private async Task <bool> ValidateRequestedScopesAsync(NameValueCollection parameters)
{
var scopes = parameters.Get(Constants.TokenRequest.Scope);
if (scopes.IsMissingOrTooLong(Constants.MaxScopeLength))
{
Logger.Warn("Scopes missing or too long");
return(false);
}
var requestedScopes = ScopeValidator.ParseScopesString(scopes);
if (requestedScopes == null)
{
return(false);
}
if (!_scopeValidator.AreScopesAllowed(_validatedRequest.Client, requestedScopes))
{
return(false);
}
if (!await _scopeValidator.AreScopesValidAsync(requestedScopes))
{
return(false);
}
_validatedRequest.Scopes = requestedScopes;
_validatedRequest.ValidatedScopes = _scopeValidator;
return(true);
}
public static TokenRequestValidator CreateTokenRequestValidator(
IdentityServerOptions options = null,
IScopeStore scopes = null,
IAuthorizationCodeStore authorizationCodeStore = null,
IRefreshTokenStore refreshTokens = null,
IUserService userService = null,
ICustomGrantValidator customGrantValidator = null,
ICustomRequestValidator customRequestValidator = null,
ScopeValidator scopeValidator = null,
IDictionary<string, object> environment = null)
{
if (options == null)
{
options = TestIdentityServerOptions.Create();
}
if (scopes == null)
{
scopes = new InMemoryScopeStore(TestScopes.Get());
}
if (userService == null)
{
userService = new TestUserService();
}
if (customRequestValidator == null)
{
customRequestValidator = new DefaultCustomRequestValidator();
}
if (customGrantValidator == null)
{
customGrantValidator = new TestGrantValidator();
}
if (refreshTokens == null)
{
refreshTokens = new InMemoryRefreshTokenStore();
}
if (scopeValidator == null)
{
scopeValidator = new ScopeValidator(scopes);
}
IOwinContext context;
if (environment == null)
{
context = new OwinContext(new Dictionary<string, object>());
}
else
{
context = new OwinContext(environment);
}
return new TokenRequestValidator(options, authorizationCodeStore, refreshTokens, userService, scopes, customGrantValidator, customRequestValidator, scopeValidator, context);
}
public AuthorizeRequestValidator(IdentityServerOptions options, IClientStore clients, ICustomRequestValidator customValidator, IRedirectUriValidator uriValidator, ScopeValidator scopeValidator, SessionCookie sessionCookie)
{
_options = options;
_clients = clients;
_customValidator = customValidator;
_uriValidator = uriValidator;
_scopeValidator = scopeValidator;
_sessionCookie = sessionCookie;
}
public AuthorizeRequestValidator(IdentityServerOptions options, IClientStore clients, ICustomRequestValidator customValidator, IRedirectUriValidator uriValidator, ScopeValidator scopeValidator, SessionCookie sessionCookie)
{
_options = options;
_clients = clients;
_customValidator = customValidator;
_uriValidator = uriValidator;
_scopeValidator = scopeValidator;
_sessionCookie = sessionCookie;
}
public static TokenRequestValidator CreateTokenRequestValidator(
IdentityServerOptions options = null,
IScopeStore scopes = null,
IAuthorizationCodeStore authorizationCodeStore = null,
IRefreshTokenStore refreshTokens = null,
IUserService userService = null,
ICustomGrantValidator customGrantValidator = null,
ICustomRequestValidator customRequestValidator = null,
ScopeValidator scopeValidator = null)
{
if (options == null)
{
options = TestIdentityServerOptions.Create();
}
if (scopes == null)
{
scopes = new InMemoryScopeStore(TestScopes.Get());
}
if (userService == null)
{
userService = new TestUserService();
}
if (customRequestValidator == null)
{
customRequestValidator = new DefaultCustomRequestValidator();
}
if (customGrantValidator == null)
{
customGrantValidator = new TestGrantValidator();
}
if (refreshTokens == null)
{
refreshTokens = new InMemoryRefreshTokenStore();
}
if (scopeValidator == null)
{
scopeValidator = new ScopeValidator(scopes);
}
return new TokenRequestValidator(
options,
authorizationCodeStore,
refreshTokens,
userService,
customGrantValidator,
customRequestValidator,
scopeValidator,
new DefaultEventService());
}
public TokenRequestValidator(IdentityServerOptions options, IAuthorizationCodeStore authorizationCodes, IRefreshTokenStore refreshTokens, IUserService users, ICustomGrantValidator customGrantValidator, ICustomRequestValidator customRequestValidator, ScopeValidator scopeValidator, IEventService events)
{
_options = options;
_authorizationCodes = authorizationCodes;
_refreshTokens = refreshTokens;
_users = users;
_customGrantValidator = customGrantValidator;
_customRequestValidator = customRequestValidator;
_scopeValidator = scopeValidator;
_events = events;
}
public TokenRequestValidator(IdentityServerOptions options, IAuthorizationCodeStore authorizationCodes, IRefreshTokenStore refreshTokens, IUserService users, ICustomGrantValidator customGrantValidator, ICustomRequestValidator customRequestValidator, ScopeValidator scopeValidator, IEventService events)
{
_options = options;
_authorizationCodes = authorizationCodes;
