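/*
 * Licensed under the Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
 * See https://github.com/openiddict/openiddict-core for more information concerning
 * the license and the contributors participating to this project.
 */

using System;
using System.Text;
using JetBrains.Annotations;
using Microsoft.Extensions.Options;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using OpenIddict.Server;

namespace OpenIddict.Validation.ServerIntegration
{
    /// <summary>
    /// Contains the methods required to ensure that the OpenIddict validation/server integration configuration is valid.
    /// </summary>
    /// <remarks>
    /// The validation stack is wired to the co-hosted OpenIddict server: the issuer, the signing keys and the
    /// encryption credentials are copied from the server options, so tokens are only accepted when they were
    /// produced by that server. <see cref="PostConfigure"/> then rejects combinations that would make the
    /// database-backed checks (authorization/token entry validation) silently ineffective.
    /// </remarks>
    public class OpenIddictValidationServerIntegrationConfiguration : IConfigureOptions<OpenIddictValidationOptions>,
                                                                       IPostConfigureOptions<OpenIddictValidationOptions>
    {
        // The server options are read through a monitor so the values observed here are the ones in effect
        // at the time the validation options are configured.
        private readonly IOptionsMonitor<OpenIddictServerOptions> _options;

        /// <summary>
        /// Creates a new instance of the <see cref="OpenIddictValidationServerIntegrationConfiguration"/> class.
        /// </summary>
        /// <param name="options">The OpenIddict server options.</param>
        /// <exception cref="ArgumentNullException"><paramref name="options"/> is <c>null</c>.</exception>
        public OpenIddictValidationServerIntegrationConfiguration([NotNull] IOptionsMonitor<OpenIddictServerOptions> options)
            => _options = options ?? throw new ArgumentNullException(nameof(options));

        /// <summary>
        /// Populates the default OpenIddict validation/server integration options
        /// and ensures that the configuration is in a consistent and valid state.
        /// </summary>
        /// <param name="options">The options instance to initialize.</param>
        /// <exception cref="ArgumentNullException"><paramref name="options"/> is <c>null</c>.</exception>
        public void Configure([NotNull] OpenIddictValidationOptions options)
        {
            if (options is null)
            {
                throw new ArgumentNullException(nameof(options));
            }

            // Read the server options once so every value imported below comes from the same snapshot.
            var server = _options.CurrentValue;

            // Note: the issuer may be null. In this case, it will be usually provided by
            // a validation handler registered by the host (e.g ASP.NET Core or OWIN/Katana).
            options.Configuration = new OpenIdConnectConfiguration
            {
                Issuer = server.Issuer?.AbsoluteUri
            };

            // Import the signing keys from the server configuration: only tokens signed
            // with one of the keys the local server uses are accepted by the validation stack.
            foreach (var credentials in server.SigningCredentials)
            {
                options.Configuration.SigningKeys.Add(credentials.Key);
            }

            // Import the encryption keys from the server configuration so the validation
            // stack can decrypt the tokens the local server issues.
            foreach (var credentials in server.EncryptionCredentials)
            {
                options.EncryptionCredentials.Add(credentials);
            }

            // Note: token entry validation must be enabled to be able to validate reference access tokens.
            // The flag is OR-ed rather than assigned so that an explicit opt-in made by the host
            // (e.g to honor token revocation) is never silently turned off by the integration.
            options.EnableTokenEntryValidation |= server.UseReferenceAccessTokens;
        }

        /// <summary>
        /// Populates the default OpenIddict validation/server integration options
        /// and ensures that the configuration is in a consistent and valid state.
        /// </summary>
        /// <param name="name">The name of the options instance to configure, if applicable.</param>
        /// <param name="options">The options instance to initialize.</param>
        /// <exception cref="ArgumentNullException"><paramref name="options"/> is <c>null</c>.</exception>
        /// <exception cref="InvalidOperationException">
        /// The validation type is not <see cref="OpenIddictValidationType.Direct"/>, or an entry validation
        /// feature is enabled while the corresponding storage is disabled in the server options.
        /// </exception>
        public void PostConfigure([CanBeNull] string name, [NotNull] OpenIddictValidationOptions options)
        {
            if (options is null)
            {
                throw new ArgumentNullException(nameof(options));
            }

            if (options.ValidationType != OpenIddictValidationType.Direct)
            {
                throw new InvalidOperationException("The local server integration can only be used with direct validation.");
            }

            var server = _options.CurrentValue;

            // Note: authorization validation requires that authorizations have an entry
            // in the database (containing at least the authorization metadata), which is
            // not created if the authorization storage is disabled in the server options.
            if (options.EnableAuthorizationEntryValidation && server.DisableAuthorizationStorage)
            {
                throw new InvalidOperationException(new StringBuilder()
                    .Append("Authorization entry validation cannot be enabled when authorization ")
                    .Append("storage is disabled in the OpenIddict server options.")
                    .ToString());
            }

            // Note: token validation requires that tokens have an entry in the database
            // (containing at least the token metadata), which is not created if the
            // token storage is disabled in the OpenIddict server options.
            if (options.EnableTokenEntryValidation && server.DisableTokenStorage)
            {
                throw new InvalidOperationException(new StringBuilder()
                    .Append("Token entry validation cannot be enabled when token storage ")
                    .Append("is disabled in the OpenIddict server options.")
                    .ToString());
            }
        }
    }
}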