public virtual TokenResponse CreateTokenResponseFromAuthorizationCode(TokenHandle handle, ITokenHandleManager handleManager) { var resourceOwner = Principal.Create( "OAuth2", handle.ResourceOwner.ToClaims().ToArray()); var validatedRequest = new ValidatedRequest { Client = handle.Client, Application = handle.Application, Scopes = handle.Scopes }; var response = CreateTokenResponse(validatedRequest, resourceOwner); if (handle.CreateRefreshToken) { var refreshTokenHandle = TokenHandle.CreateRefreshTokenHandle( resourceOwner.GetSubject(), handle.Client, handle.Application, resourceOwner.Claims, handle.Scopes, handle.RefreshTokenExpiration); handleManager.Add(refreshTokenHandle); response.RefreshToken = refreshTokenHandle.HandleId; } handleManager.Delete(handle.HandleId); return response; }
private HttpResponseMessage ProcessAssertionGrant(ValidatedRequest validatedRequest) { ClaimsPrincipal principal; try { Tracing.Information("Calling assertion grant handler for assertion: " + validatedRequest.Assertion); principal = _assertionGrantValidator.ValidateAssertion(validatedRequest); } catch (Exception ex) { Tracing.Error("Unhandled exception in assertion grant handler: " + ex.ToString()); throw; } if (principal == null) { Tracing.Error("Assertion grant handler failed to validate assertion"); return Request.CreateOAuthErrorResponse(OAuthConstants.Errors.InvalidGrant); } var sts = new TokenService(_config.GlobalConfiguration); var response = sts.CreateTokenResponse(validatedRequest, principal); return Request.CreateTokenResponse(response); }
private HttpResponseMessage ProcessClientCredentialsRequest(ValidatedRequest validatedRequest) { Tracing.Information("Processing refresh token request"); var sts = new TokenService(_config.GlobalConfiguration); var response = sts.CreateTokenResponse(validatedRequest); return Request.CreateTokenResponse(response); }
public virtual TokenResponse CreateTokenResponseFromRefreshToken(TokenHandle handle, ITokenHandleManager handleManager) { var resourceOwner = Principal.Create( "OAuth2", handle.ResourceOwner.ToClaims().ToArray()); var validatedRequest = new ValidatedRequest { Client = handle.Client, Application = handle.Application, Scopes = handle.Scopes, }; var response = CreateTokenResponse(validatedRequest, resourceOwner); response.RefreshToken = handle.HandleId; return response; }
public virtual TokenResponse CreateTokenResponse(ValidatedRequest request, ClaimsPrincipal resourceOwner = null) { try { var claims = CreateClaims(request, resourceOwner); var token = CreateToken(request, claims); return new TokenResponse { AccessToken = WriteToken(token), ExpiresIn = request.Application.TokenLifetime * 60, TokenType = "Bearer" }; } catch (Exception ex) { Tracing.Error(ex.ToString()); throw; } }
private ActionResult PerformGrant(ValidatedRequest validatedRequest) { // implicit grant if (validatedRequest.ResponseType.Equals(OAuthConstants.ResponseTypes.Token, StringComparison.Ordinal)) { return PerformImplicitGrant(validatedRequest); } // authorization code grant if (validatedRequest.ResponseType.Equals(OAuthConstants.ResponseTypes.Code, StringComparison.Ordinal)) { return PerformAuthorizationCodeGrant(validatedRequest); } return null; }
private ActionResult PerformAuthorizationCodeGrant(ValidatedRequest validatedRequest) { var handle = StoredGrant.CreateAuthorizationCode( validatedRequest.Client, validatedRequest.Application, validatedRequest.RedirectUri.Uri, ClaimsPrincipal.Current.FilterInternalClaims(), validatedRequest.Scopes, validatedRequest.RequestingRefreshToken, validatedRequest.RequestedRefreshTokenExpiration); _handleManager.Add(handle); var tokenString = string.Format("code={0}", handle.GrantId); if (!string.IsNullOrWhiteSpace(validatedRequest.State)) { tokenString = string.Format("{0}&state={1}", tokenString, Server.UrlEncode(validatedRequest.State)); } var redirectString = string.Format("{0}?{1}", validatedRequest.RedirectUri.Uri, tokenString); return Redirect(redirectString); }
