private HttpResponseMessage ProcessAuthorizationCodeRequest(ValidatedRequest validatedRequest) { Tracing.Information("Processing authorization code request"); var tokenService = new OidcTokenService( ServerConfiguration.Global.IssuerUri, ServerConfiguration.Keys.SigningCertificate); var response = tokenService.CreateTokenResponse(validatedRequest.Grant, validatedRequest.Client.AccessTokenLifetime); Grants.Delete(validatedRequest.Grant.GrantId); if (validatedRequest.Grant.Scopes.Contains(OidcConstants.Scopes.OfflineAccess) && validatedRequest.Client.AllowRefreshToken) { var refreshToken = StoredGrant.CreateRefreshToken( validatedRequest.Grant.ClientId, validatedRequest.Grant.Subject, validatedRequest.Grant.Scopes, validatedRequest.Client.RefreshTokenLifetime); Grants.Add(refreshToken); response.RefreshToken = refreshToken.GrantId; } return Request.CreateTokenResponse(response); }
private ActionResult PerformAuthorizationCodeGrant(ValidatedRequest validatedRequest) { Tracing.Information("Processing authorization code request"); var grant = StoredGrant.CreateAuthorizationCode( validatedRequest.Client.ClientId, ClaimsPrincipal.Current.Identity.Name, validatedRequest.Scopes, validatedRequest.RedirectUri, 60); Grants.Add(grant); var tokenString = string.Format("code={0}", grant.GrantId); if (!string.IsNullOrWhiteSpace(validatedRequest.State)) { tokenString = string.Format("{0}&state={1}", tokenString, Server.UrlEncode(validatedRequest.State)); } var redirectString = string.Format("{0}?{1}", validatedRequest.RedirectUri, tokenString); return Redirect(redirectString); }
private HttpResponseMessage ProcessRefreshTokenRequest(ValidatedRequest validatedRequest) { Tracing.Information("Processing refresh token request"); var tokenService = new OidcTokenService(ServerConfiguration.Global.IssuerUri, ServerConfiguration.Keys.SigningCertificate); var response = tokenService.CreateTokenResponse(validatedRequest.Grant); response.RefreshToken = validatedRequest.Grant.GrantId; return Request.CreateTokenResponse(response); }
private ActionResult PerformGrant(ValidatedRequest validatedRequest) { // implicit grant if (validatedRequest.ResponseType.Equals(OAuth2Constants.ResponseTypes.Token, StringComparison.Ordinal)) { return PerformImplicitGrant(validatedRequest); } // authorization code grant if (validatedRequest.ResponseType.Equals(OAuth2Constants.ResponseTypes.Code, StringComparison.Ordinal)) { return PerformAuthorizationCodeGrant(validatedRequest); } return null; }
protected bool TryValidateRequest(AuthorizeRequest request, out ValidatedRequest validatedRequest, out ActionResult failedResult) { validatedRequest = null; failedResult = null; try { var validator = new AuthorizeRequestValidator(Clients); validatedRequest = validator.Validate(request); return true; } catch (AuthorizeRequestValidationException ex) { failedResult = this.AuthorizeValidationError(ex); return false; } }
public ValidatedRequest Validate(AuthorizeRequest request) { var validatedRequest = new ValidatedRequest(); // validate request model binding if (request == null) { throw new AuthorizeRequestResourceOwnerException("Invalid request parameters."); } // make sure redirect uri is present if (string.IsNullOrWhiteSpace(request.redirect_uri)) { throw new AuthorizeRequestResourceOwnerException("Missing redirect URI"); } // validate client if (string.IsNullOrWhiteSpace(request.client_id)) { throw new AuthorizeRequestResourceOwnerException("Missing client identifier"); } var client = Clients.Get(request.client_id); if (client == null) { throw new AuthorizeRequestResourceOwnerException("Invalid client: " + request.client_id); } validatedRequest.Client = client; Tracing.InformationFormat("Client: {0} ({1})", validatedRequest.Client.Name, validatedRequest.Client.ClientId); // make sure redirect_uri is a valid uri, and in case of http is over ssl Uri redirectUri; if (Uri.TryCreate(request.redirect_uri, UriKind.Absolute, out redirectUri)) { if (redirectUri.Scheme == Uri.UriSchemeHttp) { throw new AuthorizeRequestClientException( "Redirect URI not over SSL : " + request.redirect_uri, new Uri(request.redirect_uri), OAuth2Constants.Errors.InvalidRequest, string.Empty, validatedRequest.State); } // make sure redirect uri is registered with client if (!validatedRequest.Client.RedirectUris.Contains(request.redirect_uri)) { throw new AuthorizeRequestResourceOwnerException("Invalid redirect URI: " + request.redirect_uri); } validatedRequest.RedirectUri = request.redirect_uri; Tracing.InformationFormat("Redirect URI: {0}", validatedRequest.RedirectUri); } else { throw new AuthorizeRequestResourceOwnerException("Invalid redirect URI: " + request.redirect_uri); } // check state if (!string.IsNullOrWhiteSpace(request.state)) { validatedRequest.State = request.state; Tracing.Information("State: " + validatedRequest.State); } else { Tracing.Information("No state supplied."); } // validate response type if (String.IsNullOrWhiteSpace(request.response_type)) { throw new AuthorizeRequestClientException( "response_type is null or empty", new Uri(validatedRequest.RedirectUri), OAuth2Constants.Errors.InvalidRequest, string.Empty, validatedRequest.State); } // check response type (only code and token are supported) if (!request.response_type.Equals(OAuth2Constants.ResponseTypes.Token, StringComparison.Ordinal) && !request.response_type.Equals(OAuth2Constants.ResponseTypes.Code, StringComparison.Ordinal)) { throw new AuthorizeRequestClientException( "response_type is not token or code: " + request.response_type, new Uri(validatedRequest.RedirectUri), OAuth2Constants.Errors.UnsupportedResponseType, string.Empty, validatedRequest.State); } validatedRequest.ResponseType = request.response_type; Tracing.Information("Response type: " + validatedRequest.ResponseType); // scope is required if (string.IsNullOrWhiteSpace(request.scope)) { throw new AuthorizeRequestClientException( "Missing scope", new Uri(validatedRequest.RedirectUri), OAuth2Constants.Errors.InvalidScope, validatedRequest.ResponseType, validatedRequest.State); } // validate scopes if (!request.scope.StartsWith("openid")) { throw new AuthorizeRequestClientException( "Invalid scope: " + request.scope, new Uri(validatedRequest.RedirectUri), OAuth2Constants.Errors.InvalidScope, validatedRequest.ResponseType, validatedRequest.State); } validatedRequest.Scopes = request.scope; if (request.response_type == OAuth2Constants.ResponseTypes.Code) { ValidateCodeResponseType(validatedRequest, request); } else if (request.response_type == OAuth2Constants.ResponseTypes.Token) { ValidateTokenResponseType(validatedRequest, request); } else { throw new AuthorizeRequestClientException( "Invalid response_type: " + request.response_type, new Uri(validatedRequest.RedirectUri), OAuth2Constants.Errors.UnsupportedResponseType, request.response_type, validatedRequest.State); } return validatedRequest; }
private void ValidateCodeResponseType(ValidatedRequest validatedRequest, AuthorizeRequest request) { if (validatedRequest.Client.Flow != OpenIdConnectFlows.AuthorizationCode) { throw new AuthorizeRequestClientException( "response_type is not allowed: " + request.response_type, new Uri(validatedRequest.RedirectUri), OAuth2Constants.Errors.UnsupportedResponseType, request.response_type, validatedRequest.State); } }
private void ValidateTokenResponseType(ValidatedRequest validatedRequest, AuthorizeRequest request) { throw new NotImplementedException(); }
public ValidatedRequest Validate(TokenRequest request, ClaimsPrincipal clientPrincipal) { var validatedRequest = new ValidatedRequest(); // validate request model binding if (request == null) { throw new TokenRequestValidationException( "Invalid request parameters.", OAuth2Constants.Errors.InvalidRequest); } // grant type is required if (string.IsNullOrWhiteSpace(request.Grant_Type)) { throw new TokenRequestValidationException( "Missing grant_type", OAuth2Constants.Errors.UnsupportedGrantType); } // check supported grant types if (request.Grant_Type == OAuth2Constants.GrantTypes.AuthorizationCode || request.Grant_Type == OAuth2Constants.GrantTypes.RefreshToken) { validatedRequest.GrantType = request.Grant_Type; Tracing.Information("Grant type: " + validatedRequest.GrantType); } else { throw new TokenRequestValidationException( "Invalid grant_type: " + request.Grant_Type, OAuth2Constants.Errors.UnsupportedGrantType); } // validate client credentials var client = ValidateClient(clientPrincipal); if (client == null) { throw new TokenRequestValidationException( "Invalid client: " + clientPrincipal.Identity.Name, OAuth2Constants.Errors.InvalidClient); } validatedRequest.Client = client; Tracing.InformationFormat("Client: {0} ({1})", validatedRequest.Client.Name, validatedRequest.Client.ClientId); switch (request.Grant_Type) { case OAuth2Constants.GrantTypes.AuthorizationCode: ValidateCodeGrant(validatedRequest, request); break; case OAuth2Constants.GrantTypes.RefreshToken: ValidateRefreshTokenGrant(validatedRequest, request); break; default: throw new TokenRequestValidationException( "Invalid grant_type: " + request.Grant_Type, OAuth2Constants.Errors.UnsupportedGrantType); } Tracing.Information("Token request validation successful."); return validatedRequest; }
