public override async Task ValidateLogoutRequest([NotNull] ValidateLogoutRequestContext context)
{
var services = context.HttpContext.RequestServices.GetRequiredService <OpenIddictServices <TUser, TApplication> >();
// Skip validation if the optional post_logout_redirect_uri
// parameter was missing from the logout request.
if (string.IsNullOrEmpty(context.PostLogoutRedirectUri))
{
context.Skip();
return;
}
var application = await services.Applications.FindApplicationByLogoutRedirectUri(context.PostLogoutRedirectUri);
if (application == null)
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidClient,
description: "Invalid post_logout_redirect_uri.");
return;
}
context.Validate();
}
public override async Task ValidateLogoutRequest([NotNull] ValidateLogoutRequestContext context)
{
var services = context.HttpContext.RequestServices.GetRequiredService <OpenIddictServices <TApplication, TAuthorization, TScope, TToken> >();
// Skip validation if the optional post_logout_redirect_uri
// parameter was missing from the logout request.
if (string.IsNullOrEmpty(context.PostLogoutRedirectUri))
{
services.Logger.LogInformation("The logout request validation process was skipped because " +
"the post_logout_redirect_uri parameter was missing.");
context.Skip();
return;
}
var application = await services.Applications.FindByLogoutRedirectUri(context.PostLogoutRedirectUri);
if (application == null)
{
services.Logger.LogError("The logout request was rejected because the client application corresponding " +
"to the specified post_logout_redirect_uri was not found in the database: " +
"'{PostLogoutRedirectUri}'.", context.PostLogoutRedirectUri);
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidClient,
description: "Invalid post_logout_redirect_uri.");
return;
}
context.Validate();
}
public override async Task ValidateLogoutRequest(ValidateLogoutRequestContext context)
{
var database = context.HttpContext.RequestServices.GetRequiredService <ApplicationContext>();
// Skip validation if the post_logout_redirect_uri parameter was missing.
if (string.IsNullOrEmpty(context.PostLogoutRedirectUri))
{
context.Skip();
return;
}
// Note: ValidateClientLogoutRedirectUri is not invoked when post_logout_redirect_uri is null.
// When provided, post_logout_redirect_uri must exactly match the address registered by the client application.
if (!await database.Applications.AnyAsync(application => application.LogoutRedirectUri == context.PostLogoutRedirectUri))
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidClient,
description: "Invalid post_logout_redirect_uri");
return;
}
context.Validate();
}
public override async Task ValidateLogoutRequest([NotNull] ValidateLogoutRequestContext context)
{
var applications = context.HttpContext.RequestServices.GetRequiredService <OpenIddictApplicationManager <TApplication> >();
var logger = context.HttpContext.RequestServices.GetRequiredService <ILogger <OpenIddictProvider <TApplication, TAuthorization, TScope, TToken> > >();
// If an optional post_logout_redirect_uri was provided, validate it.
if (!string.IsNullOrEmpty(context.PostLogoutRedirectUri))
{
var application = await applications.FindByLogoutRedirectUri(context.PostLogoutRedirectUri, context.HttpContext.RequestAborted);
if (application == null)
{
logger.LogError("The logout request was rejected because the client application corresponding " +
"to the specified post_logout_redirect_uri was not found in the database: " +
"'{PostLogoutRedirectUri}'.", context.PostLogoutRedirectUri);
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidClient,
description: "Invalid post_logout_redirect_uri.");
return;
}
}
context.Validate();
}
public override async Task ValidateLogoutRequest(ValidateLogoutRequestContext context)
{
// When provided, post_logout_redirect_uri must exactly
// match the address registered by the client application.
if (!string.IsNullOrEmpty(context.PostLogoutRedirectUri) &&
!await _database.Applications.AnyAsync(application => application.LogoutRedirectUri == context.PostLogoutRedirectUri))
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidRequest,
description: "The specified 'post_logout_redirect_uri' is invalid.");
return;
}
context.Validate();
}
public override async Task ValidateLogoutRequest([NotNull] ValidateLogoutRequestContext context)
{
// If an optional post_logout_redirect_uri was provided, validate it.
if (!string.IsNullOrEmpty(context.PostLogoutRedirectUri))
{
if (!Uri.TryCreate(context.PostLogoutRedirectUri, UriKind.Absolute, out Uri uri) || !uri.IsWellFormedOriginalString())
{
Logger.LogError("The logout request was rejected because the specified post_logout_redirect_uri was not " +
"a valid absolute URL: {PostLogoutRedirectUri}.", context.PostLogoutRedirectUri);
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidRequest,
description: "The 'post_logout_redirect_uri' parameter must be a valid absolute URL.");
return;
}
if (!string.IsNullOrEmpty(uri.Fragment))
{
Logger.LogError("The logout request was rejected because the 'post_logout_redirect_uri' contained " +
"a URL fragment: {PostLogoutRedirectUri}.", context.PostLogoutRedirectUri);
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidRequest,
description: "The 'post_logout_redirect_uri' parameter must not include a fragment.");
return;
}
if (!await Applications.ValidatePostLogoutRedirectUriAsync(context.PostLogoutRedirectUri))
{
Logger.LogError("The logout request was rejected because the specified post_logout_redirect_uri " +
"was unknown: {PostLogoutRedirectUri}.", context.PostLogoutRedirectUri);
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidRequest,
description: "The specified 'post_logout_redirect_uri' parameter is not valid.");
return;
}
}
context.Validate();
}
/// <summary>
/// Represents an event called for each request to the logout endpoint
/// to determine if the request is valid and should continue.
