public async Task FailsToCreateAuthorizationRequest_RedirectUris_IsNotValid()
{
// Arrange
var parameters =
new Dictionary <string, string[]>
{
[OpenIdConnectParameterNames.State] = new[] { "state" },
[OpenIdConnectParameterNames.ClientId] = new[] { "a" },
[OpenIdConnectParameterNames.RedirectUri] = new[] { "http://www.example.com/callback" }
};
var expectedError = new AuthorizationRequestError(ProtocolErrorProvider.InvalidRedirectUri("http://www.example.com/callback"), null, null);
expectedError.Message.State = "state";
var factory = CreateAuthorizationRequestFactory(validRedirectUri: false);
// Act
var result = await factory.CreateAuthorizationRequestAsync(parameters);
// Assert
Assert.False(result.IsValid);
Assert.Equal(expectedError, result.Error, IdentityServiceErrorComparer.Instance);
Assert.Null(result.Error.RedirectUri);
Assert.Null(result.Error.ResponseMode);
}
public async Task <RedirectUriResolutionResult> ResolveRedirectUriAsync(string clientId, string redirectUrl)
{
if (clientId == null)
{
throw new ArgumentNullException(nameof(clientId));
}
var app = await _applicationManager.FindByClientIdAsync(clientId);
if (app == null)
{
return(RedirectUriResolutionResult.Invalid(_errorProvider.InvalidClientId(clientId)));
}
var redirectUris = await _applicationManager.FindRegisteredUrisAsync(app);
if (redirectUrl == null && redirectUris.Count() == 1)
{
return(RedirectUriResolutionResult.Valid(redirectUris.Single()));
}
foreach (var uri in redirectUris)
{
if (string.Equals(uri, redirectUrl, StringComparison.Ordinal))
{
return(RedirectUriResolutionResult.Valid(redirectUrl));
}
}
return(RedirectUriResolutionResult.Invalid(_errorProvider.InvalidRedirectUri(redirectUrl)));
}
private async Task <OpenIdConnectMessage> ValidateAuthorizationCode(
IDictionary <string, string[]> requestParameters,
string clientId,
AuthorizationGrant consentGrant)
{
if (!(consentGrant.Token is AuthorizationCode code))
{
throw new InvalidOperationException("Granted token must be an authorization code.");
}
var(redirectUri, redirectUriError) = RequestParametersHelper.ValidateOptionalParameterIsUnique(requestParameters, OpenIdConnectParameterNames.RedirectUri, _errorProvider);
if (redirectUriError != null)
{
return(redirectUriError);
}
var tokenRedirectUri = code.RedirectUri;
if (redirectUri == null && tokenRedirectUri != null)
{
return(_errorProvider.MissingRequiredParameter(OpenIdConnectParameterNames.RedirectUri));
}
if (!string.Equals(redirectUri, tokenRedirectUri, StringComparison.Ordinal))
{
return(_errorProvider.MismatchedRedirectUrl(redirectUri));
}
var resolution = await _redirectUriValidator.ResolveRedirectUriAsync(clientId, redirectUri);
if (!resolution.IsValid)
{
return(_errorProvider.InvalidRedirectUri(redirectUri));
}
if (code.CodeChallenge != null)
{
if (!ProofOfKeyForCodeExchangeChallengeMethods.SHA256.Equals(code.CodeChallengeMethod, StringComparison.Ordinal))
{
throw new InvalidOperationException("Unsupported code challenge method.");
}
var(verifier, verifierError) = RequestParametersHelper.ValidateParameterIsUnique(requestParameters, ProofOfKeyForCodeExchangeParameterNames.CodeVerifier, _errorProvider);
if (verifierError != null)
{
return(verifierError);
}
// code-verifier = [a-zA-Z0-9\-._~]{43,128}
if (verifier.Length < 43 || verifier.Length > 128)
{
return(_errorProvider.InvalidCodeVerifier());
}
for (var i = 0; i < verifier.Length; i++)
{
if (verifier[i] > 127 || !ValidCodeVerifierCharacters[verifier[i]])
{
return(_errorProvider.InvalidCodeVerifier());
}
}
if (!string.Equals(code.CodeChallenge, GetComputedChallenge(verifier), StringComparison.Ordinal))
{
return(_errorProvider.InvalidCodeVerifier());
}
}
return(null);
}
