private string ValidateSid(HttpRequest request)
{
var sidCookie = _sessionCookie.GetSessionId();
if (sidCookie != null)
{
//TODO: update sid to OidcConstants when idmodel released
var sid = request.Query["sid"].FirstOrDefault();
if (sid != null)
{
if (TimeConstantComparer.IsEqual(sid, sidCookie))
{
_logger.LogDebug("sid validation successful");
return(sid);
}
else
{
_logger.LogError("sid in query string does not match sid from cookie");
}
}
else
{
_logger.LogError("No sid in query string");
}
}
else
{
_logger.LogError("No sid in cookie");
}
return(null);
}
public SessionInfo GetSession()
{
var id = SessionCookie.GetSessionId(Context);
if (!this.sessionInfoProvider.TryGet(id, out var sessionInfo))
{
sessionInfo = new SessionInfo();
}
return(sessionInfo);
}
public Task <SessionInfo> LoginAsync(UserLoginModel model)
{
var id = SessionCookie.GetSessionId(Context);
var auth = authManager.Authenticate(model.Username, model.Password);
var user = gameData.GetUser(auth.UserId);
if (user != null && user.Status >= 1)
{
return(Task.FromResult(new SessionInfo()
{
Authenticated = false
}));
}
return(sessionInfoProvider.SetAuthTokenAsync(id, auth));
}
private async Task <IHttpActionResult> RenderLoggedOutPage(string id)
{
Logger.Info("rendering logged out page");
var baseUrl = context.GetIdentityServerBaseUrl();
var iframeUrls = options.RenderProtocolUrls(baseUrl, sessionCookie.GetSessionId());
var message = signOutMessageCookie.Read(id);
var redirectUrl = message != null ? message.ReturnUrl : null;
var clientName = await clientStore.GetClientName(message);
var loggedOutModel = new LoggedOutViewModel
{
SiteName = options.SiteName,
SiteUrl = baseUrl,
IFrameUrls = iframeUrls,
ClientName = clientName,
RedirectUrl = redirectUrl,
AutoRedirect = options.AuthenticationOptions.EnablePostSignOutAutoRedirect,
AutoRedirectDelay = options.AuthenticationOptions.PostSignOutAutoRedirectDelay
};
return(new LoggedOutActionResult(viewService, loggedOutModel, message));
}
private AuthorizeRequestValidationResult ValidateOptionalParameters(ValidatedAuthorizeRequest request)
{
//////////////////////////////////////////////////////////
// check nonce
//////////////////////////////////////////////////////////
var nonce = request.Raw.Get(Constants.AuthorizeRequest.Nonce);
if (nonce.IsPresent())
{
if (nonce.Length > Constants.MaxNonceLength)
{
LogError("Nonce too long", request);
return(Invalid(request, ErrorTypes.Client));
}
request.Nonce = nonce;
}
else
{
if (request.Flow == Flows.Implicit ||
request.Flow == Flows.Hybrid)
{
// only openid requests require nonce
if (request.IsOpenIdRequest)
{
LogError("Nonce required for implicit and hybrid flow with openid scope", request);
return(Invalid(request, ErrorTypes.Client));
}
}
}
//////////////////////////////////////////////////////////
// check prompt
//////////////////////////////////////////////////////////
var prompt = request.Raw.Get(Constants.AuthorizeRequest.Prompt);
if (prompt.IsPresent())
{
if (Constants.SupportedPromptModes.Contains(prompt))
{
request.PromptMode = prompt;
}
else
{
Logger.Info("Unsupported prompt mode - ignored: " + prompt);
}
}
//////////////////////////////////////////////////////////
// check ui locales
//////////////////////////////////////////////////////////
var uilocales = request.Raw.Get(Constants.AuthorizeRequest.UiLocales);
if (uilocales.IsPresent())
{
if (uilocales.Length > Constants.MaxUiLocaleLength)
{
LogError("UI locale too long", request);
return(Invalid(request, ErrorTypes.Client));
}
request.UiLocales = uilocales;
}
//////////////////////////////////////////////////////////
// check display
//////////////////////////////////////////////////////////
var display = request.Raw.Get(Constants.AuthorizeRequest.Display);
if (display.IsPresent())
{
if (Constants.SupportedDisplayModes.Contains(display))
{
request.DisplayMode = display;
}
Logger.Info("Unsupported display mode - ignored: " + display);
}
//////////////////////////////////////////////////////////
// check max_age
//////////////////////////////////////////////////////////
var maxAge = request.Raw.Get(Constants.AuthorizeRequest.MaxAge);
if (maxAge.IsPresent())
{
int seconds;
if (int.TryParse(maxAge, out seconds))
{
if (seconds >= 0)
{
request.MaxAge = seconds;
}
else
{
LogError("Invalid max_age.", request);
return(Invalid(request, ErrorTypes.Client));
}
}
else
{
LogError("Invalid max_age.", request);
return(Invalid(request, ErrorTypes.Client));
}
}
//////////////////////////////////////////////////////////
// check login_hint
//////////////////////////////////////////////////////////
var loginHint = request.Raw.Get(Constants.AuthorizeRequest.LoginHint);
if (loginHint.IsPresent())
{
if (loginHint.Length > Constants.MaxLoginHintLength)
{
LogError("Login hint too long", request);
