/// <summary>
/// A request carrying only identity scopes ("openid email") is valid, is
/// classified as an OpenID request, and is NOT classified as a resource request.
/// </summary>
public async Task Contains_Identity_Scopes_Only()
{
    // Arrange
    var requested = ScopeValidator.ParseScopesString("openid email");
    var sut = new ScopeValidator(_store);

    // Act
    var isValid = await sut.AreScopesValidAsync(requested);

    // Assert: valid, and the validator's classification flags reflect identity-only scopes
    isValid.Should().BeTrue();
    sut.ContainsOpenIdScopes.Should().BeTrue();
    sut.ContainsResourceScopes.Should().BeFalse();
}
/// <summary>
/// A single disabled scope in an otherwise valid list fails validation as a whole;
/// the validator rejects the request instead of silently dropping the scope.
/// The other four scopes are the ones accepted by All_Scopes_Valid.
/// </summary>
public async Task Disabled_Scope()
{
    // Arrange: "disabled" is the scope expected to be rejected by _store
    var requested = ScopeValidator.ParseScopesString("openid email resource1 resource2 disabled");
    var sut = new ScopeValidator(_store);

    // Act
    var isValid = await sut.AreScopesValidAsync(requested);

    // Assert
    isValid.Should().BeFalse();
}
/// <summary>
/// Client-level validation of an authorize request: resolves the client, then checks
/// redirect_uri, flow, scopes and response_type against it, and finally defers to the
/// custom validator. Must run after protocol validation has populated ClientId.
/// </summary>
/// <returns>
/// The custom validator's result when all built-in checks pass; otherwise an
/// <c>Invalid</c> result. Checks that run before redirect_uri is verified report
/// <c>ErrorTypes.User</c>; only checks after that point report <c>ErrorTypes.Client</c>.
/// </returns>
/// <exception cref="InvalidOperationException">
/// Thrown when ClientId is missing, i.e. protocol validation has not run yet.
/// </exception>
public async Task <ValidationResult> ValidateClientAsync()
{
    Logger.Info("Start client validation");

    if (_validatedRequest.ClientId.IsMissing())
    {
        throw new InvalidOperationException("ClientId is empty. Validate protocol first.");
    }

    // Resolve the client. An unknown or disabled client is reported as a user-facing
    // error: nothing about the request (including redirect_uri) is trusted yet.
    var client = await _clients.FindClientByIdAsync(_validatedRequest.ClientId);
    if (client == null || !client.Enabled)
    {
        Logger.ErrorFormat("Unknown client or not enabled: {0}", _validatedRequest.ClientId);
        return Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient);
    }

    Logger.InfoFormat("Client found in registry: {0} / {1}", client.ClientId, client.ClientName);
    _validatedRequest.Client = client;

    // redirect_uri is verified before any ErrorTypes.Client result below. Those results
    // presumably send the browser back to redirect_uri, so returning one for an
    // unverified URI would be an open redirect — keep this check ahead of them.
    var redirectUriOk = await _uriValidator.IsRedirecUriValidAsync(_validatedRequest.RedirectUri, _validatedRequest.Client);
    if (!redirectUriOk)
    {
        Logger.ErrorFormat("Invalid redirect_uri: {0}", _validatedRequest.RedirectUri);
        return Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient);
    }

    // The flow used by the request must be the one configured for this client.
    if (_validatedRequest.Flow != _validatedRequest.Client.Flow)
    {
        Logger.ErrorFormat("Invalid flow for client: {0}", _validatedRequest.Flow);
        return Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient);
    }

    // Every requested scope must be known to the scope store (a disabled scope also
    // fails this check, per the Disabled_Scope test).
    var scopesKnown = await _scopeValidator.AreScopesValidAsync(_validatedRequest.RequestedScopes);
    if (!scopesKnown)
    {
        return Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope);
    }

    // Identity scopes (e.g. "email") are only meaningful together with "openid".
    if (_scopeValidator.ContainsOpenIdScopes && !_validatedRequest.IsOpenIdRequest)
    {
        Logger.Error("Identity related scope requests, but no openid scope");
        return Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope);
    }

    if (_scopeValidator.ContainsResourceScopes)
    {
        _validatedRequest.IsResourceRequest = true;
    }

    // Per-client scope restrictions: requesting a scope this client may not use is
    // treated as an unauthorized client, not as an invalid scope.
    if (!_scopeValidator.AreScopesAllowed(_validatedRequest.Client, _validatedRequest.RequestedScopes))
    {
        return Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient);
    }