public ValidatedRequest Validate(Application application, AuthorizeRequest request) { // If the request fails due to a missing, invalid, or mismatching // redirection URI, or if the client identifier is missing or invalid, // the authorization server SHOULD inform the resource owner of the // error and MUST NOT automatically redirect the user-agent to the // invalid redirection URI. var validatedRequest = new ValidatedRequest(); // validate request model binding if (request == null) { throw new AuthorizeRequestResourceOwnerException("Invalid request parameters."); } validatedRequest.Application = application; Tracing.InformationFormat("OAuth2 application: {0} ({1})", validatedRequest.Application.Name, validatedRequest.Application.Namespace); validatedRequest.ShowRememberConsent = application.AllowRememberConsentDecision; // make sure redirect uri is present if (string.IsNullOrWhiteSpace(request.redirect_uri)) { throw new AuthorizeRequestResourceOwnerException("Missing redirect URI"); } // validate client if (string.IsNullOrWhiteSpace(request.client_id)) { throw new AuthorizeRequestResourceOwnerException("Missing client identifier"); } var client = _clientManager.Get(request.client_id); if (client == null) { throw new AuthorizeRequestResourceOwnerException("Invalid client: " + request.client_id); } validatedRequest.Client = client; Tracing.InformationFormat("Client: {0} ({1})", validatedRequest.Client.Name, validatedRequest.Client.ClientId); // make sure redirect_uri is a valid uri, and in case of http is over ssl Uri redirectUri; if (Uri.TryCreate(request.redirect_uri, UriKind.Absolute, out redirectUri)) { if (redirectUri.Scheme == Uri.UriSchemeHttp) { throw new AuthorizeRequestClientException( "Redirect URI not over SSL : " + request.redirect_uri, new Uri(request.redirect_uri), OAuthConstants.Errors.InvalidRequest, string.Empty, validatedRequest.State); } // make sure redirect uri is registered with client var validUri = validatedRequest.Client.RedirectUris.Get(request.redirect_uri); if (validUri == null) { throw new AuthorizeRequestResourceOwnerException("Invalid redirect URI: " + request.redirect_uri); } validatedRequest.RedirectUri = validUri; Tracing.InformationFormat("Redirect URI: {0} ({1})", validatedRequest.RedirectUri.Uri, validatedRequest.RedirectUri.Description); } else { var message = "Invalid redirect URI: " + request.redirect_uri; Tracing.Error(message); throw new AuthorizeRequestResourceOwnerException("Invalid redirect URI: " + request.redirect_uri); } // check state if (!string.IsNullOrWhiteSpace(request.state)) { validatedRequest.State = request.state; Tracing.Information("State: " + validatedRequest.State); } else { Tracing.Information("No state supplied."); } // validate response type if (String.IsNullOrWhiteSpace(request.response_type)) { throw new AuthorizeRequestClientException( "response_type is null or empty", new Uri(validatedRequest.RedirectUri.Uri), OAuthConstants.Errors.InvalidRequest, string.Empty, validatedRequest.State); } // check response type (only code and token are supported) if (!request.response_type.Equals(OAuthConstants.ResponseTypes.Token, StringComparison.Ordinal) && !request.response_type.Equals(OAuthConstants.ResponseTypes.Code, StringComparison.Ordinal)) { throw new AuthorizeRequestClientException( "response_type is not token or code: " + request.response_type, new Uri(validatedRequest.RedirectUri.Uri), OAuthConstants.Errors.UnsupportedResponseType, string.Empty, validatedRequest.State); } validatedRequest.ResponseType = request.response_type; Tracing.Information("Response type: " + validatedRequest.ResponseType); if (request.response_type == OAuthConstants.ResponseTypes.Code) { ValidateCodeResponseType(validatedRequest, request); } else if (request.response_type == OAuthConstants.ResponseTypes.Token) { ValidateTokenResponseType(validatedRequest, request); } else { throw new AuthorizeRequestClientException( "Invalid response_type: " + request.response_type, new Uri(validatedRequest.RedirectUri.Uri), OAuthConstants.Errors.UnsupportedResponseType, request.response_type, validatedRequest.State); } ValidateScopes(request, validatedRequest); // TODO: fix based upon past "remember me" settings validatedRequest.ShowConsent = client.RequireConsent || application.RequireConsent; Tracing.Information("Authorize request validation successful."); return validatedRequest; }
