/// <summary>
/// Handles success raw response from Token api call
/// </summary>
/// <param name="raw">raw</param>
/// <param name="policy">policy</param>
public DiscoveryResponse(string raw, DiscoveryPolicy policy = null)
{
if (policy == null)
{
policy = new DiscoveryPolicy();
}
IsError = false;
StatusCode = HttpStatusCode.OK;
Raw = raw;
try
{
Json = JObject.Parse(raw);
var validationError = Validate(policy);
if (!string.IsNullOrEmpty(validationError))
{
IsError = true;
Json = null;
ErrorType = ResponseErrorType.PolicyViolation;
Error = validationError;
}
}
catch (Exception ex)
{
IsError = true;
ErrorType = ResponseErrorType.Exception;
Error = ex.Message;
Exception = ex;
}
}
/// <summary>
/// Validates Endpoints
/// </summary>
/// <param name="json">json</param>
/// <param name="policy">policy</param>
/// <returns>bool</returns>
public string ValidateEndpoints(JObject json, DiscoveryPolicy policy)
{
//var authorityHost = new Uri(policy.Authority).Authority;
foreach (var element in json)
{
if (element.Key.EndsWith("Endpoint", StringComparison.OrdinalIgnoreCase) ||
element.Key.Equals(OidcConstants.Discovery.JwksUri, StringComparison.OrdinalIgnoreCase))
{
var endpoint = element.Value.ToString();
Uri uri;
var isValidUri = Uri.TryCreate(endpoint, UriKind.Absolute, out uri);
if (!isValidUri)//Uri not valid
{
return($"Malformed endpoint: {endpoint}");
}
if (!DiscoveryUrlHelper.IsValidScheme(uri))//Scheme not valid
{
return($"Malformed endpoint: {endpoint}");
}
if (!DiscoveryUrlHelper.IsSecureScheme(uri, policy))//Scheme not secure
{
return($"Endpoint does not use HTTPS: {endpoint}");
}
}
}
return(string.Empty);
}
/// <summary>
/// Validates Discovery policy
/// </summary>
/// <param name="policy">policy</param>
/// <returns>string</returns>
private string Validate(DiscoveryPolicy policy)
{
if (policy.ValidateIssuerName)
{
if (string.IsNullOrWhiteSpace(Issuer))
{
return("Issuer name is missing");
}
var isValid = ValidateIssuerName(Issuer.RemoveTrailingSlash(), policy.Authority.RemoveTrailingSlash());
if (!isValid)
{
return("Issuer name does not match authority: " + Issuer);
}
}
var error = ValidateEndpoints(Json, policy);
if (!string.IsNullOrEmpty(error))
{
return(error);
}
return(string.Empty);
}
/// <summary>
/// Validates Discovery policy
/// </summary>
/// <param name="policy">policy</param>
/// <returns>string</returns>
private string Validate(DiscoveryPolicy policy = null)
{
if (policy.ValidateIssuerName)
{
if (string.IsNullOrWhiteSpace(Issuer))
{
return("Issuer name is missing");
}
if (Issuer == OidcConstants.Discovery.IssuerUrl)//do this check only for prod/sandbox url as partners may test with e2e
{
var isValid = ValidateIssuerName(Issuer.RemoveTrailingSlash(), policy.Authority.RemoveTrailingSlash());
if (!isValid)
{
return("Issuer name does not match authority: " + Issuer);
}
}
}
var error = ValidateEndpoints(Json, policy);
if (!string.IsNullOrEmpty(error))
{
return(error);
}
return(string.Empty);
}
/// <summary>
/// Validate if url scheme is https or not
/// </summary>
/// <param name="url"></param>
/// <param name="policy"></param>
/// <returns>boolean value</returns>
public static bool IsSecureScheme(Uri url, DiscoveryPolicy policy)
{
if (policy.RequireHttps == true)
{
return(string.Equals(url.Scheme, "https", StringComparison.OrdinalIgnoreCase));
}
return(true);
}
