public Task ValidateAsync(CustomAuthorizeRequestValidationContext context) { Check.NotNull(context, nameof(context)); var audience = context.Result.ValidatedRequest.Raw["aud"]; if (audience is { } && (!_fhirServerConfig.Value?.FHIR_BASE_URL.Equals(audience) ?? false))
public async Task ValidateAsync(CustomAuthorizeRequestValidationContext context) { _logger.LogInformation("Start token request validator"); var validatedRequest = context.Result.ValidatedRequest; if (validatedRequest.Client.ClientId.Contains("SPA", StringComparison.OrdinalIgnoreCase)) { _logger.LogInformation("ClientId is SPA, no further validation required"); return; } var parameters = context.Result.ValidatedRequest.Raw; const string requestParam = "request"; var requestFromParameters = parameters.Get("request"); if (string.IsNullOrWhiteSpace(requestFromParameters)) { _logger.LogError($"{requestParam} is missing from the request parameters."); context.Result.IsError = true; context.Result.Error = OidcConstants.TokenErrors.InvalidRequest; return; } var requestValidationResult = await _assertionManager.ValidateAsync(requestFromParameters); if (!requestValidationResult.Success) { context.Result.IsError = true; context.Result.Error = OidcConstants.TokenErrors.InvalidClient; } var jwt = _assertionManager.Parse(requestFromParameters); _logger.LogInformation("TokenRequestValidator is valid for {client}", validatedRequest.Client.ClientId); }
public async Task ValidateAsync(CustomAuthorizeRequestValidationContext context) { var scopeTask = _scopeQuery.Get(new GetScopeByNameRequest { Name = context.Result.ValidatedRequest.RequestedScopes.First() }); var applicationTask = _query.Get(new GetApplicationByIdRequest() { ClientId = context.Result.ValidatedRequest.ClientId }); Task.WaitAll(scopeTask, applicationTask); if (scopeTask.Result == null || applicationTask.Result == null) { context.Result.IsError = true; context.Result.Error = scopeTask.Result == null ? "unknown scope" : "unknown client id"; } var result = await _authCommand.Execute(new InsertAuthRequestRequest { AuthRequest = new Domain.AuthRequest { ClientId = context.Result.ValidatedRequest.ClientId, Scope = context.Result.ValidatedRequest.RequestedScopes.First(), RedirectUri = context.Result.ValidatedRequest.RedirectUri, CreationDate = DateTime.Now } }); context.Result.ValidatedRequest.Options.UserInteraction.LoginUrl = context.Result.ValidatedRequest.Options.UserInteraction.LoginUrl.Replace("auth_id=0", $"auth_id={result.Id}"); }
public Task ValidateAsync(CustomAuthorizeRequestValidationContext context) { var request = context.Result.ValidatedRequest; var identity = request.Subject?.Identity; var name = identity?.Name; var sub = identity?.IsAuthenticated == true?identity.GetSubjectId() : null; return(Task.CompletedTask); }
public async Task ValidateAsync(CustomAuthorizeRequestValidationContext context) { foreach (var validator in _validators) { await validator.ValidateAsync(context); if (context.Result.IsError) { break; } } _logger.LogDebug("All custom token request validators evaluated to valid."); }
public Task ValidateAsync(CustomAuthorizeRequestValidationContext context) { if (!context.Result.IsError) { var TenantClaim = _context.GetTenantTokenClaim(); if (TenantClaim != null) { context.Result.ValidatedRequest.ClientClaims.Add(TenantClaim); } } return(Task.CompletedTask); }
public Task ValidateAsync(CustomAuthorizeRequestValidationContext context) { //var x = context.Result.Subject; //var user = await _userManager.FindByNameAsync(x.UserName); if (!context.Result.IsError) { //if (user != null && user.LockoutEnd.HasValue) context.Result.Error = OidcConstants.AuthorizeErrors.UnauthorizedClient; } context.Result.Error = OidcConstants.AuthorizeErrors.ConsentRequired; return(Task.CompletedTask); }
public async Task ValidateAsync(CustomAuthorizeRequestValidationContext context) { var user = context.Result.ValidatedRequest.Subject; if (user.Identity.IsAuthenticated) { if (!await UserCanAccessClient(user, context.Result.ValidatedRequest.ClientClaims, db)) { context.Result.IsError = true; context.Result.Error = "app_denied"; context.Result.ErrorDescription = $"Access to this application has been denied to {user.Identity.Name} ({user.FindFirst("email").Value})."; } } return; }
