public async Task <GrantValidationResult> ValidateAsync(ValidatedTokenRequest request)
{
var validator = _validators.FirstOrDefault(v => v.GrantType.Equals(request.GrantType, StringComparison.Ordinal));
if (validator == null)
{
_logger.LogError("No validator found for grant type");
return(new GrantValidationResult(TokenRequestErrors.UnsupportedGrantType));
}
try
{
_logger.LogTrace("Calling into custom grant validator: {type}", validator.GetType().FullName);
var context = new ExtensionGrantValidationContext
{
Request = request
};
await validator.ValidateAsync(context);
return(context.Result);
}
catch (Exception e)
{
_logger.LogError(1, e, "Grant validation error: {message}", e.Message);
return(new GrantValidationResult(TokenRequestErrors.InvalidGrant));
}
}
public TokenRequestValidationResult(ValidatedTokenRequest validatedRequest, Dictionary <string, object> customResponse = null)
{
IsError = false;
ValidatedRequest = validatedRequest;
CustomResponse = customResponse;
}
/// <summary>
/// Validates the request.
/// </summary>
/// <param name="parameters">The parameters.</param>
/// <param name="client">The client.</param>
/// <returns></returns>
/// <exception cref="System.ArgumentNullException">
/// parameters
/// or
/// client
/// </exception>
public async Task <TokenRequestValidationResult> ValidateRequestAsync(NameValueCollection parameters, Client client)
{
_logger.LogDebug("Start token request validation");
_validatedRequest = new ValidatedTokenRequest
{
Raw = parameters ?? throw new ArgumentNullException(nameof(parameters)),
Options = _options
};
_validatedRequest.SetClient(client ?? throw new ArgumentNullException(nameof(client)));
/////////////////////////////////////////////
// check client protocol type
/////////////////////////////////////////////
if (client.ProtocolType != IdentityServerConstants.ProtocolTypes.OpenIdConnect)
{
LogError("Client {clientId} has invalid protocol type for token endpoint: {protocolType}", client.ClientId, client.ProtocolType);
return(Invalid(OidcConstants.TokenErrors.InvalidClient));
}
/////////////////////////////////////////////
// check grant type
/////////////////////////////////////////////
var grantType = parameters.Get(OidcConstants.TokenRequest.GrantType);
if (grantType.IsMissing())
{
LogError("Grant type is missing");
return(Invalid(OidcConstants.TokenErrors.UnsupportedGrantType));
}
if (grantType.Length > _options.InputLengthRestrictions.GrantType)
{
LogError("Grant type is too long");
return(Invalid(OidcConstants.TokenErrors.UnsupportedGrantType));
}
_validatedRequest.GrantType = grantType;
switch (grantType)
{
case OidcConstants.GrantTypes.AuthorizationCode:
return(await RunValidationAsync(ValidateAuthorizationCodeRequestAsync, parameters));
case OidcConstants.GrantTypes.ClientCredentials:
return(await RunValidationAsync(ValidateClientCredentialsRequestAsync, parameters));
case OidcConstants.GrantTypes.Password:
return(await RunValidationAsync(ValidateResourceOwnerCredentialRequestAsync, parameters));
case OidcConstants.GrantTypes.RefreshToken:
return(await RunValidationAsync(ValidateRefreshTokenRequestAsync, parameters));
default:
return(await RunValidationAsync(ValidateExtensionGrantRequestAsync, parameters));
}
}
public async Task <TokenRequestValidationResult> ValidateRequestAsync(NameValueCollection parameters, Client client)
{
_logger.LogDebug("Start token request validation");
if (client == null)
{
throw new ArgumentNullException(nameof(client));
}
if (parameters == null)
{
throw new ArgumentNullException(nameof(parameters));
}
_validatedRequest = new ValidatedTokenRequest
{
Raw = parameters,
Client = client,
Options = _options
};
/////////////////////////////////////////////
// check grant type
/////////////////////////////////////////////
var grantType = parameters.Get(OidcConstants.TokenRequest.GrantType);
if (grantType.IsMissing())
{
LogError("Grant type is missing");
return(Invalid(OidcConstants.TokenErrors.UnsupportedGrantType));
}
if (grantType.Length > _options.InputLengthRestrictions.GrantType)
{
LogError("Grant type is too long");
return(Invalid(OidcConstants.TokenErrors.UnsupportedGrantType));
}
_validatedRequest.GrantType = grantType;
switch (grantType)
{
case OidcConstants.GrantTypes.AuthorizationCode:
return(await RunValidationAsync(ValidateAuthorizationCodeRequestAsync, parameters));
case OidcConstants.GrantTypes.ClientCredentials:
return(await RunValidationAsync(ValidateClientCredentialsRequestAsync, parameters));
case OidcConstants.GrantTypes.Password:
return(await RunValidationAsync(ValidateResourceOwnerCredentialRequestAsync, parameters));
case OidcConstants.GrantTypes.RefreshToken:
return(await RunValidationAsync(ValidateRefreshTokenRequestAsync, parameters));
default:
return(await RunValidationAsync(ValidateExtensionGrantRequestAsync, parameters));
}
}
/// <summary>
/// Initializes a new instance of the <see cref="TokenRequestValidationResult"/> class.
