public async Task <JObject> Handle(string clientId, HandlerContext handlerContext, CancellationToken cancellationToken)
{
var oauthClient = await GetClient(clientId, handlerContext, cancellationToken);
var extractedClient = ExtractClient(handlerContext);
if (extractedClient.ClientId != oauthClient.ClientId)
{
Logger.LogError("the client identifier must be identical");
throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.CLIENT_IDENTIFIER_MUST_BE_IDENTICAL);
}
if (extractedClient.Secrets.Any() && extractedClient.Secrets.First(_ => _.Type == ClientSecretTypes.SharedSecret).Value != oauthClient.Secrets.First(_ => _.Type == ClientSecretTypes.SharedSecret).Value)
{
Logger.LogError("the client secret must be identical");
throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.CLIENT_SECRET_MUST_BE_IDENTICAL);
}
extractedClient.ClientId = clientId;
extractedClient.Secrets = oauthClient.Secrets;
extractedClient.RegistrationAccessToken = oauthClient.RegistrationAccessToken;
extractedClient.UpdateDateTime = DateTime.UtcNow;
extractedClient.CreateDateTime = oauthClient.CreateDateTime;
await _oauthClientValidator.Validate(extractedClient, cancellationToken);
await OAuthClientCommandRepository.Update(extractedClient, cancellationToken);
await OAuthClientCommandRepository.SaveChanges(cancellationToken);
Logger.LogInformation($"the client '{clientId}' has been updated");
return(null);
}
public virtual async Task Handle(string clientId, HandlerContext handlerContext, CancellationToken cancellationToken)
{
var oauthClient = await GetClient(clientId, handlerContext, cancellationToken);
var searchResult = await _tokenQueryRepository.Find(new SearchTokenParameter
{
ClientId = clientId
}, cancellationToken);
if (searchResult.Content.Any())
{
await _grantedTokenHelper.RemoveTokens(searchResult.Content, cancellationToken);
Logger.LogInformation($"the tokens '{string.Join(",", searchResult.Content.Select(_ => _.Id))}' have been revoked");
}
Logger.LogInformation($"the client '{clientId}' has been removed");
await OAuthClientCommandRepository.Delete(oauthClient, cancellationToken);
}
public virtual async Task <OAuthClient> GetClient(string clientId, HandlerContext handlerContext, CancellationToken cancellationToken)
{
var accessToken = handlerContext.Request.GetToken(AutenticationSchemes.Bearer, AutenticationSchemes.Basic);
if (string.IsNullOrWhiteSpace(accessToken))
{
Logger.LogError("access token is missing");
throw new OAuthUnauthorizedException(ErrorCodes.INVALID_TOKEN, ErrorMessages.MISSING_ACCESS_TOKEN);
}
var clients = await OAuthClientQueryRepository.Find(new Persistence.Parameters.SearchClientParameter
{
RegistrationAccessToken = accessToken
}, cancellationToken);
if (!clients.Content.Any())
{
Logger.LogError($"access token '{accessToken}' is invalid");
throw new OAuthUnauthorizedException(ErrorCodes.INVALID_TOKEN, ErrorMessages.BAD_ACCESS_TOKEN);
}
var client = clients.Content.First();
if (client.ClientId != clientId)
{
client.RegistrationAccessToken = null;
await OAuthClientCommandRepository.Update(client, cancellationToken);
await OAuthClientCommandRepository.SaveChanges(cancellationToken);
Logger.LogError($"access token '{accessToken}' can be used for the client '{client.ClientId}' and not for the client '{clientId}'");
throw new OAuthUnauthorizedException(ErrorCodes.INVALID_TOKEN, string.Format(ErrorMessages.ACCESS_TOKEN_VALID_CLIENT, client.ClientId, clientId));
}
return(client);
}
protected override async Task <JObject> Create(HandlerContext context)
{
var jObj = context.Request.Data;
var applicationType = GetDefaultApplicationType(jObj);
var sectorIdentifierUri = jObj.GetSectorIdentifierUriFromRegisterRequest();
var subjectType = jObj.GetSubjectTypeFromRegisterRequest();
var idTokenSignedResponseAlg = jObj.GetIdTokenSignedResponseAlgFromRegisterRequest();
var idTokenEncryptedResponseAlg = jObj.GetIdTokenEncryptedResponseAlgFromRegisterRequest();
var idTokenEncryptedResponseEnc = jObj.GetIdTokenEncryptedResponseEncFromRegisterRequest();
var userInfoSignedResponseAlg = jObj.GetUserInfoSignedResponseAlgFromRegisterRequest();
var userInfoEncryptedResponseAlg = jObj.GetUserInfoEncryptedResponseAlgFromRegisterRequest();
var userInfoEncryptedResponseEnc = jObj.GetUserInfoEncryptedResponseEncFromRegisterRequest();