/// </summary>
/// <param name="context">The context instance associated with this event.</param>
public override async Task ValidateLogoutRequest(ValidateLogoutRequestContext context)
{
// When provided, post_logout_redirect_uri must exactly
// match the address registered by the client application.
if (!context.PostLogoutRedirectUri.IsNullOrWhiteSpace())
{
var rockContext = new RockContext();
var authClientService = new AuthClientService(rockContext);
var authClient = await authClientService.GetByPostLogoutRedirectUrlAsync(context.PostLogoutRedirectUri);
if (authClient == null)
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidRequest,
description: "The specified 'post_logout_redirect_uri' is invalid.");
return;
}
}
context.Validate();
}
public override async Task ValidateLogoutRequest([NotNull] ValidateLogoutRequestContext context)
{
var clientMgr = context.HttpContext.RequestServices.GetRequiredService <OidcClientManager>();
// Skip validation if the post_logout_redirect_uri parameter was missing.
if (string.IsNullOrEmpty(context.PostLogoutRedirectUri))
{
context.Skip();
return;
}
// When provided, post_logout_redirect_uri must exactly match the address registered by the client application.
if (!clientMgr.IsValidPostLogoutRedirectUri(context.PostLogoutRedirectUri))
{
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidClient,
description: "Invalid post_logout_redirect_uri");
return;
}
context.Validate();
}
public override async Task ValidateLogoutRequest(ValidateLogoutRequestContext context) {
var database = context.HttpContext.RequestServices.GetRequiredService<ApplicationContext>();
// Skip validation if the post_logout_redirect_uri parameter was missing.
if (string.IsNullOrEmpty(context.PostLogoutRedirectUri)) {
context.Skip();
return;
}
// When provided, post_logout_redirect_uri must exactly match the address registered by the client application.
if (!await database.Applications.AnyAsync(application => application.LogoutRedirectUri == context.PostLogoutRedirectUri)) {
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidClient,
description: "Invalid post_logout_redirect_uri");
return;
}
context.Validate();
}
public override async Task ValidateLogoutRequest([NotNull] ValidateLogoutRequestContext context)
{
var options = (OpenIddictServerOptions)context.Options;
// If an optional post_logout_redirect_uri was provided, validate it.
if (!string.IsNullOrEmpty(context.PostLogoutRedirectUri))
{
if (!Uri.TryCreate(context.PostLogoutRedirectUri, UriKind.Absolute, out Uri uri) || !uri.IsWellFormedOriginalString())
{
_logger.LogError("The logout request was rejected because the specified post_logout_redirect_uri was not " +
"a valid absolute URL: {PostLogoutRedirectUri}.", context.PostLogoutRedirectUri);
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidRequest,
description: "The 'post_logout_redirect_uri' parameter must be a valid absolute URL.");
return;
}
if (!string.IsNullOrEmpty(uri.Fragment))
{
_logger.LogError("The logout request was rejected because the 'post_logout_redirect_uri' contained " +
"a URL fragment: {PostLogoutRedirectUri}.", context.PostLogoutRedirectUri);
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidRequest,
description: "The 'post_logout_redirect_uri' parameter must not include a fragment.");
return;
}
async Task <bool> ValidatePostLogoutRedirectUriAsync(string address)
{
var applications = await _applicationManager.FindByPostLogoutRedirectUriAsync(address);
if (applications.IsDefaultOrEmpty)
{
return(false);
}
if (options.IgnoreEndpointPermissions)
{
return(true);
}
foreach (var application in applications)
{
if (await _applicationManager.HasPermissionAsync(
application, OpenIddictConstants.Permissions.Endpoints.Logout))
{
return(true);
}
}
return(false);
}
if (!await ValidatePostLogoutRedirectUriAsync(context.PostLogoutRedirectUri))
{
_logger.LogError("The logout request was rejected because the specified post_logout_redirect_uri " +
"was unknown: {PostLogoutRedirectUri}.", context.PostLogoutRedirectUri);
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidRequest,
description: "The specified 'post_logout_redirect_uri' parameter is not valid.");
return;
}
}
context.Validate();
await _eventService.PublishAsync(new OpenIddictServerEvents.ValidateLogoutRequest(context));
}
public override Task ValidateLogoutRequest(ValidateLogoutRequestContext context)
{
// Don't validate logout url, as we don't have it
context.Validate();
return(Task.CompletedTask);
}