public async override Task <DeviceAuthorizationRequestValidationResult> Validate(NameValueCollection parameters, string accessToken = null) { Logger.LogDebug($"{nameof(DeviceAuthorizationRequestValidator)}: Started trusted device authorization request validation."); // Validate that the consumer specified all required parameters. var parametersToValidate = new[] { RegistrationRequestParameters.ClientId, RegistrationRequestParameters.CodeChallenge, RegistrationRequestParameters.DeviceId, RegistrationRequestParameters.Scope }; foreach (var parameter in parametersToValidate) { var parameterValue = parameters.Get(parameter); if (string.IsNullOrWhiteSpace(parameterValue)) { return(Error(OidcConstants.TokenErrors.InvalidRequest, $"Parameter '{parameter}' is not specified.")); } } // Load device. var device = await UserDeviceStore.GetByDeviceId(parameters.Get(RegistrationRequestParameters.DeviceId)); if (device == null || !device.SupportsFingerprintLogin) { return(Error(OidcConstants.TokenErrors.InvalidRequest, "Device cannot initiate fingerprint login.")); } // Load and validate client. var client = await LoadClient(parameters.Get(RegistrationRequestParameters.ClientId)); if (client == null) { return(Error(OidcConstants.AuthorizeErrors.UnauthorizedClient, "Client is unknown or not enabled.")); } if (client.ProtocolType != IdentityServerConstants.ProtocolTypes.OpenIdConnect) { return(Error(OidcConstants.AuthorizeErrors.UnauthorizedClient, "Invalid protocol.")); } // Validate requested scopes. var isOpenIdRequest = false; var requestedScopes = parameters.Get(RegistrationRequestParameters.Scope).Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries); if (requestedScopes.Contains(IdentityServerConstants.StandardScopes.OpenId)) { isOpenIdRequest = true; } var validatedResources = await ResourceValidator.ValidateRequestedResourcesAsync(new ResourceValidationRequest { Client = client, Scopes = requestedScopes }); if (!validatedResources.Succeeded) { return(Error(OidcConstants.AuthorizeErrors.InvalidScope, "Invalid scope.")); } if (validatedResources.Resources.IdentityResources.Any() && !isOpenIdRequest) { return(Error(OidcConstants.AuthorizeErrors.InvalidScope, "Identity scopes requested, but openid scope is missing.")); } // Finally return result. return(new DeviceAuthorizationRequestValidationResult { IsError = false, Client = client, CodeChallenge = parameters.Get(RegistrationRequestParameters.CodeChallenge), Device = device, InteractionMode = InteractionMode.Fingerprint, IsOpenIdRequest = isOpenIdRequest, RequestedScopes = requestedScopes, UserId = device.UserId }); }