public void Authorize(HttpContext context, IDictionary <string, string> query) { if (query.ContainsKey("grant_type")) { string grantType = query["grant_type"]; switch (grantType) { case "refresh_token": //if an application wants to exchange an refresh token for an access token if (_refreshTokenAuthorization != null) { _refreshTokenAuthorization.Authorize(context, query); } else { InvalidAuthorizationResponse errorResponse = new InvalidAuthorizationResponse(); errorResponse.Error = InvalidAuthorizationResponse.UNSUPPORTED_GRANT_TYPE; errorResponse.Error_description = "The grant type 'refresh_token' is not supported by this application"; //TODO: add URL //write payload context.Response.Payload.Write(JsonSerializer.SerializeJson(errorResponse)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Status = HttpStatus.BadRequest; } break; case "authorization_code": //if an application wants to exchange an authorization code for an access token if (_authorizationCodeAuthorization != null) { _authorizationCodeAuthorization.Authorize(context, query); } else { InvalidAuthorizationResponse errorResponse = new InvalidAuthorizationResponse(); errorResponse.Error = InvalidAuthorizationResponse.UNSUPPORTED_GRANT_TYPE; errorResponse.Error_description = "The grant type 'authorization_code' is not supported by this application"; //TODO: add URL //write payload context.Response.Payload.Write(JsonSerializer.SerializeJson(errorResponse)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Status = HttpStatus.BadRequest; } break; case "password": //if an application wants to exchange the user's name and password for an access token if (_passwordAuthorization != null) { _passwordAuthorization.Authorize(context, query); } else { InvalidAuthorizationResponse errorResponse = new InvalidAuthorizationResponse(); errorResponse.Error = InvalidAuthorizationResponse.UNSUPPORTED_GRANT_TYPE; errorResponse.Error_description = "The grant type 'password' is not supported by this application"; //TODO: add URL //write payload context.Response.Payload.Write(JsonSerializer.SerializeJson(errorResponse)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Status = HttpStatus.BadRequest; } break; case "client_credentials": //if an application wants to exchange the client's credentials for an access token, not on behalf of a user if (_clientCredentialsAuthorization != null) { _clientCredentialsAuthorization.Authorize(context, query); } else { InvalidAuthorizationResponse errorResponse = new InvalidAuthorizationResponse(); errorResponse.Error = InvalidAuthorizationResponse.UNSUPPORTED_GRANT_TYPE; errorResponse.Error_description = "The grant type 'client_credentials' is not supported by this application"; //TODO: add URL //write payload context.Response.Payload.Write(JsonSerializer.SerializeJson(errorResponse)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Status = HttpStatus.BadRequest; } break; default: InvalidAuthorizationResponse errResponse = new InvalidAuthorizationResponse(); errResponse.Error = InvalidAuthorizationResponse.UNSUPPORTED_GRANT_TYPE; errResponse.Error_description = "The grant type '" + grantType + "' is not supported by this application"; //TODO: add URL //write payload context.Response.Payload.Write(JsonSerializer.SerializeJson(errResponse)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Status = HttpStatus.BadRequest; break; } } else if (query.ContainsKey("response_type")) { } else { //create invalid request InvalidAuthorizationResponse errorResponse = new InvalidAuthorizationResponse(); errorResponse.Error = InvalidAuthorizationResponse.INVALID_REQUEST; errorResponse.Error_description = "The grant type or response type is missing. The request must include the query parameter 'grant_type' or 'response_type."; //TODO: add URL //write payload context.Response.Payload.Write(JsonSerializer.SerializeJson(errorResponse)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Status = HttpStatus.BadRequest; } }