public Task ValidateAsync(CustomAuthorizeRequestValidationContext context) { _logger.LogInformation("Start token request validator"); var validatedRequest = context.Result.ValidatedRequest; if (validatedRequest.Client.ClientId.Contains("SPA", StringComparison.OrdinalIgnoreCase)) { _logger.LogInformation("ClientId is SPA, no further validation required"); return(Task.CompletedTask); } var parameters = context.Result.ValidatedRequest.Raw; if (IsAnyRequiredParameterMissing(parameters)) { MutateContextToError(context); return(Task.CompletedTask); } if (IsAnyRequiredPayloadParameterMissing(validatedRequest.RequestObjectValues)) { MutateContextToError(context); return(Task.CompletedTask); } if (IsScopeInvalid(validatedRequest.RequestObjectValues["scope"])) { MutateContextToError(context); return(Task.CompletedTask); } if (IsLanguageInvalid(validatedRequest)) { MutateContextToError(context); return(Task.CompletedTask); } _logger.LogInformation("TokenRequestValidator is valid for {client}", validatedRequest.Client.ClientId); return(Task.CompletedTask); }
public Task ValidateAsync(CustomAuthorizeRequestValidationContext context) { var subject = context.Result.ValidatedRequest.Subject.Claims.SingleOrDefault(c => c.Type == "sub")?.Value; var loginHint = context.Result.ValidatedRequest.LoginHint; if (loginHint.IsPresent() && subject != loginHint) { _logger.LogInformation($"Impersonating subject {loginHint}."); // Replace the subject with the person being impersonated in login_hint context.Result.ValidatedRequest.Subject = new ClaimsPrincipal(new ClaimsIdentity(new List <Claim> { new Claim("sub", loginHint), new Claim("auth_time", DateTime.UtcNow.ToEpochTime().ToString()), new Claim("idp", "local") }, AuthenticationType)); } return(Task.CompletedTask); }
public async Task ValidateAsync(CustomAuthorizeRequestValidationContext context) { await Task.CompletedTask; }
private static void MutateContextToError(CustomAuthorizeRequestValidationContext context) { context.Result.IsError = true; context.Result.Error = OidcConstants.TokenErrors.InvalidRequest; }
public async Task ValidateAsync(CustomAuthorizeRequestValidationContext context) { context.Result.IsError = false; await Task.CompletedTask; }
public Task ValidateAsync(CustomAuthorizeRequestValidationContext context) { WasCalled = true; Callback?.Invoke(context); return(Task.CompletedTask); }
public Task ValidateAsync(CustomAuthorizeRequestValidationContext context) { WasCalled = true; Callback?.Invoke(context); return(Task.FromResult(0)); }
public Task ValidateAsync(CustomAuthorizeRequestValidationContext context) { throw new NotImplementedException(); }
/// <summary> /// Custom validation logic for the authorize request. /// </summary> /// <param name="context">The context.</param> public Task ValidateAsync(CustomAuthorizeRequestValidationContext context) { return(Task.CompletedTask); }
public async Task <AuthorizeRequestValidationResult> ValidateAsync(NameValueCollection parameters, ClaimsPrincipal subject = null) { using var activity = Tracing.BasicActivitySource.StartActivity("AuthorizeRequestValidator.Validate"); _logger.LogDebug("Start authorize request protocol validation"); var request = new ValidatedAuthorizeRequest { Options = _options, IssuerName = await _issuerNameService.GetCurrentAsync(), Subject = subject ?? Principal.Anonymous, Raw = parameters ?? throw new ArgumentNullException(nameof(parameters)) }; // load client_id // client_id must always be present on the request var loadClientResult = await LoadClientAsync(request); if (loadClientResult.IsError) { return(loadClientResult); } // load request object var roLoadResult = await LoadRequestObjectAsync(request); if (roLoadResult.IsError) { return(roLoadResult); } // validate request object var roValidationResult = await ValidateRequestObjectAsync(request); if (roValidationResult.IsError) { return(roValidationResult); } // validate client_id and redirect_uri var clientResult = await ValidateClientAsync(request); if (clientResult.IsError) { return(clientResult); } // state, response_type, response_mode var mandatoryResult = ValidateCoreParameters(request); if (mandatoryResult.IsError) { return(mandatoryResult); } // scope, scope restrictions and plausability, and resource indicators var scopeResult = await ValidateScopeAndResourceAsync(request); if (scopeResult.IsError) { return(scopeResult); } // nonce, prompt, acr_values, login_hint etc. var optionalResult = await ValidateOptionalParametersAsync(request); if (optionalResult.IsError) { return(optionalResult); } // custom validator _logger.LogDebug("Calling into custom validator: {type}", _customValidator.GetType().FullName); var context = new CustomAuthorizeRequestValidationContext { Result = new AuthorizeRequestValidationResult(request) }; await _customValidator.ValidateAsync(context); var customResult = context.Result; if (customResult.IsError) { LogError("Error in custom validation", customResult.Error, request); return(Invalid(request, customResult.Error, customResult.ErrorDescription)); } _logger.LogTrace("Authorize request protocol validation successful"); LicenseValidator.ValidateClient(request.ClientId); return(Valid(request)); }