Introduce new OpenIddictOptions extensions

src/OpenIddict.Core/Infrastructure/OpenIddictProvider.Authentication.cs

@@ -103,8 +103,7 @@ namespace OpenIddict.Infrastructure {
             }
 
             // Reject code flow authorization requests if the authorization code flow is not enabled.
-            if (context.Request.IsAuthorizationCodeFlow() &&
-               !services.Options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.AuthorizationCode)) {
+            if (context.Request.IsAuthorizationCodeFlow() && !services.Options.IsAuthorizationCodeFlowEnabled()) {
                 services.Logger.LogError("The authorization request was rejected because " +
                                          "the authorization code flow was not enabled.");
 
@@ -116,7 +115,7 @@ namespace OpenIddict.Infrastructure {
             }
 
             // Reject implicit flow authorization requests if the implicit flow is not enabled.
-            if (context.Request.IsImplicitFlow() && !services.Options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.Implicit)) {
+            if (context.Request.IsImplicitFlow() && !services.Options.IsImplicitFlowEnabled()) {
                 services.Logger.LogError("The authorization request was rejected because the implicit flow was not enabled.");
 
                 context.Reject(
@@ -127,8 +126,8 @@ namespace OpenIddict.Infrastructure {
             }
 
             // Reject hybrid flow authorization requests if the authorization code or the implicit flows are not enabled.
-            if (context.Request.IsHybridFlow() && (!services.Options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.AuthorizationCode) ||
-                                                   !services.Options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.Implicit))) {
+            if (context.Request.IsHybridFlow() && (!services.Options.IsAuthorizationCodeFlowEnabled() ||
+                                                   !services.Options.IsImplicitFlowEnabled())) {
                 services.Logger.LogError("The authorization request was rejected because the " +
                                          "authorization code flow or the implicit flow was not enabled.");
 
@@ -140,8 +139,7 @@ namespace OpenIddict.Infrastructure {
             }
 
             // Reject authorization requests that specify scope=offline_access if the refresh token flow is not enabled.
-            if (context.Request.HasScope(OpenIdConnectConstants.Scopes.OfflineAccess) &&
-               !services.Options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.RefreshToken)) {
+            if (context.Request.HasScope(OpenIdConnectConstants.Scopes.OfflineAccess) && !services.Options.IsRefreshTokenFlowEnabled()) {
                 context.Reject(
                     error: OpenIdConnectConstants.Errors.InvalidRequest,
                     description: "The 'offline_access' scope is not allowed.");

src/OpenIddict.Core/Infrastructure/OpenIddictProvider.Exchange.cs

@@ -12,6 +12,7 @@ using AspNet.Security.OpenIdConnect.Extensions;
 using AspNet.Security.OpenIdConnect.Server;
 using JetBrains.Annotations;
 using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Http.Authentication;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
@@ -39,8 +40,7 @@ namespace OpenIddict.Infrastructure {
 
             // Reject token requests using grant_type=authorization_code
             // if the authorization code flow support is not enabled.
-            if (context.Request.IsAuthorizationCodeGrantType() &&
-               !services.Options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.AuthorizationCode)) {
+            if (context.Request.IsAuthorizationCodeGrantType() && !services.Options.IsAuthorizationCodeFlowEnabled()) {
                 services.Logger.LogError("The token request was rejected because the authorization code flow was not enabled.");
 
                 context.Reject(
@@ -52,8 +52,7 @@ namespace OpenIddict.Infrastructure {
 
             // Reject token requests using grant_type=client_credentials
             // if the client credentials flow support is not enabled.
-            else if (context.Request.IsClientCredentialsGrantType() &&
-                    !services.Options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.ClientCredentials)) {
+            else if (context.Request.IsClientCredentialsGrantType() && !services.Options.IsClientCredentialsFlowEnabled()) {
                 services.Logger.LogError("The token request was rejected because the client credentials flow was not enabled.");
 
                 context.Reject(
@@ -65,8 +64,7 @@ namespace OpenIddict.Infrastructure {
 
             // Reject token requests using grant_type=password if the
             // resource owner password credentials flow support is not enabled.
-            else if (context.Request.IsPasswordGrantType() &&
-                    !services.Options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.Password)) {
+            else if (context.Request.IsPasswordGrantType() && !services.Options.IsPasswordFlowEnabled()) {
                 services.Logger.LogError("The token request was rejected because the resource " +
                                          "owner password credentials flow was not enabled.");
 
@@ -79,8 +77,7 @@ namespace OpenIddict.Infrastructure {
 
             // Reject token requests using grant_type=refresh_token
             // if the refresh token flow support is not enabled.
-            else if (context.Request.IsRefreshTokenGrantType() &&
-                    !services.Options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.RefreshToken)) {
+            if (context.Request.IsRefreshTokenGrantType() && !services.Options.IsRefreshTokenFlowEnabled()) {
                 services.Logger.LogError("The token request was rejected because the refresh token flow was not enabled.");
 
                 context.Reject(
@@ -91,8 +88,7 @@ namespace OpenIddict.Infrastructure {
             }
 
