public override async Task ValidateIntrospectionRequest([NotNull] ValidateIntrospectionRequestContext context) { var services = context.HttpContext.RequestServices.GetRequiredService <OpenIddictServices <TApplication, TAuthorization, TScope, TToken> >(); // Note: the OpenID Connect server middleware supports unauthenticated introspection requests // but OpenIddict uses a stricter policy preventing unauthenticated/public applications // from using the introspection endpoint, as required by the specifications. // See https://tools.ietf.org/html/rfc7662#section-2.1 for more information. if (string.IsNullOrEmpty(context.ClientId) || string.IsNullOrEmpty(context.ClientSecret)) { context.Reject( error: OpenIdConnectConstants.Errors.InvalidRequest, description: "Clients must be authenticated to use the introspection endpoint."); return; } // Retrieve the application details corresponding to the requested client_id. var application = await services.Applications.FindByClientIdAsync(context.ClientId); if (application == null) { services.Logger.LogError("The introspection request was rejected because the client " + "application was not found: '{ClientId}'.", context.ClientId); context.Reject( error: OpenIdConnectConstants.Errors.InvalidClient, description: "Application not found in the database: ensure that your client_id is correct."); return; } // Reject non-confidential applications. if (!await services.Applications.IsConfidentialAsync(application)) { services.Logger.LogError("The introspection request was rejected because the public application " + "'{ClientId}' was not allowed to use this endpoint.", context.ClientId); context.Reject( error: OpenIdConnectConstants.Errors.InvalidClient, description: "Public applications are not allowed to use the introspection endpoint."); return; } // Validate the client credentials. if (!await services.Applications.ValidateSecretAsync(application, context.ClientSecret)) { services.Logger.LogError("The introspection request was rejected because the confidential application " + "'{ClientId}' didn't specify valid client credentials.", context.ClientId); context.Reject( error: OpenIdConnectConstants.Errors.InvalidClient, description: "Invalid credentials: ensure that you specified a correct client_secret."); return; } context.Validate(); }
public override async Task ValidateIntrospectionRequest([NotNull] ValidateIntrospectionRequestContext context) { // Note: the OpenID Connect server middleware supports unauthenticated introspection requests // but OpenIddict uses a stricter policy preventing unauthenticated/public applications // from using the introspection endpoint, as required by the specifications. // See https://tools.ietf.org/html/rfc7662#section-2.1 for more information. if (string.IsNullOrEmpty(context.ClientId) || string.IsNullOrEmpty(context.ClientSecret)) { context.Reject( error: OpenIdConnectConstants.Errors.InvalidRequest, description: "The mandatory 'client_id' and/or 'client_secret' parameters are missing."); return; } // Retrieve the application details corresponding to the requested client_id. var application = await Applications.FindByClientIdAsync(context.ClientId, context.HttpContext.RequestAborted); if (application == null) { Logger.LogError("The introspection request was rejected because the client " + "application was not found: '{ClientId}'.", context.ClientId); context.Reject( error: OpenIdConnectConstants.Errors.InvalidClient, description: "The specified 'client_id' parameter is invalid."); return; } // Reject introspection requests sent by public applications. if (await Applications.IsPublicAsync(application, context.HttpContext.RequestAborted)) { Logger.LogError("The introspection request was rejected because the public application " + "'{ClientId}' was not allowed to use this endpoint.", context.ClientId); context.Reject( error: OpenIdConnectConstants.Errors.InvalidClient, description: "This client application is not allowed to use the introspection endpoint."); return; } // Validate the client credentials. if (!await Applications.ValidateClientSecretAsync(application, context.ClientSecret, context.HttpContext.RequestAborted)) { Logger.LogError("The introspection request was rejected because the confidential or hybrid application " + "'{ClientId}' didn't specify valid client credentials.", context.ClientId); context.Reject( error: OpenIdConnectConstants.Errors.InvalidClient, description: "The specified client credentials are invalid."); return; } context.Validate(); }
public override async Task ValidateIntrospectionRequest(ValidateIntrospectionRequestContext context) { if (string.IsNullOrWhiteSpace(context.ClientId)) { context.Reject( error: OpenIdConnectConstants.Errors.InvalidClient, description: InvalidClientMessage ); return; } var application = await BookingContext.Applications .Where(a => a.Id == context.ClientId) .SingleOrDefaultAsync(context.HttpContext.RequestAborted); if (application == null || application.Type != ApplicationType.Introspection) { context.Reject( error: OpenIdConnectConstants.Errors.InvalidClient, description: InvalidClientMessage ); return; } if (!PasswordHasher.VerifyHashedPassword(application.Secret, context.ClientSecret)) { context.Reject( error: OpenIdConnectConstants.Errors.InvalidClient, description: InvalidClientMessage ); return; } context.Validate(); }
