public Task<ValidationResult> ValidateAuthorizeRequestAsync(ValidatedAuthorizeRequest request)
{
return Task.FromResult(new ValidationResult
{
IsError = false
});
}
public async Task<AuthorizeResponse> CreateCodeFlowResponseAsync(ValidatedAuthorizeRequest request, ClaimsPrincipal subject)
{
var code = new AuthorizationCode
{
Client = request.Client,
Subject = subject,
IsOpenId = request.IsOpenIdRequest,
RequestedScopes = request.ValidatedScopes.GrantedScopes,
RedirectUri = request.RedirectUri,
WasConsentShown = request.WasConsentShown,
RefreshTokenLifetime = request.Client.RefreshTokenLifetime
};
// store id token and access token and return authorization code
var id = Guid.NewGuid().ToString("N");
await _authorizationCodes.StoreAsync(id, code);
return new AuthorizeResponse
{
RedirectUri = request.RedirectUri,
Code = id,
State = request.State
};
}
public async Task<AuthorizeResponse> CreateImplicitFlowResponseAsync(ValidatedAuthorizeRequest request)
{
string accessTokenValue = null;
int accessTokenLifetime = 0;
if (request.IsResourceRequest)
{
var accessToken = await _tokenService.CreateAccessTokenAsync(request.Subject, request.Client, request.ValidatedScopes.GrantedScopes, request.Raw);
accessTokenLifetime = accessToken.Lifetime;
accessTokenValue = await _tokenService.CreateSecurityTokenAsync(accessToken);
}
string jwt = null;
if (request.IsOpenIdRequest)
{
var idToken = await _tokenService.CreateIdentityTokenAsync(request.Subject, request.Client, request.ValidatedScopes.GrantedScopes, !request.AccessTokenRequested, request.Raw, accessTokenValue);
jwt = await _tokenService.CreateSecurityTokenAsync(idToken);
}
return new AuthorizeResponse
{
RedirectUri = request.RedirectUri,
AccessToken = accessTokenValue,
AccessTokenLifetime = accessTokenLifetime,
IdentityToken = jwt,
State = request.State,
Scope = request.ValidatedScopes.GrantedScopes.ToSpaceSeparatedString()
};
}
public AuthorizeRequestValidator(ICoreSettings core, ILogger logger, IUserService users, ICustomRequestValidator customValidator)
{
_core = core;
_logger = logger;
_users = users;
_customValidator = customValidator;
_validatedRequest = new ValidatedAuthorizeRequest();
_validatedRequest.CoreSettings = _core;
}
public AuthorizeRequestValidator(IdentityServerOptions options, IScopeStore scopes, IClientStore clients, ICustomRequestValidator customValidator)
{
_options = options;
_scopes = scopes;
_clients = clients;
_customValidator = customValidator;
_validatedRequest = new ValidatedAuthorizeRequest();
_validatedRequest.IdentityServerOptions = _options;
}
public AuthorizeRequestValidator(CoreSettings core, IScopeService scopes, IClientService clients, IUserService users, ICustomRequestValidator customValidator)
{
_core = core;
_scopes = scopes;
_clients = clients;
_users = users;
_customValidator = customValidator;
_validatedRequest = new ValidatedAuthorizeRequest();
_validatedRequest.CoreSettings = _core;
}
public void ProcessConsentAsync_AllowsNullConsent()
{
var request = new ValidatedAuthorizeRequest()
{
ResponseMode = Constants.ResponseModes.Fragment,
State = "12345",
RedirectUri = new Uri("https://client.com/callback"),
PromptMode = Constants.PromptModes.Consent
};
var result = subject.ProcessConsentAsync(request, null).Result;
}
private async Task<IHttpActionResult> CreateImplicitFlowAuthorizeResponseAsync(ValidatedAuthorizeRequest request)
{
var response = await _responseGenerator.CreateImplicitFlowResponseAsync(request);
// create form post response if responseMode is set form_post
if (request.ResponseMode == Constants.ResponseModes.FormPost)
{
return this.AuthorizeImplicitFormPostResponse(response);
