public async Task<CustomGrantValidationResult> ValidateAsync(ValidatedTokenRequest request)
{
var legacyAccountStoreType = request.Raw.Get("account_store");
var id = request.Raw.Get("legacy_id");
var secret = request.Raw.Get("legacy_secret");
if (string.IsNullOrWhiteSpace(legacyAccountStoreType) ||
string.IsNullOrWhiteSpace(id) ||
string.IsNullOrWhiteSpace(secret))
{
Logger.Error("malformed request");
return null;
}
var message = new SignInMessage { Tenant = legacyAccountStoreType };
var context = new LocalAuthenticationContext
{
UserName = id, Password = secret,
SignInMessage = message
};
await _users.AuthenticateLocalAsync(context);
var result = context.AuthenticateResult;
if (result.IsError)
{
Logger.Error("authentication failed");
return new CustomGrantValidationResult("Authentication failed.");
}
return new CustomGrantValidationResult(
result.User.GetSubjectId(),
"custom",
result.User.Claims);
}
public TokenRequestValidationLog(ValidatedTokenRequest request)
{
const string scrubValue = "******";
Raw = request.Raw.ToDictionary();
if (Raw.ContainsKey(Constants.TokenRequest.Password))
{
Raw[Constants.TokenRequest.Password] = scrubValue;
}
if (request.Client != null)
{
ClientId = request.Client.ClientId;
ClientName = request.Client.ClientName;
}
if (request.Scopes != null)
{
Scopes = request.Scopes.ToSpaceSeparatedString();
}
if (request.SignInMessage != null)
{
IdP = request.SignInMessage.IdP;
Tenant = request.SignInMessage.Tenant;
AuthenticationContextReferenceClasses = request.SignInMessage.AcrValues;
}
GrantType = request.GrantType;
AuthorizationCode = request.AuthorizationCodeHandle;
RefreshToken = request.RefreshTokenHandle;
UserName = request.UserName;
}
public async Task <CustomGrantValidationResult> ValidateAsync(ValidatedTokenRequest request)
{
var validator = _validators.FirstOrDefault(v => v.GrantType.Equals(request.GrantType, StringComparison.Ordinal));
if (validator == null)
{
return(new CustomGrantValidationResult
{
IsError = true,
Error = "No validator found for grant type"
});
}
try
{
return(await validator.ValidateAsync(request));
}
catch (Exception e)
{
Logger.Error("Grant validation error:" + e.Message);
return(new CustomGrantValidationResult
{
IsError = true,
Error = "Grant validation error",
});
}
}
public async Task<CustomGrantValidationResult> ValidateAsync(ValidatedTokenRequest request)
{
var validator = _validators.FirstOrDefault(v => v.GrantType.Equals(request.GrantType, StringComparison.Ordinal));
if (validator == null)
{
return new CustomGrantValidationResult
{
IsError = true,
Error = "No validator found for grant type"
};
}
try
{
return await validator.ValidateAsync(request);
}
catch (Exception e)
{
Logger.Error("Grant validation error:" + e.Message);
return new CustomGrantValidationResult
{
IsError = true,
Error = "Grant validation error",
};
}
}
/// <summary>
/// Custom validation logic for the token request.
