You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
626 lines
29 KiB
626 lines
29 KiB
/*
|
|
* Licensed under the Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
|
|
* See https://github.com/openiddict/openiddict-core for more information concerning
|
|
* the license and the contributors participating to this project.
|
|
*/
|
|
|
|
using System.Collections.Immutable;
|
|
using System.Text.Json;
|
|
using Microsoft.Extensions.Logging;
|
|
using Microsoft.IdentityModel.Tokens;
|
|
|
|
namespace OpenIddict.Validation;
|
|
|
|
public static partial class OpenIddictValidationHandlers
|
|
{
|
|
public static class Discovery
|
|
{
|
|
public static ImmutableArray<OpenIddictValidationHandlerDescriptor> DefaultHandlers { get; } =
|
|
[
|
|
/*
|
|
* Configuration response handling:
|
|
*/
|
|
ValidateWellKnownConfigurationParameters.Descriptor,
|
|
HandleConfigurationErrorResponse.Descriptor,
|
|
ValidateIssuer.Descriptor,
|
|
ExtractJsonWebKeySetEndpoint.Descriptor,
|
|
ExtractIntrospectionEndpoint.Descriptor,
|
|
ExtractMtlsIntrospectionEndpoint.Descriptor,
|
|
ExtractIntrospectionEndpointClientAuthenticationMethods.Descriptor,
|
|
|
|
/*
|
|
* JSON Web Key Set response handling:
|
|
*/
|
|
ValidateWellKnownJsonWebKeySetParameters.Descriptor,
|
|
HandleJsonWebKeySetErrorResponse.Descriptor,
|
|
ExtractSigningKeys.Descriptor
|
|
];
|
|
|
|
/// <summary>
|
|
/// Contains the logic responsible for validating the well-known parameters contained in the configuration response.
|
|
/// </summary>
|
|
public sealed class ValidateWellKnownConfigurationParameters : IOpenIddictValidationHandler<HandleConfigurationResponseContext>
|
|
{
|
|
/// <summary>
|
|
/// Gets the default descriptor definition assigned to this handler.
|
|
/// </summary>
|
|
public static OpenIddictValidationHandlerDescriptor Descriptor { get; }
|
|
= OpenIddictValidationHandlerDescriptor.CreateBuilder<HandleConfigurationResponseContext>()
|
|
.UseSingletonHandler<ValidateWellKnownConfigurationParameters>()
|
|
.SetOrder(int.MinValue + 100_000)
|
|
.SetType(OpenIddictValidationHandlerType.BuiltIn)
|
|
.Build();
|
|
|
|
/// <inheritdoc/>
|
|
public ValueTask HandleAsync(HandleConfigurationResponseContext context)
|
|
{
|
|
if (context is null)
|
|
{
|
|
throw new ArgumentNullException(nameof(context));
|
|
}
|
|
|
|
foreach (var parameter in context.Response.GetParameters())
|
|
{
|
|
if (!ValidateParameterType(parameter.Key, parameter.Value))
|
|
{
|
|
context.Reject(
|
|
error: Errors.ServerError,
|
|
description: SR.FormatID2107(parameter.Key),
|
|
uri: SR.FormatID8000(SR.ID2107));
|
|
|
|
return ValueTask.CompletedTask;
|
|
}
|
|
}
|
|
|
|
return ValueTask.CompletedTask;
|
|
|
|
// Note: in the typical case, the response parameters should be deserialized from a
|
|
// JSON response and thus natively stored as System.Text.Json.JsonElement instances.
|
|
//
|
|
// In the rare cases where the underlying value wouldn't be a JsonElement instance
|
|
// (e.g when custom parameters are manually added to the response), the static
|
|
// conversion operator would take care of converting the underlying value to a
|
|
// JsonElement instance using the same value type as the original parameter value.
