diff --git a/src/OpenIddict.Server.DataProtection/OpenIddictServerDataProtectionHandlers.Protection.cs b/src/OpenIddict.Server.DataProtection/OpenIddictServerDataProtectionHandlers.Protection.cs
index a6fa2961..a720559e 100644
--- a/src/OpenIddict.Server.DataProtection/OpenIddictServerDataProtectionHandlers.Protection.cs
+++ b/src/OpenIddict.Server.DataProtection/OpenIddictServerDataProtectionHandlers.Protection.cs
@@ -98,49 +98,49 @@ namespace OpenIddict.Server.DataProtection 0 => context.TokenTypeHint switch { TokenTypeHints.AuthorizationCode => - ValidateToken(context.Token, TokenTypeHints.AuthorizationCode) ?? - ValidateToken(context.Token, TokenTypeHints.AccessToken) ?? - ValidateToken(context.Token, TokenTypeHints.RefreshToken) ?? - ValidateToken(context.Token, TokenTypeHints.DeviceCode) ?? - ValidateToken(context.Token, TokenTypeHints.UserCode), + ValidateToken(TokenTypeHints.AuthorizationCode) ?? + ValidateToken(TokenTypeHints.AccessToken) ?? + ValidateToken(TokenTypeHints.RefreshToken) ?? + ValidateToken(TokenTypeHints.DeviceCode) ?? + ValidateToken(TokenTypeHints.UserCode), TokenTypeHints.DeviceCode => - ValidateToken(context.Token, TokenTypeHints.DeviceCode) ?? - ValidateToken(context.Token, TokenTypeHints.AccessToken) ?? - ValidateToken(context.Token, TokenTypeHints.RefreshToken) ?? - ValidateToken(context.Token, TokenTypeHints.AuthorizationCode) ?? - ValidateToken(context.Token, TokenTypeHints.UserCode), + ValidateToken(TokenTypeHints.DeviceCode) ?? + ValidateToken(TokenTypeHints.AccessToken) ?? + ValidateToken(TokenTypeHints.RefreshToken) ?? + ValidateToken(TokenTypeHints.AuthorizationCode) ?? + ValidateToken(TokenTypeHints.UserCode), TokenTypeHints.RefreshToken => - ValidateToken(context.Token, TokenTypeHints.RefreshToken) ?? - ValidateToken(context.Token, TokenTypeHints.AccessToken) ?? - ValidateToken(context.Token, TokenTypeHints.AuthorizationCode) ?? - ValidateToken(context.Token, TokenTypeHints.DeviceCode) ?? - ValidateToken(context.Token, TokenTypeHints.UserCode), + ValidateToken(TokenTypeHints.RefreshToken) ?? + ValidateToken(TokenTypeHints.AccessToken) ?? + ValidateToken(TokenTypeHints.AuthorizationCode) ?? + ValidateToken(TokenTypeHints.DeviceCode) ?? + ValidateToken(TokenTypeHints.UserCode), TokenTypeHints.UserCode => - ValidateToken(context.Token, TokenTypeHints.UserCode) ?? - ValidateToken(context.Token, TokenTypeHints.AccessToken) ?? 
- ValidateToken(context.Token, TokenTypeHints.RefreshToken) ?? - ValidateToken(context.Token, TokenTypeHints.AuthorizationCode) ?? - ValidateToken(context.Token, TokenTypeHints.DeviceCode), + ValidateToken(TokenTypeHints.UserCode) ?? + ValidateToken(TokenTypeHints.AccessToken) ?? + ValidateToken(TokenTypeHints.RefreshToken) ?? + ValidateToken(TokenTypeHints.AuthorizationCode) ?? + ValidateToken(TokenTypeHints.DeviceCode), _ => - ValidateToken(context.Token, TokenTypeHints.AccessToken) ?? - ValidateToken(context.Token, TokenTypeHints.RefreshToken) ?? - ValidateToken(context.Token, TokenTypeHints.AuthorizationCode) ?? - ValidateToken(context.Token, TokenTypeHints.DeviceCode) ?? - ValidateToken(context.Token, TokenTypeHints.UserCode), + ValidateToken(TokenTypeHints.AccessToken) ?? + ValidateToken(TokenTypeHints.RefreshToken) ?? + ValidateToken(TokenTypeHints.AuthorizationCode) ?? + ValidateToken(TokenTypeHints.DeviceCode) ?? + ValidateToken(TokenTypeHints.UserCode), }, // If a single valid token type was set, ignore the specified token type hint. 
1 => context.ValidTokenTypes.ElementAt(0) switch { - TokenTypeHints.AccessToken => ValidateToken(context.Token, TokenTypeHints.AccessToken), - TokenTypeHints.RefreshToken => ValidateToken(context.Token, TokenTypeHints.RefreshToken), - TokenTypeHints.AuthorizationCode => ValidateToken(context.Token, TokenTypeHints.AuthorizationCode), - TokenTypeHints.DeviceCode => ValidateToken(context.Token, TokenTypeHints.DeviceCode), - TokenTypeHints.UserCode => ValidateToken(context.Token, TokenTypeHints.UserCode), + TokenTypeHints.AccessToken => ValidateToken(TokenTypeHints.AccessToken), + TokenTypeHints.RefreshToken => ValidateToken(TokenTypeHints.RefreshToken), + TokenTypeHints.AuthorizationCode => ValidateToken(TokenTypeHints.AuthorizationCode), + TokenTypeHints.DeviceCode => ValidateToken(TokenTypeHints.DeviceCode), + TokenTypeHints.UserCode => ValidateToken(TokenTypeHints.UserCode), _ => null // The token type is not supported by the Data Protection integration (e.g identity tokens). }, 
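Review bot: Nothing in the `0 =>` arm explains why it is acceptable to accept a token as a type other than the one hinted, which is exactly what each fallback chain does once the first `ValidateToken` returns null, and the shortened calls no longer even show that the same `context.Token` is retried under every purpose. A comment above `0 => context.TokenTypeHint switch` would make the security argument explicit, e.g. `// The hint only orders the attempts: each token type is unprotected under its own Data Protection purpose (see ValidateToken), so a token is only ever accepted as the type it was issued for.` (the note inside ValidateToken says the purposes differ per type, so this follows from it). It is also worth stating that the five lists are one fixed sequence with the hinted type moved to the front, so a new token type is added to all of them rather than to one. The enclosing `context.ValidTokenTypes.Count switch` starts before the hunk.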
@@ -162,11 +162,11 @@ namespace OpenIddict.Server.DataProtection }) .Select(type => type switch { - TokenTypeHints.AccessToken => ValidateToken(context.Token, TokenTypeHints.AccessToken), - TokenTypeHints.RefreshToken => ValidateToken(context.Token, TokenTypeHints.RefreshToken), - TokenTypeHints.AuthorizationCode => ValidateToken(context.Token, TokenTypeHints.AuthorizationCode), - TokenTypeHints.DeviceCode => ValidateToken(context.Token, TokenTypeHints.DeviceCode), - TokenTypeHints.UserCode => ValidateToken(context.Token, TokenTypeHints.UserCode), + TokenTypeHints.AccessToken => ValidateToken(TokenTypeHints.AccessToken), + TokenTypeHints.RefreshToken => ValidateToken(TokenTypeHints.RefreshToken), + TokenTypeHints.AuthorizationCode => ValidateToken(TokenTypeHints.AuthorizationCode), + TokenTypeHints.DeviceCode => ValidateToken(TokenTypeHints.DeviceCode), + TokenTypeHints.UserCode => ValidateToken(TokenTypeHints.UserCode), _ => null // The token type is not supported by the Data Protection integration (e.g identity tokens). }) @@ -190,7 +190,7 @@ namespace OpenIddict.Server.DataProtection return default; - ClaimsPrincipal? ValidateToken(string token, string type) + ClaimsPrincipal? ValidateToken(string type) { // Create a Data Protection protector using the provider registered in the options. var protector = _options.CurrentValue.DataProtectionProvider.CreateProtector(type switch @@ -221,7 +221,7 @@ namespace OpenIddict.Server.DataProtection try { - using var buffer = new MemoryStream(protector.Unprotect(Base64UrlEncoder.DecodeBytes(token))); + using var buffer = new MemoryStream(protector.Unprotect(Base64UrlEncoder.DecodeBytes(context.Token))); using var reader = new BinaryReader(buffer); // Note: since the data format relies on a data protector using different "purposes" strings 
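Review bot: The new signature `ClaimsPrincipal? ValidateToken(string type)` no longer shows what is being validated, because the token is now read from the captured `context` inside the body, and a reader of a call site such as `ValidateToken(TokenTypeHints.RefreshToken)` has to open the local function to find that out. A one-line comment above the signature would restore that, e.g. `// Tries to unprotect context.Token under the Data Protection purpose of the given token type; returns null when that fails.` The body of ValidateToken runs past the end of this hunk.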
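Review bot: `protector.Unprotect(Base64UrlEncoder.DecodeBytes(context.Token))` is the only check between a caller-supplied token and the `BinaryReader` that follows, so the safety of everything read from `buffer` rests on the registered provider handing back an authenticated protector (the standard ASP.NET Core Data Protection protectors are: a tampered or foreign payload throws before any byte is parsed, which is presumably what the catch below relies on). That assumption deserves a comment next to the call, e.g. `// Unprotect authenticates the payload, so the reader below only sees bytes this application protected under this purpose; a custom DataProtectionProvider must preserve that guarantee.` If `context.Token` can be null here, `DecodeBytes` throws and the catch turns it into a null principal, which works but could be a cheap early return before a protector is created. The try block continues outside the hunk.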
@@ -231,7 +231,7 @@ namespace OpenIddict.Server.DataProtection catch (Exception exception) { - context.Logger.LogTrace(exception, SR.GetResourceString(SR.ID6153), token); + context.Logger.LogTrace(exception, SR.GetResourceString(SR.ID6153), context.Token); return null; } diff --git a/src/OpenIddict.Validation.DataProtection/OpenIddictValidationDataProtectionHandlers.Protection.cs b/src/OpenIddict.Validation.DataProtection/OpenIddictValidationDataProtectionHandlers.Protection.cs index e83506a5..778450a8 100644 --- a/src/OpenIddict.Validation.DataProtection/OpenIddictValidationDataProtectionHandlers.Protection.cs +++ b/src/OpenIddict.Validation.DataProtection/OpenIddictValidationDataProtectionHandlers.Protection.cs @@ -73,9 +73,16 @@ namespace OpenIddict.Validation.DataProtection // Note: unlike the equivalent handler in the server stack, the logic used here is // simpler as only access tokens are currently supported by the validation stack. - var principal = context.ValidTokenTypes.Count is 0 || context.ValidTokenTypes.Contains(TokenTypeHints.AccessToken) ? - ValidateToken(context.Token, TokenTypeHints.AccessToken) : - null; + var principal = context.ValidTokenTypes.Count switch + { + // If no valid token type was set, all supported token types are allowed. + 0 => ValidateToken(TokenTypeHints.AccessToken), + + _ when context.ValidTokenTypes.Contains(TokenTypeHints.AccessToken) + => ValidateToken(TokenTypeHints.AccessToken), + + _ => null // The token type is not supported by the Data Protection integration (e.g identity tokens). + }; if (principal is null) { @@ -93,7 +100,7 @@ namespace OpenIddict.Validation.DataProtection return default; - ClaimsPrincipal? ValidateToken(string token, string type) + ClaimsPrincipal? ValidateToken(string type) { // Create a Data Protection protector using the provider registered in the options. var protector = _options.CurrentValue.DataProtectionProvider.CreateProtector(type switch 
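Review bot: The new trace call still writes the full `context.Token` into the log, so a trace sink left enabled in production, or a trace attached to a bug report, contains a bearer credential that merely failed to unprotect as one particular type and may well be valid as another one that the fallback chain tries next. Since the server stack logs the same token once per attempted type, prefer a non-secret correlator such as a truncated hash or the token length, assuming the ID6153 message template has a placeholder for the value; otherwise the argument can simply be dropped. The `catch (Exception)` is pre-existing and the enclosing ValidateToken starts before the hunk.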
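Review bot: The `_ => null` arm's comment was copied from the server handler and reads as if only identity tokens end up there, but in this switch the arm is reached whenever `context.ValidTokenTypes` is non-empty and lacks `TokenTypeHints.AccessToken`, e.g. a caller that only accepts refresh tokens; make the comment say so: `// ValidTokenTypes was set without access tokens: no other token type is supported by the validation Data Protection integration.` The first two arms deliberately make the same `ValidateToken(TokenTypeHints.AccessToken)` call, which is fine for symmetry with the server stack but worth a short note so nobody later merges them into a single guarded arm and changes the precedence. The `if (principal is null)` block that follows the switch continues past the hunk.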
@@ -108,7 +115,7 @@ namespace OpenIddict.Validation.DataProtection try { - using var buffer = new MemoryStream(protector.Unprotect(Base64UrlEncoder.DecodeBytes(token))); + using var buffer = new MemoryStream(protector.Unprotect(Base64UrlEncoder.DecodeBytes(context.Token))); using var reader = new BinaryReader(buffer); // Note: since the data format relies on a data protector using different "purposes" strings @@ -118,7 +125,7 @@ namespace OpenIddict.Validation.DataProtection catch (Exception exception) { - context.Logger.LogTrace(exception, SR.GetResourceString(SR.ID6153), token); + context.Logger.LogTrace(exception, SR.GetResourceString(SR.ID6153), context.Token); return null; }
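Review bot: As in the server handler, this trace call logs the raw `context.Token`, which in the validation stack is the bearer token a client presented to the API; a value that is not a Data Protection access token of this application can still be a live credential issued elsewhere (a JWT, or a token from another key ring), so a production trace sink leaks it. Prefer logging a truncated hash or the token length, provided the ID6153 template has a placeholder for it. The enclosing ValidateToken starts before the hunk.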