return(Invalid(request, ErrorTypes.Client));
}
request.LoginHint = loginHint;
}
//////////////////////////////////////////////////////////
// check acr_values
//////////////////////////////////////////////////////////
var acrValues = request.Raw.Get(Constants.AuthorizeRequest.AcrValues);
if (acrValues.IsPresent())
{
if (acrValues.Length > Constants.MaxAcrValuesLength)
{
LogError("Acr values too long", request);
return(Invalid(request, ErrorTypes.Client));
}
request.AuthenticationContextReferenceClasses = acrValues.FromSpaceSeparatedString().Distinct().ToList();
}
//////////////////////////////////////////////////////////
// check session cookie
//////////////////////////////////////////////////////////
if (_options.Endpoints.EnableCheckSessionEndpoint &&
request.Subject.Identity.IsAuthenticated)
{
var sessionId = _sessionCookie.GetSessionId();
if (sessionId.IsPresent())
{
request.SessionId = sessionId;
}
else
{
LogError("Check session endpoint enabled, but SessionId is missing", request);
}
}
return(Valid(request));
}
private bool ValidateSid(string sid)
{
return(IdentityModel.TimeConstantComparer.IsEqual(_sessionCookie.GetSessionId(), sid));
}
// basic protocol validation
public ValidationResult ValidateProtocol(NameValueCollection parameters)
{
Logger.Info("Start authorize request protocol validation");
if (parameters == null)
{
Logger.Error("Parameters are null.");
throw new ArgumentNullException("parameters");
}
_validatedRequest.Raw = parameters;
//////////////////////////////////////////////////////////
// check state
//////////////////////////////////////////////////////////
var state = parameters.Get(Constants.AuthorizeRequest.State);
if (state.IsPresent())
{
_validatedRequest.State = state;
}
//////////////////////////////////////////////////////////
// client_id must be present
/////////////////////////////////////////////////////////
var clientId = parameters.Get(Constants.AuthorizeRequest.ClientId);
if (clientId.IsMissingOrTooLong(Constants.MaxClientIdLength))
{
LogError("client_id is missing or too long");
return(Invalid());
}
_validatedRequest.ClientId = clientId;
//////////////////////////////////////////////////////////
// redirect_uri must be present, and a valid uri
//////////////////////////////////////////////////////////
var redirectUri = parameters.Get(Constants.AuthorizeRequest.RedirectUri);
if (redirectUri.IsMissingOrTooLong(Constants.MaxRedirectUriLength))
{
LogError("redirect_uri is missing or too long");
return(Invalid());
}
Uri uri;
if (!Uri.TryCreate(redirectUri, UriKind.Absolute, out uri))
{
LogError("invalid redirect_uri: " + redirectUri);
return(Invalid());
}
_validatedRequest.RedirectUri = redirectUri;
//////////////////////////////////////////////////////////
// response_type must be present and supported
//////////////////////////////////////////////////////////
var responseType = parameters.Get(Constants.AuthorizeRequest.ResponseType);
if (responseType.IsMissing())
{
LogError("Missing response_type");
return(Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.UnsupportedResponseType));
}
if (!Constants.SupportedResponseTypes.Contains(responseType))
{
LogError("Response type not supported: " + responseType);
return(Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.UnsupportedResponseType));
}
_validatedRequest.ResponseType = responseType;
//////////////////////////////////////////////////////////
// match response_type to flow
//////////////////////////////////////////////////////////
_validatedRequest.Flow = Constants.ResponseTypeToFlowMapping[_validatedRequest.ResponseType];
//////////////////////////////////////////////////////////
// check if flow is allowed at authorize endpoint
//////////////////////////////////////////////////////////
if (!Constants.AllowedFlowsForAuthorizeEndpoint.Contains(_validatedRequest.Flow))
{
LogError("Invalid flow");
return(Invalid());
}
//////////////////////////////////////////////////////////
// check response_mode parameter and set response_mode
//////////////////////////////////////////////////////////
// set default response mode for flow first
_validatedRequest.ResponseMode = Constants.AllowedResponseModesForFlow[_validatedRequest.Flow].First();
// check if response_mode parameter is present and valid
var responseMode = parameters.Get(Constants.AuthorizeRequest.ResponseMode);
if (responseMode.IsPresent())
{
if (Constants.SupportedResponseModes.Contains(responseMode))
{
if (Constants.AllowedResponseModesForFlow[_validatedRequest.Flow].Contains(responseMode))
{
_validatedRequest.ResponseMode = responseMode;
}
else
{
LogError("Invalid response_mode for flow: " + responseMode);
return(Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnsupportedResponseType));
}
}
else
{
LogError("Unsupported response_mode: " + responseMode);
