public async Task ShouldOnlyGetPublicScopes() { await _setup; var result = (await _scopeStore.GetScopesAsync(publicOnly: true)).ToArray(); foreach (var evenScopeName in _evenScopeNames) { Assert.DoesNotContain(evenScopeName, result.Select(x => x.Name)); } foreach (var oddScopeName in _oddScopeNames) { Assert.Contains(oddScopeName, result.Select(x => x.Name)); } }
public async Task <IEnumerable <string> > GetRequestedClaimTypesAsync(IEnumerable <string> scopes) { if (scopes == null || !scopes.Any()) { return(Enumerable.Empty <string>()); } var scopeString = string.Join(" ", scopes); Logger.InfoFormat("Scopes in access token: {0}", scopeString); var scopeDetails = await _scopes.GetScopesAsync(); var scopeClaims = new List <string>(); foreach (var scope in scopes) { var scopeDetail = scopeDetails.FirstOrDefault(s => s.Name == scope); if (scopeDetail != null) { if (scopeDetail.Type == ScopeType.Identity) { scopeClaims.AddRange(scopeDetail.Claims.Select(c => c.Name)); } } } return(scopeClaims); }
public async Task VerifyAdd() { Assert.Empty(await _scopeStore.GetScopesAsync(false)); _ps.Invoke(); var result = (await _scopeStore.GetScopesAsync(false)).ToArray(); Assert.Equal(1, result.Length); var scope = result.Single(); Assert.Equal("unit_test_scope", scope.Name); Assert.Equal("displayName", scope.DisplayName); Assert.Equal("claim description", scope.Description); Assert.Equal("customRuleName", scope.ClaimsRule); Assert.True(scope.Emphasize); Assert.True(scope.Enabled); Assert.True(scope.IncludeAllClaimsForUser); Assert.True(scope.Required); Assert.True(scope.ShowInDiscoveryDocument); Assert.Equal(ScopeType.Identity, scope.Type); Assert.Equal(2, scope.Claims.Count()); var first = scope.Claims.OrderBy(x => x.Name).First(); Assert.Equal("unit_test_claim1", first.Name); Assert.Equal("Sample description for unit test", first.Description); Assert.True(first.AlwaysIncludeInIdToken); var second = scope.Claims.OrderBy(x => x.Name).Skip(1).First(); Assert.Equal("unit_test_claim2", second.Name); Assert.Equal("Sample description", second.Description); Assert.False(second.AlwaysIncludeInIdToken); Assert.True(scope.AllowUnrestrictedIntrospection); Assert.Equal(new List <Secret> { new Secret("secret1"), new Secret("secret2", "description", new DateTimeOffset(2000, 1, 1, 1, 1, 1, 1, TimeSpan.Zero)) { Type = "SomeOtherType" } }.Select(TestData.ToTestableString), scope.ScopeSecrets.Select(TestData.ToTestableString)); }
public async Task <IEnumerable <Scope> > GetScopesAsync(bool publicOnly = true) { var key = GetKey(publicOnly); var scopes = await _cache.GetAsync(key, _options.CachingOptions.ScopeStoreExpiration, () => _inner.GetScopesAsync(publicOnly), _logger); return(scopes); }
public async Task VerifyAllBuiltInScopes() { _ps.Invoke(); Assert.Null(_data.GetPowershellErrors()); Assert.Equal( ReadScopes.BuiltInScopes() .OrderBy(x => x.Name) .Select(TestData.ToTestableString), (await _scopeStore.GetScopesAsync(false)) .OrderBy(x => x.Name) .Select(TestData.ToTestableString) ); }
/// <summary> /// Gets the client permissions asynchronous. /// </summary> /// <param name="subject">The subject identifier.</param> /// <returns> /// A list of client permissions /// </returns> /// <exception cref="System.ArgumentNullException">subject</exception> public async Task <IEnumerable <ClientPermission> > GetClientPermissionsAsync(string subject) { if (String.IsNullOrWhiteSpace(subject)) { throw new ArgumentNullException("subject"); } var consents = await this.permissionsStore.LoadAllAsync(subject); var list = new List <ClientPermission>(); foreach (var consent in consents) { var client = await clientStore.FindClientByIdAsync(consent.ClientId); if (client != null) { var scopes = await scopeStore.GetScopesAsync(); var identityScopes = scopes.Where(x => x.Type == ScopeType.Identity && consent.Scopes.Contains(x.Name)).Select(x => new PermissionDescription { DisplayName = x.DisplayName, Description = x.Description }); var resourceScopes = scopes.Where(x => x.Type == ScopeType.Resource && consent.Scopes.Contains(x.Name)).Select(x => new PermissionDescription { DisplayName = x.DisplayName, Description = x.Description }); list.Add(new ClientPermission { ClientId = client.ClientId, ClientName = client.ClientName, ClientUrl = client.ClientUri, ClientLogoUrl = client.LogoUri.AbsoluteUri, IdentityPermissions = identityScopes, ResourcePermissions = resourceScopes }); } } return(list); }
