private async Task <bool> InvokeAuthorizationEndpointAsync() { OpenIdConnectRequest request; if (HttpMethods.IsGet(Request.Method)) { request = new OpenIdConnectRequest(Request.Query); } else if (HttpMethods.IsPost(Request.Method)) { // See http://openid.net/specs/openid-connect-core-1_0.html#FormSerialization if (string.IsNullOrEmpty(Request.ContentType)) { Logger.LogError("The authorization request was rejected because " + "the mandatory 'Content-Type' header was missing."); return(await SendAuthorizationResponseAsync(new OpenIdConnectResponse { Error = OpenIdConnectConstants.Errors.InvalidRequest, ErrorDescription = "The mandatory 'Content-Type' header must be specified." })); } // May have media/type; charset=utf-8, allow partial match. if (!Request.ContentType.StartsWith("application/x-www-form-urlencoded", StringComparison.OrdinalIgnoreCase)) { Logger.LogError("The authorization request was rejected because an invalid 'Content-Type' " + "header was specified: {ContentType}.", Request.ContentType); return(await SendAuthorizationResponseAsync(new OpenIdConnectResponse { Error = OpenIdConnectConstants.Errors.InvalidRequest, ErrorDescription = "The specified 'Content-Type' header is not valid." })); } request = new OpenIdConnectRequest(await Request.ReadFormAsync(Context.RequestAborted)); } else { Logger.LogError("The authorization request was rejected because an invalid " + "HTTP method was specified: {Method}.", Request.Method); return(await SendAuthorizationResponseAsync(new OpenIdConnectResponse { Error = OpenIdConnectConstants.Errors.InvalidRequest, ErrorDescription = "The specified HTTP method is not valid." })); } // Note: set the message type before invoking the ExtractAuthorizationRequest event. request.SetProperty(OpenIdConnectConstants.Properties.MessageType, OpenIdConnectConstants.MessageTypes.AuthorizationRequest); // Store the authorization request in the ASP.NET context. Context.SetOpenIdConnectRequest(request); var @event = new ExtractAuthorizationRequestContext(Context, Scheme, Options, request); await Provider.ExtractAuthorizationRequest(@event); if (@event.Result != null) { if (@event.Result.Handled) { Logger.LogDebug("The authorization request was handled in user code."); return(true); } else if (@event.Result.Skipped) { Logger.LogDebug("The default authorization request handling was skipped from user code."); return(false); } } else if (@event.IsRejected) { Logger.LogError("The authorization request was rejected with the following error: {Error} ; {Description}", /* Error: */ @event.Error ?? OpenIdConnectConstants.Errors.InvalidRequest, /* Description: */ @event.ErrorDescription); return(await SendAuthorizationResponseAsync(new OpenIdConnectResponse { Error = @event.Error ?? OpenIdConnectConstants.Errors.InvalidRequest, ErrorDescription = @event.ErrorDescription, ErrorUri = @event.ErrorUri })); } // Store the original redirect_uri sent by the client application for later comparison. request.SetProperty(OpenIdConnectConstants.Properties.OriginalRedirectUri, request.RedirectUri); Logger.LogInformation("The authorization request was successfully extracted " + "from the HTTP request: {Request}.", request); // client_id is mandatory parameter and MUST cause an error when missing. // See http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest if (string.IsNullOrEmpty(request.ClientId)) { Logger.LogError("The authorization request was rejected because " + "the mandatory 'client_id' parameter was missing."); return(await SendAuthorizationResponseAsync(new OpenIdConnectResponse { Error = OpenIdConnectConstants.Errors.InvalidRequest, ErrorDescription = "The mandatory 'client_id' parameter is missing." })); } // While redirect_uri was not mandatory in OAuth2, this parameter // is now declared as REQUIRED and MUST cause an error when missing. // See http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest // To keep Security.OpenIdConnect.Server compatible with pure OAuth2 clients, // an error is only returned if the request was made by an OpenID Connect client. if (string.IsNullOrEmpty(request.RedirectUri) && request.HasScope(OpenIdConnectConstants.Scopes.OpenId)) { Logger.LogError("The authorization request was rejected because " + "the mandatory 'redirect_uri' parameter was missing."); return(await SendAuthorizationResponseAsync(new OpenIdConnectResponse { Error = OpenIdConnectConstants.Errors.InvalidRequest, ErrorDescription = "The mandatory 'redirect_uri' parameter is missing." })); } if (!string.IsNullOrEmpty(request.RedirectUri)) { // Note: when specified, redirect_uri MUST be an absolute URI. // See http://tools.ietf.org/html/rfc6749#section-3.1.2 // and http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest // // Note: on Linux/macOS, "/path" URLs are treated as valid absolute file URLs. // To ensure relative redirect_uris are correctly rejected on these platforms, // an additional check using IsWellFormedOriginalString() is made here. // See https://github.com/dotnet/corefx/issues/22098 for more information. if (!Uri.TryCreate(request.RedirectUri, UriKind.Absolute, out Uri uri) || !uri.IsWellFormedOriginalString()) { Logger.LogError("The