if (returnUrl != null && IsValidReturnUrl(returnUrl)) { var parameters = returnUrl.ReadQueryStringAsNameValueCollection(); var user = await _context.HttpContext.GetIdentityServerUserAsync(); var result = await _validator.ValidateAsync(parameters, user); if (!result.IsError) { _logger.LogTrace("AuthorizationRequest being returned"); return(new AuthorizationRequest(result.ValidatedRequest)); } } _logger.LogTrace("No AuthorizationRequest being returned"); return(null); }
protected async Task <IEndpointResult> ProcessAuthorizeRequestAsync(NameValueCollection parameters, ClaimsPrincipal user, ConsentResponse consent) { // validate request var result = await _validator.ValidateAsync(parameters, user); if (result.IsError) { return(await CreateErrorResultAsync( "Request validation failed", result.ValidatedRequest, result.Error, result.ErrorDescription)); } var request = result.ValidatedRequest; // determine user interaction var interactionResult = await _interactionGenerator.ProcessInteractionAsync(request, consent); if (interactionResult.IsError) { return(await CreateErrorResultAsync("Interaction generator error", request, interactionResult.Error)); } if (interactionResult.IsLogin) { return(new LoginPageResult(request)); } if (interactionResult.IsConsent) { return(new ConsentPageResult(request)); } if (interactionResult.IsRedirect) { return(new CustomRedirectResult(request, interactionResult.RedirectUrl)); } var response = await _authorizeResponseGenerator.CreateResponseAsync(request); await RaiseResponseEventAsync(response); return(new AuthorizeResult(response)); }
async Task <AuthorizationRequest> GetAuthorizeRequest(string paramName, string paramValue) { if (paramValue == null) { paramValue = _context.HttpContext.Request.Query[paramName].FirstOrDefault(); } if (paramValue != null && IsValidReturnUrl(paramValue)) { var parameters = paramValue.ReadQueryStringAsNameValueCollection(); var user = await _context.GetIdentityServerUserAsync(); var result = await _validator.ValidateAsync(parameters, user); if (!result.IsError) { return(new AuthorizationRequest(result.ValidatedRequest)); } } return(null); }
public async Task <IEndpointResult> ProcessAsync(HttpContext context) { string key = null; try { var request = new ValidatedAuthorizeRequest(); _logger.LogInformation("Process AuthorizeEndpoint Start.._signinManager.SignOutAsync() "); await _signinManager.SignOutAsync(); /* * https://localhost:44305/connect/authorize? * client_id=mvc * &redirect_uri=https%3A%2F%2Fp7core.127.0.0.1.xip.io%3A44311%2Fsignin-oidc * &response_type=id_token * &scope=openid%20profile * &response_mode=form_post * &nonce=636973229335838266.ZWJhM2U4M2YtYWNiYi00YjZkLTkwMWYtNjRmMjM3MWRiYTk5OWNkNDIzMWUtZmY4OS00YWE0LTk4MGUtMTdiMjYxNmNmZjRk&state=CfDJ8KOz5LEySMhBtqpccMk4UVhA1PvGQQvpqQBUyR-97TDZvaPuNquTLJIUxKMYzF-Ov_HHCnnmcTForzd5RJ4jmLONvcZLY3XCHnrhh9Sc2oR2Lv2HACvPVBMy2oYmmPBtNIoXroQ9WePE_KtPyFw8ntRsHIYMmT5a0fLKGeJcwK3ewoiRHxjKpOr9hXZau9f7CVVqMvtWC2ngWrFsEeh8S0YtRZQFT-7XyjE9dNiyKp_Z-4iBUbbqzVnT4GmEmErZXUjmBhmVsMLz5h9y_F3usRT3lg7LxUNamnJuROnYIqmJzf0fYVJq1mcB5hcUipo2SNcILG3xkUikc84VznSGvD7V_qFjOHVPtOEX02JH9M4ymb3iZtZSE9dDr2RkwTU7StoKgM-x195bBULpwms8weJO-kx5I6UrY_lmWl0SFqYN * &x-client-SKU=ID_NETSTANDARD2_0 * &x-client-ver=5.4.0.0 * */ SimpleNameValueCollection values; if (HttpMethods.IsGet(context.Request.Method)) { values = context.Request.Query.AsNameValueCollection(); } else if (HttpMethods.IsPost(context.Request.Method)) { if (!context.Request.HasFormContentType) { return(new OIDCPipeline.Core.Endpoints.Results.StatusCodeResult((int)HttpStatusCode.UnsupportedMediaType)); } values = context.Request.Form.AsNameValueCollection(); } else { return(new OIDCPipeline.Core.Endpoints.Results.StatusCodeResult((int)HttpStatusCode.MethodNotAllowed)); } request.Raw = values; var result = await _authorizeRequestValidator.ValidateAsync(request); _logger.LogInformation($"Method:{context.Request.Method} ValidateAsync