public override async Task ValidateIntrospectionRequest([NotNull] ValidateIntrospectionRequestContext context) { var services = context.HttpContext.RequestServices.GetRequiredService <OpenIddictServices <TUser, TApplication> >(); // Note: ASOS supports both GET and POST introspection requests but OpenIddict only accepts POST requests. if (!string.Equals(context.HttpContext.Request.Method, "POST", StringComparison.OrdinalIgnoreCase)) { context.Reject( error: OpenIdConnectConstants.Errors.InvalidRequest, description: "Introspection requests must use HTTP POST."); return; } // Note: ASOS supports unauthenticated introspection requests but OpenIddict uses // a stricter policy preventing unauthenticated/public applications from using // the introspection endpoint, as required by the specifications. // See https://tools.ietf.org/html/rfc7662 for more information. if (string.IsNullOrEmpty(context.ClientId) || string.IsNullOrEmpty(context.ClientSecret)) { context.Reject( error: OpenIdConnectConstants.Errors.InvalidRequest, description: "Clients must be authenticated to use the introspection endpoint."); return; } // Retrieve the application details corresponding to the requested client_id. var application = await services.Applications.FindApplicationByIdAsync(context.ClientId); if (application == null) { context.Reject( error: OpenIdConnectConstants.Errors.InvalidClient, description: "Application not found in the database: ensure that your client_id is correct."); return; } // Reject non-confidential applications. if (await services.Applications.IsPublicApplicationAsync(application)) { context.Reject( error: OpenIdConnectConstants.Errors.InvalidClient, description: "Public applications are not allowed to use the introspection endpoint."); return; } // Validate the client credentials. if (!await services.Applications.ValidateSecretAsync(application, context.ClientSecret)) { context.Reject( error: OpenIdConnectConstants.Errors.InvalidClient, description: "Invalid credentials: ensure that you specified a correct client_secret."); return; } context.Validate(); }
public override async Task ValidateIntrospectionRequest([NotNull] ValidateIntrospectionRequestContext context) { var options = (OpenIddictServerOptions)context.Options; // Note: the OpenID Connect server middleware supports unauthenticated introspection requests // but OpenIddict uses a stricter policy preventing unauthenticated/public applications // from using the introspection endpoint, as required by the specifications. // See https://tools.ietf.org/html/rfc7662#section-2.1 for more information. if (string.IsNullOrEmpty(context.ClientId) || string.IsNullOrEmpty(context.ClientSecret)) { context.Reject( error: OpenIdConnectConstants.Errors.InvalidRequest, description: "The mandatory 'client_id' and/or 'client_secret' parameters are missing."); return; } // Retrieve the application details corresponding to the requested client_id. var application = await _applicationManager.FindByClientIdAsync(context.ClientId); if (application == null) { _logger.LogError("The introspection request was rejected because the client " + "application was not found: '{ClientId}'.", context.ClientId); context.Reject( error: OpenIdConnectConstants.Errors.InvalidClient, description: "The specified 'client_id' parameter is invalid."); return; } // Store the application entity as a request property to make it accessible // from the other provider methods without having to call the store twice. context.Request.SetProperty($"{OpenIddictConstants.Properties.Application}:{context.ClientId}", application); // Reject the request if the application is not allowed to use the introspection endpoint. if (!options.IgnoreEndpointPermissions && !await _applicationManager.HasPermissionAsync(application, OpenIddictConstants.Permissions.Endpoints.Introspection)) { _logger.LogError("The introspection request was rejected because the application '{ClientId}' " + "was not allowed to use the introspection endpoint.", context.ClientId); context.Reject( error: OpenIdConnectConstants.Errors.UnauthorizedClient, description: "This client application is not allowed to use the introspection endpoint."); return; } // Reject introspection requests sent by public applications. if (await _applicationManager.IsPublicAsync(application)) { _logger.LogError("The introspection request was rejected because the public application " + "'{ClientId}' was not allowed to use this endpoint.", context.ClientId); context.Reject( error: OpenIdConnectConstants.Errors.InvalidClient, description: "This client application is not allowed to use the introspection endpoint."); return; } // Validate the client credentials. if (!await _applicationManager.ValidateClientSecretAsync(application, context.ClientSecret)) { _logger.LogError("The introspection request was rejected because the confidential or hybrid application " + "'{ClientId}' didn't specify valid client credentials.", context.ClientId); context.Reject( error: OpenIdConnectConstants.Errors.InvalidClient, description: "The specified client credentials are invalid."); return; } context.Validate(); await _eventService.PublishAsync(new OpenIddictServerEvents.ValidateIntrospectionRequest(context)); }