public Task ValidateAsync(CustomTokenRequestValidationContext context)
{
context.Result.ValidatedRequest.Client.AlwaysSendClientClaims = true;
context.Result.ValidatedRequest.ClientClaims.Add(new Claim("Employee", "Mosalla"));
return(Task.FromResult(0));
}
public Task ValidateAsync(CustomTokenRequestValidationContext context)
{
var client = context.Result.ValidatedRequest.Client;
if (!client.AllowedGrantTypes.Contains(GrantType.ClientCredentials))
{
return(Task.CompletedTask);
}
if (!Convert.ToBoolean(configuration["APIEnableScopePerClaim"]))
{
return(Task.CompletedTask);
}
if (string.IsNullOrEmpty(configuration["APIClientScopes"]))
{
return(Task.CompletedTask);
}
var scopes = configuration["APIClientScopes"]?.Split(" ", StringSplitOptions.RemoveEmptyEntries);
foreach (var scope in scopes)
{
client.Claims.Add(new Claim(scope, "true"));
}
return(Task.CompletedTask);
}
public async Task ValidateAsync_ForDifferentIsErrorCombinations_ExpectedIsError(
bool firstValidator, bool secondValidator, bool expected)
{
//Arrange
var context = new CustomTokenRequestValidationContext()
{
Result = new TokenRequestValidationResult(new ValidatedTokenRequest())
};
var validator1Mock = new Mock <ICustomTokenRequestValidator>();
validator1Mock
.Setup(c => c.ValidateAsync(It.IsAny <CustomTokenRequestValidationContext>()))
.Returns(Task.CompletedTask)
.Callback(() => context.Result.IsError = firstValidator);
var validator2Mock = new Mock <ICustomTokenRequestValidator>();
validator2Mock
.Setup(c => c.ValidateAsync(It.IsAny <CustomTokenRequestValidationContext>()))
.Returns(Task.CompletedTask)
.Callback(() => context.Result.IsError = secondValidator);
var sut = new AllOrNothingTokenRequestValidator(new[]
{
validator1Mock.Object,
validator2Mock.Object
}, new LoggerFactory().CreateLogger <AllOrNothingTokenRequestValidator>());
//Act
await sut.ValidateAsync(context);
//Assert
context.Result.IsError.ShouldBe(expected);
}
/// <summary>
/// Custom validation logic for a token request.
/// </summary>
/// <param name="context">The context.</param>
public async Task ValidateAsync(CustomTokenRequestValidationContext context)
{
HttpRequest httpRequest = _httpContextAccessor.HttpContext?.Request;
if (httpRequest != null && httpRequest.Form.TryGetValue(IdentityServerConstants.ORGANIZATION, out StringValues stringValues) && stringValues.Any())
{
ICollection <Claim> clientClaims = context.Result.ValidatedRequest.ClientClaims;
clientClaims.Add(new Claim(ORGANIZATION_ID, 1.ToString()));
if (!clientClaims.Any(c => c.Type.Equals(ORGANIZATION_ID, StringComparison.OrdinalIgnoreCase)))
{
//long? organizationId = (await _organizationRepository.GetByShortNameAndOrganizationTypeWithCacheAsync(stringValues[0], null))?.OrganizationId;
//if (organizationId.HasValue)
//{
// clientClaims.Add(new Claim(ORGANIZATION_ID, organizationId.Value.ToString()));
//}
//else
//{
// context.Result.IsError = true;
// // context.Result.Error = ValidationMessages.DB_ORGANIZATION_NOT_EXIST;
//}
}
}
}
private async Task <TokenRequestValidationResult> RunValidationAsync(Func <NameValueCollection, Task <TokenRequestValidationResult> > validationFunc, NameValueCollection parameters)
{
// run standard validation
var result = await validationFunc(parameters);
if (result.IsError)
{
return(result);
}
// run custom validation
_logger.LogTrace("Calling into custom request validator: {type}", _customRequestValidator.GetType().FullName);
var customValidationContext = new CustomTokenRequestValidationContext {
Result = result
};
await _customRequestValidator.ValidateAsync(customValidationContext);
if (customValidationContext.Result.IsError)
{
