tsai
/
openiddict-core
mirror of https://github.com/openiddict/openiddict-core.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Backport the permissions changes to OpenIddict 1.x

pull/570/head
Kévin Chalet 8 years ago
parent
1353fa9179 f503fb7e7a
commit
a40c8bf7ed
24 changed files with 963 additions and 28 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 105
      src/OpenIddict.Core/Managers/OpenIddictApplicationManager.cs
  2. 105
      src/OpenIddict.Core/Managers/OpenIddictScopeManager.cs
  3. 1
      src/OpenIddict.Core/OpenIddict.Core.csproj
  4. 1
      src/OpenIddict.Core/OpenIddictConstants.cs
  5. 22
      src/OpenIddict.Core/Stores/IOpenIddictScopeStore.cs
  6. 58
      src/OpenIddict.Core/Stores/OpenIddictApplicationStore.cs
  7. 16
      src/OpenIddict.Core/Stores/OpenIddictAuthorizationStore.cs
  8. 65
      src/OpenIddict.Core/Stores/OpenIddictScopeStore.cs
  9. 16
      src/OpenIddict.Core/Stores/OpenIddictTokenStore.cs
  10. 20
      src/OpenIddict.EntityFramework/Stores/OpenIddictApplicationStore.cs
  11. 20
      src/OpenIddict.EntityFramework/Stores/OpenIddictAuthorizationStore.cs
  12. 20
      src/OpenIddict.EntityFramework/Stores/OpenIddictScopeStore.cs
  13. 20
      src/OpenIddict.EntityFramework/Stores/OpenIddictTokenStore.cs
  14. 20
      src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictApplicationStore.cs
  15. 20
      src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictAuthorizationStore.cs
  16. 20
      src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictScopeStore.cs
  17. 20
      src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictTokenStore.cs
  18. 16
      src/OpenIddict/OpenIddictExtensions.cs
  19. 6
      src/OpenIddict/OpenIddictOptions.cs
  20. 41
      src/OpenIddict/OpenIddictProvider.Authentication.cs
  21. 43
      src/OpenIddict/OpenIddictProvider.Exchange.cs
  22. 171
      test/OpenIddict.Tests/OpenIddictProviderTests.Authentication.cs
  23. 153
      test/OpenIddict.Tests/OpenIddictProviderTests.Exchange.cs
  24. 12
      test/OpenIddict.Tests/OpenIddictProviderTests.cs

105
src/OpenIddict.Core/Managers/OpenIddictApplicationManager.cs
View File

@ -484,7 +484,110 @@ namespace OpenIddict.Core
throw new ArgumentNullException(nameof(application));
}
return (await Store.GetPermissionsAsync(application, cancellationToken)).Contains(permission, StringComparer.OrdinalIgnoreCase);
if (string.IsNullOrEmpty(permission))
{
throw new ArgumentException("The permission name cannot be null or empty.", nameof(permission));
}
var permissions = await Store.GetPermissionsAsync(application, cancellationToken);
bool HasPermission(string name)
{
if (permissions.IsEmpty)
{
return false;
}
return permissions.Contains(name);
}
bool HasEndpointPermission(string name)
{
// If the requested permission is an "endpoint" permission, return true if it has been
// explicitly granted OR if no other endpoint permission has been explicitly registered.
if (permissions.IsEmpty || HasPermission(name))
{
return true;
}
if (permissions.Any(element => element.StartsWith(OpenIddictConstants.Permissions.Prefixes.Endpoint)))
{
return false;
}
return true;
}
bool HasGrantTypePermission(string name)
{
// If the requested permission is a "grant_type" permission, return true if it has been
// explicitly granted OR if the application is allowed to use the corresponding endpoint
// AND no other grant type permission has been explicitly registered.
if (permissions.IsEmpty || HasPermission(name))
{
return true;
}
if (permissions.Any(element => element.StartsWith(OpenIddictConstants.Permissions.Prefixes.GrantType)))
{
return false;
}
switch (permission)
{
case OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode:
return HasEndpointPermission(OpenIddictConstants.Permissions.Endpoints.Authorization) &&
HasEndpointPermission(OpenIddictConstants.Permissions.Endpoints.Token);
case OpenIddictConstants.Permissions.GrantTypes.Implicit:
return HasEndpointPermission(OpenIddictConstants.Permissions.Endpoints.Authorization);
default:
case OpenIddictConstants.Permissions.GrantTypes.ClientCredentials:
case OpenIddictConstants.Permissions.GrantTypes.Password:
case OpenIddictConstants.Permissions.GrantTypes.RefreshToken:
return HasEndpointPermission(OpenIddictConstants.Permissions.Endpoints.Token);
}
}
bool HasScopePermission(string name)
{
// If the requested permission is a "scope" permission, return true if it has been
// explicitly granted OR if the application is allowed to use the authorization or
// token endpoints AND no other scope permission has been explicitly registered.
if (permissions.IsEmpty || HasPermission(name))
{
return true;
}
if (permissions.Any(element => element.StartsWith(OpenIddictConstants.Permissions.Prefixes.Scope)))
{
return false;
}
return HasEndpointPermission(OpenIddictConstants.Permissions.Endpoints.Authorization) ||
HasEndpointPermission(OpenIddictConstants.Permissions.Endpoints.Token);
}
if (permission.StartsWith(OpenIddictConstants.Permissions.Prefixes.Endpoint))
{
return HasEndpointPermission(permission);
}
if (permission.StartsWith(OpenIddictConstants.Permissions.Prefixes.GrantType))
{
return HasGrantTypePermission(permission);
}
if (permission.StartsWith(OpenIddictConstants.Permissions.Prefixes.Scope))
{
return HasScopePermission(permission);
}
return HasPermission(permission);
}
/// <summary>