}
return this.AuthorizeImplicitFragmentResponse(response);
}
private async Task<IHttpActionResult> CreateCodeFlowAuthorizeResponseAsync(ValidatedAuthorizeRequest request)
{
var response = await _responseGenerator.CreateCodeFlowResponseAsync(request, User as ClaimsPrincipal);
return this.AuthorizeCodeResponse(response);
}
private async Task<IHttpActionResult> CreateAuthorizeResponseAsync(ValidatedAuthorizeRequest request)
{
if (request.Flow == Flows.Implicit)
{
return await CreateImplicitFlowAuthorizeResponseAsync(request);
}
if (request.Flow == Flows.Code)
{
return await CreateCodeFlowAuthorizeResponseAsync(request);
}
Logger.Error("Unsupported flow. Aborting.");
throw new InvalidOperationException("Unsupported flow");
}
private IHttpActionResult CreateConsentResult(
ValidatedAuthorizeRequest validatedRequest,
UserConsent consent,
NameValueCollection requestParameters,
string errorMessage)
{
var env = Request.GetOwinEnvironment();
var consentModel = new ConsentViewModel()
{
SiteName = _options.SiteName,
SiteUrl = env.GetIdentityServerBaseUrl(),
ErrorMessage = errorMessage,
CurrentUser = User.GetName(),
ClientName = validatedRequest.Client.ClientName,
ClientUrl = validatedRequest.Client.ClientUri,
ClientLogoUrl = validatedRequest.Client.LogoUri.AbsoluteUri,
IdentityScopes = validatedRequest.GetIdentityScopes(),
ApplicationScopes = validatedRequest.GetApplicationScopes(),
AllowRememberConsent = validatedRequest.Client.AllowRememberConsent,
RememberConsent = consent != null ? consent.RememberConsent : true,
LoginWithDifferentAccountUrl = Url.Route(Constants.RouteNames.Oidc.SwitchUser, null) + "?" + requestParameters.ToQueryString(),
LogoutUrl = Url.Route(Constants.RouteNames.Oidc.EndSession, null),
ConsentUrl = Url.Route(Constants.RouteNames.Oidc.Consent, null) + "?" + requestParameters.ToQueryString()
};
return new ConsentActionResult(_viewService, env, consentModel);
}
public LoginInteractionResponse ProcessLogin(ValidatedAuthorizeRequest request, ClaimsPrincipal user)
{
// pass through display mode to signin service
if (request.DisplayMode.IsPresent())
{
_signIn.DisplayMode = request.DisplayMode;
}
// pass through ui locales to signin service
if (request.UiLocales.IsPresent())
{
_signIn.UiLocales = request.UiLocales;
}
// check login_hint - we only support idp: right now
if (request.LoginHint.IsPresent())
{
if (request.LoginHint.StartsWith("idp:"))
{
_signIn.IdP = request.LoginHint.Substring(4);
}
}
if (request.PromptMode == Constants.PromptModes.Login)
{
// remove prompt so when we redirect back in from login page
// we won't think we need to force a prompt again
request.Raw.Remove(Constants.AuthorizeRequest.Prompt);
return(new LoginInteractionResponse
{
SignInMessage = _signIn
});
}
// unauthenticated user
if (!user.Identity.IsAuthenticated)
{
// prompt=none means user must be signed in already
if (request.PromptMode == Constants.PromptModes.None)
{
return(new LoginInteractionResponse
{
Error = new AuthorizeError
{
ErrorType = ErrorTypes.Client,
Error = Constants.AuthorizeErrors.LoginRequired,
ResponseMode = request.ResponseMode,
ErrorUri = request.RedirectUri,
State = request.State
}
});
}
return(new LoginInteractionResponse
{
SignInMessage = _signIn
});
}
// check authentication freshness
if (request.MaxAge.HasValue)
{
var authTime = user.GetAuthenticationTime();
if (DateTime.UtcNow > authTime.AddSeconds(request.MaxAge.Value))
{
return(new LoginInteractionResponse
{
SignInMessage = _signIn
});
}
}
return(new LoginInteractionResponse());
}
public void ProcessConsentAsync_NoPromptMode_ConsentServiceRequiresConsent_ConsentNotGranted_ReturnsErrorResult()
{
