public async Task <JObject> Handle(string clientId, HandlerContext handlerContext, CancellationToken cancellationToken) { var oauthClient = await GetClient(clientId, handlerContext, cancellationToken); var extractedClient = ExtractClient(handlerContext); if (extractedClient.ClientId != oauthClient.ClientId) { Logger.LogError("the client identifier must be identical"); throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.CLIENT_IDENTIFIER_MUST_BE_IDENTICAL); } if (extractedClient.Secrets.Any() && extractedClient.Secrets.First(_ => _.Type == ClientSecretTypes.SharedSecret).Value != oauthClient.Secrets.First(_ => _.Type == ClientSecretTypes.SharedSecret).Value) { Logger.LogError("the client secret must be identical"); throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.CLIENT_SECRET_MUST_BE_IDENTICAL); } extractedClient.ClientId = clientId; extractedClient.Secrets = oauthClient.Secrets; extractedClient.RegistrationAccessToken = oauthClient.RegistrationAccessToken; extractedClient.UpdateDateTime = DateTime.UtcNow; extractedClient.CreateDateTime = oauthClient.CreateDateTime; await _oauthClientValidator.Validate(extractedClient, cancellationToken); await OAuthClientCommandRepository.Update(extractedClient, cancellationToken); await OAuthClientCommandRepository.SaveChanges(cancellationToken); Logger.LogInformation($"the client '{clientId}' has been updated"); return(null); }
public virtual async Task Handle(string clientId, HandlerContext handlerContext, CancellationToken cancellationToken) { var oauthClient = await GetClient(clientId, handlerContext, cancellationToken); var searchResult = await _tokenQueryRepository.Find(new SearchTokenParameter { ClientId = clientId }, cancellationToken); if (searchResult.Content.Any()) { await _grantedTokenHelper.RemoveTokens(searchResult.Content, cancellationToken); Logger.LogInformation($"the tokens '{string.Join(",", searchResult.Content.Select(_ => _.Id))}' have been revoked"); } Logger.LogInformation($"the client '{clientId}' has been removed"); await OAuthClientCommandRepository.Delete(oauthClient, cancellationToken); }
public virtual async Task <OAuthClient> GetClient(string clientId, HandlerContext handlerContext, CancellationToken cancellationToken) { var accessToken = handlerContext.Request.GetToken(AutenticationSchemes.Bearer, AutenticationSchemes.Basic); if (string.IsNullOrWhiteSpace(accessToken)) { Logger.LogError("access token is missing"); throw new OAuthUnauthorizedException(ErrorCodes.INVALID_TOKEN, ErrorMessages.MISSING_ACCESS_TOKEN); } var clients = await OAuthClientQueryRepository.Find(new Persistence.Parameters.SearchClientParameter { RegistrationAccessToken = accessToken }, cancellationToken); if (!clients.Content.Any()) { Logger.LogError($"access token '{accessToken}' is invalid"); throw new OAuthUnauthorizedException(ErrorCodes.INVALID_TOKEN, ErrorMessages.BAD_ACCESS_TOKEN); } var client = clients.Content.First(); if (client.ClientId != clientId) { client.RegistrationAccessToken = null; await OAuthClientCommandRepository.Update(client, cancellationToken); await OAuthClientCommandRepository.SaveChanges(cancellationToken); Logger.LogError($"access token '{accessToken}' can be used for the client '{client.ClientId}' and not for the client '{clientId}'"); throw new OAuthUnauthorizedException(ErrorCodes.INVALID_TOKEN, string.Format(ErrorMessages.ACCESS_TOKEN_VALID_CLIENT, client.ClientId, clientId)); } return(client); }
protected override async Task <JObject> Create(HandlerContext context) { var jObj = context.Request.Data; var applicationType = GetDefaultApplicationType(jObj); var sectorIdentifierUri = jObj.GetSectorIdentifierUriFromRegisterRequest(); var subjectType = jObj.GetSubjectTypeFromRegisterRequest(); var idTokenSignedResponseAlg = jObj.GetIdTokenSignedResponseAlgFromRegisterRequest(); var idTokenEncryptedResponseAlg = jObj.GetIdTokenEncryptedResponseAlgFromRegisterRequest(); var idTokenEncryptedResponseEnc = jObj.GetIdTokenEncryptedResponseEncFromRegisterRequest(); var userInfoSignedResponseAlg = jObj.GetUserInfoSignedResponseAlgFromRegisterRequest(); var userInfoEncryptedResponseAlg = jObj.GetUserInfoEncryptedResponseAlgFromRegisterRequest(); var userInfoEncryptedResponseEnc = jObj.GetUserInfoEncryptedResponseEncFromRegisterRequest(); var