105
src/OpenIddict.Core/Managers/OpenIddictScopeManager.cs
View File

@ -162,6 +162,45 @@ namespace OpenIddict.Core
return Store.FindByIdAsync(identifier, cancellationToken);
}
/// <summary>
/// Retrieves a scope using its name.
/// </summary>
/// <param name="name">The name associated with the scope.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation,
/// whose result returns the scope corresponding to the specified name.
/// </returns>
public virtual Task<TScope> FindByNameAsync([NotNull] string name, CancellationToken cancellationToken = default)
{
if (string.IsNullOrEmpty(name))
{
throw new ArgumentException("The scope name cannot be null or empty.", nameof(name));
}
return Store.FindByNameAsync(name, cancellationToken);
}
/// <summary>
/// Retrieves a list of scopes using their name.
/// </summary>
/// <param name="names">The names associated with the scopes.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation,
/// whose result returns the scopes corresponding to the specified names.
/// </returns>
public virtual Task<ImmutableArray<TScope>> FindByNamesAsync(
ImmutableArray<string> names, CancellationToken cancellationToken = default)
{
if (names.Any(name => string.IsNullOrEmpty(name)))
{
throw new ArgumentException("Scope names cannot be null or empty.", nameof(names));
}
return Store.FindByNamesAsync(names, cancellationToken);
}
/// <summary>
/// Executes the specified query and returns the first element.
/// </summary>
@ -202,6 +241,25 @@ namespace OpenIddict.Core
return Store.GetAsync(query, state, cancellationToken);
}
/// <summary>
/// Retrieves the description associated with a scope.
/// </summary>
/// <param name="scope">The scope.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation,
/// whose result returns the description associated with the specified scope.
/// </returns>
public virtual Task<string> GetDescriptionAsync([NotNull] TScope scope, CancellationToken cancellationToken = default)
{
if (scope == null)
{
throw new ArgumentNullException(nameof(scope));
}
return Store.GetDescriptionAsync(scope, cancellationToken);
}
/// <summary>
/// Retrieves the unique identifier associated with a scope.
/// </summary>
@ -221,6 +279,25 @@ namespace OpenIddict.Core
return Store.GetIdAsync(scope, cancellationToken);
}
/// <summary>
/// Retrieves the name associated with a scope.
/// </summary>
/// <param name="scope">The scope.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation,
/// whose result returns the name associated with the specified scope.
/// </returns>
public virtual Task<string> GetNameAsync([NotNull] TScope scope, CancellationToken cancellationToken = default)
{
if (scope == null)
{
throw new ArgumentNullException(nameof(scope));
}
return Store.GetIdAsync(scope, cancellationToken);
}
/// <summary>
/// Executes the specified query and returns all the corresponding elements.
/// </summary>
@ -356,6 +433,34 @@ namespace OpenIddict.Core
return results.ToImmutable();
}
/// <summary>
/// Validates the list of scopes to ensure they correspond to existing elements in the database.
/// </summary>
/// <param name="scopes">The scopes.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns><c>true</c> if the list of scopes is valid, <c>false</c> otherwise.</returns>
public virtual async Task<bool> ValidateScopesAsync(ImmutableArray<string> scopes, CancellationToken cancellationToken = default)
{
if (scopes.Length == 0)
{
return true;
}
async Task<ImmutableHashSet<string>> GetScopesAsync()
{
var names = ImmutableHashSet.CreateBuilder(StringComparer.Ordinal);
foreach (var scope in await FindByNamesAsync(scopes, cancellationToken))
{
names.Add(await GetNameAsync(scope, cancellationToken));
}
return names.ToImmutable();
}
return (await GetScopesAsync()).IsSupersetOf(scopes);
}
/// <summary>
/// Populates the scope using the specified descriptor.
/// </summary>

1
src/OpenIddict.Core/OpenIddict.Core.csproj
View File

@ -19,6 +19,7 @@
<ItemGroup>
<PackageReference Include="CryptoHelper.StrongName" Version="$(CryptoHelperVersion)" />
<PackageReference Include="JetBrains.Annotations" Version="$(JetBrainsVersion)" PrivateAssets="All" />
<PackageReference Include="Microsoft.Extensions.Caching.Abstractions" Version="$(AspNetCoreVersion)" />
<PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="$(AspNetCoreVersion)" />
<PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="$(AspNetCoreVersion)" />
<PackageReference Include="Microsoft.Extensions.Options" Version="$(AspNetCoreVersion)" />

1
src/OpenIddict.Core/OpenIddictConstants.cs
View File

@ -61,6 +61,7 @@ namespace OpenIddict.Core
{
public const string Endpoint = "ept:";
public const string GrantType = "gt:";
public const string Scope = "scp:";
}
}

22
src/OpenIddict.Core/Stores/IOpenIddictScopeStore.cs
View File

@ -73,6 +73,28 @@ namespace OpenIddict.Core
/// </returns>
Task<TScope> FindByIdAsync([NotNull] string identifier, CancellationToken cancellationToken);
/// <summary>
/// Retrieves a scope using its name.
/// </summary>
/// <param name="name">The name associated with the scope.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation,
/// whose result returns the scope corresponding to the specified name.
/// </returns>
Task<TScope> FindByNameAsync([NotNull] string name, CancellationToken cancellationToken);
/// <summary>
/// Retrieves a list of scopes using their name.
/// </summary>
/// <param name="names">The names associated with the scopes.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation,
/// whose result returns the scopes corresponding to the specified names.
/// </returns>
Task<ImmutableArray<TScope>> FindByNamesAsync(ImmutableArray<string> names, CancellationToken cancellationToken);
/// <summary>
/// Executes the specified query and returns the first element.
/// </summary>

58
src/OpenIddict.Core/Stores/OpenIddictApplicationStore.cs
View File

@ -12,6 +12,7 @@ using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using JetBrains.Annotations;
using Microsoft.Extensions.Caching.Memory;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;
using OpenIddict.Models;
@ -32,6 +33,21 @@ namespace OpenIddict.Core
where TToken : OpenIddictToken<TKey, TApplication, TAuthorization>, new()
where TKey : IEquatable<TKey>
{
protected OpenIddictApplicationStore([NotNull] IMemoryCache cache)
{
if (cache == null)
{
throw new ArgumentNullException(nameof(cache));
}
Cache = cache;
}
/// <summary>
/// Gets the memory cached associated with the current store.
/// </summary>
protected IMemoryCache Cache { get; }
/// <summary>
/// Determines the number of applications that exist in the database.
/// </summary>
@ -351,7 +367,19 @@ namespace OpenIddict.Core
return Task.FromResult(ImmutableArray.Create<string>());
}
return Task.FromResult(JArray.Parse(application.Permissions).Select(element => (string) element).ToImmutableArray());
// Note: parsing the stringified permissions is an expensive operation.
// To mitigate that, the resulting array is stored in the memory cache.
var key = string.Concat(nameof(GetPermissionsAsync), "\x1e", application.Permissions);
var permissions = Cache.Get(key) as ImmutableArray<string>?;
if (permissions == null)
{
permissions = Cache.Set(key, JArray.Parse(application.Permissions)
.Select(element => (string) element)
.ToImmutableArray());
}
return Task.FromResult(permissions.GetValueOrDefault());
}
/// <summary>
@ -375,7 +403,19 @@ namespace OpenIddict.Core
return Task.FromResult(ImmutableArray.Create<string>());
}
return Task.FromResult(JArray.Parse(application.PostLogoutRedirectUris).Select(element => (string) element).ToImmutableArray());
// Note: parsing the stringified addresses is an expensive operation.
// To mitigate that, the resulting array is stored in the memory cache.
var key = string.Concat(nameof(GetPostLogoutRedirectUrisAsync), "\x1e", application.PostLogoutRedirectUris);
var addresses = Cache.Get(key) as ImmutableArray<string>?;
if (addresses == null)
{
addresses = Cache.Set(key, JArray.Parse(application.PostLogoutRedirectUris)
.Select(element => (string) element)
.ToImmutableArray());
}
return Task.FromResult(addresses.GetValueOrDefault());
}
/// <summary>
@ -423,7 +463,19 @@ namespace OpenIddict.Core
return Task.FromResult(ImmutableArray.Create<string>());
}
return Task.FromResult(JArray.Parse(application.RedirectUris).Select(element => (string) element).ToImmutableArray());
// Note: parsing the stringified addresses is an expensive operation.
// To mitigate that, the resulting array is stored in the memory cache.
var key = string.Concat(nameof(GetRedirectUrisAsync), "\x1e", application.RedirectUris);
var addresses = Cache.Get(key) as ImmutableArray<string>?;
if (addresses == null)
{
addresses = Cache.Set(key, JArray.Parse(application.RedirectUris)
.Select(element => (string) element)
.ToImmutableArray());
}
return Task.FromResult(addresses.GetValueOrDefault());
}
/// <summary>