RequiresConsent(true);
var request = new ValidatedAuthorizeRequest()
{
ResponseMode = Constants.ResponseModes.Fragment,
State = "12345",
RedirectUri = new Uri("https://client.com/callback"),
};
var consent = new UserConsent
{
Button = "no",
RememberConsent = false,
Scopes = new string[] { "read", "write" }
};
var result = subject.ProcessConsentAsync(request, consent).Result;
Assert.IsTrue(request.WasConsentShown);
Assert.IsTrue(result.IsError);
Assert.AreEqual(ErrorTypes.Client, result.Error.ErrorType);
Assert.AreEqual(Constants.AuthorizeErrors.AccessDenied, result.Error.Error);
AssertErrorReturnsRequestValues(result.Error, request);
AssertUpdateConsentNotCalled();
}
public async Task <ConsentInteractionResponse> ProcessConsentAsync(ValidatedAuthorizeRequest request, UserConsent consent = null)
{
if (request == null)
{
throw new ArgumentNullException("request");
}
if (request.PromptMode != null &&
request.PromptMode != Constants.PromptModes.None &&
request.PromptMode != Constants.PromptModes.Consent)
{
throw new ArgumentException("Invalid PromptMode");
}
var consentRequired = await _consent.RequiresConsentAsync(request.Client, request.Subject, request.RequestedScopes);
if (consentRequired && request.PromptMode == Constants.PromptModes.None)
{
return(new ConsentInteractionResponse
{
Error = new AuthorizeError
{
ErrorType = ErrorTypes.Client,
Error = Constants.AuthorizeErrors.InteractionRequired,
ResponseMode = request.ResponseMode,
ErrorUri = request.RedirectUri,
State = request.State
}
});
}
if (request.PromptMode == Constants.PromptModes.Consent || consentRequired)
{
var response = new ConsentInteractionResponse();
// did user provide consent
if (consent == null)
{
// user was not yet shown conset screen
response.IsConsent = true;
}
else
{
request.WasConsentShown = true;
// user was shown consent -- did they say yes or no
if (consent.WasConsentGranted == false)
{
// no need to show consent screen again
// build access denied error to return to client
response.Error = new AuthorizeError {
ErrorType = ErrorTypes.Client,
Error = Constants.AuthorizeErrors.AccessDenied,
ResponseMode = request.ResponseMode,
ErrorUri = request.RedirectUri,
State = request.State
};
}
else
{
// they said yes, set scopes they chose
request.ValidatedScopes.SetConsentedScopes(consent.ScopedConsented);
if (!request.ValidatedScopes.GrantedScopes.Any())
{
// they said yes, but didn't pick any scopes
// show consent again and provide error message
response.IsConsent = true;
response.ConsentError = Messages.MustSelectAtLeastOnePermission;
}
else if (request.Client.AllowRememberConsent)
{
// remember consent
var scopes = Enumerable.Empty <string>();
if (consent.RememberConsent)
{
// remember what user actually selected
scopes = request.ValidatedScopes.GrantedScopes.Select(x => x.Name);
}
await _consent.UpdateConsentAsync(request.Client, request.Subject, scopes);
}
}
}
return(response);
}
return(new ConsentInteractionResponse());
}
public async Task<InteractionResponse> ProcessConsentAsync(ValidatedAuthorizeRequest request, UserConsent consent)
{
if (request.PromptMode == Constants.PromptModes.Consent ||
await _consent.RequiresConsentAsync(request.Client, request.Subject, request.RequestedScopes))
{
var response = new InteractionResponse();
// did user provide consent
if (consent == null)
{
// user was not yet shown conset screen
response.IsConsent = true;
}
else
{
request.WasConsentShown = true;
// user was shown consent -- did they say yes or no
if (consent.WasConsentGranted == false)
{
// no need to show consent screen again
// build access denied error to return to client
response.IsError = true;
