protected override Task InitializeAsync(object initializationData = null)
{
if (!HttpResponse.IsSuccessStatusCode)
{
ErrorMessage = initializationData as string;
return(Task.CompletedTask);
}
Policy = initializationData as DiscoveryPolicy ?? new DiscoveryPolicy();
var validationError = Validate(Policy);
if (validationError.IsPresent())
{
Json = default;
ErrorType = ResponseErrorType.PolicyViolation;
ErrorMessage = validationError;
}
MtlsEndpointAliases =
new MtlsEndpointAliases(Json.TryGetValue(OidcConstants.Discovery.MtlsEndpointAliases));
return(Task.CompletedTask);
}
public DiscoveryResponse(string raw, DiscoveryPolicy policy = null)
{
if (policy == null)
{
policy = new DiscoveryPolicy();
}
IsError = false;
StatusCode = HttpStatusCode.OK;
Raw = raw;
try
{
Json = JObject.Parse(raw);
var validationError = Validate(policy);
if (!string.IsNullOrEmpty(validationError))
{
IsError = true;
Json = null;
ErrorType = ResponseErrorType.PolicyViolation;
Error = validationError;
}
}
catch (Exception ex)
{
IsError = true;
ErrorType = ResponseErrorType.Exception;
Error = ex.Message;
Exception = ex;
}
}
private string Validate(DiscoveryPolicy policy)
{
if (policy.ValidateIssuerName)
{
if (string.IsNullOrWhiteSpace(Issuer))
{
return("Issuer name is missing");
}
var isValid = ValidateIssuerName(Issuer.RemoveTrailingSlash(), policy.Authority.RemoveTrailingSlash(), policy.AuthorityNameComparison);
if (!isValid)
{
return("Issuer name does not match authority: " + Issuer);
}
}
var error = ValidateEndpoints(Json, policy);
if (error.IsPresent())
{
return(error);
}
return(string.Empty);
}
/// <summary>
/// Initialize instance of DiscoveryCache with passed authority.
/// </summary>
/// <param name="authority">Base address or discovery document endpoint.</param>
/// <param name="client">The client.</param>
/// <param name="policy">The policy.</param>
public DiscoveryCache(string authority, HttpClient client = null, DiscoveryPolicy policy = null)
{
_authority = authority;
_policy = policy ?? new DiscoveryPolicy();
if (client == null)
{
client = new HttpClient();
}
_getHttpClient = () => client;
}
public string ValidateEndoints(JObject json, DiscoveryPolicy policy)
{
var authorityHost = new Uri(policy.Authority).Authority;
foreach (var element in json)
{
if (element.Key.EndsWith("Endpoint", StringComparison.OrdinalIgnoreCase) ||
element.Key.Equals(OidcConstants.Discovery.JwksUri, StringComparison.OrdinalIgnoreCase))
{
var endpoint = element.Value.ToString();
Uri uri;
var isValidUri = Uri.TryCreate(endpoint, UriKind.Absolute, out uri);
if (!isValidUri)
{
return($"Malformed endpoint: {endpoint}");
}
if (!DiscoveryUrlHelper.IsValidScheme(uri))
{
return($"Malformed endpoint: {endpoint}");
}
if (!DiscoveryUrlHelper.IsSecureScheme(uri, policy))
{
return($"Endpoint does not use HTTPS: {endpoint}");
}
if (policy.ValidateEndpoints)
{
if (!string.Equals(authorityHost, uri.Host))
{
return($"Endpoint is on a different host than authority: {endpoint}");
}
if (!endpoint.StartsWith(policy.Authority, StringComparison.Ordinal))
{
return($"Endpoint belongs to different authority: {endpoint}");
}
}
}
}
if (policy.RequireKeySet)
{
if (string.IsNullOrWhiteSpace(JwksUri))
{
return("Keyset is missing");
}
}
return(string.Empty);
}
private string Validate(DiscoveryPolicy policy)
{
if (policy.ValidateIssuerName)
{
var isValid = ValidateIssuerName(Issuer.RemoveTrailingSlash(), policy.Authority.RemoveTrailingSlash());
if (!isValid)
{
return("Issuer name does not match authority");
}
}
var error = ValidateEndoints(Json, policy);
if (!string.IsNullOrEmpty(error))
{
return(error);
}
return(string.Empty);
}
public static bool IsSecureScheme(Uri url, DiscoveryPolicy policy)
{
if (policy.RequireHttps == true)
{
if (policy.AllowHttpOnLoopback == true)
{
var hostName = url.DnsSafeHost;
foreach (var address in policy.LoopbackAddresses)
{
if (string.Equals(hostName, address, StringComparison.OrdinalIgnoreCase))
{
return(true);
}
}
}
return(string.Equals(url.Scheme, "https", StringComparison.OrdinalIgnoreCase));
}
return(true);
}
protected override Task InitializeAsync(object initializationData = null)
{
if (!HttpResponse.IsSuccessStatusCode)
{
ErrorMessage = initializationData as string;
return(Task.CompletedTask);
}
Policy = initializationData as DiscoveryPolicy ?? new DiscoveryPolicy();