private void ValidateRefreshTokenGrant(ValidatedRequest validatedRequest, TokenRequest request) { if (_handleManager == null) { throw new ArgumentNullException("HandleManager"); } if (!validatedRequest.Client.AllowRefreshToken) { throw new TokenRequestValidationException( "Refresh tokens not allowed for client", OAuthConstants.Errors.UnauthorizedClient); } // check for refresh token if (string.IsNullOrWhiteSpace(request.Refresh_Token)) { throw new TokenRequestValidationException( "Missing refresh token", OAuthConstants.Errors.InvalidGrant); } validatedRequest.RefreshToken = request.Refresh_Token; Tracing.Information("Refresh token: " + validatedRequest.RefreshToken); // check for refresh token in datastore var handle = _handleManager.Get(validatedRequest.RefreshToken); if (handle == null) { throw new TokenRequestValidationException( "Refresh token not found: " + validatedRequest.RefreshToken, OAuthConstants.Errors.InvalidGrant); } validatedRequest.StoredGrant = handle; Tracing.Information("Token handle found: " + handle.GrantId); // make sure the refresh token has an expiration time if (validatedRequest.StoredGrant.Expiration == null) { throw new TokenRequestValidationException( "No expiration time set for refresh token. That's not allowed.", OAuthConstants.Errors.InvalidGrant); } // make sure refresh token has not expired if (DateTime.UtcNow > validatedRequest.StoredGrant.Expiration) { throw new TokenRequestValidationException( "Refresh token expired.", OAuthConstants.Errors.InvalidGrant); } // check the client binding if (handle.Client.ClientId != validatedRequest.Client.ClientId) { throw new TokenRequestValidationException( string.Format("Client {0} is trying to refresh token from {1}.", validatedRequest.Client.ClientId, handle.Client.ClientId), OAuthConstants.Errors.InvalidGrant); } }
private static void ValidateScopes(ValidatedRequest validatedRequest, TokenRequest request) { // validate scope if (string.IsNullOrWhiteSpace(request.Scope)) { throw new TokenRequestValidationException( "Missing scope", OAuthConstants.Errors.InvalidScope); } // make sure client is allowed to request all scope var requestedScopes = request.Scope.Split(' ').ToList(); List<Scope> resultingScopes; if (validatedRequest.Application.Scopes.TryValidateScopes(validatedRequest.Client.ClientId, requestedScopes, out resultingScopes)) { validatedRequest.Scopes = resultingScopes; Tracing.InformationFormat("Requested scopes: {0}", request.Scope); } else { throw new TokenRequestValidationException( "Invalid scope", OAuthConstants.Errors.InvalidScope); } }
private void ValidateAssertionGrant(ValidatedRequest validatedRequest, TokenRequest request) { ValidateScopes(validatedRequest, request); if (validatedRequest.Client.Flow != OAuthFlow.Assertion) { throw new TokenRequestValidationException( "Assertion flow not allowed for client", OAuthConstants.Errors.UnauthorizedClient); } }
private HttpResponseMessage ProcessResourceOwnerCredentialRequest(ValidatedRequest validatedRequest) { Tracing.Information("Processing resource owner credential request"); ClaimsPrincipal principal; try { principal = _rocv.Validate(validatedRequest.UserName, validatedRequest.Password); } catch (Exception ex) { Tracing.Error("Resource owner credential validation failed: " + ex.ToString()); throw; } if (principal != null && principal.Identity.IsAuthenticated) { var response = _tokenService.CreateTokenResponse(validatedRequest, principal); // check if refresh token is enabled for the client if (validatedRequest.Client.AllowRefreshToken && validatedRequest.Application.AllowRefreshToken) { var handle = StoredGrant.CreateRefreshTokenHandle( principal.GetSubject(), validatedRequest.Client, validatedRequest.Application, principal.Claims, validatedRequest.Scopes, DateTime.UtcNow.AddYears(5)); _handleManager.Add(handle); response.RefreshToken = handle.GrantId; } return Request.CreateTokenResponse(response); } else { return Request.CreateOAuthErrorResponse(OAuthConstants.Errors.InvalidGrant); } }
private HttpResponseMessage ProcessRefreshTokenRequest(ValidatedRequest validatedRequest) { Tracing.Information("Processing refresh token request"); var response = _tokenService.CreateTokenResponse(validatedRequest.StoredGrant, _handleManager); return Request.CreateTokenResponse(response); }
private HttpResponseMessage ProcessAuthorizationCodeRequest(ValidatedRequest validatedRequest) { Tracing.Information("Processing authorization code request"); var tokenService = new TokenService(_config.GlobalConfiguration); var response = tokenService.CreateTokenResponse(validatedRequest.TokenHandle, _handleManager); return Request.CreateTokenResponse(response); }
