예제 #1
        /// <summary>
        /// Issues a challenge for a trusted-device registration request that has already passed validation.
        /// The pending authorization is persisted through the code challenge store and only the resulting
        /// challenge is handed back to the caller.
        /// </summary>
        /// <param name="validationResult">Validated registration request (client, device, interaction mode, scopes, PKCE challenge and principal).</param>
        /// <returns>The response carrying the generated challenge.</returns>
        public async Task <InitRegistrationResponse> Generate(InitRegistrationRequestValidationResult validationResult)
        {
            var client = validationResult.Client;
            var issuedAt = SystemClock.UtcNow.UtcDateTime;
            // Only a SHA-256 digest of the PKCE challenge is persisted, never the raw value.
            var pendingCode = new TrustedDeviceAuthorizationCode {
                Subject         = validationResult.Principal,
                RequestedScopes = validationResult.RequestedScopes,
                Lifetime        = client.AuthorizationCodeLifetime,
                InteractionMode = validationResult.InteractionMode,
                DeviceId        = validationResult.DeviceId,
                CreationTime    = issuedAt,
                CodeChallenge   = validationResult.CodeChallenge.Sha256(),
                ClientId        = client.ClientId
            };
            var challenge = await CodeChallengeStore.GenerateChallenge(pendingCode);
            return new InitRegistrationResponse { Challenge = challenge };
        }
예제 #2
        /// <summary>
        /// Issues a challenge for a validated device authorization request. The pending authorization is
        /// persisted through the code challenge store and only the generated challenge is returned.
        /// </summary>
        /// <param name="validationResult">Validated device authorization request (client, device, interaction mode, scopes, PKCE challenge and user id).</param>
        /// <returns>The response carrying the generated challenge.</returns>
        public async Task <DeviceAuthorizationResponse> Generate(DeviceAuthorizationRequestValidationResult validationResult)
        {
            var client = validationResult.Client;
            var issuedAt = SystemClock.UtcNow.UtcDateTime;
            // The stored subject is a synthetic principal whose only claim is the validated user id.
            var subject = Principal.Create("TrustedDevice", new Claim(JwtClaimTypes.Subject, validationResult.UserId));
            // Only a SHA-256 digest of the PKCE challenge is persisted, never the raw value.
            var pendingCode = new TrustedDeviceAuthorizationCode {
                Subject         = subject,
                RequestedScopes = validationResult.RequestedScopes,
                Lifetime        = client.AuthorizationCodeLifetime,
                InteractionMode = validationResult.InteractionMode,
                DeviceId        = validationResult.Device.DeviceId,
                CreationTime    = issuedAt,
                CodeChallenge   = validationResult.CodeChallenge.Sha256(),
                ClientId        = client.ClientId
            };
            var challenge = await CodeChallengeStore.GenerateChallenge(pendingCode);
            return new DeviceAuthorizationResponse { Challenge = challenge };
        }
예제 #3
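        /// <summary>
        /// Checks that a stored authorization code may be redeemed by the calling client and device:
        /// the code must belong to the same client and device, must not be expired (both the code's own
        /// lifetime and the client's configured lifetime apply), must carry at least one scope, and the
        /// presented PKCE code verifier must match the stored challenge.
        /// </summary>
        /// <param name="code">The authorization code as presented by the client; used here only to remove the stored entry.</param>
        /// <param name="authorizationCode">The persisted authorization code that <paramref name="code"/> resolved to.</param>
        /// <param name="codeVerifier">The PKCE code verifier presented by the client.</param>
        /// <param name="deviceId">Identifier of the device presenting the code.</param>
        /// <param name="client">The client presenting the code.</param>
        /// <returns>A successful result, or an <c>invalid_grant</c> error. The description is deliberately the same for every code-related failure so that callers cannot distinguish them.</returns>
        private async Task <ValidationResult> ValidateAuthorizationCode(string code, TrustedDeviceAuthorizationCode authorizationCode, string codeVerifier, string deviceId, Client client)
        {
            // A code bound to another client or device is rejected before the store is touched, so a
            // mismatched caller cannot invalidate a code it does not own.
            if (authorizationCode.ClientId != client.ClientId || authorizationCode.DeviceId != deviceId)
            {
                return Error(OidcConstants.TokenErrors.InvalidGrant, "Authorization code is invalid.");
            }
            // The code is removed before the remaining checks run, so a failed redemption attempt still consumes it.
            await CodeChallengeStore.RemoveAuthorizationCode(code);

            // Read the clock once so both expiry checks are evaluated against the same instant.
            var now = SystemClock.UtcNow.UtcDateTime;
            var isExpired = authorizationCode.CreationTime.HasExceeded(authorizationCode.Lifetime, now)
                         || authorizationCode.CreationTime.HasExceeded(client.AuthorizationCodeLifetime, now);
            if (isExpired)
            {
                return Error(OidcConstants.TokenErrors.InvalidGrant, "Authorization code is invalid.");
            }
            // A code that carries no scopes cannot be exchanged for a meaningful token.
            if (authorizationCode.RequestedScopes == null || !authorizationCode.RequestedScopes.Any())
            {
                return Error(OidcConstants.TokenErrors.InvalidGrant, "Authorization code is invalid.");
            }
            // PKCE: the verifier presented now must transform to the challenge recorded at authorization time.
            var proofKeyResult = ValidateAuthorizationCodeWithProofKeyParameters(codeVerifier, authorizationCode);
            if (proofKeyResult.IsError)
            {
                return Error(proofKeyResult.Error, proofKeyResult.ErrorDescription);
            }
            return Success();
        }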
예제 #4
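 /// <summary>
 /// Verifies the PKCE proof key for an authorization code: the stored code must carry a code challenge,
 /// the client must present a code verifier, and that verifier must transform to the stored challenge.
 /// </summary>
 /// <param name="codeVerifier">Code verifier presented by the client at the token endpoint.</param>
 /// <param name="authorizationCode">Stored authorization code holding the challenge recorded at authorization time.</param>
 /// <returns>A successful result, or an <c>invalid_grant</c> error describing which part of the proof is missing or wrong.</returns>
 protected static ValidationResult ValidateAuthorizationCodeWithProofKeyParameters(string codeVerifier, TrustedDeviceAuthorizationCode authorizationCode)
 {
     // Every failure here is reported as invalid_grant; only the description differs.
     ValidationResult InvalidGrant(string description) => new ValidationResult {
         IsError = true,
         Error = OidcConstants.TokenErrors.InvalidGrant,
         ErrorDescription = description
     };

     if (string.IsNullOrWhiteSpace(authorizationCode.CodeChallenge))
     {
         return InvalidGrant("Client is missing code challenge.");
     }
     // Reject a blank verifier up front so a client that omits code_verifier receives a well-formed
     // invalid_grant instead of depending on how the comparison helper (not visible here) handles null.
     if (string.IsNullOrWhiteSpace(codeVerifier))
     {
         return InvalidGrant("Client is missing code verifier.");
     }
     if (!ValidateCodeVerifierAgainstCodeChallenge(codeVerifier, authorizationCode.CodeChallenge))
     {
         return InvalidGrant("Transformed code verifier does not match code challenge.");
     }
     return Success();
 }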