/// </summary>
/// <param name="request">The validated request.</param>
/// <returns>
/// The validation result
/// </returns>
public Task<TokenRequestValidationResult> ValidateTokenRequestAsync(ValidatedTokenRequest request)
{
return Task.FromResult(new TokenRequestValidationResult
{
IsError = false
});
}
public async Task Valid_Custom_Grant_Multiple_Validator()
{
var validator = new CustomGrantValidator(new List<ICustomGrantValidator>
{
new TestGrantValidator(),
new TestGrantValidator2()
});
var request = new ValidatedTokenRequest
{
GrantType = "custom_grant"
};
var result = await validator.ValidateAsync(request);
result.IsError.Should().BeFalse();
result.Principal.Should().NotBeNull();
result.Principal.GetSubjectId().Should().Be("bob");
result.Principal.GetAuthenticationMethod().Should().Be("CustomGrant");
request.GrantType = "custom_grant2";
result = await validator.ValidateAsync(request);
result.IsError.Should().BeFalse();
result.Principal.Should().NotBeNull();
result.Principal.GetSubjectId().Should().Be("alice");
result.Principal.GetAuthenticationMethod().Should().Be("CustomGrant2");
}
Task<CustomGrantValidationResult> ICustomGrantValidator.ValidateAsync(ValidatedTokenRequest request)
{
CustomGrantValidationResult grantResult = null;
var param = request.Raw.Get("token");
if (string.IsNullOrWhiteSpace(param))
{
grantResult = new CustomGrantValidationResult(Constants.TokenErrors.InvalidRequest);
}
var result = _validator.ValidateAccessTokenAsync(param).Result;
if (result.IsError)
{
grantResult = new CustomGrantValidationResult(result.Error);
}
var subjectClaim = result.Claims.FirstOrDefault(x => x.Type == "sub");
if(subjectClaim == null)
{
grantResult = new CustomGrantValidationResult(Constants.TokenErrors.InvalidRequest);
}
if (grantResult == null)
{
grantResult = new CustomGrantValidationResult(subjectClaim.Value, "access_token");
}
return Task.FromResult(grantResult);
}
public Task<TokenResponse> GenerateAsync(ValidatedTokenRequest request, TokenResponse response)
{
response.Custom.Add("custom_field", "custom data");
response.Custom.Add("custom_complex_field", new ResponsePoco { SomeString = "foo", SomeInt = 42 });
return Task.FromResult(response);
}
Task<CustomGrantValidationResult> ICustomGrantValidator.ValidateAsync(ValidatedTokenRequest request)
{
var param = request.Raw.Get("some_custom_parameter");
if (string.IsNullOrWhiteSpace(param))
{
return Task.FromResult<CustomGrantValidationResult>(
new CustomGrantValidationResult("Missing parameters."));
}
return Task.FromResult(new CustomGrantValidationResult("bob", "customGrant"));
}
private async Task<TokenResponse> ProcessAuthorizationCodeRequestAsync(ValidatedTokenRequest request)
{
Logger.Info("Processing authorization code request");
//////////////////////////
// access token
/////////////////////////
var accessToken = await CreateAccessTokenAsync(request);
var response = new TokenResponse
{
AccessToken = accessToken.Item1,
AccessTokenLifetime = request.Client.AccessTokenLifetime
};
if (request.RequestedTokenType == RequestedTokenTypes.PoP)
{
response.TokenType = Constants.ResponseTokenTypes.PoP;
response.Algorithm = request.ProofKeyAlgorithm;
}
//////////////////////////
// refresh token
/////////////////////////
if (accessToken.Item2.IsPresent())
{
response.RefreshToken = accessToken.Item2;
}
//////////////////////////
// id token
/////////////////////////
if (request.AuthorizationCode.IsOpenId)
{
var tokenRequest = new TokenCreationRequest
{
Subject = request.AuthorizationCode.Subject,
Client = request.AuthorizationCode.Client,
Scopes = request.AuthorizationCode.RequestedScopes,
Nonce = request.AuthorizationCode.Nonce,
ValidatedRequest = request
};
var idToken = await _tokenService.CreateIdentityTokenAsync(tokenRequest);
var jwt = await _tokenService.CreateSecurityTokenAsync(idToken);
response.IdentityToken = jwt;
}
return response;
}
public Task<CustomGrantValidationResult> ValidateAsync(ValidatedTokenRequest request)
{
var credential = request.Raw.Get("custom_credential");
if (credential != null)
{
// valid credential
return Task.FromResult(new CustomGrantValidationResult("818727", "custom"));
}
else
{
// custom error message
return Task.FromResult(new CustomGrantValidationResult("invalid custom credential"));
