public async Task<InteractionResponse> ProcessInteractionAsync(ValidatedAuthorizeRequest request, ConsentResponse consent = null)
{
var result = await ProcessLoginAsync(request);
if (result.IsLogin || result.IsError)
{
return result;
}
return await ProcessConsentAsync(request, consent);
}
public ConsentResult(string requestId, ConsentResponse response)
{
_requestId = requestId;
_response = response;
}
async Task CreateConsentResponse(HttpContext ctx)
{
if (ConsentResponse != null)
{
var interaction = ctx.RequestServices.GetRequiredService<ConsentInteraction>();
await interaction.ProcessResponseAsync(ctx.Request.Query["id"].First(), ConsentResponse);
ConsentResponse = null;
}
}
public async Task ProcessConsentAsync_AllowConsentSelected_SavesConsent()
{
RequiresConsent(true);
var client = new Client { AllowRememberConsent = true };
var user = new ClaimsPrincipal();
var request = new ValidatedAuthorizeRequest()
{
ResponseMode = OidcConstants.ResponseModes.Fragment,
State = "12345",
RedirectUri = "https://client.com/callback",
ValidatedScopes = new ScopeValidator(new InMemoryScopeStore(GetScopes()), new FakeLoggerFactory()),
Client = client,
Subject = user
};
await request.ValidatedScopes.AreScopesValidAsync(new string[] { "read", "write" });
var consent = new ConsentResponse
{
RememberConsent = true,
ScopesConsented = new string[] { "read" }
};
var result = _subject.ProcessConsentAsync(request, consent).Result;
AssertUpdateConsentCalled(client, user, "read");
}
public async Task ProcessConsentAsync_PromptModeConsent_ConsentGranted_ScopesSelected_ReturnsConsentResult()
{
RequiresConsent(true);
var request = new ValidatedAuthorizeRequest()
{
ResponseMode = OidcConstants.ResponseModes.Fragment,
State = "12345",
RedirectUri = "https://client.com/callback",
ValidatedScopes = new ScopeValidator(new InMemoryScopeStore(GetScopes()), new FakeLoggerFactory()),
Client = new Client {
AllowRememberConsent = false
}
};
await request.ValidatedScopes.AreScopesValidAsync(new string[] { "read", "write" });
var consent = new ConsentResponse
{
RememberConsent = false,
ScopesConsented = new string[] { "read" }
};
var result = _subject.ProcessConsentAsync(request, consent).Result;
request.ValidatedScopes.GrantedScopes.Count.Should().Be(1);
"read".Should().Be(request.ValidatedScopes.GrantedScopes.First().Name);
request.WasConsentShown.Should().BeTrue();
result.IsConsent.Should().BeFalse();
AssertUpdateConsentNotCalled();
}
public void ProcessConsentAsync_NoPromptMode_ConsentServiceRequiresConsent_ConsentGrantedButMissingRequiredScopes_ReturnsErrorResult()
{
RequiresConsent(true);
var client = new Client {};
var scopeValidator = new ScopeValidator(new InMemoryScopeStore(GetScopes()), new FakeLoggerFactory());
var request = new ValidatedAuthorizeRequest()
{
ResponseMode = OidcConstants.ResponseModes.Fragment,
State = "12345",
RedirectUri = "https://client.com/callback",
RequestedScopes = new List<string> { "openid", "read" },
ValidatedScopes = scopeValidator,
Client = client
};
var valid = scopeValidator.AreScopesValidAsync(request.RequestedScopes).Result;
var consent = new ConsentResponse
{
RememberConsent = false,
ScopesConsented = new string[] { "read" }
};
var result = _subject.ProcessConsentAsync(request, consent).Result;
result.IsError.Should().BeTrue();
result.Error.ErrorType.Should().Be(ErrorTypes.Client);
result.Error.Error.Should().Be(OidcConstants.AuthorizeErrors.AccessDenied);
AssertErrorReturnsRequestValues(result.Error, request);
AssertUpdateConsentNotCalled();
}
public void ProcessConsentAsync_NoPromptMode_ConsentServiceRequiresConsent_ConsentNotGranted_ReturnsErrorResult()
{
RequiresConsent(true);
var request = new ValidatedAuthorizeRequest()
{
ResponseMode = OidcConstants.ResponseModes.Fragment,
State = "12345",
RedirectUri = "https://client.com/callback",
};
var consent = new ConsentResponse
{
RememberConsent = false,
ScopesConsented = new string[] {}
};
var result = _subject.ProcessConsentAsync(request, consent).Result;
