/// <summary>
/// Validates a token request for one public client: only grant_type=password and
/// grant_type=refresh_token are served; a request from client_id "AspNetContribSample"
/// is skipped (the client is not trusted, so no client authentication is enforced) and
/// any other client_id is rejected with invalid_client.
/// </summary>
/// <param name="context">The token request context; the outcome is reported through
/// Reject or Skip, not through the returned task.</param>
/// <returns>An already-completed task.</returns>
public override Task ValidateTokenRequest(ValidateTokenRequestContext context)
{
    var completed = Task.FromResult(0);

    // Any grant type other than password or refresh_token is refused up front.
    var grantTypeSupported = context.Request.IsPasswordGrantType() || context.Request.IsRefreshTokenGrantType();
    if (!grantTypeSupported)
    {
        context.Reject(
            error: OpenIdConnectConstants.Errors.UnsupportedGrantType,
            description: "Only grant_type=password and refresh_token requests are accepted by this server.");

        return completed;
    }

    if ("AspNetContribSample".Equals(context.ClientId, StringComparison.Ordinal))
    {
        // Skipped rather than validated: a JavaScript application cannot keep its
        // credentials secret, so the middleware is told the client is not trusted.
        context.Skip();

        return completed;
    }

    // The client_id is not the one this server expects.
    context.Reject(OpenIdConnectConstants.Errors.InvalidClient);

    return completed;
}
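/// <summary>
/// Validates a token request for a confidential client: only the authorization code and
/// refresh token grant types are accepted, both client_id and client_secret must be present,
/// the application must exist in <c>ApplicationContext</c> and its secret must match.
/// The secret check uses a fixed-time comparison so that rejection time does not leak how
/// many leading characters of the submitted secret were correct.
/// </summary>
/// <param name="context">The token request context; the outcome is reported through
/// Reject or Validate rather than through a return value.</param>
public override async Task ValidateTokenRequest(ValidateTokenRequestContext context)
{
    // Note: the OpenID Connect server middleware supports authorization code, refresh token, client credentials
    // and resource owner password credentials grant types but this authorization provider uses a safer policy
    // rejecting the last two ones. You may consider relaxing it to support the ROPC or client credentials grant types.
    if (!context.Request.IsAuthorizationCodeGrantType() && !context.Request.IsRefreshTokenGrantType())
    {
        context.Reject(
            error: OpenIdConnectConstants.Errors.UnsupportedGrantType,
            description: "Only authorization code and refresh token grant types " +
                         "are accepted by this authorization server");

        return;
    }

    // Note: client authentication is not mandatory for non-confidential client applications like mobile apps
    // (except when using the client credentials grant type) but this authorization server uses a safer policy
    // that makes client authentication mandatory and returns an error if client_id or client_secret is missing.
    // You may consider relaxing it to support the resource owner password credentials grant type
    // with JavaScript or desktop applications, where client credentials cannot be safely stored.
    // In this case, call context.Skip() to inform the server middleware the client is not trusted.
    if (string.IsNullOrEmpty(context.ClientId) || string.IsNullOrEmpty(context.ClientSecret))
    {
        context.Reject(
            error: OpenIdConnectConstants.Errors.InvalidRequest,
            description: "Missing credentials: ensure that your credentials were correctly " +
                         "flowed in the request body or in the authorization header");

        return;
    }

    var database = context.HttpContext.RequestServices.GetRequiredService<ApplicationContext>();

    // Retrieve the application details corresponding to the requested client_id.
    // The request's abort token is flowed so a disconnected client does not keep the query running.
    var application = await (from entity in database.Applications
                             where entity.ApplicationID == context.ClientId
                             select entity).SingleOrDefaultAsync(context.HttpContext.RequestAborted);

    if (application == null)
    {
        context.Reject(
            error: OpenIdConnectConstants.Errors.InvalidClient,
            description: "Application not found in the database: ensure that your client_id is correct");

        return;
    }

    // Note: application.Secret is compared as-is, so the stored value appears to be the raw secret.
    // To mitigate brute force attacks, you SHOULD strongly consider storing the output of a key
    // derivation function like PBKDF2 instead and verifying the submitted secret against it here
    // (that is a storage change outside this method). The CryptoHelper library developed by
    // @henkmollema covers this: https://github.com/henkmollema/CryptoHelper. If you don't need
    // .NET Core support, SecurityDriven.NET/inferno is a rock-solid alternative: http://securitydriven.net/inferno/
    if (!FixedTimeEquals(context.ClientSecret, application.Secret))
    {
        context.Reject(
            error: OpenIdConnectConstants.Errors.InvalidClient,
            description: "Invalid credentials: ensure that you specified a correct client_secret");

        return;
    }

    context.Validate();
}

/// <summary>
/// Compares two strings ordinally (UTF-16 code unit by code unit) without stopping at the first
/// mismatch, so the time taken reveals at most the lengths involved, never the contents.
/// Yields the same result as <c>string.Equals(left, right, StringComparison.Ordinal)</c>.
/// On targets that provide it, <c>CryptographicOperations.FixedTimeEquals</c> (.NET Core 2.1+)
/// should be preferred over this hand-written routine.
/// </summary>
/// <param name="left">First string; may be null.</param>
/// <param name="right">Second string; may be null.</param>
/// <returns>True when both strings are null or have identical contents; false otherwise.</returns>
private static bool FixedTimeEquals(string left, string right)
{
    if (left == null || right == null)
    {
        // Mirrors string.Equals: two nulls are equal, a null and a non-null are not.
        return left == right;
    }

    // A length mismatch is folded into the accumulator instead of returned early, and the
    // loop walks the shorter string regardless of where (or whether) the contents differ.
    var difference = left.Length ^ right.Length;
    var length = left.Length < right.Length ? left.Length : right.Length;

    for (var index = 0; index < length; index++)
    {
        difference |= left[index] ^ right[index];
    }

    return difference == 0;
}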
/// <summary>
/// Validates a token request for the single public client this server knows about:
/// grant_type=password and grant_type=refresh_token are accepted without client
/// authentication (the request is skipped); every other grant type is rejected.
/// </summary>
/// <param name="context">The token request context; the outcome is reported through
/// Reject or Skip, not through the returned task.</param>
/// <returns>An already-completed task.</returns>
public override Task ValidateTokenRequest(ValidateTokenRequestContext context)
{
    if (context.Request.IsPasswordGrantType() || context.Request.IsRefreshTokenGrantType())
    {
        // There is only one application and it is a public client (it cannot keep its
        // credentials private), so Skip() tells the server to accept the request
        // without enforcing client authentication.
        context.Skip();
    }
    else
    {
        context.Reject(
            error: OpenIdConnectConstants.Errors.UnsupportedGrantType,
            description: "Only resource owner password credentials and refresh token are accepted by this authorization server");
    }

    return Task.FromResult(0);
}
/// <summary>
/// Validates a token request from the Cordova JavaScript client: only the authorization
/// code and refresh token grant types are accepted, and because the client cannot store
/// credentials safely the request is skipped (client not trusted) instead of validated.
/// </summary>
/// <param name="context">The token request context; the outcome is reported through
/// Reject or Skip, not through the returned task.</param>
/// <returns>An already-completed task.</returns>
public override Task ValidateTokenRequest(ValidateTokenRequestContext context)
{
    // Note: the OpenID Connect server middleware also supports the client credentials and
    // resource owner password credentials grant types, but this provider deliberately rejects
    // them; relax this check if you need ROPC or client credentials.
    var acceptedGrantType = context.Request.IsAuthorizationCodeGrantType() || context.Request.IsRefreshTokenGrantType();
    if (!acceptedGrantType)
    {
        context.Reject(
            error: OpenIdConnectConstants.Errors.UnsupportedGrantType,
            description: "Only authorization code and refresh token grant types are accepted by this authorization server");

        return Task.FromResult(0);
    }

    // Relaxed policy: client credentials cannot be safely stored in the Cordova JavaScript
    // application, so context.Skip() informs the server middleware the client is not trusted.
    context.Skip();

    return Task.FromResult(0);
}