From db8eb98474728c8f145df144c4215972622dc92e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?=
Date: Wed, 10 Jun 2020 16:48:09 +0200
Subject: [PATCH] Make the Data Protection validation handlers consistent with their server counterpart
---
 ...nIddictValidationDataProtectionHandlers.cs | 26 ++++++++++++-------
 1 file changed, 16 insertions(+), 10 deletions(-)
diff --git a/src/OpenIddict.Validation.DataProtection/OpenIddictValidationDataProtectionHandlers.cs b/src/OpenIddict.Validation.DataProtection/OpenIddictValidationDataProtectionHandlers.cs
index d4b1982c..7a5e8aa4 100644
--- a/src/OpenIddict.Validation.DataProtection/OpenIddictValidationDataProtectionHandlers.cs
+++ b/src/OpenIddict.Validation.DataProtection/OpenIddictValidationDataProtectionHandlers.cs
@@ -16,10 +16,11 @@ using Microsoft.Extensions.Options;
 using Microsoft.IdentityModel.Tokens;
 using OpenIddict.Abstractions;
 using static OpenIddict.Abstractions.OpenIddictConstants;
-using static OpenIddict.Validation.DataProtection.OpenIddictValidationDataProtectionConstants;
+using static OpenIddict.Validation.DataProtection.OpenIddictValidationDataProtectionConstants.Purposes;
 using static OpenIddict.Validation.OpenIddictValidationEvents;
 using static OpenIddict.Validation.OpenIddictValidationHandlers;
 using Properties = OpenIddict.Validation.OpenIddictValidationConstants.Properties;
+using Schemes = OpenIddict.Validation.DataProtection.OpenIddictValidationDataProtectionConstants.Purposes.Schemes;
 
 namespace OpenIddict.Validation.DataProtection
 {
@@ -80,12 +81,17 @@ namespace OpenIddict.Validation.DataProtection
 }
 
 // Create a Data Protection protector using the provider registered in the options.
- var protector = context.Transaction.Properties.ContainsKey(Properties.ReferenceTokenIdentifier) ?
- _options.CurrentValue.DataProtectionProvider.CreateProtector(
- Purposes.Handlers.Server, Purposes.Formats.AccessToken,
- Purposes.Features.ReferenceTokens, Purposes.Schemes.Server) :
- _options.CurrentValue.DataProtectionProvider.CreateProtector(
- Purposes.Handlers.Server, Purposes.Formats.AccessToken, Purposes.Schemes.Server);
+ var protector = _options.CurrentValue.DataProtectionProvider.CreateProtector(context.TokenType switch
+ {
+ null => throw new InvalidOperationException("Generic token validation is not supported by the validation handler."),
+
+ TokenTypeHints.AccessToken when context.Transaction.Properties.ContainsKey(Properties.ReferenceTokenIdentifier)
+ => new[] { Handlers.Server, Formats.AccessToken, Features.ReferenceTokens, Schemes.Server },
+
+ TokenTypeHints.AccessToken => new[] { Handlers.Server, Formats.AccessToken, Schemes.Server },
+
+ _ => throw new InvalidOperationException("The specified token type is not supported.")
+ });
 
 try
 {
@@ -94,7 +100,7 @@ namespace OpenIddict.Validation.DataProtection
 
 // Note: since the data format relies on a data protector using different "purposes" strings
 // per token type, the token processed at this stage is guaranteed to be of the expected type.
- context.Principal = _options.CurrentValue.Formatter.ReadToken(reader)?.SetTokenType(TokenTypeHints.AccessToken);
+ context.Principal = _options.CurrentValue.Formatter.ReadToken(reader)?.SetTokenType(context.TokenType);
 }
 
 catch (Exception exception)
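Review bot: The purpose chain selected in the new `var protector = ...CreateProtector(context.TokenType switch { ... })` expression is the only thing that ties an unprotected payload to a token type, yet it is buried inside an argument list and nothing records why the two throwing arms sit before the `try` rather than inside it, where the `catch (Exception exception)` below would otherwise handle them. I would bind the chain to a local, `var purposes = context.TokenType switch { ... };` followed by `var protector = _options.CurrentValue.DataProtectionProvider.CreateProtector(purposes);`, and precede it with a comment along the lines of `// The purposes chain binds a protected payload to exactly one token type (see the note in the try block); a missing or unsupported type is treated as a handler misuse and surfaces before the try rather than as a failed validation.` — the "handler misuse" reading of the InvalidOperationException arms is inferred from the code and worth confirming. Declaring the arrays as `string[]` instead of `new[]` would also make the inferred arm type explicit. The enclosing handler starts and ends outside the hunk.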
@@ -108,8 +114,8 @@ namespace OpenIddict.Validation.DataProtection
 return default;
 }
 
- context.Logger.LogTrace("The self-contained DP token '{Token}' was successfully validated and the following " +
- "claims could be extracted: {Claims}.", context.Token, context.Principal.Claims);
+ context.Logger.LogTrace("The DP token '{Token}' was successfully validated and the following claims " +
+ "could be extracted: {Claims}.", context.Token, context.Principal.Claims);
 
 return default;
 }