|
|
static bool ValidateParameterType(string name, OpenIddictParameter value) => name switch
|
|
{
|
|
// Error parameters MUST be formatted as unique strings:
|
|
Parameters.Error or Parameters.ErrorDescription or Parameters.ErrorUri
|
|
=> ((JsonElement) value).ValueKind is JsonValueKind.String,
|
|
|
|
// The following parameters MUST be formatted as unique strings:
|
|
Metadata.IntrospectionEndpoint or
|
|
Metadata.Issuer
|
|
=> ((JsonElement) value).ValueKind is JsonValueKind.String,
|
|
|
|
// The following parameters MUST be formatted as arrays of strings:
|
|
Metadata.IntrospectionEndpointAuthMethodsSupported
|
|
=> ((JsonElement) value) is JsonElement element &&
|
|
element.ValueKind is JsonValueKind.Array &&
|
|
OpenIddictHelpers.ValidateArrayElements(element, JsonValueKind.String),
|
|
|
|
// The following parameters MUST be formatted as JSON objects and only contain string values:
|
|
Metadata.MtlsEndpointAliases
|
|
=> ((JsonElement) value) is JsonElement element &&
|
|
element.ValueKind is JsonValueKind.Object &&
|
|
OpenIddictHelpers.ValidateObjectElements(element, JsonValueKind.String),
|
|
|
|
// Parameters that are not in the well-known list can be of any type.
|
|
_ => true
|
|
};
|
|
}
|
|
}
|
|
|
|
/// <summary>
|
|
/// Contains the logic responsible for surfacing potential errors from the configuration response.
|
|
/// </summary>
|
|
public sealed class HandleConfigurationErrorResponse : IOpenIddictValidationHandler<HandleConfigurationResponseContext>
|
|
{
|
|
/// <summary>
|
|
/// Gets the default descriptor definition assigned to this handler.
|
|
/// </summary>
|
|
public static OpenIddictValidationHandlerDescriptor Descriptor { get; }
|
|
= OpenIddictValidationHandlerDescriptor.CreateBuilder<HandleConfigurationResponseContext>()
|
|
.UseSingletonHandler<HandleConfigurationErrorResponse>()
|
|
.SetOrder(ValidateWellKnownConfigurationParameters.Descriptor.Order + 1_000)
|
|
.SetType(OpenIddictValidationHandlerType.BuiltIn)
|
|
.Build();
|
|
|
|
/// <inheritdoc/>
|
|
public ValueTask HandleAsync(HandleConfigurationResponseContext context)
|
|
{
|
|
if (context is null)
|
|
{
|
|
throw new ArgumentNullException(nameof(context));
|
|
}
|
|
|
|
// Note: the specification doesn't define a standard way to return an error other than
|
|
// returning a 4xx status code. That said, some implementations are known to return
|
|
// JSON payloads similar to standard errored token responses. For more information, see
|
|
// https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse.
|
|
if (!string.IsNullOrEmpty(context.Response.Error))
|
|
{
|
|
context.Logger.LogInformation(6203, SR.GetResourceString(SR.ID6203), context.Response);
|
|
|
|
context.Reject(
|
|
error: Errors.ServerError,
|
|
description: SR.GetResourceString(SR.ID2144),
|
|
uri: SR.FormatID8000(SR.ID2144));
|
|
|
|
return ValueTask.CompletedTask;
|
|
}
|
|
|
|
return ValueTask.CompletedTask;
|
|
}
|
|
}
|
|
|
|
/// <summary>
|
|
/// Contains the logic responsible for extracting the issuer from the discovery document.
|
|
/// </summary>
|
|
public sealed class ValidateIssuer : IOpenIddictValidationHandler<HandleConfigurationResponseContext>
|
|
{
|
|
/// <summary>
|
|
/// Gets the default descriptor definition assigned to this handler.
|
|
/// </summary>
|
|
public static OpenIddictValidationHandlerDescriptor Descriptor { get; }
|
|
= OpenIddictValidationHandlerDescriptor.CreateBuilder<HandleConfigurationResponseContext>()
|
|
.UseSingletonHandler<ValidateIssuer>()
|
|
.SetOrder(HandleConfigurationErrorResponse.Descriptor.Order + 1_000)
|
|
.SetType(OpenIddictValidationHandlerType.BuiltIn)
|
|
.Build();
|
|
|
|
/// <inheritdoc/>
|
|
public ValueTask HandleAsync(HandleConfigurationResponseContext context)
|
|
{
|
|
if (context is null)
|
|
{
|
|
throw new ArgumentNullException(nameof(context));
|
|
}
|
|
|
|
// Note: the issuer returned in the discovery document must exactly match the URI used to access it.
