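/// <summary>
/// Validates the <c>scope</c> parameter of a token request: it must be present,
/// within the configured length limit, parseable, allowed for the requesting
/// client and known to the scope validator. On success the parsed scopes and the
/// validator are recorded on <c>_validatedRequest</c>.
/// </summary>
/// <param name="parameters">The raw token request parameters.</param>
/// <returns>
/// <c>true</c> when every check passes; otherwise <c>false</c>. Every rejection
/// path writes an error log entry so that failed scope checks can be traced in
/// the server log rather than failing silently.
/// </returns>
private async Task<bool> ValidateRequestedScopesAsync(NameValueCollection parameters)
{
    var scopes = parameters.Get(OidcConstants.TokenRequest.Scope);

    // Presence and length are checked together before any parsing is attempted.
    if (scopes.IsMissingOrTooLong(_options.InputLengthRestrictions.Scope))
    {
        _logger.LogError("Scopes missing or too long");
        return false;
    }

    var requestedScopes = scopes.ParseScopesString();
    if (requestedScopes == null)
    {
        _logger.LogError("No scopes found in request");
        return false;
    }

    // Order is deliberate and unchanged: the client's allowed-scope restriction is
    // evaluated before the scope-validity lookup.
    if (!_scopeValidator.AreScopesAllowed(_validatedRequest.Client, requestedScopes))
    {
        _logger.LogError("Requested scopes are not allowed for this client");
        return false;
    }

    if (!await _scopeValidator.AreScopesValidAsync(requestedScopes))
    {
        _logger.LogError("Requested scopes are not valid");
        return false;
    }

    _validatedRequest.Scopes = requestedScopes;
    _validatedRequest.ValidatedScopes = _scopeValidator;
    return true;
}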
/// <summary>
/// Validates the <c>scope</c> parameter of a token request. When the parameter is
/// absent, the client's configured <c>AllowedScopes</c> are used in its place; a
/// client with no allowed scopes is rejected. The resulting scope string is then
/// length-checked, parsed, checked against the client's restrictions and against
/// the scope validator. On success the parsed scopes and the validator are stored
/// on <c>_validatedRequest</c>.
/// </summary>
/// <param name="parameters">The raw token request parameters.</param>
/// <returns><c>true</c> when all checks pass; otherwise <c>false</c> (each rejection is logged).</returns>
private async Task<bool> ValidateRequestedScopesAsync(NameValueCollection parameters)
{
    var client = _validatedRequest.Client;
    var scopeValue = parameters.Get(OidcConstants.TokenRequest.Scope);

    if (scopeValue.IsMissing())
    {
        _logger.LogTrace("Client provided no scopes - checking allowed scopes list");

        if (client.AllowedScopes.IsNullOrEmpty())
        {
            LogError("No allowed scopes configured for {clientId}", client.ClientId);
            return false;
        }

        // Fall back to everything the client is configured for.
        scopeValue = client.AllowedScopes.ToSpaceSeparatedString();
        _logger.LogTrace("Defaulting to: {scopes}", scopeValue);
    }

    // The length limit also applies to the defaulted value.
    var maxLength = _options.InputLengthRestrictions.Scope;
    if (scopeValue.Length > maxLength)
    {
        LogError("Scope parameter exceeds max allowed length");
        return false;
    }

    var parsedScopes = scopeValue.ParseScopesString();
    if (parsedScopes == null)
    {
        LogError("No scopes found in request");
        return false;
    }

    // Client restriction first, then scope validity (same order as before).
    var allowedForClient = _scopeValidator.AreScopesAllowed(client, parsedScopes);
    if (!allowedForClient)
    {
        LogError();
        return false;
    }

    var scopesValid = await _scopeValidator.AreScopesValidAsync(parsedScopes);
    if (!scopesValid)
    {
        LogError();
        return false;
    }

    _validatedRequest.Scopes = parsedScopes;
    _validatedRequest.ValidatedScopes = _scopeValidator;
    return true;
}
/// <summary>
/// Validates the <c>scope</c> parameter of an authorize request and records the
/// outcome on <paramref name="request"/>: the distinct requested scopes, whether
/// the request is an OpenID request, whether it asks for resource scopes, and the
/// scope validator that approved it.
/// </summary>
/// <param name="request">The authorize request being validated; its <c>Raw</c>
/// parameters, <c>ResponseType</c> and <c>Client</c> are read.</param>
/// <returns>
/// <c>Valid(request)</c> when every check passes. Otherwise <c>Invalid(request)</c>
/// for a missing/oversized scope or a response_type that requires openid without
/// it, <c>Invalid(request, InvalidScope)</c> for unknown scopes, identity scopes
/// without openid, or a response_type that does not fit the scope mix, and
/// <c>Invalid(request, UnauthorizedClient)</c> when the client may not use the
/// requested scopes.
/// </returns>
private async Task<AuthorizeRequestValidationResult> ValidateScopeAsync(ValidatedAuthorizeRequest request)
{
    // ---- scope must be present and within the configured length ---------------
    var rawScope = request.Raw.Get(OidcConstants.AuthorizeRequest.Scope);

    if (rawScope.IsMissing())
    {
        LogError("scope is missing", request);
        return Invalid(request);
    }

    if (rawScope.Length > _options.InputLengthRestrictions.Scope)
    {
        LogError("scopes too long.", request);
        return Invalid(request);
    }

    var distinctScopes = rawScope.FromSpaceSeparatedString().Distinct().ToList();
    request.RequestedScopes = distinctScopes;

    if (distinctScopes.Contains(Constants.StandardScopes.OpenId))
    {
        request.IsOpenIdRequest = true;
    }

    // ---- scope vs response_type plausibility -----------------------------------
    // NOTE(review): if this map is a Dictionary, the indexer throws for a
    // response_type it does not contain — assumes response_type was validated
    // earlier in the pipeline; confirm against the caller.
    var requirement = Constants.ResponseTypeToScopeRequirement[request.ResponseType];
    var identityRequired =
        requirement == Constants.ScopeRequirement.Identity
        || requirement == Constants.ScopeRequirement.IdentityOnly;

    if (identityRequired && !request.IsOpenIdRequest)
    {
        LogError("response_type requires the openid scope", request);
        return Invalid(request);
    }

    // ---- scopes must be valid/supported; detect resource scopes -----------------
    var scopesValid = await _scopeValidator.AreScopesValidAsync(request.RequestedScopes);
    if (!scopesValid)
    {
        return Invalid(request, OidcConstants.AuthorizeErrors.InvalidScope);
    }

    if (!request.IsOpenIdRequest && _scopeValidator.ContainsOpenIdScopes)
    {
        LogError("Identity related scope requests, but no openid scope", request);
        return Invalid(request, OidcConstants.AuthorizeErrors.InvalidScope);
    }

    if (_scopeValidator.ContainsResourceScopes)
    {
        request.IsResourceRequest = true;
    }

    // ---- client scope restrictions ----------------------------------------------
    var allowedForClient = _scopeValidator.AreScopesAllowed(request.Client, request.RequestedScopes);
    if (!allowedForClient)
    {
        return Invalid(request, OidcConstants.AuthorizeErrors.UnauthorizedClient);
    }

    request.ValidatedScopes = _scopeValidator;

    // ---- identity vs resource scopes and response_type plausibility -------------
    if (!_scopeValidator.IsResponseTypeValid(request.ResponseType))
    {
        return Invalid(request, OidcConstants.AuthorizeErrors.InvalidScope);
    }

    return Valid(request);
}