示例#1
0
        public override async Task ValidateTokenRequest(OAuthValidateTokenRequestContext context)
        {
            if (!ObjectId.TryParse(context.ClientContext.ClientId, out var mongoObjectId))
            {
                context.SetError("invalid_request");
                return;
            }
            var client = await _clientManager.FindClientByIdAsync(context.ClientContext.ClientId);

            if (client == null)
            {
                context.SetError("invalid_client");
            }
            else
            {
                context.Validated();
            }
        }
示例#2
0
        /// <summary>
        /// Called at the final stage of a successful Token endpoint request. An application may implement this call in order to do any final
        ///             modification of the claims being used to issue access or refresh tokens. This call may also be used in order to add additional
        ///             response parameters to the Token endpoint's json response body.
        /// </summary>
        /// <param name="context">The context of the event carries information in and results out.</param>
        /// <returns>
        /// Task to enable asynchronous execution
        /// </returns>
        /// <remarks>
        /// This validates the grant_type accepted and also processes CORS
        /// </remarks>
        public override Task ValidateTokenRequest(OAuthValidateTokenRequestContext context)
        {
            //TODO: Determine which grant types will will actually support - these will probably be the only ones
            if (!context.TokenRequest.IsAuthorizationCodeGrantType &&
                !context.TokenRequest.IsResourceOwnerPasswordCredentialsGrantType &&
                !context.TokenRequest.IsRefreshTokenGrantType)
            {
                context.Rejected();
                context.SetError("invalid_grant_type", "Only grant_type=authorization_code, grant_type=password or grant_type=refresh_token are accepted by this server.");
                return(Task.FromResult(0));
            }

            ProcessCors(context);

            return(base.ValidateTokenRequest(context));
        }
示例#3
0
        private void ProcessCors(OAuthValidateTokenRequestContext context)
        {
            var accessControlRequestMethodHeaders = context.Request.Headers.GetCommaSeparatedValues(CorsConstants.AccessControlRequestMethod);
            var originHeaders = context.Request.Headers.GetCommaSeparatedValues(CorsConstants.Origin);
            var accessControlRequestHeaders = context.Request.Headers.GetCommaSeparatedValues(CorsConstants.AccessControlRequestMethod);
            var corsRequest = new CorsRequestContext
            {
                Host       = context.Request.Host.Value,
                HttpMethod = context.Request.Method,
                Origin     = originHeaders?.FirstOrDefault(),
                RequestUri = context.Request.Uri,
                AccessControlRequestMethod = accessControlRequestMethodHeaders?.FirstOrDefault()
            };

            if (accessControlRequestHeaders != null)
            {
                foreach (var header in context.Request.Headers.GetCommaSeparatedValues(CorsConstants.AccessControlRequestMethod))
                {
                    corsRequest.AccessControlRequestHeaders.Add(header);
                }
            }

            var engine = new CorsEngine();

            if (corsRequest.IsPreflight)
            {
                try
                {
                    // Make sure Access-Control-Request-Method is valid.
                    var test = new HttpMethod(corsRequest.AccessControlRequestMethod);
                }
                catch (ArgumentException)
                {
                    context.Response.StatusCode = (int)HttpStatusCode.BadRequest;
                    context.SetError("Access Control Request Method Cannot Be Null Or Empty");
                    //context.RequestCompleted();
                    return;
                }
                catch (FormatException)
                {
                    context.Response.StatusCode = (int)HttpStatusCode.BadRequest;
                    context.SetError("Invalid Access Control Request Method");
                    //context.RequestCompleted();
                    return;
                }

                var result = engine.EvaluatePolicy(corsRequest, _options.CorsPolicy);

                if (!result.IsValid)
                {
                    context.Response.StatusCode = (int)HttpStatusCode.BadRequest;
                    context.SetError(string.Join(" | ", result.ErrorMessages));
                    //context.RequestCompleted();
                    return;
                }

                WriteCorsHeaders(result, context);
            }
            else
            {
                var result = engine.EvaluatePolicy(corsRequest, _options.CorsPolicy);

                if (result.IsValid)
                {
                    WriteCorsHeaders(result, context);
                }
            }
        }
        private void ProcessCors(OAuthValidateTokenRequestContext context)
        {
            var accessControlRequestMethodHeaders = context.Request.Headers.GetCommaSeparatedValues(CorsConstants.AccessControlRequestMethod);
            var originHeaders = context.Request.Headers.GetCommaSeparatedValues(CorsConstants.Origin);
            var accessControlRequestHeaders = context.Request.Headers.GetCommaSeparatedValues(CorsConstants.AccessControlRequestMethod);
            var corsRequest = new CorsRequestContext
            {
                Host = context.Request.Host.Value,
                HttpMethod = context.Request.Method,
                Origin = originHeaders == null ? null : originHeaders.FirstOrDefault(),
                RequestUri = context.Request.Uri,
                AccessControlRequestMethod = accessControlRequestMethodHeaders == null ? null : accessControlRequestMethodHeaders.FirstOrDefault()
            };
            if (accessControlRequestHeaders != null)
            {
                foreach (var header in context.Request.Headers.GetCommaSeparatedValues(CorsConstants.AccessControlRequestMethod))
                {
                    corsRequest.AccessControlRequestHeaders.Add(header);
                }
            }

            var engine = new CorsEngine();

            if (corsRequest.IsPreflight)
            {
                try
                {
                    // Make sure Access-Control-Request-Method is valid.
                    var test = new HttpMethod(corsRequest.AccessControlRequestMethod);
                }
                catch (ArgumentException)
                {
                    context.Response.StatusCode = (int)HttpStatusCode.BadRequest;
                    context.SetError("Access Control Request Method Cannot Be Null Or Empty");
                    //context.RequestCompleted();
                    return;
                }
                catch (FormatException)
                {
                    context.Response.StatusCode = (int)HttpStatusCode.BadRequest;
                    context.SetError("Invalid Access Control Request Method");
                    //context.RequestCompleted();
                    return;
                }

                var result = engine.EvaluatePolicy(corsRequest, _options.CorsPolicy);

                if (!result.IsValid)
                {
                    context.Response.StatusCode = (int)HttpStatusCode.BadRequest;
                    context.SetError(string.Join(" | ", result.ErrorMessages));
                    //context.RequestCompleted();
                    return;                    
                }

                WriteCorsHeaders(result, context);
            }
            else
            {
                var result = engine.EvaluatePolicy(corsRequest, _options.CorsPolicy);

                if (result.IsValid)
                {
                    WriteCorsHeaders(result, context);                    
                }
            }
        }