public virtual TokenResponse CreateTokenResponseFromRefreshToken(StoredGrant handle, IStoredGrantManager handleManager) { var resourceOwner = Principal.Create( "OAuth2", handle.ResourceOwner.ToClaims().ToArray()); if (DateTime.UtcNow > handle.Expiration) { throw new InvalidOperationException("Refresh token has expired."); } var validatedRequest = new ValidatedRequest { Client = handle.Client, Application = handle.Application, Scopes = handle.Scopes, }; var response = CreateTokenResponse(validatedRequest, resourceOwner); if (handle.CreateRefreshToken) { StoredGrant refreshTokenHandle; if (validatedRequest.Application.AllowSlidingRefreshTokenExpiration) { var rememberTimeSpan = handle.Expiration.Subtract(handle.Created); var newRefreshTokenExpiration = DateTime.UtcNow.Add(rememberTimeSpan); refreshTokenHandle = StoredGrant.CreateRefreshTokenHandle( resourceOwner.GetSubject(), handle.Client, handle.Application, resourceOwner.Claims, handle.Scopes, newRefreshTokenExpiration, createRefreshToken: validatedRequest.Client.AllowRefreshToken && validatedRequest.Application.AllowRefreshToken); } else { refreshTokenHandle = StoredGrant.CreateRefreshTokenHandle( resourceOwner.GetSubject(), handle.Client, handle.Application, resourceOwner.Claims, handle.Scopes, handle.Expiration, createRefreshToken: validatedRequest.Client.AllowRefreshToken && validatedRequest.Application.AllowRefreshToken); } response.RefreshToken = refreshTokenHandle.GrantId; handleManager.Add(refreshTokenHandle); handleManager.Delete(handle.GrantId); } else { response.RefreshToken = handle.GrantId; } return response; }
private void ValidateClientCredentialsGrant(ValidatedRequest validatedRequest, TokenRequest request) { if (validatedRequest.Client.Flow != OAuthFlow.Client) { throw new TokenRequestValidationException( "Client flow not allowed for client", OAuthConstants.Errors.UnsupportedGrantType); } ValidateScopes(validatedRequest, request); }
public ValidatedRequest Validate(Application application, TokenRequest request, ClaimsPrincipal clientPrincipal) { var validatedRequest = new ValidatedRequest(); // validate request model binding if (request == null) { throw new TokenRequestValidationException( "Invalid request parameters.", OAuthConstants.Errors.InvalidRequest); } validatedRequest.Application = application; Tracing.InformationFormat("OAuth2 application: {0} ({1})", validatedRequest.Application.Name, validatedRequest.Application.Namespace); // grant type is required if (string.IsNullOrWhiteSpace(request.Grant_Type)) { throw new TokenRequestValidationException( "Missing grant_type", OAuthConstants.Errors.UnsupportedGrantType); } validatedRequest.GrantType = request.Grant_Type; Tracing.Information("Grant type: " + validatedRequest.GrantType); // validate client credentials var client = ValidateClient(clientPrincipal, validatedRequest.Application); if (client == null) { throw new TokenRequestValidationException( "Invalid client: " + ClaimsPrincipal.Current.Identity.Name, OAuthConstants.Errors.InvalidClient); } validatedRequest.Client = client; Tracing.InformationFormat("Client: {0} ({1})", validatedRequest.Client.Name, validatedRequest.Client.ClientId); switch (request.Grant_Type) { case OAuthConstants.GrantTypes.AuthorizationCode: ValidateCodeGrant(validatedRequest, request); break; case OAuthConstants.GrantTypes.Password: ValidatePasswordGrant(validatedRequest, request); break; case OAuthConstants.GrantTypes.RefreshToken: ValidateRefreshTokenGrant(validatedRequest, request); break; case OAuthConstants.GrantTypes.ClientCredentials: ValidateClientCredentialsGrant(validatedRequest, request); break; default: throw new TokenRequestValidationException( "Invalid grant_type: " + request.Grant_Type, OAuthConstants.Errors.UnsupportedGrantType); } Tracing.Information("Token request validation successful."); return validatedRequest; }