request.WasConsentShown.Should().BeTrue();
result.IsError.Should().BeTrue();
result.Error.ErrorType.Should().Be(ErrorTypes.Client);
result.Error.Error.Should().Be(OidcConstants.AuthorizeErrors.AccessDenied);
AssertErrorReturnsRequestValues(result.Error, request);
AssertUpdateConsentNotCalled();
}
public Task<InteractionResponse> ProcessInteractionAsync(ValidatedAuthorizeRequest request, ConsentResponse consent = null)
{
return Task.FromResult(Response);
}
internal async Task<IEndpointResult> ProcessAuthorizeRequestAsync(NameValueCollection parameters, ClaimsPrincipal user, ConsentResponse consent)
{
if (user != null)
{
_logger.LogTrace("User in authorize request: name:{0}, sub:{1}", user.GetName(), user.GetSubjectId());
}
else
{
_logger.LogTrace("No user present in authorize request");
}
// validate request
var result = await _validator.ValidateAsync(parameters, user);
if (result.IsError)
{
return await ErrorPageAsync(
result.ErrorType,
result.Error,
result.ValidatedRequest);
}
var request = result.ValidatedRequest;
// determine user interaction
var interactionResult = await _interactionGenerator.ProcessInteractionAsync(request, consent);
if (interactionResult.IsError)
{
return await ErrorPageAsync(
interactionResult.Error.ErrorType,
interactionResult.Error.Error,
request);
}
if (interactionResult.IsLogin)
{
return await LoginPageAsync(request);
}
if (interactionResult.IsConsent)
{
return await ConsentPageAsync(request);
}
// issue response
return await SuccessfulAuthorizationAsync(request);
}
internal async Task<InteractionResponse> ProcessConsentAsync(ValidatedAuthorizeRequest request, ConsentResponse consent = null)
{
if (request == null) throw new ArgumentNullException("request");
if (request.PromptMode != null &&
request.PromptMode != OidcConstants.PromptModes.None &&
request.PromptMode != OidcConstants.PromptModes.Consent)
{
throw new ArgumentException("Invalid PromptMode");
}
var consentRequired = await _consent.RequiresConsentAsync(request.Client, request.Subject, request.RequestedScopes);
if (consentRequired && request.PromptMode == OidcConstants.PromptModes.None)
{
_logger.LogInformation("Prompt=none requested, but consent is required.");
return new InteractionResponse
{
Error = new AuthorizeError
{
ErrorType = ErrorTypes.Client,
Error = OidcConstants.AuthorizeErrors.ConsentRequired,
ResponseMode = request.ResponseMode,
ErrorUri = request.RedirectUri,
State = request.State
}
};
}
if (request.PromptMode == OidcConstants.PromptModes.Consent || consentRequired)
{
var response = new InteractionResponse();
// did user provide consent
if (consent == null)
{
// user was not yet shown conset screen
response.IsConsent = true;
}
else
{
request.WasConsentShown = true;
// user was shown consent -- did they say yes or no
if (consent.Granted == false)
{
// no need to show consent screen again
// build access denied error to return to client
response.Error = new AuthorizeError
{
ErrorType = ErrorTypes.Client,
Error = OidcConstants.AuthorizeErrors.AccessDenied,
ResponseMode = request.ResponseMode,
ErrorUri = request.RedirectUri,
State = request.State
};
}
else
{
// double check that required scopes are in the list of consented scopes
var valid = request.ValidatedScopes.ValidateRequiredScopes(consent.ScopesConsented);
if (valid == false)
{
response.Error = new AuthorizeError
{
ErrorType = ErrorTypes.Client,
Error = OidcConstants.AuthorizeErrors.AccessDenied,
ResponseMode = request.ResponseMode,
ErrorUri = request.RedirectUri,
State = request.State
};
}
else
{
// they said yes, set scopes they chose
request.ValidatedScopes.SetConsentedScopes(consent.ScopesConsented);
if (request.Client.AllowRememberConsent)
{
// remember consent
var scopes = Enumerable.Empty<string>();
if (consent.RememberConsent)
{
// remember what user actually selected
scopes = request.ValidatedScopes.GrantedScopes.Select(x => x.Name);
}
await _consent.UpdateConsentAsync(request.Client, request.Subject, scopes);
}
}
}
}
return response;
}
return new InteractionResponse();
}