public void Authorize(HttpContext context, IDictionary <string, string> query) { string username = ""; string password = ""; string clientId = ""; string clientSecret = ""; string requestedScope = ""; //expected but already parsed input is: grant_type //expected input is: username, password //optional input is: scope //load username if (query.ContainsKey("username")) { username = query["username"]; } else { InvalidAuthorizationResponse errorResponse = new InvalidAuthorizationResponse(); errorResponse.Error = InvalidAuthorizationResponse.INVALID_REQUEST; errorResponse.Error_description = "The username is missing. The request must include the query parameter 'username'"; //TODO: add URI context.Response.Payload.Write(JsonSerializer.SerializeJson(errorResponse)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Status = HttpStatus.BadRequest; return; } //load password if (query.ContainsKey("password")) { password = query["password"]; } else { InvalidAuthorizationResponse errorResponse = new InvalidAuthorizationResponse(); errorResponse.Error = InvalidAuthorizationResponse.INVALID_REQUEST; errorResponse.Error_description = "The password is missing. The request must include the query parameter 'password'"; //TODO: add URI context.Response.Payload.Write(JsonSerializer.SerializeJson(errorResponse)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Status = HttpStatus.BadRequest; return; } //load client ID: if (query.ContainsKey("client_id")) { clientId = query["client_id"]; } else { InvalidAuthorizationResponse errorResponse = new InvalidAuthorizationResponse(); errorResponse.Error = InvalidAuthorizationResponse.INVALID_REQUEST; errorResponse.Error_description = "The client ID is missing. The request must include the query parameter 'client_id'"; //TODO: add URI context.Response.Payload.Write(JsonSerializer.SerializeJson(errorResponse)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Status = HttpStatus.BadRequest; return; } //load client secret if (query.ContainsKey("client_secret")) { clientSecret = query["client_secret"]; } //load scope if (query.ContainsKey("scope")) { requestedScope = query["scope"]; } //step 1: check whether: 1) client exists, 2) client is not blocked, 3) client has user IClientAccount client = _clientStorage.GetClient(clientId); if (client == null || client.IsBlocked || !client.HasUser) { InvalidAuthorizationResponse errorResponse = new InvalidAuthorizationResponse(); errorResponse.Error = InvalidAuthorizationResponse.INVALID_CLIENT; errorResponse.Error_description = "The client ID is invalid"; //TPDP: add URI context.Response.Payload.Write(JsonSerializer.SerializeJson(errorResponse)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Status = HttpStatus.Unauthorized; return; } //step 2 (if applicable): 1) check whether client's secret is set (if enabled) and 2) if it is correct if (client.IsClientSecretRequiredForPasswordGrant) { if (String.IsNullOrWhiteSpace(clientSecret)) { InvalidAuthorizationResponse errorResponse = new InvalidAuthorizationResponse(); errorResponse.Error = InvalidAuthorizationResponse.INVALID_REQUEST; errorResponse.Error_description = "The client secret is missing. The request must include the query parameter 'client_secret'"; //TODO: add URI context.Response.Payload.Write(JsonSerializer.SerializeJson(errorResponse)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Status = HttpStatus.BadRequest; return; } if (client.ClientSecret.CompareTo(clientSecret) != 0) { InvalidAuthorizationResponse errorResponse = new InvalidAuthorizationResponse(); errorResponse.Error = InvalidAuthorizationResponse.INVALID_CLIENT; errorResponse.Error_description = "The client ID or secret is invalid"; //TODO: add URI context.Response.Payload.Write(JsonSerializer.SerializeJson(errorResponse)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Status = HttpStatus.Unauthorized; return; } } //step 3: check whether 1) user exists, 2) user is not blocked, 3) password is correct and 4) the user belongs to the passed client IUserAccount user = _userStorage.GetUserByName(username); if (user == null || user.IsBlocked || user.Password.CompareTo(password) != 0 || user.ClientId.CompareTo(clientId) != 0) { InvalidAuthorizationResponse errorResponse = new InvalidAuthorizationResponse(); errorResponse.Error = InvalidAuthorizationResponse.INVALID_CLIENT; errorResponse.Error_description = "The username or password invalid"; //TODO: add URI context.Response.Payload.Write(JsonSerializer.SerializeJson(errorResponse)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Status = HttpStatus.Unauthorized; return; } //step 4: validate scope string finalScope = ""; if (String.IsNullOrWhiteSpace(requestedScope)) { finalScope = user.Scope; } else { //extract single scopes from requested scope string[] scopes; if (requestedScope.Contains(",")) { scopes = requestedScope.Split(','); } else if (requestedScope.Contains(";")) { scopes = requestedScope.Split(';'); } else if (requestedScope.Contains(" ")) { scopes = requestedScope.Split(' '); } else { scopes = new string[] { requestedScope }; } //check whether all requested scopes are permitted: IList <string> permittedScope = user.GetScopeAsList; foreach (string scope in scopes) { if (!permittedScope.Contains(scope)) { InvalidAuthorizationResponse errorResponse = new InvalidAuthorizationResponse(); errorResponse.Error = InvalidAuthorizationResponse.INVALID_SCOPE; errorResponse.Error_description = "The scope '" + scope + "' is not permitted or unknown"; //TODO: add URL context.Response.Payload.Write(JsonSerializer.SerializeJson(errorResponse)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Status = HttpStatus.BadRequest; return; } finalScope += scope + " "; } finalScope.Trim(); } //step 6: create access token and (if applicable) refresh token AccessToken accessToken = _reference.GenerateAccessToken(username, clientId, finalScope, client.AccessTokenExpiryInSeconds); string refreshToken = _reference.GenerateRefreshToken(username, clientId, finalScope, client.RefreshTokenExpiryInSeconds); //step 7: return access token and (if applicable) refresh token accessToken.RefreshToken = refreshToken; context.Response.Payload.Write(JsonSerializer.SerializeJson(accessToken)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Headers.Set("Cache-Control", "no-store"); context.Response.Headers.Set("Pragma", "no-cache"); context.Response.Status = HttpStatus.OK; }
public void Authorize(HttpContext context, IDictionary <string, string> query) { string clientId = ""; string clientSecret = ""; string requestedScope = ""; //expected but already parsed input is: grant_type //expected input is: client_id, client_secret //optional input is: scope //load client ID if (query.ContainsKey("client_id")) { clientId = query["client_id"]; } else { InvalidAuthorizationResponse errorResponse = new InvalidAuthorizationResponse(); errorResponse.Error = InvalidAuthorizationResponse.INVALID_REQUEST; errorResponse.Error_description = "The client ID is missing. The request must include the query parameter 'client_id'"; //TODO: add URI context.Response.Payload.Write(JsonSerializer.SerializeJson(errorResponse)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Status = HttpStatus.BadRequest; return; } //load client secret if (query.ContainsKey("client_secret")) { clientSecret = query["client_secret"]; } else { InvalidAuthorizationResponse errorResponse = new InvalidAuthorizationResponse(); errorResponse.Error = InvalidAuthorizationResponse.INVALID_REQUEST; errorResponse.Error_description = "The client secret is missing. The request must include the query parameter 'client_secret'"; //TODO: add URI context.Response.Payload.Write(JsonSerializer.SerializeJson(errorResponse)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Status = HttpStatus.BadRequest; return; } //load scope if (query.ContainsKey("scope")) { requestedScope = query["scope"]; } //step 1: check whether: 1) client exists, 2) client is not blocked, 3) credentials are correct IClientAccount client = _storage.GetClient(clientId); if (client == null || client.IsBlocked || client.ClientSecret.CompareTo(clientSecret) != 0) { InvalidAuthorizationResponse errorResponse = new InvalidAuthorizationResponse(); errorResponse.Error = InvalidAuthorizationResponse.INVALID_CLIENT; errorResponse.Error_description = "The client ID or secret is invalid"; //TPDP: add URI context.Response.Payload.Write(JsonSerializer.SerializeJson(errorResponse)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Status = HttpStatus.Unauthorized; return; } //step 2: validate scope string finalScope = ""; if (String.IsNullOrWhiteSpace(requestedScope)) { finalScope = client.Scope; } else { //extract single scopes from requested scope string[] scopes; if (requestedScope.Contains(",")) { scopes = requestedScope.Split(','); } else if (requestedScope.Contains(";")) { scopes = requestedScope.Split(';'); } else if (requestedScope.Contains(" ")) { scopes = requestedScope.Split(' '); } else { scopes = new string[] { requestedScope }; } //check whether all requested scopes are permitted: IList <string> permittedScope = client.GetScopeAsList; foreach (string scope in scopes) { if (!permittedScope.Contains(scope)) { InvalidAuthorizationResponse errorResponse = new InvalidAuthorizationResponse(); errorResponse.Error = InvalidAuthorizationResponse.INVALID_SCOPE; errorResponse.Error_description = "The scope '" + scope + "' is not permitted or unknown"; //TODO: add URL context.Response.Payload.Write(JsonSerializer.SerializeJson(errorResponse)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Status = HttpStatus.BadRequest; return; } finalScope += scope + " "; } finalScope.Trim(); } //step 3: create access token and (if applicable) refresh token AccessToken accessToken = _reference.GenerateAccessToken(null, clientId, finalScope, client.AccessTokenExpiryInSeconds); string refreshToken = _reference.GenerateRefreshToken(null, clientId, finalScope, client.RefreshTokenExpiryInSeconds); //step 4: return access token and (if applicable) refresh token accessToken.RefreshToken = refreshToken; context.Response.Payload.Write(JsonSerializer.SerializeJson(accessToken)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Headers.Set("Cache-Control", "no-store"); context.Response.Headers.Set("Pragma", "no-cache"); context.Response.Status = HttpStatus.OK; }
public void Authorize(HttpContext context, IDictionary <string, string> query) { string refreshToken; string clientId = ""; string clientSecret = ""; string username = ""; string userPassword = ""; string requestedScope = ""; //expected but already parsed input is: grant_type //expected input is: refresh token //expected input is (if enabled): client ID //expected input is (if enabled): client secret //expected input is (if enabled): user ID //expected input is (if enabled): user password //optional input is: scope //load refresh token if (query.ContainsKey("refresh_token")) { refreshToken = query["refresh_token"]; } else { InvalidAuthorizationResponse errorResponse = new InvalidAuthorizationResponse(); errorResponse.Error = InvalidAuthorizationResponse.INVALID_REQUEST; errorResponse.Error_description = "The refresh token is missing. The request must include the query parameter 'refresh_token'"; //TODO: add URI context.Response.Payload.Write(JsonSerializer.SerializeJson(errorResponse)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Status = HttpStatus.BadRequest; return; } //load client ID if (query.ContainsKey("client_id")) { clientId = query["client_id"]; } //load client secret if (query.ContainsKey("client_secret")) { clientSecret = query["client_secret"]; } //load user ID if (query.ContainsKey("username")) { username = query["username"]; } //load user password if (query.ContainsKey("password")) { userPassword = query["password"]; } //load scope if (query.ContainsKey("scope")) { requestedScope = query["scope"]; } //step 1: load refresh token and check whether the refresh token is listed and is valid IRefreshToken refreshTokenSet = _refreshStorage.GetRefreshToken(refreshToken); if (refreshTokenSet == null || refreshTokenSet.IsInvalidated) { InvalidAuthorizationResponse errorResponse = new InvalidAuthorizationResponse(); errorResponse.Error = InvalidAuthorizationResponse.INVALID_CLIENT; errorResponse.Error_description = "The refresh token is invalid"; //TODO: add uri context.Response.Payload.Write(JsonSerializer.SerializeJson(errorResponse)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Status = HttpStatus.Unauthorized; return; } //step 2: check whether the refresh token has expired if (refreshTokenSet.ValidUntil > 0 && refreshTokenSet.ValidUntil < DateTimeOffset.UtcNow.ToUnixTimeSeconds()) { InvalidAuthorizationResponse errorResponse = new InvalidAuthorizationResponse(); errorResponse.Error = InvalidAuthorizationResponse.INVALID_CLIENT; errorResponse.Error_description = "The refresh token has expired"; //TODO: add uri context.Response.Payload.Write(JsonSerializer.SerializeJson(errorResponse)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Status = HttpStatus.Unauthorized; return; } //step 3: load client and check whether the client is blocked IClientAccount client = _clientStorage.GetClient(refreshTokenSet.ClientId); if (client == null || client.IsBlocked) { InvalidAuthorizationResponse errorResponse = new InvalidAuthorizationResponse(); errorResponse.Error = InvalidAuthorizationResponse.INVALID_CLIENT; errorResponse.Error_description = "The refresh token has been issued to a client which is not existing or has been blocked"; //TODO: add URI context.Response.Payload.Write(JsonSerializer.SerializeJson(errorResponse)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Status = HttpStatus.Unauthorized; return; } //step 3a (if enabled): check whether client is linked to the refresh token if (client.IsClientIdRequiredForRefreshToken) { if (String.IsNullOrWhiteSpace(clientId)) { InvalidAuthorizationResponse errorResponse = new InvalidAuthorizationResponse(); errorResponse.Error = InvalidAuthorizationResponse.INVALID_REQUEST; errorResponse.Error_description = "The client ID is missing. The request must include the query parameter 'client_id'"; //TODO: add URI context.Response.Payload.Write(JsonSerializer.SerializeJson(errorResponse)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Status = HttpStatus.BadRequest; return; } if (client.ClientId.CompareTo(clientId) != 0) { InvalidAuthorizationResponse errorResponse = new InvalidAuthorizationResponse(); errorResponse.Error = InvalidAuthorizationResponse.INVALID_CLIENT; errorResponse.Error_description = "The client ID is invalid"; //TODO: add URI context.Response.Payload.Write(JsonSerializer.SerializeJson(errorResponse)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Status = HttpStatus.Unauthorized; return; } } //step 3b (if enabled): check whether client secret is valid if (client.IsClientSecretRequiredForRefreshToken) { if (String.IsNullOrWhiteSpace(clientSecret)) { InvalidAuthorizationResponse errorResponse = new InvalidAuthorizationResponse(); errorResponse.Error = InvalidAuthorizationResponse.INVALID_REQUEST; errorResponse.Error_description = "The client secret is missing. The request must include the query parameter 'client_secret'"; //TODO: add URI context.Response.Payload.Write(JsonSerializer.SerializeJson(errorResponse)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Status = HttpStatus.BadRequest; return; } if (client.ClientSecret.CompareTo(clientSecret) != 0) { InvalidAuthorizationResponse errorResponse = new InvalidAuthorizationResponse(); errorResponse.Error = InvalidAuthorizationResponse.INVALID_CLIENT; errorResponse.Error_description = "The client ID or secret is invalid"; //TODO: add URI context.Response.Payload.Write(JsonSerializer.SerializeJson(errorResponse)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Status = HttpStatus.Unauthorized; return; } } IUserAccount user = null; if (client.HasUser) { //step 4a: check whether the refresh token has been issued to a user if (String.IsNullOrWhiteSpace(refreshTokenSet.Subject)) { InvalidAuthorizationResponse errorResponse = new InvalidAuthorizationResponse(); errorResponse.Error = InvalidAuthorizationResponse.INVALID_CLIENT; errorResponse.Error_description = "The refresh token is invalid"; //TODO: add uri context.Response.Payload.Write(JsonSerializer.SerializeJson(errorResponse)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Status = HttpStatus.Unauthorized; return; } user = _userStorage.GetUserByName(refreshTokenSet.Subject); //step 4b: check whether the user is existing and not blocked if (user == null || user.IsBlocked) { InvalidAuthorizationResponse errorResponse = new InvalidAuthorizationResponse(); errorResponse.Error = InvalidAuthorizationResponse.INVALID_CLIENT; errorResponse.Error_description = "The refresh token has been issued to a user which is not existing or has been blocked"; //TODO: add URI context.Response.Payload.Write(JsonSerializer.SerializeJson(errorResponse)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Status = HttpStatus.Unauthorized; return; } //step 4c: check whether the linked subject (user ID) matches the passed user ID (if enabled) if (client.IsUserIdRequiredForRefreshToken) { if (String.IsNullOrWhiteSpace(username)) { InvalidAuthorizationResponse errorResponse = new InvalidAuthorizationResponse(); errorResponse.Error = InvalidAuthorizationResponse.INVALID_REQUEST; errorResponse.Error_description = "The username is missing. The request must include the query parameter 'username'"; //TODO: add URI