}
}
public async Task<TokenResponse> ProcessAsync(ValidatedTokenRequest request)
{
Logger.Info("Creating token response");
if (request.GrantType == Constants.GrantTypes.AuthorizationCode)
{
return await ProcessAuthorizationCodeRequestAsync(request);
}
if (request.GrantType == Constants.GrantTypes.RefreshToken)
{
return await ProcessRefreshTokenRequestAsync(request);
}
return await ProcessTokenRequestAsync(request);
}
public async Task <CustomGrantValidationResult> ValidateAsync(ValidatedTokenRequest request)
{
var validator = _validators.FirstOrDefault(v => v.GrantType.Equals(request.GrantType, StringComparison.Ordinal));
if (validator != null)
{
return(await validator.ValidateAsync(request));
}
else
{
return(new CustomGrantValidationResult
{
IsError = true,
ErrorDescription = "No validator found for grant type"
});
}
}
public async Task<CustomGrantValidationResult> ValidateAsync(ValidatedTokenRequest request)
{
var validator = _validators.FirstOrDefault(v => v.GrantType.Equals(request.GrantType, StringComparison.Ordinal));
if (validator != null)
{
return await validator.ValidateAsync(request);
}
else
{
return new CustomGrantValidationResult
{
IsError = true,
ErrorDescription = "No validator found for grant type"
};
}
}
public async Task Valid_Custom_Grant_Validator_Throws_Exception()
{
var validatorThrowingException = new Mock<ICustomGrantValidator>();
validatorThrowingException.Setup(y => y.ValidateAsync(It.IsAny<ValidatedTokenRequest>())).Throws(new Exception("Random validation error"));
validatorThrowingException.Setup(y => y.GrantType).Returns("custom_grant");
var validator = new CustomGrantValidator(new[] { validatorThrowingException.Object});
var request = new ValidatedTokenRequest
{
GrantType = validator.GetAvailableGrantTypes().Single()
};
var result = await validator.ValidateAsync(request);
result.IsError.Should().BeTrue();
result.Error.Should().Be("Grant validation error");
result.Principal.Should().BeNull();
}
public async Task<TokenResponse> ProcessAsync(ValidatedTokenRequest request)
{
Logger.Info("Creating token response");
TokenResponse response;
if (request.GrantType == Constants.GrantTypes.AuthorizationCode)
{
response = await ProcessAuthorizationCodeRequestAsync(request);
}
else if (request.GrantType == Constants.GrantTypes.RefreshToken)
{
response = await ProcessRefreshTokenRequestAsync(request);
}
else
{
response = await ProcessTokenRequestAsync(request);
}
return await _customResponseGenerator.GenerateAsync(request, response);
}
/// <summary>
/// Custom response generation
/// </summary>
/// <param name="request">The validated request.</param>
/// <param name="response">The standard token response.</param>
/// <returns>The custom token response.</returns>
public Task<TokenResponse> GenerateAsync(ValidatedTokenRequest request, TokenResponse response)
{
return Task.FromResult(response);
}
public async Task Unknown_Custom_Grant_Multiple_Validator()
{
var validator = new CustomGrantValidator(new List<ICustomGrantValidator>
{
new TestGrantValidator(),
new TestGrantValidator2()
});
var request = new ValidatedTokenRequest
{
GrantType = "unknown"
};
var result = await validator.ValidateAsync(request);
result.IsError.Should().BeTrue();
}
public Task<TokenResponse> GenerateAsync(ValidatedTokenRequest request, TokenResponse response)
{
response.Custom.Add("custom_field", "custom data");
return Task.FromResult(response);
}
public async Task Empty_Validator_List()
{
var validator = new CustomGrantValidator(new List<ICustomGrantValidator>());
var request = new ValidatedTokenRequest
{
GrantType = "something"
};
var result = await validator.ValidateAsync(request);
result.IsError.Should().BeTrue();
}
private async Task<Tuple<string, string>> CreateAccessTokenAsync(ValidatedTokenRequest request)
{
TokenCreationRequest tokenRequest;
bool createRefreshToken;
if (request.AuthorizationCode != null)
{
createRefreshToken = request.AuthorizationCode.RequestedScopes.Select(s => s.Name).Contains(Constants.StandardScopes.OfflineAccess);
tokenRequest = new TokenCreationRequest
{
Subject = request.AuthorizationCode.Subject,
Client = request.AuthorizationCode.Client,
Scopes = request.AuthorizationCode.RequestedScopes,
ValidatedRequest = request
};
}
else
{
