private static void ValidateScopes(AuthorizeRequest request, ValidatedRequest validatedRequest)
{
// validate scopes
if (string.IsNullOrEmpty(request.scope))
{
throw new AuthorizeRequestClientException(
"Missing scope.",
new Uri(validatedRequest.RedirectUri.Uri),
OAuthConstants.Errors.InvalidScope,
validatedRequest.ResponseType,
validatedRequest.State);
}
var requestedScopes = request.scope.Split(' ').ToList();
List <Scope> resultingScopes;
if (validatedRequest.Application.Scopes.TryValidateScopes(validatedRequest.Client.ClientId, requestedScopes, out resultingScopes))
{
validatedRequest.Scopes = resultingScopes;
Tracing.InformationFormat("Requested scopes: {0}", request.scope);
}
else
{
throw new AuthorizeRequestClientException(
"Invalid scope.",
new Uri(validatedRequest.RedirectUri.Uri),
OAuthConstants.Errors.InvalidScope,
validatedRequest.ResponseType,
validatedRequest.State);
}
}
// GET /{appName}/oauth/authorize
//
public ActionResult Index(string appName, AuthorizeRequest request)
{
Tracing.Start("OAuth2 Authorize Endoint");
// make sure application is registered
var application = _config.FindApplication(appName);
if (application == null)
{
Tracing.Error("Application not found: " + appName);
return HttpNotFound();
}
ValidatedRequest validatedRequest;
try
{
validatedRequest = new AuthorizeRequestValidator().Validate(application, request);
}
catch (AuthorizeRequestValidationException ex)
{
Tracing.Error("Aborting OAuth2 authorization request");
return this.AuthorizeValidationError(ex);
}
if (validatedRequest.ShowConsent)
{
// show consent screen
Tracing.Verbose("Showing consent screen");
return View("Consent", validatedRequest);
}
Tracing.Verbose("No consent configured for application/client");
return PerformGrant(validatedRequest);
}
private void ValidateCodeResponseType(ValidatedRequest validatedRequest, AuthorizeRequest request)
{
// make sure response type allowed for this client
if (validatedRequest.Client.Flow != OAuthFlow.Code)
{
throw new AuthorizeRequestClientException(
"response_type is not allowed: " + request.response_type,
new Uri(validatedRequest.RedirectUri.Uri),
OAuthConstants.Errors.UnsupportedResponseType,
request.response_type,
validatedRequest.State);
}
if (validatedRequest.Client.AllowRefreshToken && validatedRequest.Application.AllowRefreshToken)
{
Tracing.Information("The request allows arefresh token.");
validatedRequest.RequestingRefreshToken = true;
}
if (validatedRequest.Client.RequireConsent || validatedRequest.Application.RequireConsent)
{
Tracing.Information("Consent is required.");
validatedRequest.ShowConsent = true;
}
}
// GET /{appName}/oauth/authorize
//
public ActionResult Index(string appName, AuthorizeRequest request)
{
Tracing.Start("OAuth2 Authorize Endoint");
// make sure application is registered
var application = _config.FindApplication(appName);
if (application == null)
{
Tracing.Error("Application not found: " + appName);
return(HttpNotFound());
}
ValidatedRequest validatedRequest;
try
{
validatedRequest = new AuthorizeRequestValidator().Validate(application, request);
}
catch (AuthorizeRequestValidationException ex)
{
Tracing.Error("Aborting OAuth2 authorization request");
return(this.AuthorizeValidationError(ex));
}
if (validatedRequest.ShowConsent)
{
validatedRequest.RememberOptions = GetRememberOptions(application);
// todo: check first if a remembered consent decision exists
if (validatedRequest.ResponseType == OAuthConstants.ResponseTypes.Token)
{
var handle = _handleManager.Find(
ClaimsPrincipal.Current.GetSubject(),
validatedRequest.Client,
validatedRequest.Application,
validatedRequest.Scopes,
StoredGrantType.ConsentDecision);
if (handle != null)
{
Tracing.Verbose("Stored consent decision found.");
return(PerformGrant(validatedRequest));
}
}
// show consent screen
Tracing.Verbose("Showing consent screen");
return(View("Consent", validatedRequest));
}
Tracing.Verbose("No consent configured for application/client");
// workaround for bug #139
validatedRequest.RequestedRefreshTokenExpiration = DateTime.UtcNow.AddYears(50);
