public async Task <IActionResult> Index(ConfirmConsentsViewModel confirmConsentsViewModel, CancellationToken token)
{
try
{
var unprotectedUrl = _dataProtector.Unprotect(confirmConsentsViewModel.ReturnUrl);
var query = unprotectedUrl.GetQueries().ToJObj();
var nameIdentifier = GetNameIdentifier();
var user = await _oauthUserRepository.FindOAuthUserByLogin(nameIdentifier, token);
var consent = _userConsentFetcher.FetchFromAuthorizationRequest(user, query);
if (consent == null)
{
consent = _userConsentFetcher.BuildFromAuthorizationRequest(query);
var scopes = await _oauthScopeRepository.FindOAuthScopesByNames(consent.Scopes.Select(s => s.Name), token);
consent.Scopes = scopes;
user.Consents.Add(consent);
await _oauthUserRepository.Update(user, token);
await _oauthUserRepository.SaveChanges(token);
}
return(Redirect(unprotectedUrl));
}
catch (CryptographicException)
{
ModelState.AddModelError("invalid_request", "invalid_request");
return(View(confirmConsentsViewModel));
}
}
protected virtual async Task UpdateClient(BaseClient oauthClient, BaseClient extractClient, CancellationToken cancellationToken)
{
var scopeNames = extractClient.AllowedScopes.Select(s => s.Name);
var scopes = await _oauthScopeRepository.FindOAuthScopesByNames(scopeNames, cancellationToken);
oauthClient.SetClientNames(extractClient.ClientNames);
oauthClient.SetLogoUris(extractClient.LogoUris);
oauthClient.TokenEndPointAuthMethod = extractClient.TokenEndPointAuthMethod;
oauthClient.SetAllowedScopes(scopes);
oauthClient.RedirectionUrls = extractClient.RedirectionUrls;
oauthClient.TokenExpirationTimeInSeconds = extractClient.TokenExpirationTimeInSeconds;
oauthClient.RefreshTokenExpirationTimeInSeconds = extractClient.RefreshTokenExpirationTimeInSeconds;
oauthClient.GrantTypes = extractClient.GrantTypes;
oauthClient.UpdateDateTime = DateTime.UtcNow;
}
public virtual async Task Validate(BaseClient client, CancellationToken cancellationToken)
{
var authGrantTypes = _responseTypeHandlers.Select(r => r.GrantType);
var supportedGrantTypes = _grantTypeHandlers.Select(g => g.GrantType).Union(authGrantTypes).Distinct();
var notSupportedGrantTypes = client.GrantTypes.Where(gt => !supportedGrantTypes.Any(sgt => sgt == gt));
if (notSupportedGrantTypes.Any())
{
throw new OAuthException(ErrorCodes.INVALID_CLIENT_METADATA, string.Format(ErrorMessages.UNSUPPORTED_GRANT_TYPES, string.Join(",", notSupportedGrantTypes)));
}
if (!string.IsNullOrWhiteSpace(client.TokenEndPointAuthMethod) && !_oauthClientAuthenticationHandlers.Any(o => o.AuthMethod == client.TokenEndPointAuthMethod))
{
throw new OAuthException(ErrorCodes.INVALID_CLIENT_METADATA, string.Format(ErrorMessages.UNKNOWN_AUTH_METHOD, client.TokenEndPointAuthMethod));
}
var supportedResponseTypeHandlers = _responseTypeHandlers.Where(r => client.GrantTypes.Contains(r.GrantType));
if (supportedResponseTypeHandlers.Any())
{
var supportedResponseTypes = supportedResponseTypeHandlers.Select(s => s.ResponseType);
var unSupportedResponseTypes = client.ResponseTypes.Where(r => !supportedResponseTypes.Contains(r));
if (unSupportedResponseTypes.Any())
{
throw new OAuthException(ErrorCodes.INVALID_CLIENT_METADATA, string.Format(ErrorMessages.BAD_RESPONSE_TYPES, string.Join(",", unSupportedResponseTypes)));
}
}
foreach (var kvp in supportedResponseTypeHandlers.GroupBy(k => k.GrantType))
{
if (!kvp.Any(k => client.ResponseTypes.Contains(k.ResponseType)))
{
throw new OAuthException(ErrorCodes.INVALID_CLIENT_METADATA, string.Format(ErrorMessages.MISSING_RESPONSE_TYPE, kvp.Key));
}
}
if (supportedResponseTypeHandlers.Any())
{
if (client.RedirectionUrls == null || !client.RedirectionUrls.Any())
{
throw new OAuthException(ErrorCodes.INVALID_CLIENT_METADATA, string.Format(ErrorMessages.MISSING_PARAMETER, OAuthClientParameters.RedirectUris));
}
foreach (var redirectUrl in client.RedirectionUrls)
{
CheckRedirectUrl(client, redirectUrl);
}
}
var scopes = client.AllowedScopes.Select(_ => _.Name);
var existingScopes = (await _oauthScopeRepository.FindOAuthScopesByNames(scopes, cancellationToken));