createRefreshToken = request.ValidatedScopes.ContainsOfflineAccessScope;
tokenRequest = new TokenCreationRequest
{
Subject = request.Subject,
Client = request.Client,
Scopes = request.ValidatedScopes.GrantedScopes,
ValidatedRequest = request
};
}
Token accessToken = await _tokenService.CreateAccessTokenAsync(tokenRequest);
string refreshToken = "";
if (createRefreshToken)
{
refreshToken = await _refreshTokenService.CreateRefreshTokenAsync(tokenRequest.Subject, accessToken, request.Client);
}
var securityToken = await _tokenService.CreateSecurityTokenAsync(accessToken);
return Tuple.Create(securityToken, refreshToken);
}
private static ValidatedTokenRequest Request(string assertion)
{
var request = new ValidatedTokenRequest()
{
Raw = new NameValueCollection()
};
request.Raw["assertion"] = assertion;
return request;
}
private async Task<TokenResponse> ProcessTokenRequestAsync(ValidatedTokenRequest request)
{
Logger.Info("Processing token request");
var accessToken = await CreateAccessTokenAsync(request);
var response = new TokenResponse
{
AccessToken = accessToken.Item1,
AccessTokenLifetime = request.Client.AccessTokenLifetime
};
if (accessToken.Item2.IsPresent())
{
response.RefreshToken = accessToken.Item2;
}
return response;
}
private async Task<TokenResponse> ProcessRefreshTokenRequestAsync(ValidatedTokenRequest request)
{
Logger.Info("Processing refresh token request");
var oldAccessToken = request.RefreshToken.AccessToken;
string accessTokenString;
if (request.Client.UpdateAccessTokenClaimsOnRefresh)
{
var subject = request.RefreshToken.GetOriginalSubject();
var creationRequest = new TokenCreationRequest
{
Client = request.Client,
Subject = subject,
ValidatedRequest = request,
Scopes = await _scopes.FindScopesAsync(oldAccessToken.Scopes)
};
var newAccessToken = await _tokenService.CreateAccessTokenAsync(creationRequest);
accessTokenString = await _tokenService.CreateSecurityTokenAsync(newAccessToken);
}
else
{
oldAccessToken.CreationTime = DateTimeOffsetHelper.UtcNow;
oldAccessToken.Lifetime = request.Client.AccessTokenLifetime;
accessTokenString = await _tokenService.CreateSecurityTokenAsync(oldAccessToken);
}
var handle = await _refreshTokenService.UpdateRefreshTokenAsync(request.RefreshTokenHandle, request.RefreshToken, request.Client);
return new TokenResponse
{
AccessToken = accessTokenString,
AccessTokenLifetime = request.Client.AccessTokenLifetime,
RefreshToken = handle
};
}
public void ValidateAsync_Given_Missing_Assertion_Should_Throw_ArgumentNullException()
{
// Given
var request = new ValidatedTokenRequest();
// When, Then
Assert.Throws(Is.TypeOf<ArgumentNullException>().And.Message.Contains("SAML response not found"), async () => await underTest.ValidateAsync(request));
}
public async Task<TokenRequestValidationResult> ValidateRequestAsync(NameValueCollection parameters, Client client)
{
Logger.Info("Start token request validation");
_validatedRequest = new ValidatedTokenRequest();
if (client == null)
{
throw new ArgumentNullException("client");
}
if (parameters == null)
{
throw new ArgumentNullException("parameters");
}
_validatedRequest.Raw = parameters;
_validatedRequest.Client = client;
_validatedRequest.Options = _options;
/////////////////////////////////////////////
// check grant type
/////////////////////////////////////////////
var grantType = parameters.Get(Constants.TokenRequest.GrantType);
if (grantType.IsMissing())
{
LogError("Grant type is missing.");
return Invalid(Constants.TokenErrors.UnsupportedGrantType);
}
if (grantType.Length > _options.InputLengthRestrictions.GrantType)
{
LogError("Grant type is too long.");
return Invalid(Constants.TokenErrors.UnsupportedGrantType);
}
_validatedRequest.GrantType = grantType;
// standard grant types
switch (grantType)
{
case Constants.GrantTypes.AuthorizationCode:
return await RunValidationAsync(ValidateAuthorizationCodeRequestAsync, parameters);
case Constants.GrantTypes.ClientCredentials:
return await RunValidationAsync(ValidateClientCredentialsRequestAsync, parameters);
case Constants.GrantTypes.Password:
return await RunValidationAsync(ValidateResourceOwnerCredentialRequestAsync, parameters);
case Constants.GrantTypes.RefreshToken:
return await RunValidationAsync(ValidateRefreshTokenRequestAsync, parameters);
}
// custom grant type
