private static void ValidateScopes(AuthorizeRequest request, ValidatedRequest validatedRequest)
{
// validate scopes
if (string.IsNullOrEmpty(request.scope))
{
throw new AuthorizeRequestClientException(
"Missing scope.",
new Uri(validatedRequest.RedirectUri.Uri),
OAuthConstants.Errors.InvalidScope,
validatedRequest.ResponseType,
validatedRequest.State);
}
var requestedScopes = request.scope.Split(' ').ToList();
List <Scope> resultingScopes;
if (validatedRequest.Application.Scopes.TryValidateScopes(validatedRequest.Client.ClientId, requestedScopes, out resultingScopes))
{
validatedRequest.Scopes = resultingScopes;
Tracing.InformationFormat("Requested scopes: {0}", request.scope);
}
else
{
throw new AuthorizeRequestClientException(
"Invalid scope.",
new Uri(validatedRequest.RedirectUri.Uri),
OAuthConstants.Errors.InvalidScope,
validatedRequest.ResponseType,
validatedRequest.State);
}
}
private static void ValidateScopes(ValidatedRequest validatedRequest, TokenRequest request)
{
// validate scope
if (string.IsNullOrWhiteSpace(request.Scope))
{
throw new TokenRequestValidationException(
"Missing scope",
OAuthConstants.Errors.InvalidScope);
}
// make sure client is allowed to request all scope
var requestedScopes = request.Scope.Split(' ').ToList();
List <Scope> resultingScopes;
if (validatedRequest.Application.Scopes.TryValidateScopes(validatedRequest.Client.ClientId, requestedScopes, out resultingScopes))
{
validatedRequest.Scopes = resultingScopes;
Tracing.InformationFormat("Requested scopes: {0}", request.Scope);
}
else
{
throw new TokenRequestValidationException(
"Invalid scope",
OAuthConstants.Errors.InvalidScope);
}
}
public ValidatedRequest Validate(Application application, AuthorizeRequest request)
{
// If the request fails due to a missing, invalid, or mismatching
// redirection URI, or if the client identifier is missing or invalid,
// the authorization server SHOULD inform the resource owner of the
// error and MUST NOT automatically redirect the user-agent to the
// invalid redirection URI.
var validatedRequest = new ValidatedRequest();
// validate request model binding
if (request == null)
{
throw new AuthorizeRequestResourceOwnerException("Invalid request parameters.");
}
validatedRequest.Application = application;
Tracing.InformationFormat("OAuth2 application: {0} ({1})",
validatedRequest.Application.Name,
validatedRequest.Application.Namespace);
validatedRequest.ShowRememberConsent = application.AllowRememberConsentDecision;
// make sure redirect uri is present
if (string.IsNullOrWhiteSpace(request.redirect_uri))
{
throw new AuthorizeRequestResourceOwnerException("Missing redirect URI");
}
// validate client
if (string.IsNullOrWhiteSpace(request.client_id))
{
throw new AuthorizeRequestResourceOwnerException("Missing client identifier");
}
var client = validatedRequest.Application.Clients.Get(request.client_id);
if (client == null || client.Enabled == false)
{
throw new AuthorizeRequestResourceOwnerException("Invalid client or not enabled: " + request.client_id);
}
validatedRequest.Client = client;
Tracing.InformationFormat("Client: {0} ({1})",
validatedRequest.Client.Name,
validatedRequest.Client.ClientId);
// make sure redirect_uri is a valid uri, and in case of http is over ssl
Uri redirectUri;
if (Uri.TryCreate(request.redirect_uri, UriKind.Absolute, out redirectUri))
{
if (redirectUri.Scheme == Uri.UriSchemeHttp)
{
throw new AuthorizeRequestResourceOwnerException("Redirect URI not over SSL : " + request.redirect_uri);
}
// make sure redirect uri is registered with client
var validUri = validatedRequest.Client.RedirectUris.Get(request.redirect_uri);
