示例#1
0
        private ITokenManager GetTestTokenManager(
            Token token     = null,
            string userId   = null,
            string clientId = null,
            IEnumerable <string> grantedTokens = null,
            IEnumerable <string> grantedScopes = null)
        {
            userId        = userId ?? "userId";
            clientId      = clientId ?? "clientId";
            grantedTokens = grantedTokens ?? Enumerable.Empty <string>();
            var parsedScopes = grantedScopes?.Select(s => ApplicationScope.CanonicalScopes.TryGetValue(s, out var found) ? found : new ApplicationScope(clientId, s)) ??
                               new[] { ApplicationScope.OpenId, ApplicationScope.OfflineAccess };

            var mock = new Mock <ITokenManager>();

            if (token == null)
            {
                mock.Setup(m => m.ExchangeTokenAsync(It.IsAny <OpenIdConnectMessage>()))
                .ReturnsAsync(AuthorizationGrant.Invalid(ProtocolErrorProvider.InvalidGrant()));
            }
            else
            {
                mock.Setup(m => m.ExchangeTokenAsync(It.IsAny <OpenIdConnectMessage>()))
                .ReturnsAsync(AuthorizationGrant.Valid(
                                  userId,
                                  clientId,
                                  grantedTokens,
                                  parsedScopes,
                                  token));
            }

            return(mock.Object);
        }
示例#2
0
        public async Task <AuthorizationGrant> ExchangeTokenAsync(OpenIdConnectMessage message)
        {
            switch (message.GrantType)
            {
            case OpenIdConnectGrantTypes.AuthorizationCode:
                return(await _codeIssuer.ExchangeAuthorizationCodeAsync(message));

            case OpenIdConnectGrantTypes.RefreshToken:
                return(await _refreshTokenIssuer.ExchangeRefreshTokenAsync(message));

            default:
                return(AuthorizationGrant.Invalid(_errorProvider.InvalidGrantType(message.GrantType)));
            }
        }
示例#3
0
        public Task <AuthorizationGrant> ExchangeRefreshTokenAsync(OpenIdConnectMessage message)
        {
            var refreshToken = _dataFormat.Unprotect(message.RefreshToken);

            var resource = refreshToken.Resource;
            var scopes   = refreshToken.Scopes
                           .Select(s => ApplicationScope.CanonicalScopes.TryGetValue(s, out var scope) ? scope : new ApplicationScope(resource, s));

            return(Task.FromResult(AuthorizationGrant.Valid(
                                       refreshToken.UserId,
                                       refreshToken.ClientId,
                                       refreshToken.GrantedTokens,
                                       scopes,
                                       refreshToken)));
        }
        public Task <AuthorizationGrant> ExchangeAuthorizationCodeAsync(OpenIdConnectMessage message)
        {
            var code = _dataFormat.Unprotect(message.Code);

            if (code == null)
            {
                return(Task.FromResult(AuthorizationGrant.Invalid(_errorProvider.InvalidAuthorizationCode())));
            }

            var userId   = code.UserId;
            var clientId = code.ClientId;
            var scopes   = code.Scopes;
            var resource = code.Resource;
            var nonce    = code.Nonce;

            var tokenTypes    = code.GrantedTokens;
            var grantedScopes = scopes.SelectMany(s => s.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries))
                                .Select(s => ApplicationScope.CanonicalScopes.TryGetValue(s, out var canonicalScope) ? canonicalScope : new ApplicationScope(resource, s))
                                .ToList();

            return(Task.FromResult(AuthorizationGrant.Valid(userId, clientId, tokenTypes, grantedScopes, code)));
        }
示例#5
0
        private async Task <OpenIdConnectMessage> ValidateAuthorizationCode(
            IDictionary <string, string[]> requestParameters,
            string clientId,
            AuthorizationGrant consentGrant)
        {
            if (!(consentGrant.Token is AuthorizationCode code))
            {
                throw new InvalidOperationException("Granted token must be an authorization code.");
            }

            var(redirectUri, redirectUriError) = RequestParametersHelper.ValidateOptionalParameterIsUnique(requestParameters, OpenIdConnectParameterNames.RedirectUri, _errorProvider);
            if (redirectUriError != null)
            {
                return(redirectUriError);
            }

            var tokenRedirectUri = code.RedirectUri;

            if (redirectUri == null && tokenRedirectUri != null)
            {
                return(_errorProvider.MissingRequiredParameter(OpenIdConnectParameterNames.RedirectUri));
            }

            if (!string.Equals(redirectUri, tokenRedirectUri, StringComparison.Ordinal))
            {
                return(_errorProvider.MismatchedRedirectUrl(redirectUri));
            }

            var resolution = await _redirectUriValidator.ResolveRedirectUriAsync(clientId, redirectUri);

            if (!resolution.IsValid)
            {
                return(_errorProvider.InvalidRedirectUri(redirectUri));
            }

            if (code.CodeChallenge != null)
            {
                if (!ProofOfKeyForCodeExchangeChallengeMethods.SHA256.Equals(code.CodeChallengeMethod, StringComparison.Ordinal))
                {
                    throw new InvalidOperationException("Unsupported code challenge method.");
                }

                var(verifier, verifierError) = RequestParametersHelper.ValidateParameterIsUnique(requestParameters, ProofOfKeyForCodeExchangeParameterNames.CodeVerifier, _errorProvider);
                if (verifierError != null)
                {
                    return(verifierError);
                }

                // code-verifier = [a-zA-Z0-9\-._~]{43,128}
                if (verifier.Length < 43 || verifier.Length > 128)
                {
                    return(_errorProvider.InvalidCodeVerifier());
                }

                for (var i = 0; i < verifier.Length; i++)
                {
                    if (verifier[i] > 127 || !ValidCodeVerifierCharacters[verifier[i]])
                    {
                        return(_errorProvider.InvalidCodeVerifier());
                    }
                }

                if (!string.Equals(code.CodeChallenge, GetComputedChallenge(verifier), StringComparison.Ordinal))
                {
                    return(_errorProvider.InvalidCodeVerifier());
                }
            }

            return(null);
        }