|
|
@ -154,31 +154,25 @@ namespace OpenIddict.Infrastructure { |
|
|
return; |
|
|
return; |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
// If the user is connected, ensure that a corresponding profile exists and that
|
|
|
// Ensure that the appropriate set of scopes is requested to prevent personal data leakage when possible.
|
|
|
// the appropriate set of scopes is requested to prevent personal data leakage.
|
|
|
if (services.Users.SupportsUserEmail && context.HttpContext.User.Identities.Any(identity => identity.IsAuthenticated) && |
|
|
if (context.HttpContext.User.Identities.Any(identity => identity.IsAuthenticated)) { |
|
|
context.Request.HasScope(OpenIdConnectConstants.Scopes.Profile) && |
|
|
// Ensure the user profile still exists in the database.
|
|
|
!context.Request.HasScope(OpenIdConnectConstants.Scopes.Email)) { |
|
|
|
|
|
// Skip scope validation if the user cannot be found in the database.
|
|
|
var user = await services.Users.GetUserAsync(context.HttpContext.User); |
|
|
var user = await services.Users.GetUserAsync(context.HttpContext.User); |
|
|
if (user == null) { |
|
|
if (user == null) { |
|
|
services.Logger.LogError("The authorization request was rejected because the profile corresponding " + |
|
|
services.Logger.LogWarning("The authorization request was not fully validated because the profile corresponding " + |
|
|
"to the logged in user was not found in the database: {Identifier}.", |
|
|
"to the logged in user was not found in the database: {Identifier}.", |
|
|
context.HttpContext.User.GetClaim(ClaimTypes.NameIdentifier)); |
|
|
context.HttpContext.User.GetClaim(ClaimTypes.NameIdentifier)); |
|
|
|
|
|
|
|
|
context.Reject( |
|
|
|
|
|
error: OpenIdConnectConstants.Errors.ServerError, |
|
|
|
|
|
description: "An internal error has occurred."); |
|
|
|
|
|
|
|
|
|
|
|
return; |
|
|
|
|
|
} |
|
|
} |
|
|
|
|
|
|
|
|
// Return an error if the username corresponds to the registered
|
|
|
else { |
|
|
// email address and if the "email" scope has not been requested.
|
|
|
|
|
|
if (services.Users.SupportsUserEmail && context.Request.HasScope(OpenIdConnectConstants.Scopes.Profile) && |
|
|
|
|
|
!context.Request.HasScope(OpenIdConnectConstants.Scopes.Email)) { |
|
|
|
|
|
// Retrieve the username and the email address associated with the user.
|
|
|
// Retrieve the username and the email address associated with the user.
|
|
|
var username = await services.Users.GetUserNameAsync(user); |
|
|
var username = await services.Users.GetUserNameAsync(user); |
|
|
var email = await services.Users.GetEmailAsync(user); |
|
|
var email = await services.Users.GetEmailAsync(user); |
|
|
|
|
|
|
|
|
|
|
|
// Return an error if the username corresponds to the registered
|
|
|
|
|
|
// email address and if the "email" scope has not been requested.
|
|
|
if (!string.IsNullOrEmpty(email) && string.Equals(username, email, StringComparison.OrdinalIgnoreCase)) { |
|
|
if (!string.IsNullOrEmpty(email) && string.Equals(username, email, StringComparison.OrdinalIgnoreCase)) { |
|
|
services.Logger.LogError("The authorization request was rejected because the 'email' scope was not requested: " + |
|
|
services.Logger.LogError("The authorization request was rejected because the 'email' scope was not requested: " + |
|
|
"to prevent data leakage, the 'email' scope must be granted when the username " + |
|
|
"to prevent data leakage, the 'email' scope must be granted when the username " + |
|
|
|
Kévin Chalet
10 years ago