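/// <summary>
/// Validates the client-related parts of an authorize request: the client must
/// exist and be enabled, the redirect_uri must be registered for it, the flow
/// must match the client's configured flow, and the requested scopes must be
/// known, allowed for the client and plausible for the response_type. The
/// custom validator runs last and its result is returned.
/// </summary>
/// <returns>
/// The custom validator's result when every built-in check passes; otherwise an
/// invalid result (<c>UnauthorizedClient</c> for client/redirect/flow/scope-
/// restriction failures, <c>InvalidScope</c> for unknown or implausible scopes).
/// </returns>
/// <exception cref="InvalidOperationException">
/// Thrown when <c>ClientId</c> is missing, i.e. protocol validation has not run yet.
/// </exception>
public async Task<ValidationResult> ValidateClientAsync()
{
    Logger.Info("Start client validation");

    if (_validatedRequest.ClientId.IsMissing())
    {
        throw new InvalidOperationException("ClientId is empty. Validate protocol first.");
    }

    //////////////////////////////////////////////////////////
    // check for valid client
    //////////////////////////////////////////////////////////
    var client = await _clients.FindClientByIdAsync(_validatedRequest.ClientId);
    if (client == null || client.Enabled == false)
    {
        Logger.ErrorFormat("Unknown client or not enabled: {0}", _validatedRequest.ClientId);
        return Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient);
    }

    Logger.InfoFormat("Client found in registry: {0} / {1}", client.ClientId, client.ClientName);
    _validatedRequest.Client = client;

    //////////////////////////////////////////////////////////
    // check if redirect_uri is valid
    //////////////////////////////////////////////////////////
    // Exact match against the client's registered URIs. Keep this strict: a
    // prefix or wildcard comparison would allow codes/tokens to be delivered
    // to a URI the client never registered.
    if (!_validatedRequest.Client.RedirectUris.Contains(_validatedRequest.RedirectUri))
    {
        Logger.ErrorFormat("Invalid redirect_uri: {0}", _validatedRequest.RedirectUri);
        return Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient);
    }

    //////////////////////////////////////////////////////////
    // check if flow is allowed for client
    //////////////////////////////////////////////////////////
    if (_validatedRequest.Flow != _validatedRequest.Client.Flow)
    {
        Logger.ErrorFormat("Invalid flow for client: {0}", _validatedRequest.Flow);
        return Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient);
    }

    var scopeValidator = new ScopeValidator();

    //////////////////////////////////////////////////////////
    // check if scopes are valid/supported and check for resource scopes
    //////////////////////////////////////////////////////////
    // AreScopesValid also populates ContainsOpenIdScopes / ContainsResourceScopes,
    // which the following checks read; keep the call order.
    if (!scopeValidator.AreScopesValid(_validatedRequest.RequestedScopes, await _scopes.GetScopesAsync()))
    {
        return Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope);
    }

    if (scopeValidator.ContainsOpenIdScopes && !_validatedRequest.IsOpenIdRequest)
    {
        Logger.Error("Identity related scope requests, but no openid scope");
        return Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope);
    }

    if (scopeValidator.ContainsResourceScopes)
    {
        _validatedRequest.IsResourceRequest = true;
    }

    //////////////////////////////////////////////////////////
    // check scopes and scope restrictions
    //////////////////////////////////////////////////////////
    if (!scopeValidator.AreScopesAllowed(_validatedRequest.Client, _validatedRequest.RequestedScopes))
    {
        return Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient);
    }

    _validatedRequest.ValidatedScopes = scopeValidator;

    //////////////////////////////////////////////////////////
    // check id vs resource scopes and response types plausability
    //////////////////////////////////////////////////////////
    if (!scopeValidator.IsResponseTypeValid(_validatedRequest.ResponseType))
    {
        return Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope);
    }

    var customResult = await _customValidator.ValidateAuthorizeRequestAsync(_validatedRequest);
    if (customResult.IsError)
    {
        Logger.Error("Error in custom validation: " + customResult.Error);
    }
    else
    {
        // Only report success when the custom validator accepted the request;
        // the old unconditional log line reported success after a custom error.
        Logger.Info("Client validation successful");
    }

    return customResult;
}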
/// <summary>
/// Parses and validates the <c>scope</c> parameter of an authorize request.
/// Records the parsed scopes on <paramref name="request"/> and checks them
/// against the supported scopes, the client's scope restrictions and the
/// requirements of the request's response_type.
/// </summary>
/// <param name="request">
/// The request under validation. <c>Raw</c>, <c>ResponseType</c> and <c>Client</c>
/// are read; <c>RequestedScopes</c>, <c>IsOpenIdRequest</c>, <c>IsResourceRequest</c>
/// and <c>ValidatedScopes</c> are written as the checks progress.
/// </param>
/// <returns>A valid result, or an invalid result naming the failed check.</returns>
private async Task<AuthorizeRequestValidationResult> ValidateScopeAsync(ValidatedAuthorizeRequest request)
{
    //////////////////////////////////////////////////////////
    // scope must be present
    //////////////////////////////////////////////////////////
    var rawScope = request.Raw.Get(Constants.AuthorizeRequest.Scope);
    if (rawScope.IsMissing())
    {
        LogError("scope is missing", request);
        return Invalid(request, ErrorTypes.Client);
    }

    // Bound the parameter length before it is split and compared.
    if (rawScope.Length > Constants.MaxScopeLength)
    {
        LogError("scopes too long.", request);
        return Invalid(request, ErrorTypes.Client);
    }

    request.RequestedScopes = rawScope.FromSpaceSeparatedString().Distinct().ToList();

    // Only ever raised here, never cleared.
    if (request.RequestedScopes.Contains(Constants.StandardScopes.OpenId))
    {
        request.IsOpenIdRequest = true;
    }

    //////////////////////////////////////////////////////////
    // check scope vs response_type plausability
    //////////////////////////////////////////////////////////
    var scopeRequirement = Constants.ResponseTypeToScopeRequirement[request.ResponseType];
    var openIdRequired = scopeRequirement == Constants.ScopeRequirement.Identity
                      || scopeRequirement == Constants.ScopeRequirement.IdentityOnly;
    if (openIdRequired && !request.IsOpenIdRequest)
    {
        LogError("response_type requires the openid scope", request);
        return Invalid(request, ErrorTypes.Client);
    }

    //////////////////////////////////////////////////////////
    // check if scopes are valid/supported and check for resource scopes
    //////////////////////////////////////////////////////////
    // The validator is stateful: ContainsOpenIdScopes / ContainsResourceScopes
    // are read after this call, so the order below matters.
    var scopesValid = await _scopeValidator.AreScopesValidAsync(request.RequestedScopes);
    if (!scopesValid)
    {
        return Invalid(request, ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope);
    }

    if (!request.IsOpenIdRequest && _scopeValidator.ContainsOpenIdScopes)
    {
        LogError("Identity related scope requests, but no openid scope", request);
        return Invalid(request, ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope);
    }

    if (_scopeValidator.ContainsResourceScopes)
    {
        request.IsResourceRequest = true;
    }

    //////////////////////////////////////////////////////////
    // check scopes and scope restrictions
    //////////////////////////////////////////////////////////
    var allowedForClient = _scopeValidator.AreScopesAllowed(request.Client, request.RequestedScopes);
    if (!allowedForClient)
    {
        return Invalid(request, ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient);
    }

    request.ValidatedScopes = _scopeValidator;

    //////////////////////////////////////////////////////////
    // check id vs resource scopes and response types plausability
    //////////////////////////////////////////////////////////
    var responseTypeValid = _scopeValidator.IsResponseTypeValid(request.ResponseType);
    if (!responseTypeValid)
    {
        return Invalid(request, ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope);
    }

    return Valid(request);
}
/// <summary>
/// Validates the client-related parts of an authorize request: client lookup
/// and enabled state, redirect_uri (delegated to the URI validator), flow,
/// requested scopes and their plausibility for the response_type. Emits a
/// warning when session management is enabled but no session id is present,
/// then runs the custom validator and returns its result.
/// </summary>
/// <returns>
/// The custom validator's result when every built-in check passes; otherwise an
/// invalid result (<c>UnauthorizedClient</c> for client/redirect/flow/scope-
/// restriction failures, <c>InvalidScope</c> for unknown or implausible scopes).
/// </returns>
/// <exception cref="InvalidOperationException">
/// Thrown when <c>ClientId</c> is missing, i.e. protocol validation has not run yet.
/// </exception>
public async Task<ValidationResult> ValidateClientAsync()
{
    Logger.Info("Start authorize request client validation");

    if (_validatedRequest.ClientId.IsMissing())
    {
        throw new InvalidOperationException("ClientId is empty. Validate protocol first.");
    }

    //////////////////////////////////////////////////////////
    // check for valid client
    //////////////////////////////////////////////////////////
    var registeredClient = await _clients.FindClientByIdAsync(_validatedRequest.ClientId);
    var clientUsable = registeredClient != null && registeredClient.Enabled;
    if (!clientUsable)
    {
        LogError("Unknown client or not enabled: " + _validatedRequest.ClientId);
        return Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient);
    }

    _validatedRequest.Client = registeredClient;

    //////////////////////////////////////////////////////////
    // check if redirect_uri is valid
    //////////////////////////////////////////////////////////
    var redirectUriValid = await _uriValidator.IsRedirectUriValidAsync(_validatedRequest.RedirectUri, _validatedRequest.Client);
    if (!redirectUriValid)
    {
        LogError("Invalid redirect_uri: " + _validatedRequest.RedirectUri);
        return Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient);
    }

    //////////////////////////////////////////////////////////
    // check if flow is allowed for client
    //////////////////////////////////////////////////////////
    if (_validatedRequest.Client.Flow != _validatedRequest.Flow)
    {
        LogError("Invalid flow for client: " + _validatedRequest.Flow);
        return Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient);
    }

    //////////////////////////////////////////////////////////
    // check if scopes are valid/supported and check for resource scopes
    //////////////////////////////////////////////////////////
    // The scope validator is stateful: the Contains* properties read below are
    // populated by AreScopesValidAsync, so this call must come first.
    var scopesValid = await _scopeValidator.AreScopesValidAsync(_validatedRequest.RequestedScopes);
    if (!scopesValid)
    {
        return Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope);
    }

    if (!_validatedRequest.IsOpenIdRequest && _scopeValidator.ContainsOpenIdScopes)
    {
        LogError("Identity related scope requests, but no openid scope");
        return Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope);
    }

    if (_scopeValidator.ContainsResourceScopes)
    {
        _validatedRequest.IsResourceRequest = true;
    }

    //////////////////////////////////////////////////////////
    // check scopes and scope restrictions
    //////////////////////////////////////////////////////////
    var scopesAllowed = _scopeValidator.AreScopesAllowed(_validatedRequest.Client, _validatedRequest.RequestedScopes);
    if (!scopesAllowed)
    {
        return Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient);
    }

    _validatedRequest.ValidatedScopes = _scopeValidator;

    //////////////////////////////////////////////////////////
    // check id vs resource scopes and response types plausability
    //////////////////////////////////////////////////////////
    var responseTypeValid = _scopeValidator.IsResponseTypeValid(_validatedRequest.ResponseType);
    if (!responseTypeValid)
    {
        return Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope);
    }

    //////////////////////////////////////////////////////////
    // check if sessionId is available and if session management is enabled
    //////////////////////////////////////////////////////////
    // Warning only: a missing session id does not fail the request.
    var sessionIdMissing = _validatedRequest.SessionId.IsMissing();
    if (_options.Endpoints.EnableCheckSessionEndpoint && sessionIdMissing)
    {
        Logger.Warn("Session management is enabled, but session id cookie is missing.");
    }

    var customResult = await _customValidator.ValidateAuthorizeRequestAsync(_validatedRequest);
    if (!customResult.IsError)
    {
        LogSuccess();
    }
    else
    {
        LogError("Error in custom validation: " + customResult.Error);
    }

    return customResult;
}