_refreshTokens = refreshTokens;
_users = users;
_customGrantValidator = customGrantValidator;
_customRequestValidator = customRequestValidator;
_scopeValidator = scopeValidator;
_events = events;
}
public TokenRequestValidator(IdentityServerOptions options, IAuthorizationCodeStore authorizationCodes, IRefreshTokenStore refreshTokens, IUserService users, IScopeStore scopes, ICustomGrantValidator customGrantValidator, ICustomRequestValidator customRequestValidator, ScopeValidator scopeValidator, IOwinContext context)
{
_options = options;
_authorizationCodes = authorizationCodes;
_refreshTokens = refreshTokens;
_users = users;
_scopes = scopes;
_customGrantValidator = customGrantValidator;
_customRequestValidator = customRequestValidator;
_scopeValidator = scopeValidator;
_environment = context.Environment;
}
public TokenRequestValidator(IdentityServerOptions options, IAuthorizationCodeStore authorizationCodes, IRefreshTokenStore refreshTokens, IUserService users, IScopeStore scopes, ICustomGrantValidator customGrantValidator, ICustomRequestValidator customRequestValidator, ScopeValidator scopeValidator, IOwinContext context)
{
_options = options;
_authorizationCodes = authorizationCodes;
_refreshTokens = refreshTokens;
_users = users;
_scopes = scopes;
_customGrantValidator = customGrantValidator;
_customRequestValidator = customRequestValidator;
_scopeValidator = scopeValidator;
_environment = context.Environment;
}
public AuthorizeRequestValidator(IdentityServerOptions options, IClientStore clients, ICustomRequestValidator customValidator, IRedirectUriValidator uriValidator, ScopeValidator scopeValidator, IOwinContext context)
{
_options = options;
_clients = clients;
_customValidator = customValidator;
_uriValidator = uriValidator;
_scopeValidator = scopeValidator;
_validatedRequest = new ValidatedAuthorizeRequest
{
Options = _options,
Environment = context.Environment
};
}
public AuthorizeRequestValidator(IdentityServerOptions options, IClientStore clients, ICustomRequestValidator customValidator, IRedirectUriValidator uriValidator, ScopeValidator scopeValidator, IOwinContext context)
{
_options = options;
_clients = clients;
_customValidator = customValidator;
_uriValidator = uriValidator;
_scopeValidator = scopeValidator;
_validatedRequest = new ValidatedAuthorizeRequest
{
Options = _options,
Environment = context.Environment
};
}
private async Task <bool> ValidateRequestedScopesAsync(NameValueCollection parameters)
{
var requestedScopes = ScopeValidator.ParseScopesString(parameters.Get(Constants.TokenRequest.Scope));
if (requestedScopes == null)
{
return(false);
}
if (!_scopeValidator.AreScopesAllowed(_validatedRequest.Client, requestedScopes))
{
return(false);
}
if (!await _scopeValidator.AreScopesValidAsync(requestedScopes))
{
return(false);
}
_validatedRequest.Scopes = requestedScopes;
_validatedRequest.ValidatedScopes = _scopeValidator;
return(true);
}
public async Task Disabled_Scope()
{
var scopes = ScopeValidator.ParseScopesString("openid email resource1 resource2 disabled");
var validator = new ScopeValidator(_store);
var result = await validator.AreScopesValidAsync(scopes);
result.Should().BeFalse();
}
public static AuthorizeRequestValidator CreateAuthorizeRequestValidator(
IdentityServerOptions options = null,
IScopeStore scopes = null,
IClientStore clients = null,
IUserService users = null,
ICustomRequestValidator customValidator = null,
IRedirectUriValidator uriValidator = null,
ScopeValidator scopeValidator = null,
IDictionary<string, object> environment = null)
{
if (options == null)
{
options = TestIdentityServerOptions.Create();
}
if (scopes == null)
{
scopes = new InMemoryScopeStore(TestScopes.Get());
}
if (clients == null)
{
clients = new InMemoryClientStore(TestClients.Get());
}
if (customValidator == null)
{
customValidator = new DefaultCustomRequestValidator();
}
if (uriValidator == null)
{
uriValidator = new DefaultRedirectUriValidator();
}
if (scopeValidator == null)
{
scopeValidator = new ScopeValidator(scopes);
}
IOwinContext context;
if (environment == null)
{
context = new OwinContext(new Dictionary<string, object>());
}
else
{
context = new OwinContext(environment);
}
return new AuthorizeRequestValidator(options, clients, customValidator, uriValidator, scopeValidator, context);
}
public static AuthorizeRequestValidator CreateAuthorizeRequestValidator(
IdentityServerOptions options = null,
IScopeStore scopes = null,
IClientStore clients = null,
IUserService users = null,
ICustomRequestValidator customValidator = null,
IRedirectUriValidator uriValidator = null,
ScopeValidator scopeValidator = null,
IDictionary<string, object> environment = null)
{
if (options == null)
{
options = TestIdentityServerOptions.Create();
}
if (scopes == null)
{
scopes = new InMemoryScopeStore(TestScopes.Get());
}
if (clients == null)
{
clients = new InMemoryClientStore(TestClients.Get());
}
if (customValidator == null)