             // Reject token requests that specify scope=offline_access if the refresh token flow is not enabled.
-            if (context.Request.HasScope(OpenIdConnectConstants.Scopes.OfflineAccess) &&
-               !services.Options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.RefreshToken)) {
+            if (context.Request.HasScope(OpenIdConnectConstants.Scopes.OfflineAccess) && !services.Options.IsRefreshTokenFlowEnabled()) {
                 context.Reject(
                     error: OpenIdConnectConstants.Errors.InvalidRequest,
                     description: "The 'offline_access' scope is not allowed.");

src/OpenIddict.Core/OpenIddictExtensions.cs

@@ -116,20 +116,18 @@ namespace Microsoft.AspNetCore.Builder {
 
             // Ensure the authorization endpoint has been enabled when
             // the authorization code or implicit grants are supported.
-            if (!options.AuthorizationEndpointPath.HasValue &&
-                (options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.AuthorizationCode) ||
-                 options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.Implicit))) {
+            if (!options.AuthorizationEndpointPath.HasValue && (options.IsAuthorizationCodeFlowEnabled() ||
+                                                                options.IsImplicitFlowEnabled())) {
                 throw new InvalidOperationException("The authorization endpoint must be enabled to use " +
                                                     "the authorization code and implicit flows.");
             }
 
             // Ensure the token endpoint has been enabled when the authorization code,
             // client credentials, password or refresh token grants are supported.
-            else if (!options.TokenEndpointPath.HasValue && 
-                     (options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.AuthorizationCode) ||
-                      options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.ClientCredentials) ||
-                      options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.Password) ||
-                      options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.RefreshToken))) {
+            else if (!options.TokenEndpointPath.HasValue && (options.IsAuthorizationCodeFlowEnabled() ||
+                                                             options.IsClientCredentialsFlowEnabled() ||
+                                                             options.IsPasswordFlowEnabled() ||
+                                                             options.IsRefreshTokenFlowEnabled())) {
                 throw new InvalidOperationException("The token endpoint must be enabled to use the authorization code, " +
                                                     "client credentials, password and refresh token flows.");
             }
@@ -150,5 +148,70 @@ namespace Microsoft.AspNetCore.Builder {
 
             return app;
         }
+
+        /// <summary>
+        /// Determines whether the authorization code flow has been enabled.
+        /// </summary>
+        /// <param name="options">The OpenIddict options.</param>
+        /// <returns><c>true</c> if the authorization code flow has been enabled, <c>false</c> otherwise.</returns>
+        public static bool IsAuthorizationCodeFlowEnabled([NotNull] this OpenIddictOptions options) {
+            if (options == null) {
+                throw new ArgumentNullException(nameof(options));
+            }
+
+            return options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.AuthorizationCode);
+        }
+
+        /// <summary>
+        /// Determines whether the client credentials flow has been enabled.
+        /// </summary>
+        /// <param name="options">The OpenIddict options.</param>
+        /// <returns><c>true</c> if the client credentials flow has been enabled, <c>false</c> otherwise.</returns>
+        public static bool IsClientCredentialsFlowEnabled([NotNull] this OpenIddictOptions options) {
+            if (options == null) {
+                throw new ArgumentNullException(nameof(options));
+            }
+
+            return options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.ClientCredentials);
+        }
+
+        /// <summary>
+        /// Determines whether the implicit flow has been enabled.
+        /// </summary>
+        /// <param name="options">The OpenIddict options.</param>
+        /// <returns><c>true</c> if the implicit flow has been enabled, <c>false</c> otherwise.</returns>
+        public static bool IsImplicitFlowEnabled([NotNull] this OpenIddictOptions options) {
+            if (options == null) {
+                throw new ArgumentNullException(nameof(options));
+            }
+
+            return options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.Implicit);
+        }
+
+        /// <summary>
+        /// Determines whether the password flow has been enabled.
+        /// </summary>
+        /// <param name="options">The OpenIddict options.</param>
+        /// <returns><c>true</c> if the password flow has been enabled, <c>false</c> otherwise.</returns>
+        public static bool IsPasswordFlowEnabled([NotNull] this OpenIddictOptions options) {
+            if (options == null) {
+                throw new ArgumentNullException(nameof(options));
+            }
+
+            return options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.Password);
+        }
+
+        /// <summary>
+        /// Determines whether the refresh token flow has been enabled.
+        /// </summary>
+        /// <param name="options">The OpenIddict options.</param>
+        /// <returns><c>true</c> if the refresh token flow has been enabled, <c>false</c> otherwise.</returns>
+        public static bool IsRefreshTokenFlowEnabled([NotNull] this OpenIddictOptions options) {
+            if (options == null) {
+                throw new ArgumentNullException(nameof(options));
+            }
+
+            return options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.RefreshToken);
+        }
     }
 }