public async Task IsActiveAsync(IsActiveContext context) { var client = Mapper.Map<IdentityServerClient, DomainClient>(context.Client); var result = await domainService.IsActiveAsync(context.Subject, client); context.IsActive = result; }
public override async Task IsActiveAsync(IsActiveContext context) { var userName = context.Subject.Identity.Name; using (var client = new HttpClient { BaseAddress = new Uri(this.usersApiUri) }) { context.IsActive = await UserExistsAsync(client, userName); } }
public async Task IsActiveAsync(IsActiveContext context) { context.IsActive = false; foreach (var service in this.services) { await service.IsActiveAsync(context); if (context.IsActive) { return; } } }
/// <summary> /// Custom validation logic for access tokens. /// </summary> /// <param name="result">The validation result so far.</param> /// <returns> /// The validation result /// </returns> public virtual async Task<TokenValidationResult> ValidateAccessTokenAsync(TokenValidationResult result) { if (result.IsError) { return result; } // make sure user is still active (if sub claim is present) var subClaim = result.Claims.FirstOrDefault(c => c.Type == Constants.ClaimTypes.Subject); if (subClaim != null) { var principal = Principal.Create("tokenvalidator", result.Claims.ToArray()); if (result.ReferenceTokenId.IsPresent()) { principal.Identities.First().AddClaim(new Claim(Constants.ClaimTypes.ReferenceTokenId, result.ReferenceTokenId)); } var isActiveCtx = new IsActiveContext(principal, result.Client); await _users.IsActiveAsync(isActiveCtx); if (isActiveCtx.IsActive == false) { Logger.Warn("User marked as not active: " + subClaim.Value); result.IsError = true; result.Error = Constants.ProtectedResourceErrors.InvalidToken; result.Claims = null; return result; } } // make sure client is still active (if client_id claim is present) var clientClaim = result.Claims.FirstOrDefault(c => c.Type == Constants.ClaimTypes.ClientId); if (clientClaim != null) { var client = await _clients.FindClientByIdAsync(clientClaim.Value); if (client == null || client.Enabled == false) { Logger.Warn("Client deleted or disabled: " + clientClaim.Value); result.IsError = true; result.Error = Constants.ProtectedResourceErrors.InvalidToken; result.Claims = null; return result; } } return result; }
public override Task IsActiveAsync(IdentityServer3.Core.Models.IsActiveContext context) { if (context.Subject == null) { throw new ArgumentNullException("subject"); } var subjectId = context.Subject.GetSubjectId(); var user = _userManager.Users.FirstOrDefault(u => u.Id == subjectId); // set whether or not the user is active context.IsActive = (user != null) && user.IsActive; return(Task.FromResult(0)); }
public override Task IsActiveAsync(IdentityServer3.Core.Models.IsActiveContext context) { using (var userRepository = new UserRepository()) { if (context.Subject == null) { throw new ArgumentNullException("subject"); } var user = userRepository.GetUser(context.Subject.GetSubjectId()); // set whether or not the user is active context.IsActive = (user != null) && user.IsActive; return(Task.FromResult(0)); } }
private async Task<TokenRequestValidationResult> ValidateAuthorizationCodeRequestAsync(NameValueCollection parameters) { Logger.Info("Start validation of authorization code token request"); ///////////////////////////////////////////// // check if client is authorized for grant type ///////////////////////////////////////////// if (_validatedRequest.Client.Flow != Flows.AuthorizationCode && _validatedRequest.Client.Flow != Flows.Hybrid) { LogError("Client not authorized for code flow"); return Invalid(Constants.TokenErrors.UnauthorizedClient); } ///////////////////////////////////////////// // validate authorization code ///////////////////////////////////////////// var code = parameters.Get(Constants.TokenRequest.Code); if (code.IsMissing()) { var error = "Authorization code is missing."; LogError(error); await RaiseFailedAuthorizationCodeRedeemedEventAsync(null, error); return Invalid(Constants.TokenErrors.InvalidGrant); } if (code.Length > _options.InputLengthRestrictions.AuthorizationCode) { var