public async Task FailsToCreateAuthorizationRequest_RedirectUris_IsNotValid() { // Arrange var parameters = new Dictionary <string, string[]> { [OpenIdConnectParameterNames.State] = new[] { "state" }, [OpenIdConnectParameterNames.ClientId] = new[] { "a" }, [OpenIdConnectParameterNames.RedirectUri] = new[] { "http://www.example.com/callback" } }; var expectedError = new AuthorizationRequestError(ProtocolErrorProvider.InvalidRedirectUri("http://www.example.com/callback"), null, null); expectedError.Message.State = "state"; var factory = CreateAuthorizationRequestFactory(validRedirectUri: false); // Act var result = await factory.CreateAuthorizationRequestAsync(parameters); // Assert Assert.False(result.IsValid); Assert.Equal(expectedError, result.Error, IdentityServiceErrorComparer.Instance); Assert.Null(result.Error.RedirectUri); Assert.Null(result.Error.ResponseMode); }
public async Task <RedirectUriResolutionResult> ResolveRedirectUriAsync(string clientId, string redirectUrl) { if (clientId == null) { throw new ArgumentNullException(nameof(clientId)); } var app = await _applicationManager.FindByClientIdAsync(clientId); if (app == null) { return(RedirectUriResolutionResult.Invalid(_errorProvider.InvalidClientId(clientId))); } var redirectUris = await _applicationManager.FindRegisteredUrisAsync(app); if (redirectUrl == null && redirectUris.Count() == 1) { return(RedirectUriResolutionResult.Valid(redirectUris.Single())); } foreach (var uri in redirectUris) { if (string.Equals(uri, redirectUrl, StringComparison.Ordinal)) { return(RedirectUriResolutionResult.Valid(redirectUrl)); } } return(RedirectUriResolutionResult.Invalid(_errorProvider.InvalidRedirectUri(redirectUrl))); }
private async Task <OpenIdConnectMessage> ValidateAuthorizationCode( IDictionary <string, string[]> requestParameters, string clientId, AuthorizationGrant consentGrant) { if (!(consentGrant.Token is AuthorizationCode code)) { throw new InvalidOperationException("Granted token must be an authorization code."); } var(redirectUri, redirectUriError) = RequestParametersHelper.ValidateOptionalParameterIsUnique(requestParameters, OpenIdConnectParameterNames.RedirectUri, _errorProvider); if (redirectUriError != null) { return(redirectUriError); } var tokenRedirectUri = code.RedirectUri; if (redirectUri == null && tokenRedirectUri != null) { return(_errorProvider.MissingRequiredParameter(OpenIdConnectParameterNames.RedirectUri)); } if (!string.Equals(redirectUri, tokenRedirectUri, StringComparison.Ordinal)) { return(_errorProvider.MismatchedRedirectUrl(redirectUri)); } var resolution = await _redirectUriValidator.ResolveRedirectUriAsync(clientId, redirectUri); if (!resolution.IsValid) { return(_errorProvider.InvalidRedirectUri(redirectUri)); } if (code.CodeChallenge != null) { if (!ProofOfKeyForCodeExchangeChallengeMethods.SHA256.Equals(code.CodeChallengeMethod, StringComparison.Ordinal)) { throw new InvalidOperationException("Unsupported code challenge method."); } var(verifier, verifierError) = RequestParametersHelper.ValidateParameterIsUnique(requestParameters, ProofOfKeyForCodeExchangeParameterNames.CodeVerifier, _errorProvider); if (verifierError != null) { return(verifierError); } // code-verifier = [a-zA-Z0-9\-._~]{43,128} if (verifier.Length < 43 || verifier.Length > 128) { return(_errorProvider.InvalidCodeVerifier()); } for (var i = 0; i < verifier.Length; i++) { if (verifier[i] > 127 || !ValidCodeVerifierCharacters[verifier[i]]) { return(_errorProvider.InvalidCodeVerifier()); } } if (!string.Equals(code.CodeChallenge, GetComputedChallenge(verifier), StringComparison.Ordinal)) { return(_errorProvider.InvalidCodeVerifier()); } } return(null); }