/// </summary>
/// <param name="validatedRequest">The validated request.</param>
/// <param name="error">The error.</param>
/// <param name="errorDescription">The error description.</param>
/// <param name="customResponse">The custom response.</param>
public TokenRequestValidationResult(ValidatedTokenRequest validatedRequest, string error, string errorDescription = null, Dictionary <string, object> customResponse = null)
{
IsError = true;
Error = error;
ErrorDescription = errorDescription;
ValidatedRequest = validatedRequest;
CustomResponse = customResponse;
}
public async Task <CustomGrantValidationResult> ValidateAsync(ValidatedTokenRequest request)
{
var validator = _validators.FirstOrDefault(v => v.GrantType.Equals(request.GrantType, StringComparison.Ordinal));
if (validator == null)
{
return(new CustomGrantValidationResult("No validator found for grant type"));
}
try
{
_logger.LogTrace("Calling into custom grant validator: {type}", validator.GetType().FullName);
return(await validator.ValidateAsync(request));
}
catch (Exception e)
{
_logger.LogError("Grant validation error", e);
return(new CustomGrantValidationResult("Grant validation error"));
}
}
public Task <CustomGrantValidationResult> ValidateAsync(string userName, string password, ValidatedTokenRequest request)
{
var result = new CustomGrantValidationResult("unsupported_grant_type");
_logger.LogWarning("Resource owner password credential type not supported. Configure an IResourceOwnerPasswordValidator.");
return(Task.FromResult(result));
}
public async Task <TokenRequestValidationResult> ValidateRequestAsync(NameValueCollection parameters, Client client)
{
_logger.LogDebug("Start token request validation");
_validatedRequest = new ValidatedTokenRequest
{
Raw = parameters ?? throw new ArgumentNullException(nameof(parameters)),
Options = _options
};
_validatedRequest.SetClient(client ?? throw new ArgumentNullException(nameof(client)));
/////////////////////////////////////////////
// check client protocol type
/////////////////////////////////////////////
if (client.ProtocolType != IdentityServerConstants.ProtocolTypes.OpenIdConnect)
{
LogError("Client {clientId} has invalid protocol type for token endpoint: {protocolType}", client.ClientId, client.ProtocolType);
return(Invalid(OidcConstants.TokenErrors.InvalidClient));
}
/////////////////////////////////////////////
// check grant type
/////////////////////////////////////////////
var grantType = parameters.Get(OidcConstants.TokenRequest.GrantType);
if (grantType.IsMissing())
{
LogError("Grant type is missing");
return(Invalid(OidcConstants.TokenErrors.UnsupportedGrantType));
}
if (grantType.Length > _options.InputLengthRestrictions.GrantType)
{
LogError("Grant type is too long");
return(Invalid(OidcConstants.TokenErrors.UnsupportedGrantType));
}
_validatedRequest.GrantType = grantType;
switch (grantType)
{
case OidcConstants.GrantTypes.AuthorizationCode:
return(await RunValidationAsync(ValidateAuthorizationCodeRequestAsync, parameters));
case OidcConstants.GrantTypes.ClientCredentials:
return(await RunValidationAsync(ValidateClientCredentialsRequestAsync, parameters));
case OidcConstants.GrantTypes.Password:
return(await RunValidationAsync(ValidateResourceOwnerCredentialRequestAsync, parameters));
case OidcConstants.GrantTypes.RefreshToken:
return(await RunValidationAsync(ValidateRefreshTokenRequestAsync, parameters));
default:
return(await RunValidationAsync(ValidateExtensionGrantRequestAsync, parameters));
}
}
async Task <TokenRequestValidationResult> RunValidationAsync(Func <NameValueCollection, Task <TokenRequestValidationResult> > validationFunc, NameValueCollection parameters)
{
// run standard validation
var result = await validationFunc(parameters);
if (result.IsError)
{
return(result);
}
// run custom validation
_logger.LogTrace("Calling into custom request validator: {type}", _customRequestValidator.GetType().FullName);
var customValidationContext = new CustomTokenRequestValidationContext {
Result = result
};
await _customRequestValidator.ValidateAsync(customValidationContext);
if (customValidationContext.Result.IsError)
{
if (customValidationContext.Result.Error.IsPresent())
{
LogError("Custom token request validator error {error}", customValidationContext.Result.Error);
}
else
{
LogError("Custom token request validator error");
}
return(customValidationContext.Result);
}
LogSuccess();
return(customValidationContext.Result);
}
/// <summary>
/// Custom validation logic for the token request.
