private ActionResult PerformImplicitGrant(AuthorizeRequest request, Client client) { var sts = new STS(); TokenResponse tokenResponse; if (sts.TryIssueToken( new EndpointReference(request.scope), ClaimsPrincipal.Current, Configuration.Global.DefaultHttpTokenType, out tokenResponse)) { var tokenString = string.Format("access_token={0}&token_type={1}&expires_in={2}", tokenResponse.AccessToken, tokenResponse.TokenType, tokenResponse.ExpiresIn); if (!string.IsNullOrEmpty(request.state)) { tokenString = string.Format("{0}&state={1}", tokenString, Server.UrlEncode(request.state)); } var redirectString = string.Format("{0}#{1}", client.RedirectUri.AbsoluteUri, tokenString); return(Redirect(redirectString)); } // return right error code return(ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, request.response_type, request.state)); }
private ActionResult CheckRequest(AuthorizeRequest request, out Client client) { // validate client if (!Clients.TryGetClient(request.client_id, out client)) { ViewBag.Message = "Invalid client_id : " + request.client_id; return View("Error"); } // validate redirect uri if (string.IsNullOrEmpty(request.redirect_uri) || !string.Equals(request.redirect_uri, client.RedirectUri.AbsoluteUri, StringComparison.OrdinalIgnoreCase)) { ViewBag.Message = "The redirect_uri in the request: " + request.redirect_uri + " did not match a registered redirect URI."; return View("Error"); } // validate scope (must be a valid URI) Uri uri; if (!Uri.TryCreate(request.scope, UriKind.Absolute, out uri)) { return Error(client.RedirectUri, OAuth2Constants.Errors.InvalidScope, request.state); } return null; }
private ActionResult CheckRequest(AuthorizeRequest request, out Client client) { // validate client if (!Clients.TryGetClient(request.client_id, out client)) { ViewBag.Message = "Invalid client_id : " + request.client_id; return(View("Error")); } // validate redirect uri if (string.IsNullOrEmpty(request.redirect_uri) || !string.Equals(request.redirect_uri, client.RedirectUri.AbsoluteUri, StringComparison.OrdinalIgnoreCase)) { ViewBag.Message = "The redirect_uri in the request: " + request.redirect_uri + " did not match a registered redirect URI."; return(View("Error")); } // validate scope (must be a valid URI) Uri uri; if (!Uri.TryCreate(request.scope, UriKind.Absolute, out uri)) { return(Error(client.RedirectUri, OAuth2Constants.Errors.InvalidScope, request.state)); } return(null); }
public ActionResult HandleConsentResponse(string button, AuthorizeRequest request) { Client client; var error = CheckRequest(request, out client); if (error != null) { return(error); } if (button == "no") { return(ClientError(client.RedirectUri, OAuth2Constants.Errors.AccessDenied, request.response_type, request.state)); } if (button == "yes") { var grantResult = PerformGrant(request, client); if (grantResult != null) { return(grantResult); } } // todo: return appropiate error return(ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, request.response_type, request.state)); }
public ActionResult HandleRequest(AuthorizeRequest request) { // // first round of validation: // missing, invalid, or mismatching redirection URI or // missing or invalid client id // show error page to user // Client client; var error = CheckRequest(request, out client); if (error != null) { return(error); } // implicit grant if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Token, StringComparison.Ordinal) || request.response_type.Equals(OAuth2Constants.ResponseTypes.Code, StringComparison.Ordinal)) { if (Configuration.OAuth2.EnableConsent) { RelyingParty rp; if (RPRepository.TryGet(request.scope, out rp)) { // show resource name, uri and client name // client is trying to access resource on your behalf var vm = new OAuth2ConsentViewModel { ResourceUri = rp.Realm.AbsoluteUri, ResourceName = rp.Name, ClientName = client.ClientId }; return(View("ShowConsent", vm)); } } else { var grantResult = PerformGrant(request, client); if (grantResult != null) { return(grantResult); } } } // todo: return appropiate error return(Error(client.RedirectUri, OAuth2Constants.Errors.UnsupportedResponseType, request.state)); }