var existingScopeNames = existingScopes.Select(s => s.Name);
var unsupportedScopes = scopes.Except(existingScopeNames);
if (unsupportedScopes.Any())
{
throw new OAuthException(ErrorCodes.INVALID_CLIENT_METADATA, string.Format(ErrorMessages.UNSUPPORTED_SCOPES, string.Join(",", unsupportedScopes)));
}
client.AllowedScopes = existingScopes;
CheckUri(client.JwksUri, ErrorMessages.BAD_JWKS_URI);
CheckUris(client.ClientUris, ErrorMessages.BAD_CLIENT_URI);
CheckUris(client.LogoUris, ErrorMessages.BAD_LOGO_URI);
CheckUris(client.TosUris, ErrorMessages.BAD_TOS_URI);
CheckUris(client.PolicyUris, ErrorMessages.BAD_POLICY_URI);
CheckSignature(client.TokenSignedResponseAlg, ErrorMessages.UNSUPPORTED_TOKEN_SIGNED_RESPONSE_ALG);
CheckEncryption(client.TokenEncryptedResponseAlg, client.TokenEncryptedResponseEnc, ErrorMessages.UNSUPPORTED_TOKEN_ENCRYPTED_RESPONSE_ALG, ErrorMessages.UNSUPPORTED_TOKEN_ENCRYPTED_RESPONSE_ENC, OAuthClientParameters.TokenEncryptedResponseAlg);
if (!string.IsNullOrWhiteSpace(client.JwksUri) && client.JsonWebKeys != null)
{
throw new OAuthException(ErrorCodes.INVALID_CLIENT_METADATA, ErrorMessages.DUPLICATE_JWKS);
}
}
private async Task <IActionResult> Common(JObject content, CancellationToken cancellationToken)
{
try
{
var accessToken = ExtractAccessToken(content);
var jwsPayload = await Extract(accessToken, cancellationToken);
if (jwsPayload == null)
{
throw new OAuthException(ErrorCodes.INVALID_TOKEN, OAuth.ErrorMessages.BAD_TOKEN);
}
var subject = jwsPayload.GetSub();
var scopes = jwsPayload.GetScopes();
var audiences = jwsPayload.GetAudiences();
var claims = jwsPayload.GetClaimsFromAccessToken(AuthorizationRequestClaimTypes.UserInfo);
var authTime = jwsPayload.GetAuthTime();
var user = await _oauthUserRepository.FindOAuthUserByLogin(subject, cancellationToken);
if (user == null)
{
return(new UnauthorizedResult());
}
var filteredClients = await _oauthClientRepository.FindOAuthClientByIds(audiences, cancellationToken);
if (!filteredClients.Any())
{
throw new OAuthException(ErrorCodes.INVALID_CLIENT, ErrorMessages.INVALID_AUDIENCE);
}
var oauthClient = (OpenIdClient)filteredClients.First();
if (!user.HasOpenIDConsent(oauthClient.ClientId, scopes, claims, AuthorizationRequestClaimTypes.UserInfo))
{
throw new OAuthException(ErrorCodes.INVALID_REQUEST, ErrorMessages.NO_CONSENT);
}
var token = await _tokenRepository.Get(accessToken, cancellationToken);
if (token == null)
{
_logger.LogError("Cannot get user information because access token has been rejected");
throw new OAuthException(ErrorCodes.INVALID_TOKEN, OAuth.ErrorMessages.ACCESS_TOKEN_REJECTED);
}
var oauthScopes = await _oauthScopeRepository.FindOAuthScopesByNames(scopes, cancellationToken);
var payload = new JwsPayload();
IdTokenBuilder.EnrichWithScopeParameter(payload, oauthScopes, user, subject);
_claimsJwsPayloadEnricher.EnrichWithClaimsParameter(payload, claims, user, authTime, AuthorizationRequestClaimTypes.UserInfo);
foreach (var claimsSource in _claimsSources)
{
await claimsSource.Enrich(payload, oauthClient, cancellationToken);
}
string contentType = "application/json";
var result = JsonConvert.SerializeObject(payload).ToString();
if (!string.IsNullOrWhiteSpace(oauthClient.UserInfoSignedResponseAlg))
{
payload.Add(Jwt.Constants.OAuthClaims.Issuer, Request.GetAbsoluteUriWithVirtualPath());
payload.Add(Jwt.Constants.OAuthClaims.Audiences, new string[]
{
token.ClientId
});
result = await _jwtBuilder.BuildClientToken(oauthClient, payload, oauthClient.UserInfoSignedResponseAlg, oauthClient.UserInfoEncryptedResponseAlg, oauthClient.UserInfoEncryptedResponseEnc, cancellationToken);
contentType = "application/jwt";
}
return(new ContentResult
{
Content = result,
ContentType = contentType
});
}
catch (OAuthException ex)
{
var jObj = new JObject
{
{ ErrorResponseParameters.Error, ex.Code },
{ ErrorResponseParameters.ErrorDescription, ex.Message }
};
return(new ContentResult
{
Content = jObj.ToString(),
ContentType = "application/json",
StatusCode = (int)HttpStatusCode.BadRequest
});
}
}