16
src/OpenIddict.Core/Stores/OpenIddictAuthorizationStore.cs
View File

@ -12,6 +12,7 @@ using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using JetBrains.Annotations;
using Microsoft.Extensions.Caching.Memory;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;
using OpenIddict.Models;
@ -32,6 +33,21 @@ namespace OpenIddict.Core
where TToken : OpenIddictToken<TKey, TApplication, TAuthorization>, new()
where TKey : IEquatable<TKey>
{
protected OpenIddictAuthorizationStore([NotNull] IMemoryCache cache)
{
if (cache == null)
{
throw new ArgumentNullException(nameof(cache));
}
Cache = cache;
}
/// <summary>
/// Gets the memory cached associated with the current store.
/// </summary>
protected IMemoryCache Cache { get; }
/// <summary>
/// Determines the number of authorizations that exist in the database.
/// </summary>

65
src/OpenIddict.Core/Stores/OpenIddictScopeStore.cs
View File

@ -12,6 +12,7 @@ using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using JetBrains.Annotations;
using Microsoft.Extensions.Caching.Memory;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;
using OpenIddict.Models;
@ -28,6 +29,21 @@ namespace OpenIddict.Core
where TScope : OpenIddictScope<TKey>, new()
where TKey : IEquatable<TKey>
{
protected OpenIddictScopeStore([NotNull] IMemoryCache cache)
{
if (cache == null)
{
throw new ArgumentNullException(nameof(cache));
}
Cache = cache;
}
/// <summary>
/// Gets the memory cached associated with the current store.
/// </summary>
protected IMemoryCache Cache { get; }
/// <summary>
/// Determines the number of scopes that exist in the database.
/// </summary>
@ -97,6 +113,55 @@ namespace OpenIddict.Core
return GetAsync((scopes, key) => Query(scopes, key), ConvertIdentifierFromString(identifier), cancellationToken);
}
/// <summary>
/// Retrieves a scope using its name.
/// </summary>
/// <param name="name">The name associated with the scope.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation,
/// whose result returns the scope corresponding to the specified name.
/// </returns>
public virtual Task<TScope> FindByNameAsync([NotNull] string name, CancellationToken cancellationToken)
{
if (string.IsNullOrEmpty(name))
{
throw new ArgumentException("The scope name cannot be null or empty.", nameof(name));
}
IQueryable<TScope> Query(IQueryable<TScope> scopes, string state)
=> from scope in scopes
where scope.Name == state
select scope;
return GetAsync((scopes, state) => Query(scopes, state), name, cancellationToken);
}
/// <summary>
/// Retrieves a list of scopes using their name.
/// </summary>
/// <param name="names">The names associated with the scopes.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation,
/// whose result returns the scopes corresponding to the specified names.
/// </returns>
public virtual Task<ImmutableArray<TScope>> FindByNamesAsync(
ImmutableArray<string> names, CancellationToken cancellationToken)
{
if (names.Any(name => string.IsNullOrEmpty(name)))
{
throw new ArgumentException("Scope names cannot be null or empty.", nameof(names));
}
IQueryable<TScope> Query(IQueryable<TScope> scopes, string[] values)
=> from scope in scopes
where values.Contains(scope.Name)
select scope;
return ListAsync((scopes, values) => Query(scopes, values), names.ToArray(), cancellationToken);
}
/// <summary>
/// Executes the specified query and returns the first element.
/// </summary>

16
src/OpenIddict.Core/Stores/OpenIddictTokenStore.cs
View File

@ -12,6 +12,7 @@ using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using JetBrains.Annotations;
using Microsoft.Extensions.Caching.Memory;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;
using OpenIddict.Models;
@ -32,6 +33,21 @@ namespace OpenIddict.Core
where TAuthorization : OpenIddictAuthorization<TKey, TApplication, TToken>, new()
where TKey : IEquatable<TKey>
{
protected OpenIddictTokenStore([NotNull] IMemoryCache cache)
{
if (cache == null)
{
throw new ArgumentNullException(nameof(cache));
}
Cache = cache;
}
/// <summary>
/// Gets the memory cached associated with the current store.
/// </summary>
protected IMemoryCache Cache { get; }
/// <summary>
/// Determines the number of tokens that exist in the database.
/// </summary>

20
src/OpenIddict.EntityFramework/Stores/OpenIddictApplicationStore.cs
View File

@ -12,6 +12,7 @@ using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using JetBrains.Annotations;
using Microsoft.Extensions.Caching.Memory;
using OpenIddict.Core;
using OpenIddict.Models;
@ -27,7 +28,12 @@ namespace OpenIddict.EntityFramework
OpenIddictToken, TContext, string>
where TContext : DbContext
{
public OpenIddictApplicationStore([NotNull] TContext context) : base(context) { }
public OpenIddictApplicationStore(
[NotNull] TContext context,
[NotNull] IMemoryCache cache)
: base(context, cache)
{
}
}
/// <summary>
@ -42,7 +48,12 @@ namespace OpenIddict.EntityFramework
where TContext : DbContext
where TKey : IEquatable<TKey>
{
public OpenIddictApplicationStore([NotNull] TContext context) : base(context) { }
public OpenIddictApplicationStore(
[NotNull] TContext context,
[NotNull] IMemoryCache cache)
: base(context, cache)
{
}
}
/// <summary>
@ -62,7 +73,10 @@ namespace OpenIddict.EntityFramework
where TContext : DbContext
where TKey : IEquatable<TKey>
{
public OpenIddictApplicationStore([NotNull] TContext context)
public OpenIddictApplicationStore(
[NotNull] TContext context,
[NotNull] IMemoryCache cache)
: base(cache)
{
if (context == null)
{

20
src/OpenIddict.EntityFramework/Stores/OpenIddictAuthorizationStore.cs
View File

