protected void ValidateClientCredentialsRequest(TClient client, TokenRequest tokenRequest) { tokenRequest.Validate(); if (!client.ClientId.Equals(tokenRequest.ClientId, StringComparison.InvariantCultureIgnoreCase)) { throw new OAuthRequestException($"Invalid client id '{tokenRequest.ClientId}'.") { RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidClient }; } if (!tokenRequest.Scope.IsNullOrEmpty()) { var resourceScopes = oauthResourceScopeLogic.GetResourceScopes(client as TClient); var invalidScope = tokenRequest.Scope.ToSpaceList().Where(s => !(resourceScopes.Select(rs => rs).Contains(s) || (client.Scopes != null && client.Scopes.Select(ps => ps.Scope).Contains(s)))); if (invalidScope.Count() > 0) { throw new OAuthRequestException($"Invalid scope '{tokenRequest.Scope}'.") { RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidScope }; } } }
private void ValidateAuthenticationRequest(OidcDownClient client, AuthenticationRequest authenticationRequest, bool requireCodeFlow) { try { var responseType = authenticationRequest.ResponseType.ToSpaceList(); bool isImplicitFlow = !responseType.Contains(IdentityConstants.ResponseTypes.Code); authenticationRequest.Validate(isImplicitFlow); if (requireCodeFlow) { if (responseType.Where(rt => !rt.Equals(IdentityConstants.ResponseTypes.Code)).Any()) { throw new OAuthRequestException($"Require '{IdentityConstants.ResponseTypes.Code}' flow with PKCE.") { RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidRequest }; } } if (!client.RedirectUris.Any(u => u.Equals(authenticationRequest.RedirectUri, StringComparison.InvariantCultureIgnoreCase))) { throw new OAuthRequestException($"Invalid redirect Uri '{authenticationRequest.RedirectUri}'.") { RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidRequest }; } if (!client.ClientId.Equals(authenticationRequest.ClientId, StringComparison.InvariantCultureIgnoreCase)) { throw new OAuthRequestException($"Invalid client id '{authenticationRequest.ClientId}'.") { RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidClient }; } if (!authenticationRequest.Scope.Contains(IdentityConstants.DefaultOidcScopes.OpenId)) { throw new OAuthRequestException($"Require '{IdentityConstants.DefaultOidcScopes.OpenId}' scope.") { RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidScope }; } var resourceScopes = oauthResourceScopeLogic.GetResourceScopes(client as TClient); var invalidScope = authenticationRequest.Scope.ToSpaceList().Where(s => !(resourceScopes.Select(rs => rs).Contains(s) || (client.Scopes != null && client.Scopes.Select(ps => ps.Scope).Contains(s))) && IdentityConstants.DefaultOidcScopes.OpenId != s); if (invalidScope.Count() > 0) { throw new OAuthRequestException($"Invalid scope '{authenticationRequest.Scope}'.") { RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidScope }; } ValidateResponseType(client, authenticationRequest, responseType); if (!authenticationRequest.ResponseMode.IsNullOrEmpty()) { var invalidResponseMode = !(new[] { IdentityConstants.ResponseModes.Fragment, IdentityConstants.ResponseModes.Query, IdentityConstants.ResponseModes.FormPost }.Contains(authenticationRequest.ResponseMode)); if (invalidResponseMode) { throw new OAuthRequestException($"Invalid response mode '{authenticationRequest.ResponseMode}'.") { RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidRequest }; } } } catch (ArgumentException ex) { throw new OAuthRequestException(ex.Message, ex) { RouteBinding = RouteBinding, Error = IdentityConstants.ResponseErrors.InvalidRequest }; } }