public void Totally_different_words() { ResponseTypeEqualityComparer comparer = new ResponseTypeEqualityComparer(); string x = "blerg smoo"; string y = "token code"; var result = comparer.Equals(x, y); result.Should().BeFalse(); }
public void Same_length_different_count() { ResponseTypeEqualityComparer comparer = new ResponseTypeEqualityComparer(); string x = "code id_token token"; string y = "tokenizer bleegerfi"; var result = comparer.Equals(x, y); result.Should().BeFalse(); }
public void code_id_token_token_combo2() { ResponseTypeEqualityComparer comparer = new ResponseTypeEqualityComparer(); string x = "code id_token token"; string y = "token id_token code"; var result = comparer.Equals(x, y); result.Should().BeTrue(); }
public void code_id_token_token_missing_code_and_token() { ResponseTypeEqualityComparer comparer = new ResponseTypeEqualityComparer(); string x = "code id_token token"; string y = "id_token"; var result = comparer.Equals(x, y); result.Should().BeFalse(); }
public void Right_null_other_not() { ResponseTypeEqualityComparer comparer = new ResponseTypeEqualityComparer(); string x = ""; string y = null; var result = comparer.Equals(x, y); var expected = (x == y); result.Should().Be(expected); }
public void code_token_both_ways() { ResponseTypeEqualityComparer comparer = new ResponseTypeEqualityComparer(); string x = "code token"; string y = "token code"; var result = comparer.Equals(x, y); result.Should().BeTrue(); }
public void id_token_token() { ResponseTypeEqualityComparer comparer = new ResponseTypeEqualityComparer(); string x = "id_token"; string y = "token"; var result = comparer.Equals(x, y); var expected = (x == y); result.Should().Be(expected); }
public void Both_null() { ResponseTypeEqualityComparer comparer = new ResponseTypeEqualityComparer(); string x = null; string y = null; var result = comparer.Equals(x, y); var expected = (x == y); result.Should().Be(expected); }
public async Task <AuthorizeRequestValidationResult> ValidateAsync(ValidatedAuthorizeRequest request) { var parameters = request.Raw; request.Nonce = parameters.Get(OidcConstants.AuthorizeRequest.Nonce); var state = parameters.Get(OidcConstants.AuthorizeRequest.State); if (state.IsPresent()) { request.State = state; } ////////////////////////////////////////////////////////// // redirect_uri must be present and supported ////////////////////////////////////////////////////////// var redirectUri = parameters.Get(OidcConstants.AuthorizeRequest.RedirectUri); if (redirectUri.IsMissing()) { _logger.LogError($"Missing {OidcConstants.AuthorizeRequest.RedirectUri}"); return(Invalid(request, OidcConstants.AuthorizeErrors.InvalidRequestUri, $"Missing {OidcConstants.AuthorizeRequest.RedirectUri}")); } ////////////////////////////////////////////////////////// // response_type must be present and supported ////////////////////////////////////////////////////////// var responseType = parameters.Get(OidcConstants.AuthorizeRequest.ResponseType); if (responseType.IsMissing()) { _logger.LogError($"Missing {OidcConstants.AuthorizeRequest.ResponseType}"); return(Invalid(request, OidcConstants.AuthorizeErrors.UnsupportedResponseType, $"Missing {OidcConstants.AuthorizeRequest.ResponseType}")); } if (!SupportedResponseTypes.Contains(responseType, _responseTypeEqualityComparer)) { _logger.LogError("Response type not supported", responseType); return(Invalid(request, OidcConstants.AuthorizeErrors.UnsupportedResponseType, "Response type not supported")); } request.ResponseType = SupportedResponseTypes.First( supportedResponseType => _responseTypeEqualityComparer.Equals(supportedResponseType, responseType)); ////////////////////////////////////////////////////////// // match response_type to grant type ////////////////////////////////////////////////////////// request.GrantType = Constants.ResponseTypeToGrantTypeMapping[responseType]; ////////////////////////////////////////////////////////// // check if flow is allowed at authorize endpoint ////////////////////////////////////////////////////////// if (!Constants.AllowedGrantTypesForAuthorizeEndpoint.Contains(request.GrantType)) { LogError("Invalid grant type", request.GrantType, request); return(Invalid(request, description: "Invalid response_type")); } // set default response mode for flow; this is needed for any client error processing below request.ResponseMode = Constants.AllowedResponseModesForGrantType[request.GrantType].First(); ////////////////////////////////////////////////////////// // client_id