@ -12,6 +12,7 @@ using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using JetBrains.Annotations;
using Microsoft.Extensions.Caching.Memory;
using OpenIddict.Core;
using OpenIddict.Models;
@ -27,7 +28,12 @@ namespace OpenIddict.EntityFramework
OpenIddictToken, TContext, string>
where TContext : DbContext
{
public OpenIddictAuthorizationStore([NotNull] TContext context) : base(context) { }
public OpenIddictAuthorizationStore(
[NotNull] TContext context,
[NotNull] IMemoryCache cache)
: base(context, cache)
{
}
}
/// <summary>
@ -42,7 +48,12 @@ namespace OpenIddict.EntityFramework
where TContext : DbContext
where TKey : IEquatable<TKey>
{
public OpenIddictAuthorizationStore([NotNull] TContext context) : base(context) { }
public OpenIddictAuthorizationStore(
[NotNull] TContext context,
[NotNull] IMemoryCache cache)
: base(context, cache)
{
}
}
/// <summary>
@ -62,7 +73,10 @@ namespace OpenIddict.EntityFramework
where TContext : DbContext
where TKey : IEquatable<TKey>
{
public OpenIddictAuthorizationStore([NotNull] TContext context)
public OpenIddictAuthorizationStore(
[NotNull] TContext context,
[NotNull] IMemoryCache cache)
: base(cache)
{
if (context == null)
{

20
src/OpenIddict.EntityFramework/Stores/OpenIddictScopeStore.cs
View File

@ -11,6 +11,7 @@ using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using JetBrains.Annotations;
using Microsoft.Extensions.Caching.Memory;
using OpenIddict.Core;
using OpenIddict.Models;
@ -24,7 +25,12 @@ namespace OpenIddict.EntityFramework
public class OpenIddictScopeStore<TContext> : OpenIddictScopeStore<OpenIddictScope, TContext, string>
where TContext : DbContext
{
public OpenIddictScopeStore([NotNull] TContext context) : base(context) { }
public OpenIddictScopeStore(
[NotNull] TContext context,
[NotNull] IMemoryCache cache)
: base(context, cache)
{
}
}
/// <summary>
@ -37,7 +43,12 @@ namespace OpenIddict.EntityFramework
where TContext : DbContext
where TKey : IEquatable<TKey>
{
public OpenIddictScopeStore([NotNull] TContext context) : base(context) { }
public OpenIddictScopeStore(
[NotNull] TContext context,
[NotNull] IMemoryCache cache)
: base(context, cache)
{
}
}
/// <summary>
@ -52,7 +63,10 @@ namespace OpenIddict.EntityFramework
where TContext : DbContext
where TKey : IEquatable<TKey>
{
public OpenIddictScopeStore([NotNull] TContext context)
public OpenIddictScopeStore(
[NotNull] TContext context,
[NotNull] IMemoryCache cache)
: base(cache)
{
if (context == null)
{

20
src/OpenIddict.EntityFramework/Stores/OpenIddictTokenStore.cs
View File

@ -11,6 +11,7 @@ using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using JetBrains.Annotations;
using Microsoft.Extensions.Caching.Memory;
using OpenIddict.Core;
using OpenIddict.Models;
@ -26,7 +27,12 @@ namespace OpenIddict.EntityFramework
OpenIddictAuthorization, TContext, string>
where TContext : DbContext
{
public OpenIddictTokenStore([NotNull] TContext context) : base(context) { }
public OpenIddictTokenStore(
[NotNull] TContext context,
[NotNull] IMemoryCache cache)
: base(context, cache)
{
}
}
/// <summary>
@ -41,7 +47,12 @@ namespace OpenIddict.EntityFramework
where TContext : DbContext
where TKey : IEquatable<TKey>
{
public OpenIddictTokenStore([NotNull] TContext context) : base(context) { }
public OpenIddictTokenStore(
[NotNull] TContext context,
[NotNull] IMemoryCache cache)
: base(context, cache)
{
}
}
/// <summary>
@ -61,7 +72,10 @@ namespace OpenIddict.EntityFramework
where TContext : DbContext
where TKey : IEquatable<TKey>
{
public OpenIddictTokenStore([NotNull] TContext context)
public OpenIddictTokenStore(
[NotNull] TContext context,
[NotNull] IMemoryCache cache)
: base(cache)
{
if (context == null)
{

20
src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictApplicationStore.cs
View File

@ -12,6 +12,7 @@ using System.Threading;
using System.Threading.Tasks;
using JetBrains.Annotations;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Caching.Memory;
using OpenIddict.Core;
using OpenIddict.Models;
@ -27,7 +28,12 @@ namespace OpenIddict.EntityFrameworkCore
OpenIddictToken, TContext, string>
where TContext : DbContext
{
public OpenIddictApplicationStore([NotNull] TContext context) : base(context) { }
public OpenIddictApplicationStore(
[NotNull] TContext context,
[NotNull] IMemoryCache cache)
: base(context, cache)
{
}
}
/// <summary>
@ -42,7 +48,12 @@ namespace OpenIddict.EntityFrameworkCore
where TContext : DbContext
where TKey : IEquatable<TKey>
{
public OpenIddictApplicationStore([NotNull] TContext context) : base(context) { }
public OpenIddictApplicationStore(
[NotNull] TContext context,
[NotNull] IMemoryCache cache)
: base(context, cache)
{
}
}
/// <summary>
@ -62,7 +73,10 @@ namespace OpenIddict.EntityFrameworkCore
where TContext : DbContext
where TKey : IEquatable<TKey>
{
public OpenIddictApplicationStore([NotNull] TContext context)
public OpenIddictApplicationStore(
[NotNull] TContext context,
[NotNull] IMemoryCache cache)
: base(cache)
{
if (context == null)
{

20
src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictAuthorizationStore.cs
View File

@ -12,6 +12,7 @@ using System.Threading;
using System.Threading.Tasks;
using JetBrains.Annotations;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Caching.Memory;
using OpenIddict.Core;
using OpenIddict.Models;
@ -27,7 +28,12 @@ namespace OpenIddict.EntityFrameworkCore
OpenIddictToken, TContext, string>
where TContext : DbContext
{
public OpenIddictAuthorizationStore([NotNull] TContext context) : base(context) { }
public OpenIddictAuthorizationStore(
[NotNull] TContext context,
[NotNull] IMemoryCache cache)
: base(context, cache)
{
}
}
/// <summary>
@ -42,7 +48,12 @@ namespace OpenIddict.EntityFrameworkCore
where TContext : DbContext
where TKey : IEquatable<TKey>
{
public OpenIddictAuthorizationStore([NotNull] TContext context) : base(context) { }
public OpenIddictAuthorizationStore(
[NotNull] TContext context,
[NotNull] IMemoryCache cache)
: base(context, cache)
{
}
}
/// <summary>
@ -62,7 +73,10 @@ namespace OpenIddict.EntityFrameworkCore
where TContext : DbContext
where TKey : IEquatable<TKey>
{
public OpenIddictAuthorizationStore([NotNull] TContext context)
public OpenIddictAuthorizationStore(
[NotNull] TContext context,
[NotNull] IMemoryCache cache)
: base(cache)
{
if (context == null)
{

