Exemplo n.º 1
0
        public override async Task ValidateAuthorizationRequest(ValidateAuthorizationRequestContext context)
        {
            _vService = context.HttpContext.RequestServices.GetRequiredService <ValidationService>();
            if (!context.Request.IsAuthorizationCodeFlow() && !context.Request.IsImplicitFlow())
            {
                context.Reject(OpenIdConnectConstants.Errors.UnsupportedResponseType,
                               "Only authorization code, refresh token, and token grant types are accepted by this authorization server.");

                return;
            }

            var clientId = context.ClientId;
            var rdi      = context.Request.RedirectUri;
            var state    = context.Request.State;
            var scope    = context.Request.Scope;

            if (string.IsNullOrWhiteSpace(clientId))
            {
                context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "client_id cannot be empty");
                return;
            }

            if (string.IsNullOrWhiteSpace(rdi))
            {
                context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "redirect_uri cannot be empty");
                return;
            }

            if (!await _vService.CheckClientIdIsValid(clientId))
            {
                context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "The supplied client id does not exist");
                return;
            }

            if (!await _vService.CheckRedirectUriMatchesClientId(clientId, rdi))
            {
                context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "The supplied redirect uri is incorrect");
                return;
            }

            if (!_vService.CheckScopesAreValid(scope))
            {
                context.Reject(OpenIdConnectConstants.Errors.InvalidRequest, "One or all of the supplied scopes are invalid");
                return;
            }

            context.Validate();
        }
Exemplo n.º 2
0
        public override async Task ValidateTokenRequest(ValidateTokenRequestContext context)
        {
            _vService = context.HttpContext.RequestServices.GetRequiredService <ValidationService>();

            // We only accept "authorization_code", "refresh", "token" for this endpoint.
            if (!context.Request.IsAuthorizationCodeGrantType() &&
                !context.Request.IsRefreshTokenGrantType() &&
                !context.Request.IsClientCredentialsGrantType())
            {
                context.Reject(OpenIdConnectConstants.Errors.UnsupportedGrantType,
                               "Only authorization code, refresh token, and token grant types are accepted by this authorization server.");
            }

            var clientId     = context.ClientId;
            var clientSecret = context.ClientSecret;
            var redirectUri  = context.Request.RedirectUri;
            var codeVerifier = context.Request.CodeVerifier;

            // Validating the Authorization Code Token Request
            if (context.Request.IsAuthorizationCodeGrantType())
            {
                if (string.IsNullOrWhiteSpace(clientId))
                {
                    context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "client_id cannot be empty");
                    return;
                }

                if (string.IsNullOrWhiteSpace(clientSecret) && string.IsNullOrEmpty(codeVerifier))
                {
                    context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "client_secret cannot be empty");
                    return;
                }

                if (string.IsNullOrWhiteSpace(redirectUri))
                {
                    context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "redirect_uri cannot be empty");
                    return;
                }

                if (!await _vService.CheckClientIdIsValid(clientId))
                {
                    context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "The supplied client id was does not exist");
                    return;
                }

                if (string.IsNullOrEmpty(codeVerifier) && !await _vService.CheckClientIdAndSecretIsValid(clientId, clientSecret))
                {
                    context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "The supplied client secret is invalid");
                    return;
                }

                if (!await _vService.CheckRedirectUriMatchesClientId(clientId, redirectUri))
                {
                    context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "The supplied redirect uri is incorrect");
                    return;
                }

                context.Validate();
                return;
            }

            // Validating the Refresh Code Token Request
            if (context.Request.IsRefreshTokenGrantType())
            {
                clientId     = context.Request.ClientId;
                clientSecret = context.Request.ClientSecret;
                var refreshToken = context.Request.RefreshToken;
                if (string.IsNullOrWhiteSpace(clientId))
                {
                    context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "client_id cannot be empty");
                    return;
                }

                if (string.IsNullOrWhiteSpace(clientSecret))
                {
                    context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "client_secret cannot be empty");
                    return;
                }

                if (!await _vService.CheckClientIdIsValid(clientId))
                {
                    context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "The supplied client id does not exist");
                    return;
                }

                if (!await _vService.CheckClientIdAndSecretIsValid(clientId, clientSecret))
                {
                    context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "The supplied client secret is invalid");
                    return;
                }

                if (!await _vService.CheckRefreshTokenIsValid(refreshToken))
                {
                    context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "The supplied refresh token is invalid");
                    return;
                }

                context.Validate();
                return;
            }

            // Validating Client Credentials Request, aka, 'token'
            if (context.Request.IsClientCredentialsGrantType())
            {
                clientId     = context.ClientId;
                clientSecret = context.ClientSecret;
                if (string.IsNullOrWhiteSpace(clientId))
                {
                    context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "client_id cannot be empty");
                    return;
                }

                if (string.IsNullOrWhiteSpace(clientSecret))
                {
                    context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "client_secret cannot be empty");
                    return;
                }

                if (!await _vService.CheckClientIdIsValid(clientId))
                {
                    context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "The supplied client id does not exist");
                    return;
                }

                if (!await _vService.CheckClientIdAndSecretIsValid(clientId, clientSecret))
                {
                    context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "The supplied client secret is invalid");
                    return;
                }

                context.Validate();
                return;
            }

            context.Reject(OpenIdConnectConstants.Errors.ServerError, "Could not validate the token request");
        }