var validationError = Validate(Policy);
if (validationError.IsPresent())
{
Json = null;
ErrorType = ResponseErrorType.PolicyViolation;
ErrorMessage = validationError;
}
return(Task.CompletedTask);
}
private string Validate(DiscoveryPolicy policy)
{
if (policy.ValidateIssuerName)
{
IAuthorityValidationStrategy strategy = policy.AuthorityValidationStrategy ?? DiscoveryPolicy.DefaultAuthorityValidationStrategy;
AuthorityValidationResult issuerValidationResult = strategy.IsIssuerNameValid(Issuer, policy.Authority);
if (!issuerValidationResult.Success)
{
return(issuerValidationResult.ErrorMessage);
}
}
var error = ValidateEndpoints(Json, policy);
if (error.IsPresent())
{
return(error);
}
return(string.Empty);
}
private string Validate(DiscoveryPolicy policy)
{
if (policy.ValidateIssuerName)
{
#pragma warning disable 0618
IAuthorityValidationStrategy strategy = policy.AuthorityValidationStrategy ?? new StringComparisonAuthorityValidationStrategy(policy.AuthorityNameComparison);
#pragma warning restore 0618
AuthorityValidationResult issuerValidationResult = strategy.IsIssuerNameValid(Issuer, policy.Authority);
if (!issuerValidationResult.Success)
{
return(issuerValidationResult.ErrorMessage);
}
}
var error = ValidateEndpoints(Json, policy);
if (error.IsPresent())
{
return(error);
}
return(string.Empty);
}
/// <summary>
/// Validates the endoints and jwks_uri according to the security policy.
/// </summary>
/// <param name="json">The json.</param>
/// <param name="policy">The policy.</param>
/// <returns></returns>
public string ValidateEndpoints(JObject json, DiscoveryPolicy policy)
{
// allowed hosts
var allowedHosts = new HashSet <string>(policy.AdditionalEndpointBaseAddresses.Select(e => new Uri(e).Authority))
{
new Uri(policy.Authority).Authority
};
// allowed authorities (hosts + base address)
var allowedAuthorities = new HashSet <string>(policy.AdditionalEndpointBaseAddresses)
{
policy.Authority
};
foreach (var element in json)
{
if (element.Key.EndsWith("endpoint", StringComparison.OrdinalIgnoreCase) ||
element.Key.Equals(OidcConstants.Discovery.JwksUri, StringComparison.OrdinalIgnoreCase) ||
element.Key.Equals(OidcConstants.Discovery.CheckSessionIframe, StringComparison.OrdinalIgnoreCase))
{
var endpoint = element.Value.ToString();
var isValidUri = Uri.TryCreate(endpoint, UriKind.Absolute, out Uri uri);
if (!isValidUri)
{
return($"Malformed endpoint: {endpoint}");
}
if (!DiscoveryUrlHelper.IsValidScheme(uri))
{
return($"Malformed endpoint: {endpoint}");
}
if (!DiscoveryUrlHelper.IsSecureScheme(uri, policy))
{
return($"Endpoint does not use HTTPS: {endpoint}");
}
if (policy.ValidateEndpoints)
{
// if endpoint is on exclude list, don't validate
if (policy.EndpointValidationExcludeList.Contains(element.Key))
{
continue;
}
bool isAllowed = false;
foreach (var host in allowedHosts)
{
if (string.Equals(host, uri.Authority))
{
isAllowed = true;
}
}
if (!isAllowed)
{
return($"Endpoint is on a different host than authority: {endpoint}");
}
isAllowed = false;
foreach (var authority in allowedAuthorities)
{
if (endpoint.StartsWith(authority, policy.AuthorityNameComparison))
{
isAllowed = true;
}
}
if (!isAllowed)
{
return($"Endpoint belongs to different authority: {endpoint}");
}
}
}
}
if (policy.RequireKeySet)
{
if (string.IsNullOrWhiteSpace(JwksUri))
{
return("Keyset is missing");
}
}
return(string.Empty);
}
/// <summary>
/// Initialize instance of DiscoveryCache with passed authority.
/// </summary>
/// <param name="authority">Base address or discovery document endpoint.</param>
/// <param name="httpClientFunc">The HTTP client function.</param>
/// <param name="policy">The policy.</param>
public DiscoveryCache(string authority, Func <HttpClient> httpClientFunc, DiscoveryPolicy policy = null)
{
_authority = authority;
_policy = policy ?? new DiscoveryPolicy();
_getHttpClient = httpClientFunc ?? throw new ArgumentNullException(nameof(httpClientFunc));
}
/// <summary>
/// Initialize instance of DiscoveryCache with passed authority.
/// </summary>
/// <param name="authority">Base address or discovery document endpoint.</param>
/// <param name="policy">The policy.</param>
public DiscoveryCache(string authority, DiscoveryPolicy policy = null)
{
_authority = authority;
_policy = policy ?? new DiscoveryPolicy();
_getHttpClient = () => new HttpClient();
}