public ActionResult HandleRequest(AuthorizeRequest request) { Tracing.Information("OAuth2 HandleRequest endpoint invoked"); // check client Client client; var error = CheckRequest(request, out client); if (error != null) { return(error); } RelyingParty rp; if (!RPRepository.TryGet(request.scope, out rp)) { Tracing.Error("RP not found for scope : " + request.scope); return(ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidScope, request.response_type, request.state)); } if (Configuration.OAuth2.EnableConsent) { // show resource name, uri and client name // client is trying to access resource on your behalf var vm = new OAuth2ConsentViewModel { ResourceUri = rp.Realm.AbsoluteUri, ResourceName = rp.Name, ClientName = client.ClientId, RefreshTokenEnabled = client.AllowRefreshToken }; return(View("ShowConsent", vm)); } else { var grantResult = PerformGrant(request, client); if (grantResult != null) { return(grantResult); } } // we don't know exactly why, so use ServerError Tracing.Error("Authorization Endpoint failed"); return(ClientError(client.RedirectUri, OAuth2Constants.Errors.ServerError, request.response_type, request.state)); }
private ActionResult PerformGrant(AuthorizeRequest request, Client client) { // implicit grant if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Token, StringComparison.Ordinal)) { return(PerformImplicitGrant(request, client)); } // authorization code grant if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Code, StringComparison.Ordinal)) { return(PerformAuthorizationCodeGrant(request, client)); } return(null); }
private ActionResult PerformAuthorizationCodeGrant(AuthorizeRequest request, Client client) { var code = CodeTokenRepository.AddCode(CodeTokenType.AuthorizationCode, client.ID, ClaimsPrincipal.Current.Identity.Name, request.scope); var tokenString = string.Format("code={0}", code); if (!string.IsNullOrEmpty(request.state)) { tokenString = string.Format("{0}&state={1}", tokenString, Server.UrlEncode(request.state)); } var redirectString = string.Format("{0}?{1}", client.RedirectUri.AbsoluteUri, tokenString); return(Redirect(redirectString)); }
public ActionResult HandleRequest(AuthorizeRequest request) { // // first round of validation: // missing, invalid, or mismatching redirection URI or // missing or invalid client id // show error page to user // Client client; var error = CheckRequest(request, out client); if (error != null) return error; // implicit grant if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Token, StringComparison.Ordinal) || request.response_type.Equals(OAuth2Constants.ResponseTypes.Code, StringComparison.Ordinal)) { if (Configuration.OAuth2.EnableConsent) { RelyingParty rp; if (RPRepository.TryGet(request.scope, out rp)) { // show resource name, uri and client name // client is trying to access resource on your behalf var vm = new OAuth2ConsentViewModel { ResourceUri = rp.Realm.AbsoluteUri, ResourceName = rp.Name, ClientName = client.ClientId }; return View("ShowConsent", vm); } } else { var grantResult = PerformGrant(request, client); if (grantResult != null) return grantResult; } } // todo: return appropiate error return Error(client.RedirectUri, OAuth2Constants.Errors.UnsupportedResponseType, request.state); }
protected bool TryValidateRequest(AuthorizeRequest request, out ValidatedRequest validatedRequest, out ActionResult failedResult) { validatedRequest = null; failedResult = null; try { var validator = new AuthorizeRequestValidator(Clients); validatedRequest = validator.Validate(request); return true; } catch (AuthorizeRequestValidationException ex) { failedResult = this.AuthorizeValidationError(ex); return false; } }
public ActionResult Index(AuthorizeRequest request) { Tracing.Start("OIDC Authorize Endpoint"); ValidatedRequest validatedRequest; ActionResult failedResult; if (!TryValidateRequest(request, out validatedRequest, out failedResult)) { Tracing.Error("Aborting OAuth2 authorization request"); return failedResult; } if (validatedRequest.Client.RequireConsent) { return ShowConsent(validatedRequest); } return PerformGrant(validatedRequest); }