|
|
// See https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationValidation.
|
|
|
|
var issuer = (string?) context.Response[Metadata.Issuer];
|
|
if (string.IsNullOrEmpty(issuer))
|
|
{
|
|
context.Reject(
|
|
error: Errors.ServerError,
|
|
description: SR.GetResourceString(SR.ID2096),
|
|
uri: SR.FormatID8000(SR.ID2096));
|
|
|
|
return ValueTask.CompletedTask;
|
|
}
|
|
|
|
if (!Uri.TryCreate(issuer, UriKind.Absolute, out Uri? uri))
|
|
{
|
|
context.Reject(
|
|
error: Errors.ServerError,
|
|
description: SR.GetResourceString(SR.ID2097),
|
|
uri: SR.FormatID8000(SR.ID2097));
|
|
|
|
return ValueTask.CompletedTask;
|
|
}
|
|
|
|
// Ensure the issuer matches the expected value.
|
|
if (uri != context.Options.Issuer)
|
|
{
|
|
context.Reject(
|
|
error: Errors.ServerError,
|
|
description: SR.GetResourceString(SR.ID2098),
|
|
uri: SR.FormatID8000(SR.ID2098));
|
|
|
|
return ValueTask.CompletedTask;
|
|
}
|
|
|
|
context.Configuration.Issuer = uri;
|
|
|
|
return ValueTask.CompletedTask;
|
|
}
|
|
}
|
|
|
|
/// <summary>
|
|
/// Contains the logic responsible for extracting the JSON Web Key Set endpoint URI from the discovery document.
|
|
/// </summary>
|
|
public sealed class ExtractJsonWebKeySetEndpoint : IOpenIddictValidationHandler<HandleConfigurationResponseContext>
|
|
{
|
|
/// <summary>
|
|
/// Gets the default descriptor definition assigned to this handler.
|
|
/// </summary>
|
|
public static OpenIddictValidationHandlerDescriptor Descriptor { get; }
|
|
= OpenIddictValidationHandlerDescriptor.CreateBuilder<HandleConfigurationResponseContext>()
|
|
.UseSingletonHandler<ExtractJsonWebKeySetEndpoint>()
|
|
.SetOrder(ValidateIssuer.Descriptor.Order + 1_000)
|
|
.SetType(OpenIddictValidationHandlerType.BuiltIn)
|
|
.Build();
|
|
|
|
/// <inheritdoc/>
|
|
public ValueTask HandleAsync(HandleConfigurationResponseContext context)
|
|
{
|
|
if (context is null)
|
|
{
|
|
throw new ArgumentNullException(nameof(context));
|
|
}
|
|
|
|
// Note: the jwks_uri node is required by the OpenID Connect discovery specification.
|
|
// See https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationValidation.
|
|
var endpoint = (string?) context.Response[Metadata.JwksUri];
|
|
if (string.IsNullOrEmpty(endpoint))
|
|
{
|
|
context.Reject(
|
|
error: Errors.ServerError,
|
|
description: SR.GetResourceString(SR.ID2099),
|
|
uri: SR.FormatID8000(SR.ID2099));
|
|
|
|
return ValueTask.CompletedTask;
|
|
}
|
|
|
|
if (!Uri.TryCreate(endpoint, UriKind.Absolute, out Uri? uri) || OpenIddictHelpers.IsImplicitFileUri(uri))
|
|
{
|
|
context.Reject(
|
|
error: Errors.ServerError,
|
|
description: SR.FormatID2100(Metadata.JwksUri),
|
|
uri: SR.FormatID8000(SR.ID2100));
|
|
|
|
return ValueTask.CompletedTask;
|
|
}
|
|
|
|
context.Configuration.JsonWebKeySetUri = uri;
|
|
|
|
return ValueTask.CompletedTask;
|
|
}
|
|
}
|
|
|
|
/// <summary>
|
|
/// Contains the logic responsible for extracting the introspection endpoint URI from the discovery document.
|
|
/// </summary>
|
|
public sealed class ExtractIntrospectionEndpoint : IOpenIddictValidationHandler<HandleConfigurationResponseContext>
|
|
{
|
|
/// <summary>
|
|
/// Gets the default descriptor definition assigned to this handler.
