public async Task When_Client_Require_PKCE_And_NoCodeChallenge_Is_Passed_Then_Exception_Is_Thrown()
{
// ARRANGE
const string clientId = "clientId";
const string responseType = "id_token";
const string scope = "openid";
InitializeFakeObjects();
_authorizationCodeGrantTypeParameterAuthEdpValidatorFake.Setup(a => a.ValidateAsync(It.IsAny <AuthorizationParameter>()))
.Returns(Task.FromResult(new Core.Common.Models.Client
{
RequirePkce = true,
ClientId = clientId
}));
var authorizationParameter = new AuthorizationParameter
{
ClientId = clientId,
ResponseType = responseType,
Scope = scope,
};
// ACT & ASSERT
var result = await Assert.ThrowsAsync <IdentityServerExceptionWithState>(() => _authorizationActions.GetAuthorization(authorizationParameter, null, null));
Assert.True(result.Code == ErrorCodes.InvalidRequestCode);
Assert.True(result.Message == string.Format(ErrorDescriptions.TheClientRequiresPkce, clientId));
}
public async Task <Microsoft.AspNetCore.Mvc.ActionResult> Get()
{
var query = Request.Query;
if (query == null)
{
throw new IdentityServerException(
ErrorCodes.InvalidRequestCode,
ErrorDescriptions.RequestIsNotValid);
}
var serializer = new ParamSerializer();
var authorizationRequest = serializer.Deserialize <AuthorizationRequest>(query);
authorizationRequest = await ResolveAuthorizationRequest(authorizationRequest);
var authenticatedUser = await this.GetAuthenticatedUser(_authenticateOptions.CookieName);
var parameter = authorizationRequest.ToParameter();
var actionResult = await _authorizationActions.GetAuthorization(parameter, authenticatedUser);
if (actionResult.Type == TypeActionResult.RedirectToCallBackUrl)
{
var redirectUrl = new Uri(authorizationRequest.RedirectUri);
return(this.CreateRedirectHttpTokenResponse(redirectUrl,
_actionResultParser.GetRedirectionParameters(actionResult),
actionResult.RedirectInstruction.ResponseMode));
}
if (actionResult.Type == TypeActionResult.RedirectToAction)
{
if (actionResult.RedirectInstruction.Action == IdentityServerEndPoints.AuthenticateIndex ||
actionResult.RedirectInstruction.Action == IdentityServerEndPoints.ConsentIndex)
{
// Force the resource owner to be reauthenticated
if (actionResult.RedirectInstruction.Action == IdentityServerEndPoints.AuthenticateIndex)
{
authorizationRequest.Prompt = Enum.GetName(typeof(PromptParameter), PromptParameter.login);
}
// Set the process id into the request.
if (!string.IsNullOrWhiteSpace(actionResult.ProcessId))
{
authorizationRequest.ProcessId = actionResult.ProcessId;
}
// Add the encoded request into the query string
var encryptedRequest = _dataProtector.Protect(authorizationRequest);
actionResult.RedirectInstruction.AddParameter(Core.Constants.StandardAuthorizationResponseNames.AuthorizationCodeName,
encryptedRequest);
}
var url = GetRedirectionUrl(this.Request, actionResult.RedirectInstruction.Action);
var uri = new Uri(url);
var redirectionUrl = uri.AddParametersInQuery(_actionResultParser.GetRedirectionParameters(actionResult));
return(new RedirectResult(redirectionUrl.AbsoluteUri));
}
return(null);
}
public async Task <ActionResult> GetAuthorization([FromBody] PostAuthorization postAuthorization)
{
if (postAuthorization == null)
{
throw new ArgumentNullException(nameof(postAuthorization));
}
var parameter = postAuthorization.ToParameter();
var clientId = this.GetClientId();
var result = await _authorizationActions.GetAuthorization(parameter, clientId);
if (result.AuthorizationPolicyResult != AuthorizationPolicyResultEnum.Authorized)
{
return(GetErrorResponse(result.AuthorizationPolicyResult));
}
var content = new AuthorizationResponse
{
Rpt = result.Rpt
};
return(new OkObjectResult(content));
}
public async Task <IActionResult> Get()
{
var query = Request.Query;
if (query == null)
{
return(BuildError(ErrorCodes.InvalidRequestCode, "no parameter in body request", HttpStatusCode.BadRequest));
}
var originUrl = this.GetOriginUrl();
var sessionId = GetSessionId();
var serializer = new ParamSerializer();
var authorizationRequest = serializer.Deserialize <AuthorizationRequest>(query);
authorizationRequest = await ResolveAuthorizationRequest(authorizationRequest).ConfigureAwait(false);
authorizationRequest.OriginUrl = originUrl;
authorizationRequest.SessionId = sessionId;
var authenticatedUser = await _authenticationService.GetAuthenticatedUser(this, Constants.CookieNames.CookieName);
var parameter = authorizationRequest.ToParameter();
var issuerName = Request.GetAbsoluteUriWithVirtualPath();
string authenticatedSubject = null;
double?authInstant = null;
if (authenticatedUser != null)
{
authenticatedSubject = authenticatedUser.GetSubject();
var authInstantClaim = authenticatedUser.Claims.FirstOrDefault(c => c.Type == Core.Common.StandardClaimNames.AuthenticationTime || c.Type == ClaimTypes.AuthenticationInstant);
if (authInstantClaim != null)
{
authInstant = double.Parse(authInstantClaim.Value);
}
}
var actionResult = await _authorizationActions.GetAuthorization(parameter, issuerName, authenticatedSubject, authInstant);
if (actionResult.Type == TypeActionResult.RedirectToCallBackUrl)
{
var redirectUrl = new Uri(authorizationRequest.RedirectUri);
return(this.CreateRedirectHttpTokenResponse(redirectUrl,
_actionResultParser.GetRedirectionParameters(actionResult),
actionResult.RedirectInstruction.ResponseMode));
}
if (actionResult.Type == TypeActionResult.RedirectToAction)
{
if (actionResult.RedirectInstruction.Action == IdentityServerEndPoints.AuthenticateIndex ||
actionResult.RedirectInstruction.Action == IdentityServerEndPoints.ConsentIndex)
{
// Force the resource owner to be reauthenticated
if (actionResult.RedirectInstruction.Action == IdentityServerEndPoints.AuthenticateIndex)
{
authorizationRequest.Prompt = Enum.GetName(typeof(PromptParameter), PromptParameter.login);
}
// Set the process id into the request.
if (!string.IsNullOrWhiteSpace(actionResult.ProcessId))
{
authorizationRequest.ProcessId = actionResult.ProcessId;
}
// Add the encoded request into the query string
if (actionResult.AmrLst != null)
{
authorizationRequest.AmrValues = string.Join(" ", actionResult.AmrLst);
}
var encryptedRequest = _dataProtector.Protect(authorizationRequest);
actionResult.RedirectInstruction.AddParameter(Core.Constants.StandardAuthorizationResponseNames.AuthorizationCodeName, encryptedRequest);
}
var url = GetRedirectionUrl(Request, actionResult.AmrLst == null || !actionResult.AmrLst.Any() ? null : actionResult.AmrLst.First(), actionResult.RedirectInstruction.Action);
var uri = new Uri(url);
var redirectionUrl = uri.AddParametersInQuery(_actionResultParser.GetRedirectionParameters(actionResult));
return(new RedirectResult(redirectionUrl.AbsoluteUri));
}
return(null);
}
