public override Task ValidateTokenRequest(ValidateTokenRequestContext context) {
            // Token endpoint policy for this sample: only the resource owner password
            // credentials grant (grant_type=password) and the refresh_token grant are served.
            // Any other grant type is answered with the standard unsupported_grant_type error.
            var request = context.Request;
            var isSupportedGrant = request.IsPasswordGrantType() || request.IsRefreshTokenGrantType();

            if (!isSupportedGrant) {
                context.Reject(
                    error: OpenIdConnectConstants.Errors.UnsupportedGrantType,
                    description: "Only grant_type=password and refresh_token " +
                                 "requests are accepted by this server.");

                return Task.FromResult(0);
            }

            // Exactly one client identifier is accepted. Any other client_id, including a
            // missing one (string.Equals(null, ...) is false), is rejected with invalid_client.
            // Ordinal comparison keeps the match exact and culture-independent.
            if (!string.Equals(context.ClientId, "AspNetContribSample", StringComparison.Ordinal)) {
                context.Reject(OpenIdConnectConstants.Errors.InvalidClient);
            }

            else {
                // Skipped rather than validated: the sample client is a JavaScript (public)
                // application that cannot keep a client secret, so the request proceeds
                // without client authentication. What the caller proves possession of is the
                // resource owner's password or the refresh token, not a client credential.
                context.Skip();
            }

            return Task.FromResult(0);
        }
        public override Task ValidateTokenRequest(ValidateTokenRequestContext context)
        {
            // Only the resource owner password credentials and refresh_token grants are
            // served by this endpoint; every other grant_type is answered with
            // unsupported_grant_type.
            var request = context.Request;
            var isSupportedGrant = request.IsPasswordGrantType() || request.IsRefreshTokenGrantType();
            if (isSupportedGrant)
            {
                // Single-application deployment with a public client (one that cannot keep
                // its credentials private): Skip() tells the server to accept the request
                // without enforcing client authentication. No client_id check is performed
                // in this override, so any caller presenting valid resource owner
                // credentials or a refresh token is served.
                context.Skip();
            }
            else
            {
                context.Reject(
                    error: OpenIdConnectConstants.Errors.UnsupportedGrantType,
                    description: "Only resource owner password credentials and refresh token " +
                                 "are accepted by this authorization server");
            }

            return Task.FromResult(0);
        }
        public override Task ValidateTokenRequest(ValidateTokenRequestContext context)
        {
            // Policy: the OpenID Connect server middleware also understands the client
            // credentials and resource owner password credentials grants, but this provider
            // deliberately serves only authorization_code and refresh_token. Relax the check
            // below only if ROPC or client credentials are genuinely required.
            var request = context.Request;
            if (request.IsAuthorizationCodeGrantType() || request.IsRefreshTokenGrantType())
            {
                // The Cordova JavaScript application is a public client: it cannot store a
                // client secret safely, so Skip() tells the server middleware the client is
                // not trusted and the request is accepted without client authentication.
                context.Skip();
                return Task.FromResult(0);
            }

            context.Reject(
                error: OpenIdConnectConstants.Errors.UnsupportedGrantType,
                description: "Only authorization code and refresh token grant types " +
                             "are accepted by this authorization server");
            return Task.FromResult(0);
        }