public ActionResult HandleRequest(AuthorizeRequest request) { logger.Info("OAuth2 HandleRequest endpoint invoked"); // check client Client client; var error = CheckRequest(request, out client); if (error != null) return error; RelyingParty rp; if (!RPRepository.TryGet(request.scope, out rp)) { logger.Error("RP not found for scope : " + request.scope); return ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidScope, request.response_type, request.state); } if (Configuration.OAuth2.EnableConsent) { // show resource name, uri and client name // client is trying to access resource on your behalf var vm = new OAuth2ConsentViewModel { ResourceUri = rp.Realm.AbsoluteUri, ResourceName = rp.Name, ClientName = client.ClientId, RefreshTokenEnabled = client.AllowRefreshToken }; return View("ShowConsent", vm); } else { var grantResult = PerformGrant(request, client); if (grantResult != null) return grantResult; } // we don't know exactly why, so use ServerError logger.Error("Authorization Endpoint failed"); return ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, request.response_type, request.state); }
public ActionResult Index(AuthorizeRequest request) { Tracing.Start("OIDC Authorize Endpoint"); ValidatedRequest validatedRequest; try { var validator = new AuthorizeRequestValidator(Clients); validatedRequest = validator.Validate(request); } catch (AuthorizeRequestValidationException ex) { Tracing.Error("Aborting OAuth2 authorization request"); return this.AuthorizeValidationError(ex); } // consent - todo return PerformGrant(validatedRequest); }
public ActionResult HandleRequest(AuthorizeRequest request) { // check client Client client; var error = CheckRequest(request, out client); if (error != null) return error; if (Configuration.OAuth2.EnableConsent) { RelyingParty rp; if (RPRepository.TryGet(request.scope, out rp)) { // show resource name, uri and client name // client is trying to access resource on your behalf var vm = new OAuth2ConsentViewModel { ResourceUri = rp.Realm.AbsoluteUri, ResourceName = rp.Name, ClientName = client.ClientId, RefreshTokenEnabled = client.AllowRefreshToken }; return View("ShowConsent", vm); } else { // unknown RP - error out return ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidScope, request.response_type, request.state); } } else { var grantResult = PerformGrant(request, client); if (grantResult != null) return grantResult; } return ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, request.response_type, request.state); }
public ActionResult HandleConsent(AuthorizeRequest request, string button, string[] selectedScopes) { Tracing.Start("OIDC consent response"); ValidatedRequest validatedRequest; ActionResult failedResult; if (!TryValidateRequest(request, out validatedRequest, out failedResult)) { Tracing.Error("Aborting OIDC consent response"); return failedResult; } if (button == "allow") { var vm = new OidcViewModel(validatedRequest); vm.SetScopes(selectedScopes); return PerformGrant(vm.ValidatedRequest); } else { return DenyGrant(validatedRequest); } }
private ActionResult CheckRequest(AuthorizeRequest request, out Client client) { if (request == null) { client = null; ViewBag.Message = "Invalid request parameters"; Tracing.Error(ViewBag.Message); return(View("Error")); } // validate client if (!Clients.TryGetClient(request.client_id, out client)) { ViewBag.Message = "Invalid client_id : " + request.client_id; Tracing.Error(ViewBag.Message); return(View("Error")); } // validate redirect uri if (string.IsNullOrEmpty(request.redirect_uri) || !string.Equals(request.redirect_uri, client.RedirectUri.AbsoluteUri, StringComparison.OrdinalIgnoreCase)) { ViewBag.Message = "The redirect_uri in the request: " + request.redirect_uri + " did not match a registered redirect URI."; Tracing.Error(ViewBag.Message); return(View("Error")); } Uri redirectUrl; if (Uri.TryCreate(request.redirect_uri, UriKind.Absolute, out