if (customValidationContext.Result.Error.IsPresent())
{
LogError("Custom token request validator", new { error = customValidationContext.Result.Error });
}
else
{
LogError("Custom token request validator error");
}
return(customValidationContext.Result);
}
LogSuccess();
return(customValidationContext.Result);
}
public Task ValidateAsync(CustomTokenRequestValidationContext context)
{
if (context.Result.CustomResponse is null)
{
context.Result.CustomResponse = new Dictionary <string, object>();
var(type, value) = ClaimToCustomResponse(Config.GetDefaultPatientClaim());
context.Result.CustomResponse.Add(type, value);
(type, value) = ClaimToCustomResponse(Config.GetDefaultNeedPatientBanner());
context.Result.CustomResponse.Add(type, value);
var httpContext = _httpContextAccessor.HttpContext;
var identityServerBaseUrl = IdentityServerBaseUrl(httpContext);
(type, value) = ClaimToCustomResponse(Config.GetDefaultStyleUrl(identityServerBaseUrl));
context.Result.CustomResponse.Add(type, value);
}
else
{
throw new InvalidOperationException("CustomTokenRequestValidationContext - Unexpected CustomResponse was included included in validation context");
}
return(Task.CompletedTask);
}
public Task ValidateAsync(CustomTokenRequestValidationContext context)
{
//context.Result.IsError = true;
//context.Result.Error = "错误dsada";
//context.Result.CustomResponse = new Dictionary<string, object> { { "station", "站点" }, { "city", "城市" }, { "province", "省" } };
return(Task.CompletedTask);
}
public Task ValidateAsync(CustomTokenRequestValidationContext context)
{
context.Result = new TokenRequestValidationResult(new ValidatedTokenRequest()
{
});
return(Task.FromResult(0));
}
public async Task ValidateAsync(ExtensionGrantValidationContext context)
{
_logger.LogDebug("Start token request validation");
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
var raw = context.Request.Raw;
var validatedRequest = new ValidatedTokenRequest
{
Raw = raw ?? throw new ArgumentNullException(nameof(raw)),
Options = _options
};
var customTokenRequestValidationContext = new CustomTokenRequestValidationContext()
{
Result = new TokenRequestValidationResult(validatedRequest)
};
await _arbitraryNoSubjectRequestValidator.ValidateAsync(customTokenRequestValidationContext);
if (customTokenRequestValidationContext.Result.IsError)
{
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidRequest,
customTokenRequestValidationContext.Result.Error);
return;
}
// validate HTTP for clients
if (HttpMethods.IsPost(_httpContextAccessor.HttpContext.Request.Method) && _httpContextAccessor.HttpContext.Request.HasFormContentType)
{
// validate client
var clientResult = await _clientValidator.ValidateAsync(_httpContextAccessor.HttpContext);
if (!clientResult.IsError)
{
validatedRequest.SetClient(clientResult.Client);
}
}
/////////////////////////////////////////////
// check grant type
/////////////////////////////////////////////
var grantType = validatedRequest.Raw.Get(OidcConstants.TokenRequest.GrantType);
if (grantType.IsMissing())
{
LogError("Grant type is missing");
context.Result = new GrantValidationResult(TokenRequestErrors.UnsupportedGrantType);
return;
}
if (grantType.Length > _options.InputLengthRestrictions.GrantType)
{
LogError("Grant type is too long");
context.Result = new GrantValidationResult(TokenRequestErrors.UnsupportedGrantType);
return;
}
validatedRequest.GrantType = grantType;
context.Result = new GrantValidationResult();
}
public async Task ValidateAsync(CustomTokenRequestValidationContext context)
{
//If Token grant_type id refresh_token we need to check weather request from mobile device with acr_values.