response.Error = new AuthorizeError {
ErrorType = ErrorTypes.Client,
Error = Constants.AuthorizeErrors.AccessDenied,
ResponseMode = request.ResponseMode,
ErrorUri = request.RedirectUri,
State = request.State
};
}
else
{
// they said yes, set scopes they chose
request.ValidatedScopes.SetConsentedScopes(consent.ScopedConsented);
if (!request.ValidatedScopes.GrantedScopes.Any())
{
// they said yes, but didn't pick any scopes
// show consent again and provide error message
response.IsConsent = true;
response.ConsentError = "Must select at least one permission.";
}
if (request.Client.AllowRememberConsent)
{
// remember consent
var scopes = Enumerable.Empty<string>();
if (consent.RememberConsent)
{
// remember what user actually selected
scopes = request.ValidatedScopes.GrantedScopes.Select(x => x.Name);
}
await _consent.UpdateConsentAsync(request.Client, request.Subject, scopes);
}
}
}
return response;
}
return new InteractionResponse();
}
private void AssertErrorReturnsRequestValues(AuthorizeError error, ValidatedAuthorizeRequest request)
{
Assert.AreEqual(request.ResponseMode, error.ResponseMode);
Assert.AreEqual(request.RedirectUri, error.ErrorUri);
Assert.AreEqual(request.State, error.State);
}
public void ProcessConsentAsync_AllowConsentSelected_SavesConsent()
{
RequiresConsent(true);
var client = new Client { AllowRememberConsent = true };
var user = new ClaimsPrincipal();
var request = new ValidatedAuthorizeRequest()
{
ResponseMode = Constants.ResponseModes.Fragment,
State = "12345",
RedirectUri = new Uri("https://client.com/callback"),
ValidatedScopes = new ScopeValidator(),
Client = client,
Subject = user
};
request.ValidatedScopes.AreScopesValid(new string[] { "read", "write" }, TestScopes.Get());
var consent = new UserConsent
{
Button = "yes",
RememberConsent = true,
Scopes = new string[] { "read" }
};
var result = subject.ProcessConsentAsync(request, consent).Result;
AssertUpdateConsentCalled(client, user, "read");
}
public void ProcessConsentAsync_PromptModeConsent_ConsentGranted_ScopesSelected_ReturnsConsentResult()
{
RequiresConsent(true);
var request = new ValidatedAuthorizeRequest()
{
ResponseMode = Constants.ResponseModes.Fragment,
State = "12345",
RedirectUri = new Uri("https://client.com/callback"),
ValidatedScopes = new ScopeValidator(),
Client = new Client { }
};
request.ValidatedScopes.AreScopesValid(new string[] { "read", "write" }, TestScopes.Get());
var consent = new UserConsent
{
Button = "yes",
RememberConsent = false,
Scopes = new string[] { "read" }
};
var result = subject.ProcessConsentAsync(request, consent).Result;
Assert.AreEqual(1, request.ValidatedScopes.GrantedScopes.Count);
Assert.AreEqual(request.ValidatedScopes.GrantedScopes.First().Name, "read");
Assert.IsTrue(request.WasConsentShown);
Assert.IsFalse(result.IsConsent);
AssertUpdateConsentNotCalled();
}
public void ProcessConsentAsync_NoPromptMode_ConsentServiceRequiresConsent_ConsentGranted_NoScopesSelected_ReturnsConsentResult()
{
RequiresConsent(true);
var request = new ValidatedAuthorizeRequest()
{
ResponseMode = Constants.ResponseModes.Fragment,
State = "12345",
RedirectUri = new Uri("https://client.com/callback"),
ValidatedScopes = new ScopeValidator(),
Client = new Client { }
};
var consent = new UserConsent
{
Button = "yes",
RememberConsent = false,
Scopes = new string[] { }
};
var result = subject.ProcessConsentAsync(request, consent).Result;
Assert.IsTrue(request.WasConsentShown);
Assert.IsTrue(result.IsConsent);
Assert.AreEqual(Messages.MustSelectAtLeastOnePermission, result.ConsentError);
AssertUpdateConsentNotCalled();
}
private IHttpActionResult CreateConsentResult(
