public void Parse_Scopes_with_Empty_Scope_List()
{
var validator = new ScopeValidator(_logger);
var scopes = validator.ParseScopes("");
Assert.IsNull(scopes);
}
public void Parse_Scopes_with_Sorting()
{
var validator = new ScopeValidator(_logger);
var scopes = validator.ParseScopes("scope3 scope2 scope1");
Assert.AreEqual(scopes.Count, 3);
Assert.AreEqual(scopes[0], "scope1");
Assert.AreEqual(scopes[1], "scope2");
Assert.AreEqual(scopes[2], "scope3");
}
public void Parse_Scopes_with_Extra_Spaces()
{
var validator = new ScopeValidator();
var scopes = validator.ParseScopes(" scope3 scope2 scope1 ");
Assert.AreEqual(scopes.Count, 3);
Assert.AreEqual(scopes[0], "scope1");
Assert.AreEqual(scopes[1], "scope2");
Assert.AreEqual(scopes[2], "scope3");
}
private async Task <bool> ValidateRequestedScopesAsync(NameValueCollection parameters)
{
var scopeValidator = new ScopeValidator();
var requestedScopes = scopeValidator.ParseScopes(parameters.Get(Constants.TokenRequest.Scope));
if (requestedScopes == null)
{
return(false);
}
if (!scopeValidator.AreScopesAllowed(_validatedRequest.Client, requestedScopes))
{
return(false);
}
if (!scopeValidator.AreScopesValid(requestedScopes, await _scopes.GetScopesAsync()))
{
return(false);
}
_validatedRequest.Scopes = requestedScopes;
_validatedRequest.ValidatedScopes = scopeValidator;
return(true);
}
public async Task<ValidationResult> ValidateClientAsync()
{
if (_validatedRequest.ClientId.IsMissing())
{
throw new InvalidOperationException("ClientId is empty. Validate protocol first.");
}
//////////////////////////////////////////////////////////
// check for valid client
//////////////////////////////////////////////////////////
var client = await _core.FindClientByIdAsync(_validatedRequest.ClientId);
if (client == null)
{
_logger.ErrorFormat("Unknown client: {0}", _validatedRequest.ClientId);
return Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient);
}
_logger.InformationFormat("Client found in registry: {0} / {1}", client.ClientId, client.ClientName);
_validatedRequest.Client = client;
//////////////////////////////////////////////////////////
// check if redirect_uri is valid
//////////////////////////////////////////////////////////
if (!_validatedRequest.Client.RedirectUris.Contains(_validatedRequest.RedirectUri))
{
_logger.ErrorFormat("Invalid redirect_uri: {0}", _validatedRequest.RedirectUri);
return Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient);
}
//////////////////////////////////////////////////////////
// check if flow is allowed for client
//////////////////////////////////////////////////////////
if (_validatedRequest.Flow != _validatedRequest.Client.Flow)
{
_logger.ErrorFormat("Invalid flow for client: {0}", _validatedRequest.Flow);
return Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient);
}
//////////////////////////////////////////////////////////
// check scopes and scope restrictions
//////////////////////////////////////////////////////////
var scopeValidator = new ScopeValidator(_logger);
if (!scopeValidator.AreScopesAllowed(_validatedRequest.Client, _validatedRequest.RequestedScopes))
{
return Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient);
}
//////////////////////////////////////////////////////////
// check if scopes are valid/supported and check for resource scopes
//////////////////////////////////////////////////////////
if (!scopeValidator.AreScopesValid(_validatedRequest.RequestedScopes, await _core.GetScopesAsync()))
{
return Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope);
}
if (scopeValidator.ContainsOpenIdScopes && !_validatedRequest.IsOpenIdRequest)
{
_logger.Error("Identity related scope requests, but no openid scope");
return Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope);
}
if (scopeValidator.ContainsResourceScopes)
{
_validatedRequest.IsResourceRequest = true;
}
_validatedRequest.ValidatedScopes = scopeValidator;
//////////////////////////////////////////////////////////
// check id vs resource scopes and response types plausability
//////////////////////////////////////////////////////////
if (!scopeValidator.IsResponseTypeValid(_validatedRequest.ResponseType))
{
return Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope);
}
return await _customValidator.ValidateAuthorizeRequestAsync(_validatedRequest, _users);
}
public void Parse_Scopes_with_Duplicate_Scope()
{
var validator = new ScopeValidator(_logger);
var scopes = validator.ParseScopes("scope2 scope1 scope2");
Assert.AreEqual(scopes.Count, 2);
Assert.AreEqual(scopes[0], "scope1");
Assert.AreEqual(scopes[1], "scope2");
}
public void Contains_Identity_Scopes_Only()
{
var validator = new ScopeValidator(_logger);
var scopes = validator.ParseScopes("openid email");
var result = validator.AreScopesValid(scopes, _allScopes);
Assert.IsTrue(result);
Assert.IsTrue(validator.ContainsOpenIdScopes);
Assert.IsFalse(validator.ContainsResourceScopes);
}
public void Restricted_Scopes()
{
var validator = new ScopeValidator(_logger);
var scopes = validator.ParseScopes("openid email resource1 resource2");
var result = validator.AreScopesAllowed(_restrictedClient, scopes);
Assert.IsFalse(result);
}
public void All_Scopes_Allowed_For_Restricted_Client()
{
