public async Task <AuthorizationGrant> ExchangeTokenAsync(OpenIdConnectMessage message) { switch (message.GrantType) { case OpenIdConnectGrantTypes.AuthorizationCode: return(await _codeIssuer.ExchangeAuthorizationCodeAsync(message)); case OpenIdConnectGrantTypes.RefreshToken: return(await _refreshTokenIssuer.ExchangeRefreshTokenAsync(message)); default: return(AuthorizationGrant.Invalid(_errorProvider.InvalidGrantType(message.GrantType))); } }
public async Task <TokenRequest> CreateTokenRequestAsync(IDictionary <string, string[]> requestParameters) { var(clientId, clientIdParameterError) = RequestParametersHelper.ValidateParameterIsUnique(requestParameters, OpenIdConnectParameterNames.ClientId, _errorProvider); if (clientIdParameterError != null) { return(TokenRequest.Invalid(clientIdParameterError)); } if (!await _clientIdValidator.ValidateClientIdAsync(clientId)) { return(TokenRequest.Invalid(_errorProvider.InvalidClientId(clientId))); } var(clientSecret, clientSecretParameterError) = RequestParametersHelper.ValidateOptionalParameterIsUnique(requestParameters, OpenIdConnectParameterNames.ClientSecret, _errorProvider); if (clientSecretParameterError != null) { return(TokenRequest.Invalid(clientSecretParameterError)); } if (!await _clientIdValidator.ValidateClientCredentialsAsync(clientId, clientSecret)) { return(TokenRequest.Invalid(_errorProvider.InvalidClientCredentials())); } var(grantType, grantTypeError) = RequestParametersHelper.ValidateParameterIsUnique( requestParameters, OpenIdConnectParameterNames.GrantType, _errorProvider); if (grantTypeError != null) { return(TokenRequest.Invalid(grantTypeError)); } var grantTypeParameter = GetGrantTypeParameter(requestParameters, grantType); if (grantTypeParameter == null) { return(TokenRequest.Invalid(_errorProvider.InvalidGrantType(grantType))); } var(grantValue, grantValueError) = RequestParametersHelper.ValidateParameterIsUnique( requestParameters, grantTypeParameter, _errorProvider); if (grantValueError != null) { return(TokenRequest.Invalid(clientIdParameterError)); } var message = new OpenIdConnectMessage(requestParameters) { RequestType = OpenIdConnectRequestType.Token }; // TODO: File a bug to track we might want to redesign this if we want to consider other flows like // client credentials or resource owner credentials. var consentGrant = await _tokenManager.ExchangeTokenAsync(message); if (!consentGrant.IsValid) { return(TokenRequest.Invalid(consentGrant.Error)); } if (!_timeStampManager.IsValidPeriod(consentGrant.Token.NotBefore, consentGrant.Token.Expires)) { return(TokenRequest.Invalid(_errorProvider.InvalidLifetime())); } if (!string.Equals(clientId, consentGrant.ClientId, StringComparison.Ordinal)) { return(TokenRequest.Invalid(_errorProvider.InvalidGrant())); } var(scope, requestScopesError) = RequestParametersHelper.ValidateOptionalParameterIsUnique(requestParameters, OpenIdConnectParameterNames.Scope, _errorProvider); if (requestScopesError != null) { return(TokenRequest.Invalid(requestScopesError)); } var grantedScopes = consentGrant.GrantedScopes; var parsedScope = scope?.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries); if (parsedScope != null) { var scopeResolutionResult = await _scopeResolver.ResolveScopesAsync(clientId, parsedScope); if (!scopeResolutionResult.IsValid) { return(TokenRequest.Invalid(scopeResolutionResult.Error)); } if (grantType.Equals(OpenIdConnectGrantTypes.AuthorizationCode, StringComparison.Ordinal) || grantType.Equals(OpenIdConnectGrantTypes.RefreshToken, StringComparison.Ordinal)) { if (scopeResolutionResult.Scopes.Any(rs => !consentGrant.GrantedScopes.Contains(rs))) { return(TokenRequest.Invalid(_errorProvider.UnauthorizedScope())); } } grantedScopes = scopeResolutionResult.Scopes; } if (grantType.Equals(OpenIdConnectGrantTypes.AuthorizationCode, StringComparison.Ordinal)) { var authorizationCodeError = await ValidateAuthorizationCode( requestParameters, clientId, consentGrant); if (authorizationCodeError != null) { return(TokenRequest.Invalid(authorizationCodeError)); } } var requestGrants = new RequestGrants { Tokens = consentGrant.GrantedTokens.ToList(), Claims = consentGrant.Token.ToList(), Scopes = grantedScopes.ToList() }; return(await ValidateRequestAsync(TokenRequest.Valid( message, consentGrant.UserId, consentGrant.ClientId, requestGrants))); }