if (context?.Result?.ValidatedRequest?.GrantType != null && context.Result.ValidatedRequest.GrantType == OidcConstants.GrantTypes.RefreshToken)
{
var raw = context.Result.ValidatedRequest.Raw;
var acr_values = raw.ToNameValueCollection(OidcConstants.AuthorizeRequest.AcrValues);
var subject = context.Result.ValidatedRequest.Subject ?? context.Result.ValidatedRequest.AuthorizationCode?.Subject;
if (!string.IsNullOrEmpty(acr_values.Get("device_id")))
{
if (subject != null)
{
var user = await _userManager.FindByIdAsync(subject.Claims.FirstOrDefault(x => x.Type == "sub").Value);
if (user != null)
{
var claims = await _userManager.GetClaimsAsync(user);
if (claims.Any(x => x.Type == "device_id"))
{
var devid = claims.FirstOrDefault(x => x.Type == "device_id");
if (devid.Value.Trim().ToLower() != acr_values.Get("device_id").Trim().ToLower())
{
context.Result.Error = "Invalid device_id";
context.Result.ErrorDescription = "Invalid device_id. or may user login different device.";
context.Result.IsError = true;
}
}
}
}
}
}
}
public async Task ValidateAsync(CustomTokenRequestValidationContext context)
{
var client = context.Result.ValidatedRequest.Client;
// we want to add custom claims to our "poop" client
if (client.ClientName == "Aya Client")
{
// do some validation, etc.
//var result = await DoSomeProcessingAsync(client);
//
// }
// get list of custom claims we want to add
var claims = new List <Claim>
{
new Claim(ClaimTypes.Role, "Admin")
};
// add it
claims.ToList().ForEach(u => context.Result.ValidatedRequest.ClientClaims.Add(u));
// don't want it to be prefixed with "client_" ? we change it here (or from global settings)
context.Result.ValidatedRequest.Client.ClientClaimsPrefix = "";
}
}
public Task ValidateAsync(CustomTokenRequestValidationContext context)
{
//context.Result.ValidatedRequest.Scopes = new[] {"trieudk_scope"};
//context.Result.ValidatedRequest.ClientClaims = new List<Claim> {new Claim("trieudk_client_claims", "1")};
//context.Result.ValidatedRequest.AccessTokenLifetime = 3;
return(Task.FromResult(0));
}
public Task ValidateAsync(CustomTokenRequestValidationContext context)
{
context.Result.ValidatedRequest.ClientClaims.Add(new Claim("my:client", "is:special"));
return(Task.CompletedTask);
}
public Task ValidateAsync(CustomTokenRequestValidationContext context)
{
// overriding access_token_lifetime
var form = context.Result.ValidatedRequest.Raw;
var accessTokenLifetimeOverride = form.Get(Constants.AccessTokenLifetime);
if (!string.IsNullOrWhiteSpace(accessTokenLifetimeOverride))
{
// already been validated in a previous phase
int accessTokenLifetime = 0;
if (int.TryParse(accessTokenLifetimeOverride, out accessTokenLifetime))
{
context.Result.ValidatedRequest.AccessTokenLifetime = accessTokenLifetime;
}
}
var accessTokenTypeOverride = form.Get(Constants.AccessTokenType);
if (!string.IsNullOrWhiteSpace(accessTokenTypeOverride))
{
if (string.Compare(accessTokenTypeOverride, "Reference", true) == 0)
{
context.Result.ValidatedRequest.AccessTokenType = AccessTokenType.Reference;
}
else if (string.Compare(accessTokenTypeOverride, "Jwt", true) == 0)
{
context.Result.ValidatedRequest.AccessTokenType = AccessTokenType.Jwt;
}
}
return(Task.CompletedTask);
}
public async Task ValidateAsync(CustomTokenRequestValidationContext context)
{
var raw = context.Result.ValidatedRequest.Raw;
var rr = raw.AllKeys.ToDictionary(k => k, k => raw[(string)k]);
var error = false;
var los = new List <string>();
var oneMustExistResult = (from item in OneMustExitsArguments