authorization request was rejected because the 'redirect_uri' parameter " + "didn't correspond to a valid absolute URL: {RedirectUri}.", request.RedirectUri); return(await SendAuthorizationResponseAsync(new OpenIdConnectResponse { Error = OpenIdConnectConstants.Errors.InvalidRequest, ErrorDescription = "The 'redirect_uri' parameter must be a valid absolute URL." })); } // Note: when specified, redirect_uri MUST NOT include a fragment component. // See http://tools.ietf.org/html/rfc6749#section-3.1.2 // and http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest if (!string.IsNullOrEmpty(uri.Fragment)) { Logger.LogError("The authorization request was rejected because the 'redirect_uri' " + "contained a URL fragment: {RedirectUri}.", request.RedirectUri); return(await SendAuthorizationResponseAsync(new OpenIdConnectResponse { Error = OpenIdConnectConstants.Errors.InvalidRequest, ErrorDescription = "The 'redirect_uri' parameter must not include a fragment." })); } } // Reject requests missing the mandatory response_type parameter. if (string.IsNullOrEmpty(request.ResponseType)) { Logger.LogError("The authorization request was rejected because " + "the mandatory 'response_type' parameter was missing."); return(await SendAuthorizationResponseAsync(new OpenIdConnectResponse { Error = OpenIdConnectConstants.Errors.InvalidRequest, ErrorDescription = "The mandatory 'response_type' parameter is missing." })); } // response_mode=query (explicit or not) and a response_type containing id_token // or token are not considered as a safe combination and MUST be rejected. // See http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#Security if (request.IsQueryResponseMode() && (request.HasResponseType(OpenIdConnectConstants.ResponseTypes.IdToken) || request.HasResponseType(OpenIdConnectConstants.ResponseTypes.Token))) { Logger.LogError("The authorization request was rejected because the 'response_type'/'response_mode' combination " + "was invalid: {ResponseType} ; {ResponseMode}.", request.ResponseType, request.ResponseMode); return(await SendAuthorizationResponseAsync(new OpenIdConnectResponse { Error = OpenIdConnectConstants.Errors.InvalidRequest, ErrorDescription = "The specified 'response_type'/'response_mode' combination is invalid." })); } // Reject OpenID Connect implicit/hybrid requests missing the mandatory nonce parameter. // See http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest, // http://openid.net/specs/openid-connect-implicit-1_0.html#RequestParameters // and http://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken. if (string.IsNullOrEmpty(request.Nonce) && request.HasScope(OpenIdConnectConstants.Scopes.OpenId) && (request.IsImplicitFlow() || request.IsHybridFlow())) { Logger.LogError("The authorization request was rejected because the mandatory 'nonce' parameter was missing."); return(await SendAuthorizationResponseAsync(new OpenIdConnectResponse { Error = OpenIdConnectConstants.Errors.InvalidRequest, ErrorDescription = "The mandatory 'nonce' parameter is missing." })); } // Reject requests containing the id_token response_type if no openid scope has been received. if (request.HasResponseType(OpenIdConnectConstants.ResponseTypes.IdToken) && !request.HasScope(OpenIdConnectConstants.Scopes.OpenId)) { Logger.LogError("The authorization request was rejected because the 'openid' scope was missing."); return(await SendAuthorizationResponseAsync(new OpenIdConnectResponse { Error = OpenIdConnectConstants.Errors.InvalidRequest, ErrorDescription = "The mandatory 'openid' scope is missing." })); } // Reject requests containing the id_token response_type if no asymmetric signing key has been registered. if (request.HasResponseType(OpenIdConnectConstants.ResponseTypes.IdToken) && !Options.SigningCredentials.Any(credentials => credentials.Key is AsymmetricSecurityKey)) { Logger.LogError("The authorization request was rejected because the 'id_token' response type could not be honored. " + "To fix this error, consider registering a X.509 signing certificate or an ephemeral signing key."); return(await SendAuthorizationResponseAsync(new OpenIdConnectResponse { Error = OpenIdConnectConstants.Errors.UnsupportedResponseType, ErrorDescription = "The specified 'response_type' is not supported by this server." })); } // Reject requests containing the code response_type if the token endpoint has been disabled. if (request.HasResponseType(OpenIdConnectConstants.ResponseTypes.Code) && !Options.TokenEndpointPath.HasValue) { Logger.LogError("The authorization request was rejected because the authorization code flow was disabled."); return(await SendAuthorizationResponseAsync(new OpenIdConnectResponse { Error = OpenIdConnectConstants.Errors.UnsupportedResponseType, ErrorDescription = "The specified 'response_type' is not supported by this server." })); } // Reject requests specifying prompt=none with consent/login or select_account. if (request.HasPrompt(OpenIdConnectConstants.Prompts.None) && (request.HasPrompt(OpenIdConnectConstants.Prompts.Consent) || request.HasPrompt(OpenIdConnectConstants.Prompts.Login) || request.HasPrompt(OpenIdConnectConstants.Prompts.SelectAccount))) { Logger.LogError("The