error = "Authorization code is too long."; LogError(error); await RaiseFailedAuthorizationCodeRedeemedEventAsync(null, error); return Invalid(Constants.TokenErrors.InvalidGrant); } _validatedRequest.AuthorizationCodeHandle = code; var authZcode = await _authorizationCodes.GetAsync(code); if (authZcode == null) { LogError("Invalid authorization code: " + code); await RaiseFailedAuthorizationCodeRedeemedEventAsync(code, "Invalid handle"); return Invalid(Constants.TokenErrors.InvalidGrant); } await _authorizationCodes.RemoveAsync(code); ///////////////////////////////////////////// // populate session id ///////////////////////////////////////////// if (authZcode.SessionId.IsPresent()) { _validatedRequest.SessionId = authZcode.SessionId; } ///////////////////////////////////////////// // validate client binding ///////////////////////////////////////////// if (authZcode.Client.ClientId != _validatedRequest.Client.ClientId) { LogError(string.Format("Client {0} is trying to use a code from client {1}", _validatedRequest.Client.ClientId, authZcode.Client.ClientId)); await RaiseFailedAuthorizationCodeRedeemedEventAsync(code, "Invalid client binding"); return Invalid(Constants.TokenErrors.InvalidGrant); } ///////////////////////////////////////////// // validate code expiration ///////////////////////////////////////////// if (authZcode.CreationTime.HasExceeded(_validatedRequest.Client.AuthorizationCodeLifetime)) { var error = "Authorization code is expired"; LogError(error); await RaiseFailedAuthorizationCodeRedeemedEventAsync(code, error); return Invalid(Constants.TokenErrors.InvalidGrant); } _validatedRequest.AuthorizationCode = authZcode; ///////////////////////////////////////////// // validate redirect_uri ///////////////////////////////////////////// var redirectUri = parameters.Get(Constants.TokenRequest.RedirectUri); if (redirectUri.IsMissing()) { var error = "Redirect URI is missing."; LogError(error); await RaiseFailedAuthorizationCodeRedeemedEventAsync(code, error); return Invalid(Constants.TokenErrors.UnauthorizedClient); } if (redirectUri.Equals(_validatedRequest.AuthorizationCode.RedirectUri, StringComparison.Ordinal) == false) { var error = "Invalid redirect_uri: " + redirectUri; LogError(error); await RaiseFailedAuthorizationCodeRedeemedEventAsync(code, error); return Invalid(Constants.TokenErrors.UnauthorizedClient); } ///////////////////////////////////////////// // validate scopes are present ///////////////////////////////////////////// if (_validatedRequest.AuthorizationCode.RequestedScopes == null || !_validatedRequest.AuthorizationCode.RequestedScopes.Any()) { var error = "Authorization code has no associated scopes."; LogError(error); await RaiseFailedAuthorizationCodeRedeemedEventAsync(code, error); return Invalid(Constants.TokenErrors.InvalidRequest); } ///////////////////////////////////////////// // make sure user is enabled ///////////////////////////////////////////// var isActiveCtx = new IsActiveContext(_validatedRequest.AuthorizationCode.Subject, _validatedRequest.Client); await _users.IsActiveAsync(isActiveCtx); if (isActiveCtx.IsActive == false) { var error = "User has been disabled: " + _validatedRequest.AuthorizationCode.Subject; LogError(error); await RaiseFailedAuthorizationCodeRedeemedEventAsync(code, error); return Invalid(Constants.TokenErrors.InvalidRequest); } Logger.Info("Validation of authorization code token request success"); await RaiseSuccessfulAuthorizationCodeRedeemedEventAsync(); return Valid(); }
public async Task IsActiveAsync(IsActiveContext context) { await this.inMemoryUserService.IsActiveAsync(context); }
/// <summary> /// This method gets called whenever identity server needs to determine if the user is valid or active (e.g. during token issuance or validation) /// </summary> /// <param name="context">The context.</param> /// <returns></returns> /// <exception cref="System.ArgumentNullException">subject</exception> public override Task IsActiveAsync(IsActiveContext context) { if (context.Subject == null) throw new ArgumentNullException("subject"); var query = from u in _users where u.Subject == context.Subject.GetSubjectId() select u; var user = query.SingleOrDefault(); context.IsActive = (user != null) && user.Enabled; return Task.FromResult(0); }
