Introduce additional checks in OpenIddictApplicationManager

9 years ago · 5635e211f9
3 changed files with 51 additions and 1 deletions
--- a/src/OpenIddict.Core/Managers/OpenIddictApplicationManager.cs
+++ b/src/OpenIddict.Core/Managers/OpenIddictApplicationManager.cs
@ -84,6 +84,13 @@ namespace OpenIddict.Core {
                throw new ArgumentException("The client secret hash cannot be directly set on the application entity.");
            }

+            var type = await Store.GetClientTypeAsync(application, cancellationToken);
+            if (!string.IsNullOrEmpty(type) &&
+                !string.Equals(type, OpenIddictConstants.ClientTypes.Confidential, StringComparison.OrdinalIgnoreCase)) {
+                throw new InvalidOperationException("The client type must be set to 'confidential' when creating an application with a client secret." +
+                                                    "To create a public application, use the CreateAsync() overload that doesn't take a secret parameter.");
+            }
+
            await Store.SetClientTypeAsync(application, OpenIddictConstants.ClientTypes.Confidential, cancellationToken);
            await Store.SetHashedSecretAsync(application, Crypto.HashPassword(secret), cancellationToken);
            await ValidateAsync(application, cancellationToken);
@ -362,7 +369,7 @@ namespace OpenIddict.Core {
            }

            // When a redirect_uri is specified, ensure it is valid and spec-compliant.
-                // See https://tools.ietf.org/html/rfc6749#section-3.1 for more information.
+            // See https://tools.ietf.org/html/rfc6749#section-3.1 for more information.
            var address = await Store.GetRedirectUriAsync(application, cancellationToken);
            if (!string.IsNullOrEmpty(address)) {
                Uri uri;
@ -376,6 +383,21 @@ namespace OpenIddict.Core {
                    throw new ArgumentException("The redirect_uri cannot contain a fragment.");
                }
            }
+
+            // When a post_logout_redirect_uri is specified, ensure it is valid.
+            address = await Store.GetLogoutRedirectUriAsync(application, cancellationToken);
+            if (!string.IsNullOrEmpty(address)) {
+                Uri uri;
+                // Ensure the post_logout_redirect_uri is a valid and absolute URL.
+                if (!Uri.TryCreate(address, UriKind.Absolute, out uri)) {
+                    throw new ArgumentException("The post_logout_redirect_uri must be an absolute URL.");
+                }
+
+                // Ensure the post_logout_redirect_uri doesn't contain a fragment.
+                if (!string.IsNullOrEmpty(uri.Fragment)) {
+                    throw new ArgumentException("The post_logout_redirect_uri cannot contain a fragment.");
+                }
+            }
        }

        /// <summary>
--- a/src/OpenIddict.Core/Stores/IOpenIddictApplicationStore.cs
+++ b/src/OpenIddict.Core/Stores/IOpenIddictApplicationStore.cs
@ -113,6 +113,17 @@ namespace OpenIddict.Core {
        /// </returns>
        Task<string> GetHashedSecretAsync([NotNull] TApplication application, CancellationToken cancellationToken);

+        /// <summary>
+        /// Retrieves the logout callback address associated with an application.
+        /// </summary>
+        /// <param name="application">The application.</param>
+        /// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
+        /// <returns>
+        /// A <see cref="Task"/> that can be used to monitor the asynchronous operation,
+        /// whose result returns the post_logout_redirect_uri associated with the application.
+        /// </returns>
+        Task<string> GetLogoutRedirectUriAsync([NotNull] TApplication application, CancellationToken cancellationToken);
+
        /// <summary>
        /// Retrieves the callback address associated with an application.
        /// </summary>
--- a/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictApplicationStore.cs
+++ b/src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictApplicationStore.cs
@ -209,6 +209,23 @@ namespace OpenIddict.EntityFrameworkCore {
            return Task.FromResult(application.ClientSecret);
        }

+        /// <summary>
+        /// Retrieves the logout callback address associated with an application.
+        /// </summary>
+        /// <param name="application">The application.</param>
+        /// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
+        /// <returns>
+        /// A <see cref="Task"/> that can be used to monitor the asynchronous operation,
+        /// whose result returns the post_logout_redirect_uri associated with the application.
+        /// </returns>
+        public virtual Task<string> GetLogoutRedirectUriAsync([NotNull] TApplication application, CancellationToken cancellationToken) {
+            if (application == null) {
+                throw new ArgumentNullException(nameof(application));
+            }
+
+            return Task.FromResult(application.LogoutRedirectUri);
+        }
+
        /// <summary>
        /// Retrieves the callback address associated with an application.
        /// </summary>