|
|
/// </summary>
|
|
public static OpenIddictValidationHandlerDescriptor Descriptor { get; }
|
|
= OpenIddictValidationHandlerDescriptor.CreateBuilder<HandleConfigurationResponseContext>()
|
|
.UseSingletonHandler<ExtractIntrospectionEndpoint>()
|
|
.SetOrder(ExtractJsonWebKeySetEndpoint.Descriptor.Order + 1_000)
|
|
.SetType(OpenIddictValidationHandlerType.BuiltIn)
|
|
.Build();
|
|
|
|
/// <inheritdoc/>
|
|
public ValueTask HandleAsync(HandleConfigurationResponseContext context)
|
|
{
|
|
if (context is null)
|
|
{
|
|
throw new ArgumentNullException(nameof(context));
|
|
}
|
|
|
|
var endpoint = (string?) context.Response[Metadata.IntrospectionEndpoint];
|
|
if (!string.IsNullOrEmpty(endpoint))
|
|
{
|
|
if (!Uri.TryCreate(endpoint, UriKind.Absolute, out Uri? uri) || OpenIddictHelpers.IsImplicitFileUri(uri))
|
|
{
|
|
context.Reject(
|
|
error: Errors.ServerError,
|
|
description: SR.FormatID2100(Metadata.IntrospectionEndpoint),
|
|
uri: SR.FormatID8000(SR.ID2100));
|
|
|
|
return ValueTask.CompletedTask;
|
|
}
|
|
|
|
context.Configuration.IntrospectionEndpoint = uri;
|
|
}
|
|
|
|
return ValueTask.CompletedTask;
|
|
}
|
|
}
|
|
|
|
/// <summary>
|
|
/// Contains the logic responsible for extracting the mTLS-enabled
|
|
/// introspection endpoint URI from the discovery document.
|
|
/// </summary>
|
|
public sealed class ExtractMtlsIntrospectionEndpoint : IOpenIddictValidationHandler<HandleConfigurationResponseContext>
|
|
{
|
|
/// <summary>
|
|
/// Gets the default descriptor definition assigned to this handler.
|
|
/// </summary>
|
|
public static OpenIddictValidationHandlerDescriptor Descriptor { get; }
|
|
= OpenIddictValidationHandlerDescriptor.CreateBuilder<HandleConfigurationResponseContext>()
|
|
.UseSingletonHandler<ExtractMtlsIntrospectionEndpoint>()
|
|
.SetOrder(ExtractIntrospectionEndpoint.Descriptor.Order + 1_000)
|
|
.SetType(OpenIddictValidationHandlerType.BuiltIn)
|
|
.Build();
|
|
|
|
/// <inheritdoc/>
|
|
public ValueTask HandleAsync(HandleConfigurationResponseContext context)
|
|
{
|
|
if (context is null)
|
|
{
|
|
throw new ArgumentNullException(nameof(context));
|
|
}
|
|
|
|
// Note: as recommended by the specification, values present in the "mtls_endpoint_aliases" node
|
|
// that can't be recognized as OAuth 2.0 endpoints or are not valid URIs are simply ignored.
|
|
var endpoint = (string?) context.Response[Metadata.MtlsEndpointAliases]?[Metadata.IntrospectionEndpoint];
|
|
if (Uri.TryCreate(endpoint, UriKind.Absolute, out Uri? uri) && !OpenIddictHelpers.IsImplicitFileUri(uri))
|
|
{
|
|
context.Configuration.MtlsIntrospectionEndpoint = uri;
|
|
}
|
|
|
|
return ValueTask.CompletedTask;
|
|
}
|
|
}
|
|
|
|
/// <summary>
|
|
/// Contains the logic responsible for extracting the authentication methods
|
|
/// supported by the introspection endpoint from the discovery document.
|
|
/// </summary>
|
|
public sealed class ExtractIntrospectionEndpointClientAuthenticationMethods : IOpenIddictValidationHandler<HandleConfigurationResponseContext>
|
|
{
|
|
/// <summary>
|
|
/// Gets the default descriptor definition assigned to this handler.