private void ValidateCodeGrant(ValidatedRequest validatedRequest, TokenRequest request) { if (_handleManager == null) { throw new ArgumentNullException("HandleManager"); } if (validatedRequest.Client.Flow != OAuthFlow.Code) { throw new TokenRequestValidationException( "Code flow not allowed for client", OAuthConstants.Errors.UnsupportedGrantType); } // code needs to be present if (string.IsNullOrWhiteSpace(request.Code)) { throw new TokenRequestValidationException( "Missing authorization code", OAuthConstants.Errors.InvalidGrant); } validatedRequest.AuthorizationCode = request.Code; Tracing.Information("Authorization code: " + validatedRequest.AuthorizationCode); // check for authorization code in datastore var handle = _handleManager.Get(validatedRequest.AuthorizationCode); if (handle == null) { throw new TokenRequestValidationException( "Authorization code not found: " + validatedRequest.AuthorizationCode, OAuthConstants.Errors.InvalidGrant); } validatedRequest.TokenHandle = handle; Tracing.Information("Token handle found: " + handle.HandleId); // check the client binding if (handle.Client.ClientId != validatedRequest.Client.ClientId) { throw new TokenRequestValidationException( string.Format("Client {0} is trying to request token using an authorization code from {1}.", validatedRequest.Client.ClientId, handle.Client.ClientId), OAuthConstants.Errors.InvalidGrant); } // redirect URI is required if (string.IsNullOrWhiteSpace(request.Redirect_Uri)) { throw new TokenRequestValidationException( string.Format("Redirect URI is missing"), OAuthConstants.Errors.InvalidRequest); } // check if redirect URI from authorize and token request match if (!handle.RedirectUri.Equals(request.Redirect_Uri)) { throw new TokenRequestValidationException( string.Format("Redirect URI in token request ({0}), does not match redirect URI from authorize request ({1})", validatedRequest.RedirectUri, handle.RedirectUri), OAuthConstants.Errors.InvalidRequest); } }
private ActionResult PerformImplicitGrant(ValidatedRequest validatedRequest) { Tracing.Information("Performing implict grant"); var sts = new TokenService(this._config.GlobalConfiguration); var response = sts.CreateTokenResponse(validatedRequest, ClaimsPrincipal.Current); var tokenString = string.Format("access_token={0}&token_type={1}&expires_in={2}", response.AccessToken, response.TokenType, response.ExpiresIn); if (!string.IsNullOrWhiteSpace(validatedRequest.State)) { tokenString = string.Format("{0}&state={1}", tokenString, Server.UrlEncode(validatedRequest.State)); } var redirectString = string.Format("{0}#{1}", validatedRequest.RedirectUri.Uri, tokenString); Tracing.Information("Sending token response to redirect URI"); return Redirect(redirectString); }
protected virtual IEnumerable<Claim> CreateClaims(ValidatedRequest request, ClaimsPrincipal resourceOwner = null) { var claims = new List<Claim>(); claims.AddRange(CreateRequestClaims(request)); if (resourceOwner != null) { claims.AddRange(CreateResourceOwnerClaims(resourceOwner)); } return claims; }
private HttpResponseMessage ProcessClientCredentialsRequest(ValidatedRequest validatedRequest) { Tracing.Information("Processing refresh token request"); var response = _tokenService.CreateTokenResponse(validatedRequest); return Request.CreateTokenResponse(response); }
private void ValidateRefreshTokenGrant(ValidatedRequest validatedRequest, TokenRequest request) { if (_handleManager == null) { throw new ArgumentNullException("HandleManager"); } if (!validatedRequest.Client.AllowRefreshToken) { throw new TokenRequestValidationException( "Refresh tokens not allowed for client", OAuthConstants.Errors.UnsupportedGrantType); } // check for refresh token if (string.IsNullOrWhiteSpace(request.Refresh_Token)) { throw new TokenRequestValidationException( "Missing refresh token", OAuthConstants.Errors.InvalidGrant); } validatedRequest.RefreshToken = request.Refresh_Token; Tracing.Information("Refresh token: " + validatedRequest.RefreshToken); // check for refresh token in datastore var handle = _handleManager.Get(validatedRequest.RefreshToken); if (handle == null) { throw new TokenRequestValidationException( "Refresh token not found: " + validatedRequest.RefreshToken, OAuthConstants.Errors.InvalidGrant); } validatedRequest.TokenHandle = handle; Tracing.Information("Token handle found: " + handle.HandleId); // check the client binding if (handle.Client.ClientId != validatedRequest.Client.ClientId) { throw new TokenRequestValidationException( string.Format("Client {0} is trying to refresh token from {1}.", validatedRequest.Client.ClientId, handle.Client.ClientId), OAuthConstants.Errors.InvalidGrant); } }