20
src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictScopeStore.cs
View File

@ -11,6 +11,7 @@ using System.Threading;
using System.Threading.Tasks;
using JetBrains.Annotations;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Caching.Memory;
using OpenIddict.Core;
using OpenIddict.Models;
@ -24,7 +25,12 @@ namespace OpenIddict.EntityFrameworkCore
public class OpenIddictScopeStore<TContext> : OpenIddictScopeStore<OpenIddictScope, TContext, string>
where TContext : DbContext
{
public OpenIddictScopeStore([NotNull] TContext context) : base(context) { }
public OpenIddictScopeStore(
[NotNull] TContext context,
[NotNull] IMemoryCache cache)
: base(context, cache)
{
}
}
/// <summary>
@ -37,7 +43,12 @@ namespace OpenIddict.EntityFrameworkCore
where TContext : DbContext
where TKey : IEquatable<TKey>
{
public OpenIddictScopeStore([NotNull] TContext context) : base(context) { }
public OpenIddictScopeStore(
[NotNull] TContext context,
[NotNull] IMemoryCache cache)
: base(context, cache)
{
}
}
/// <summary>
@ -52,7 +63,10 @@ namespace OpenIddict.EntityFrameworkCore
where TContext : DbContext
where TKey : IEquatable<TKey>
{
public OpenIddictScopeStore([NotNull] TContext context)
public OpenIddictScopeStore(
[NotNull] TContext context,
[NotNull] IMemoryCache cache)
: base(cache)
{
if (context == null)
{

20
src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictTokenStore.cs
View File

@ -11,6 +11,7 @@ using System.Threading;
using System.Threading.Tasks;
using JetBrains.Annotations;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Caching.Memory;
using OpenIddict.Core;
using OpenIddict.Models;
@ -26,7 +27,12 @@ namespace OpenIddict.EntityFrameworkCore
OpenIddictAuthorization, TContext, string>
where TContext : DbContext
{
public OpenIddictTokenStore([NotNull] TContext context) : base(context) { }
public OpenIddictTokenStore(
[NotNull] TContext context,
[NotNull] IMemoryCache cache)
: base(context, cache)
{
}
}
/// <summary>
@ -41,7 +47,12 @@ namespace OpenIddict.EntityFrameworkCore
where TContext : DbContext
where TKey : IEquatable<TKey>
{
public OpenIddictTokenStore([NotNull] TContext context) : base(context) { }
public OpenIddictTokenStore(
[NotNull] TContext context,
[NotNull] IMemoryCache cache)
: base(context, cache)
{
}
}
/// <summary>
@ -61,7 +72,10 @@ namespace OpenIddict.EntityFrameworkCore
where TContext : DbContext
where TKey : IEquatable<TKey>
{
public OpenIddictTokenStore([NotNull] TContext context)
public OpenIddictTokenStore(
[NotNull] TContext context,
[NotNull] IMemoryCache cache)
: base(cache)
{
if (context == null)
{

16
src/OpenIddict/OpenIddictExtensions.cs
View File

@ -22,6 +22,7 @@ using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;
using Microsoft.IdentityModel.Tokens;
using OpenIddict;
using OpenIddict.Core;
namespace Microsoft.AspNetCore.Builder
{
@ -797,6 +798,21 @@ namespace Microsoft.AspNetCore.Builder
return builder.Configure(options => options.UserinfoEndpointPath = path);
}
/// <summary>
/// Rejects authorization and token requests that specify scopes that have not been
/// registered in the database using <see cref="OpenIddictScopeManager{TScope}"/>.
/// </summary>
/// <param name="builder">The services builder used by OpenIddict to register new services.</param>
public static OpenIddictBuilder ValidateScopes([NotNull] this OpenIddictBuilder builder)
{
if (builder == null)
{
throw new ArgumentNullException(nameof(builder));
}
return builder.Configure(options => options.ValidateScopes = true);
}
/// <summary>
/// Makes client identification mandatory so that token and revocation
/// requests that don't specify a client_id are automatically rejected.

6
src/OpenIddict/OpenIddictOptions.cs
View File

@ -67,6 +67,12 @@ namespace OpenIddict
/// </summary>
public RandomNumberGenerator RandomNumberGenerator { get; set; } = RandomNumberGenerator.Create();
/// <summary>
/// Gets or sets a boolean indicating whether scopes that are not explicitly registered
/// in the database are automatically rejected. This option is not enabled by default.
/// </summary>
public bool ValidateScopes { get; set; }
/// <summary>
/// Gets or sets a boolean determining whether client identification is required.
/// Enabling this option requires registering a client application and sending a

41
src/OpenIddict/OpenIddictProvider.Authentication.cs
View File

@ -5,6 +5,7 @@
*/
using System;
using System.Collections.Immutable;
using System.IO;
using System.Threading.Tasks;
using AspNet.Security.OpenIdConnect.Extensions;
@ -116,6 +117,7 @@ namespace OpenIddict
var applications = context.HttpContext.RequestServices.GetRequiredService<OpenIddictApplicationManager<TApplication>>();
var logger = context.HttpContext.RequestServices.GetRequiredService<ILogger<OpenIddictProvider<TApplication, TAuthorization, TScope, TToken>>>();
var scopes = context.HttpContext.RequestServices.GetRequiredService<OpenIddictScopeManager<TScope>>();
// Note: the OpenID Connect server middleware supports authorization code, implicit, hybrid,
// none and custom flows but OpenIddict uses a stricter policy rejecting none and custum flows.
@ -171,6 +173,22 @@ namespace OpenIddict
return;
}
// If the corresponding option was enabled, reject the request if scopes can't be validated.
if (options.ValidateScopes && !await scopes.ValidateScopesAsync(
context.Request.GetScopes()
.ToImmutableArray()
.Remove(OpenIdConnectConstants.Scopes.OfflineAccess)
.Remove(OpenIdConnectConstants.Scopes.OpenId)))
{
logger.LogError("The authorization request was rejected because an unregistered scope was specified.");
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidRequest,
description: "The specified 'scope' parameter is not valid.");
return;
}
// Reject authorization requests that specify scope=offline_access if the refresh token flow is not enabled.
if (context.Request.HasScope(OpenIdConnectConstants.Scopes.OfflineAccess) &&
!options.GrantTypes.Contains(OpenIdConnectConstants.GrantTypes.RefreshToken))
@ -376,6 +394,29 @@ namespace OpenIddict
return;
}
foreach (var scope in context.Request.GetScopes())
{
// Avoid validating the "openid" and "offline_access" scopes as they represent protocol scopes.
if (string.Equals(scope, OpenIdConnectConstants.Scopes.OfflineAccess, StringComparison.Ordinal) ||
string.Equals(scope, OpenIdConnectConstants.Scopes.OpenId, StringComparison.Ordinal))
{
continue;
}
// Reject the request if the application is not allowed to use the iterated scope.
if (!await applications.HasPermissionAsync(application, OpenIddictConstants.Permissions.Prefixes.Scope + scope))
{
logger.LogError("The authorization request was rejected because the application '{ClientId}' " +
"was not allowed to use the scope {Scope}.", context.ClientId, scope);
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidRequest,
description: "This client application is not allowed to use the specified scope.");
return;
}
}
context.Validate();
}