return(PerformGrant(validatedRequest));
}
// GET /{appName}/oauth/authorize
//
public ActionResult Index(string appName, AuthorizeRequest request)
{
Tracing.Start("OAuth2 Authorize Endoint");
// make sure application is registered
var application = _config.FindApplication(appName);
if (application == null)
{
Tracing.Error("Application not found: " + appName);
return HttpNotFound();
}
ValidatedRequest validatedRequest;
try
{
validatedRequest = new AuthorizeRequestValidator().Validate(application, request);
}
catch (AuthorizeRequestValidationException ex)
{
Tracing.Error("Aborting OAuth2 authorization request");
return this.AuthorizeValidationError(ex);
}
if (validatedRequest.ShowConsent)
{
validatedRequest.RememberOptions = GetRememberOptions(application);
// todo: check first if a remembered consent decision exists
if (validatedRequest.ResponseType == OAuthConstants.ResponseTypes.Token)
{
var handle = _handleManager.Find(
ClaimsPrincipal.Current.GetSubject(),
validatedRequest.Client,
validatedRequest.Application,
validatedRequest.Scopes,
StoredGrantType.ConsentDecision);
if (handle != null)
{
Tracing.Verbose("Stored consent decision found.");
return PerformGrant(validatedRequest);
}
}
// show consent screen
Tracing.Verbose("Showing consent screen");
return View("Consent", validatedRequest);
}
Tracing.Verbose("No consent configured for application/client");
// workaround for bug #139
validatedRequest.RequestedRefreshTokenExpiration = DateTime.UtcNow.AddYears(50);
return PerformGrant(validatedRequest);
}
private void ValidateTokenResponseType(ValidatedRequest validatedRequest, AuthorizeRequest request)
{
if (validatedRequest.Client.Flow != OAuthFlow.Implicit)
{
throw new AuthorizeRequestClientException(
"response_type is not allowed: " + request.response_type,
new Uri(validatedRequest.RedirectUri.Uri),
OAuthConstants.Errors.UnsupportedResponseType,
request.response_type,
validatedRequest.State);
}
}
public ActionResult HandleConsentResponse(string appName, string button, string[] scopes, AuthorizeRequest request, int? rememberDuration = null)
{
Tracing.Start("OAuth2 Authorize Endoint - Consent response");
// make sure application is registered
var application = _config.FindApplication(appName);
if (application == null)
{
Tracing.Error("Application not found: " + appName);
return HttpNotFound();
}
if (button == "no")
{
Tracing.Information("User denies access token request.");
return new ClientErrorResult(new Uri(request.redirect_uri), OAuthConstants.Errors.AccessDenied, request.response_type, request.state);
}
if (button == "yes")
{
Tracing.Information("User allows access token request.");
ValidatedRequest validatedRequest;
try
{
validatedRequest = new AuthorizeRequestValidator().Validate(application, request);
}
catch (AuthorizeRequestValidationException ex)
{
Tracing.Error("Aborting OAuth2 authorization request");
return this.AuthorizeValidationError(ex);
}
if (scopes == null || scopes.Length == 0)
{
ModelState.AddModelError("", "Please choose at least one permission.");
return View("Consent", validatedRequest);
}
// todo: parse scopes form post and substitue scopes
validatedRequest.Scopes.RemoveAll(x => !scopes.Contains(x.Name));
var grantResult = PerformGrant(validatedRequest);
if (grantResult != null) return grantResult;
}
return new ClientErrorResult(
new Uri(request.redirect_uri),
OAuthConstants.Errors.InvalidRequest,
request.response_type,
request.state);
}
public void ValidRequestMultipleScope()
{
var validator = new AuthorizeRequestValidator(_clientManager);
var app = _testConfig.FindApplication("test");
var request = new AuthorizeRequest
{
client_id = "codeclient",
response_type = "code",
scope = "read search",
redirect_uri = "https://prod.local"
};
var result = validator.Validate(app, request);
}
public void ValidRequestMultipleScope()
{
var validator = new AuthorizeRequestValidator();
var app = _testConfig.FindApplication("test");
var request = new AuthorizeRequest
{
client_id = "implicitclient",