{
customValidator = new DefaultCustomRequestValidator();
}
if (uriValidator == null)
{
uriValidator = new DefaultRedirectUriValidator();
}
if (scopeValidator == null)
{
scopeValidator = new ScopeValidator(scopes);
}
var mockSessionCookie = new Mock<SessionCookie>((IOwinContext)null, (IdentityServerOptions)null);
mockSessionCookie.CallBase = false;
mockSessionCookie.Setup(x => x.GetSessionId()).Returns((string)null);
return new AuthorizeRequestValidator(options, clients, customValidator, uriValidator, scopeValidator, mockSessionCookie.Object);
}
public async Task <ValidationResult> ValidateClientAsync()
{
Logger.Info("Start client validation");
if (_validatedRequest.ClientId.IsMissing())
{
throw new InvalidOperationException("ClientId is empty. Validate protocol first.");
}
//////////////////////////////////////////////////////////
// check for valid client
//////////////////////////////////////////////////////////
var client = await _clients.FindClientByIdAsync(_validatedRequest.ClientId);
if (client == null || client.Enabled == false)
{
Logger.ErrorFormat("Unknown client or not enabled: {0}", _validatedRequest.ClientId);
return(Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient));
}
Logger.InfoFormat("Client found in registry: {0} / {1}", client.ClientId, client.ClientName);
_validatedRequest.Client = client;
//////////////////////////////////////////////////////////
// check if redirect_uri is valid
//////////////////////////////////////////////////////////
if (!_validatedRequest.Client.RedirectUris.Contains(_validatedRequest.RedirectUri))
{
Logger.ErrorFormat("Invalid redirect_uri: {0}", _validatedRequest.RedirectUri);
return(Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient));
}
//////////////////////////////////////////////////////////
// check if flow is allowed for client
//////////////////////////////////////////////////////////
if (_validatedRequest.Flow != _validatedRequest.Client.Flow)
{
Logger.ErrorFormat("Invalid flow for client: {0}", _validatedRequest.Flow);
return(Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient));
}
var scopeValidator = new ScopeValidator();
//////////////////////////////////////////////////////////
// check if scopes are valid/supported and check for resource scopes
//////////////////////////////////////////////////////////
if (!scopeValidator.AreScopesValid(_validatedRequest.RequestedScopes, await _scopes.GetScopesAsync()))
{
return(Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope));
}
if (scopeValidator.ContainsOpenIdScopes && !_validatedRequest.IsOpenIdRequest)
{
Logger.Error("Identity related scope requests, but no openid scope");
return(Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope));
}
if (scopeValidator.ContainsResourceScopes)
{
_validatedRequest.IsResourceRequest = true;
}
//////////////////////////////////////////////////////////
// check scopes and scope restrictions
//////////////////////////////////////////////////////////
if (!scopeValidator.AreScopesAllowed(_validatedRequest.Client, _validatedRequest.RequestedScopes))
{
return(Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient));
}
_validatedRequest.ValidatedScopes = scopeValidator;
//////////////////////////////////////////////////////////
// check id vs resource scopes and response types plausability
//////////////////////////////////////////////////////////
if (!scopeValidator.IsResponseTypeValid(_validatedRequest.ResponseType))
{
return(Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope));
}
var customResult = await _customValidator.ValidateAuthorizeRequestAsync(_validatedRequest);
if (customResult.IsError)
{
Logger.Error("Error in custom validation: " + customResult.Error);
}
Logger.Info("Client validation successful");
return(customResult);
}
public async Task Contains_Identity_Scopes_Only()
{
var scopes = ScopeValidator.ParseScopesString("openid email");
var validator = new ScopeValidator(_store);
var result = await validator.AreScopesValidAsync(scopes);
result.Should().BeTrue();
validator.ContainsOpenIdScopes.Should().BeTrue();
validator.ContainsResourceScopes.Should().BeFalse();
}
public void Restricted_Scopes()
{
var scopes = ScopeValidator.ParseScopesString("openid email resource1 resource2");
var validator = new ScopeValidator(_store);
var result = validator.AreScopesAllowed(_restrictedClient, scopes);
result.Should().BeFalse();
}
public void All_Scopes_Allowed_For_Restricted_Client()
{
var scopes = ScopeValidator.ParseScopesString("openid resource1");
var validator = new ScopeValidator(_store);
var result = validator.AreScopesAllowed(_restrictedClient, scopes);
result.Should().BeTrue();
}
public async Task All_Scopes_Valid()
{
var scopes = ScopeValidator.ParseScopesString("openid email resource1 resource2");
var validator = new ScopeValidator(_store);
var result = await validator.AreScopesValidAsync(scopes);
result.Should().BeTrue();
}
