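/*
 * Licensed under the Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
 * See https://github.com/openiddict/openiddict-core for more information concerning
 * the license and the contributors participating to this project.
 */

using System;
using Microsoft.Extensions.Options;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using OpenIddict.Server;
using SR = OpenIddict.Abstractions.OpenIddictResources;

namespace OpenIddict.Validation.ServerIntegration
{
    /// <summary>
    /// Contains the methods required to ensure that the OpenIddict validation/server integration configuration is valid.
    /// </summary>
    public class OpenIddictValidationServerIntegrationConfiguration : IConfigureOptions<OpenIddictValidationOptions>,
                                                                      IPostConfigureOptions<OpenIddictValidationOptions>
    {
        // Monitor giving access to the server options the validation options are derived from.
        // Note: the server values are read from CurrentValue when Configure/PostConfigure run
        // and copied into the validation options; they are not re-read afterwards.
        private readonly IOptionsMonitor<OpenIddictServerOptions> _options;

        /// <summary>
        /// Creates a new instance of the <see cref="OpenIddictValidationServerIntegrationConfiguration"/> class.
        /// </summary>
        /// <param name="options">The OpenIddict server options.</param>
        /// <exception cref="ArgumentNullException"><paramref name="options"/> is <c>null</c>.</exception>
        public OpenIddictValidationServerIntegrationConfiguration(IOptionsMonitor<OpenIddictServerOptions> options)
            // Fail at construction rather than with a NullReferenceException the first time Configure runs.
            => _options = options ?? throw new ArgumentNullException(nameof(options));

        /// <summary>
        /// Populates the default OpenIddict validation/server integration options
        /// and ensures that the configuration is in a consistent and valid state.
        /// </summary>
        /// <param name="options">The options instance to initialize.</param>
        /// <exception cref="ArgumentNullException"><paramref name="options"/> is <c>null</c>.</exception>
        public void Configure(OpenIddictValidationOptions options)
        {
            if (options is null)
            {
                throw new ArgumentNullException(nameof(options));
            }

            // Read the server options once so that every value imported below comes from the same snapshot.
            var server = _options.CurrentValue;

            // Note: the issuer may be null. In this case, it will be usually provided by
            // a validation handler registered by the host (e.g ASP.NET Core or OWIN/Katana).
            options.Configuration = new OpenIdConnectConfiguration
            {
                Issuer = server.Issuer?.AbsoluteUri
            };

            // Import the signing keys from the server configuration.
            // Only the key of each credential is imported (not the algorithm it is paired with).
            foreach (var credentials in server.SigningCredentials)
            {
                options.Configuration.SigningKeys.Add(credentials.Key);
            }

            // Import the encryption keys from the server configuration.
            options.EncryptionCredentials.AddRange(server.EncryptionCredentials);

            // Note: token entry validation must be enabled to be able to validate reference access tokens,
            // as their payload only lives in the token store.
            options.EnableTokenEntryValidation = server.UseReferenceAccessTokens;
        }

        /// <summary>
        /// Ensures that the OpenIddict validation/server integration options are in
        /// a consistent and valid state once all the configuration delegates have run.
        /// </summary>
        /// <param name="name">The name of the options instance to configure, if applicable.</param>
        /// <param name="options">The options instance to initialize.</param>
        /// <exception cref="ArgumentNullException"><paramref name="options"/> is <c>null</c>.</exception>
        /// <exception cref="InvalidOperationException">
        /// The validation type is not <see cref="OpenIddictValidationType.Direct"/>, or authorization/token
        /// entry validation is enabled while the corresponding storage is disabled in the server options.
        /// </exception>
        public void PostConfigure(string name, OpenIddictValidationOptions options)
        {
            if (options is null)
            {
                throw new ArgumentNullException(nameof(options));
            }

            // The server integration can only feed a validation stack that validates tokens locally.
            if (options.ValidationType != OpenIddictValidationType.Direct)
            {
                throw new InvalidOperationException(SR.GetResourceString(SR.ID1169));
            }

            var server = _options.CurrentValue;

            // Note: authorization validation requires that authorizations have an entry
            // in the database (containing at least the authorization metadata), which is
            // not created if the authorization storage is disabled in the server options.
            if (options.EnableAuthorizationEntryValidation && server.DisableAuthorizationStorage)
            {
                throw new InvalidOperationException(SR.GetResourceString(SR.ID1170));
            }

            // Note: token validation requires that tokens have an entry in the database
            // (containing at least the token metadata), which is not created if the
            // token storage is disabled in the OpenIddict server options.
            if (options.EnableTokenEntryValidation && server.DisableTokenStorage)
            {
                throw new InvalidOperationException(SR.GetResourceString(SR.ID1171));
            }
        }
    }
}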