|
|
/// </summary>
|
|
public static OpenIddictValidationHandlerDescriptor Descriptor { get; }
|
|
= OpenIddictValidationHandlerDescriptor.CreateBuilder<HandleConfigurationResponseContext>()
|
|
.UseSingletonHandler<ExtractIntrospectionEndpointClientAuthenticationMethods>()
|
|
.SetOrder(ExtractMtlsIntrospectionEndpoint.Descriptor.Order + 1_000)
|
|
.SetType(OpenIddictValidationHandlerType.BuiltIn)
|
|
.Build();
|
|
|
|
/// <inheritdoc/>
|
|
public ValueTask HandleAsync(HandleConfigurationResponseContext context)
|
|
{
|
|
if (context is null)
|
|
{
|
|
throw new ArgumentNullException(nameof(context));
|
|
}
|
|
|
|
// Resolve the client authentication methods supported by the introspection endpoint, if available.
|
|
foreach (var method in (ImmutableArray<string?>?) context.Response[Metadata.IntrospectionEndpointAuthMethodsSupported] ?? [])
|
|
{
|
|
if (!string.IsNullOrEmpty(method))
|
|
{
|
|
context.Configuration.IntrospectionEndpointAuthMethodsSupported.Add(method);
|
|
}
|
|
}
|
|
|
|
return ValueTask.CompletedTask;
|
|
}
|
|
}
|
|
|
|
/// <summary>
|
|
/// Contains the logic responsible for validating the well-known parameters contained in the JSON Web Key Set response.
|
|
/// </summary>
|
|
public sealed class ValidateWellKnownJsonWebKeySetParameters : IOpenIddictValidationHandler<HandleJsonWebKeySetResponseContext>
|
|
{
|
|
/// <summary>
|
|
/// Gets the default descriptor definition assigned to this handler.
|
|
/// </summary>
|
|
public static OpenIddictValidationHandlerDescriptor Descriptor { get; }
|
|
= OpenIddictValidationHandlerDescriptor.CreateBuilder<HandleJsonWebKeySetResponseContext>()
|
|
.UseSingletonHandler<ValidateWellKnownJsonWebKeySetParameters>()
|
|
.SetOrder(int.MinValue + 100_000)
|
|
.SetType(OpenIddictValidationHandlerType.BuiltIn)
|
|
.Build();
|
|
|
|
/// <inheritdoc/>
|
|
public ValueTask HandleAsync(HandleJsonWebKeySetResponseContext context)
|
|
{
|
|
if (context is null)
|
|
{
|
|
throw new ArgumentNullException(nameof(context));
|
|
}
|
|
|
|
foreach (var parameter in context.Response.GetParameters())
|
|
{
|
|
if (!ValidateParameterType(parameter.Key, parameter.Value))
|
|
{
|
|
context.Reject(
|
|
error: Errors.ServerError,
|
|
description: SR.FormatID2107(parameter.Key),
|
|
uri: SR.FormatID8000(SR.ID2107));
|
|
|
|
return ValueTask.CompletedTask;
|
|
}
|
|
}
|
|
|
|
return ValueTask.CompletedTask;
|
|
|
|
// Note: in the typical case, the response parameters should be deserialized from a
|
|
// JSON response and thus natively stored as System.Text.Json.JsonElement instances.
|
|
//
|
|
// In the rare cases where the underlying value wouldn't be a JsonElement instance
|
|
// (e.g when custom parameters are manually added to the response), the static
|
|
// conversion operator would take care of converting the underlying value to a
|
|
// JsonElement instance using the same value type as the original parameter value.
|
|
static bool ValidateParameterType(string name, OpenIddictParameter value) => name switch
|
|
{
|
|
// Error parameters MUST be formatted as unique strings:
|
|
Parameters.Error or Parameters.ErrorDescription or Parameters.ErrorUri
|
|
=> ((JsonElement) value).ValueKind is JsonValueKind.String,
|
|
|
|
// The following parameters MUST be formatted as arrays of objects:
|
|
JsonWebKeySetParameterNames.Keys => ((JsonElement) value) is JsonElement element &&
|
|
element.ValueKind is JsonValueKind.Array &&
|
|
OpenIddictHelpers.ValidateArrayElements(element, JsonValueKind.Object),
|
|
|
|
// Parameters that are not in the well-known list can be of any type.