43
src/OpenIddict/OpenIddictProvider.Exchange.cs
View File

@ -4,6 +4,8 @@
* the license and the contributors participating to this project.
*/
using System;
using System.Collections.Immutable;
using System.Diagnostics;
using System.Threading.Tasks;
using AspNet.Security.OpenIdConnect.Extensions;
@ -25,6 +27,7 @@ namespace OpenIddict
var applications = context.HttpContext.RequestServices.GetRequiredService<OpenIddictApplicationManager<TApplication>>();
var logger = context.HttpContext.RequestServices.GetRequiredService<ILogger<OpenIddictProvider<TApplication, TAuthorization, TScope, TToken>>>();
var scopes = context.HttpContext.RequestServices.GetRequiredService<OpenIddictScopeManager<TScope>>();
// Reject token requests that don't specify a supported grant type.
if (!options.GrantTypes.Contains(context.Request.GrantType))
@ -64,6 +67,22 @@ namespace OpenIddict
return;
}
// If the corresponding option was enabled, reject the request if scopes can't be validated.
if (options.ValidateScopes && !await scopes.ValidateScopesAsync(
context.Request.GetScopes()
.ToImmutableArray()
.Remove(OpenIdConnectConstants.Scopes.OfflineAccess)
.Remove(OpenIdConnectConstants.Scopes.OpenId)))
{
logger.LogError("The token request was rejected because an unregistered scope was specified.");
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidRequest,
description: "The specified 'scope' parameter is not valid.");
return;
}
// Note: the OpenID Connect server middleware allows returning a refresh token with grant_type=client_credentials,
// though it's usually not recommended by the OAuth2 specification. To encourage developers to make a new
// grant_type=client_credentials request instead of using refresh tokens, OpenIddict uses a stricter policy
@ -230,6 +249,30 @@ namespace OpenIddict
return;
}
foreach (var scope in context.Request.GetScopes())
{
// Avoid validating the "openid" and "offline_access" scopes as they represent protocol scopes.
if (string.Equals(scope, OpenIdConnectConstants.Scopes.OfflineAccess, StringComparison.Ordinal) ||
string.Equals(scope, OpenIdConnectConstants.Scopes.OpenId, StringComparison.Ordinal))
{
continue;
}
// Reject the request if the application is not allowed to use the iterated scope.
if (!await applications.HasPermissionAsync(application,
OpenIddictConstants.Permissions.Prefixes.Scope + scope))
{
logger.LogError("The token request was rejected because the application '{ClientId}' " +
"was not allowed to use the scope {Scope}.", context.ClientId, scope);
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidRequest,
description: "This client application is not allowed to use the specified scope.");
return;
}
}
context.Validate();
}

