public async Task ValidateAsync(CustomAuthorizeRequestValidationContext context)
{
_logger.LogInformation("Start token request validator");
var validatedRequest = context.Result.ValidatedRequest;
if (validatedRequest.Client.ClientId.Contains("SPA", StringComparison.OrdinalIgnoreCase))
{
_logger.LogInformation("ClientId is SPA, no further validation required");
return;
}
var parameters = context.Result.ValidatedRequest.Raw;
const string requestParam = "request";
var requestFromParameters = parameters.Get("request");
if (string.IsNullOrWhiteSpace(requestFromParameters))
{
_logger.LogError($"{requestParam} is missing from the request parameters.");
context.Result.IsError = true;
context.Result.Error = OidcConstants.TokenErrors.InvalidRequest;
return;
}
var requestValidationResult = await _assertionManager.ValidateAsync(requestFromParameters);
if (!requestValidationResult.Success)
{
context.Result.IsError = true;
context.Result.Error = OidcConstants.TokenErrors.InvalidClient;
}
var jwt = _assertionManager.Parse(requestFromParameters);
_logger.LogInformation("TokenRequestValidator is valid for {client}", validatedRequest.Client.ClientId);
}
public async Task <SecretValidationResult> ValidateAsync(IEnumerable <Secret> secrets, ParsedSecret parsedSecret)
{
var assertion = _assertionManager.Parse(parsedSecret.Credential as string);
var result = await _assertionManager.ValidateAsync(assertion);
if (!result.Success)
{
return(result);
}
var validity = await _certificateTypeValidationService.Validate(assertion.Certificates, parsedSecret.Id);
return(new SecretValidationResult {
Success = validity
});
}
public async Task <SecretValidationResult> ValidateAsync(IEnumerable <Secret> secrets, ParsedSecret parsedSecret)
{
_logger.LogDebug("Validate client assertion started");
var fail = new SecretValidationResult {
Success = false
};
if (parsedSecret.Type != IdentityServerConstants.ParsedSecretTypes.JwtBearer)
{
_logger.LogDebug($"Secret type is not a JwtBearer, instead it was {parsedSecret.Type}");
return(fail);
}
if (!(parsedSecret.Credential is string jwtTokenString))
{
_logger.LogDebug("Secret is not like a JWT string");
return(fail);
}
return(await _assertionManager.ValidateAsync(jwtTokenString));
}
protected async Task <JwtSecurityToken> ValidateJwtAsync(string jwtTokenString, Client client)
{
if (!_defaultJwtValidator.IsValid(jwtTokenString, client.ClientId, _audience))
{
throw new SecurityTokenException();
}
var validationResult = await _assertionManager.ValidateAsync(jwtTokenString);
if (!validationResult.Success)
{
throw new SecurityTokenException();
}
var securityToken = new JwtSecurityTokenHandler().ReadToken(jwtTokenString);
var jwtToken = (JwtSecurityToken)securityToken;
return(jwtToken);
}
public async Task <IdentityResult> Validate(DelegationMask mask)
{
try
{
if (mask.PreviousSteps != null)
{
foreach (var step in mask.PreviousSteps)
{
var assertion = _assertionParser.Parse(step);
var result = await _assertionParser.ValidateAsync(assertion);
if (!result.Success || !_defaultJwtValidator.IsValid(step,
mask.DelegationRequest.Target.AccessSubject, // client id should be access subject
_context.HttpContext.User.GetRequestingClientId() // audience should be the requester id
))
{
return(IdentityResult.Failed(new IdentityError {
Code = "previous_steps_validation_error"
}));
}
if (mask.DelegationRequest.Target.AccessSubject != assertion.JwtToken.Issuer)
{
return(IdentityResult.Failed(new IdentityError {
Code = "invalid_delegation_assertion_pair"
}));
}
}
}
return(IdentityResult.Success);
}
catch (Exception ex)
{
_logger.LogWarning(ex, "Exception while authorizing previous steps");
return(IdentityResult.Failed(new IdentityError {
Code = "previous_steps_validation_error", Description = ex.Message
}));
}
}
public async Task <SecretValidationResult> ValidateAsync(IEnumerable <Secret> secrets, ParsedSecret parsedSecret)
{
var assertion = _assertionManager.Parse(parsedSecret.Credential as string);
var result = await _assertionManager.ValidateAsync(assertion);
if (!result.Success)
{
_logger.LogInformation("Service consumer validation failed for {issuer}.", assertion?.JwtToken?.Issuer ?? "[not present]");
return(result);
}
_logger.LogInformation("Service consumer validation is valid. Continue with the {innerValidator}", _inner.Instance.GetType().Name);
var allSecrets = secrets.ToList();
allSecrets.AddRange(assertion.Certificates.Select(c => new Secret
{
Type = IdentityServerConstants.SecretTypes.X509CertificateBase64,
Value = c
}));
return(await _inner.Instance.ValidateAsync(allSecrets, parsedSecret));
}