private async Task <bool> ValidateRequestedScopesAsync(NameValueCollection parameters) { var scopeValidator = new ScopeValidator(); var requestedScopes = scopeValidator.ParseScopes(parameters.Get(Constants.TokenRequest.Scope)); if (requestedScopes == null) { return(false); } if (!scopeValidator.AreScopesAllowed(_validatedRequest.Client, requestedScopes)) { return(false); } if (!scopeValidator.AreScopesValid(requestedScopes, await _scopes.GetScopesAsync())) { return(false); } _validatedRequest.Scopes = requestedScopes; _validatedRequest.ValidatedScopes = scopeValidator; return(true); }
private async Task <IEndpointResult> ExecuteDiscoDocAsync(HttpContext context) { _logger.LogTrace("Start discovery request"); var baseUrl = _context.GetIdentityServerBaseUrl().EnsureTrailingSlash(); var allScopes = await _scopes.GetScopesAsync(publicOnly : true); var showScopes = new List <Scope>(); var document = new DiscoveryDocument { issuer = _context.GetIssuerUri(), subject_types_supported = new[] { "public" }, id_token_signing_alg_values_supported = new[] { Constants.SigningAlgorithms.RSA_SHA_256 } }; // scopes if (_options.DiscoveryOptions.ShowIdentityScopes) { showScopes.AddRange(allScopes.Where(s => s.Type == ScopeType.Identity)); } if (_options.DiscoveryOptions.ShowResourceScopes) { showScopes.AddRange(allScopes.Where(s => s.Type == ScopeType.Resource)); } if (showScopes.Any()) { document.scopes_supported = showScopes.Where(s => s.ShowInDiscoveryDocument).Select(s => s.Name).ToArray(); } // claims if (_options.DiscoveryOptions.ShowClaims) { var claims = new List <string>(); foreach (var s in allScopes) { claims.AddRange(from c in s.Claims where s.Type == ScopeType.Identity select c.Name); } document.claims_supported = claims.Distinct().ToArray(); } // grant types if (_options.DiscoveryOptions.ShowGrantTypes) { var standardGrantTypes = Constants.SupportedGrantTypes.AsEnumerable(); if (this._options.AuthenticationOptions.EnableLocalLogin == false) { standardGrantTypes = standardGrantTypes.Where(type => type != OidcConstants.GrantTypes.Password); } var showGrantTypes = new List <string>(standardGrantTypes); if (_options.DiscoveryOptions.ShowCustomGrantTypes) { showGrantTypes.AddRange(_customGrants.GetAvailableGrantTypes()); } document.grant_types_supported = showGrantTypes.ToArray(); } // response types if (_options.DiscoveryOptions.ShowResponseTypes) { document.response_types_supported = Constants.SupportedResponseTypes.ToArray(); } // response modes if (_options.DiscoveryOptions.ShowResponseModes) { document.response_modes_supported = Constants.SupportedResponseModes.ToArray(); } // token endpoint authentication methods if (_options.DiscoveryOptions.ShowTokenEndpointAuthenticationMethods) { document.token_endpoint_auth_methods_supported = _parsers.GetAvailableAuthenticationMethods().ToArray(); } // endpoints if (_options.DiscoveryOptions.ShowEndpoints) { if (_options.Endpoints.EnableEndSessionEndpoint) { document.http_logout_supported = true; } if (_options.Endpoints.EnableAuthorizeEndpoint) { document.authorization_endpoint = baseUrl + Constants.RoutePaths.Oidc.Authorize; } if (_options.Endpoints.EnableTokenEndpoint) { document.token_endpoint = baseUrl + Constants.RoutePaths.Oidc.Token; } if (_options.Endpoints.EnableUserInfoEndpoint) { document.userinfo_endpoint = baseUrl + Constants.RoutePaths.Oidc.UserInfo; } if (_options.Endpoints.EnableEndSessionEndpoint) { document.end_session_endpoint = baseUrl + Constants.RoutePaths.Oidc.EndSession; } if (_options.Endpoints.EnableCheckSessionEndpoint) { document.check_session_iframe = baseUrl + Constants.RoutePaths.Oidc.CheckSession; } if (_options.Endpoints.EnableTokenRevocationEndpoint) { document.revocation_endpoint = baseUrl + Constants.RoutePaths.Oidc.Revocation; } if (_options.Endpoints.EnableIntrospectionEndpoint) { document.introspection_endpoint = baseUrl + Constants.RoutePaths.Oidc.Introspection; } } if (_options.DiscoveryOptions.ShowKeySet) { if (_options.SigningCertificate != null) { document.jwks_uri = baseUrl + Constants.RoutePaths.Oidc.DiscoveryWebKeys; } } return(new DiscoveryDocumentResult(document, _options.DiscoveryOptions.CustomEntries)); }