    _validatedRequest.ValidatedScopes = _scopeValidator;

    // response_type must be plausible for the identity/resource scope mix requested.
    if (!_scopeValidator.IsResponseTypeValid(_validatedRequest.ResponseType))
    {
        return Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope);
    }

    // The custom validator gets the last word; its result is returned unchanged.
    var outcome = await _customValidator.ValidateAuthorizeRequestAsync(_validatedRequest);
    if (outcome.IsError)
    {
        Logger.Error("Error in custom validation: " + outcome.Error);
    }
    else
    {
        Logger.Info("Client validation successful");
    }

    return outcome;
}
/// <summary>
/// Identity scopes and resource scopes that all exist in the store are accepted together.
/// </summary>
public async Task All_Scopes_Valid()
{
    // Arrange
    var requested = ScopeValidator.ParseScopesString("openid email resource1 resource2");
    var sut = new ScopeValidator(_store);

    // Act
    var isValid = await sut.AreScopesValidAsync(requested);

    // Assert
    isValid.Should().BeTrue();
}
/// <summary>
/// Validates the raw <c>scope</c> parameter of an authorize request: presence, length,
/// known/enabled scopes, per-client scope restrictions, and plausibility against the
/// already-parsed <c>response_type</c>.
/// </summary>
/// <param name="request">
/// The request under validation. On the way through, <c>RequestedScopes</c>,
/// <c>IsOpenIdRequest</c>, <c>IsResourceRequest</c> and <c>ValidatedScopes</c> are populated.
/// </param>
/// <returns>
/// <c>Valid(request)</c> when every check passes; otherwise an <c>Invalid</c> result with
/// the error type and, for scope-store and restriction failures, an error code.
/// </returns>
private async Task <AuthorizeRequestValidationResult> ValidateScopeAsync(ValidatedAuthorizeRequest request)
{
    var rawScope = request.Raw.Get(Constants.AuthorizeRequest.Scope);

    // scope is required
    if (rawScope.IsMissing())
    {
        LogError("scope is missing", request);
        return Invalid(request, ErrorTypes.Client);
    }

    // Bound the untrusted input before splitting it and looking each scope up in
    // the store; this keeps an oversized scope parameter from doing per-scope work.
    if (rawScope.Length > Constants.MaxScopeLength)
    {
        LogError("scopes too long.", request);
        return Invalid(request, ErrorTypes.Client);
    }

    var parsedScopes = rawScope.FromSpaceSeparatedString().Distinct().ToList();
    request.RequestedScopes = parsedScopes;

    // Only ever promotes the flag to true; it is never cleared here.
    if (parsedScopes.Contains(Constants.StandardScopes.OpenId))
    {
        request.IsOpenIdRequest = true;
    }

    // response_type vs scope plausibility: identity-bearing response types need "openid".
    // NOTE(review): the indexer throws if response_type is absent from the map, so this
    // relies on response_type having been validated earlier — confirm against the caller.
    var requirement = Constants.ResponseTypeToScopeRequirement[request.ResponseType];
    var needsOpenId = requirement == Constants.ScopeRequirement.Identity
                   || requirement == Constants.ScopeRequirement.IdentityOnly;
    if (needsOpenId && !request.IsOpenIdRequest)
    {
        LogError("response_type requires the openid scope", request);
        return Invalid(request, ErrorTypes.Client);
    }

    // Every requested scope must be known to the scope store (a disabled scope also
    // fails this check, per the Disabled_Scope test).
    var scopesKnown = await _scopeValidator.AreScopesValidAsync(request.RequestedScopes);
    if (!scopesKnown)
    {
        return Invalid(request, ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope);
    }

    // Identity scopes (e.g. "email") are only meaningful together with "openid".
    if (_scopeValidator.ContainsOpenIdScopes && !request.IsOpenIdRequest)
    {
        LogError("Identity related scope requests, but no openid scope", request);
        return Invalid(request, ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope);
    }

    if (_scopeValidator.ContainsResourceScopes)
    {
        request.IsResourceRequest = true;
    }

    // Per-client scope restrictions: requesting a scope this client may not use is
    // reported as an unauthorized client, not as an invalid scope.
    if (!_scopeValidator.AreScopesAllowed(request.Client, request.RequestedScopes))
    {
        return Invalid(request, ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient);
    }

    request.ValidatedScopes = _scopeValidator;

    // response_type must be plausible for the identity/resource scope mix requested.
    if (!_scopeValidator.IsResponseTypeValid(request.ResponseType))
    {
        return Invalid(request, ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope);
    }

    return Valid(request);
}