public override async Task ValidateTokenRequest(OAuthValidateTokenRequestContext context) { if (!ObjectId.TryParse(context.ClientContext.ClientId, out var mongoObjectId)) { context.SetError("invalid_request"); return; } var client = await _clientManager.FindClientByIdAsync(context.ClientContext.ClientId); if (client == null) { context.SetError("invalid_client"); } else { context.Validated(); } }
/// <summary> /// Called at the final stage of a successful Token endpoint request. An application may implement this call in order to do any final /// modification of the claims being used to issue access or refresh tokens. This call may also be used in order to add additional /// response parameters to the Token endpoint's json response body. /// </summary> /// <param name="context">The context of the event carries information in and results out.</param> /// <returns> /// Task to enable asynchronous execution /// </returns> /// <remarks> /// This validates the grant_type accepted and also processes CORS /// </remarks> public override Task ValidateTokenRequest(OAuthValidateTokenRequestContext context) { //TODO: Determine which grant types will will actually support - these will probably be the only ones if (!context.TokenRequest.IsAuthorizationCodeGrantType && !context.TokenRequest.IsResourceOwnerPasswordCredentialsGrantType && !context.TokenRequest.IsRefreshTokenGrantType) { context.Rejected(); context.SetError("invalid_grant_type", "Only grant_type=authorization_code, grant_type=password or grant_type=refresh_token are accepted by this server."); return(Task.FromResult(0)); } ProcessCors(context); return(base.ValidateTokenRequest(context)); }
private void ProcessCors(OAuthValidateTokenRequestContext context) { var accessControlRequestMethodHeaders = context.Request.Headers.GetCommaSeparatedValues(CorsConstants.AccessControlRequestMethod); var originHeaders = context.Request.Headers.GetCommaSeparatedValues(CorsConstants.Origin); var accessControlRequestHeaders = context.Request.Headers.GetCommaSeparatedValues(CorsConstants.AccessControlRequestMethod); var corsRequest = new CorsRequestContext { Host = context.Request.Host.Value, HttpMethod = context.Request.Method, Origin = originHeaders?.FirstOrDefault(), RequestUri = context.Request.Uri, AccessControlRequestMethod = accessControlRequestMethodHeaders?.FirstOrDefault() }; if (accessControlRequestHeaders != null) { foreach (var header in context.Request.Headers.GetCommaSeparatedValues(CorsConstants.AccessControlRequestMethod)) { corsRequest.AccessControlRequestHeaders.Add(header); } } var engine = new CorsEngine(); if (corsRequest.IsPreflight) { try { // Make sure Access-Control-Request-Method is valid. var test = new HttpMethod(corsRequest.AccessControlRequestMethod); } catch (ArgumentException) { context.Response.StatusCode = (int)HttpStatusCode.BadRequest; context.SetError("Access Control Request Method Cannot Be Null Or Empty"); //context.RequestCompleted(); return; } catch (FormatException) { context.Response.StatusCode = (int)HttpStatusCode.BadRequest; context.SetError("Invalid Access Control Request Method"); //context.RequestCompleted(); return; } var result = engine.EvaluatePolicy(corsRequest, _options.CorsPolicy); if (!result.IsValid) { context.Response.StatusCode = (int)HttpStatusCode.BadRequest; context.SetError(string.Join(" | ", result.ErrorMessages)); //context.RequestCompleted(); return; } WriteCorsHeaders(result, context); } else { var result = engine.EvaluatePolicy(corsRequest, _options.CorsPolicy); if (result.IsValid) { WriteCorsHeaders(result, context); } } }
private void ProcessCors(OAuthValidateTokenRequestContext context) { var accessControlRequestMethodHeaders = context.Request.Headers.GetCommaSeparatedValues(CorsConstants.AccessControlRequestMethod); var originHeaders = context.Request.Headers.GetCommaSeparatedValues(CorsConstants.Origin); var accessControlRequestHeaders = context.Request.Headers.GetCommaSeparatedValues(CorsConstants.AccessControlRequestMethod); var corsRequest = new CorsRequestContext { Host = context.Request.Host.Value, HttpMethod = context.Request.Method, Origin = originHeaders == null ? null : originHeaders.FirstOrDefault(), RequestUri = context.Request.Uri, AccessControlRequestMethod = accessControlRequestMethodHeaders == null ? null : accessControlRequestMethodHeaders.FirstOrDefault() }; if (accessControlRequestHeaders != null) { foreach (var header in context.Request.Headers.GetCommaSeparatedValues(CorsConstants.AccessControlRequestMethod)) { corsRequest.AccessControlRequestHeaders.Add(header); } } var engine = new CorsEngine(); if (corsRequest.IsPreflight) { try { // Make sure Access-Control-Request-Method is valid. var test = new HttpMethod(corsRequest.AccessControlRequestMethod); } catch (ArgumentException) { context.Response.StatusCode = (int)HttpStatusCode.BadRequest; context.SetError("Access Control Request Method Cannot Be Null Or Empty"); //context.RequestCompleted(); return; } catch (FormatException) { context.Response.StatusCode = (int)HttpStatusCode.BadRequest; context.SetError("Invalid Access Control Request Method"); //context.RequestCompleted(); return; } var result = engine.EvaluatePolicy(corsRequest, _options.CorsPolicy); if (!result.IsValid) { context.Response.StatusCode = (int)HttpStatusCode.BadRequest; context.SetError(string.Join(" | ", result.ErrorMessages)); //context.RequestCompleted(); return; } WriteCorsHeaders(result, context); } else { var result = engine.EvaluatePolicy(corsRequest, _options.CorsPolicy); if (result.IsValid) { WriteCorsHeaders(result, context); } } }