/// <summary>
/// Builds a <see cref="TrustedDeviceAuthorizationCode"/> from an already-validated
/// device-registration request, hands it to <c>CodeChallengeStore</c> and returns the
/// challenge the store produced.
/// </summary>
/// <param name="validationResult">
/// The validated init-registration request: supplies the client, device id, interaction
/// mode, PKCE code challenge, requested scopes and the principal that becomes the code's subject.
/// </param>
/// <returns>An <see cref="InitRegistrationResponse"/> carrying the generated challenge.</returns>
public async Task<InitRegistrationResponse> Generate(InitRegistrationRequestValidationResult validationResult)
{
    var client = validationResult.Client;
    var issuedAt = SystemClock.UtcNow.UtcDateTime;

    // The code challenge is persisted as its SHA-256 digest rather than in the clear; the
    // token-side comparison has to account for that transform.
    var code = new TrustedDeviceAuthorizationCode
    {
        ClientId = client.ClientId,
        DeviceId = validationResult.DeviceId,
        InteractionMode = validationResult.InteractionMode,
        CodeChallenge = validationResult.CodeChallenge.Sha256(),
        CreationTime = issuedAt,
        Lifetime = client.AuthorizationCodeLifetime,
        RequestedScopes = validationResult.RequestedScopes,
        Subject = validationResult.Principal
    };

    var challenge = await CodeChallengeStore.GenerateChallenge(code);
    return new InitRegistrationResponse { Challenge = challenge };
}
/// <summary>
/// Builds a <see cref="TrustedDeviceAuthorizationCode"/> for a validated device-authorization
/// request, stores it via <c>CodeChallengeStore</c> and returns the resulting challenge.
/// </summary>
/// <param name="validationResult">
/// The validated request: supplies the client, the registered device, interaction mode, PKCE
/// code challenge, requested scopes and the user id that becomes the code's subject.
/// </param>
/// <returns>A <see cref="DeviceAuthorizationResponse"/> carrying the generated challenge.</returns>
public async Task<DeviceAuthorizationResponse> Generate(DeviceAuthorizationRequestValidationResult validationResult)
{
    var client = validationResult.Client;
    var issuedAt = SystemClock.UtcNow.UtcDateTime;

    // Unlike the registration flow there is no incoming principal here; the subject is a fresh
    // principal whose only claim is the user id, under the "TrustedDevice" authentication type.
    var subject = Principal.Create("TrustedDevice", new Claim(JwtClaimTypes.Subject, validationResult.UserId));

    // The code challenge is persisted as its SHA-256 digest rather than in the clear.
    var code = new TrustedDeviceAuthorizationCode
    {
        ClientId = client.ClientId,
        CodeChallenge = validationResult.CodeChallenge.Sha256(),
        CreationTime = issuedAt,
        DeviceId = validationResult.Device.DeviceId,
        InteractionMode = validationResult.InteractionMode,
        Lifetime = client.AuthorizationCodeLifetime,
        RequestedScopes = validationResult.RequestedScopes,
        Subject = subject
    };

    var challenge = await CodeChallengeStore.GenerateChallenge(code);
    return new DeviceAuthorizationResponse { Challenge = challenge };
}
/// <summary>
/// Consumes and validates a trusted-device authorization code presented at the token endpoint.
/// The code must have been issued to the calling client and device, is removed from the store
/// so it cannot be presented again, must be within both its own lifetime and the client's
/// configured lifetime, must carry at least one scope, and must pass the PKCE proof-key check.
/// </summary>
/// <param name="code">The raw authorization code value; used as the key for removal from the store.</param>
/// <param name="authorizationCode">The stored record the caller already resolved from <paramref name="code"/>.</param>
/// <param name="codeVerifier">The PKCE <c>code_verifier</c> sent by the client.</param>
/// <param name="deviceId">The id of the device presenting the code.</param>
/// <param name="client">The client presenting the code.</param>
/// <returns>
/// <c>Success()</c> when every check passes; otherwise an <c>invalid_grant</c> error. Binding,
/// expiry and scope failures all share one generic description so the response does not reveal
/// which check rejected the code; only the PKCE helper's own description is passed through.
/// </returns>
private async Task<ValidationResult> ValidateAuthorizationCode(string code, TrustedDeviceAuthorizationCode authorizationCode, string codeVerifier, string deviceId, Client client)
{
    // Every failure other than the PKCE one maps to this same generic error.
    ValidationResult Invalid() => Error(OidcConstants.TokenErrors.InvalidGrant, "Authorization code is invalid.");

    // Binding: the code must belong to this client and to this device. Both checks run before
    // the code is removed, so a mismatched caller does not consume someone else's code.
    var boundToCaller = authorizationCode.ClientId == client.ClientId
                        && authorizationCode.DeviceId == deviceId;
    if (!boundToCaller)
    {
        return Invalid();
    }

    // Single use: remove the code before the remaining checks so that a code rejected for
    // expiry or a bad verifier cannot be retried.
    await CodeChallengeStore.RemoveAuthorizationCode(code);

    // Expiry: the record's own lifetime and the client's configured lifetime both apply.
    var expired = authorizationCode.CreationTime.HasExceeded(authorizationCode.Lifetime, SystemClock.UtcNow.UtcDateTime)
                  || authorizationCode.CreationTime.HasExceeded(client.AuthorizationCodeLifetime, SystemClock.UtcNow.UtcDateTime);
    if (expired)
    {
        return Invalid();
    }

    // A code that carries no scopes cannot be exchanged for a meaningful token.
    var scopes = authorizationCode.RequestedScopes;
    if (scopes == null || !scopes.Any())
    {
        return Invalid();
    }

    // PKCE: the presented verifier must match the challenge captured at issuance.
    var proofKeyResult = ValidateAuthorizationCodeWithProofKeyParameters(codeVerifier, authorizationCode);
    if (proofKeyResult.IsError)
    {
        return Error(proofKeyResult.Error, proofKeyResult.ErrorDescription);
    }

    return Success();
}
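/// <summary>
/// Performs the PKCE (RFC 7636) proof-of-possession check for a trusted-device authorization
/// code: the stored code challenge must be present, the client must have sent a code verifier,
/// and the verifier must transform to the stored challenge.
/// </summary>
/// <param name="codeVerifier">The <c>code_verifier</c> sent by the client with the token request.</param>
/// <param name="authorizationCode">The stored code record holding the challenge captured at issuance.</param>
/// <returns>
/// <c>Success()</c> when the verifier matches; otherwise an <c>invalid_grant</c>
/// <see cref="ValidationResult"/> whose description names the failing precondition.
/// </returns>
protected static ValidationResult ValidateAuthorizationCodeWithProofKeyParameters(string codeVerifier, TrustedDeviceAuthorizationCode authorizationCode)
{
    // All failures here are invalid_grant; only the description differs.
    ValidationResult InvalidGrant(string description) => new ValidationResult
    {
        IsError = true,
        Error = OidcConstants.TokenErrors.InvalidGrant,
        ErrorDescription = description
    };

    if (string.IsNullOrWhiteSpace(authorizationCode.CodeChallenge))
    {
        return InvalidGrant("Client is missing code challenge.");
    }

    // A request without a verifier is a client error; reject it explicitly rather than
    // passing null/blank into the comparison helper, whose handling of that input is not
    // visible here.
    if (string.IsNullOrWhiteSpace(codeVerifier))
    {
        return InvalidGrant("Client is missing code verifier.");
    }

    // NOTE(review): RFC 7636 section 4.1 bounds code_verifier to 43-128 characters; that
    // length bound is not enforced at this point.
    if (!ValidateCodeVerifierAgainstCodeChallenge(codeVerifier, authorizationCode.CodeChallenge))
    {
        return InvalidGrant("Transformed code verifier does not match code challenge.");
    }

    return Success();
}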