public virtual async Task <BCAcceptRequestValidationResult> ValidateConfirm(HandlerContext context, CancellationToken cancellationToken)
{
var tokens = new bool[]
{
string.IsNullOrWhiteSpace(context.Request.RequestData.GetLoginHintToken()),
string.IsNullOrWhiteSpace(context.Request.RequestData.GetIdTokenHintFromAuthorizationRequest()),
string.IsNullOrWhiteSpace(context.Request.RequestData.GetLoginHintFromAuthorizationRequest())
};
if (tokens.All(_ => _) || (tokens.Where(_ => !_).Count() > 1))
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.ONE_HINT_MUST_BE_PASSED);
}
var user = await CheckLoginHintToken(context, cancellationToken);
if (user == null)
{
user = await CheckIdTokenHint(context, cancellationToken);
if (user == null)
{
user = await CheckLoginHint(context, cancellationToken);
}
}
var authRequestId = context.Request.RequestData.GetAuthRequestId();
if (string.IsNullOrWhiteSpace(authRequestId))
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST, string.Format(OAuth.ErrorMessages.MISSING_PARAMETER, DTOs.AuthorizationRequestParameters.AuthReqId));
}
var authRequest = await _bcAuthorizeRepository.Get(authRequestId, cancellationToken);
if (authRequest == null)
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.INVALID_AUTH_REQUEST_ID);
}
var permissionIds = context.Request.RequestData.GetPermissionIds();
var unknownPermissionIds = permissionIds.Where(pid => !authRequest.Permissions.Any(p => p.PermissionId == pid));
if (unknownPermissionIds.Any())
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST, string.Format(ErrorMessages.UNKNOWN_PERMISSIONS, string.Join(",", unknownPermissionIds)));
}
return(new BCAcceptRequestValidationResult(user, authRequest));
}
public async Task Enrich(JwsPayload result, JObject queryParameters, CancellationToken cancellationToken)
{
var authRequestId = queryParameters.GetAuthRequestId();
if (!string.IsNullOrWhiteSpace(authRequestId))
{
var authorize = await _bcAuthorizeRepository.Get(authRequestId, cancellationToken);
if (authorize != null && authorize.Permissions.Any())
{
var firstPermission = authorize.Permissions.First();
if (result.ContainsKey(_options.OpenBankingApiConsentClaimName))
{
result[_options.OpenBankingApiConsentClaimName] = firstPermission.ConsentId;
}
else
{
result.Add(_options.OpenBankingApiConsentClaimName, firstPermission.ConsentId);
}
}
if (authorize.Scopes.Contains(SIDOpenIdConstants.StandardScopes.OpenIdScope.Name) && !result.ContainsKey(UserClaims.Subject))
{
result.Add(UserClaims.Subject, authorize.UserId);
}
}
var requestedClaims = queryParameters.GetClaimsFromAuthorizationRequest();
if (requestedClaims != null)
{
var requestedClaim = requestedClaims.FirstOrDefault(c => c.Name == _options.OpenBankingApiConsentClaimName);
if (requestedClaim != null)
{
result.Add(_options.OpenBankingApiConsentClaimName, requestedClaim.Values.First());
}
}
}
public async Task <Domains.BCAuthorize> Validate(HandlerContext context, CancellationToken cancellationToken)
{
var openidClient = context.Client as OpenIdClient;
if (openidClient.BCTokenDeliveryMode != SIDOpenIdConstants.StandardNotificationModes.Ping &&
openidClient.BCTokenDeliveryMode != SIDOpenIdConstants.StandardNotificationModes.Poll)
{
throw new OAuthException(OAuth.ErrorCodes.INVALID_REQUEST, ErrorMessages.ONLY_PINGORPUSH_MODE_CAN_BE_USED);
}
var authRequestId = context.Request.RequestData.GetAuthRequestId();
if (string.IsNullOrWhiteSpace(authRequestId))
{
throw new OAuthException(OAuth.ErrorCodes.INVALID_REQUEST, string.Format(OAuth.ErrorMessages.MISSING_PARAMETER, AuthorizationRequestParameters.AuthReqId));
}
var authRequest = await _bcAuthorizeRepository.Get(authRequestId, cancellationToken);
if (authRequest == null)
{
throw new OAuthException(OAuth.ErrorCodes.INVALID_GRANT, ErrorMessages.INVALID_AUTH_REQUEST_ID);
}
if (authRequest.ClientId != openidClient.ClientId)
{
throw new OAuthException(OAuth.ErrorCodes.INVALID_GRANT, ErrorMessages.AUTH_REQUEST_CLIENT_NOT_AUTHORIZED);
}
var currentDateTime = DateTime.UtcNow;
var isSlowDown = currentDateTime <= authRequest.NextFetchTime;
if (authRequest.Status == Domains.BCAuthorizeStatus.Pending || isSlowDown)
{
if (isSlowDown)
{
throw new OAuthException(OAuth.ErrorCodes.SLOW_DOWN, string.Format(ErrorMessages.TOO_MANY_AUTH_REQUEST, authRequestId));
}
authRequest.IncrementNextFetchTime();
await _bcAuthorizeRepository.Update(authRequest, cancellationToken);
await _bcAuthorizeRepository.SaveChanges(cancellationToken);
throw new OAuthException(OAuth.ErrorCodes.AUTHORIZATION_PENDING, string.Format(ErrorMessages.AUTH_REQUEST_NOT_CONFIRMED, authRequestId));
}
if (authRequest.Status == BCAuthorizeStatus.Rejected)
{
throw new OAuthException(OAuth.ErrorCodes.ACCESS_DENIED, string.Format(ErrorMessages.AUTH_REQUEST_REJECTED, authRequestId));
}
if (authRequest.Status == BCAuthorizeStatus.Sent)
{
throw new OAuthException(OAuth.ErrorCodes.INVALID_GRANT, string.Format(ErrorMessages.AUTH_REQUEST_SENT, authRequestId));
}
if (currentDateTime > authRequest.ExpirationDateTime)
{
throw new OAuthException(OAuth.ErrorCodes.EXPIRED_TOKEN, string.Format(ErrorMessages.AUTH_REQUEST_EXPIRED, authRequestId));
}
return(authRequest);
}