must be present and supported ////////////////////////////////////////////////////////// request.ClientId = parameters.Get(OidcConstants.AuthorizeRequest.ClientId); if (request.ClientId.IsMissing()) { _logger.LogError($"Missing {OidcConstants.AuthorizeRequest.ClientId}"); return(Invalid(request, OidcConstants.AuthorizeErrors.UnauthorizedClient, $"Missing {OidcConstants.AuthorizeRequest.ClientId}")); } ////////////////////////////////////////////////////////// // redirect_uri must be present, and a valid uri ////////////////////////////////////////////////////////// request.RedirectUri = parameters.Get(OidcConstants.AuthorizeRequest.RedirectUri); if (request.RedirectUri.IsMissing()) { _logger.LogError($"Missing {OidcConstants.AuthorizeRequest.RedirectUri}"); return(Invalid(request, OidcConstants.AuthorizeRequest.RedirectUri, $"Missing {OidcConstants.AuthorizeRequest.RedirectUri}")); } var clientRecord = await _clientSecretStore.FetchClientRecordAsync(_options.Scheme, request.ClientId); if (clientRecord == null) { _logger.LogError($"Missing {OidcConstants.AuthorizeRequest.ClientId}"); return(Invalid(request, OidcConstants.AuthorizeErrors.UnauthorizedClient, $"Missing {OidcConstants.AuthorizeRequest.ClientId}")); } if (!clientRecord.RedirectUris.Contains(request.RedirectUri)) { _logger.LogError($"Missing {OidcConstants.AuthorizeRequest.RedirectUri}"); return(Invalid(request, OidcConstants.AuthorizeErrors.UnauthorizedClient, $"Missing {OidcConstants.AuthorizeRequest.ClientId}")); } ////////////////////////////////////////////////////////// // check response_mode parameter and set response_mode ////////////////////////////////////////////////////////// // check if response_mode parameter is present and valid var responseMode = parameters.Get(OidcConstants.AuthorizeRequest.ResponseMode); if (responseMode.IsPresent()) { if (Constants.SupportedResponseModes.Contains(responseMode)) { if (Constants.AllowedResponseModesForGrantType[request.GrantType].Contains(responseMode)) { request.ResponseMode = responseMode; } else { LogError("Invalid response_mode for flow", responseMode, request); return(Invalid(request, OidcConstants.AuthorizeErrors.UnsupportedResponseType, description: "Invalid response_mode")); } } else { LogError("Unsupported response_mode", responseMode, request); return(Invalid(request, OidcConstants.AuthorizeErrors.UnsupportedResponseType, description: "Invalid response_mode")); } } ////////////////////////////////////////////////////////// // check if PKCE is required and validate parameters ////////////////////////////////////////////////////////// if (request.GrantType == GrantType.AuthorizationCode || request.GrantType == GrantType.Hybrid) { _logger.LogDebug("Checking for PKCE parameters"); ///////////////////////////////////////////////////////////////////////////// // validate code_challenge and code_challenge_method ///////////////////////////////////////////////////////////////////////////// var proofKeyResult = ValidatePkceParameters(request); if (proofKeyResult.IsError) { return(proofKeyResult); } } return(Valid(request)); }
public void id_token_token_both_ways() { ResponseTypeEqualityComparer comparer = new ResponseTypeEqualityComparer(); string x = "id_token token"; string y = "token id_token"; var result = comparer.Equals(x, y); result.Should().BeTrue(); }
private AuthorizeRequestValidationResult ValidateCoreParameters(ValidatedAuthorizeRequest request) { ////////////////////////////////////////////////////////// // check state ////////////////////////////////////////////////////////// var state = request.Raw.Get(OidcConstants.AuthorizeRequest.State); if (state.IsPresent()) { request.State = state; } ////////////////////////////////////////////////////////// // response_type must be present and supported ////////////////////////////////////////////////////////// var responseType = request.Raw.Get(OidcConstants.AuthorizeRequest.ResponseType); if (responseType.IsMissing()) { LogError("Missing response_type", request); return(Invalid(request, OidcConstants.AuthorizeErrors.UnsupportedResponseType, "Missing response_type")); } // The responseType may come in in an unconventional order. // Use an IEqualityComparer that doesn't care about the order of multiple values. // Per https://tools.ietf.org/html/rfc6749#section-3.1.1 - // 'Extension response types MAY contain a space-delimited (%x20) list of // values, where the order of values does not matter (e.g., response // type "a b" is the same as "b a").' // http://openid.net/specs/oauth-v2-multiple-response-types-1_0-03.html#terminology - // 'If a response type contains one of more space characters (%20), it is compared // as a space-delimited list of values in which the order of values does not matter.' if (!Constants.SupportedResponseTypes.Contains(responseType, _responseTypeEqualityComparer)) { LogError("Response type not supported", responseType, request); return(Invalid(request, OidcConstants.AuthorizeErrors.UnsupportedResponseType, "Response type not supported")); } // Even though the responseType may have come in in an unconventional order, // we still need the request's ResponseType property to be set to the // conventional, supported response type. request.ResponseType = Constants.SupportedResponseTypes.First( supportedResponseType => _responseTypeEqualityComparer.Equals(supportedResponseType, responseType)); ////////////////////////////////////////////////////////// // match response_type to grant type ////////////////////////////////////////////////////////// request.GrantType = Constants.ResponseTypeToGrantTypeMapping[request.ResponseType]; // set default response mode for flow; this is needed for any client error processing below request.ResponseMode = Constants.AllowedResponseModesForGrantType[request.GrantType].First(); ////////////////////////////////////////////////////////// // check if flow is allowed at authorize endpoint ////////////////////////////////////////////////////////// if (!Constants.AllowedGrantTypesForAuthorizeEndpoint.Contains(request.GrantType)) { LogError("Invalid grant type", request.GrantType, request); return(Invalid(request, description: "Invalid response_type")); } ////////////////////////////////////////////////////////// // check if PKCE is required and validate parameters ////////////////////////////////////////////////////////// if (request.GrantType == GrantType.AuthorizationCode || request.GrantType == GrantType.Hybrid) { _logger.LogDebug("Checking for PKCE parameters"); ///////////////////////////////////////////////////////////////////////////// // validate code_challenge and code_challenge_method ///////////////////////////////////////////////////////////////////////////// var proofKeyResult = ValidatePkceParameters(request); if (proofKeyResult.IsError) { return(proofKeyResult); } } ////////////////////////////////////////////////////////// // check response_mode parameter and set response_mode ////////////////////////////////////////////////////////// // check if response_mode parameter is present and valid var responseMode = request.Raw.Get(OidcConstants.AuthorizeRequest.ResponseMode); if (responseMode.IsPresent()) { if (Constants.SupportedResponseModes.Contains(responseMode)) { if (Constants.AllowedResponseModesForGrantType[request.GrantType].Contains(responseMode)) { request.ResponseMode = responseMode; } else { LogError("Invalid response_mode for response_type", responseMode, request); return(Invalid(request, OidcConstants.AuthorizeErrors.InvalidRequest, description: "Invalid response_mode for response_type")); } } else { LogError("Unsupported response_mode", responseMode, request); return(Invalid(request, OidcConstants.AuthorizeErrors.UnsupportedResponseType, description: "Invalid response_mode")); } } ////////////////////////////////////////////////////////// // check if grant type is allowed for client ////////////////////////////////////////////////////////// if (!request.Client.AllowedGrantTypes.Contains(request.GrantType)) { LogError("Invalid grant type for client", request.GrantType, request); return(Invalid(request, OidcConstants.AuthorizeErrors.UnauthorizedClient, "Invalid grant type for client")); } ////////////////////////////////////////////////////////// // check if response type contains an access token, // and if client is allowed to request access token via browser ////////////////////////////////////////////////////////// var responseTypes = responseType.FromSpaceSeparatedString(); if (responseTypes.Contains(OidcConstants.ResponseTypes.Token)) { if (!request.Client.AllowAccessTokensViaBrowser) { LogError("Client requested access token - but client is not configured to receive access tokens via browser", request); return(Invalid(request, description: "Client not configured to receive access tokens via browser")); } } return(Valid(request)); }