|
|
_ => true
|
|
};
|
|
}
|
|
}
|
|
|
|
/// <summary>
|
|
/// Contains the logic responsible for surfacing potential errors from the JSON Web Key Set response.
|
|
/// </summary>
|
|
public sealed class HandleJsonWebKeySetErrorResponse : IOpenIddictValidationHandler<HandleJsonWebKeySetResponseContext>
|
|
{
|
|
/// <summary>
|
|
/// Gets the default descriptor definition assigned to this handler.
|
|
/// </summary>
|
|
public static OpenIddictValidationHandlerDescriptor Descriptor { get; }
|
|
= OpenIddictValidationHandlerDescriptor.CreateBuilder<HandleJsonWebKeySetResponseContext>()
|
|
.UseSingletonHandler<HandleJsonWebKeySetErrorResponse>()
|
|
.SetOrder(ValidateWellKnownJsonWebKeySetParameters.Descriptor.Order + 1_000)
|
|
.SetType(OpenIddictValidationHandlerType.BuiltIn)
|
|
.Build();
|
|
|
|
/// <inheritdoc/>
|
|
public ValueTask HandleAsync(HandleJsonWebKeySetResponseContext context)
|
|
{
|
|
if (context is null)
|
|
{
|
|
throw new ArgumentNullException(nameof(context));
|
|
}
|
|
|
|
// Note: the specification doesn't define a standard way to return an error other than
|
|
// returning a 4xx status code. That said, some implementations are known to return
|
|
// JSON payloads similar to standard errored token responses. For more information, see
|
|
// https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse.
|
|
if (!string.IsNullOrEmpty(context.Response.Error))
|
|
{
|
|
context.Logger.LogInformation(6204, SR.GetResourceString(SR.ID6204), context.Response);
|
|
|
|
context.Reject(
|
|
error: Errors.ServerError,
|
|
description: SR.GetResourceString(SR.ID2145),
|
|
uri: SR.FormatID8000(SR.ID2145));
|
|
|
|
return ValueTask.CompletedTask;
|
|
}
|
|
|
|
return ValueTask.CompletedTask;
|
|
}
|
|
}
|
|
|
|
/// <summary>
|
|
/// Contains the logic responsible for extracting the signing keys from the JSON Web Key Set document.
|
|
/// </summary>
|
|
public sealed class ExtractSigningKeys : IOpenIddictValidationHandler<HandleJsonWebKeySetResponseContext>
|
|
{
|
|
/// <summary>
|
|
/// Gets the default descriptor definition assigned to this handler.
|
|
/// </summary>
|
|
public static OpenIddictValidationHandlerDescriptor Descriptor { get; }
|
|
= OpenIddictValidationHandlerDescriptor.CreateBuilder<HandleJsonWebKeySetResponseContext>()
|
|
.UseSingletonHandler<ExtractSigningKeys>()
|
|
.SetOrder(HandleJsonWebKeySetErrorResponse.Descriptor.Order + 1_000)
|
|
.SetType(OpenIddictValidationHandlerType.BuiltIn)
|
|
.Build();
|
|
|
|
/// <inheritdoc/>
|
|
public ValueTask HandleAsync(HandleJsonWebKeySetResponseContext context)
|
|
{
|
|
if (context is null)
|
|
{
|
|
throw new ArgumentNullException(nameof(context));
|
|
}
|
|
|
|
var keys = context.Response[JsonWebKeySetParameterNames.Keys]?.GetUnnamedParameters();
|
|
if (keys is not { Count: > 0 })
|
|
{
|
|
context.Reject(
|
|
error: Errors.ServerError,
|
|
description: SR.FormatID2102(JsonWebKeySetParameterNames.Keys),
|
|
uri: SR.FormatID8000(SR.ID2102));
|
|
|
|
return ValueTask.CompletedTask;
|
|
}
|
|
|
|
for (var index = 0; index < keys.Count; index++)
|
|
{
|
|
// Note: the "use" parameter is defined as optional by the JSON Web Key Set specification
|
|
// but is required by the OpenID Connect discovery specification if both signing
|
|
// and encryption keys are present in the returned list. If the "use" parameter
|
|
// is not explicitly specified or has an empty value, assume it is a signing key.