/// </summary>
/// <param name="request">The validated request.</param>
/// <returns>
/// The validation result
/// </returns>
public Task <TokenRequestValidationResult> ValidateTokenRequestAsync(ValidatedTokenRequest request)
{
return(Task.FromResult(new TokenRequestValidationResult(request)));
}
public async Task <TokenRequestValidationResult> ValidateRequestAsync(NameValueCollection parameters, Client client)
{
_logger.LogDebug("Start token request validation");
_validatedRequest = new ValidatedTokenRequest();
if (client == null)
{
throw new ArgumentNullException("client");
}
if (parameters == null)
{
throw new ArgumentNullException("parameters");
}
_validatedRequest.Raw = parameters;
_validatedRequest.Client = client;
_validatedRequest.Options = _options;
/////////////////////////////////////////////
// check grant type
/////////////////////////////////////////////
var grantType = parameters.Get(OidcConstants.TokenRequest.GrantType);
if (grantType.IsMissing())
{
LogError("Grant type is missing.");
return(Invalid(OidcConstants.TokenErrors.UnsupportedGrantType));
}
if (grantType.Length > _options.InputLengthRestrictions.GrantType)
{
LogError("Grant type is too long.");
return(Invalid(OidcConstants.TokenErrors.UnsupportedGrantType));
}
_validatedRequest.GrantType = grantType;
// standard grant types
switch (grantType)
{
case OidcConstants.GrantTypes.AuthorizationCode:
return(await RunValidationAsync(ValidateAuthorizationCodeRequestAsync, parameters));
case OidcConstants.GrantTypes.ClientCredentials:
return(await RunValidationAsync(ValidateClientCredentialsRequestAsync, parameters));
case OidcConstants.GrantTypes.Password:
return(await RunValidationAsync(ValidateResourceOwnerCredentialRequestAsync, parameters));
case OidcConstants.GrantTypes.RefreshToken:
return(await RunValidationAsync(ValidateRefreshTokenRequestAsync, parameters));
}
// custom grant type
var result = await RunValidationAsync(ValidateCustomGrantRequestAsync, parameters);
if (result.IsError)
{
if (result.Error.IsPresent())
{
return(result);
}
LogError("Unsupported grant_type: " + grantType);
return(Invalid(OidcConstants.TokenErrors.UnsupportedGrantType));
}
return(result);
}
/// <summary>
/// Validates the request.
/// </summary>
/// <param name="parameters">The parameters.</param>
/// <param name="clientValidationResult">The client validation result.</param>
/// <returns></returns>
/// <exception cref="System.ArgumentNullException">
/// parameters
/// or
/// client
/// </exception>
public async Task <TokenRequestValidationResult> ValidateRequestAsync(NameValueCollection parameters, ClientSecretValidationResult clientValidationResult)
{
_logger.LogDebug("Start token request validation");
_validatedRequest = new ValidatedTokenRequest
{
Raw = parameters ?? throw new ArgumentNullException(nameof(parameters)),
Options = _options
};
if (clientValidationResult == null)
{
throw new ArgumentNullException(nameof(clientValidationResult));
}
_validatedRequest.SetClient(clientValidationResult.Client, clientValidationResult.Secret, clientValidationResult.Confirmation);
/////////////////////////////////////////////
// check client protocol type
/////////////////////////////////////////////
if (_validatedRequest.Client.ProtocolType != IdentityServerConstants.ProtocolTypes.OpenIdConnect)
{
LogError("Invalid protocol type for client",
new
{
clientId = _validatedRequest.Client.ClientId,
expectedProtocolType = IdentityServerConstants.ProtocolTypes.OpenIdConnect,
actualProtocolType = _validatedRequest.Client.ProtocolType
});
return(Invalid(OidcConstants.TokenErrors.InvalidClient));
}
/////////////////////////////////////////////
// check grant type
/////////////////////////////////////////////
var grantType = parameters.Get(OidcConstants.TokenRequest.GrantType);
if (grantType.IsMissing())
{
LogError("Grant type is missing");
return(Invalid(OidcConstants.TokenErrors.UnsupportedGrantType));
}
if (grantType.Length > _options.InputLengthRestrictions.GrantType)
{
LogError("Grant type is too long");
return(Invalid(OidcConstants.TokenErrors.UnsupportedGrantType));
}
_validatedRequest.GrantType = grantType;
return(grantType switch
{
OidcConstants.GrantTypes.AuthorizationCode => await RunValidationAsync(ValidateAuthorizationCodeRequestAsync, parameters),
OidcConstants.GrantTypes.ClientCredentials => await RunValidationAsync(ValidateClientCredentialsRequestAsync, parameters),
OidcConstants.GrantTypes.Password => await RunValidationAsync(ValidateResourceOwnerCredentialRequestAsync, parameters),
OidcConstants.GrantTypes.RefreshToken => await RunValidationAsync(ValidateRefreshTokenRequestAsync, parameters),
OidcConstants.GrantTypes.DeviceCode => await RunValidationAsync(ValidateDeviceCodeRequestAsync, parameters),
_ => await RunValidationAsync(ValidateExtensionGrantRequestAsync, parameters),
});