var validator = new ScopeValidator(_logger);
var scopes = validator.ParseScopes("openid resource1");
var result = validator.AreScopesAllowed(_restrictedClient, scopes);
Assert.IsTrue(result);
}
public void Invalid_Scope()
{
var validator = new ScopeValidator(_logger);
var scopes = validator.ParseScopes("openid email resource1 resource2 unknown");
var result = validator.AreScopesValid(scopes, _allScopes);
Assert.IsFalse(result);
}
public void All_Scopes_Valid()
{
var validator = new ScopeValidator(_logger);
var scopes = validator.ParseScopes("openid email resource1 resource2");
var result = validator.AreScopesValid(scopes, _allScopes);
Assert.IsTrue(result);
}
public async Task <ValidationResult> ValidateClientAsync()
{
if (_validatedRequest.ClientId.IsMissing())
{
throw new InvalidOperationException("ClientId is empty. Validate protocol first.");
}
//////////////////////////////////////////////////////////
// check for valid client
//////////////////////////////////////////////////////////
var client = await _clients.FindClientByIdAsync(_validatedRequest.ClientId);
if (client == null || client.Enabled == false)
{
_logger.ErrorFormat("Unknown client or not enabled: {0}", _validatedRequest.ClientId);
return(Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient));
}
_logger.InfoFormat("Client found in registry: {0} / {1}", client.ClientId, client.ClientName);
_validatedRequest.Client = client;
//////////////////////////////////////////////////////////
// check if redirect_uri is valid
//////////////////////////////////////////////////////////
if (!_validatedRequest.Client.RedirectUris.Contains(_validatedRequest.RedirectUri))
{
_logger.ErrorFormat("Invalid redirect_uri: {0}", _validatedRequest.RedirectUri);
return(Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient));
}
//////////////////////////////////////////////////////////
// check if flow is allowed for client
//////////////////////////////////////////////////////////
if (_validatedRequest.Flow != _validatedRequest.Client.Flow)
{
_logger.ErrorFormat("Invalid flow for client: {0}", _validatedRequest.Flow);
return(Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient));
}
//////////////////////////////////////////////////////////
// check scopes and scope restrictions
//////////////////////////////////////////////////////////
var scopeValidator = new ScopeValidator();
if (!scopeValidator.AreScopesAllowed(_validatedRequest.Client, _validatedRequest.RequestedScopes))
{
return(Invalid(ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient));
}
//////////////////////////////////////////////////////////
// check if scopes are valid/supported and check for resource scopes
//////////////////////////////////////////////////////////
if (!scopeValidator.AreScopesValid(_validatedRequest.RequestedScopes, await _scopes.GetScopesAsync()))
{
return(Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope));
}
if (scopeValidator.ContainsOpenIdScopes && !_validatedRequest.IsOpenIdRequest)
{
_logger.Error("Identity related scope requests, but no openid scope");
return(Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope));
}
if (scopeValidator.ContainsResourceScopes)
{
_validatedRequest.IsResourceRequest = true;
}
_validatedRequest.ValidatedScopes = scopeValidator;
//////////////////////////////////////////////////////////
// check id vs resource scopes and response types plausability
//////////////////////////////////////////////////////////
if (!scopeValidator.IsResponseTypeValid(_validatedRequest.ResponseType))
{
return(Invalid(ErrorTypes.Client, Constants.AuthorizeErrors.InvalidScope));
}
return(await _customValidator.ValidateAuthorizeRequestAsync(_validatedRequest, _users));
}
public void Contains_Resource_Scopes_Only()
{
var validator = new ScopeValidator();
var scopes = validator.ParseScopes("resource1 resource2");
var result = validator.AreScopesValid(scopes, _allScopes);
Assert.IsTrue(result);
Assert.IsFalse(validator.ContainsOpenIdScopes);
Assert.IsTrue(validator.ContainsResourceScopes);
}
public void Contains_Resource_and_Identity_Scopes()
{
var validator = new ScopeValidator();
var scopes = validator.ParseScopes("openid email resource1 resource2");
var result = validator.AreScopesValid(scopes, _allScopes);
Assert.IsTrue(result);
Assert.IsTrue(validator.ContainsOpenIdScopes);
Assert.IsTrue(validator.ContainsResourceScopes);
}
public void All_Scopes_Allowed_For_Unrestricted_Client()
{
var validator = new ScopeValidator();
var scopes = validator.ParseScopes("openid email resource1 resource2");
var result = validator.AreScopesAllowed(_unrestrictedClient, scopes);
Assert.IsTrue(result);
}
private async Task<bool> ValidateRequestedScopesAsync(NameValueCollection parameters)
{
var scopeValidator = new ScopeValidator(_logger);
var requestedScopes = scopeValidator.ParseScopes(parameters.Get(Constants.TokenRequest.Scope));
if (requestedScopes == null)
{
return false;
}
if (!scopeValidator.AreScopesAllowed(_validatedRequest.Client, requestedScopes))
{
return false;
}
if (!scopeValidator.AreScopesValid(requestedScopes, await _settings.GetScopesAsync()))
{
return false;
}
_validatedRequest.Scopes = requestedScopes;
_validatedRequest.ValidatedScopes = scopeValidator;
return true;
}