authorization request was rejected because an invalid prompt parameter was specified."); return(await SendAuthorizationResponseAsync(new OpenIdConnectResponse { Error = OpenIdConnectConstants.Errors.InvalidRequest, ErrorDescription = "The specified 'prompt' parameter is invalid." })); } if (!string.IsNullOrEmpty(request.CodeChallenge) || !string.IsNullOrEmpty(request.CodeChallengeMethod)) { // When code_challenge or code_challenge_method is specified, ensure the response_type includes "code". if (!request.HasResponseType(OpenIdConnectConstants.ResponseTypes.Code)) { Logger.LogError("The authorization request was rejected because the response type " + "was not compatible with 'code_challenge'/'code_challenge_method'."); return(await SendAuthorizationResponseAsync(new OpenIdConnectResponse { Error = OpenIdConnectConstants.Errors.InvalidRequest, ErrorDescription = "The 'code_challenge' and 'code_challenge_method' parameters " + "can only be used with a response type containing 'code'." })); } if (!string.IsNullOrEmpty(request.CodeChallengeMethod)) { // Ensure a code_challenge was specified if a code_challenge_method was used. if (string.IsNullOrEmpty(request.CodeChallenge)) { Logger.LogError("The authorization request was rejected because the code_challenge was missing."); return(await SendAuthorizationResponseAsync(new OpenIdConnectResponse { Error = OpenIdConnectConstants.Errors.InvalidRequest, ErrorDescription = "The 'code_challenge_method' parameter " + "cannot be used without 'code_challenge'." })); } // If a code_challenge_method was specified, ensure the algorithm is supported. if (request.CodeChallengeMethod != OpenIdConnectConstants.CodeChallengeMethods.Plain && request.CodeChallengeMethod != OpenIdConnectConstants.CodeChallengeMethods.Sha256) { Logger.LogError("The authorization request was rejected because " + "the specified code challenge was not supported."); return(await SendAuthorizationResponseAsync(new OpenIdConnectResponse { Error = OpenIdConnectConstants.Errors.InvalidRequest, ErrorDescription = "The specified code_challenge_method is not supported." })); } } } var context = new ValidateAuthorizationRequestContext(Context, Scheme, Options, request); await Provider.ValidateAuthorizationRequest(context); if (context.Result != null) { if (context.Result.Handled) { Logger.LogDebug("The authorization request was handled in user code."); return(true); } else if (context.Result.Skipped) { Logger.LogDebug("The default authorization request handling was skipped from user code."); return(false); } } else if (context.IsRejected) { Logger.LogError("The authorization request was rejected with the following error: {Error} ; {Description}", /* Error: */ context.Error ?? OpenIdConnectConstants.Errors.InvalidRequest, /* Description: */ context.ErrorDescription); return(await SendAuthorizationResponseAsync(new OpenIdConnectResponse { Error = context.Error ?? OpenIdConnectConstants.Errors.InvalidRequest, ErrorDescription = context.ErrorDescription, ErrorUri = context.ErrorUri })); } // Store the validated client_id/redirect_uri as request properties. request.SetProperty(OpenIdConnectConstants.Properties.ValidatedClientId, context.ClientId) .SetProperty(OpenIdConnectConstants.Properties.ValidatedRedirectUri, context.RedirectUri); Logger.LogInformation("The authorization request was successfully validated."); var notification = new HandleAuthorizationRequestContext(Context, Scheme, Options, request); await Provider.HandleAuthorizationRequest(notification); if (notification.Result != null) { if (notification.Result.Handled) { Logger.LogDebug("The authorization request was handled in user code."); return(true); } else if (notification.Result.Skipped) { Logger.LogDebug("The default authorization request handling was skipped from user code."); return(false); } } else if (notification.IsRejected) { Logger.LogError("The authorization request was rejected with the following error: {Error} ; {Description}", /* Error: */ notification.Error ?? OpenIdConnectConstants.Errors.InvalidRequest, /* Description: */ notification.ErrorDescription); return(await SendAuthorizationResponseAsync(new OpenIdConnectResponse { Error = notification.Error ?? OpenIdConnectConstants.Errors.InvalidRequest, ErrorDescription = notification.ErrorDescription, ErrorUri = notification.ErrorUri })); } // If an authentication ticket was provided, stop processing // the request and return an authorization response. var ticket = notification.Ticket; if (ticket == null) { return(false); } return(await SignInAsync(ticket)); }
/// <summary> /// Represents an event called for each request to the authorization endpoint to give the user code /// a chance to manually extract the authorization request from the ambient HTTP context. /// </summary> /// <param name="context">The context instance associated with this event.</param> /// <returns>A <see cref="Task"/> that can be used to monitor the asynchronous operation.</returns> public virtual Task ExtractAuthorizationRequest(ExtractAuthorizationRequestContext context) => OnExtractAuthorizationRequest(context);