where rr.Keys.Contains(item)
select item).ToList();
if (!oneMustExistResult.Any())
{
error = true;
los.AddRange(OneMustExitsArguments.Select(item => $"[one or the other] {item} is missing!"));
}
var result = RequiredArbitraryArguments.Except(rr.Keys);
if (result.Any())
{
error = true;
los.AddRange(result.Select(item => $"{item} is missing!"));
}
// make sure nothing is malformed
error = los.ValidateFormat <Dictionary <string, List <string> > >(Constants.ArbitraryAmrs, raw[Constants.ArbitraryClaims]) || error;
error = los.ValidateFormat <List <string> >(Constants.ArbitraryAmrs, raw[Constants.ArbitraryAmrs]) || error;
error = los.ValidateFormat <List <string> >(Constants.ArbitraryAmrs, raw[Constants.ArbitraryAudiences]) || error;
if (!error)
{
var arbitraryClaims = raw[Constants.ArbitraryClaims];
if (!string.IsNullOrWhiteSpace(arbitraryClaims))
{
var values =
JsonConvert.DeserializeObject <Dictionary <string, List <string> > >(arbitraryClaims);
var invalidClaims = (from o in values
join p in NotAllowedArbitraryClaims on o.Key equals p into t
from od in t.DefaultIfEmpty()
where od != null
select od).ToList();
if (invalidClaims.Any())
{
// not allowed.
error = true;
foreach (var invalidClaim in invalidClaims)
{
los.Add($"The arbitrary claim: '{invalidClaim}' is not allowed.");
}
}
}
}
if (error)
{
context.Result.IsError = true;
context.Result.Error = String.Join <string>(" | ", los);;
}
}
public Task ValidateAsync(CustomTokenRequestValidationContext context)
{
context.Result.ValidatedRequest.Client.AlwaysSendClientClaims = true;
var reqParamsDict = context.Result.ValidatedRequest.Raw["user_id"].ToString();
context.Result.ValidatedRequest.ClientClaims.Add(new Claim("user_id", reqParamsDict));
return(Task.CompletedTask);
}
public Task ValidateAsync(CustomTokenRequestValidationContext context)
{
context.Result.CustomResponse = new Dictionary <string, object>
{
{ "custom", "custom" }
};
return(Task.CompletedTask);
}
public Task ValidateAsync(CustomTokenRequestValidationContext context)
{
var request = context.Result.ValidatedRequest;
//sets token to 30 days expiry
request.AccessTokenLifetime = 86400 * 30;
return(Task.CompletedTask);
}
/// <summary>
///
/// </summary>
/// <param name="context"></param>
/// <returns></returns>
public Task ValidateAsync(CustomTokenRequestValidationContext context)
{
var numero_documento = context.Result.ValidatedRequest.Raw.Get("client_numero_documento");
var codigo_usuario = context.Result.ValidatedRequest.Raw.Get("client_codigo_usuario");
context.Result.ValidatedRequest.Client.AlwaysSendClientClaims = true;
context.Result.ValidatedRequest.ClientClaims.Add(new Claim("numero_documento", numero_documento));
context.Result.ValidatedRequest.ClientClaims.Add(new Claim("codigo_usuario", codigo_usuario));
return(Task.FromResult(0));
}
public Task ValidateAsync(CustomTokenRequestValidationContext context)
{
var claims = context.Result.ValidatedRequest.ClientClaims;
context.Result.ValidatedRequest.Client.ClientClaimsPrefix = "";
claims.Add(new Claim(CustomClaimTypes.TenantName, _tenantName));
claims.Add(new Claim(CustomClaimTypes.TenantId, _tenantId.ToString()));
return(Task.FromResult(0));
}
public async Task ValidateAsync(CustomTokenRequestValidationContext context)
{
var client = context.Result.ValidatedRequest.Client;
foreach (var key in client.Properties.Keys)
{
context.Result.ValidatedRequest.ClientClaims.Add(new Claim(key, client.Properties[key]));
}