redirectUrl)) { if (redirectUrl.Scheme == Uri.UriSchemeHttp) { Tracing.Error("Redirect URI not over SSL : " + request.redirect_uri); return(ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, string.Empty, request.state)); } } else { Tracing.Error("Redirect URI not a valid URI : " + request.redirect_uri); return(ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, string.Empty, request.state)); } if (String.IsNullOrWhiteSpace(request.response_type)) { Tracing.Error("response_type is null or empty"); return(ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, string.Empty, request.state)); } // check response type (only code and token are supported) if (!request.response_type.Equals(OAuth2Constants.ResponseTypes.Token, StringComparison.Ordinal) && !request.response_type.Equals(OAuth2Constants.ResponseTypes.Code, StringComparison.Ordinal)) { Tracing.Error("response_type is not token or code: " + request.response_type); return(ClientError(client.RedirectUri, OAuth2Constants.Errors.UnsupportedResponseType, string.Empty, request.state)); } // validate scope (must be a valid URI) Uri uri; if (!Uri.TryCreate(request.scope, UriKind.Absolute, out uri)) { Tracing.Error("scope is not a URI: " + request.scope); return(ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidScope, request.response_type, request.state)); } // validate if request grant type is allowed for client (implicit vs code flow) if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Token) && !client.AllowImplicitFlow) { Tracing.Error("response_type is token and client does not allow implicit flow. client: " + client.Name); return(ClientError(client.RedirectUri, OAuth2Constants.Errors.UnsupportedResponseType, request.response_type, request.state)); } if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Code) && !client.AllowCodeFlow) { Tracing.Error("response_type is code and client does not allow code flow. client: " + client.Name); return(ClientError(client.RedirectUri, OAuth2Constants.Errors.UnsupportedResponseType, request.response_type, request.state)); } return(null); }
private void ValidateCodeResponseType(ValidatedRequest validatedRequest, AuthorizeRequest request) { if (validatedRequest.Client.Flow != OpenIdConnectFlows.AuthorizationCode) { throw new AuthorizeRequestClientException( "response_type is not allowed: " + request.response_type, new Uri(validatedRequest.RedirectUri), OAuth2Constants.Errors.UnsupportedResponseType, request.response_type, validatedRequest.State); } }
private ActionResult HandleImplicitGrant(AuthorizeRequest request, Client client) { var sts = new STS(); TokenResponse tokenResponse; if (sts.TryIssueToken( new EndpointReference(request.scope), ClaimsPrincipal.Current, Configuration.Global.DefaultHttpTokenType, out tokenResponse)) { var redirectString = string.Format("{0}#access_token={1}&token_type={2}&expires_in={3}", client.RedirectUri.AbsoluteUri, tokenResponse.AccessToken, tokenResponse.TokenType, tokenResponse.ExpiresIn); if (!string.IsNullOrEmpty(request.state)) { redirectString = string.Format("{0}&state={1}", redirectString, request.state); } return Redirect(redirectString); } // return right error code return Error(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, request.state); }
private ActionResult HandleAuthorizationCodeGrant(AuthorizeRequest request, Client client) { throw new System.NotImplementedException(); }
private ActionResult PerformAuthorizationCodeGrant(AuthorizeRequest request, Client client) { var code = CodeTokenRepository.AddCode(CodeTokenType.AuthorizationCode, client.ID, ClaimsPrincipal.Current.Identity.Name, request.scope); var tokenString = string.Format("code={0}", code); if (!string.IsNullOrEmpty(request.state)) { tokenString = string.Format("{0}&state={1}", tokenString, Server.UrlEncode(request.state)); } var redirectString = string.Format("{0}?{1}", client.RedirectUri.AbsoluteUri, tokenString); return Redirect(redirectString); }