public Task IsActiveAsync(IsActiveContext context) { context.IsActive = true; return Task.FromResult(0); }
private async Task<TokenRequestValidationResult> ValidateAuthorizationCodeRequestAsync(NameValueCollection parameters) { Logger.Info("Start validation of authorization code token request"); ///////////////////////////////////////////// // check if client is authorized for grant type ///////////////////////////////////////////// if (Constants.AllowedFlowsForAuthorizationCodeGrantType.Contains(_validatedRequest.Client.Flow) == false) { LogError("Client not authorized for code flow"); return Invalid(Constants.TokenErrors.UnauthorizedClient); } ///////////////////////////////////////////// // validate authorization code ///////////////////////////////////////////// var code = parameters.Get(Constants.TokenRequest.Code); if (code.IsMissing()) { var error = "Authorization code is missing."; LogError(error); await RaiseFailedAuthorizationCodeRedeemedEventAsync(null, error); return Invalid(Constants.TokenErrors.InvalidGrant); } if (code.Length > _options.InputLengthRestrictions.AuthorizationCode) { var error = "Authorization code is too long."; LogError(error); await RaiseFailedAuthorizationCodeRedeemedEventAsync(null, error); return Invalid(Constants.TokenErrors.InvalidGrant); } _validatedRequest.AuthorizationCodeHandle = code; var authZcode = await _authorizationCodes.GetAsync(code); if (authZcode == null) { LogError("Invalid authorization code: " + code); await RaiseFailedAuthorizationCodeRedeemedEventAsync(code, "Invalid handle"); return Invalid(Constants.TokenErrors.InvalidGrant); } await _authorizationCodes.RemoveAsync(code); ///////////////////////////////////////////// // populate session id ///////////////////////////////////////////// if (authZcode.SessionId.IsPresent()) { _validatedRequest.SessionId = authZcode.SessionId; } ///////////////////////////////////////////// // validate client binding ///////////////////////////////////////////// if (authZcode.Client.ClientId != _validatedRequest.Client.ClientId) { LogError(string.Format("Client {0} is trying to use a code from client {1}", _validatedRequest.Client.ClientId, authZcode.Client.ClientId)); await RaiseFailedAuthorizationCodeRedeemedEventAsync(code, "Invalid client binding"); return Invalid(Constants.TokenErrors.InvalidGrant); } ///////////////////////////////////////////// // validate PKCE parameters ///////////////////////////////////////////// var codeVerifier = parameters.Get(Constants.TokenRequest.CodeVerifier); if (authZcode.Client.Flow == Flows.AuthorizationCodeWithProofKey || authZcode.Client.Flow == Flows.HybridWithProofKey) { var proofKeyResult = ValidateAuthorizationCodeWithProofKeyParameters(codeVerifier, authZcode); if (proofKeyResult.IsError) { return proofKeyResult; } _validatedRequest.CodeVerifier = codeVerifier; } else { if (codeVerifier.IsPresent()) { LogError("Unexpected code_verifier with Flow " + authZcode.Client.Flow.ToString()); return Invalid(Constants.TokenErrors.InvalidGrant); } } ///////////////////////////////////////////// // validate code expiration ///////////////////////////////////////////// if (authZcode.CreationTime.HasExceeded(_validatedRequest.Client.AuthorizationCodeLifetime)) { var error = "Authorization code is expired"; LogError(error); await RaiseFailedAuthorizationCodeRedeemedEventAsync(code, error); return Invalid(Constants.TokenErrors.InvalidGrant); } _validatedRequest.AuthorizationCode = authZcode; ///////////////////////////////////////////// // validate redirect_uri ///////////////////////////////////////////// var redirectUri = parameters.Get(Constants.TokenRequest.RedirectUri); if (redirectUri.IsMissing()) { var error = "Redirect URI is missing."; LogError(error); await RaiseFailedAuthorizationCodeRedeemedEventAsync(code, error); return Invalid(Constants.TokenErrors.UnauthorizedClient); } if (redirectUri.Equals(_validatedRequest.AuthorizationCode.RedirectUri, StringComparison.Ordinal) == false) { var error = "Invalid redirect_uri: " + redirectUri; LogError(error); await RaiseFailedAuthorizationCodeRedeemedEventAsync(code, error); return Invalid(Constants.TokenErrors.UnauthorizedClient); } ///////////////////////////////////////////// // validate scopes are present ///////////////////////////////////////////// if (_validatedRequest.AuthorizationCode.RequestedScopes == null || !