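/// <summary>
/// Validates a request object: the value must be a JWS, or a JWE that decrypts to a JWS,
/// whose signature can be verified for <paramref name="oauthClient"/>.
/// </summary>
/// <param name="request">Raw request object (compact JWS or JWE serialization).</param>
/// <param name="oauthClient">Client the signature is verified against.</param>
/// <param name="cancellationToken">Propagated to the JWE decryption.</param>
/// <param name="errorCode">Error code carried by every <see cref="OAuthException"/> thrown here.</param>
/// <returns>The verified payload together with the JWS header.</returns>
/// <exception cref="OAuthException">Not a JWS/JWE, undecryptable JWE, malformed JWS header, or failed signature check.</exception>
public virtual async Task<RequestObjectValidatorResult> Validate(string request, BaseClient oauthClient, CancellationToken cancellationToken, string errorCode = ErrorCodes.INVALID_REQUEST_OBJECT)
{
    // Anything that is neither a JWS nor a JWE is rejected before any parsing happens.
    if (!_jwtParser.IsJwsToken(request) && !_jwtParser.IsJweToken(request))
    {
        throw new OAuthException(errorCode, ErrorMessages.INVALID_REQUEST_PARAMETER);
    }

    var jws = request;
    if (_jwtParser.IsJweToken(request))
    {
        // The decrypted content is what gets signature-checked below; an empty result is treated as a bad JWE.
        jws = await _jwtParser.Decrypt(jws, cancellationToken);
        if (string.IsNullOrWhiteSpace(jws))
        {
            throw new OAuthException(errorCode, ErrorMessages.INVALID_JWE_REQUEST_PARAMETER);
        }
    }

    JwsHeader header;
    try
    {
        header = _jwtParser.ExtractJwsHeader(jws);
    }
    catch (InvalidOperationException)
    {
        throw new OAuthException(errorCode, ErrorMessages.INVALID_JWS_REQUEST_PARAMETER);
    }

    // NOTE(review): header.Alg is not compared with the client's registered request_object_signing_alg here;
    // CheckRequest on this page does that explicitly before unsigning — confirm Unsign enforces it for this path.
    JwsPayload jwsPayload;
    try
    {
        jwsPayload = await _jwtParser.Unsign(jws, oauthClient, errorCode);
    }
    catch (JwtException ex)
    {
        throw new OAuthException(errorCode, ex.Message);
    }

    // The other Unsign callers on this page treat a null payload as a failed signature check;
    // do the same here instead of handing a null payload to the caller.
    if (jwsPayload == null)
    {
        throw new OAuthException(errorCode, ErrorMessages.INVALID_JWS_REQUEST_PARAMETER);
    }

    return new RequestObjectValidatorResult(jwsPayload, header);
}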
/// <summary>
/// Validates the "request" parameter of an authorization request (a JWS, optionally wrapped in a JWE)
/// and replaces the request data with the claims it carries.
/// </summary>
/// <param name="context">Handler context; <c>context.Client</c> must be an <c>OpenIdClient</c>.</param>
/// <param name="request">Raw value of the request parameter.</param>
/// <returns>Always <c>true</c>; every failed check throws instead.</returns>
/// <exception cref="OAuthException">INVALID_REQUEST with a message naming the failed check.</exception>
protected async Task<bool> CheckRequest(HandlerContext context, string request)
{
    var openidClient = (OpenIdClient)context.Client;
    if (!_jwtParser.IsJwsToken(request) && !_jwtParser.IsJweToken(request))
    {
        throw InvalidRequest(ErrorMessages.INVALID_REQUEST_PARAMETER);
    }

    var jws = request;
    if (_jwtParser.IsJweToken(request))
    {
        jws = await _jwtParser.Decrypt(jws);
        if (string.IsNullOrWhiteSpace(jws))
        {
            throw InvalidRequest(ErrorMessages.INVALID_JWE_REQUEST_PARAMETER);
        }
    }

    JwsHeader header;
    try
    {
        header = _jwtParser.ExtractJwsHeader(jws);
    }
    catch (InvalidOperationException)
    {
        throw InvalidRequest(ErrorMessages.INVALID_JWS_REQUEST_PARAMETER);
    }

    // The header's alg must equal the client's registered request_object_signing_alg;
    // a client with none registered is only allowed unsigned ("none") request objects.
    // The check runs before Unsign so an unexpected algorithm never reaches signature verification.
    var expectedAlg = string.IsNullOrWhiteSpace(openidClient.RequestObjectSigningAlg)
        ? NoneSignHandler.ALG_NAME
        : openidClient.RequestObjectSigningAlg;
    if (header.Alg != expectedAlg)
    {
        throw InvalidRequest(ErrorMessages.INVALID_SIGNATURE_ALG);
    }

    var jwsPayload = await _jwtParser.Unsign(jws, context.Client);
    if (jwsPayload == null)
    {
        throw InvalidRequest(ErrorMessages.INVALID_JWS_REQUEST_PARAMETER);
    }

    // response_type and client_id must be present in the request object and agree with the outer request.
    if (!jwsPayload.ContainsKey(OAuth.DTOs.AuthorizationRequestParameters.ResponseType))
    {
        throw InvalidRequest(ErrorMessages.MISSING_RESPONSE_TYPE_CLAIM);
    }

    if (!jwsPayload.ContainsKey(OAuth.DTOs.AuthorizationRequestParameters.ClientId))
    {
        throw InvalidRequest(ErrorMessages.MISSING_CLIENT_ID_CLAIM);
    }

    // NOTE(review): OrderBy uses the default (culture-sensitive) string comparer; ordinal ordering would be
    // safer, but only if GetResponseTypesFromAuthorizationRequest sorts the same way — confirm before changing.
    var claimedResponseTypes = jwsPayload[OAuth.DTOs.AuthorizationRequestParameters.ResponseType]
        .ToString()
        .Split(' ')
        .OrderBy(s => s);
    var requestedResponseTypes = context.Request.Data.GetResponseTypesFromAuthorizationRequest();
    if (!claimedResponseTypes.SequenceEqual(requestedResponseTypes))
    {
        throw InvalidRequest(ErrorMessages.INVALID_RESPONSE_TYPE_CLAIM);
    }

    var claimedClientId = jwsPayload[OAuth.DTOs.AuthorizationRequestParameters.ClientId].ToString();
    if (claimedClientId != context.Client.ClientId)
    {
        throw InvalidRequest(ErrorMessages.INVALID_CLIENT_ID_CLAIM);
    }

    // From here on the request object's claims are the authorization request.
    context.Request.SetData(JObject.FromObject(jwsPayload));
    return true;

    OAuthException InvalidRequest(string message)
    {
        return new OAuthException(ErrorCodes.INVALID_REQUEST, message);
    }
}
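/// <summary>
/// Validates the optional software_statement of a client registration request and merges its claims into <paramref name="jObj"/>.
/// The statement must be a JWS whose issuer is listed in <c>OauthHostOptions.SoftwareStatementTrustedParties</c>;
/// the signing key is fetched from that party's JWKS URL and selected by the statement's kid.
/// Claims from the statement overwrite same-named properties already present in <paramref name="jObj"/>.
/// </summary>
/// <param name="jObj">Registration request body; mutated in place.</param>
/// <exception cref="OAuthException">INVALID_SOFTWARE_STATEMENT with a message naming the failed check.</exception>
private async Task ExtractSoftwareStatement(JObject jObj)
{
    var softwareStatement = jObj.GetSoftwareStatement();
    if (string.IsNullOrWhiteSpace(softwareStatement))
    {
        // software_statement is optional.
        return;
    }

    if (!_jwtParser.IsJwsToken(softwareStatement))
    {
        throw Invalid(ErrorMessages.BAD_JWS_SOFTWARE_STATEMENT);
    }

    SimpleIdServer.Jwt.Jws.JwsPayload jwsPayload;
    SimpleIdServer.Jwt.Jws.JwsHeader header;
    try
    {
        // Unverified parse: only used to locate the issuer and kid. Nothing from it is trusted
        // until Unsign succeeds with the trusted party's key below.
        jwsPayload = _jwtParser.ExtractJwsPayload(softwareStatement);
        header = _jwtParser.ExtractJwsHeader(softwareStatement);
    }
    catch (Exception)
    {
        throw Invalid(ErrorMessages.BAD_JWS_SOFTWARE_STATEMENT);
    }

    // header is also checked: its Kid is dereferenced when the JWKS is searched.
    if (jwsPayload == null || header == null)
    {
        throw Invalid(ErrorMessages.BAD_JWS_SOFTWARE_STATEMENT);
    }

    var issuer = jwsPayload.GetIssuer();
    var trustedParty = OauthHostOptions.SoftwareStatementTrustedParties.FirstOrDefault(s => s.Iss == issuer);
    if (trustedParty == null)
    {
        throw Invalid(ErrorMessages.BAD_ISSUER_SOFTWARE_STATEMENT);
    }

    // NOTE(review): the JWKS is fetched on every registration with no caching or response-size bound;
    // confirm the factory-provided client sets a timeout.
    using (var httpClient = _httpClientFactory.GetHttpClient())
    {
        var json = await httpClient.GetStringAsync(trustedParty.JwksUrl);
        var keys = JObject.Parse(json)["keys"] as JArray;
        if (keys == null)
        {
            // A JWKS without a "keys" array cannot verify anything.
            throw Invalid(ErrorMessages.BAD_SOFTWARE_STATEMENT_SIGNATURE);
        }

        var jsonWebKeys = keys.Select(k => SimpleIdServer.Jwt.JsonWebKey.Deserialize(k.ToString()));
        var jsonWebKey = jsonWebKeys.FirstOrDefault(j => j.Kid == header.Kid);
        if (jsonWebKey == null)
        {
            // No key with the statement's kid: reject instead of passing a null key to Unsign.
            throw Invalid(ErrorMessages.BAD_SOFTWARE_STATEMENT_SIGNATURE);
        }

        jwsPayload = _jwtParser.Unsign(softwareStatement, jsonWebKey);
        if (jwsPayload == null)
        {
            throw Invalid(ErrorMessages.BAD_SOFTWARE_STATEMENT_SIGNATURE);
        }

        // Statement claims take precedence over whatever the client sent for the same property.
        foreach (var kvp in jwsPayload)
        {
            jObj[kvp.Key] = JToken.FromObject(kvp.Value);
        }
    }

    OAuthException Invalid(string message)
    {
        return new OAuthException(ErrorCodes.INVALID_SOFTWARE_STATEMENT, message);
    }
}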