if (validUri == null)
{
throw new AuthorizeRequestResourceOwnerException("Invalid redirect URI: " + request.redirect_uri);
}
validatedRequest.RedirectUri = validUri;
Tracing.InformationFormat("Redirect URI: {0} ({1})",
validatedRequest.RedirectUri.Uri,
validatedRequest.RedirectUri.Description);
}
else
{
var message = "Invalid redirect URI: " + request.redirect_uri;
Tracing.Error(message);
throw new AuthorizeRequestResourceOwnerException("Invalid redirect URI: " + request.redirect_uri);
}
// check state
if (!string.IsNullOrWhiteSpace(request.state))
{
validatedRequest.State = request.state;
Tracing.Information("State: " + validatedRequest.State);
}
else
{
Tracing.Information("No state supplied.");
}
// validate response type
if (String.IsNullOrWhiteSpace(request.response_type))
{
throw new AuthorizeRequestClientException(
"response_type is null or empty",
new Uri(validatedRequest.RedirectUri.Uri),
OAuthConstants.Errors.InvalidRequest,
string.Empty,
validatedRequest.State);
}
// check response type (only code and token are supported)
if (!request.response_type.Equals(OAuthConstants.ResponseTypes.Token, StringComparison.Ordinal) &&
!request.response_type.Equals(OAuthConstants.ResponseTypes.Code, StringComparison.Ordinal))
{
throw new AuthorizeRequestClientException(
"response_type is not token or code: " + request.response_type,
new Uri(validatedRequest.RedirectUri.Uri),
OAuthConstants.Errors.UnsupportedResponseType,
string.Empty,
validatedRequest.State);
}
validatedRequest.ResponseType = request.response_type;
Tracing.Information("Response type: " + validatedRequest.ResponseType);
if (request.response_type == OAuthConstants.ResponseTypes.Code)
{
ValidateCodeResponseType(validatedRequest, request);
}
else if (request.response_type == OAuthConstants.ResponseTypes.Token)
{
ValidateTokenResponseType(validatedRequest, request);
}
else
{
throw new AuthorizeRequestClientException(
"Invalid response_type: " + request.response_type,
new Uri(validatedRequest.RedirectUri.Uri),
OAuthConstants.Errors.UnsupportedResponseType,
request.response_type,
validatedRequest.State);
}
ValidateScopes(request, validatedRequest);
// TODO: fix based upon past "remember me" settings
validatedRequest.ShowConsent = client.RequireConsent || application.RequireConsent;
Tracing.Information("Authorize request validation successful.");
return(validatedRequest);
}
public ValidatedRequest Validate(TokenRequest request, ClaimsPrincipal clientPrincipal)
{
var validatedRequest = new ValidatedRequest();
// validate request model binding
if (request == null)
{
throw new TokenRequestValidationException(
"Invalid request parameters.",
OAuth2Constants.Errors.InvalidRequest);
}
// grant type is required
if (string.IsNullOrWhiteSpace(request.Grant_Type))
{
throw new TokenRequestValidationException(
"Missing grant_type",
OAuth2Constants.Errors.UnsupportedGrantType);
}
// check supported grant types
if (request.Grant_Type == OAuth2Constants.GrantTypes.AuthorizationCode ||
request.Grant_Type == OAuth2Constants.GrantTypes.RefreshToken)
{
validatedRequest.GrantType = request.Grant_Type;
Tracing.Information("Grant type: " + validatedRequest.GrantType);
}
else
{
throw new TokenRequestValidationException(
"Invalid grant_type: " + request.Grant_Type,
OAuth2Constants.Errors.UnsupportedGrantType);
}
// validate client credentials
var client = ValidateClient(clientPrincipal);
if (client == null)
{
throw new TokenRequestValidationException(
"Invalid client: " + clientPrincipal.Identity.Name,
OAuth2Constants.Errors.InvalidClient);
}
validatedRequest.Client = client;
Tracing.InformationFormat("Client: {0} ({1})",
validatedRequest.Client.Name,