response_type = "token",
scope = "read browse",
redirect_uri = "https://test2.local"
};
var result = validator.Validate(app, request);
}
public void DisabledClient()
{
var validator = new AuthorizeRequestValidator();
var app = _testConfig.FindApplication("test");
var request = new AuthorizeRequest
{
client_id = "disabledclient",
response_type = "code",
scope = "read",
redirect_uri = "https://prod.local"
};
try
{
var result = validator.Validate(app, request);
}
catch (AuthorizeRequestResourceOwnerException ex)
{
return;
}
Assert.Fail("No exception thrown.");
}
public void MissingRedirectUri()
{
var validator = new AuthorizeRequestValidator();
var app = _testConfig.FindApplication("test");
var request = new AuthorizeRequest
{
client_id = "codeclient",
response_type = "code",
scope = "read"
};
try
{
var result = validator.Validate(app, request);
}
catch (AuthorizeRequestResourceOwnerException ex)
{
// todo: check error code
return;
}
Assert.Fail("No exception thrown.");
}
public void UnauthorizedResponseType()
{
var validator = new AuthorizeRequestValidator();
var app = _testConfig.FindApplication("test");
var request = new AuthorizeRequest
{
client_id = "implicitclient",
response_type = "code",
scope = "read",
redirect_uri = "https://test2.local"
};
try
{
var result = validator.Validate(app, request);
}
catch (AuthorizeRequestClientException ex)
{
Assert.IsTrue(ex.Error == OAuthConstants.Errors.UnsupportedResponseType);
return;
}
Assert.Fail("No exception thrown.");
}
public void UnauthorizedRedirectUri()
{
var validator = new AuthorizeRequestValidator();
var app = _testConfig.FindApplication("test");
var request = new AuthorizeRequest
{
client_id = "implicitclient",
response_type = "token",
scope = "read",
redirect_uri = "https://unauthorized.com"
};
try
{
var result = validator.Validate(app, request);
}
catch (AuthorizeRequestResourceOwnerException ex)
{
// todo: check error code
return;
}
Assert.Fail("No exception thrown.");
}
private void ValidateTokenResponseType(ValidatedRequest validatedRequest, AuthorizeRequest request)
{
if (validatedRequest.Client.Flow != OAuthFlow.Implicit)
{
throw new AuthorizeRequestClientException(
"response_type is not allowed: " + request.response_type,
new Uri(validatedRequest.RedirectUri.Uri),
OAuthConstants.Errors.UnsupportedResponseType,
request.response_type,
validatedRequest.State);
}
}
public ActionResult HandleConsentResponse(string appName, string button, string[] scopes, AuthorizeRequest request, int? rememberDuration = null)
{
Tracing.Start("OAuth2 Authorize Endoint - Consent response");
// make sure application is registered
var application = _config.FindApplication(appName);
if (application == null)
{
Tracing.Error("Application not found: " + appName);
return HttpNotFound();
}
if (button == "no")
{
Tracing.Information("User denies access token request.");
return new ClientErrorResult(new Uri(request.redirect_uri), OAuthConstants.Errors.AccessDenied, request.response_type, request.state);
}
if (button == "yes")
{
Tracing.Information("User allows access token request.");
ValidatedRequest validatedRequest;
try
{
validatedRequest = new AuthorizeRequestValidator().Validate(application, request);
}
catch (AuthorizeRequestValidationException ex)
{
Tracing.Error("Aborting OAuth2 authorization request");
return this.AuthorizeValidationError(ex);
}
if (scopes == null || scopes.Length == 0)
{
ModelState.AddModelError("", "Please choose at least one permission.");
return View("Consent", validatedRequest);
}
// parse scopes form post and substitue scopes
validatedRequest.Scopes.RemoveAll(x => !scopes.Contains(x.Name));
// store consent decision if
// checkbox was checked
// and storage is allowed
// and flow == implicit
if (validatedRequest.Application.AllowRememberConsentDecision &&
validatedRequest.ResponseType == OAuthConstants.ResponseTypes.Token &&
rememberDuration == -1)
{
var handle = StoredGrant.CreateConsentDecision(
ClaimsPrincipal.Current.GetSubject(),
validatedRequest.Client,
validatedRequest.Application,