private ActionResult PerformGrant(AuthorizeRequest request, Client client) { // implicit grant if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Token, StringComparison.Ordinal)) { return HandleImplicitGrant(request, client); } // authorization code grant if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Code, StringComparison.Ordinal)) { return HandleAuthorizationCodeGrant(request, client); } return null; }
public ActionResult HandleResponse(string button, AuthorizeRequest request) { Client client; var error = CheckRequest(request, out client); if (error != null) return error; if (button == "no") { return Error(client.RedirectUri, OAuth2Constants.Errors.AccessDenied, request.state); } if (button == "yes") { var grantResult = PerformGrant(request, client); if (grantResult != null) return grantResult; } // todo: return appropiate error return Error(client.RedirectUri, OAuth2Constants.Errors.UnsupportedResponseType, request.state); }
public ActionResult HandleRequest(AuthorizeRequest request) { Client client; ActionResult actionResult1 = this.CheckRequest(request, out client); if (actionResult1 != null) return actionResult1; if (request.response_type.Equals("token", StringComparison.Ordinal) || request.response_type.Equals("code", StringComparison.Ordinal)) { if (this.Configuration.OAuth2.EnableConsent) { RelyingParty relyingParty; if (this.RPRepository.TryGet(request.scope, out relyingParty)) return (ActionResult) this.View("ShowConsent", (object) new OAuth2ConsentViewModel() { ResourceUri = relyingParty.Realm.AbsoluteUri, ResourceName = relyingParty.Name, ClientName = client.ClientId }); } else { ActionResult actionResult2 = this.PerformGrant(request, client); if (actionResult2 != null) return actionResult2; } } return this.Error(client.RedirectUri, "unsupported_response_type", request.state); }
public ActionResult HandleResponse(string button, AuthorizeRequest request) { Client client; ActionResult actionResult1 = this.CheckRequest(request, out client); if (actionResult1 != null) return actionResult1; if (button == "no") return this.Error(client.RedirectUri, "access_denied", request.state); if (button == "yes") { ActionResult actionResult2 = this.PerformGrant(request, client); if (actionResult2 != null) return actionResult2; } return this.Error(client.RedirectUri, "unsupported_response_type", request.state); }
private ActionResult PerformGrant(AuthorizeRequest request, Client client) { if (request.response_type.Equals("token", StringComparison.Ordinal)) return this.HandleImplicitGrant(request, client); if (request.response_type.Equals("code", StringComparison.Ordinal)) return this.HandleAuthorizationCodeGrant(request, client); else return (ActionResult) null; }
private ActionResult HandleImplicitGrant(AuthorizeRequest request, Client client) { TokenResponse response; if (!new STS().TryIssueToken(new EndpointReference(request.scope), ClaimsPrincipal.Current, this.Configuration.Global.DefaultHttpTokenType, out response)) return this.Error(client.RedirectUri, "invalid_request", request.state); string str = string.Format("access_token={0}&token_type={1}&expires_in={2}", (object) response.AccessToken, (object) response.TokenType, (object) response.ExpiresIn); if (!string.IsNullOrEmpty(request.state)) str = string.Format("{0}&state={1}", (object) str, (object) request.state); return (ActionResult) this.Redirect(string.Format("{0}#{1}", (object) client.RedirectUri.AbsoluteUri, (object) str)); }
private void ValidateTokenResponseType(ValidatedRequest validatedRequest, AuthorizeRequest request) { throw new NotImplementedException(); }