_validatedRequest.AuthorizationCode.RequestedScopes.Any()) { var error = "Authorization code has no associated scopes."; LogError(error); await RaiseFailedAuthorizationCodeRedeemedEventAsync(code, error); return Invalid(Constants.TokenErrors.InvalidRequest); } ///////////////////////////////////////////// // make sure user is enabled ///////////////////////////////////////////// var isActiveCtx = new IsActiveContext(_validatedRequest.AuthorizationCode.Subject, _validatedRequest.Client); await _users.IsActiveAsync(isActiveCtx); if (isActiveCtx.IsActive == false) { var error = "User has been disabled: " + _validatedRequest.AuthorizationCode.Subject; LogError(error); await RaiseFailedAuthorizationCodeRedeemedEventAsync(code, error); return Invalid(Constants.TokenErrors.InvalidRequest); } ///////////////////////////////////////////// // validate token type and PoP parameters if pop token is requested ///////////////////////////////////////////// var tokenType = parameters.Get("token_type"); if (tokenType != null && tokenType == Constants.ResponseTokenTypes.PoP) { var result = ValidatePopParameters(parameters); if (result.IsError) { var error = "PoP parameter validation failed: " + result.ErrorDescription; LogError(error); await RaiseFailedAuthorizationCodeRedeemedEventAsync(code, error); return Invalid(result.Error, result.ErrorDescription); } else { _validatedRequest.RequestedTokenType = RequestedTokenTypes.PoP; } } Logger.Info("Validation of authorization code token request success"); await RaiseSuccessfulAuthorizationCodeRedeemedEventAsync(); return Valid(); }
public Task IsActiveAsync(IsActiveContext context) { return inner.IsActiveAsync(context); }
public override async Task IsActiveAsync(IsActiveContext context) { var username = GetName(context.Subject); using (var client = await CreateClientAsync()) { context.IsActive = await UserExistsAsync(client, username); } }
public override Task IsActiveAsync(IsActiveContext context) { var subject = context.Subject; //Should be the objectid of the user. //TODO Check with graph client that the account is enabled. See properties of GetAllUsers in unit tests return base.IsActiveAsync(context); }
/// <summary> /// Check exited user by Subject from client /// </summary> /// <param name="ctx"></param> /// <returns></returns> public override async Task IsActiveAsync(IsActiveContext ctx) { var subject = ctx.Subject; if (subject == null) throw new ArgumentNullException("subject"); //get username in token var id = subject.GetSubjectId(); ctx.IsActive = true; //check active using (var aduser = GetUser(id)) { if (aduser != null && !aduser.IsAccountLockedOut()) { ctx.IsActive = true; } } }
/// <summary> /// This method gets called whenever identity server needs to determine if the user is valid or active (e.g. if the user's account has been deactivated since they logged in). /// (e.g. during token issuance or validation). /// </summary> /// <param name="context">The context.</param> /// <returns></returns> public virtual Task IsActiveAsync(IsActiveContext context) { return Task.FromResult(0); }
public override Task IsActiveAsync(IsActiveContext context) { if(context.Subject == null) { throw new ArgumentException("subject"); } //var currentUser = dbContext.UserProfiles.FirstOrDefault(x => x.Id.ToString() == context.Subject.GetSubjectId()); // Todo: Check active flag on the user and set it context.IsActive = true; return Task.FromResult(0); }
