/// <summary>
/// Validates that the requested scopes is contained in the store, and the client is allowed to request it.
/// </summary>
/// <param name="client"></param>
/// <param name="resourcesFromStore"></param>
/// <param name="requestedScope"></param>
/// <param name="result"></param>
/// <returns></returns>
protected override async Task ValidateScopeAsync(Client client, Resources resourcesFromStore,
ParsedScopeValue requestedScope, ResourceValidationResult result)
{
var parameters = await _scopedHttpContextRequestForm.GetFormCollectionAsync();
var grantType = parameters.Get(OidcConstants.TokenRequest.GrantType);
if (grantType == null)
{
// check if this is deviceauthorizaiton.
if (_httpContextAccessor.HttpContext.Request.Path.ToString().Contains("deviceauthorization"))
{
grantType = Constants.GrantType.DeviceAuthorization;
}
}
switch (grantType)
{
case Constants.GrantType.DeviceCode:
case Constants.GrantType.DeviceAuthorization:
case Constants.GrantType.TokenExchangeMutate:
case Constants.GrantType.TokenExchange:
case Constants.GrantType.ArbitraryToken:
case Constants.GrantType.ArbitraryIdentity:
if (requestedScope.ParsedName == IdentityServerConstants.StandardScopes.OfflineAccess)
{
if (await IsClientAllowedOfflineAccessAsync(client))
{
result.Resources.OfflineAccess = true;
result.ParsedScopes.Add(new ParsedScopeValue(IdentityServerConstants.StandardScopes.OfflineAccess));
}
else
{
result.InvalidScopes.Add(IdentityServerConstants.StandardScopes.OfflineAccess);
}
}
else
{
result.ParsedScopes.Add(requestedScope);
}
break;
default:
await base.ValidateScopeAsync(client, resourcesFromStore, requestedScope, result);
break;
}
}
/// <summary>
/// Validates that the requested scopes is contained in the store, and the client is allowed to request it.
/// </summary>
/// <param name="client"></param>
/// <param name="resourcesFromStore"></param>
/// <param name="requestedScope"></param>
/// <param name="result"></param>
/// <returns></returns>
protected virtual async Task ValidateScopeAsync(
Client client,
Resources resourcesFromStore,
ParsedScopeValue requestedScope,
ResourceValidationResult result)
{
if (requestedScope.Name == IdentityServerConstants.StandardScopes.OfflineAccess)
{
if (await IsClientAllowedOfflineAccessAsync(client))
{
result.Resources.OfflineAccess = true;
result.ParsedScopes.Add(new ParsedScopeValue(IdentityServerConstants.StandardScopes.OfflineAccess));
}
else
{
result.InvalidScopes.Add(IdentityServerConstants.StandardScopes.OfflineAccess);
}
}
else
{
var identity = resourcesFromStore.FindIdentityResourcesByScope(requestedScope.Name);
if (identity != null)
{
if (await IsClientAllowedIdentityResourceAsync(client, identity))
{
result.ParsedScopes.Add(requestedScope);
result.Resources.IdentityResources.Add(identity);
}
else
{
result.InvalidScopes.Add(requestedScope.Value);
}
}
else
{
var apiScope = resourcesFromStore.FindApiScope(requestedScope.Name);
if (apiScope != null)
{
if (await IsClientAllowedApiScopeAsync(client, apiScope))
{
result.ParsedScopes.Add(requestedScope);
result.Resources.ApiScopes.Add(apiScope);
var apis = resourcesFromStore.FindApiResourcesByScope(apiScope.Name);
foreach (var api in apis)
{
result.Resources.ApiResources.Add(api);
}
}
else
{
result.InvalidScopes.Add(requestedScope.Value);
}
}
else
{
_logger.LogError("Scope {scope} not found in store.", requestedScope.Name);
result.InvalidScopes.Add(requestedScope.Value);
}
}
}
}
