private ITokenManager GetTestTokenManager(
Token token = null,
string userId = null,
string clientId = null,
IEnumerable <string> grantedTokens = null,
IEnumerable <string> grantedScopes = null)
{
userId = userId ?? "userId";
clientId = clientId ?? "clientId";
grantedTokens = grantedTokens ?? Enumerable.Empty <string>();
var parsedScopes = grantedScopes?.Select(s => ApplicationScope.CanonicalScopes.TryGetValue(s, out var found) ? found : new ApplicationScope(clientId, s)) ??
new[] { ApplicationScope.OpenId, ApplicationScope.OfflineAccess };
var mock = new Mock <ITokenManager>();
if (token == null)
{
mock.Setup(m => m.ExchangeTokenAsync(It.IsAny <OpenIdConnectMessage>()))
.ReturnsAsync(AuthorizationGrant.Invalid(ProtocolErrorProvider.InvalidGrant()));
}
else
{
mock.Setup(m => m.ExchangeTokenAsync(It.IsAny <OpenIdConnectMessage>()))
.ReturnsAsync(AuthorizationGrant.Valid(
userId,
clientId,
grantedTokens,
parsedScopes,
token));
}
return(mock.Object);
}
public async Task <AuthorizationGrant> ExchangeTokenAsync(OpenIdConnectMessage message)
{
switch (message.GrantType)
{
case OpenIdConnectGrantTypes.AuthorizationCode:
return(await _codeIssuer.ExchangeAuthorizationCodeAsync(message));
case OpenIdConnectGrantTypes.RefreshToken:
return(await _refreshTokenIssuer.ExchangeRefreshTokenAsync(message));
default:
return(AuthorizationGrant.Invalid(_errorProvider.InvalidGrantType(message.GrantType)));
}
}
public Task <AuthorizationGrant> ExchangeRefreshTokenAsync(OpenIdConnectMessage message)
{
var refreshToken = _dataFormat.Unprotect(message.RefreshToken);
var resource = refreshToken.Resource;
var scopes = refreshToken.Scopes
.Select(s => ApplicationScope.CanonicalScopes.TryGetValue(s, out var scope) ? scope : new ApplicationScope(resource, s));
return(Task.FromResult(AuthorizationGrant.Valid(
refreshToken.UserId,
refreshToken.ClientId,
refreshToken.GrantedTokens,
scopes,
refreshToken)));
}
public Task <AuthorizationGrant> ExchangeAuthorizationCodeAsync(OpenIdConnectMessage message)
{
var code = _dataFormat.Unprotect(message.Code);
if (code == null)
{
return(Task.FromResult(AuthorizationGrant.Invalid(_errorProvider.InvalidAuthorizationCode())));
}
var userId = code.UserId;
var clientId = code.ClientId;
var scopes = code.Scopes;
var resource = code.Resource;
var nonce = code.Nonce;
var tokenTypes = code.GrantedTokens;
var grantedScopes = scopes.SelectMany(s => s.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries))
.Select(s => ApplicationScope.CanonicalScopes.TryGetValue(s, out var canonicalScope) ? canonicalScope : new ApplicationScope(resource, s))
.ToList();
return(Task.FromResult(AuthorizationGrant.Valid(userId, clientId, tokenTypes, grantedScopes, code)));
}
private async Task <OpenIdConnectMessage> ValidateAuthorizationCode(
IDictionary <string, string[]> requestParameters,
string clientId,
AuthorizationGrant consentGrant)
{
if (!(consentGrant.Token is AuthorizationCode code))
{
throw new InvalidOperationException("Granted token must be an authorization code.");
}
var(redirectUri, redirectUriError) = RequestParametersHelper.ValidateOptionalParameterIsUnique(requestParameters, OpenIdConnectParameterNames.RedirectUri, _errorProvider);
if (redirectUriError != null)
{
return(redirectUriError);
}
var tokenRedirectUri = code.RedirectUri;
if (redirectUri == null && tokenRedirectUri != null)
{
return(_errorProvider.MissingRequiredParameter(OpenIdConnectParameterNames.RedirectUri));
}
if (!string.Equals(redirectUri, tokenRedirectUri, StringComparison.Ordinal))
{
return(_errorProvider.MismatchedRedirectUrl(redirectUri));
}
var resolution = await _redirectUriValidator.ResolveRedirectUriAsync(clientId, redirectUri);
if (!resolution.IsValid)
{
return(_errorProvider.InvalidRedirectUri(redirectUri));
}
if (code.CodeChallenge != null)
{
if (!ProofOfKeyForCodeExchangeChallengeMethods.SHA256.Equals(code.CodeChallengeMethod, StringComparison.Ordinal))
{
throw new InvalidOperationException("Unsupported code challenge method.");
}
var(verifier, verifierError) = RequestParametersHelper.ValidateParameterIsUnique(requestParameters, ProofOfKeyForCodeExchangeParameterNames.CodeVerifier, _errorProvider);
if (verifierError != null)
{
return(verifierError);
}
// code-verifier = [a-zA-Z0-9\-._~]{43,128}
if (verifier.Length < 43 || verifier.Length > 128)
{
return(_errorProvider.InvalidCodeVerifier());
}
for (var i = 0; i < verifier.Length; i++)
{
if (verifier[i] > 127 || !ValidCodeVerifierCharacters[verifier[i]])
{
return(_errorProvider.InvalidCodeVerifier());
}
}
if (!string.Equals(code.CodeChallenge, GetComputedChallenge(verifier), StringComparison.Ordinal))
{
return(_errorProvider.InvalidCodeVerifier());
}
}
return(null);
}