private HttpResponseMessage ProcessAuthorizationCodeRequest(ValidatedRequest validatedRequest) { Tracing.Information("Processing authorization code request"); var response = _tokenService.CreateTokenResponse(validatedRequest.StoredGrant, _handleManager); return Request.CreateTokenResponse(response); }
private void ValidatePasswordGrant(ValidatedRequest validatedRequest, TokenRequest request) { if (validatedRequest.Client.Flow != OAuthFlow.ResourceOwner) { throw new TokenRequestValidationException( "Resource owner password flow not allowed for client", OAuthConstants.Errors.UnsupportedGrantType); } ValidateScopes(validatedRequest, request); // extract username and password if (string.IsNullOrWhiteSpace(request.UserName) || string.IsNullOrWhiteSpace(request.Password)) { throw new TokenRequestValidationException( "Missing Username or password.", OAuthConstants.Errors.InvalidGrant); } else { validatedRequest.UserName = request.UserName; validatedRequest.Password = request.Password; Tracing.Information("Resource owner: " + request.UserName); } }
protected virtual JwtSecurityToken CreateToken(ValidatedRequest request, IEnumerable<Claim> claims) { var token = new JwtSecurityToken( issuer: globalConfiguration.Issuer, audience: request.Application.Audience, claims: claims, lifetime: new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddMinutes(request.Application.TokenLifetime)), signingCredentials: request.Application.SigningCredentials); return token; }
private void ValidateTokenResponseType(ValidatedRequest validatedRequest, AuthorizeRequest request) { if (validatedRequest.Client.Flow != OAuthFlow.Implicit) { throw new AuthorizeRequestClientException( "response_type is not allowed: " + request.response_type, new Uri(validatedRequest.RedirectUri.Uri), OAuthConstants.Errors.UnsupportedResponseType, request.response_type, validatedRequest.State); } }
protected virtual List<Claim> CreateRequestClaims(ValidatedRequest request) { var claims = new List<Claim> { new Claim("client_id", request.Client.ClientId) }; request.Scopes.ForEach(s => claims.Add(new Claim("scope", s.Name))); return claims; }
private void ValidateCodeResponseType(ValidatedRequest validatedRequest, AuthorizeRequest request) { // make sure response type allowed for this client if (validatedRequest.Client.Flow != OAuthFlow.Code) { throw new AuthorizeRequestClientException( "response_type is not allowed: " + request.response_type, new Uri(validatedRequest.RedirectUri.Uri), OAuthConstants.Errors.UnsupportedResponseType, request.response_type, validatedRequest.State); } if (validatedRequest.Client.AllowRefreshToken && validatedRequest.Application.AllowRefreshToken) { Tracing.Information("The request allows arefresh token."); validatedRequest.RequestingRefreshToken = true; } if (validatedRequest.Client.RequireConsent || validatedRequest.Application.RequireConsent) { Tracing.Information("Consent is required."); validatedRequest.ShowConsent = true; } }
public virtual TokenResponse CreateTokenResponseFromRefreshToken(TokenHandle handle, ITokenHandleManager handleManager) { var resourceOwner = Principal.Create( "OAuth2", handle.ResourceOwner.ToClaims().ToArray()); if (DateTime.UtcNow > handle.Expiration) { throw new InvalidOperationException("Refresh token has expired."); } var validatedRequest = new ValidatedRequest { Client = handle.Client, Application = handle.Application, Scopes = handle.Scopes, }; var response = CreateTokenResponse(validatedRequest, resourceOwner); response.RefreshToken = handle.HandleId; return response; }
private static void ValidateScopes(AuthorizeRequest request, ValidatedRequest validatedRequest) { // validate scopes if (string.IsNullOrEmpty(request.scope)) { throw new AuthorizeRequestClientException( "Missing scope.", new Uri(validatedRequest.RedirectUri.Uri), OAuthConstants.Errors.InvalidScope, validatedRequest.ResponseType, validatedRequest.State); } var requestedScopes = request.scope.Split(' ').ToList(); List<Scope> resultingScopes; if (validatedRequest.Application.Scopes.TryValidateScopes(validatedRequest.Client.ClientId, requestedScopes, out resultingScopes)) { validatedRequest.Scopes = resultingScopes; Tracing.InformationFormat("Requested scopes: {0}", request.scope); } else { throw new AuthorizeRequestClientException( "Invalid scope.", new Uri(validatedRequest.RedirectUri.Uri), OAuthConstants.Errors.InvalidScope, validatedRequest.ResponseType, validatedRequest.State); } }