public override async Task ValidateRevocationRequest(ValidateRevocationRequestContext context) { var query = new ValidateClientQuery(context.ClientId, context.ClientSecret); var result = await ExecuteQuery(context, query); if (!result.Succeeded) { context.Reject( error: "invalid_client", description: "Client not found in the database: ensure that your client_id is correct"); return; } context.HttpContext.Items.Add("as:clientAllowedOrigin", result.AllowedOrigin); // When token_type_hint is specified, reject the request if it doesn't correspond to a revocable token. if (!string.IsNullOrEmpty(context.TokenTypeHint) && !string.Equals(context.TokenTypeHint, OpenIdConnectConstants.TokenTypeHints.RefreshToken)) { context.Reject( error: OpenIdConnectConstants.Errors.UnsupportedTokenType, description: "Only refresh tokens can be revoked. When specifying a token_type_hint " + "parameter, its value must be equal to 'refresh_token'."); return; } context.Validate(); }
/// <summary> /// Validates whether the client is a valid known application in our system. /// </summary> public override async Task ValidateTokenRequest(ValidateTokenRequestContext context) { if (!context.Request.IsRefreshTokenGrantType() && !context.Request.IsPasswordGrantType()) { context.Reject( error: OpenIdConnectConstants.Errors.UnsupportedGrantType, description: "Only password and refresh token grant types " + "are accepted by this authorization server"); return; } var query = new ValidateClientQuery(context.ClientId, context.ClientSecret); var result = await ExecuteQuery(context, query); if (!result.Succeeded) { context.Reject( error: "invalid_client", description: "Client not found in the database: ensure that your client_id is correct"); return; } context.HttpContext.Items.Add("as:clientAllowedOrigin", result.AllowedOrigin); if (context.Request.IsPasswordGrantType()) { // Resolve ASP.NET Core Identity's user manager from the DI container. var userManager = context.HttpContext.RequestServices.GetRequiredService <UserManager <IdentityUser> >(); var user = await userManager.FindByNameAsync(context.Request.Username); if (user == null) { context.Reject( error: OpenIdConnectConstants.Errors.InvalidGrant, description: "Invalid user details."); return; } // Reject the token request if email confirmation is required. //if (!(await userManager.IsEmailConfirmedAsync(user))) //{ // context.Reject( // error: OpenIdConnectConstants.Errors.InvalidGrant, // description: "Email confirmation is required for this account."); // return; //} } context.Validate(); }
public async Task <IActionResult> Exchange(OpenIdConnectRequest request) { Debug.Assert(request.IsTokenRequest(), "The OpenIddict binder for ASP.NET Core MVC is not registered. " + "Make sure services.AddOpenIddict().AddMvcBinders() is correctly called."); if (!request.IsRefreshTokenGrantType() && !request.IsPasswordGrantType()) { return(BadRequest(new OpenIdConnectResponse { Error = OpenIdConnectConstants.Errors.UnsupportedGrantType, ErrorDescription = "Only password and refresh token grant types " + "are accepted by this authorization server" })); } var query = new ValidateClientQuery(request.ClientId, request.ClientSecret); var result = await _queryProcessor.ProcessAsync(query); if (!result.Succeeded) { return(BadRequest(new OpenIdConnectResponse { Error = OpenIdConnectConstants.Errors.InvalidClient, ErrorDescription = "Client not found in the database: ensure that your client_id is correct" })); } Request.HttpContext.Items.Add("as:clientAllowedOrigin", result.AllowedOrigin); if (request.IsPasswordGrantType()) { // Resolve ASP.NET Core Identity's user manager from the DI container. var user = await _userManager.FindByNameAsync(request.Username); if (user == null) { return(BadRequest(new OpenIdConnectResponse { Error = OpenIdConnectConstants.Errors.InvalidGrant, ErrorDescription = "Invalid user details." })); } } if (request.IsPasswordGrantType() || request.IsRefreshTokenGrantType()) { //Set CORS SetCorsHeader(request); // Retrieve the claims principal stored in the authorization code/refresh token. var info = await HttpContext.Authentication.GetAuthenticateInfoAsync( OpenIdConnectServerDefaults.AuthenticationScheme); // Resolve ASP.NET Core Identity's user manager from the DI container. var user = await _userManager.FindByNameAsync(request.Username); // Create a new authentication ticket, but reuse the properties stored in the // authorization code/refresh token, including the scopes originally granted. var ticket = await CreateTicketAsync(request, user, info.Properties); return(SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme)); } return(BadRequest(new OpenIdConnectResponse { Error = OpenIdConnectConstants.Errors.UnsupportedGrantType, ErrorDescription = "The specified grant type is not supported." })); }