/// <summary> /// Gets all defined scopes. /// </summary> /// <param name="publicOnly">if set to <c>true</c> only public scopes are returned.</param> /// <returns></returns> public async Task <IEnumerable <Scope> > GetScopesAsync(bool publicOnly = true) { var key = GetKey(publicOnly); return(await cache.GetAsync(key, async() => await inner.GetScopesAsync(publicOnly))); }
public async Task <ValidationResult> ValidateClientAsync() { Logger.Info("Start client validation"); if (_validatedRequest.ClientId.IsMissing()) { throw new InvalidOperationException("ClientId is empty. Validate protocol first."); } ////////////////////////////////////////////////////////// // check for valid client ////////////////////////////////////////////////////////// var client = await _clients.FindClientByIdAsync(_validatedRequest.ClientId); if (client == null || client.Enabled == false) { Logger.ErrorFormat("Unknown client or not enabled: {0}", _validatedRequest.ClientId); return(Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient)); } Logger.InfoFormat("Client found in registry: {0} / {1}", client.ClientId, client.ClientName); _validatedRequest.Client = client; ////////////////////////////////////////////////////////// // check if redirect_uri is valid ////////////////////////////////////////////////////////// if (!_validatedRequest.Client.RedirectUris.Contains(_validatedRequest.RedirectUri)) { Logger.ErrorFormat("Invalid redirect_uri: {0}", _validatedRequest.RedirectUri); return(Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient)); } ////////////////////////////////////////////////////////// // check if flow is allowed for client ////////////////////////////////////////////////////////// if (_validatedRequest.Flow != _validatedRequest.Client.Flow) { Logger.ErrorFormat("Invalid flow for client: {0}", _validatedRequest.Flow); return(Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient)); } var scopeValidator = new ScopeValidator(); ////////////////////////////////////////////////////////// // check if scopes are valid/supported and check for resource scopes ////////////////////////////////////////////////////////// if (!scopeValidator.AreScopesValid(_validatedRequest.RequestedScopes, await _scopes.GetScopesAsync())) { return(Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope)); } if (scopeValidator.ContainsOpenIdScopes && !_validatedRequest.IsOpenIdRequest) { Logger.Error("Identity related scope requests, but no openid scope"); return(Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope)); } if (scopeValidator.ContainsResourceScopes) { _validatedRequest.IsResourceRequest = true; } ////////////////////////////////////////////////////////// // check scopes and scope restrictions ////////////////////////////////////////////////////////// if (!scopeValidator.AreScopesAllowed(_validatedRequest.Client, _validatedRequest.RequestedScopes)) { return(Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient)); } _validatedRequest.ValidatedScopes = scopeValidator; ////////////////////////////////////////////////////////// // check id vs resource scopes and response types plausability ////////////////////////////////////////////////////////// if (!scopeValidator.IsResponseTypeValid(_validatedRequest.ResponseType)) { return(Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope)); } var customResult = await _customValidator.ValidateAuthorizeRequestAsync(_validatedRequest); if (customResult.IsError) { Logger.Error("Error in custom validation: " + customResult.Error); } Logger.Info("Client validation successful"); return(customResult); }
public static async Task <IEnumerable <Scope> > GetEnabledScopesAsync(this IScopeStore store, bool publicOnly = true) { var scopes = await store.GetScopesAsync(publicOnly); return(scopes.Where(s => s.Enabled == true).ToArray()); }
/// <summary> /// Get Scope Secrets /// </summary> /// <param name="publicOnly">Public Only Flag</param> /// <returns>List of Scopes</returns> public Task <IEnumerable <Scope> > GetScopesAsync(bool publicOnly = true) { return(scopeStore.GetScopesAsync(publicOnly)); }