private void ValidateCodeGrant(ValidatedRequest validatedRequest, TokenRequest request) { if (!validatedRequest.Client.AllowCodeFlow) { throw new TokenRequestValidationException( "Code flow not allowed for client", OAuth2Constants.Errors.UnauthorizedClient); } // code needs to be present if (string.IsNullOrWhiteSpace(request.Code)) { throw new TokenRequestValidationException( "Missing authorization code", OAuth2Constants.Errors.InvalidGrant); } //validatedRequest.AuthorizationCode = request.Code; Tracing.Information("Authorization code: " + request.Code); // check for authorization code in datastore var grant = Grants.Get(request.Code); if (grant == null) { throw new TokenRequestValidationException( "Authorization code not found: " + request.Code, OAuth2Constants.Errors.InvalidGrant); } // make sure the handle is an authorization code if (grant.GrantType != StoredGrantType.AuthorizationCode) { throw new TokenRequestValidationException( "Tampered authorization code: " + request.Code, OAuth2Constants.Errors.InvalidGrant); } validatedRequest.Grant = grant; Tracing.Information("Token handle found: " + grant.GrantId); // check the client binding if (grant.ClientId != validatedRequest.Client.ClientId) { throw new TokenRequestValidationException( string.Format("Client {0} is trying to request token using an authorization code from {1}.", validatedRequest.Client.ClientId, grant.ClientId), OAuth2Constants.Errors.InvalidGrant); } // redirect URI is required if (string.IsNullOrWhiteSpace(request.Redirect_Uri)) { throw new TokenRequestValidationException( string.Format("Redirect URI is missing"), OAuth2Constants.Errors.InvalidRequest); } // check if redirect URI from authorize and token request match if (!grant.RedirectUri.Equals(request.Redirect_Uri)) { throw new TokenRequestValidationException( string.Format("Redirect URI in token request ({0}), does not match redirect URI from authorize request ({1})", validatedRequest.RedirectUri, grant.RedirectUri), OAuth2Constants.Errors.InvalidRequest); } }
private void ValidateRefreshTokenGrant(ValidatedRequest validatedRequest, TokenRequest request) { if (!validatedRequest.Client.AllowRefreshToken) { throw new TokenRequestValidationException( "Refresh token not allowed for client", OAuth2Constants.Errors.UnauthorizedClient); } // code needs to be present if (string.IsNullOrWhiteSpace(request.Refresh_Token)) { throw new TokenRequestValidationException( "Missing refresh token", OAuth2Constants.Errors.InvalidGrant); } Tracing.Information("Refresh token: " + request.Refresh_Token); // check for authorization code in datastore var grant = Grants.Get(request.Refresh_Token); if (grant == null) { throw new TokenRequestValidationException( "Refresh token not found: " + request.Refresh_Token, OAuth2Constants.Errors.InvalidGrant); } // make sure the handle is an authorization code if (grant.GrantType != StoredGrantType.RefreshToken) { throw new TokenRequestValidationException( "Tampered refresh token: " + request.Refresh_Token, OAuth2Constants.Errors.InvalidGrant); } validatedRequest.Grant = grant; Tracing.Information("Stored grant found: " + grant.GrantId); // check the client binding if (grant.ClientId != validatedRequest.Client.ClientId) { throw new TokenRequestValidationException( string.Format("Client {0} is trying to request a token using a refresh token from {1}.", validatedRequest.Client.ClientId, grant.ClientId), OAuth2Constants.Errors.InvalidGrant); } }
public OidcViewModel(ValidatedRequest validatedRequest) { if (validatedRequest == null) throw new ArgumentNullException("validatedRequest"); this.ValidatedRequest = validatedRequest; ValidateScopes(GetRawScopes()); }
private ActionResult PerformImplicitGrant(ValidatedRequest validatedRequest) { throw new NotImplementedException(); }
protected virtual ActionResult DenyGrant(ValidatedRequest validatedRequest) { return new ClientErrorResult(new Uri(validatedRequest.RedirectUri), OAuth2Constants.Errors.AccessDenied, validatedRequest.ResponseType, validatedRequest.State); }
protected abstract ActionResult ShowConsent(ValidatedRequest validatedRequest);
protected virtual ActionResult PerformImplicitGrant(ValidatedRequest validatedRequest) { throw new NotImplementedException(); }