private static void ValidateScopes(AuthorizeRequest request, ValidatedRequest validatedRequest) { // validate scopes if (string.IsNullOrEmpty(request.scope)) { throw new AuthorizeRequestClientException( "Missing scope.", new Uri(validatedRequest.RedirectUri.Uri), OAuthConstants.Errors.InvalidScope, validatedRequest.ResponseType, validatedRequest.State); } var requestedScopes = request.scope.Split(' ').ToList(); List <Scope> resultingScopes; if (validatedRequest.Application.Scopes.TryValidateScopes(validatedRequest.Client.ClientId, requestedScopes, out resultingScopes)) { validatedRequest.Scopes = resultingScopes; Tracing.InformationFormat("Requested scopes: {0}", request.scope); } else { throw new AuthorizeRequestClientException( "Invalid scope.", new Uri(validatedRequest.RedirectUri.Uri), OAuthConstants.Errors.InvalidScope, validatedRequest.ResponseType, validatedRequest.State); } }
private static void ValidateScopes(ValidatedRequest validatedRequest, TokenRequest request) { // validate scope if (string.IsNullOrWhiteSpace(request.Scope)) { throw new TokenRequestValidationException( "Missing scope", OAuthConstants.Errors.InvalidScope); } // make sure client is allowed to request all scope var requestedScopes = request.Scope.Split(' ').ToList(); List <Scope> resultingScopes; if (validatedRequest.Application.Scopes.TryValidateScopes(validatedRequest.Client.ClientId, requestedScopes, out resultingScopes)) { validatedRequest.Scopes = resultingScopes; Tracing.InformationFormat("Requested scopes: {0}", request.Scope); } else { throw new TokenRequestValidationException( "Invalid scope", OAuthConstants.Errors.InvalidScope); } }
public ValidatedRequest Validate(Application application, AuthorizeRequest request) { // If the request fails due to a missing, invalid, or mismatching // redirection URI, or if the client identifier is missing or invalid, // the authorization server SHOULD inform the resource owner of the // error and MUST NOT automatically redirect the user-agent to the // invalid redirection URI. var validatedRequest = new ValidatedRequest(); // validate request model binding if (request == null) { throw new AuthorizeRequestResourceOwnerException("Invalid request parameters."); } validatedRequest.Application = application; Tracing.InformationFormat("OAuth2 application: {0} ({1})", validatedRequest.Application.Name, validatedRequest.Application.Namespace); validatedRequest.ShowRememberConsent = application.AllowRememberConsentDecision; // make sure redirect uri is present if (string.IsNullOrWhiteSpace(request.redirect_uri)) { throw new AuthorizeRequestResourceOwnerException("Missing redirect URI"); } // validate client if (string.IsNullOrWhiteSpace(request.client_id)) { throw new AuthorizeRequestResourceOwnerException("Missing client identifier"); } var client = validatedRequest.Application.Clients.Get(request.client_id); if (client == null || client.Enabled == false) { throw new AuthorizeRequestResourceOwnerException("Invalid client or not enabled: " + request.client_id); } validatedRequest.Client = client; Tracing.InformationFormat("Client: {0} ({1})", validatedRequest.Client.Name, validatedRequest.Client.ClientId); // make sure redirect_uri is a valid uri, and in case of http is over ssl Uri redirectUri; if (Uri.TryCreate(request.redirect_uri, UriKind.Absolute, out redirectUri)) { if (redirectUri.Scheme == Uri.UriSchemeHttp) { throw new AuthorizeRequestResourceOwnerException("Redirect URI not over SSL : " + request.redirect_uri); } // make sure redirect uri is registered with client var validUri = validatedRequest.Client.RedirectUris.Get(request.redirect_uri); if (validUri == null) { throw new AuthorizeRequestResourceOwnerException("Invalid redirect URI: " + request.redirect_uri); } validatedRequest.RedirectUri = validUri; Tracing.InformationFormat("Redirect URI: {0} ({1})", validatedRequest.RedirectUri.Uri, validatedRequest.RedirectUri.Description); } else { var message = "Invalid redirect URI: " + request.redirect_uri; Tracing.Error(message); throw new AuthorizeRequestResourceOwnerException("Invalid redirect URI: " + request.redirect_uri); } // check state if (!string.IsNullOrWhiteSpace(request.state)) { validatedRequest.State = request.state; Tracing.Information("State: " + validatedRequest.State); } else { Tracing.Information("No state supplied."); } // validate response type if (String.IsNullOrWhiteSpace(request.response_type)) { throw new AuthorizeRequestClientException( "response_type is null or empty", new Uri(validatedRequest.RedirectUri.Uri), OAuthConstants.Errors.InvalidRequest, string.Empty, validatedRequest.State); } // check response type (only code and token are supported) if (!request.response_type.Equals(OAuthConstants.ResponseTypes.Token, StringComparison.Ordinal) && !request.response_type.Equals(OAuthConstants.ResponseTypes.Code, StringComparison.Ordinal)) { throw