validatedRequest.Client.ClientId);
switch (request.Grant_Type)
{
case OAuth2Constants.GrantTypes.AuthorizationCode:
ValidateCodeGrant(validatedRequest, request);
break;
case OAuth2Constants.GrantTypes.RefreshToken:
ValidateRefreshTokenGrant(validatedRequest, request);
break;
default:
throw new TokenRequestValidationException(
"Invalid grant_type: " + request.Grant_Type,
OAuth2Constants.Errors.UnsupportedGrantType);
}
Tracing.Information("Token request validation successful.");
return(validatedRequest);
}
public ValidatedRequest Validate(Application application, TokenRequest request, ClaimsPrincipal clientPrincipal)
{
var validatedRequest = new ValidatedRequest();
// validate request model binding
if (request == null)
{
throw new TokenRequestValidationException(
"Invalid request parameters.",
OAuthConstants.Errors.InvalidRequest);
}
validatedRequest.Application = application;
Tracing.InformationFormat("OAuth2 application: {0} ({1})",
validatedRequest.Application.Name,
validatedRequest.Application.Namespace);
// grant type is required
if (string.IsNullOrWhiteSpace(request.Grant_Type))
{
throw new TokenRequestValidationException(
"Missing grant_type",
OAuthConstants.Errors.UnsupportedGrantType);
}
// check supported grant types
if (request.Grant_Type == OAuthConstants.GrantTypes.AuthorizationCode ||
request.Grant_Type == OAuthConstants.GrantTypes.ClientCredentials ||
request.Grant_Type == OAuthConstants.GrantTypes.RefreshToken ||
request.Grant_Type == OAuthConstants.GrantTypes.Password)
{
validatedRequest.GrantType = request.Grant_Type;
Tracing.Information("Grant type: " + validatedRequest.GrantType);
}
else if (!string.IsNullOrWhiteSpace(request.Assertion))
{
validatedRequest.GrantType = OAuthConstants.GrantTypes.Assertion;
validatedRequest.AssertionType = request.Grant_Type;
validatedRequest.Assertion = request.Assertion;
Tracing.Information("Grant type: " + validatedRequest.GrantType);
}
else
{
throw new TokenRequestValidationException(
"Invalid grant_type: " + request.Grant_Type,
OAuthConstants.Errors.UnsupportedGrantType);
}
// validate client credentials
var client = ValidateClient(clientPrincipal, validatedRequest.Application);
if (client == null || client.Enabled == false)
{
throw new TokenRequestValidationException(
"Invalid client or not enabled: " + ClaimsPrincipal.Current.Identity.Name,
OAuthConstants.Errors.InvalidClient);
}
validatedRequest.Client = client;
Tracing.InformationFormat("Client: {0} ({1})",
validatedRequest.Client.Name,
validatedRequest.Client.ClientId);
switch (validatedRequest.GrantType)
{
case OAuthConstants.GrantTypes.AuthorizationCode:
ValidateCodeGrant(validatedRequest, request);
break;
case OAuthConstants.GrantTypes.Password:
ValidatePasswordGrant(validatedRequest, request);
break;
case OAuthConstants.GrantTypes.RefreshToken:
ValidateRefreshTokenGrant(validatedRequest, request);
break;
case OAuthConstants.GrantTypes.ClientCredentials:
ValidateClientCredentialsGrant(validatedRequest, request);
break;
case OAuthConstants.GrantTypes.Assertion:
ValidateAssertionGrant(validatedRequest, request);
break;
default:
throw new TokenRequestValidationException(
"Invalid grant_type: " + request.Grant_Type,
OAuthConstants.Errors.UnsupportedGrantType);
}
Tracing.Information("Token request validation successful.");
return(validatedRequest);
}
public ValidatedRequest Validate(AuthorizeRequest request)
{
var validatedRequest = new ValidatedRequest();
// validate request model binding
if (request == null)
{
throw new AuthorizeRequestResourceOwnerException("Invalid request parameters.");
}
// make sure redirect uri is present
if (string.IsNullOrWhiteSpace(request.redirect_uri))
