Exemplo n.º 1
0
        public async Task ValidateAsync(CustomAuthorizeRequestValidationContext context)
        {
            _logger.LogInformation("Start token request validator");
            var validatedRequest = context.Result.ValidatedRequest;

            if (validatedRequest.Client.ClientId.Contains("SPA", StringComparison.OrdinalIgnoreCase))
            {
                _logger.LogInformation("ClientId is SPA, no further validation required");
                return;
            }
            var          parameters            = context.Result.ValidatedRequest.Raw;
            const string requestParam          = "request";
            var          requestFromParameters = parameters.Get("request");

            if (string.IsNullOrWhiteSpace(requestFromParameters))
            {
                _logger.LogError($"{requestParam} is missing from the request parameters.");
                context.Result.IsError = true;
                context.Result.Error   = OidcConstants.TokenErrors.InvalidRequest;
                return;
            }
            var requestValidationResult = await _assertionManager.ValidateAsync(requestFromParameters);

            if (!requestValidationResult.Success)
            {
                context.Result.IsError = true;
                context.Result.Error   = OidcConstants.TokenErrors.InvalidClient;
            }
            var jwt = _assertionManager.Parse(requestFromParameters);

            _logger.LogInformation("TokenRequestValidator is valid for {client}", validatedRequest.Client.ClientId);
        }
Exemplo n.º 2
0
        public async Task <SecretValidationResult> ValidateAsync(IEnumerable <Secret> secrets, ParsedSecret parsedSecret)
        {
            var assertion = _assertionManager.Parse(parsedSecret.Credential as string);

            var result = await _assertionManager.ValidateAsync(assertion);

            if (!result.Success)
            {
                return(result);
            }

            var validity = await _certificateTypeValidationService.Validate(assertion.Certificates, parsedSecret.Id);

            return(new SecretValidationResult {
                Success = validity
            });
        }
        public async Task <IdentityResult> Validate(DelegationMask mask)
        {
            try
            {
                if (mask.PreviousSteps != null)
                {
                    foreach (var step in mask.PreviousSteps)
                    {
                        var assertion = _assertionParser.Parse(step);
                        var result    = await _assertionParser.ValidateAsync(assertion);

                        if (!result.Success || !_defaultJwtValidator.IsValid(step,
                                                                             mask.DelegationRequest.Target.AccessSubject,      // client id should be access subject
                                                                             _context.HttpContext.User.GetRequestingClientId() // audience should be the requester id
                                                                             ))
                        {
                            return(IdentityResult.Failed(new IdentityError {
                                Code = "previous_steps_validation_error"
                            }));
                        }
                        if (mask.DelegationRequest.Target.AccessSubject != assertion.JwtToken.Issuer)
                        {
                            return(IdentityResult.Failed(new IdentityError {
                                Code = "invalid_delegation_assertion_pair"
                            }));
                        }
                    }
                }

                return(IdentityResult.Success);
            }
            catch (Exception ex)
            {
                _logger.LogWarning(ex, "Exception while authorizing previous steps");
                return(IdentityResult.Failed(new IdentityError {
                    Code = "previous_steps_validation_error", Description = ex.Message
                }));
            }
        }
Exemplo n.º 4
0
        public List <SecurityKey> ExtractSecurityKeys(string jwtTokenString)
        {
            var assertion = _assertionManager.Parse(jwtTokenString);

            var trustedKeys = new List <SecurityKey>();

            try
            {
                trustedKeys = GetTrustedKeys(assertion);
            }
            catch (Exception e)
            {
                _logger.LogError(e, "Could not parse assertion as JWT token");
            }

            if (!trustedKeys.Any())
            {
                _logger.LogError("There are no certificates available to validate client assertion.");
            }

            return(trustedKeys);
        }
Exemplo n.º 5
0
        public async Task <SecretValidationResult> ValidateAsync(IEnumerable <Secret> secrets, ParsedSecret parsedSecret)
        {
            var assertion = _assertionManager.Parse(parsedSecret.Credential as string);

            var result = await _assertionManager.ValidateAsync(assertion);

            if (!result.Success)
            {
                _logger.LogInformation("Service consumer validation failed for {issuer}.", assertion?.JwtToken?.Issuer ?? "[not present]");
                return(result);
            }

            _logger.LogInformation("Service consumer validation is valid. Continue with the {innerValidator}", _inner.Instance.GetType().Name);

            var allSecrets = secrets.ToList();

            allSecrets.AddRange(assertion.Certificates.Select(c => new Secret
            {
                Type  = IdentityServerConstants.SecretTypes.X509CertificateBase64,
                Value = c
            }));

            return(await _inner.Instance.ValidateAsync(allSecrets, parsedSecret));
        }