new AuthorizeRequestClientException( "response_type is not token or code: " + request.response_type, new Uri(validatedRequest.RedirectUri.Uri), OAuthConstants.Errors.UnsupportedResponseType, string.Empty, validatedRequest.State); } validatedRequest.ResponseType = request.response_type; Tracing.Information("Response type: " + validatedRequest.ResponseType); if (request.response_type == OAuthConstants.ResponseTypes.Code) { ValidateCodeResponseType(validatedRequest, request); } else if (request.response_type == OAuthConstants.ResponseTypes.Token) { ValidateTokenResponseType(validatedRequest, request); } else { throw new AuthorizeRequestClientException( "Invalid response_type: " + request.response_type, new Uri(validatedRequest.RedirectUri.Uri), OAuthConstants.Errors.UnsupportedResponseType, request.response_type, validatedRequest.State); } ValidateScopes(request, validatedRequest); // TODO: fix based upon past "remember me" settings validatedRequest.ShowConsent = client.RequireConsent || application.RequireConsent; Tracing.Information("Authorize request validation successful."); return(validatedRequest); }
public ValidatedRequest Validate(TokenRequest request, ClaimsPrincipal clientPrincipal) { var validatedRequest = new ValidatedRequest(); // validate request model binding if (request == null) { throw new TokenRequestValidationException( "Invalid request parameters.", OAuth2Constants.Errors.InvalidRequest); } // grant type is required if (string.IsNullOrWhiteSpace(request.Grant_Type)) { throw new TokenRequestValidationException( "Missing grant_type", OAuth2Constants.Errors.UnsupportedGrantType); } // check supported grant types if (request.Grant_Type == OAuth2Constants.GrantTypes.AuthorizationCode || request.Grant_Type == OAuth2Constants.GrantTypes.RefreshToken) { validatedRequest.GrantType = request.Grant_Type; Tracing.Information("Grant type: " + validatedRequest.GrantType); } else { throw new TokenRequestValidationException( "Invalid grant_type: " + request.Grant_Type, OAuth2Constants.Errors.UnsupportedGrantType); } // validate client credentials var client = ValidateClient(clientPrincipal); if (client == null) { throw new TokenRequestValidationException( "Invalid client: " + clientPrincipal.Identity.Name, OAuth2Constants.Errors.InvalidClient); } validatedRequest.Client = client; Tracing.InformationFormat("Client: {0} ({1})", validatedRequest.Client.Name, validatedRequest.Client.ClientId); switch (request.Grant_Type) { case OAuth2Constants.GrantTypes.AuthorizationCode: ValidateCodeGrant(validatedRequest, request); break; case OAuth2Constants.GrantTypes.RefreshToken: ValidateRefreshTokenGrant(validatedRequest, request); break; default: throw new TokenRequestValidationException( "Invalid grant_type: " + request.Grant_Type, OAuth2Constants.Errors.UnsupportedGrantType); } Tracing.Information("Token request validation successful."); return(validatedRequest); }
public ValidatedRequest Validate(Application application, TokenRequest request, ClaimsPrincipal clientPrincipal) { var validatedRequest = new ValidatedRequest(); // validate request model binding if (request == null) { throw new TokenRequestValidationException( "Invalid request parameters.", OAuthConstants.Errors.InvalidRequest); } validatedRequest.Application = application; Tracing.InformationFormat("OAuth2 application: {0} ({1})", validatedRequest.Application.Name, validatedRequest.Application.Namespace); // grant type is required if (string.IsNullOrWhiteSpace(request.Grant_Type)) { throw new TokenRequestValidationException( "Missing grant_type", OAuthConstants.Errors.UnsupportedGrantType); } // check supported grant types if (request.Grant_Type == OAuthConstants.GrantTypes.AuthorizationCode || request.Grant_Type == OAuthConstants.GrantTypes.ClientCredentials || request.Grant_Type == OAuthConstants.GrantTypes.RefreshToken || request.Grant_Type == OAuthConstants.GrantTypes.Password) { validatedRequest.GrantType = request.Grant_Type; Tracing.Information("Grant type: " + validatedRequest.GrantType); } else if (!string.IsNullOrWhiteSpace(request.Assertion)) { validatedRequest.GrantType = OAuthConstants.GrantTypes.Assertion; validatedRequest.AssertionType = request.Grant_Type; validatedRequest.Assertion = request.Assertion; Tracing.Information("Grant type: " + validatedRequest.GrantType); } else { throw new TokenRequestValidationException( "Invalid grant_type: " + request.Grant_Type, OAuthConstants.Errors.UnsupportedGrantType); } // validate client credentials var client = ValidateClient(clientPrincipal, validatedRequest.Application); if (client == null || client.Enabled == false) { throw new TokenRequestValidationException( "Invalid client or not enabled: " + ClaimsPrincipal.Current.Identity.Name, OAuthConstants.Errors.InvalidClient); } validatedRequest.Client = client; Tracing.InformationFormat("Client: {0} ({1})", validatedRequest.Client.Name, validatedRequest.Client.ClientId); switch (validatedRequest.GrantType) { case OAuthConstants.GrantTypes.AuthorizationCode: ValidateCodeGrant(validatedRequest, request); break; case OAuthConstants.GrantTypes.Password: ValidatePasswordGrant(validatedRequest, request); break; case OAuthConstants.GrantTypes.RefreshToken: ValidateRefreshTokenGrant(validatedRequest, request); break; case OAuthConstants.GrantTypes.ClientCredentials: ValidateClientCredentialsGrant(validatedRequest, request); break; case OAuthConstants.GrantTypes.Assertion: ValidateAssertionGrant(validatedRequest, request); break; default: throw new TokenRequestValidationException( "Invalid grant_type: " + request.Grant_Type, OAuthConstants.Errors.UnsupportedGrantType); } Tracing.Information("Token request validation successful."); return(validatedRequest); }
public ValidatedRequest Validate(AuthorizeRequest request) { var validatedRequest = new ValidatedRequest(); // validate request model binding if (request == null) { throw new AuthorizeRequestResourceOwnerException("Invalid request parameters."); } // make sure redirect uri is present if (string.IsNullOrWhiteSpace(request.redirect_uri)) { throw new AuthorizeRequestResourceOwnerException("Missing redirect URI"); } // validate client if (string.IsNullOrWhiteSpace(request.client_id)) { throw new AuthorizeRequestResourceOwnerException("Missing client identifier"); } var client = Clients.Get(request.client_id); if (client == null) { throw new AuthorizeRequestResourceOwnerException("Invalid client: " + request.client_id); } validatedRequest.Client = client; Tracing.InformationFormat("Client: {0} ({1})", validatedRequest.Client.Name, validatedRequest.Client.ClientId); // make sure redirect_uri is a valid uri, and in case of http is over ssl Uri redirectUri; if (Uri.TryCreate(request.redirect_uri, UriKind.Absolute, out redirectUri)) { if (redirectUri.Scheme == Uri.UriSchemeHttp) { throw new AuthorizeRequestClientException( "Redirect URI not over SSL : " + request.redirect_uri, new Uri(request.redirect_uri), OAuth2Constants.Errors.InvalidRequest, string.Empty, validatedRequest.State); } // make sure redirect uri is registered with client if (!validatedRequest.Client.RedirectUris.Contains(request.redirect_uri)) { throw new AuthorizeRequestResourceOwnerException("Invalid redirect URI: " + request.redirect_uri); } validatedRequest.RedirectUri = request.redirect_uri; Tracing.InformationFormat("Redirect URI: {0}", validatedRequest.RedirectUri); } else { throw new AuthorizeRequestResourceOwnerException("Invalid redirect URI: " + request.redirect_uri); } // check state if (!string.IsNullOrWhiteSpace(request.state)) { validatedRequest.State = request.state; Tracing.Information("State: " + validatedRequest.State); } else { Tracing.Information("No state supplied."); } // validate response type if (string.IsNullOrWhiteSpace(request.response_type)) { throw new AuthorizeRequestClientException( "response_type is null or empty", new Uri(validatedRequest.RedirectUri), OAuth2Constants.Errors.InvalidRequest, string.Empty, validatedRequest.State); } // check response type (only code and token are supported) if (!request.response_type.Equals(OAuth2Constants.ResponseTypes.Token, StringComparison.Ordinal) && !request.response_type.Equals(OAuth2Constants.ResponseTypes.Code, StringComparison.Ordinal)) { throw new AuthorizeRequestClientException( "response_type is not token or code: " + request.response_type, new Uri(validatedRequest.RedirectUri), OAuth2Constants.Errors.UnsupportedResponseType, string.Empty, validatedRequest.State); } validatedRequest.ResponseType = request.response_type; Tracing.Information("Response type: " + validatedRequest.ResponseType); // scope is required if (string.IsNullOrWhiteSpace(request.scope)) { throw new AuthorizeRequestClientException( "Missing scope", new Uri(validatedRequest.RedirectUri), OAuth2Constants.Errors.InvalidScope, validatedRequest.ResponseType, validatedRequest.State); } // validate scopes if (!request.scope.StartsWith("openid")) { throw new AuthorizeRequestClientException( "Invalid scope: " + request.scope, new Uri(validatedRequest.RedirectUri), OAuth2Constants.Errors.InvalidScope, validatedRequest.ResponseType, validatedRequest.State); } validatedRequest.Scopes = request.scope; if (request.response_type == OAuth2Constants.ResponseTypes.Code) { ValidateCodeResponseType(validatedRequest, request); } else if (request.response_type == OAuth2Constants.ResponseTypes.Token) { ValidateTokenResponseType(validatedRequest, request); } else { throw new AuthorizeRequestClientException( "Invalid response_type: " + request.response_type, new Uri(validatedRequest.RedirectUri), OAuth2Constants.Errors.UnsupportedResponseType, request.response_type, validatedRequest.State); } return(validatedRequest); }