        /// <summary>
        /// Validates an OAuth request object (a JWS, optionally wrapped in a JWE) and returns its
        /// header together with the verified payload.
        /// </summary>
        /// <param name="request">The raw request object: a JWS compact token, or a JWE that decrypts to one.</param>
        /// <param name="oauthClient">The client handed to <c>Unsign</c> for signature verification.</param>
        /// <param name="cancellationToken">Forwarded to the JWE decryption step only.</param>
        /// <param name="errorCode">The OAuth error code attached to every rejection; defaults to <c>ErrorCodes.INVALID_REQUEST_OBJECT</c>.</param>
        /// <returns>The verified payload and the JWS header it was carried in.</returns>
        /// <exception cref="OAuthException">
        /// Thrown when the input is neither a JWS nor a JWE, when JWE decryption yields an empty result,
        /// when the JWS header cannot be parsed, or when <c>Unsign</c> raises a <c>JwtException</c>
        /// (whose message is forwarded verbatim).
        /// </exception>
        public virtual async Task <RequestObjectValidatorResult> Validate(string request, BaseClient oauthClient, CancellationToken cancellationToken, string errorCode = ErrorCodes.INVALID_REQUEST_OBJECT)
        {
            var isEncrypted = _jwtParser.IsJweToken(request);

            if (!isEncrypted && !_jwtParser.IsJwsToken(request))
            {
                throw new OAuthException(errorCode, ErrorMessages.INVALID_REQUEST_PARAMETER);
            }

            var signedToken = request;

            if (isEncrypted)
            {
                // A JWE only wraps the JWS; unwrap it before any header or signature work.
                signedToken = await _jwtParser.Decrypt(signedToken, cancellationToken);

                if (string.IsNullOrWhiteSpace(signedToken))
                {
                    throw new OAuthException(errorCode, ErrorMessages.INVALID_JWE_REQUEST_PARAMETER);
                }
            }

            JwsHeader header;
            try
            {
                header = _jwtParser.ExtractJwsHeader(signedToken);
            }
            catch (InvalidOperationException)
            {
                throw new OAuthException(errorCode, ErrorMessages.INVALID_JWS_REQUEST_PARAMETER);
            }

            JwsPayload payload;
            try
            {
                // NOTE(review): no explicit check of header.Alg against the client's registered
                // request-object algorithm is done here; that policy is expected inside Unsign — confirm.
                payload = await _jwtParser.Unsign(signedToken, oauthClient, errorCode);
            }
            catch (JwtException ex)
            {
                throw new OAuthException(errorCode, ex.Message);
            }

            return new RequestObjectValidatorResult(payload, header);
        }
        /// <summary>
        /// Validates the <c>request</c> parameter of an authorization request (a signed, optionally
        /// encrypted request object) against the calling client and, on success, replaces the request
        /// data with the request object's claims.
        /// </summary>
        /// <param name="context">Handler context. <c>Client</c> must be an <c>OpenIdClient</c>; the cast on the first line throws otherwise.</param>
        /// <param name="request">The raw request object: a JWS, or a JWE wrapping one.</param>
        /// <returns>Always <c>true</c>; every failure is reported by throwing.</returns>
        /// <exception cref="OAuthException">
        /// With code <c>ErrorCodes.INVALID_REQUEST</c> when the token is malformed, cannot be decrypted or
        /// unsigned, its <c>alg</c> differs from the client's registered <c>RequestObjectSigningAlg</c>
        /// (or from <c>none</c> when the client registered no algorithm), or its <c>response_type</c> /
        /// <c>client_id</c> claims are missing or disagree with the outer request and the client.
        /// </exception>
        protected async Task <bool> CheckRequest(HandlerContext context, string request)
        {
            var openidClient = (OpenIdClient)context.Client;

            // Every rejection here carries the same error code; only the message differs.
            OAuthException Reject(string message) => new OAuthException(ErrorCodes.INVALID_REQUEST, message);

            var isEncrypted = _jwtParser.IsJweToken(request);

            if (!isEncrypted && !_jwtParser.IsJwsToken(request))
            {
                throw Reject(ErrorMessages.INVALID_REQUEST_PARAMETER);
            }

            var signedToken = request;

            if (isEncrypted)
            {
                signedToken = await _jwtParser.Decrypt(signedToken);

                if (string.IsNullOrWhiteSpace(signedToken))
                {
                    throw Reject(ErrorMessages.INVALID_JWE_REQUEST_PARAMETER);
                }
            }

            JwsHeader header;
            try
            {
                header = _jwtParser.ExtractJwsHeader(signedToken);
            }
            catch (InvalidOperationException)
            {
                throw Reject(ErrorMessages.INVALID_JWS_REQUEST_PARAMETER);
            }

            // The registered request_object_signing_alg pins the accepted alg. A client that registered
            // none is only accepted with an unsigned ("none") request object, never with an arbitrary alg.
            var expectedAlg = string.IsNullOrWhiteSpace(openidClient.RequestObjectSigningAlg)
                ? NoneSignHandler.ALG_NAME
                : openidClient.RequestObjectSigningAlg;

            if (header.Alg != expectedAlg)
            {
                throw Reject(ErrorMessages.INVALID_SIGNATURE_ALG);
            }

            var jwsPayload = await _jwtParser.Unsign(signedToken, context.Client);

            if (jwsPayload == null)
            {
                throw Reject(ErrorMessages.INVALID_JWS_REQUEST_PARAMETER);
            }

            var responseTypeKey = OAuth.DTOs.AuthorizationRequestParameters.ResponseType;
            var clientIdKey = OAuth.DTOs.AuthorizationRequestParameters.ClientId;

            if (!jwsPayload.ContainsKey(responseTypeKey))
            {
                throw Reject(ErrorMessages.MISSING_RESPONSE_TYPE_CLAIM);
            }

            if (!jwsPayload.ContainsKey(clientIdKey))
            {
                throw Reject(ErrorMessages.MISSING_CLIENT_ID_CLAIM);
            }

            // The claimed response types must match the outer request's set exactly (order-insensitive
            // on the claim side; the outer list is taken as returned).
            var claimedResponseTypes = jwsPayload[responseTypeKey].ToString().Split(' ').OrderBy(s => s);
            var requestedResponseTypes = context.Request.Data.GetResponseTypesFromAuthorizationRequest();

            if (!claimedResponseTypes.SequenceEqual(requestedResponseTypes))
            {
                throw Reject(ErrorMessages.INVALID_RESPONSE_TYPE_CLAIM);
            }

            // The request object must be bound to the authenticated client.
            if (jwsPayload[clientIdKey].ToString() != context.Client.ClientId)
            {
                throw Reject(ErrorMessages.INVALID_CLIENT_ID_CLAIM);
            }

            // The request data is replaced wholesale by the request object's claims.
            context.Request.SetData(JObject.FromObject(jwsPayload));
            return true;
        }
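        /// <summary>
        /// Verifies the optional <c>software_statement</c> of a client registration payload and, when it
        /// verifies, copies its claims over the registration metadata (statement claims win on conflict).
        /// </summary>
        /// <param name="jObj">The client registration payload; mutated in place when a valid statement is present.</param>
        /// <exception cref="OAuthException">
        /// With code <c>ErrorCodes.INVALID_SOFTWARE_STATEMENT</c> when the statement is not a JWS, its header
        /// or payload cannot be parsed, its <c>iss</c> is not a configured trusted party, the trusted party's
        /// JWKS has no key matching the statement's <c>kid</c>, or the signature does not verify.
        /// </exception>
        private async Task ExtractSoftwareStatement(JObject jObj)
        {
            var softwareStatement = jObj.GetSoftwareStatement();

            // The statement is optional; nothing to do when absent.
            if (string.IsNullOrWhiteSpace(softwareStatement))
            {
                return;
            }

            if (!_jwtParser.IsJwsToken(softwareStatement))
            {
                throw new OAuthException(ErrorCodes.INVALID_SOFTWARE_STATEMENT, ErrorMessages.BAD_JWS_SOFTWARE_STATEMENT);
            }

            // Parse without verifying first: the (still untrusted) iss claim is needed to pick the trusted
            // party whose published keys are then used to verify the signature.
            SimpleIdServer.Jwt.Jws.JwsPayload jwsPayload;
            SimpleIdServer.Jwt.Jws.JwsHeader  header;
            try
            {
                jwsPayload = _jwtParser.ExtractJwsPayload(softwareStatement);
                header     = _jwtParser.ExtractJwsHeader(softwareStatement);
            }
            catch (Exception)
            {
                // Any parser failure is reported as a malformed statement; no detail is leaked to the client.
                throw new OAuthException(ErrorCodes.INVALID_SOFTWARE_STATEMENT, ErrorMessages.BAD_JWS_SOFTWARE_STATEMENT);
            }

            if (jwsPayload == null)
            {
                throw new OAuthException(ErrorCodes.INVALID_SOFTWARE_STATEMENT, ErrorMessages.BAD_JWS_SOFTWARE_STATEMENT);
            }

            var issuer       = jwsPayload.GetIssuer();
            var trustedParty = OauthHostOptions.SoftwareStatementTrustedParties.FirstOrDefault(s => s.Iss == issuer);

            if (trustedParty == null)
            {
                throw new OAuthException(ErrorCodes.INVALID_SOFTWARE_STATEMENT, ErrorMessages.BAD_ISSUER_SOFTWARE_STATEMENT);
            }

            // Only the configured trusted party's JWKS is consulted; the statement itself cannot supply a key.
            string jwksJson;
            using (var httpClient = _httpClientFactory.GetHttpClient())
            {
                jwksJson = await httpClient.GetStringAsync(trustedParty.JwksUrl);
            }

            var keysToken = JObject.Parse(jwksJson)["keys"];

            // A JWKS document without a "keys" member cannot verify anything; fail as a signature failure
            // rather than dereferencing null.
            if (keysToken == null)
            {
                throw new OAuthException(ErrorCodes.INVALID_SOFTWARE_STATEMENT, ErrorMessages.BAD_SOFTWARE_STATEMENT_SIGNATURE);
            }

            var jsonWebKeys = JsonConvert.DeserializeObject <JArray>(keysToken.ToString()).Select(k => SimpleIdServer.Jwt.JsonWebKey.Deserialize(k.ToString()));
            var jsonWebKey  = jsonWebKeys.FirstOrDefault(j => j.Kid == header.Kid);

            // A kid that matches no published key means the signature cannot be checked; reject here
            // instead of handing Unsign a null key.
            // NOTE(review): the key is selected by kid only; whether Unsign also rejects alg "none" or an
            // alg/key-type mismatch is not visible here — confirm.
            if (jsonWebKey == null)
            {
                throw new OAuthException(ErrorCodes.INVALID_SOFTWARE_STATEMENT, ErrorMessages.BAD_SOFTWARE_STATEMENT_SIGNATURE);
            }

            jwsPayload = _jwtParser.Unsign(softwareStatement, jsonWebKey);
            if (jwsPayload == null)
            {
                throw new OAuthException(ErrorCodes.INVALID_SOFTWARE_STATEMENT, ErrorMessages.BAD_SOFTWARE_STATEMENT_SIGNATURE);
            }

            // Statement claims take precedence over the plain registration parameters (RFC 7591 §3.1.1), so
            // every claim of the verified payload — including iss and other JWT claims — overwrites the
            // same-named member of jObj.
            foreach (var kvp in jwsPayload)
            {
                if (jObj.ContainsKey(kvp.Key))
                {
                    jObj.Remove(kvp.Key);
                }

                jObj.Add(kvp.Key, JToken.FromObject(kvp.Value));
            }
        }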