From 1c64cc5b3f3aea670bcbb98edf1f8b703c211838 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?=
Date: Fri, 6 Nov 2015 23:43:07 +0100
Subject: [PATCH] Reject prompt=none requests when the user is not authenticated

---
 src/OpenIddict.Core/OpenIddictProvider.cs | 25 +++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/src/OpenIddict.Core/OpenIddictProvider.cs b/src/OpenIddict.Core/OpenIddictProvider.cs
index c0aaec75..82e763d0 100644
--- a/src/OpenIddict.Core/OpenIddictProvider.cs
+++ b/src/OpenIddict.Core/OpenIddictProvider.cs
@@ -7,6 +7,7 @@
 using System;
 using System.Diagnostics;
 using System.IdentityModel.Tokens.Jwt;
+using System.Linq;
 using System.Security.Claims;
 using System.Threading.Tasks;
 using AspNet.Security.OpenIdConnect.Extensions;
@@ -162,6 +163,16 @@ namespace OpenIddict {
             }
 
             if (string.Equals(context.Request.Prompt, "none", StringComparison.Ordinal)) {
+                // If the user is not authenticated, return an error to the client application.
+                // See http://openid.net/specs/openid-connect-core-1_0.html#Authenticates
+                if (!context.HttpContext.User.Identities.Any(identity => identity.IsAuthenticated)) {
+                    context.Rejected(
+                        error: OpenIdConnectConstants.Errors.LoginRequired,
+                        description: "The user must be authenticated.");
+
+                    return;
+                }
+
                 // Extract the principal contained in the id_token_hint parameter.
                 // If no principal can be extracted, an error is returned to the client application.
                 var principal = await context.HttpContext.Authentication.AuthenticateAsync(context.Options.AuthenticationScheme);
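Review bot: The new guard `context.HttpContext.User.Identities.Any(identity => identity.IsAuthenticated)` treats any authenticated identity on the request as a logged-in end user, whereas prompt=none is asking whether the end user has an interactive session with the authorization server; if other middleware in the pipeline attaches a non-session identity (a bearer token, for instance), the request would pass this check and then be compared against whichever identity `GetClaim` happens to read in the next hunk. If the session is established by a specific sign-in scheme, authenticating that scheme explicitly (or at least checking `User.Identity.IsAuthenticated` on the primary identity) would tie the check to the session the later id_token_hint comparison relies on; I cannot see from the hunk which schemes are registered, so this needs confirming against the pipeline setup. Since `login_required` is returned to the client via a redirect, it is also worth a comment noting that this branch assumes redirect_uri has already been validated against the registered client, because a silent prompt=none probe to an arbitrary URI would otherwise leak whether the user has a session: `// NOTE: relies on redirect_uri having been validated earlier; login_required is sent to the client and must not reach unregistered URIs.` The enclosing method starts and ends outside this hunk.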
@@ -173,7 +184,17 @@ namespace OpenIddict {
                     return;
                 }
 
-                if (!string.Equals(principal.FindFirstValue(JwtRegisteredClaimNames.Aud), context.Request.ClientId)) {
+                // Ensure the client application is listed as a valid audience in the identity token.
+                if (!principal.HasClaim(JwtRegisteredClaimNames.Aud, context.Request.ClientId)) {
+                    context.Rejected(
+                        error: OpenIdConnectConstants.Errors.InvalidRequest,
+                        description: "The id_token_hint parameter is invalid.");
+
+                    return;
+                }
+
+                // Ensure the identity token corresponds to the authenticated user.
+                if (!principal.HasClaim(ClaimTypes.NameIdentifier, context.HttpContext.User.GetClaim(ClaimTypes.NameIdentifier))) {
                     context.Rejected(
                         error: OpenIdConnectConstants.Errors.InvalidRequest,
                         description: "The id_token_hint parameter is invalid.");
@@ -181,7 +202,7 @@ namespace OpenIddict {
                     return;
                 }
 
-                // Ensure the user still exists.
+                // Ensure the user profile still exists in the database.
                 var user = await manager.FindByIdAsync(principal.GetUserId());
                 if (user == null) {
                     context.Rejected(
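Review bot: The added subject check `principal.HasClaim(ClaimTypes.NameIdentifier, context.HttpContext.User.GetClaim(ClaimTypes.NameIdentifier))` passes the session user's claim value straight into `ClaimsPrincipal.HasClaim(type, value)`, which throws `ArgumentNullException` when `value` is null; if `GetClaim` returns null for a session identity that carries no NameIdentifier claim (I cannot see its implementation here), a prompt=none request from such a session turns into an unhandled exception instead of a clean rejection. Reading the value into a local and rejecting on null or empty before the comparison closes that gap: `var subject = context.HttpContext.User.GetClaim(ClaimTypes.NameIdentifier);` / `if (string.IsNullOrEmpty(subject) || !principal.HasClaim(ClaimTypes.NameIdentifier, subject)) {`. Separately, the mismatch branch reuses `invalid_request` with "The id_token_hint parameter is invalid.", but a well-formed id_token_hint for a different user is not malformed; OpenID Connect Core 3.1.2.3 says the server SHOULD return `login_required` in that case, which is also the error a prompt=none client can act on, so `error: OpenIdConnectConstants.Errors.LoginRequired` with a description such as "The id_token_hint parameter does not match the authenticated user." would be more accurate. The enclosing method starts and ends outside this hunk.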