private async Task<TokenRequestValidationResult> ValidateRefreshTokenRequestAsync(NameValueCollection parameters) { Logger.Info("Start validation of refresh token request"); var refreshTokenHandle = parameters.Get(Constants.TokenRequest.RefreshToken); if (refreshTokenHandle.IsMissing()) { var error = "Refresh token is missing"; LogError(error); await RaiseRefreshTokenRefreshFailureEventAsync(null, error); return Invalid(Constants.TokenErrors.InvalidRequest); } if (refreshTokenHandle.Length > _options.InputLengthRestrictions.RefreshToken) { var error = "Refresh token too long"; LogError(error); await RaiseRefreshTokenRefreshFailureEventAsync(null, error); return Invalid(Constants.TokenErrors.InvalidGrant); } _validatedRequest.RefreshTokenHandle = refreshTokenHandle; ///////////////////////////////////////////// // check if refresh token is valid ///////////////////////////////////////////// var refreshToken = await _refreshTokens.GetAsync(refreshTokenHandle); if (refreshToken == null) { var error = "Refresh token is invalid"; LogWarn(error); await RaiseRefreshTokenRefreshFailureEventAsync(refreshTokenHandle, error); return Invalid(Constants.TokenErrors.InvalidGrant); } ///////////////////////////////////////////// // check if refresh token has expired ///////////////////////////////////////////// if (refreshToken.CreationTime.HasExceeded(refreshToken.LifeTime)) { var error = "Refresh token has expired"; LogWarn(error); await RaiseRefreshTokenRefreshFailureEventAsync(refreshTokenHandle, error); await _refreshTokens.RemoveAsync(refreshTokenHandle); return Invalid(Constants.TokenErrors.InvalidGrant); } ///////////////////////////////////////////// // check if client belongs to requested refresh token ///////////////////////////////////////////// if (_validatedRequest.Client.ClientId != refreshToken.ClientId) { LogError(string.Format("Client {0} tries to refresh token belonging to client {1}", _validatedRequest.Client.ClientId, refreshToken.ClientId)); await RaiseRefreshTokenRefreshFailureEventAsync(refreshTokenHandle, "Invalid client binding"); return Invalid(Constants.TokenErrors.InvalidGrant); } ///////////////////////////////////////////// // check if client still has offline_access scope ///////////////////////////////////////////// if (!_validatedRequest.Client.AllowAccessToAllScopes) { if (!_validatedRequest.Client.AllowedScopes.Contains(Constants.StandardScopes.OfflineAccess)) { var error = "Client does not have access to offline_access scope anymore"; LogError(error); await RaiseRefreshTokenRefreshFailureEventAsync(refreshTokenHandle, error); return Invalid(Constants.TokenErrors.InvalidGrant); } } _validatedRequest.RefreshToken = refreshToken; ///////////////////////////////////////////// // make sure user is enabled ///////////////////////////////////////////// var principal = IdentityServerPrincipal.FromSubjectId(_validatedRequest.RefreshToken.SubjectId, refreshToken.AccessToken.Claims); var isActiveCtx = new IsActiveContext(principal, _validatedRequest.Client); await _users.IsActiveAsync(isActiveCtx); if (isActiveCtx.IsActive == false) { var error = "User has been disabled: " + _validatedRequest.RefreshToken.SubjectId; LogError(error); await RaiseRefreshTokenRefreshFailureEventAsync(refreshTokenHandle, error); return Invalid(Constants.TokenErrors.InvalidRequest); } Logger.Info("Validation of refresh token request success"); return Valid(); }
public async Task IsActiveAsync(IsActiveContext context) { if (context.Subject == null) throw new ArgumentNullException("Subject"); var userId = Guid.Parse(context.Subject.GetSubjectId()); var user = await this.userManager.FindByIdAsync(userId); if (user == null) { context.IsActive = false; return; } if (this.userManager.SupportsUserSecurityStamp) { var securityStamp = context.Subject.Claims.Where(x => x.Type == SecurityStampClaimType).Select(x => x.Value).SingleOrDefault(); if (securityStamp != null && securityStamp != user.SecurityStamp) { context.IsActive = false; return; } } context.IsActive = true; }
public override async Task IsActiveAsync(IsActiveContext context) { var user = await _userRepository.GetUserAsync(context.Subject.GetSubjectId()); context.IsActive = user != null && user.IsActive; }