var result = await RunValidationAsync(ValidateCustomGrantRequestAsync, parameters);
if (result.IsError)
{
if (result.Error.IsPresent())
{
return result;
}
LogError("Unsupported grant_type: " + grantType);
return Invalid(Constants.TokenErrors.UnsupportedGrantType);
}
return result;
}
private async Task<TokenResponse> ProcessRefreshTokenRequestAsync(ValidatedTokenRequest request)
{
Logger.Info("Processing refresh token request");
var oldAccessToken = request.RefreshToken.AccessToken;
string accessTokenString;
// if pop request, claims must be updated because we need a fresh proof token
if (request.Client.UpdateAccessTokenClaimsOnRefresh || request.RequestedTokenType == RequestedTokenTypes.PoP)
{
var subject = request.RefreshToken.GetOriginalSubject();
var creationRequest = new TokenCreationRequest
{
Client = request.Client,
Subject = subject,
ValidatedRequest = request,
Scopes = await _scopes.FindScopesAsync(oldAccessToken.Scopes),
};
// if pop request, embed proof token
if (request.RequestedTokenType == RequestedTokenTypes.PoP)
{
creationRequest.ProofKey = GetProofKey(request);
}
var newAccessToken = await _tokenService.CreateAccessTokenAsync(creationRequest);
accessTokenString = await _tokenService.CreateSecurityTokenAsync(newAccessToken);
}
else
{
var copy = new Token(oldAccessToken);
copy.CreationTime = DateTimeOffsetHelper.UtcNow;
copy.Lifetime = request.Client.AccessTokenLifetime;
accessTokenString = await _tokenService.CreateSecurityTokenAsync(copy);
}
var handle = await _refreshTokenService.UpdateRefreshTokenAsync(request.RefreshTokenHandle, request.RefreshToken, request.Client);
var response = new TokenResponse
{
AccessToken = accessTokenString,
AccessTokenLifetime = request.Client.AccessTokenLifetime,
RefreshToken = handle
};
if (request.RequestedTokenType == RequestedTokenTypes.PoP)
{
response.TokenType = Constants.ResponseTokenTypes.PoP;
response.Algorithm = request.ProofKeyAlgorithm;
}
return response;
}
private string GetProofKey(ValidatedTokenRequest request)
{
// for now we only support client generated proof keys
return request.ProofKey;
}
public async Task <TokenRequestValidationResult> ValidateRequestAsync(NameValueCollection parameters, Client client)
{
Logger.Info("Start token request validation");
_validatedRequest = new ValidatedTokenRequest();
if (client == null)
{
throw new ArgumentNullException("client");
}
if (parameters == null)
{
throw new ArgumentNullException("parameters");
}
_validatedRequest.Raw = parameters;
_validatedRequest.Client = client;
_validatedRequest.Options = _options;
/////////////////////////////////////////////
// check grant type
/////////////////////////////////////////////
var grantType = parameters.Get(Constants.TokenRequest.GrantType);
if (grantType.IsMissing())
{
LogError("Grant type is missing.");
return(Invalid(Constants.TokenErrors.UnsupportedGrantType));
}
if (grantType.Length > _options.InputLengthRestrictions.GrantType)
{
LogError("Grant type is too long.");
return(Invalid(Constants.TokenErrors.UnsupportedGrantType));
}
_validatedRequest.GrantType = grantType;
// standard grant types
switch (grantType)
{
case Constants.GrantTypes.AuthorizationCode:
return(await RunValidationAsync(ValidateAuthorizationCodeRequestAsync, parameters));
case Constants.GrantTypes.ClientCredentials:
return(await RunValidationAsync(ValidateClientCredentialsRequestAsync, parameters));
case Constants.GrantTypes.Password:
return(await RunValidationAsync(ValidateResourceOwnerCredentialRequestAsync, parameters));
case Constants.GrantTypes.RefreshToken:
return(await RunValidationAsync(ValidateRefreshTokenRequestAsync, parameters));
}
// custom grant type
var result = await RunValidationAsync(ValidateCustomGrantRequestAsync, parameters);
if (result.IsError)
{
if (result.Error.IsPresent())
{
return(result);
}
LogError("Unsupported grant_type: " + grantType);
return(Invalid(Constants.TokenErrors.UnsupportedGrantType));
}
return(result);
}
public Task<CustomGrantValidationResult> ValidateAsync(ValidatedTokenRequest request)
{
return Task.FromResult(new CustomGrantValidationResult("alice", "CustomGrant2"));
}
public Task<CustomGrantValidationResult> ValidateAsync(ValidatedTokenRequest request)
{
return Task.FromResult<CustomGrantValidationResult>(null);
}