171
test/OpenIddict.Tests/OpenIddictProviderTests.Authentication.cs
View File

@ -4,6 +4,7 @@
* the license and the contributors participating to this project.
*/
using System.Collections.Immutable;
using System.IO;
using System.Security.Cryptography;
using System.Threading;
@ -193,6 +194,105 @@ namespace OpenIddict.Tests
Assert.Equal("The specified 'response_type' parameter is not allowed.", response.ErrorDescription);
}
[Fact]
public async Task ValidateAuthorizationRequest_RequestIsRejectedWhenUnregisteredScopeIsSpecified()
{
// Arrange
var manager = CreateScopeManager(instance =>
{
instance.Setup(mock => mock.ValidateScopesAsync(
It.Is<ImmutableArray<string>>(scopes => scopes[0] == "unregistered_scope"),
It.IsAny<CancellationToken>()))
.ReturnsAsync(false);
});
var server = CreateAuthorizationServer(builder =>
{
builder.Services.AddSingleton(manager);
builder.ValidateScopes();
});
var client = new OpenIdConnectClient(server.CreateClient());
// Act
var response = await client.PostAsync(AuthorizationEndpoint, new OpenIdConnectRequest
{
ClientId = "Fabrikam",
RedirectUri = "http://www.fabrikam.com/path",
ResponseType = OpenIdConnectConstants.ResponseTypes.Code,
Scope = "unregistered_scope"
});
// Assert
Assert.Equal(OpenIdConnectConstants.Errors.InvalidRequest, response.Error);
Assert.Equal("The specified 'scope' parameter is not valid.", response.ErrorDescription);
}
[Fact]
public async Task ValidateAuthorizationRequest_RequestIsValidatedWhenRegisteredScopeIsSpecified()
{
// Arrange
var manager = CreateScopeManager(instance =>
{
instance.Setup(mock => mock.ValidateScopesAsync(
It.Is<ImmutableArray<string>>(scopes => scopes[0] == "registered_scope"),
It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
});
var server = CreateAuthorizationServer(builder =>
{
builder.Services.AddSingleton(CreateApplicationManager(instance =>
{
var application = new OpenIddictApplication();
instance.Setup(mock => mock.FindByClientIdAsync("Fabrikam", It.IsAny<CancellationToken>()))
.ReturnsAsync(application);
instance.Setup(mock => mock.ValidateRedirectUriAsync(application, "http://www.fabrikam.com/path", It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
instance.Setup(mock => mock.GetClientTypeAsync(application, It.IsAny<CancellationToken>()))
.ReturnsAsync(OpenIddictConstants.ClientTypes.Public);
instance.Setup(mock => mock.HasPermissionAsync(application,
OpenIddictConstants.Permissions.Endpoints.Authorization, It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
instance.Setup(mock => mock.HasPermissionAsync(application,
OpenIddictConstants.Permissions.GrantTypes.Implicit, It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
instance.Setup(mock => mock.HasPermissionAsync(application,
OpenIddictConstants.Permissions.Prefixes.Scope + "registered_scope", It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
}));
builder.Services.AddSingleton(manager);
builder.ValidateScopes();
});
var client = new OpenIdConnectClient(server.CreateClient());
// Act
var response = await client.PostAsync(AuthorizationEndpoint, new OpenIdConnectRequest
{
ClientId = "Fabrikam",
Nonce = "n-0S6_WzA2Mj",
RedirectUri = "http://www.fabrikam.com/path",
ResponseType = OpenIdConnectConstants.ResponseTypes.Token,
Scope = "registered_scope"
});
// Assert
Assert.Null(response.Error);
Assert.Null(response.ErrorDescription);
Assert.Null(response.ErrorUri);
Assert.NotNull(response.AccessToken);
}
[Fact]
public async Task ValidateAuthorizationRequest_RequestWithOfflineAccessScopeIsRejectedWhenRefreshTokenFlowIsDisabled()
{
@ -579,6 +679,77 @@ namespace OpenIddict.Tests
Mock.Get(manager).Verify(mock => mock.ValidateRedirectUriAsync(application, "http://www.fabrikam.com/path", It.IsAny<CancellationToken>()), Times.Once());
}
[Fact]
public async Task ValidateAuthorizationRequest_RequestIsRejectedWhenScopePermissionIsNotGranted()
{
// Arrange
var application = new OpenIddictApplication();
var manager = CreateApplicationManager(instance =>
{
instance.Setup(mock => mock.FindByClientIdAsync("Fabrikam", It.IsAny<CancellationToken>()))
.ReturnsAsync(application);
instance.Setup(mock => mock.HasPermissionAsync(application,
OpenIddictConstants.Permissions.Endpoints.Authorization, It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
instance.Setup(mock => mock.HasPermissionAsync(application,
OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode, It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
instance.Setup(mock => mock.HasPermissionAsync(application,
OpenIddictConstants.Permissions.GrantTypes.RefreshToken, It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
instance.Setup(mock => mock.ValidateRedirectUriAsync(application, "http://www.fabrikam.com/path", It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
instance.Setup(mock => mock.HasPermissionAsync(application,
OpenIddictConstants.Permissions.Prefixes.Scope +
OpenIdConnectConstants.Scopes.Profile, It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
instance.Setup(mock => mock.HasPermissionAsync(application,
OpenIddictConstants.Permissions.Prefixes.Scope +
OpenIdConnectConstants.Scopes.Email, It.IsAny<CancellationToken>()))
.ReturnsAsync(false);
});
var server = CreateAuthorizationServer(builder =>
{
builder.Services.AddSingleton(manager);
});
var client = new OpenIdConnectClient(server.CreateClient());
// Act
var response = await client.PostAsync(AuthorizationEndpoint, new OpenIdConnectRequest
{
ClientId = "Fabrikam",
RedirectUri = "http://www.fabrikam.com/path",
ResponseType = OpenIdConnectConstants.ResponseTypes.Code,
Scope = "openid offline_access profile email"
});
// Assert
Assert.Equal(OpenIdConnectConstants.Errors.InvalidRequest, response.Error);
Assert.Equal("This client application is not allowed to use the specified scope.", response.ErrorDescription);
Mock.Get(manager).Verify(mock => mock.HasPermissionAsync(application,
OpenIddictConstants.Permissions.Prefixes.Scope +
OpenIdConnectConstants.Scopes.OpenId, It.IsAny<CancellationToken>()), Times.Never());
Mock.Get(manager).Verify(mock => mock.HasPermissionAsync(application,
OpenIddictConstants.Permissions.Prefixes.Scope +
OpenIdConnectConstants.Scopes.OfflineAccess, It.IsAny<CancellationToken>()), Times.Never());
Mock.Get(manager).Verify(mock => mock.HasPermissionAsync(application,
OpenIddictConstants.Permissions.Prefixes.Scope +
OpenIdConnectConstants.Scopes.Profile, It.IsAny<CancellationToken>()), Times.Once());
Mock.Get(manager).Verify(mock => mock.HasPermissionAsync(application,
OpenIddictConstants.Permissions.Prefixes.Scope +
OpenIdConnectConstants.Scopes.Email, It.IsAny<CancellationToken>()), Times.Once());
}
[Fact]
public async Task HandleAuthorizationRequest_RequestIsPersistedInDistributedCache()
{