Error:{result.IsError}"); string redirectUrl = null; if (!result.IsError) { if (string.IsNullOrWhiteSpace(request.Nonce)) { request.Nonce = GenerateNonce(); values["OidcConstants.AuthorizeRequest.Nonce"] = request.Nonce; } var downstreamAuthorizationRequest = values.ToDownstreamAuthorizationRequest(); key = _oidcPipeLineKey.GetOIDCPipeLineKey(); if (!string.IsNullOrWhiteSpace(key)) { _logger.LogInformation($"DeleteStoredCacheAsync previouse if it exists"); await _oidcPipelineStore.DeleteStoredCacheAsync(key); } // Initially was using the NONCE as the key, but we can't trust that clients will not hardcode a nonce // The key has to be generated on our side and subsequently stored as a cookie. key = Guid.NewGuid().ToString("N"); // context.SetOIDCPipeLineKey(key); _logger.LogInformation($"StoreOriginalIdTokenRequestAsync clientid:{downstreamAuthorizationRequest.client_id}"); await _oidcPipelineStore.StoreOriginalAuthorizeRequestAsync(key, result.ValidatedAuthorizeRequest); redirectUrl = $"{context.Request.Scheme}://{context.Request.Host}{_options.PostAuthorizeHookRedirectUrl}"; } else { redirectUrl = $"{context.Request.Scheme}://{context.Request.Host}{_options.PostAuthorizeHookErrorRedirectUrl}"; } _logger.LogInformation($"redirecting to:{redirectUrl}"); return(new Results.OriginalAuthorizeResult(_oidcPipeLineKey, redirectUrl, key)); } catch (Exception ex) { string redirectUrl = $"{context.Request.Scheme}://{context.Request.Host}{_options.PostAuthorizeHookErrorRedirectUrl}"; return(new Results.OriginalAuthorizeResult(_oidcPipeLineKey, redirectUrl, key)); } }
internal async Task <IEndpointResult> ProcessAuthorizeRequestAsync(NameValueCollection parameters, ClaimsPrincipal user, bool checkConsentResponse = false) { if (user != null) { Logger.LogDebug("User in authorize request: {subjectId}", user.GetSubjectId()); } else { Logger.LogDebug("No user present in authorize request"); } if (checkConsentResponse && _authorizationParametersMessageStore != null) { var messageStoreId = parameters[Constants.AuthorizationParamsStore.MessageStoreIdParameterName]; var entry = await _authorizationParametersMessageStore.ReadAsync(messageStoreId); parameters = entry?.Data.FromFullDictionary() ?? new NameValueCollection(); await _authorizationParametersMessageStore.DeleteAsync(messageStoreId); } // validate request var result = await _validator.ValidateAsync(parameters, user); if (result.IsError) { return(await CreateErrorResultAsync( "Request validation failed", result.ValidatedRequest, result.Error, result.ErrorDescription)); } string consentRequestId = null; try { Message <ConsentResponse> consent = null; if (checkConsentResponse) { var consentRequest = new ConsentRequest(result.ValidatedRequest.Raw, user?.GetSubjectId()); consentRequestId = consentRequest.Id; consent = await _consentResponseStore.ReadAsync(consentRequestId); if (consent != null && consent.Data == null) { return(await CreateErrorResultAsync("consent message is missing data")); } } var request = result.ValidatedRequest; LogRequest(request); // determine user interaction var interactionResult = await _interactionGenerator.ProcessInteractionAsync(request, consent?.Data); if (interactionResult.IsError) { return(await CreateErrorResultAsync("Interaction generator error", request, interactionResult.Error, interactionResult.ErrorDescription, false)); } if (interactionResult.IsLogin) { return(new LoginPageResult(request)); } if (interactionResult.IsConsent) { return(new ConsentPageResult(request)); } if (interactionResult.IsRedirect) { return(new CustomRedirectResult(request, interactionResult.RedirectUrl)); } var response = await _authorizeResponseGenerator.CreateResponseAsync(request); await RaiseResponseEventAsync(response); LogResponse(response); return(new AuthorizeResult(response)); } finally { if (consentRequestId != null) { await _consentResponseStore.DeleteAsync(consentRequestId); } } }