context.Result.ValidatedRequest.Client.ClientClaimsPrefix = string.Empty;
}
public Task ValidateAsync(CustomTokenRequestValidationContext context)
{
var transaction = context.Result.ValidatedRequest.ValidatedResources.ParsedScopes.FirstOrDefault(x => x.ParsedName == "transaction");
if (transaction?.ParsedParameter != null)
{
context.Result.ValidatedRequest.ClientClaims.Add(new Claim(transaction.ParsedName, transaction.ParsedParameter));
}
return(Task.CompletedTask);
}
public Task ValidateAsync(CustomTokenRequestValidationContext context)
{
string userId = context.Result.ValidatedRequest.Raw[Const.USER_ID];
if (userId.IsNotNull())
{
context.Result.ValidatedRequest.ClientClaims.Add(new Claim(Const.USER_ID, userId));
}
return(Task.CompletedTask);
}
public Task ValidateAsync(CustomTokenRequestValidationContext context)
{
var hasClientCredentials = context.Result.ValidatedRequest.Client.AllowedGrantTypes.Contains("client_credentials");
if (hasClientCredentials && !_ipAddressValidator.IsIpAddressInternal())
{
context.Result.IsError = true;
context.Result.Error = OidcConstants.AuthorizeErrors.UnauthorizedClient;
}
return(Task.CompletedTask);
}
public async Task ValidateAsync(CustomTokenRequestValidationContext context)
{
///context.Result = new TokenRequestValidationResult(new ValidatedTokenRequest() { });
///
//context.Result = new TokenRequestValidationResult(new ValidatedTokenRequest() {
// AccessTokenLifetime = 31,
// RefreshToken = new RefreshToken() { AccessToken=new Token() { AccessTokenType= AccessTokenType .Jwt} },
//});
await Task.FromResult(true);
}
public Task ValidateAsync(CustomTokenRequestValidationContext context)
{
var tenant = context.Result.ValidatedRequest.Raw.Get(ExtJwtClaimTypes.TenantName);
// get tenant claim and remove it
var сlaimForRemoval = context.Result.ValidatedRequest.Client.Claims.FirstOrDefault(x => x.Type == ExtJwtClaimTypes.TenantName);
context.Result.ValidatedRequest.Client.Claims.Remove(сlaimForRemoval);
// add tenant claim to client
context.Result.ValidatedRequest.Client.Claims.Add(new Claim(ExtJwtClaimTypes.TenantName, tenant));
return(Task.FromResult(0));
}
public Task ValidateAsync(CustomTokenRequestValidationContext context)
{
if (!context.Result.IsError)
{
var TenantClaim = _context.GetTenantTokenClaim();
if (TenantClaim != null)
{
context.Result.ValidatedRequest.ClientClaims.Add(TenantClaim);
}
}
return(Task.CompletedTask);
}
public async Task ValidateAsync(CustomTokenRequestValidationContext context)
{
foreach (var validator in _validators)
{
await validator.ValidateAsync(context);
if (context.Result.IsError)
{
break;
}
}
_logger.LogDebug("All custom token request validators evaluated to valid.");
}
public Task ValidateAsync(CustomTokenRequestValidationContext context)
{
if (context.Result.ValidatedRequest.Subject.Identity is ClaimsIdentity identity)
{
var id = identity.Claims.FirstOrDefault(x => x.Type == "sub")?.Value;
var user = _userRepository.GetById(id);
context.Result.ValidatedRequest.ClientClaims.Add(new Claim(ClaimTypes.Name, user?.UserName));
}
else
{
context.Result.IsError = true;
}
return(Task.FromResult(0));
}
public async Task ValidateAsync(CustomTokenRequestValidationContext context)
{
if (context.Result.ValidatedRequest.Subject != null)
{
var user = await manager.FindByIdAsync(context.Result.ValidatedRequest.Subject.GetSubjectId());
if (!user.EmailConfirmed)
{
context.Result.Error = "not_confirmed";
context.Result.ErrorDescription = "Account is not confirmed";
context.Result.IsError = true;
}
}
}