private ActionResult CheckRequest(AuthorizeRequest request, out Client client) { if (request == null) { client = null; ViewBag.Message = "Invalid request parameters"; Tracing.Error(ViewBag.Message); return View("Error"); } // validate client if (!Clients.TryGetClient(request.client_id, out client)) { ViewBag.Message = "Invalid client_id : " + request.client_id; Tracing.Error(ViewBag.Message); return View("Error"); } // validate redirect uri if (string.IsNullOrEmpty(request.redirect_uri) || !string.Equals(request.redirect_uri, client.RedirectUri.AbsoluteUri, StringComparison.OrdinalIgnoreCase)) { ViewBag.Message = "The redirect_uri in the request: " + request.redirect_uri + " did not match a registered redirect URI."; Tracing.Error(ViewBag.Message); return View("Error"); } Uri redirectUrl; if (Uri.TryCreate(request.redirect_uri, UriKind.Absolute, out redirectUrl)) { if (redirectUrl.Scheme == Uri.UriSchemeHttp) { Tracing.Error("Redirect URI not over SSL : " + request.redirect_uri); return ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, string.Empty, request.state); } } else { Tracing.Error("Redirect URI not a valid URI : " + request.redirect_uri); return ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, string.Empty, request.state); } if (String.IsNullOrWhiteSpace(request.response_type)) { Tracing.Error("response_type is null or empty"); return ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidRequest, string.Empty, request.state); } // check response type (only code and token are supported) if (!request.response_type.Equals(OAuth2Constants.ResponseTypes.Token, StringComparison.Ordinal) && !request.response_type.Equals(OAuth2Constants.ResponseTypes.Code, StringComparison.Ordinal)) { Tracing.Error("response_type is not token or code: " + request.response_type); return ClientError(client.RedirectUri, OAuth2Constants.Errors.UnsupportedResponseType, string.Empty, request.state); } // validate scope (must be a valid URI) Uri uri; if (!Uri.TryCreate(request.scope, UriKind.Absolute, out uri)) { Tracing.Error("scope is not a URI: " + request.scope); return ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidScope, request.response_type, request.state); } // validate if request grant type is allowed for client (implicit vs code flow) if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Token) && !client.AllowImplicitFlow) { Tracing.Error("response_type is token and client does not allow implicit flow. client: " + client.Name); return ClientError(client.RedirectUri, OAuth2Constants.Errors.UnsupportedResponseType, request.response_type, request.state); } if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Code) && !client.AllowCodeFlow) { Tracing.Error("response_type is code and client does not allow code flow. client: " + client.Name); return ClientError(client.RedirectUri, OAuth2Constants.Errors.UnsupportedResponseType, request.response_type, request.state); } return null; }
public ValidatedRequest Validate(AuthorizeRequest request) { var validatedRequest = new ValidatedRequest(); // validate request model binding if (request == null) { throw new AuthorizeRequestResourceOwnerException("Invalid request parameters."); } // make sure redirect uri is present if (string.IsNullOrWhiteSpace(request.redirect_uri)) { throw new AuthorizeRequestResourceOwnerException("Missing redirect URI"); } // validate client if (string.IsNullOrWhiteSpace(request.client_id)) { throw new AuthorizeRequestResourceOwnerException("Missing client identifier"); } var client = Clients.Get(request.client_id); if (client == null) { throw new AuthorizeRequestResourceOwnerException("Invalid client: " + request.client_id); } validatedRequest.Client = client; Tracing.InformationFormat("Client: {0} ({1})", validatedRequest.Client.Name, validatedRequest.Client.ClientId); // make sure redirect_uri is a valid uri, and in case of http is over ssl Uri redirectUri; if (Uri.TryCreate(request.redirect_uri, UriKind.Absolute, out redirectUri)) { if (redirectUri.Scheme == Uri.UriSchemeHttp) { throw new AuthorizeRequestClientException( "Redirect URI not over SSL : " + request.redirect_uri, new Uri(request.redirect_uri), OAuth2Constants.Errors.InvalidRequest, string.Empty, validatedRequest.State); } // make sure redirect uri is registered with client if (!validatedRequest.Client.RedirectUris.Contains(request.redirect_uri)) { throw new AuthorizeRequestResourceOwnerException("Invalid redirect URI: " + request.redirect_uri); } validatedRequest.RedirectUri = request.redirect_uri; Tracing.InformationFormat("Redirect URI: {0}", validatedRequest.RedirectUri); } else { throw new AuthorizeRequestResourceOwnerException("Invalid redirect URI: " + request.redirect_uri); } // check state if (!string.IsNullOrWhiteSpace(request.state)) { validatedRequest.State = request.state; Tracing.Information("State: " + validatedRequest.State); } else { Tracing.Information("No state supplied."); } // validate response type if (String.IsNullOrWhiteSpace(request.response_type)) { throw new AuthorizeRequestClientException( "response_type is null or empty", new Uri(validatedRequest.RedirectUri), OAuth2Constants.Errors.InvalidRequest, string.Empty, validatedRequest.State); } // check response type (only code and token are supported) if (!request.response_type.Equals(OAuth2Constants.ResponseTypes.Token, StringComparison.Ordinal) && !request.response_type.Equals(OAuth2Constants.ResponseTypes.Code, StringComparison.Ordinal)) { throw new AuthorizeRequestClientException( "response_type is not token or code: " + request.response_type, new Uri(validatedRequest.RedirectUri), OAuth2Constants.Errors.UnsupportedResponseType, string.Empty, validatedRequest.State); } validatedRequest.ResponseType = request.response_type; Tracing.Information("Response type: " + validatedRequest.ResponseType); // scope is required if (string.IsNullOrWhiteSpace(request.scope)) { throw new AuthorizeRequestClientException( "Missing scope", new Uri(validatedRequest.RedirectUri), OAuth2Constants.Errors.InvalidScope, validatedRequest.ResponseType, validatedRequest.State); } // validate scopes if (!request.scope.StartsWith("openid")) { throw new AuthorizeRequestClientException( "Invalid scope: " + request.scope, new Uri(validatedRequest.RedirectUri), OAuth2Constants.Errors.InvalidScope, validatedRequest.ResponseType, validatedRequest.State); } validatedRequest.Scopes = request.scope; if (request.response_type == OAuth2Constants.ResponseTypes.Code) { ValidateCodeResponseType(validatedRequest, request); } else if (request.response_type == OAuth2Constants.ResponseTypes.Token) { ValidateTokenResponseType(validatedRequest, request); } else { throw new AuthorizeRequestClientException( "Invalid response_type: " + request.response_type, new Uri(validatedRequest.RedirectUri), OAuth2Constants.Errors.UnsupportedResponseType, request.response_type, validatedRequest.State); } return validatedRequest; }
private ActionResult CheckRequest(AuthorizeRequest request, out Client client) { // validate client if (!Clients.TryGetClient(request.client_id, out client)) { ViewBag.Message = "Invalid client_id : " + request.client_id; return View("Error"); } // validate redirect uri if (string.IsNullOrEmpty(request.redirect_uri) || !string.Equals(request.redirect_uri, client.RedirectUri.AbsoluteUri, StringComparison.OrdinalIgnoreCase)) { ViewBag.Message = "The redirect_uri in the request: " + request.redirect_uri + " did not match a registered redirect URI."; return View("Error"); } // check response type (only code and token are supported) if (!request.response_type.Equals(OAuth2Constants.ResponseTypes.Token, StringComparison.Ordinal) && !request.response_type.Equals(OAuth2Constants.ResponseTypes.Code, StringComparison.Ordinal)) { return ClientError(client.RedirectUri, OAuth2Constants.Errors.UnsupportedResponseType, string.Empty, request.state); } // validate scope (must be a valid URI) Uri uri; if (!Uri.TryCreate(request.scope, UriKind.Absolute, out uri)) { return ClientError(client.RedirectUri, OAuth2Constants.Errors.InvalidScope, request.response_type, request.state); } // validate if request grant type is allowed for client (implicit vs code flow) if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Token) && !client.AllowImplicitFlow) { return ClientError(client.RedirectUri, OAuth2Constants.Errors.UnsupportedResponseType, request.response_type, request.state); } if (request.response_type.Equals(OAuth2Constants.ResponseTypes.Code) && !client.AllowCodeFlow) { return ClientError(client.RedirectUri, OAuth2Constants.Errors.UnsupportedResponseType, request.response_type, request.state); } return null; }