requestObjectSigningAlg = jObj.GetRequestObjectSigningAlgFromRegisterRequest(); var requestObjectEncryptionAlg = jObj.GetRequestObjectEncryptionAlgFromRegisterRequest(); var requestObjectEncryptionEnc = jObj.GetRequestObjectEncryptionEncFromRegisterRequest(); var defaultMaxAge = jObj.GetDefaultMaxAgeFromRegisterRequest(); var requireAuthTime = jObj.GetRequireAuhTimeFromRegisterRequest(); var acrValues = jObj.GetDefaultAcrValuesFromRegisterRequest(); var postLogoutRedirectUris = jObj.GetPostLogoutRedirectUrisFromRegisterRequest(); if (string.IsNullOrWhiteSpace(subjectType)) { subjectType = _openIDHostOptions.DefaultSubjectType; } if (string.IsNullOrWhiteSpace(idTokenSignedResponseAlg)) { idTokenSignedResponseAlg = RSA256SignHandler.ALG_NAME; } if (defaultMaxAge == null) { defaultMaxAge = _openIDHostOptions.DefaultMaxAge; } if (requireAuthTime == null) { requireAuthTime = false; } if (!string.IsNullOrWhiteSpace(idTokenEncryptedResponseAlg) && string.IsNullOrWhiteSpace(idTokenEncryptedResponseEnc)) { idTokenEncryptedResponseEnc = A128CBCHS256EncHandler.ENC_NAME; } if (!string.IsNullOrWhiteSpace(userInfoEncryptedResponseAlg) && string.IsNullOrWhiteSpace(userInfoEncryptedResponseEnc)) { userInfoEncryptedResponseEnc = A128CBCHS256EncHandler.ENC_NAME; } if (!string.IsNullOrWhiteSpace(requestObjectEncryptionAlg) && string.IsNullOrWhiteSpace(requestObjectEncryptionEnc)) { requestObjectEncryptionEnc = A128CBCHS256EncHandler.ENC_NAME; } var openidClient = new OpenIdClient(); var result = await EnrichOAuthClient(context, openidClient); openidClient.ApplicationType = applicationType; openidClient.SectorIdentifierUri = sectorIdentifierUri; openidClient.SubjectType = subjectType; openidClient.IdTokenSignedResponseAlg = idTokenSignedResponseAlg; openidClient.IdTokenEncryptedResponseAlg = idTokenEncryptedResponseAlg; openidClient.IdTokenEncryptedResponseEnc = idTokenEncryptedResponseEnc; openidClient.UserInfoSignedResponseAlg = userInfoSignedResponseAlg; openidClient.UserInfoEncryptedResponseAlg = userInfoEncryptedResponseAlg; openidClient.UserInfoEncryptedResponseEnc = userInfoEncryptedResponseEnc; openidClient.RequestObjectSigningAlg = requestObjectSigningAlg; openidClient.RequestObjectEncryptionAlg = requestObjectEncryptionAlg; openidClient.RequestObjectEncryptionEnc = requestObjectEncryptionEnc; openidClient.DefaultMaxAge = defaultMaxAge; openidClient.RequireAuthTime = requireAuthTime.Value; openidClient.DefaultAcrValues = acrValues.ToList(); openidClient.PostLogoutRedirectUris = postLogoutRedirectUris.ToList(); OAuthClientCommandRepository.Add(openidClient); await OAuthClientCommandRepository.SaveChanges(); AddNotEmpty(result, RegisterRequestParameters.ApplicationType, applicationType); AddNotEmpty(result, RegisterRequestParameters.SectorIdentifierUri, sectorIdentifierUri); AddNotEmpty(result, RegisterRequestParameters.SubjectType, subjectType); AddNotEmpty(result, RegisterRequestParameters.IdTokenSignedResponseAlg, idTokenSignedResponseAlg); AddNotEmpty(result, RegisterRequestParameters.IdTokenEncryptedResponseAlg, idTokenEncryptedResponseAlg); AddNotEmpty(result, RegisterRequestParameters.IdTokenEncryptedResponseEnc, idTokenEncryptedResponseEnc); AddNotEmpty(result, RegisterRequestParameters.UserInfoSignedResponseAlg, userInfoSignedResponseAlg); AddNotEmpty(result, RegisterRequestParameters.UserInfoEncryptedResponseAlg, userInfoEncryptedResponseAlg); AddNotEmpty(result, RegisterRequestParameters.UserInfoEncryptedResponseEnc, userInfoEncryptedResponseEnc); AddNotEmpty(result, RegisterRequestParameters.RequestObjectSigningAlg, requestObjectSigningAlg); AddNotEmpty(result, RegisterRequestParameters.RequestObjectEncryptionAlg, requestObjectEncryptionAlg); AddNotEmpty(result, RegisterRequestParameters.RequestObjectEncryptionEnc, requestObjectEncryptionEnc); if (defaultMaxAge != null) { AddNotEmpty(result, RegisterRequestParameters.DefaultMaxAge, defaultMaxAge.Value.ToString().ToLowerInvariant()); } AddNotEmpty(result, RegisterRequestParameters.RequireAuthTime, requireAuthTime.Value.ToString().ToLowerInvariant()); AddNotEmpty(result, RegisterRequestParameters.DefaultAcrValues, acrValues); AddNotEmpty(result, RegisterRequestParameters.PostLogoutRedirectUris, postLogoutRedirectUris); return(result); }