diff --git a/src/OpenIddict.Core/Infrastructure/OpenIddictProvider.Authentication.cs b/src/OpenIddict.Core/Infrastructure/OpenIddictProvider.Authentication.cs
index 45f30d3e..15bae320 100644
--- a/src/OpenIddict.Core/Infrastructure/OpenIddictProvider.Authentication.cs
+++ b/src/OpenIddict.Core/Infrastructure/OpenIddictProvider.Authentication.cs
@@ -103,8 +103,7 @@ namespace OpenIddict.Infrastructure {
}
// Reject code flow authorization requests if the authorization code flow is not enabled.
- if (context.Request.IsAuthorizationCodeFlow() &&
- !services.Options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.AuthorizationCode)) {
+ if (context.Request.IsAuthorizationCodeFlow() && !services.Options.IsAuthorizationCodeFlowEnabled()) {
services.Logger.LogError("The authorization request was rejected because " +
"the authorization code flow was not enabled.");
@@ -116,7 +115,7 @@ namespace OpenIddict.Infrastructure {
}
// Reject implicit flow authorization requests if the implicit flow is not enabled.
- if (context.Request.IsImplicitFlow() && !services.Options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.Implicit)) {
+ if (context.Request.IsImplicitFlow() && !services.Options.IsImplicitFlowEnabled()) {
services.Logger.LogError("The authorization request was rejected because the implicit flow was not enabled.");
context.Reject(
@@ -127,8 +126,8 @@ namespace OpenIddict.Infrastructure {
}
// Reject hybrid flow authorization requests if the authorization code or the implicit flows are not enabled.
- if (context.Request.IsHybridFlow() && (!services.Options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.AuthorizationCode) ||
- !services.Options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.Implicit))) {
+ if (context.Request.IsHybridFlow() && (!services.Options.IsAuthorizationCodeFlowEnabled() ||
+ !services.Options.IsImplicitFlowEnabled())) {
services.Logger.LogError("The authorization request was rejected because the " +
"authorization code flow or the implicit flow was not enabled.");
@@ -140,8 +139,7 @@ namespace OpenIddict.Infrastructure {
}
// Reject authorization requests that specify scope=offline_access if the refresh token flow is not enabled.
- if (context.Request.HasScope(OpenIdConnectConstants.Scopes.OfflineAccess) &&
- !services.Options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.RefreshToken)) {
+ if (context.Request.HasScope(OpenIdConnectConstants.Scopes.OfflineAccess) && !services.Options.IsRefreshTokenFlowEnabled()) {
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidRequest,
description: "The 'offline_access' scope is not allowed.");
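Review bot: The `offline_access` rejection in this hunk goes straight from the condition to `context.Reject(...)` with no `services.Logger.LogError(...)` call, unlike the authorization code, implicit and hybrid flow rejections in the hunks above, so this policy denial leaves no log entry. Consider adding `services.Logger.LogError("The authorization request was rejected because the refresh token flow was not enabled.");` before the reject call, so every grant-type denial can be audited the same way. The same gap is visible in the `offline_access` hunk of OpenIddictProvider.Exchange.cs. The enclosing method starts and ends outside the hunk.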
diff --git a/src/OpenIddict.Core/Infrastructure/OpenIddictProvider.Exchange.cs b/src/OpenIddict.Core/Infrastructure/OpenIddictProvider.Exchange.cs
index bee83461..d11a67fc 100644
--- a/src/OpenIddict.Core/Infrastructure/OpenIddictProvider.Exchange.cs
+++ b/src/OpenIddict.Core/Infrastructure/OpenIddictProvider.Exchange.cs
@@ -12,6 +12,7 @@ using AspNet.Security.OpenIdConnect.Extensions;
using AspNet.Security.OpenIdConnect.Server;
using JetBrains.Annotations;
using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http.Authentication;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
@@ -39,8 +40,7 @@ namespace OpenIddict.Infrastructure {
// Reject token requests using grant_type=authorization_code
// if the authorization code flow support is not enabled.
- if (context.Request.IsAuthorizationCodeGrantType() &&
- !services.Options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.AuthorizationCode)) {
+ if (context.Request.IsAuthorizationCodeGrantType() && !services.Options.IsAuthorizationCodeFlowEnabled()) {
services.Logger.LogError("The token request was rejected because the authorization code flow was not enabled.");
context.Reject(
@@ -52,8 +52,7 @@ namespace OpenIddict.Infrastructure {
// Reject token requests using grant_type=client_credentials
// if the client credentials flow support is not enabled.
- else if (context.Request.IsClientCredentialsGrantType() &&
- !services.Options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.ClientCredentials)) {
+ else if (context.Request.IsClientCredentialsGrantType() && !services.Options.IsClientCredentialsFlowEnabled()) {
services.Logger.LogError("The token request was rejected because the client credentials flow was not enabled.");
context.Reject(
@@ -65,8 +64,7 @@ namespace OpenIddict.Infrastructure {
// Reject token requests using grant_type=password if the
// resource owner password credentials flow support is not enabled.
- else if (context.Request.IsPasswordGrantType() &&
- !services.Options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.Password)) {
+ else if (context.Request.IsPasswordGrantType() && !services.Options.IsPasswordFlowEnabled()) {
services.Logger.LogError("The token request was rejected because the resource " +
"owner password credentials flow was not enabled.");
@@ -79,8 +77,7 @@ namespace OpenIddict.Infrastructure {
// Reject token requests using grant_type=refresh_token
// if the refresh token flow support is not enabled.
- else if (context.Request.IsRefreshTokenGrantType() &&
- !services.Options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.RefreshToken)) {
+ if (context.Request.IsRefreshTokenGrantType() && !services.Options.IsRefreshTokenFlowEnabled()) {
services.Logger.LogError("The token request was rejected because the refresh token flow was not enabled.");
context.Reject(
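Review bot: The refresh token check changes from `else if` to a plain `if`, while the client credentials and password checks in the neighbouring hunks keep `else if`. In a commit that otherwise only swaps `GrantTypes.Contains(...)` for helper calls, this looks unintentional. Because `grant_type` values are mutually exclusive the outcome is probably unchanged, but the earlier branches continue outside the hunk, so it cannot be confirmed here that each one returns after `context.Reject(...)`. Either keep `else if (context.Request.IsRefreshTokenGrantType() && !services.Options.IsRefreshTokenFlowEnabled()) {` or mention the control-flow change in the commit message.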
@@ -91,8 +88,7 @@ namespace OpenIddict.Infrastructure {
}
// Reject token requests that specify scope=offline_access if the refresh token flow is not enabled.
- if (context.Request.HasScope(OpenIdConnectConstants.Scopes.OfflineAccess) &&
- !services.Options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.RefreshToken)) {
+ if (context.Request.HasScope(OpenIdConnectConstants.Scopes.OfflineAccess) && !services.Options.IsRefreshTokenFlowEnabled()) {
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidRequest,
description: "The 'offline_access' scope is not allowed.");
diff --git a/src/OpenIddict.Core/OpenIddictExtensions.cs b/src/OpenIddict.Core/OpenIddictExtensions.cs
index 0a84da88..00b5c240 100644
--- a/src/OpenIddict.Core/OpenIddictExtensions.cs
+++ b/src/OpenIddict.Core/OpenIddictExtensions.cs
@@ -116,20 +116,18 @@ namespace Microsoft.AspNetCore.Builder {
// Ensure the authorization endpoint has been enabled when
// the authorization code or implicit grants are supported.
- if (!options.AuthorizationEndpointPath.HasValue &&
- (options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.AuthorizationCode) ||
- options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.Implicit))) {
+ if (!options.AuthorizationEndpointPath.HasValue && (options.IsAuthorizationCodeFlowEnabled() ||
+ options.IsImplicitFlowEnabled())) {
throw new InvalidOperationException("The authorization endpoint must be enabled to use " +
"the authorization code and implicit flows.");
}
// Ensure the token endpoint has been enabled when the authorization code,
// client credentials, password or refresh token grants are supported.
- else if (!options.TokenEndpointPath.HasValue &&
- (options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.AuthorizationCode) ||
- options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.ClientCredentials) ||
- options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.Password) ||
- options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.RefreshToken))) {
+ else if (!options.TokenEndpointPath.HasValue && (options.IsAuthorizationCodeFlowEnabled() ||
+ options.IsClientCredentialsFlowEnabled() ||
+ options.IsPasswordFlowEnabled() ||
+ options.IsRefreshTokenFlowEnabled())) {
throw new InvalidOperationException("The token endpoint must be enabled to use the authorization code, " +
"client credentials, password and refresh token flows.");
}
@@ -150,5 +148,70 @@ namespace Microsoft.AspNetCore.Builder {
return app;
}
+
+ ///
+ /// Determines whether the authorization code flow has been enabled.
+ ///
+ /// The OpenIddict options.
+ /// true if the authorization code flow has been enabled, false otherwise.
+ public static bool IsAuthorizationCodeFlowEnabled([NotNull] this OpenIddictOptions options) {
+ if (options == null) {
+ throw new ArgumentNullException(nameof(options));
+ }
+
+ return options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.AuthorizationCode);
+ }
+
+ ///
+ /// Determines whether the client credentials flow has been enabled.
+ ///
+ /// The OpenIddict options.
+ /// true if the client credentials flow has been enabled, false otherwise.
+ public static bool IsClientCredentialsFlowEnabled([NotNull] this OpenIddictOptions options) {
+ if (options == null) {
+ throw new ArgumentNullException(nameof(options));
+ }
+
+ return options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.ClientCredentials);
+ }
+
+ ///
+ /// Determines whether the implicit flow has been enabled.
+ ///
+ /// The OpenIddict options.
+ /// true if the implicit flow has been enabled, false otherwise.
+ public static bool IsImplicitFlowEnabled([NotNull] this OpenIddictOptions options) {
+ if (options == null) {
+ throw new ArgumentNullException(nameof(options));
+ }
+
+ return options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.Implicit);
+ }
+
+ ///
+ /// Determines whether the password flow has been enabled.
+ ///
+ /// The OpenIddict options.
+ /// true if the password flow has been enabled, false otherwise.
+ public static bool IsPasswordFlowEnabled([NotNull] this OpenIddictOptions options) {
+ if (options == null) {
+ throw new ArgumentNullException(nameof(options));
+ }
+
+ return options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.Password);
+ }
+
+ ///
+ /// Determines whether the refresh token flow has been enabled.
+ ///
+ /// The OpenIddict options.
+ /// true if the refresh token flow has been enabled, false otherwise.
+ public static bool IsRefreshTokenFlowEnabled([NotNull] this OpenIddictOptions options) {
+ if (options == null) {
+ throw new ArgumentNullException(nameof(options));
+ }
+
+ return options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.RefreshToken);
+ }
}
}
\ No newline at end of file
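Review bot: The five `Is…FlowEnabled` helpers are public extension methods that throw `ArgumentNullException` when `options` is null, but the doc comments shown describe only the parameter and the return value. Add `/// <exception cref="ArgumentNullException"><paramref name="options"/> is null.</exception>` to each of them. These helpers now back every flow check in the provider, so each summary should also say that the result reflects only the contents of `options.GrantTypes`. It does not tell the caller whether the matching authorization or token endpoint is configured, which is validated separately in the earlier hunk of this file.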