return(Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnsupportedResponseType));
}
}
//////////////////////////////////////////////////////////
// scope must be present
//////////////////////////////////////////////////////////
var scope = parameters.Get(Constants.AuthorizeRequest.Scope);
if (scope.IsMissing())
{
LogError("scope is missing");
return(Invalid(ErrorTypes.Client));
}
if (scope.Length > Constants.MaxScopeLength)
{
LogError("scopes too long.");
return(Invalid(ErrorTypes.Client));
}
_validatedRequest.RequestedScopes = scope.FromSpaceSeparatedString().Distinct().ToList();
if (_validatedRequest.RequestedScopes.Contains(Constants.StandardScopes.OpenId))
{
_validatedRequest.IsOpenIdRequest = true;
}
//////////////////////////////////////////////////////////
// check scope vs response_type plausability
//////////////////////////////////////////////////////////
var requirement = Constants.ResponseTypeToScopeRequirement[_validatedRequest.ResponseType];
if (requirement == Constants.ScopeRequirement.Identity ||
requirement == Constants.ScopeRequirement.IdentityOnly)
{
if (_validatedRequest.IsOpenIdRequest == false)
{
LogError("response_type requires the openid scope");
return(Invalid(ErrorTypes.Client));
}
}
//////////////////////////////////////////////////////////
// check nonce
//////////////////////////////////////////////////////////
var nonce = parameters.Get(Constants.AuthorizeRequest.Nonce);
if (nonce.IsPresent())
{
if (nonce.Length > Constants.MaxNonceLength)
{
LogError("Nonce too long");
return(Invalid(ErrorTypes.Client));
}
_validatedRequest.Nonce = nonce;
}
else
{
if (_validatedRequest.Flow == Flows.Implicit)
{
// only openid requests require nonce
if (_validatedRequest.IsOpenIdRequest)
{
LogError("Nonce required for implicit flow with openid scope");
return(Invalid(ErrorTypes.Client));
}
}
}
//////////////////////////////////////////////////////////
// check prompt
//////////////////////////////////////////////////////////
var prompt = parameters.Get(Constants.AuthorizeRequest.Prompt);
if (prompt.IsPresent())
{
if (Constants.SupportedPromptModes.Contains(prompt))
{
_validatedRequest.PromptMode = prompt;
}
else
{
Logger.Info("Unsupported prompt mode - ignored: " + prompt);
}
}
//////////////////////////////////////////////////////////
// check ui locales
//////////////////////////////////////////////////////////
var uilocales = parameters.Get(Constants.AuthorizeRequest.UiLocales);
if (uilocales.IsPresent())
{
if (uilocales.Length > Constants.MaxUiLocaleLength)
{
LogError("UI locale too long");
return(Invalid(ErrorTypes.Client));
}
_validatedRequest.UiLocales = uilocales;
}
//////////////////////////////////////////////////////////
// check display
//////////////////////////////////////////////////////////
var display = parameters.Get(Constants.AuthorizeRequest.Display);
if (display.IsPresent())
{
if (Constants.SupportedDisplayModes.Contains(display))
{
_validatedRequest.DisplayMode = display;
}
Logger.Info("Unsupported display mode - ignored: " + display);
}
//////////////////////////////////////////////////////////
// check max_age
//////////////////////////////////////////////////////////
var maxAge = parameters.Get(Constants.AuthorizeRequest.MaxAge);
if (maxAge.IsPresent())
{
int seconds;
if (int.TryParse(maxAge, out seconds))
{
if (seconds >= 0)
{
_validatedRequest.MaxAge = seconds;
}
else
{
LogError("Invalid max_age.");
return(Invalid(ErrorTypes.Client));
}
}
else
{
LogError("Invalid max_age.");
return(Invalid(ErrorTypes.Client));
}
}
//////////////////////////////////////////////////////////
// check login_hint
//////////////////////////////////////////////////////////
var loginHint = parameters.Get(Constants.AuthorizeRequest.LoginHint);
if (loginHint.IsPresent())
{
if (loginHint.Length > Constants.MaxLoginHintLength)
{
LogError("Login hint too long");
return(Invalid(ErrorTypes.Client));
}
_validatedRequest.LoginHint = loginHint;
}
//////////////////////////////////////////////////////////
// check acr_values
//////////////////////////////////////////////////////////
var acrValues = parameters.Get(Constants.AuthorizeRequest.AcrValues);
if (acrValues.IsPresent())
{
if (acrValues.Length > Constants.MaxAcrValuesLength)
{
LogError("Acr values too long");
return(Invalid(ErrorTypes.Client));
}
_validatedRequest.AuthenticationContextReferenceClasses = acrValues.FromSpaceSeparatedString().Distinct().ToList();
}
//////////////////////////////////////////////////////////
// check session cookie
//////////////////////////////////////////////////////////
if (_options.Endpoints.EnableCheckSessionEndpoint)
{
var sessionId = _sessionCookie.GetSessionId();
if (sessionId.IsPresent())
{
_validatedRequest.SessionId = sessionId;
}
}
LogSuccess();
return(Valid());
}