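/// <summary>
/// Validates an OpenID Connect end-session (logout) request on behalf of the currently
/// signed-in user.
/// </summary>
/// <param name="parameters">Raw request parameters; the values read are id_token_hint,
/// post_logout_redirect_uri and state (via <c>Constants.EndSessionRequest</c>).</param>
/// <param name="subject">The principal making the request; anonymous callers are rejected.</param>
/// <returns>
/// <c>Valid()</c> when the request is acceptable. <c>Invalid()</c> when the caller is anonymous,
/// the id_token_hint fails validation, the hint's sub claim does not match the logged-on user,
/// or a supplied post_logout_redirect_uri is not an absolute URI registered for the hinted client.
/// </returns>
/// <remarks>
/// Without an id_token_hint there is no client to check a redirect URI against, so
/// post_logout_redirect_uri and state are ignored in that case (the request is still Valid()).
/// </remarks>
public async Task<ValidationResult> ValidateAsync(NameValueCollection parameters, ClaimsPrincipal subject)
{
    _validatedRequest.Raw = parameters;
    _validatedRequest.Subject = subject;

    // Treat a principal with no identity as anonymous instead of dereferencing a null Identity.
    if (subject.Identity == null || !subject.Identity.IsAuthenticated)
    {
        return Invalid();
    }

    var idTokenHint = parameters.Get(Constants.EndSessionRequest.IdTokenHint);
    if (idTokenHint.IsPresent())
    {
        // Validate the id_token hint; the trailing `false` skips lifetime validation, since an
        // expired id_token is still acceptable as a logout hint.
        var tokenValidationResult = await _tokenValidator.ValidateIdentityTokenAsync(idTokenHint, null, false);
        if (tokenValidationResult.IsError)
        {
            return Invalid();
        }

        _validatedRequest.Client = tokenValidationResult.Client;

        // The hint must belong to the user who is actually logged on; otherwise a third party
        // could drive this logout (and its redirect) with someone else's token.
        var subClaim = tokenValidationResult.Claims.FirstOrDefault(c => c.Type == Constants.ClaimTypes.Subject);
        if (subClaim != null && subject.GetSubjectId() != subClaim.Value)
        {
            return Invalid();
        }
        // NOTE(review): a hint with no sub claim is accepted as-is, which skips the user-binding
        // check above. Confirm the token validator guarantees sub is present; if not, reject here.

        var redirectUri = parameters.Get(Constants.EndSessionRequest.PostLogoutRedirectUri);
        if (redirectUri.IsPresent())
        {
            // Fail closed: a redirect URI that is present but not an absolute URI is rejected
            // rather than silently dropped, consistent with how an unregistered URI is treated.
            Uri uri;
            if (!Uri.TryCreate(redirectUri, UriKind.Absolute, out uri))
            {
                return Invalid();
            }

            // Exact match against the client's registered list. System.Uri equality decides the
            // match; confirm it is strict enough for this deployment (presumably fragment and
            // user-info parts are not compared — verify).
            if (!_validatedRequest.Client.PostLogoutRedirectUris.Contains(uri))
            {
                return Invalid();
            }
            _validatedRequest.PostLogOutUri = uri;

            // state is only meaningful when it can be round-tripped on the redirect, so it is
            // only captured alongside a validated redirect URI.
            var state = parameters.Get(Constants.EndSessionRequest.State);
            if (state.IsPresent())
            {
                _validatedRequest.State = state;
            }
        }
    }

    return Valid();
}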
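/// <summary>
/// Validates an OpenID Connect end-session (logout) request on behalf of the currently
/// signed-in user, logging the outcome of each check.
/// </summary>
/// <param name="parameters">Raw request parameters; the values read are id_token_hint,
/// post_logout_redirect_uri and state (via <c>Constants.EndSessionRequest</c>).</param>
/// <param name="subject">The principal making the request; anonymous callers are rejected.</param>
/// <returns>
/// <c>Valid()</c> when the request is acceptable. <c>Invalid()</c> when the caller is anonymous,
/// the id_token_hint fails validation, the hint's sub claim does not match the logged-on user,
/// or a supplied post_logout_redirect_uri is rejected by the URI validator for the hinted client.
/// </returns>
/// <remarks>
/// Without an id_token_hint there is no client to check a redirect URI against, so
/// post_logout_redirect_uri and state are ignored in that case (the request is still Valid()).
/// </remarks>
public async Task<ValidationResult> ValidateAsync(NameValueCollection parameters, ClaimsPrincipal subject)
{
    Logger.Info("Start end session request validation");

    _validatedRequest.Raw = parameters;
    _validatedRequest.Subject = subject;

    // Treat a principal with no identity as anonymous instead of dereferencing a null Identity.
    if (subject.Identity == null || !subject.Identity.IsAuthenticated)
    {
        Logger.Warn("User is anonymous. Ignoring end session parameters");
        return Invalid();
    }

    var idTokenHint = parameters.Get(Constants.EndSessionRequest.IdTokenHint);
    if (idTokenHint.IsPresent())
    {
        // Validate the id_token hint; the trailing `false` skips lifetime validation, since an
        // expired id_token is still acceptable as a logout hint.
        var tokenValidationResult = await _tokenValidator.ValidateIdentityTokenAsync(idTokenHint, null, false);
        if (tokenValidationResult.IsError)
        {
            LogError("Error validating id token hint.");
            return Invalid();
        }

        _validatedRequest.Client = tokenValidationResult.Client;

        // The hint must belong to the user who is actually logged on; otherwise a third party
        // could drive this logout (and its redirect) with someone else's token.
        var subClaim = tokenValidationResult.Claims.FirstOrDefault(c => c.Type == Constants.ClaimTypes.Subject);
        if (subClaim != null && subject.GetSubjectId() != subClaim.Value)
        {
            LogError("Current user does not match identity token");
            return Invalid();
        }
        // NOTE(review): a hint with no sub claim is accepted as-is, which skips the user-binding
        // check above. Confirm the token validator guarantees sub is present; if not, reject here.

        var redirectUri = parameters.Get(Constants.EndSessionRequest.PostLogoutRedirectUri);
        if (redirectUri.IsPresent())
        {
            // Check the redirect target against the hinted client before recording it, so the
            // request object never carries an unvalidated, caller-supplied URI (including on
            // the Invalid() path).
            var uriIsValid = await _uriValidator.IsPostLogoutRedirectUriValidAsync(redirectUri, _validatedRequest.Client);
            if (uriIsValid == false)
            {
                LogError("Invalid post logout URI");
                return Invalid();
            }
            _validatedRequest.PostLogOutUri = redirectUri;

            // state is only meaningful when it can be round-tripped on the redirect, so it is
            // only captured alongside a validated redirect URI.
            var state = parameters.Get(Constants.EndSessionRequest.State);
            if (state.IsPresent())
            {
                _validatedRequest.State = state;
            }
        }
    }

    LogSuccess();
    return Valid();
}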