var requestObjectSigningAlg = jObj.GetRequestObjectSigningAlgFromRegisterRequest();
var requestObjectEncryptionAlg = jObj.GetRequestObjectEncryptionAlgFromRegisterRequest();
var requestObjectEncryptionEnc = jObj.GetRequestObjectEncryptionEncFromRegisterRequest();
var defaultMaxAge = jObj.GetDefaultMaxAgeFromRegisterRequest();
var requireAuthTime = jObj.GetRequireAuhTimeFromRegisterRequest();
var acrValues = jObj.GetDefaultAcrValuesFromRegisterRequest();
var postLogoutRedirectUris = jObj.GetPostLogoutRedirectUrisFromRegisterRequest();
if (string.IsNullOrWhiteSpace(subjectType))
{
subjectType = _openIDHostOptions.DefaultSubjectType;
}
if (string.IsNullOrWhiteSpace(idTokenSignedResponseAlg))
{
idTokenSignedResponseAlg = RSA256SignHandler.ALG_NAME;
}
if (defaultMaxAge == null)
{
defaultMaxAge = _openIDHostOptions.DefaultMaxAge;
}
if (requireAuthTime == null)
{
requireAuthTime = false;
}
if (!string.IsNullOrWhiteSpace(idTokenEncryptedResponseAlg) && string.IsNullOrWhiteSpace(idTokenEncryptedResponseEnc))
{
idTokenEncryptedResponseEnc = A128CBCHS256EncHandler.ENC_NAME;
}
if (!string.IsNullOrWhiteSpace(userInfoEncryptedResponseAlg) && string.IsNullOrWhiteSpace(userInfoEncryptedResponseEnc))
{
userInfoEncryptedResponseEnc = A128CBCHS256EncHandler.ENC_NAME;
}
if (!string.IsNullOrWhiteSpace(requestObjectEncryptionAlg) && string.IsNullOrWhiteSpace(requestObjectEncryptionEnc))
{
requestObjectEncryptionEnc = A128CBCHS256EncHandler.ENC_NAME;
}
var openidClient = new OpenIdClient();
var result = await EnrichOAuthClient(context, openidClient);
openidClient.ApplicationType = applicationType;
openidClient.SectorIdentifierUri = sectorIdentifierUri;
openidClient.SubjectType = subjectType;
openidClient.IdTokenSignedResponseAlg = idTokenSignedResponseAlg;
openidClient.IdTokenEncryptedResponseAlg = idTokenEncryptedResponseAlg;
openidClient.IdTokenEncryptedResponseEnc = idTokenEncryptedResponseEnc;
openidClient.UserInfoSignedResponseAlg = userInfoSignedResponseAlg;
openidClient.UserInfoEncryptedResponseAlg = userInfoEncryptedResponseAlg;
openidClient.UserInfoEncryptedResponseEnc = userInfoEncryptedResponseEnc;
openidClient.RequestObjectSigningAlg = requestObjectSigningAlg;
openidClient.RequestObjectEncryptionAlg = requestObjectEncryptionAlg;
openidClient.RequestObjectEncryptionEnc = requestObjectEncryptionEnc;
openidClient.DefaultMaxAge = defaultMaxAge;
openidClient.RequireAuthTime = requireAuthTime.Value;
openidClient.DefaultAcrValues = acrValues.ToList();
openidClient.PostLogoutRedirectUris = postLogoutRedirectUris.ToList();
OAuthClientCommandRepository.Add(openidClient);
await OAuthClientCommandRepository.SaveChanges();
AddNotEmpty(result, RegisterRequestParameters.ApplicationType, applicationType);
AddNotEmpty(result, RegisterRequestParameters.SectorIdentifierUri, sectorIdentifierUri);
AddNotEmpty(result, RegisterRequestParameters.SubjectType, subjectType);
AddNotEmpty(result, RegisterRequestParameters.IdTokenSignedResponseAlg, idTokenSignedResponseAlg);
AddNotEmpty(result, RegisterRequestParameters.IdTokenEncryptedResponseAlg, idTokenEncryptedResponseAlg);
AddNotEmpty(result, RegisterRequestParameters.IdTokenEncryptedResponseEnc, idTokenEncryptedResponseEnc);
AddNotEmpty(result, RegisterRequestParameters.UserInfoSignedResponseAlg, userInfoSignedResponseAlg);
AddNotEmpty(result, RegisterRequestParameters.UserInfoEncryptedResponseAlg, userInfoEncryptedResponseAlg);
AddNotEmpty(result, RegisterRequestParameters.UserInfoEncryptedResponseEnc, userInfoEncryptedResponseEnc);
AddNotEmpty(result, RegisterRequestParameters.RequestObjectSigningAlg, requestObjectSigningAlg);
AddNotEmpty(result, RegisterRequestParameters.RequestObjectEncryptionAlg, requestObjectEncryptionAlg);
AddNotEmpty(result, RegisterRequestParameters.RequestObjectEncryptionEnc, requestObjectEncryptionEnc);
if (defaultMaxAge != null)
{
AddNotEmpty(result, RegisterRequestParameters.DefaultMaxAge, defaultMaxAge.Value.ToString().ToLowerInvariant());
}
AddNotEmpty(result, RegisterRequestParameters.RequireAuthTime, requireAuthTime.Value.ToString().ToLowerInvariant());
AddNotEmpty(result, RegisterRequestParameters.DefaultAcrValues, acrValues);
AddNotEmpty(result, RegisterRequestParameters.PostLogoutRedirectUris, postLogoutRedirectUris);
return(result);
}