|
|
//
|
|
// For more information, see https://www.rfc-editor.org/rfc/rfc7517#section-4.2
|
|
// and https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata.
|
|
var use = (string?) keys[index][JsonWebKeyParameterNames.Use];
|
|
if (string.IsNullOrEmpty(use))
|
|
{
|
|
use = JsonWebKeyUseNames.Sig;
|
|
}
|
|
|
|
// Ignore security keys that are not used for signing.
|
|
if (!string.Equals(use, JsonWebKeyUseNames.Sig, StringComparison.Ordinal))
|
|
{
|
|
continue;
|
|
}
|
|
|
|
var key = (string?) keys[index][JsonWebKeyParameterNames.Kty] switch
|
|
{
|
|
JsonWebAlgorithmsKeyTypes.RSA => new JsonWebKey
|
|
{
|
|
Kty = JsonWebAlgorithmsKeyTypes.RSA,
|
|
E = (string?) keys[index][JsonWebKeyParameterNames.E],
|
|
N = (string?) keys[index][JsonWebKeyParameterNames.N]
|
|
},
|
|
|
|
JsonWebAlgorithmsKeyTypes.EllipticCurve => new JsonWebKey
|
|
{
|
|
Kty = JsonWebAlgorithmsKeyTypes.EllipticCurve,
|
|
Crv = (string?) keys[index][JsonWebKeyParameterNames.Crv],
|
|
X = (string?) keys[index][JsonWebKeyParameterNames.X],
|
|
Y = (string?) keys[index][JsonWebKeyParameterNames.Y]
|
|
},
|
|
|
|
_ => null
|
|
};
|
|
|
|
if (key is null)
|
|
{
|
|
context.Reject(
|
|
error: Errors.ServerError,
|
|
description: SR.GetResourceString(SR.ID2103),
|
|
uri: SR.FormatID8000(SR.ID2103));
|
|
|
|
return ValueTask.CompletedTask;
|
|
}
|
|
|
|
// If the key is a RSA key, ensure the mandatory parameters are all present.
|
|
if (string.Equals(key.Kty, JsonWebAlgorithmsKeyTypes.RSA, StringComparison.Ordinal) &&
|
|
(string.IsNullOrEmpty(key.E) || string.IsNullOrEmpty(key.N)))
|
|
{
|
|
context.Reject(
|
|
error: Errors.ServerError,
|
|
description: SR.GetResourceString(SR.ID2104),
|
|
uri: SR.FormatID8000(SR.ID2104));
|
|
|
|
return ValueTask.CompletedTask;
|
|
}
|
|
|
|
// If the key is an EC key, ensure the mandatory parameters are all present.
|
|
if (string.Equals(key.Kty, JsonWebAlgorithmsKeyTypes.EllipticCurve, StringComparison.Ordinal) &&
|
|
(string.IsNullOrEmpty(key.Crv) || string.IsNullOrEmpty(key.X) || string.IsNullOrEmpty(key.Y)))
|
|
{
|
|
context.Reject(
|
|
error: Errors.ServerError,
|
|
description: SR.GetResourceString(SR.ID2104),
|
|
uri: SR.FormatID8000(SR.ID2104));
|
|
|
|
return ValueTask.CompletedTask;
|
|
}
|
|
|
|
key.KeyId = (string?) keys[index][JsonWebKeyParameterNames.Kid];
|
|
key.X5t = (string?) keys[index][JsonWebKeyParameterNames.X5t];
|
|
key.X5tS256 = (string?) keys[index][JsonWebKeyParameterNames.X5tS256];
|
|
|
|
if (keys[index].TryGetNamedParameter(JsonWebKeyParameterNames.X5c, out var chain))
|
|
{
|
|
foreach (string? certificate in chain.GetUnnamedParameters())
|
|
{
|
|
if (string.IsNullOrEmpty(certificate))
|
|
{
|
|
continue;
|
|
}
|
|
|
|
key.X5c.Add(certificate);
|
|
}
|
|
}
|
|
|
|
context.SecurityKeys.Keys.Add(key);
|
|
}
|
|
|
|
return ValueTask.CompletedTask;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|