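/// <summary>
        /// Validates an OAuth 2.0 Access Token Request or OIDC Token Request.
        /// Checks that a grant type is present, that the single parameter the grant type
        /// requires is present, and that every supplied parameter is within its maximum length.
        /// </summary>
        /// <param name="request">The token request to validate.</param>
        /// <exception cref="ArgumentNullException">
        /// Thrown when <paramref name="request"/> is null, when the grant type is missing,
        /// or when the parameter required by the grant type is missing.
        /// </exception>
        public static void Validate(this TokenRequest request)
        {
            // The previous version constructed this exception without throwing it, so a null
            // request fell through and failed with a NullReferenceException on the next access.
            if (request == null)
            {
                throw new ArgumentNullException(nameof(request));
            }

            if (request.GrantType.IsNullOrEmpty())
            {
                throw new ArgumentNullException(nameof(request.GrantType), request.GetTypeName());
            }

            // Each grant type has one parameter that must be present (authorization code:
            // RFC 6749 §4.1.3; refresh token: §6; client credentials: client id). Grant types
            // not listed here are only subject to the length checks below.
            if (request.GrantType == IdentityConstants.GrantTypes.AuthorizationCode)
            {
                RequirePresent(request.Code, nameof(request.Code));
            }
            else if (request.GrantType == IdentityConstants.GrantTypes.RefreshToken)
            {
                RequirePresent(request.RefreshToken, nameof(request.RefreshToken));
            }
            else if (request.GrantType == IdentityConstants.GrantTypes.ClientCredentials)
            {
                RequirePresent(request.ClientId, nameof(request.ClientId));
            }
            else if (request.GrantType == IdentityConstants.GrantTypes.Delegation)
            {
                RequirePresent(request.Assertion, nameof(request.Assertion));
            }

            // Length limits bound the size of untrusted input before it is stored or logged;
            // null/empty values are left to the ValidateMaxLength helper, as before.
            var typeName = request.GetTypeName();
            request.GrantType.ValidateMaxLength(IdentityConstants.MessageLength.GrantTypeMax, nameof(request.GrantType), typeName);
            request.Code.ValidateMaxLength(IdentityConstants.MessageLength.CodeMax, nameof(request.Code), typeName);
            request.RefreshToken.ValidateMaxLength(IdentityConstants.MessageLength.RefreshTokenMax, nameof(request.RefreshToken), typeName);
            request.Assertion.ValidateMaxLength(IdentityConstants.MessageLength.AssertionMax, nameof(request.Assertion), typeName);
            request.RedirectUri.ValidateMaxLength(IdentityConstants.MessageLength.RedirectUriMax, nameof(request.RedirectUri), typeName);
            request.ClientId.ValidateMaxLength(IdentityConstants.MessageLength.ClientIdMax, nameof(request.ClientId), typeName);
            request.Scope.ValidateMaxLength(IdentityConstants.MessageLength.ScopeMax, nameof(request.Scope), typeName);
            request.Username.ValidateMaxLength(IdentityConstants.MessageLength.UsernameMax, nameof(request.Username), typeName);
            request.Password.ValidateMaxLength(IdentityConstants.MessageLength.PasswordMax, nameof(request.Password), typeName);

            // Throws the same ArgumentNullException the per-grant checks always threw when the
            // parameter the grant type depends on is absent.
            void RequirePresent(string value, string parameterName)
            {
                if (value.IsNullOrEmpty())
                {
                    throw new ArgumentNullException(parameterName, typeName);
                }
            }
        }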
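        /// <summary>
        /// Validates the client secret presented with a token request against the secrets
        /// configured for the client. The first configured secret that matches accepts the
        /// request; if none matches, an <see cref="OAuthRequestException"/> with error
        /// <c>invalid_grant</c> is thrown.
        /// </summary>
        /// <param name="client">The registered client whose secrets are checked. A null client, or a client with no secrets, is reported as "secret not configured".</param>
        /// <param name="tokenRequest">The incoming token request; its client id is used for error messages and tracing.</param>
        /// <param name="clientCredentials">The credentials (client secret) presented with the request.</param>
        /// <exception cref="ArgumentNullException">Thrown when <paramref name="tokenRequest"/> or <paramref name="clientCredentials"/> is null, or when the request carries no client id.</exception>
        /// <exception cref="OAuthRequestException">Thrown when no secret is configured for the client or none of the configured secrets matches.</exception>
        protected async Task ValidateSecret(TClient client, TokenRequest tokenRequest, ClientCredentials clientCredentials)
        {
            if (tokenRequest == null)
            {
                throw new ArgumentNullException(nameof(tokenRequest));
            }
            if (tokenRequest.ClientId.IsNullOrEmpty())
            {
                throw new ArgumentNullException(nameof(tokenRequest.ClientId), tokenRequest.GetTypeName());
            }
            if (clientCredentials == null)
            {
                throw new ArgumentNullException(nameof(clientCredentials));
            }
            clientCredentials.Validate();

            // The former test `client?.Secrets.Count() <= 0` evaluates to false when client is
            // null (a lifted null <= 0 is false), so a missing client reached the foreach below
            // and failed with a NullReferenceException instead of an OAuth error. A missing
            // client, a missing secret list and an empty one are now all reported the same way.
            if (client?.Secrets == null || !client.Secrets.Any())
            {
                throw new OAuthRequestException($"Invalid client secret. Secret not configured for client id '{tokenRequest.ClientId}'.")
                      {
                          RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidGrant
                      };
            }

            // Secrets are compared through secretHashLogic (hash verification); the plaintext
            // presented secret is never compared directly here.
            foreach (var secret in client.Secrets)
            {
                if (await secretHashLogic.ValidateSecretAsync(secret, clientCredentials.ClientSecret))
                {
                    logger.ScopeTrace($"Down, OAuth Client id '{tokenRequest.ClientId}'. Client secret valid.", triggerEvent: true);
                    return;
                }
            }

            // Same error code as the "not configured" case so the response does not reveal
            // whether a secret exists for the client id.
            throw new OAuthRequestException($"Invalid client secret for client id '{tokenRequest.ClientId}'.")
                  {
                      RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidGrant
                  };
        }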
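        /// <summary>
        /// Validates an authorization code token request against the client it is addressed to:
        /// the request must be well formed, a redirect URI must be present and registered for the
        /// client, and the client id in the request must match the client.
        /// </summary>
        /// <param name="client">The registered client.</param>
        /// <param name="tokenRequest">The incoming token request.</param>
        /// <exception cref="ArgumentNullException">Thrown when <paramref name="client"/> or <paramref name="tokenRequest"/> is null, when the request fails <c>Validate()</c>, or when the redirect URI is missing.</exception>
        /// <exception cref="OAuthRequestException">Thrown with <c>invalid_grant</c> when the redirect URI is not registered for the client, and with <c>invalid_client</c> when the client id does not match.</exception>
        protected void ValidateAuthCodeRequest(TClient client, TokenRequest tokenRequest)
        {
            if (client == null)
            {
                throw new ArgumentNullException(nameof(client));
            }
            if (tokenRequest == null)
            {
                throw new ArgumentNullException(nameof(tokenRequest));
            }

            tokenRequest.Validate();
            if (tokenRequest.RedirectUri.IsNullOrEmpty())
            {
                throw new ArgumentNullException(nameof(tokenRequest.RedirectUri), tokenRequest.GetTypeName());
            }

            // Redirect URIs and client ids are opaque identifiers, so they are compared ordinally
            // rather than with culture-sensitive rules (CA1309): culture-aware comparison can treat
            // certain characters as ignorable, which is undesirable for a security check on
            // attacker-supplied input. Case-insensitivity is kept from the previous version.
            // NOTE(review): RFC 6749 §3.1.2.3 calls for simple (exact) string comparison of redirect
            // URIs; confirm whether the case-insensitive match is intended.
            var redirectUriRegistered = client.RedirectUris?.Any(u => string.Equals(u, tokenRequest.RedirectUri, StringComparison.OrdinalIgnoreCase)) == true;
            if (!redirectUriRegistered)
            {
                throw new OAuthRequestException($"Invalid redirect Uri '{tokenRequest.RedirectUri}'.")
                      {
                          RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidGrant
                      };
            }

            // string.Equals tolerates a null on either side, so a client with no id configured
            // is reported as invalid_client instead of failing with a NullReferenceException.
            if (!string.Equals(client.ClientId, tokenRequest.ClientId, StringComparison.OrdinalIgnoreCase))
            {
                throw new OAuthRequestException($"Invalid client id '{tokenRequest.ClientId}'.")
                      {
                          RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidClient
                      };
            }
        }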