{
throw new AuthorizeRequestResourceOwnerException("Missing redirect URI");
}
// validate client
if (string.IsNullOrWhiteSpace(request.client_id))
{
throw new AuthorizeRequestResourceOwnerException("Missing client identifier");
}
var client = Clients.Get(request.client_id);
if (client == null)
{
throw new AuthorizeRequestResourceOwnerException("Invalid client: " + request.client_id);
}
validatedRequest.Client = client;
Tracing.InformationFormat("Client: {0} ({1})",
validatedRequest.Client.Name,
validatedRequest.Client.ClientId);
// make sure redirect_uri is a valid uri, and in case of http is over ssl
Uri redirectUri;
if (Uri.TryCreate(request.redirect_uri, UriKind.Absolute, out redirectUri))
{
if (redirectUri.Scheme == Uri.UriSchemeHttp)
{
throw new AuthorizeRequestClientException(
"Redirect URI not over SSL : " + request.redirect_uri,
new Uri(request.redirect_uri),
OAuth2Constants.Errors.InvalidRequest,
string.Empty,
validatedRequest.State);
}
// make sure redirect uri is registered with client
if (!validatedRequest.Client.RedirectUris.Contains(request.redirect_uri))
{
throw new AuthorizeRequestResourceOwnerException("Invalid redirect URI: " + request.redirect_uri);
}
validatedRequest.RedirectUri = request.redirect_uri;
Tracing.InformationFormat("Redirect URI: {0}",
validatedRequest.RedirectUri);
}
else
{
throw new AuthorizeRequestResourceOwnerException("Invalid redirect URI: " + request.redirect_uri);
}
// check state
if (!string.IsNullOrWhiteSpace(request.state))
{
validatedRequest.State = request.state;
Tracing.Information("State: " + validatedRequest.State);
}
else
{
Tracing.Information("No state supplied.");
}
// validate response type
if (string.IsNullOrWhiteSpace(request.response_type))
{
throw new AuthorizeRequestClientException(
"response_type is null or empty",
new Uri(validatedRequest.RedirectUri),
OAuth2Constants.Errors.InvalidRequest,
string.Empty,
validatedRequest.State);
}
// check response type (only code and token are supported)
if (!request.response_type.Equals(OAuth2Constants.ResponseTypes.Token, StringComparison.Ordinal) &&
!request.response_type.Equals(OAuth2Constants.ResponseTypes.Code, StringComparison.Ordinal))
{
throw new AuthorizeRequestClientException(
"response_type is not token or code: " + request.response_type,
new Uri(validatedRequest.RedirectUri),
OAuth2Constants.Errors.UnsupportedResponseType,
string.Empty,
validatedRequest.State);
}
validatedRequest.ResponseType = request.response_type;
Tracing.Information("Response type: " + validatedRequest.ResponseType);
// scope is required
if (string.IsNullOrWhiteSpace(request.scope))
{
throw new AuthorizeRequestClientException(
"Missing scope",
new Uri(validatedRequest.RedirectUri),
OAuth2Constants.Errors.InvalidScope,
validatedRequest.ResponseType,
validatedRequest.State);
}
// validate scopes
if (!request.scope.StartsWith("openid"))
{
throw new AuthorizeRequestClientException(
"Invalid scope: " + request.scope,
new Uri(validatedRequest.RedirectUri),
OAuth2Constants.Errors.InvalidScope,
validatedRequest.ResponseType,
validatedRequest.State);
}
validatedRequest.Scopes = request.scope;
if (request.response_type == OAuth2Constants.ResponseTypes.Code)
{
ValidateCodeResponseType(validatedRequest, request);
}
else if (request.response_type == OAuth2Constants.ResponseTypes.Token)
{
ValidateTokenResponseType(validatedRequest, request);
}
else
{
throw new AuthorizeRequestClientException(
"Invalid response_type: " + request.response_type,
new Uri(validatedRequest.RedirectUri),
OAuth2Constants.Errors.UnsupportedResponseType,
request.response_type,
validatedRequest.State);
}
return(validatedRequest);
}