public async Task<LoginInteractionResponse> ProcessLoginAsync(ValidatedAuthorizeRequest request, ClaimsPrincipal user) { // let the login page know the client requesting authorization _signIn.ClientId = request.ClientId; // pass through display mode to signin service if (request.DisplayMode.IsPresent()) { _signIn.DisplayMode = request.DisplayMode; } // pass through ui locales to signin service if (request.UiLocales.IsPresent()) { _signIn.UiLocales = request.UiLocales; } // pass through login_hint if (request.LoginHint.IsPresent()) { _signIn.LoginHint = request.LoginHint; } // process acr values var acrValues = request.AuthenticationContextReferenceClasses.Distinct().ToList(); // look for well-known acr value -- idp var idp = acrValues.FirstOrDefault(x => x.StartsWith(Constants.KnownAcrValues.HomeRealm)); if (idp.IsPresent()) { _signIn.IdP = idp.Substring(Constants.KnownAcrValues.HomeRealm.Length); acrValues.Remove(idp); } // look for well-known acr value -- tenant var tenant = acrValues.FirstOrDefault(x => x.StartsWith(Constants.KnownAcrValues.Tenant)); if (tenant.IsPresent()) { _signIn.Tenant = tenant.Substring(Constants.KnownAcrValues.Tenant.Length); acrValues.Remove(tenant); } // pass through any remaining acr values if (acrValues.Any()) { _signIn.AcrValues = acrValues; } if (request.PromptMode == Constants.PromptModes.Login) { // remove prompt so when we redirect back in from login page // we won't think we need to force a prompt again request.Raw.Remove(Constants.AuthorizeRequest.Prompt); Logger.Info("Redirecting to login page because of prompt=login"); return new LoginInteractionResponse { SignInMessage = _signIn }; } // unauthenticated user var isAuthenticated = user.Identity.IsAuthenticated; if (!isAuthenticated) Logger.Info("User is not authenticated. Redirecting to login."); // user de-activated bool isActive = false; if (isAuthenticated) { var isActiveCtx = new IsActiveContext(user, request.Client); await _users.IsActiveAsync(isActiveCtx); isActive = isActiveCtx.IsActive; if (!isActive) Logger.Info("User is not active. Redirecting to login."); } if (!isAuthenticated || !isActive) { // prompt=none means user must be signed in already if (request.PromptMode == Constants.PromptModes.None) { Logger.Info("prompt=none was requested. But user is not authenticated."); return new LoginInteractionResponse { Error = new AuthorizeError { ErrorType = ErrorTypes.Client, Error = Constants.AuthorizeErrors.LoginRequired, ResponseMode = request.ResponseMode, ErrorUri = request.RedirectUri, State = request.State } }; } return new LoginInteractionResponse { SignInMessage = _signIn }; } // check current idp var currentIdp = user.GetIdentityProvider(); // check if idp login hint matches current provider if (_signIn.IdP.IsPresent()) { if (_signIn.IdP != currentIdp) { Logger.Info("Current IdP is not the requested IdP. Redirecting to login"); Logger.InfoFormat("Current: {0} -- Requested: {1}", currentIdp, _signIn.IdP); return new LoginInteractionResponse { SignInMessage = _signIn }; } } // check authentication freshness if (request.MaxAge.HasValue) { var authTime = user.GetAuthenticationTime(); if (DateTimeOffsetHelper.UtcNow > authTime.AddSeconds(request.MaxAge.Value)) { Logger.Info("Requested MaxAge exceeded. Redirecting to login"); return new LoginInteractionResponse { SignInMessage = _signIn }; } } return new LoginInteractionResponse(); }
/// <summary> /// Custom validation logic for identity tokens. /// </summary> /// <param name="result">The validation result so far.</param> /// <returns> /// The validation result /// </returns> public virtual async Task<TokenValidationResult> ValidateIdentityTokenAsync(TokenValidationResult result) { // make sure user is still active (if sub claim is present) var subClaim = result.Claims.FirstOrDefault(c => c.Type == Constants.ClaimTypes.Subject); if (subClaim != null) { var principal = Principal.Create("tokenvalidator", result.Claims.ToArray()); var isActiveCtx = new IsActiveContext(principal, result.Client); await _users.IsActiveAsync(isActiveCtx); if (isActiveCtx.IsActive == false) { Logger.Warn("User marked as not active: " + subClaim.Value); result.IsError = true; result.Error = Constants.ProtectedResourceErrors.InvalidToken; result.Claims = null; return result; } } return result; }