/// <summary>
/// Reads the <c>scope</c> parameter of the token request, checks it against the
/// client's scope restrictions and the scope store, and records the outcome on
/// the validated request.
/// </summary>
/// <param name="parameters">Raw form parameters of the token request.</param>
/// <returns>
/// <c>true</c> when the scope value is present, within <see cref="Constants.MaxScopeLength"/>,
/// parseable, allowed for the client and valid; otherwise <c>false</c>.
/// </returns>
private async Task<bool> ValidateRequestedScopesAsync(NameValueCollection parameters)
{
    var rawScopes = parameters.Get(Constants.TokenRequest.Scope);

    // Bound the untrusted parameter before it is parsed; only this failure is logged.
    if (rawScopes.IsMissingOrTooLong(Constants.MaxScopeLength))
    {
        Logger.Warn("Scopes missing or too long");
        return false;
    }

    var parsedScopes = ScopeValidator.ParseScopesString(rawScopes);
    if (parsedScopes == null)
    {
        return false;
    }

    // Client restriction first, then per-scope validity (a disabled scope fails the second check).
    var allowedForClient = _scopeValidator.AreScopesAllowed(_validatedRequest.Client, parsedScopes);
    if (!allowedForClient)
    {
        return false;
    }

    var scopesValid = await _scopeValidator.AreScopesValidAsync(parsedScopes);
    if (!scopesValid)
    {
        return false;
    }

    _validatedRequest.Scopes = parsedScopes;
    _validatedRequest.ValidatedScopes = _scopeValidator;
    return true;
}
/// <summary>
/// Test factory: builds a <see cref="TokenRequestValidator"/>, substituting an
/// in-memory test double for every dependency the caller leaves <c>null</c>.
/// </summary>
/// <param name="options">Server options; defaults to <see cref="TestIdentityServerOptions.Create"/>.</param>
/// <param name="scopes">Scope store; defaults to an in-memory store filled from <see cref="TestScopes.Get"/>.</param>
/// <param name="authorizationCodeStore">Passed through unchanged, including <c>null</c>.</param>
/// <param name="refreshTokens">Refresh token store; defaults to <see cref="InMemoryRefreshTokenStore"/>.</param>
/// <param name="userService">User service; defaults to <see cref="TestUserService"/>.</param>
/// <param name="customGrantValidator">Defaults to <see cref="TestGrantValidator"/>.</param>
/// <param name="customRequestValidator">Defaults to <see cref="DefaultCustomRequestValidator"/>.</param>
/// <param name="scopeValidator">Defaults to a <see cref="ScopeValidator"/> over the (possibly defaulted) scope store.</param>
/// <param name="environment">OWIN environment dictionary; an empty one is used when <c>null</c>.</param>
/// <returns>A fully wired validator.</returns>
public static TokenRequestValidator CreateTokenRequestValidator(
    IdentityServerOptions options = null,
    IScopeStore scopes = null,
    IAuthorizationCodeStore authorizationCodeStore = null,
    IRefreshTokenStore refreshTokens = null,
    IUserService userService = null,
    ICustomGrantValidator customGrantValidator = null,
    ICustomRequestValidator customRequestValidator = null,
    ScopeValidator scopeValidator = null,
    IDictionary<string, object> environment = null)
{
    options = options ?? TestIdentityServerOptions.Create();
    scopes = scopes ?? new InMemoryScopeStore(TestScopes.Get());
    userService = userService ?? new TestUserService();
    customRequestValidator = customRequestValidator ?? new DefaultCustomRequestValidator();
    customGrantValidator = customGrantValidator ?? new TestGrantValidator();
    refreshTokens = refreshTokens ?? new InMemoryRefreshTokenStore();

    // Must come after the scope store has been defaulted.
    scopeValidator = scopeValidator ?? new ScopeValidator(scopes);

    var owinEnvironment = environment ?? new Dictionary<string, object>();
    var context = new OwinContext(owinEnvironment);

    return new TokenRequestValidator(
        options,
        authorizationCodeStore,
        refreshTokens,
        userService,
        scopes,
        customGrantValidator,
        customRequestValidator,
        scopeValidator,
        context);
}
/// <summary>
/// Creates an authorize request validator with its collaborators.
/// Dependencies are stored as given; no null checks are performed here.
/// </summary>
/// <param name="options">Server options.</param>
/// <param name="clients">Client store used to look up the requesting client.</param>
/// <param name="customValidator">Application-supplied extra validation.</param>
/// <param name="uriValidator">Validator for the <c>redirect_uri</c> parameter.</param>
/// <param name="scopeValidator">Validator for requested scopes.</param>
/// <param name="sessionCookie">Session cookie accessor.</param>
public AuthorizeRequestValidator(
    IdentityServerOptions options,
    IClientStore clients,
    ICustomRequestValidator customValidator,
    IRedirectUriValidator uriValidator,
    ScopeValidator scopeValidator,
    SessionCookie sessionCookie)
{
    _sessionCookie = sessionCookie;
    _scopeValidator = scopeValidator;
    _uriValidator = uriValidator;
    _customValidator = customValidator;
    _clients = clients;
    _options = options;
}
/// <summary>
/// Test factory: builds a <see cref="TokenRequestValidator"/>, substituting an
/// in-memory test double for every dependency the caller leaves <c>null</c>,
/// and a <see cref="DefaultEventService"/> for events.
/// </summary>
/// <param name="options">Server options; defaults to <see cref="TestIdentityServerOptions.Create"/>.</param>
/// <param name="scopes">Scope store; defaults to an in-memory store filled from <see cref="TestScopes.Get"/>.</param>
/// <param name="authorizationCodeStore">Passed through unchanged, including <c>null</c>.</param>
/// <param name="refreshTokens">Refresh token store; defaults to <see cref="InMemoryRefreshTokenStore"/>.</param>
/// <param name="userService">User service; defaults to <see cref="TestUserService"/>.</param>
/// <param name="customGrantValidator">Defaults to <see cref="TestGrantValidator"/>.</param>
/// <param name="customRequestValidator">Defaults to <see cref="DefaultCustomRequestValidator"/>.</param>
/// <param name="scopeValidator">Defaults to a <see cref="ScopeValidator"/> over the (possibly defaulted) scope store.</param>
/// <returns>A fully wired validator.</returns>
public static TokenRequestValidator CreateTokenRequestValidator(
    IdentityServerOptions options = null,
    IScopeStore scopes = null,
    IAuthorizationCodeStore authorizationCodeStore = null,
    IRefreshTokenStore refreshTokens = null,
    IUserService userService = null,
    ICustomGrantValidator customGrantValidator = null,
    ICustomRequestValidator customRequestValidator = null,
    ScopeValidator scopeValidator = null)
{
    options = options ?? TestIdentityServerOptions.Create();
    scopes = scopes ?? new InMemoryScopeStore(TestScopes.Get());
    userService = userService ?? new TestUserService();
    customRequestValidator = customRequestValidator ?? new DefaultCustomRequestValidator();
    customGrantValidator = customGrantValidator ?? new TestGrantValidator();
    refreshTokens = refreshTokens ?? new InMemoryRefreshTokenStore();

    // Must come after the scope store has been defaulted.
    scopeValidator = scopeValidator ?? new ScopeValidator(scopes);

    var events = new DefaultEventService();

    return new TokenRequestValidator(
        options,
        authorizationCodeStore,
        refreshTokens,
        userService,
        customGrantValidator,
        customRequestValidator,
        scopeValidator,
        events);
}
/// <summary>
/// Creates a token request validator with its collaborators.
/// Dependencies are stored as given; no null checks are performed here
/// (the test factory on this page deliberately passes a <c>null</c> code store).
/// </summary>
/// <param name="options">Server options.</param>
/// <param name="authorizationCodes">Authorization code store.</param>
/// <param name="refreshTokens">Refresh token store.</param>
/// <param name="users">User service.</param>
/// <param name="customGrantValidator">Validator for custom grant types.</param>
/// <param name="customRequestValidator">Application-supplied extra validation.</param>
/// <param name="scopeValidator">Validator for requested scopes.</param>
/// <param name="events">Event sink.</param>
public TokenRequestValidator(
    IdentityServerOptions options,
    IAuthorizationCodeStore authorizationCodes,
    IRefreshTokenStore refreshTokens,
    IUserService users,
    ICustomGrantValidator customGrantValidator,
    ICustomRequestValidator customRequestValidator,
    ScopeValidator scopeValidator,
    IEventService events)
{
    _events = events;
    _scopeValidator = scopeValidator;
    _customRequestValidator = customRequestValidator;
    _customGrantValidator = customGrantValidator;
    _users = users;
    _refreshTokens = refreshTokens;
    _authorizationCodes = authorizationCodes;
    _options = options;
}
/// <summary>
/// Creates a token request validator with its collaborators, capturing the OWIN
/// environment dictionary from <paramref name="context"/>.
/// Dependencies are stored as given; no null checks are performed here.
/// </summary>
/// <param name="options">Server options.</param>
/// <param name="authorizationCodes">Authorization code store.</param>
/// <param name="refreshTokens">Refresh token store.</param>
/// <param name="users">User service.</param>
/// <param name="scopes">Scope store.</param>
/// <param name="customGrantValidator">Validator for custom grant types.</param>
/// <param name="customRequestValidator">Application-supplied extra validation.</param>
/// <param name="scopeValidator">Validator for requested scopes.</param>
/// <param name="context">OWIN context; only its <c>Environment</c> is retained.</param>
public TokenRequestValidator(
    IdentityServerOptions options,
    IAuthorizationCodeStore authorizationCodes,
    IRefreshTokenStore refreshTokens,
    IUserService users,
    IScopeStore scopes,
    ICustomGrantValidator customGrantValidator,
    ICustomRequestValidator customRequestValidator,
    ScopeValidator scopeValidator,
    IOwinContext context)
{
    // Hold on to the environment dictionary rather than the context object.
    var owinEnvironment = context.Environment;

    _environment = owinEnvironment;
    _scopeValidator = scopeValidator;
    _customRequestValidator = customRequestValidator;
    _customGrantValidator = customGrantValidator;
    _scopes = scopes;
    _users = users;
    _refreshTokens = refreshTokens;
    _authorizationCodes = authorizationCodes;
    _options = options;
}
/// <summary>
/// Creates an authorize request validator with its collaborators and seeds the
/// <see cref="ValidatedAuthorizeRequest"/> with the options and the OWIN environment.
/// Dependencies are stored as given; no null checks are performed here.
/// </summary>
/// <param name="options">Server options.</param>
/// <param name="clients">Client store used to look up the requesting client.</param>
/// <param name="customValidator">Application-supplied extra validation.</param>
/// <param name="uriValidator">Validator for the <c>redirect_uri</c> parameter.</param>
/// <param name="scopeValidator">Validator for requested scopes.</param>
/// <param name="context">OWIN context; only its <c>Environment</c> is retained.</param>
public AuthorizeRequestValidator(
    IdentityServerOptions options,
    IClientStore clients,
    ICustomRequestValidator customValidator,
    IRedirectUriValidator uriValidator,
    ScopeValidator scopeValidator,
    IOwinContext context)
{
    _options = options;

    // The request object is created up front so later validation steps can fill it in.
    var request = new ValidatedAuthorizeRequest();
    request.Options = _options;
    request.Environment = context.Environment;
    _validatedRequest = request;

    _scopeValidator = scopeValidator;
    _uriValidator = uriValidator;
    _customValidator = customValidator;
    _clients = clients;
}
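/// <summary>
/// Reads the <c>scope</c> parameter of the token request, checks it against the
/// client's scope restrictions and the scope store, and records the outcome on
/// the validated request.
/// </summary>
/// <param name="parameters">Raw form parameters of the token request.</param>
/// <returns>
/// <c>true</c> when the scope value is present, within <see cref="Constants.MaxScopeLength"/>,
/// parseable, allowed for the client and valid; otherwise <c>false</c>.
/// </returns>
private async Task<bool> ValidateRequestedScopesAsync(NameValueCollection parameters)
{
    var scopes = parameters.Get(Constants.TokenRequest.Scope);

    // Reject a missing or oversized value before parsing it (same guard the
    // sibling implementation on this page applies), and log so a rejected
    // request leaves a trace.
    if (scopes.IsMissingOrTooLong(Constants.MaxScopeLength))
    {
        Logger.Warn("Scopes missing or too long");
        return false;
    }

    var requestedScopes = ScopeValidator.ParseScopesString(scopes);
    if (requestedScopes == null)
    {
        Logger.Warn("Scopes could not be parsed");
        return false;
    }

    // Client restriction first, then per-scope validity against the store.
    if (!_scopeValidator.AreScopesAllowed(_validatedRequest.Client, requestedScopes))
    {
        Logger.Warn("Requested scopes are not allowed for client");
        return false;
    }

    if (!await _scopeValidator.AreScopesValidAsync(requestedScopes))
    {
        Logger.Warn("Requested scopes are not valid");
        return false;
    }

    _validatedRequest.Scopes = requestedScopes;
    _validatedRequest.ValidatedScopes = _scopeValidator;
    return true;
}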
/// <summary>
/// A scope list that includes the <c>disabled</c> scope must fail validity checking.
/// </summary>
public async Task Disabled_Scope()
{
    var sut = new ScopeValidator(_store);
    var parsed = ScopeValidator.ParseScopesString("openid email resource1 resource2 disabled");

    var isValid = await sut.AreScopesValidAsync(parsed);

    isValid.Should().BeFalse();
}
/// <summary>
/// Test factory: builds an <see cref="AuthorizeRequestValidator"/>, substituting an
/// in-memory test double for every dependency the caller leaves <c>null</c>.
/// </summary>
/// <param name="options">Server options; defaults to <see cref="TestIdentityServerOptions.Create"/>.</param>
/// <param name="scopes">Scope store; defaults to an in-memory store filled from <see cref="TestScopes.Get"/>.</param>
/// <param name="clients">Client store; defaults to an in-memory store filled from <see cref="TestClients.Get"/>.</param>
/// <param name="users">Accepted but not used by this factory.</param>
/// <param name="customValidator">Defaults to <see cref="DefaultCustomRequestValidator"/>.</param>
/// <param name="uriValidator">Defaults to <see cref="DefaultRedirectUriValidator"/>.</param>
/// <param name="scopeValidator">Defaults to a <see cref="ScopeValidator"/> over the (possibly defaulted) scope store.</param>
/// <param name="environment">OWIN environment dictionary; an empty one is used when <c>null</c>.</param>
/// <returns>A fully wired validator.</returns>
public static AuthorizeRequestValidator CreateAuthorizeRequestValidator(
    IdentityServerOptions options = null,
    IScopeStore scopes = null,
    IClientStore clients = null,
    IUserService users = null,
    ICustomRequestValidator customValidator = null,
    IRedirectUriValidator uriValidator = null,
    ScopeValidator scopeValidator = null,
    IDictionary<string, object> environment = null)
{
    options = options ?? TestIdentityServerOptions.Create();
    scopes = scopes ?? new InMemoryScopeStore(TestScopes.Get());
    clients = clients ?? new InMemoryClientStore(TestClients.Get());
    customValidator = customValidator ?? new DefaultCustomRequestValidator();
    uriValidator = uriValidator ?? new DefaultRedirectUriValidator();

    // Must come after the scope store has been defaulted.
    scopeValidator = scopeValidator ?? new ScopeValidator(scopes);

    var owinEnvironment = environment ?? new Dictionary<string, object>();
    var context = new OwinContext(owinEnvironment);

    return new AuthorizeRequestValidator(
        options,
        clients,
        customValidator,
        uriValidator,
        scopeValidator,
        context);
}
/// <summary>
/// Test factory: builds an <see cref="AuthorizeRequestValidator"/>, substituting an
/// in-memory test double for every dependency the caller leaves <c>null</c>, and a
/// mocked <see cref="SessionCookie"/> whose <c>GetSessionId()</c> returns <c>null</c>.
/// </summary>
/// <param name="options">Server options; defaults to <see cref="TestIdentityServerOptions.Create"/>.</param>
/// <param name="scopes">Scope store; defaults to an in-memory store filled from <see cref="TestScopes.Get"/>.</param>
/// <param name="clients">Client store; defaults to an in-memory store filled from <see cref="TestClients.Get"/>.</param>
/// <param name="users">Accepted but not used by this factory.</param>
/// <param name="customValidator">Defaults to <see cref="DefaultCustomRequestValidator"/>.</param>
/// <param name="uriValidator">Defaults to <see cref="DefaultRedirectUriValidator"/>.</param>
/// <param name="scopeValidator">Defaults to a <see cref="ScopeValidator"/> over the (possibly defaulted) scope store.</param>
/// <param name="environment">Accepted but not used by this factory.</param>
/// <returns>A fully wired validator.</returns>
public static AuthorizeRequestValidator CreateAuthorizeRequestValidator(
    IdentityServerOptions options = null,
    IScopeStore scopes = null,
    IClientStore clients = null,
    IUserService users = null,
    ICustomRequestValidator customValidator = null,
    IRedirectUriValidator uriValidator = null,
    ScopeValidator scopeValidator = null,
    IDictionary<string, object> environment = null)
{
    options = options ?? TestIdentityServerOptions.Create();
    scopes = scopes ?? new InMemoryScopeStore(TestScopes.Get());
    clients = clients ?? new InMemoryClientStore(TestClients.Get());
    customValidator = customValidator ?? new DefaultCustomRequestValidator();
    uriValidator = uriValidator ?? new DefaultRedirectUriValidator();

    // Must come after the scope store has been defaulted.
    scopeValidator = scopeValidator ?? new ScopeValidator(scopes);

    // The real SessionCookie needs an OWIN context; stub it out entirely and
    // make it report "no session".
    var sessionCookieMock = new Mock<SessionCookie>((IOwinContext)null, (IdentityServerOptions)null)
    {
        CallBase = false
    };
    sessionCookieMock.Setup(x => x.GetSessionId()).Returns((string)null);

    return new AuthorizeRequestValidator(
        options,
        clients,
        customValidator,
        uriValidator,
        scopeValidator,
        sessionCookieMock.Object);
}
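/// <summary>
/// Validates the client-dependent parts of an authorize request: client lookup,
/// <c>redirect_uri</c> registration, flow, scopes and response type, followed by
/// the application's custom validation. Requires <c>ClientId</c> to have been set
/// by protocol validation.
/// </summary>
/// <returns>
/// The custom validator's result on success, or an <c>Invalid(...)</c> result
/// naming the first failed check.
/// </returns>
/// <exception cref="InvalidOperationException">
/// Thrown when <c>ClientId</c> is missing, i.e. protocol validation did not run first.
/// </exception>
public async Task<ValidationResult> ValidateClientAsync()
{
    Logger.Info("Start client validation");

    if (_validatedRequest.ClientId.IsMissing())
    {
        throw new InvalidOperationException("ClientId is empty. Validate protocol first.");
    }

    //////////////////////////////////////////////////////////
    // check for valid client
    //////////////////////////////////////////////////////////
    var client = await _clients.FindClientByIdAsync(_validatedRequest.ClientId);
    if (client == null || client.Enabled == false)
    {
        Logger.ErrorFormat("Unknown client or not enabled: {0}", _validatedRequest.ClientId);
        return Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient);
    }

    Logger.InfoFormat("Client found in registry: {0} / {1}", client.ClientId, client.ClientName);
    _validatedRequest.Client = client;

    //////////////////////////////////////////////////////////
    // check if redirect_uri is valid
    //////////////////////////////////////////////////////////
    // Exact match against the registered list; no prefix or wildcard matching,
    // so an attacker-chosen redirect target cannot receive the response.
    if (!_validatedRequest.Client.RedirectUris.Contains(_validatedRequest.RedirectUri))
    {
        Logger.ErrorFormat("Invalid redirect_uri: {0}", _validatedRequest.RedirectUri);
        return Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient);
    }

    //////////////////////////////////////////////////////////
    // check if flow is allowed for client
    //////////////////////////////////////////////////////////
    if (_validatedRequest.Flow != _validatedRequest.Client.Flow)
    {
        Logger.ErrorFormat("Invalid flow for client: {0}", _validatedRequest.Flow);
        return Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient);
    }

    var scopeValidator = new ScopeValidator();

    //////////////////////////////////////////////////////////
    // check if scopes are valid/supported and check for resource scopes
    //////////////////////////////////////////////////////////
    if (!scopeValidator.AreScopesValid(_validatedRequest.RequestedScopes, await _scopes.GetScopesAsync()))
    {
        return Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope);
    }

    if (scopeValidator.ContainsOpenIdScopes && !_validatedRequest.IsOpenIdRequest)
    {
        Logger.Error("Identity related scope requests, but no openid scope");
        return Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope);
    }

    if (scopeValidator.ContainsResourceScopes)
    {
        _validatedRequest.IsResourceRequest = true;
    }

    //////////////////////////////////////////////////////////
    // check scopes and scope restrictions
    //////////////////////////////////////////////////////////
    if (!scopeValidator.AreScopesAllowed(_validatedRequest.Client, _validatedRequest.RequestedScopes))
    {
        return Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient);
    }

    _validatedRequest.ValidatedScopes = scopeValidator;

    //////////////////////////////////////////////////////////
    // check id vs resource scopes and response types plausability
    //////////////////////////////////////////////////////////
    if (!scopeValidator.IsResponseTypeValid(_validatedRequest.ResponseType))
    {
        return Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope);
    }

    var customResult = await _customValidator.ValidateAuthorizeRequestAsync(_validatedRequest);
    if (customResult.IsError)
    {
        // Return immediately so "Client validation successful" is not logged
        // for a request the custom validator has just rejected.
        Logger.Error("Error in custom validation: " + customResult.Error);
        return customResult;
    }

    Logger.Info("Client validation successful");
    return customResult;
}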
/// <summary>
/// <c>openid email</c> is valid and is reported as identity-only: openid scopes
/// present, no resource scopes.
/// </summary>
public async Task Contains_Identity_Scopes_Only()
{
    var sut = new ScopeValidator(_store);
    var parsed = ScopeValidator.ParseScopesString("openid email");

    var isValid = await sut.AreScopesValidAsync(parsed);

    isValid.Should().BeTrue();
    sut.ContainsResourceScopes.Should().BeFalse();
    sut.ContainsOpenIdScopes.Should().BeTrue();
}
/// <summary>
/// A client with a scope restriction must not be allowed the full
/// <c>openid email resource1 resource2</c> set.
/// </summary>
public void Restricted_Scopes()
{
    var sut = new ScopeValidator(_store);
    var parsed = ScopeValidator.ParseScopesString("openid email resource1 resource2");

    var isAllowed = sut.AreScopesAllowed(_restrictedClient, parsed);

    isAllowed.Should().BeFalse();
}
/// <summary>
/// The restricted client may request <c>openid resource1</c>.
/// </summary>
public void All_Scopes_Allowed_For_Restricted_Client()
{
    var sut = new ScopeValidator(_store);
    var parsed = ScopeValidator.ParseScopesString("openid resource1");

    var isAllowed = sut.AreScopesAllowed(_restrictedClient, parsed);

    isAllowed.Should().BeTrue();
}
/// <summary>
/// <c>openid email resource1 resource2</c> are all known, enabled scopes in the test store.
/// </summary>
public async Task All_Scopes_Valid()
{
    var sut = new ScopeValidator(_store);
    var parsed = ScopeValidator.ParseScopesString("openid email resource1 resource2");

    var isValid = await sut.AreScopesValidAsync(parsed);

    isValid.Should().BeTrue();
}