validatedRequest.Scopes);
_handleManager.Add(handle);
Tracing.Information("Consent decision stored.");
}
// parse refresh token lifetime if
// code flow is used
// and refresh tokens are allowed
if (validatedRequest.RequestingRefreshToken &&
rememberDuration != null &&
validatedRequest.Client.Flow == OAuthFlow.Code)
{
if (rememberDuration == -1)
{
validatedRequest.RequestedRefreshTokenExpiration = DateTime.UtcNow.AddYears(50);
}
else
{
validatedRequest.RequestedRefreshTokenExpiration = DateTime.UtcNow.AddHours(rememberDuration.Value);
}
Tracing.Information("Selected refresh token lifetime in hours: " + rememberDuration);
}
var grantResult = PerformGrant(validatedRequest);
if (grantResult != null) return grantResult;
}
return new ClientErrorResult(
new Uri(request.redirect_uri),
OAuthConstants.Errors.InvalidRequest,
request.response_type,
request.state);
}
public void UnauthorizedResponseType()
{
var validator = new AuthorizeRequestValidator(_clientManager);
var app = _testConfig.FindApplication("test");
var request = new AuthorizeRequest
{
client_id = "codeclient",
response_type = "token",
scope = "read",
redirect_uri = "https://prod.local"
};
try
{
var result = validator.Validate(app, request);
}
catch (AuthorizeRequestClientException ex)
{
Assert.AreEqual(OAuthConstants.Errors.UnsupportedResponseType, ex.Error);
return;
}
Assert.Fail("No exception thrown.");
}
public void UnauthorizedScopeMultiple()
{
var validator = new AuthorizeRequestValidator();
var app = _testConfig.FindApplication("test");
var request = new AuthorizeRequest
{
client_id = "implicitclient",
response_type = "token",
scope = "read write",
redirect_uri = "https://test2.local"
};
try
{
var result = validator.Validate(app, request);
}
catch (AuthorizeRequestClientException ex)
{
Assert.AreEqual(OAuthConstants.Errors.InvalidScope, ex.Error);
return;
}
Assert.Fail("No exception thrown.");
}
private static void ValidateScopes(AuthorizeRequest request, ValidatedRequest validatedRequest)
{
// validate scopes
if (string.IsNullOrEmpty(request.scope))
{
throw new AuthorizeRequestClientException(
"Missing scope.",
new Uri(validatedRequest.RedirectUri.Uri),
OAuthConstants.Errors.InvalidScope,
validatedRequest.ResponseType,
validatedRequest.State);
}
var requestedScopes = request.scope.Split(' ').ToList();
List<Scope> resultingScopes;
if (validatedRequest.Application.Scopes.TryValidateScopes(validatedRequest.Client.ClientId, requestedScopes, out resultingScopes))
{
validatedRequest.Scopes = resultingScopes;
Tracing.InformationFormat("Requested scopes: {0}", request.scope);
}
else
{
throw new AuthorizeRequestClientException(
"Invalid scope.",
new Uri(validatedRequest.RedirectUri.Uri),
OAuthConstants.Errors.InvalidScope,
validatedRequest.ResponseType,
validatedRequest.State);
}
}
private void ValidateCodeResponseType(ValidatedRequest validatedRequest, AuthorizeRequest request)
{
// make sure response type allowed for this client
if (validatedRequest.Client.Flow != OAuthFlow.Code)
{
throw new AuthorizeRequestClientException(
"response_type is not allowed: " + request.response_type,
new Uri(validatedRequest.RedirectUri.Uri),
OAuthConstants.Errors.UnsupportedResponseType,
request.response_type,
validatedRequest.State);
}
if (validatedRequest.Client.AllowRefreshToken && validatedRequest.Application.AllowRefreshToken)
{
Tracing.Information("The request allows arefresh token.");
validatedRequest.RequestingRefreshToken = true;
}
if (validatedRequest.Client.RequireConsent || validatedRequest.Application.RequireConsent)
{
Tracing.Information("Consent is required.");
validatedRequest.ShowConsent = true;
}
}
public ValidatedRequest Validate(Application application, AuthorizeRequest request)
{
// If the request fails due to a missing, invalid, or mismatching
// redirection URI, or if the client identifier is missing or invalid,
// the authorization server SHOULD inform the resource owner of the
// error and MUST NOT automatically redirect the user-agent to the
// invalid redirection URI.