ValidatedAuthorizeRequest validatedRequest,
NameValueCollection requestParameters,
string errorMessage)
{
var consentModel = new ConsentModel(validatedRequest, requestParameters);
string name = User.GetName();
return new EmbeddedHtmlResult(
Request,
new LayoutModel
{
Server = _settings.SiteName,
ErrorMessage = errorMessage,
Page = "consent",
Username = name,
SwitchUrl = Url.Route("switch", null) + "?" + requestParameters.ToQueryString(),
PageModel = consentModel
});
}
public void ProcessConsentAsync_RequiresConsentButPromptModeIsNone_ReturnsErrorResult()
{
RequiresConsent(true);
var request = new ValidatedAuthorizeRequest()
{
ResponseMode = Constants.ResponseModes.Fragment,
State = "12345",
RedirectUri = new Uri("https://client.com/callback"),
PromptMode = Constants.PromptModes.None
};
var result = subject.ProcessConsentAsync(request).Result;
Assert.IsFalse(request.WasConsentShown);
Assert.IsTrue(result.IsError);
Assert.AreEqual(ErrorTypes.Client, result.Error.ErrorType);
Assert.AreEqual(Constants.AuthorizeErrors.InteractionRequired, result.Error.Error);
AssertErrorReturnsRequestValues(result.Error, request);
AssertUpdateConsentNotCalled();
}
public void ProcessConsentAsync_NoPromptMode_ConsentServiceRequiresConsent_NoPriorConsent_ReturnsConsentResult()
{
RequiresConsent(true);
var request = new ValidatedAuthorizeRequest()
{
ResponseMode = Constants.ResponseModes.Fragment,
State = "12345",
RedirectUri = new Uri("https://client.com/callback"),
PromptMode = Constants.PromptModes.Consent
};
var result = subject.ProcessConsentAsync(request).Result;
Assert.IsFalse(request.WasConsentShown);
Assert.IsTrue(result.IsConsent);
AssertUpdateConsentNotCalled();
}
public InteractionResponse ProcessLogin(ValidatedAuthorizeRequest request, ClaimsPrincipal user)
{
// pass through display mode to signin service
if (request.DisplayMode.IsPresent())
{
_signIn.DisplayMode = request.DisplayMode;
}
// pass through ui locales to signin service
if (request.UiLocales.IsPresent())
{
_signIn.UILocales = request.UiLocales;
}
if (request.PromptMode == Constants.PromptModes.Login)
{
// remove prompt so when we redirect back in from login page
// we won't think we need to force a prompt again
request.Raw.Remove(Constants.AuthorizeRequest.Prompt);
return new InteractionResponse
{
IsLogin = true,
SignInMessage = _signIn
};
}
// unauthenticated user
if (!user.Identity.IsAuthenticated)
{
// prompt=none means user must be signed in already
if (request.PromptMode == Constants.PromptModes.None)
{
return new InteractionResponse
{
IsError = true,
Error = new AuthorizeError
{
ErrorType = ErrorTypes.Client,
Error = Constants.AuthorizeErrors.InteractionRequired,
ResponseMode = request.ResponseMode,
ErrorUri = request.RedirectUri,
State = request.State
}
};
}
return new InteractionResponse
{
IsLogin = true,
SignInMessage = _signIn
};
}
// check authentication freshness
if (request.MaxAge.HasValue)
{
var authTime = user.GetAuthenticationTime();
if (DateTime.UtcNow > authTime.AddSeconds(request.MaxAge.Value))
{
return new InteractionResponse
{
IsLogin = true,
SignInMessage = _signIn
};
}
}
return new InteractionResponse();
}
public void ProcessConsentAsync_PromptModeIsLogin_Throws()
{
RequiresConsent(true);
var request = new ValidatedAuthorizeRequest()
{
ResponseMode = Constants.ResponseModes.Fragment,
State = "12345",
RedirectUri = new Uri("https://client.com/callback"),
PromptMode = Constants.PromptModes.Login
};
try
{
var result = subject.ProcessConsentAsync(request).Result;
Assert.Fail();
}
catch (AggregateException ex)
{
var ex2 = ex.InnerException;
StringAssert.Contains(ex2.Message, "PromptMode");
}
}