153
test/OpenIddict.Tests/OpenIddictProviderTests.Exchange.cs
View File

@ -103,6 +103,68 @@ namespace OpenIddict.Tests
Assert.Equal("The mandatory 'redirect_uri' parameter is missing.", response.ErrorDescription);
}
[Fact]
public async Task ValidateTokenRequest_RequestIsRejectedWhenUnregisteredScopeIsSpecified()
{
// Arrange
var server = CreateAuthorizationServer(options =>
{
options.ValidateScopes();
});
var client = new OpenIdConnectClient(server.CreateClient());
// Act
var response = await client.PostAsync(TokenEndpoint, new OpenIdConnectRequest
{
GrantType = OpenIdConnectConstants.GrantTypes.Password,
Username = "johndoe",
Password = "A3ddj3w",
Scope = "unregistered_scope"
});
// Assert
Assert.Equal(OpenIdConnectConstants.Errors.InvalidRequest, response.Error);
Assert.Equal("The specified 'scope' parameter is not valid.", response.ErrorDescription);
}
[Fact]
public async Task ValidateTokenRequest_RequestIsValidatedWhenRegisteredScopeIsSpecified()
{
// Arrange
var manager = CreateScopeManager(instance =>
{
instance.Setup(mock => mock.ValidateScopesAsync(
It.Is<ImmutableArray<string>>(scopes => scopes[0] == "registered_scope"),
It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
});
var server = CreateAuthorizationServer(builder =>
{
builder.Services.AddSingleton(manager);
builder.ValidateScopes();
builder.RegisterScopes("registered_scope");
});
var client = new OpenIdConnectClient(server.CreateClient());
// Act
var response = await client.PostAsync(TokenEndpoint, new OpenIdConnectRequest
{
GrantType = OpenIdConnectConstants.GrantTypes.Password,
Username = "johndoe",
Password = "A3ddj3w",
Scope = "registered_scope"
});
// Assert
Assert.Null(response.Error);
Assert.Null(response.ErrorDescription);
Assert.Null(response.ErrorUri);
Assert.NotNull(response.AccessToken);
}
[Fact]
public async Task ValidateTokenRequest_ClientCredentialsRequestWithOfflineAccessScopeIsRejected()
{
@ -552,6 +614,85 @@ namespace OpenIddict.Tests
Mock.Get(manager).Verify(mock => mock.ValidateClientSecretAsync(application, "7Fjfp0ZBr1KtDRbnfVdmIw", It.IsAny<CancellationToken>()), Times.Once());
}
[Fact]
public async Task ValidateTokenRequest_RequestIsRejectedWhenScopePermissionIsNotGranted()
{
// Arrange
var application = new OpenIddictApplication();
var manager = CreateApplicationManager(instance =>
{
instance.Setup(mock => mock.FindByClientIdAsync("Fabrikam", It.IsAny<CancellationToken>()))
.ReturnsAsync(application);
instance.Setup(mock => mock.HasPermissionAsync(application,
OpenIddictConstants.Permissions.Endpoints.Token, It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
instance.Setup(mock => mock.HasPermissionAsync(application,
OpenIddictConstants.Permissions.GrantTypes.Password, It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
instance.Setup(mock => mock.HasPermissionAsync(application,
OpenIddictConstants.Permissions.GrantTypes.RefreshToken, It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
instance.Setup(mock => mock.GetClientTypeAsync(application, It.IsAny<CancellationToken>()))
.ReturnsAsync(OpenIddictConstants.ClientTypes.Confidential);
instance.Setup(mock => mock.ValidateClientSecretAsync(application, "7Fjfp0ZBr1KtDRbnfVdmIw", It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
instance.Setup(mock => mock.HasPermissionAsync(application,
OpenIddictConstants.Permissions.Prefixes.Scope +
OpenIdConnectConstants.Scopes.Profile, It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
instance.Setup(mock => mock.HasPermissionAsync(application,
OpenIddictConstants.Permissions.Prefixes.Scope +
OpenIdConnectConstants.Scopes.Email, It.IsAny<CancellationToken>()))
.ReturnsAsync(false);
instance.Setup(mock => mock.ValidateRedirectUriAsync(application, "http://www.fabrikam.com/path", It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
});
var server = CreateAuthorizationServer(builder =>
{
builder.Services.AddSingleton(manager);
});
var client = new OpenIdConnectClient(server.CreateClient());
// Act
var response = await client.PostAsync(TokenEndpoint, new OpenIdConnectRequest
{
ClientId = "Fabrikam",
ClientSecret = "7Fjfp0ZBr1KtDRbnfVdmIw",
GrantType = OpenIdConnectConstants.GrantTypes.Password,
Username = "johndoe",
Password = "A3ddj3w",
Scope = "openid offline_access profile email"
});
// Assert
Assert.Equal(OpenIdConnectConstants.Errors.InvalidRequest, response.Error);
Assert.Equal("This client application is not allowed to use the specified scope.", response.ErrorDescription);
Mock.Get(manager).Verify(mock => mock.HasPermissionAsync(application,
OpenIddictConstants.Permissions.Prefixes.Scope +
OpenIdConnectConstants.Scopes.OpenId, It.IsAny<CancellationToken>()), Times.Never());
Mock.Get(manager).Verify(mock => mock.HasPermissionAsync(application,
OpenIddictConstants.Permissions.Prefixes.Scope +
OpenIdConnectConstants.Scopes.OfflineAccess, It.IsAny<CancellationToken>()), Times.Never());
Mock.Get(manager).Verify(mock => mock.HasPermissionAsync(application,
OpenIddictConstants.Permissions.Prefixes.Scope +
OpenIdConnectConstants.Scopes.Profile, It.IsAny<CancellationToken>()), Times.Once());
Mock.Get(manager).Verify(mock => mock.HasPermissionAsync(application,
OpenIddictConstants.Permissions.Prefixes.Scope +
OpenIdConnectConstants.Scopes.Email, It.IsAny<CancellationToken>()), Times.Once());
}
[Fact]
public async Task HandleTokenRequest_AuthorizationCodeRevocationIsIgnoredWhenTokenRevocationIsDisabled()
{
@ -1168,6 +1309,12 @@ namespace OpenIddict.Tests
instance.Setup(mock => mock.GetIdAsync(tokens[0], It.IsAny<CancellationToken>()))
.ReturnsAsync("3E228451-1555-46F7-A471-951EFBA23A56");
instance.Setup(mock => mock.GetIdAsync(tokens[1], It.IsAny<CancellationToken>()))
.ReturnsAsync("481FCAC6-06BC-43EE-92DB-37A78AA09B59");
instance.Setup(mock => mock.GetIdAsync(tokens[2], It.IsAny<CancellationToken>()))
.ReturnsAsync("3BEA7A94-5ADA-49AF-9F41-8AB6156E31A8");
instance.Setup(mock => mock.GetAuthorizationIdAsync(tokens[0], It.IsAny<CancellationToken>()))
.ReturnsAsync("18D15F73-BE2B-6867-DC01-B3C1E8AFDED0");
@ -1265,6 +1412,12 @@ namespace OpenIddict.Tests
instance.Setup(mock => mock.GetIdAsync(tokens[0], It.IsAny<CancellationToken>()))
.ReturnsAsync("3E228451-1555-46F7-A471-951EFBA23A56");
instance.Setup(mock => mock.GetIdAsync(tokens[1], It.IsAny<CancellationToken>()))
.ReturnsAsync("481FCAC6-06BC-43EE-92DB-37A78AA09B59");
instance.Setup(mock => mock.GetIdAsync(tokens[2], It.IsAny<CancellationToken>()))
.ReturnsAsync("3BEA7A94-5ADA-49AF-9F41-8AB6156E31A8");
instance.Setup(mock => mock.GetAuthorizationIdAsync(tokens[0], It.IsAny<CancellationToken>()))
.ReturnsAsync("18D15F73-BE2B-6867-DC01-B3C1E8AFDED0");

12
test/OpenIddict.Tests/OpenIddictProviderTests.cs
View File

@ -790,6 +790,12 @@ namespace OpenIddict.Tests
instance.Setup(mock => mock.GetIdAsync(tokens[0], It.IsAny<CancellationToken>()))
.ReturnsAsync("60FFF7EA-F98E-437B-937E-5073CC313103");
instance.Setup(mock => mock.GetIdAsync(tokens[1], It.IsAny<CancellationToken>()))
.ReturnsAsync("481FCAC6-06BC-43EE-92DB-37A78AA09B59");
instance.Setup(mock => mock.GetIdAsync(tokens[2], It.IsAny<CancellationToken>()))
.ReturnsAsync("3BEA7A94-5ADA-49AF-9F41-8AB6156E31A8");
instance.Setup(mock => mock.GetAuthorizationIdAsync(tokens[0], It.IsAny<CancellationToken>()))
.ReturnsAsync("18D15F73-BE2B-6867-DC01-B3C1E8AFDED0");
@ -865,6 +871,12 @@ namespace OpenIddict.Tests
instance.Setup(mock => mock.GetIdAsync(tokens[0], It.IsAny<CancellationToken>()))
.ReturnsAsync("60FFF7EA-F98E-437B-937E-5073CC313103");
instance.Setup(mock => mock.GetIdAsync(tokens[1], It.IsAny<CancellationToken>()))
.ReturnsAsync("481FCAC6-06BC-43EE-92DB-37A78AA09B59");
instance.Setup(mock => mock.GetIdAsync(tokens[2], It.IsAny<CancellationToken>()))
.ReturnsAsync("3BEA7A94-5ADA-49AF-9F41-8AB6156E31A8");
instance.Setup(mock => mock.IsRedeemedAsync(tokens[0], It.IsAny<CancellationToken>()))
.ReturnsAsync(false);

Write Preview
Loading…
Cancel
Save