var validatedRequest = new ValidatedRequest();
// validate request model binding
if (request == null)
{
throw new AuthorizeRequestResourceOwnerException("Invalid request parameters.");
}
validatedRequest.Application = application;
Tracing.InformationFormat("OAuth2 application: {0} ({1})",
validatedRequest.Application.Name,
validatedRequest.Application.Namespace);
validatedRequest.ShowRememberConsent = application.AllowRememberConsentDecision;
// make sure redirect uri is present
if (string.IsNullOrWhiteSpace(request.redirect_uri))
{
throw new AuthorizeRequestResourceOwnerException("Missing redirect URI");
}
// validate client
if (string.IsNullOrWhiteSpace(request.client_id))
{
throw new AuthorizeRequestResourceOwnerException("Missing client identifier");
}
var client = _clientManager.Get(request.client_id);
if (client == null)
{
throw new AuthorizeRequestResourceOwnerException("Invalid client: " + request.client_id);
}
validatedRequest.Client = client;
Tracing.InformationFormat("Client: {0} ({1})",
validatedRequest.Client.Name,
validatedRequest.Client.ClientId);
// make sure redirect_uri is a valid uri, and in case of http is over ssl
Uri redirectUri;
if (Uri.TryCreate(request.redirect_uri, UriKind.Absolute, out redirectUri))
{
if (redirectUri.Scheme == Uri.UriSchemeHttp)
{
throw new AuthorizeRequestClientException(
"Redirect URI not over SSL : " + request.redirect_uri,
new Uri(request.redirect_uri),
OAuthConstants.Errors.InvalidRequest,
string.Empty,
validatedRequest.State);
}
// make sure redirect uri is registered with client
var validUri = validatedRequest.Client.RedirectUris.Get(request.redirect_uri);
if (validUri == null)
{
throw new AuthorizeRequestResourceOwnerException("Invalid redirect URI: " + request.redirect_uri);
}
validatedRequest.RedirectUri = validUri;
Tracing.InformationFormat("Redirect URI: {0} ({1})",
validatedRequest.RedirectUri.Uri,
validatedRequest.RedirectUri.Description);
}
else
{
var message = "Invalid redirect URI: " + request.redirect_uri;
Tracing.Error(message);
throw new AuthorizeRequestResourceOwnerException("Invalid redirect URI: " + request.redirect_uri);
}
// check state
if (!string.IsNullOrWhiteSpace(request.state))
{
validatedRequest.State = request.state;
Tracing.Information("State: " + validatedRequest.State);
}
else
{
Tracing.Information("No state supplied.");
}
// validate response type
if (String.IsNullOrWhiteSpace(request.response_type))
{
throw new AuthorizeRequestClientException(
"response_type is null or empty",
new Uri(validatedRequest.RedirectUri.Uri),
OAuthConstants.Errors.InvalidRequest,
string.Empty,
validatedRequest.State);
}
// check response type (only code and token are supported)
if (!request.response_type.Equals(OAuthConstants.ResponseTypes.Token, StringComparison.Ordinal) &&
!request.response_type.Equals(OAuthConstants.ResponseTypes.Code, StringComparison.Ordinal))
{
throw new AuthorizeRequestClientException(
"response_type is not token or code: " + request.response_type,
new Uri(validatedRequest.RedirectUri.Uri),
OAuthConstants.Errors.UnsupportedResponseType,
string.Empty,
validatedRequest.State);
}
validatedRequest.ResponseType = request.response_type;
Tracing.Information("Response type: " + validatedRequest.ResponseType);
if (request.response_type == OAuthConstants.ResponseTypes.Code)
{
ValidateCodeResponseType(validatedRequest, request);
}
else if (request.response_type == OAuthConstants.ResponseTypes.Token)
{
ValidateTokenResponseType(validatedRequest, request);
