From 4e006968f38dcc3f79f77d50e9c697554aa08c0c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?K=C3=A9vin=20Chalet?= Date: Sun, 7 Jun 2020 02:58:02 +0200 Subject: [PATCH] Update OpenIddictValidationService to propagate the error details during introspection --- ...nIddictValidationHandlers.Introspection.cs | 26 ++++--- .../OpenIddictValidationService.cs | 76 +++++++++++++++++++ 2 files changed, 91 insertions(+), 11 deletions(-) diff --git a/src/OpenIddict.Validation/OpenIddictValidationHandlers.Introspection.cs b/src/OpenIddict.Validation/OpenIddictValidationHandlers.Introspection.cs index 3288aa72..150699cb 100644 --- a/src/OpenIddict.Validation/OpenIddictValidationHandlers.Introspection.cs +++ b/src/OpenIddict.Validation/OpenIddictValidationHandlers.Introspection.cs @@ -27,7 +27,7 @@ namespace OpenIddict.Validation * Introspection response handling: */ AttachCredentials.Descriptor, - AttachAccessToken.Descriptor, + AttachToken.Descriptor, /* * Introspection response handling: @@ -75,16 +75,16 @@ namespace OpenIddict.Validation } /// - /// Contains the logic responsible of attaching the access token to the introspection request. + /// Contains the logic responsible of attaching the token to the introspection request. /// - public class AttachAccessToken : IOpenIddictValidationHandler + public class AttachToken : IOpenIddictValidationHandler { /// /// Gets the default descriptor definition assigned to this handler. /// public static OpenIddictValidationHandlerDescriptor Descriptor { get; } = OpenIddictValidationHandlerDescriptor.CreateBuilder() - .UseSingletonHandler() + .UseSingletonHandler() .SetOrder(AttachCredentials.Descriptor.Order + 100_000) .Build(); 
@@ -372,15 +372,19 @@ namespace OpenIddict.Validation
 // OpenIddict-based authorization servers always return the actual token type using
 // the special "token_usage" claim, that helps resource servers determine whether the
- // introspected token is an access token and thus prevent token substitution attacks.
- var usage = (string) context.Response[Claims.TokenUsage];
- if (!string.IsNullOrEmpty(usage) && !string.Equals(usage, context.TokenType, StringComparison.OrdinalIgnoreCase))
+ // introspected token is of the expected type and prevent token substitution attacks.
+ if (!string.IsNullOrEmpty(context.TokenType))
 {
- context.Reject(
- error: Errors.InvalidToken,
- description: "The introspected token is not an access token.");
+ var usage = (string) context.Response[Claims.TokenUsage];
+ if (!string.IsNullOrEmpty(usage) &&
+ !string.Equals(usage, context.TokenType, StringComparison.OrdinalIgnoreCase))
+ {
+ context.Reject(
+ error: Errors.InvalidToken,
+ description: "The type of the introspection token doesn't match the expected type.");
- return default;
+ return default;
+ }
 }
 return default;
diff --git a/src/OpenIddict.Validation/OpenIddictValidationService.cs b/src/OpenIddict.Validation/OpenIddictValidationService.cs
index c9756c38..ddf248d5 100644
--- a/src/OpenIddict.Validation/OpenIddictValidationService.cs
+++ b/src/OpenIddict.Validation/OpenIddictValidationService.cs
@@ -90,7 +90,9 @@ namespace OpenIddict.Validation
 var message = new StringBuilder()
 .AppendLine("An error occurred while preparing the configuration request.")
 .AppendFormat("Error: {0}", context.Error ?? "(not available)")
+ .AppendLine()
 .AppendFormat("Error description: {0}", context.ErrorDescription ?? "(not available)")
+ .AppendLine()
 .AppendFormat("Error URI: {0}", context.ErrorUri ?? "(not available)")
 .ToString();
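Review bot: The `token_usage` comparison is now skipped whenever `context.TokenType` is empty, so a caller that attaches a token without stating its expected type gets no substitution check at all, and nothing in the hunk records that this is intentional. I'd make the contract explicit above the outer `if`: `// Callers that don't set TokenType opt out of the token_usage check: the token is accepted whatever type the server reports.` The check is likewise skipped when the server omits `token_usage` (non-OpenIddict servers), which was already the case but belongs in the same comment. The rejection description reads "introspection token"; it should be `description: "The type of the introspected token doesn't match the expected type."`. The enclosing handler method starts and ends outside the hunk.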
@@ -115,7 +117,9 @@ namespace OpenIddict.Validation
 var message = new StringBuilder()
 .AppendLine("An error occurred while sending the configuration request.")
 .AppendFormat("Error: {0}", context.Error ?? "(not available)")
+ .AppendLine()
 .AppendFormat("Error description: {0}", context.ErrorDescription ?? "(not available)")
+ .AppendLine()
 .AppendFormat("Error URI: {0}", context.ErrorUri ?? "(not available)")
 .ToString();
@@ -140,7 +144,9 @@ namespace OpenIddict.Validation
 var message = new StringBuilder()
 .AppendLine("An error occurred while extracting the configuration response.")
 .AppendFormat("Error: {0}", context.Error ?? "(not available)")
+ .AppendLine()
 .AppendFormat("Error description: {0}", context.ErrorDescription ?? "(not available)")
+ .AppendLine()
 .AppendFormat("Error URI: {0}", context.ErrorUri ?? "(not available)")
 .ToString();
@@ -166,7 +172,9 @@ namespace OpenIddict.Validation
 var message = new StringBuilder()
 .AppendLine("An error occurred while handling the configuration response.")
 .AppendFormat("Error: {0}", context.Error ?? "(not available)")
+ .AppendLine()
 .AppendFormat("Error description: {0}", context.ErrorDescription ?? "(not available)")
+ .AppendLine()
 .AppendFormat("Error URI: {0}", context.ErrorUri ?? "(not available)")
 .ToString();
@@ -254,7 +262,9 @@ namespace OpenIddict.Validation
 var message = new StringBuilder()
 .AppendLine("An error occurred while preparing the cryptography request.")
 .AppendFormat("Error: {0}", context.Error ?? "(not available)")
+ .AppendLine()
 .AppendFormat("Error description: {0}", context.ErrorDescription ?? "(not available)")
+ .AppendLine()
 .AppendFormat("Error URI: {0}", context.ErrorUri ?? "(not available)")
 .ToString();
@@ -279,7 +289,9 @@ namespace OpenIddict.Validation
 var message = new StringBuilder()
 .AppendLine("An error occurred while sending the cryptography request.")
 .AppendFormat("Error: {0}", context.Error ?? "(not available)")
+ .AppendLine()
 .AppendFormat("Error description: {0}", context.ErrorDescription ?? "(not available)")
+ .AppendLine()
 .AppendFormat("Error URI: {0}", context.ErrorUri ?? "(not available)")
 .ToString();
@@ -304,7 +316,9 @@ namespace OpenIddict.Validation
 var message = new StringBuilder()
 .AppendLine("An error occurred while extracting the cryptography response.")
 .AppendFormat("Error: {0}", context.Error ?? "(not available)")
+ .AppendLine()
 .AppendFormat("Error description: {0}", context.ErrorDescription ?? "(not available)")
+ .AppendLine()
 .AppendFormat("Error URI: {0}", context.ErrorUri ?? "(not available)")
 .ToString();
@@ -330,7 +344,9 @@ namespace OpenIddict.Validation
 var message = new StringBuilder()
 .AppendLine("An error occurred while handling the cryptography response.")
 .AppendFormat("Error: {0}", context.Error ?? "(not available)")
+ .AppendLine()
 .AppendFormat("Error description: {0}", context.ErrorDescription ?? "(not available)")
+ .AppendLine()
 .AppendFormat("Error URI: {0}", context.ErrorUri ?? "(not available)")
 .ToString();
@@ -433,6 +449,21 @@ namespace OpenIddict.Validation
 await provider.DispatchAsync(context);
+ if (context.IsRejected)
+ {
+ var message = new StringBuilder()
+ .AppendLine("An error occurred while preparing the introspection request.")
+ .AppendFormat("Error: {0}", context.Error ?? "(not available)")
+ .AppendLine()
+ .AppendFormat("Error description: {0}", context.ErrorDescription ?? "(not available)")
+ .AppendLine()
+ .AppendFormat("Error URI: {0}", context.ErrorUri ?? "(not available)")
+ .ToString();
+
+ throw new OpenIddictExceptions.GenericException(message,
+ context.Error, context.ErrorDescription, context.ErrorUri);
+ }
+
 return context.Request;
 }
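Review bot: The rejection block added in the `-433` hunk is a verbatim copy of the eight blocks above it and of the three that follow, with only the summary sentence changing; a private helper taking the summary and the error triple would reduce each introspection call site to a few lines and keep the message layout in one place. Passing the three strings rather than the context avoids depending on whether the four context types share a base class, which isn't visible in this diff. The method the hunk patches starts outside it.
```csharp
// … unchanged: DispatchAsync call …
if (context.IsRejected)
{
    throw CreateRejectionException("An error occurred while preparing the introspection request.",
        context.Error, context.ErrorDescription, context.ErrorUri);
}

// Builds the exception thrown when a handler rejects a request or response; the same
// message layout is used by the configuration, cryptography and introspection paths.
private static OpenIddictExceptions.GenericException CreateRejectionException(
    string summary, string error, string description, string uri)
{
    var message = new StringBuilder()
        .AppendLine(summary)
        .AppendFormat("Error: {0}", error ?? "(not available)")
        .AppendLine()
        .AppendFormat("Error description: {0}", description ?? "(not available)")
        .AppendLine()
        .AppendFormat("Error URI: {0}", uri ?? "(not available)")
        .ToString();

    return new OpenIddictExceptions.GenericException(message, error, description, uri);
}
```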
@@ -445,6 +476,21 @@ namespace OpenIddict.Validation
 await provider.DispatchAsync(context);
+ if (context.IsRejected)
+ {
+ var message = new StringBuilder()
+ .AppendLine("An error occurred while sending the introspection request.")
+ .AppendFormat("Error: {0}", context.Error ?? "(not available)")
+ .AppendLine()
+ .AppendFormat("Error description: {0}", context.ErrorDescription ?? "(not available)")
+ .AppendLine()
+ .AppendFormat("Error URI: {0}", context.ErrorUri ?? "(not available)")
+ .ToString();
+
+ throw new OpenIddictExceptions.GenericException(message,
+ context.Error, context.ErrorDescription, context.ErrorUri);
+ }
+
 return context.Request;
 }
@@ -457,6 +503,21 @@ namespace OpenIddict.Validation
 await provider.DispatchAsync(context);
+ if (context.IsRejected)
+ {
+ var message = new StringBuilder()
+ .AppendLine("An error occurred while extracting the introspection response.")
+ .AppendFormat("Error: {0}", context.Error ?? "(not available)")
+ .AppendLine()
+ .AppendFormat("Error description: {0}", context.ErrorDescription ?? "(not available)")
+ .AppendLine()
+ .AppendFormat("Error URI: {0}", context.ErrorUri ?? "(not available)")
+ .ToString();
+
+ throw new OpenIddictExceptions.GenericException(message,
+ context.Error, context.ErrorDescription, context.ErrorUri);
+ }
+
 return context.Response;
 }
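Review bot: In the `-457` hunk the exception message embeds `context.ErrorDescription` and `context.ErrorUri` verbatim; at the extraction stage these presumably carry the remote introspection response's `error_description`/`error_uri` members (the extraction handlers are not in this diff), so the authorization server can put arbitrary text, including line breaks, into a message that will typically end up in a log line. Neutralising CR/LF and capping the length before formatting, e.g. `.AppendFormat("Error description: {0}", Sanitize(context.ErrorDescription) ?? "(not available)")` with a small helper that strips control characters and truncates, keeps log entries from being forged, while the raw values stay available to callers through the exception's own properties. The same applies to the `-472` hunk below. The enclosing method starts outside the hunk.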
@@ -472,6 +533,21 @@ namespace OpenIddict.Validation
 await provider.DispatchAsync(context);
+ if (context.IsRejected)
+ {
+ var message = new StringBuilder()
+ .AppendLine("An error occurred while handling the introspection response.")
+ .AppendFormat("Error: {0}", context.Error ?? "(not available)")
+ .AppendLine()
+ .AppendFormat("Error description: {0}", context.ErrorDescription ?? "(not available)")
+ .AppendLine()
+ .AppendFormat("Error URI: {0}", context.ErrorUri ?? "(not available)")
+ .ToString();
+
+ throw new OpenIddictExceptions.GenericException(message,
+ context.Error, context.ErrorDescription, context.ErrorUri);
+ }
+
 return context.Principal;
 }
 }
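Review bot: A rejected introspection response now ends in a thrown `GenericException` instead of falling through to `return context.Principal;`, and the method's XML documentation (its signature is above the hunk) does not say so. Add `/// <exception cref="OpenIddictExceptions.GenericException">Thrown when a handler rejects the introspection response, including the token_usage mismatch raised in OpenIddictValidationHandlers.Introspection.</exception>` to the method's doc comment; the same tag belongs on the three sibling methods patched above. Any caller that relied on the returned principal to detect a rejection (not visible here) now needs to catch the exception and map it to an authentication failure rather than let it propagate as a server error.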