context.Response.Payload.Write(JsonSerializer.SerializeJson(errorResponse)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Status = HttpStatus.BadRequest; return; } if (refreshTokenSet.Subject.CompareTo(username) != 0) { InvalidAuthorizationResponse errorResponse = new InvalidAuthorizationResponse(); errorResponse.Error = InvalidAuthorizationResponse.INVALID_CLIENT; errorResponse.Error_description = "The username is invalid"; //TODO: add URI context.Response.Payload.Write(JsonSerializer.SerializeJson(errorResponse)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Status = HttpStatus.Unauthorized; return; } } //step 4d: check whether the passed user password is correct (if enabled) if (client.IsUserPasswordRequiredForRefreshToken) { if (String.IsNullOrWhiteSpace(userPassword)) { InvalidAuthorizationResponse errorResponse = new InvalidAuthorizationResponse(); errorResponse.Error = InvalidAuthorizationResponse.INVALID_REQUEST; errorResponse.Error_description = "The password is missing. The request must include the query parameter 'password'"; //TODO: add URI context.Response.Payload.Write(JsonSerializer.SerializeJson(errorResponse)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Status = HttpStatus.BadRequest; return; } if (user.Password.CompareTo(userPassword) != 0) { InvalidAuthorizationResponse errorResponse = new InvalidAuthorizationResponse(); errorResponse.Error = InvalidAuthorizationResponse.INVALID_CLIENT; errorResponse.Error_description = "The username or password is invalid"; //TODO: add URI context.Response.Payload.Write(JsonSerializer.SerializeJson(errorResponse)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Status = HttpStatus.Unauthorized; return; } } } else { //check whether client has NO user, but the refresh token has been issued to a user: if (!String.IsNullOrWhiteSpace(refreshTokenSet.Subject)) { InvalidAuthorizationResponse errorResponse = new InvalidAuthorizationResponse(); errorResponse.Error = InvalidAuthorizationResponse.INVALID_CLIENT; errorResponse.Error_description = "The refresh token is invalid"; //TODO: add uri context.Response.Payload.Write(JsonSerializer.SerializeJson(errorResponse)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Status = HttpStatus.Unauthorized; return; } } //step 4: check scope string finalScope = ""; if (String.IsNullOrWhiteSpace(requestedScope)) { finalScope = refreshTokenSet.Scope; } else { //extract single scopes from requested scope string[] scopes; if (requestedScope.Contains(",")) { scopes = requestedScope.Split(','); } else if (requestedScope.Contains(";")) { scopes = requestedScope.Split(';'); } else if (requestedScope.Contains(" ")) { scopes = requestedScope.Split(' '); } else { scopes = new string[] { requestedScope }; } //check whether all requested scopes are permitted: IList <string> permittedScope = refreshTokenSet.GetScopeAsList; foreach (string scope in scopes) { if (!permittedScope.Contains(scope)) { InvalidAuthorizationResponse errorResponse = new InvalidAuthorizationResponse(); errorResponse.Error = InvalidAuthorizationResponse.INVALID_SCOPE; errorResponse.Error_description = "The scope '" + scope + "' is not permitted or unknown"; //TODO: add URL context.Response.Payload.Write(JsonSerializer.SerializeJson(errorResponse)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Status = HttpStatus.BadRequest; return; } finalScope += scope + " "; } finalScope.Trim(); } //step 5: create new access token and issue new refresh token (if enabled and applicable) string subject; if (user == null) { subject = null; } else { subject = user.Username; } AccessToken accessToken = _reference.GenerateAccessToken(subject, clientId, finalScope, client.AccessTokenExpiryInSeconds); if (_issuesNewRefreshToken && refreshTokenSet.ValidUntil - DateTimeOffset.UtcNow.ToUnixTimeSeconds() < _newRefreshTokenExpiryThreshold) { accessToken.RefreshToken = _reference.GenerateRefreshToken(subject, client.ClientId, finalScope, client.RefreshTokenExpiryInSeconds); } else { accessToken.RefreshToken = null; } context.Response.Payload.Write(JsonSerializer.SerializeJson(accessToken)); context.Response.Headers.Set("Content-Type", MimeType.APPLICATION_JSON); context.Response.Headers.Set("Cache-Control", "no-store"); context.Response.Headers.Set("Pragma", "no-cache"); context.Response.Status = HttpStatus.OK; }