|
|
|
@ -84,46 +84,56 @@ namespace OpenIddict.Infrastructure { |
|
|
|
return; |
|
|
|
} |
|
|
|
|
|
|
|
// Reject tokens requests containing a client_secret if the client application is not confidential.
|
|
|
|
var type = await services.Applications.GetClientTypeAsync(application); |
|
|
|
if (!string.Equals(type, OpenIddictConstants.ClientTypes.Confidential, StringComparison.OrdinalIgnoreCase) && |
|
|
|
!string.IsNullOrEmpty(context.ClientSecret)) { |
|
|
|
services.Logger.LogError("The token request was rejected because the public application '{ClientId}' " + |
|
|
|
"was not allowed to send a client secret.", context.ClientId); |
|
|
|
if (string.Equals(type, OpenIddictConstants.ClientTypes.Public, StringComparison.OrdinalIgnoreCase)) { |
|
|
|
// Reject tokens requests containing a client_secret when the client is a public application.
|
|
|
|
if (!string.IsNullOrEmpty(context.ClientSecret)) { |
|
|
|
services.Logger.LogError("The token request was rejected because the public application '{ClientId}' " + |
|
|
|
"was not allowed to send a client secret.", context.ClientId); |
|
|
|
|
|
|
|
context.Reject( |
|
|
|
error: OpenIdConnectConstants.Errors.InvalidRequest, |
|
|
|
description: "Public clients are not allowed to send a client_secret."); |
|
|
|
context.Reject( |
|
|
|
error: OpenIdConnectConstants.Errors.InvalidRequest, |
|
|
|
description: "Public clients are not allowed to send a client_secret."); |
|
|
|
|
|
|
|
return; |
|
|
|
} |
|
|
|
|
|
|
|
services.Logger.LogInformation("The token request validation process was not fully validated because " + |
|
|
|
"the client '{ClientId}' was a public application.", context.ClientId); |
|
|
|
|
|
|
|
// If client authentication cannot be enforced, call context.Skip() to inform
|
|
|
|
// the OpenID Connect server middleware that the caller cannot be fully trusted.
|
|
|
|
context.Skip(); |
|
|
|
|
|
|
|
return; |
|
|
|
} |
|
|
|
|
|
|
|
// Confidential applications MUST authenticate to protect them from impersonation attacks.
|
|
|
|
else if (!string.Equals(type, OpenIddictConstants.ClientTypes.Public)) { |
|
|
|
if (string.IsNullOrEmpty(context.ClientSecret)) { |
|
|
|
services.Logger.LogError("The token request was rejected because the confidential application " + |
|
|
|
"'{ClientId}' didn't specify a client secret.", context.ClientId); |
|
|
|
if (string.IsNullOrEmpty(context.ClientSecret)) { |
|
|
|
services.Logger.LogError("The token request was rejected because the confidential application " + |
|
|
|
"'{ClientId}' didn't specify a client secret.", context.ClientId); |
|
|
|
|
|
|
|
context.Reject( |
|
|
|
error: OpenIdConnectConstants.Errors.InvalidClient, |
|
|
|
description: "Missing credentials: ensure that you specified a client_secret."); |
|
|
|
context.Reject( |
|
|
|
error: OpenIdConnectConstants.Errors.InvalidClient, |
|
|
|
description: "Missing credentials: ensure that you specified a client_secret."); |
|
|
|
|
|
|
|
return; |
|
|
|
} |
|
|
|
return; |
|
|
|
} |
|
|
|
|
|
|
|
if (!await services.Applications.ValidateSecretAsync(application, context.ClientSecret)) { |
|
|
|
services.Logger.LogError("The token request was rejected because the confidential application " + |
|
|
|
"'{ClientId}' didn't specify valid client credentials.", context.ClientId); |
|
|
|
if (!await services.Applications.ValidateSecretAsync(application, context.ClientSecret)) { |
|
|
|
services.Logger.LogError("The token request was rejected because the confidential application " + |
|
|
|
"'{ClientId}' didn't specify valid client credentials.", context.ClientId); |
|
|
|
|
|
|
|
context.Reject( |
|
|
|
error: OpenIdConnectConstants.Errors.InvalidClient, |
|
|
|
description: "Invalid credentials: ensure that you specified a correct client_secret."); |
|
|
|
context.Reject( |
|
|
|
error: OpenIdConnectConstants.Errors.InvalidClient, |
|
|
|
description: "Invalid credentials: ensure that you specified a correct client_secret."); |
|
|
|
|
|
|
|
return; |
|
|
|
} |
|
|
|
return; |
|
|
|
} |
|
|
|
|
|
|
|
context.Validate(); |
|
|
|
|
|
|
|
return; |
|
|
|
} |
|
|
|
|
|
|
|
public override async Task HandleTokenRequest([NotNull] HandleTokenRequestContext context) { |
|
|
|
|
Kévin Chalet
10 years ago