}
else
{
throw new AuthorizeRequestClientException(
"Invalid response_type: " + request.response_type,
new Uri(validatedRequest.RedirectUri.Uri),
OAuthConstants.Errors.UnsupportedResponseType,
request.response_type,
validatedRequest.State);
}
ValidateScopes(request, validatedRequest);
// TODO: fix based upon past "remember me" settings
validatedRequest.ShowConsent = client.RequireConsent || application.RequireConsent;
Tracing.Information("Authorize request validation successful.");
return validatedRequest;
}
public ActionResult HandleConsentResponse(string appName, string button, string[] scopes, AuthorizeRequest request, int?rememberDuration = null)
{
Tracing.Start("OAuth2 Authorize Endoint - Consent response");
// make sure application is registered
var application = _config.FindApplication(appName);
if (application == null)
{
Tracing.Error("Application not found: " + appName);
return(HttpNotFound());
}
if (button == "no")
{
Tracing.Information("User denies access token request.");
return(new ClientErrorResult(new Uri(request.redirect_uri), OAuthConstants.Errors.AccessDenied, request.response_type, request.state));
}
if (button == "yes")
{
Tracing.Information("User allows access token request.");
ValidatedRequest validatedRequest;
try
{
validatedRequest = new AuthorizeRequestValidator().Validate(application, request);
}
catch (AuthorizeRequestValidationException ex)
{
Tracing.Error("Aborting OAuth2 authorization request");
return(this.AuthorizeValidationError(ex));
}
if (scopes == null || scopes.Length == 0)
{
ModelState.AddModelError("", "Please choose at least one permission.");
return(View("Consent", validatedRequest));
}
// parse scopes form post and substitue scopes
validatedRequest.Scopes.RemoveAll(x => !scopes.Contains(x.Name));
// store consent decision if
// checkbox was checked
// and storage is allowed
// and flow == implicit
if (validatedRequest.Application.AllowRememberConsentDecision &&
validatedRequest.ResponseType == OAuthConstants.ResponseTypes.Token &&
rememberDuration == -1)
{
var handle = StoredGrant.CreateConsentDecision(
ClaimsPrincipal.Current.GetSubject(),
validatedRequest.Client,
validatedRequest.Application,
validatedRequest.Scopes);
_handleManager.Add(handle);
Tracing.Information("Consent decision stored.");
}
// parse refresh token lifetime if
// code flow is used
// and refresh tokens are allowed
if (validatedRequest.RequestingRefreshToken &&
rememberDuration != null &&
validatedRequest.Client.Flow == OAuthFlow.Code)
{
if (rememberDuration == -1)
{
validatedRequest.RequestedRefreshTokenExpiration = DateTime.UtcNow.AddYears(50);
}
else
{
validatedRequest.RequestedRefreshTokenExpiration = DateTime.UtcNow.AddHours(rememberDuration.Value);
}
Tracing.Information("Selected refresh token lifetime in hours: " + rememberDuration);
}
var grantResult = PerformGrant(validatedRequest);
if (grantResult != null)
{
return(grantResult);
}
}
return(new ClientErrorResult(
new Uri(request.redirect_uri),
OAuthConstants.Errors.InvalidRequest,
request.response_type,
request.state));
}
public ValidatedRequest Validate(Application application, AuthorizeRequest request)
{
// If the request fails due to a missing, invalid, or mismatching
// redirection URI, or if the client identifier is missing or invalid,
// the authorization server SHOULD inform the resource owner of the
// error and MUST NOT automatically redirect the user-agent to the
// invalid redirection URI.
var validatedRequest = new ValidatedRequest();
// validate request model binding
if (request == null)
{
throw new AuthorizeRequestResourceOwnerException("Invalid request parameters.");
}
validatedRequest.Application = application;
Tracing.InformationFormat("OAuth2 application: {0} ({1})",
validatedRequest.Application.Name,
validatedRequest.Application.Namespace);
validatedRequest.ShowRememberConsent = application.AllowRememberConsentDecision;
// make sure redirect uri is present
if (string.IsNullOrWhiteSpace(request.redirect_uri))
{
throw new AuthorizeRequestResourceOwnerException("Missing redirect URI");
}
// validate client
if (string.IsNullOrWhiteSpace(request.client_id))
{
throw new AuthorizeRequestResourceOwnerException("Missing client identifier");
}
var client = validatedRequest.Application.Clients.Get(request.client_id);
if (client == null || client.Enabled == false)
{
throw new AuthorizeRequestResourceOwnerException("Invalid client or not enabled: " + request.client_id);
}
validatedRequest.Client = client;
Tracing.InformationFormat("Client: {0} ({1})",
validatedRequest.Client.Name,
validatedRequest.Client.ClientId);
// make sure redirect_uri is a valid uri, and in case of http is over ssl
Uri redirectUri;
if (Uri.TryCreate(request.redirect_uri, UriKind.Absolute, out redirectUri))
{
if (redirectUri.Scheme == Uri.UriSchemeHttp)
{
throw new AuthorizeRequestResourceOwnerException("Redirect URI not over SSL : " + request.redirect_uri);
}
// make sure redirect uri is registered with client
var validUri = validatedRequest.Client.RedirectUris.Get(request.redirect_uri);
if (validUri == null)
{
throw new AuthorizeRequestResourceOwnerException("Invalid redirect URI: " + request.redirect_uri);
}
validatedRequest.RedirectUri = validUri;
Tracing.InformationFormat("Redirect URI: {0} ({1})",
validatedRequest.RedirectUri.Uri,
validatedRequest.RedirectUri.Description);
}
else
{
var message = "Invalid redirect URI: " + request.redirect_uri;
Tracing.Error(message);
throw new AuthorizeRequestResourceOwnerException("Invalid redirect URI: " + request.redirect_uri);
}
// check state
if (!string.IsNullOrWhiteSpace(request.state))
{
validatedRequest.State = request.state;
Tracing.Information("State: " + validatedRequest.State);
}
else
{
Tracing.Information("No state supplied.");
}
// validate response type
if (String.IsNullOrWhiteSpace(request.response_type))
{
throw new AuthorizeRequestClientException(
"response_type is null or empty",
new Uri(validatedRequest.RedirectUri.Uri),
OAuthConstants.Errors.InvalidRequest,
string.Empty,
validatedRequest.State);
}
// check response type (only code and token are supported)
if (!request.response_type.Equals(OAuthConstants.ResponseTypes.Token, StringComparison.Ordinal) &&
!request.response_type.Equals(OAuthConstants.ResponseTypes.Code, StringComparison.Ordinal))
{
throw new AuthorizeRequestClientException(
"response_type is not token or code: " + request.response_type,
new Uri(validatedRequest.RedirectUri.Uri),
OAuthConstants.Errors.UnsupportedResponseType,
string.Empty,
validatedRequest.State);
}
validatedRequest.ResponseType = request.response_type;
Tracing.Information("Response type: " + validatedRequest.ResponseType);
if (request.response_type == OAuthConstants.ResponseTypes.Code)
{
ValidateCodeResponseType(validatedRequest, request);
}
else if (request.response_type == OAuthConstants.ResponseTypes.Token)
{
ValidateTokenResponseType(validatedRequest, request);
}
else
{
throw new AuthorizeRequestClientException(
"Invalid response_type: " + request.response_type,
new Uri(validatedRequest.RedirectUri.Uri),
OAuthConstants.Errors.UnsupportedResponseType,
request.response_type,
validatedRequest.State);
}
ValidateScopes(request, validatedRequest);
// TODO: fix based upon past "remember me" settings
validatedRequest.ShowConsent = client.RequireConsent || application.RequireConsent;
Tracing.Information("Authorize request validation successful.");
return(validatedRequest);
}
public void MalformedRedirectUri1()
{
var validator = new AuthorizeRequestValidator(_clientManager);
var app = _testConfig.FindApplication("test");
var request = new AuthorizeRequest
{
client_id = "codeclient",
response_type = "code",
scope = "read",
redirect_uri = "https:/prod.local"
};
try
{
var result = validator.Validate(app, request);
}
catch (AuthorizeRequestResourceOwnerException ex)
{
// todo: check error code
return;
}
Assert.Fail("No exception thrown.");
}
public void NonSslRedirectUri()
{
var validator = new AuthorizeRequestValidator();
var app = _testConfig.FindApplication("test");
var request = new AuthorizeRequest
{
client_id = "codeclient",
response_type = "code",
scope = "read",
redirect_uri = "http://prod.local"
};
try
{
var result = validator.Validate(app, request);
}
catch (AuthorizeRequestClientException ex)
{
Assert.IsTrue(ex.Error == OAuthConstants.Errors.InvalidRequest);
return;
}
Assert.Fail("No exception thrown.");
}