Merge pull request #78 from jokk-itu/feature/scope-resource

Feature/scope resource

Author: jokk-itu

src/AuthServer.TestIdentityProvider/Pages/Consent.cshtml.cs

@@ -45,7 +45,7 @@ public class ClaimDto
         public bool IsGranted { get; set; }
     }
 
-    public async Task OnGet(string returnUrl, CancellationToken cancellationToken)
+    public async Task<IActionResult> OnGet(string returnUrl, CancellationToken cancellationToken)
     {
         ReturnUrl = returnUrl ?? Url.Content("~/");
 
@@ -59,25 +59,34 @@ public async Task OnGet(string returnUrl, CancellationToken cancellationToken)
         var consentGrantDto = await _consentGrantService.GetConsentGrantDto(subject.Subject, clientId, cancellationToken);
 
         var requestedScope = request.Scope.ToList();
+        var requestedClaims = ClaimsHelper.MapToClaims(requestedScope).ToList();
 
         // Display requested claims, also if they are already consented. This makes sure the end-user can change their full consent.
-        var requestedClaims = ClaimsHelper.MapToClaims(requestedScope)
+        var requestedClaimDtos = requestedClaims
             .Select(x => new ClaimDto
             {
                 Name = x,
                 IsGranted = consentGrantDto.ConsentedClaims.Any(y => y == x)
             })
             .ToList();
 
+        if (!consentGrantDto.ClientRequiresConsent)
+        {
+            await _consentGrantService.HandleConsent(subject.Subject, clientId, requestedScope, requestedClaims, cancellationToken);
+            return Redirect(ReturnUrl);
+        }
+
         Input = new InputModel
         {
             ClientName = consentGrantDto.ClientName,
             ClientUri = consentGrantDto.ClientUri,
             ClientLogoUri = consentGrantDto.ClientLogoUri,
             Username = consentGrantDto.Username,
             RequestedScope = requestedScope,
-            RequestedClaims = requestedClaims
+            RequestedClaims = requestedClaimDtos
         };
+
+        return Page();
     }
 
     public async Task<IActionResult> OnPostAccept(string returnUrl, CancellationToken cancellationToken)

src/AuthServer.TestIdentityProvider/Pages/SignIn.cshtml

@@ -4,8 +4,6 @@
     ViewData["Title"] = "Sign In";
 }
 
-
-
 <h1>@ViewData["Title"]</h1>
 <hr/>
 <div class="row">

src/AuthServer.TestIdentityProvider/Program.cs

@@ -125,6 +125,13 @@
         options.VerificationUri = identity.GetValue<string>("VerificationUri");
     });
 
+builder.Services
+    .AddOptions<TokenValidationOptions>()
+    .Configure(options =>
+    {
+        options.ClockSkew = TimeSpan.FromSeconds(10);
+    });
+
 builder.Services.AddSingleton<IDistributedCache, InMemoryCache>();
 builder.Services.AddScoped<IUserClaimService, UserClaimService>();
 builder.Services.AddScoped<IAuthenticatedUserAccessor, AuthenticatedUserAccessor>();

src/AuthServer/Authentication/Abstractions/IAuthenticatedUserAccessor.cs

@@ -6,4 +6,5 @@ public interface IAuthenticatedUserAccessor
 {
     Task<AuthenticatedUser?> GetAuthenticatedUser();
     Task<int> CountAuthenticatedUsers();
+    Task ClearAuthenticatedUser();
 }

src/AuthServer/Authorization/Abstractions/IScopeResourceService.cs

@@ -0,0 +1,34 @@
+using AuthServer.Authorization.Models;
+
+namespace AuthServer.Authorization.Abstractions;
+
+internal interface IScopeResourceService
+{
+    /// <summary>
+    /// 
+    /// </summary>
+    /// <param name="scopes"></param>
+    /// <param name="resources"></param>
+    /// <param name="authorizationGrantId"></param>
+    /// <param name="cancellationToken"></param>
+    /// <returns></returns>
+    Task<ScopeResourceValidationResult> ValidateScopeResourceForGrant(
+        IReadOnlyCollection<string> scopes,
+        IReadOnlyCollection<string> resources,
+        string authorizationGrantId,
+        CancellationToken cancellationToken);
+
+    /// <summary>
+    /// 
+    /// </summary>
+    /// <param name="scopes"></param>
+    /// <param name="resources"></param>
+    /// <param name="clientId"></param>
+    /// <param name="cancellationToken"></param>
+    /// <returns></returns>
+    Task<ScopeResourceValidationResult> ValidateScopeResourceForClient(
+        IReadOnlyCollection<string> scopes,
+        IReadOnlyCollection<string> resources,
+        string clientId,
+        CancellationToken cancellationToken);
+}

src/AuthServer/Authorization/BaseAuthorizeValidator.cs

@@ -84,7 +84,7 @@ protected async Task<bool> HasUniqueNonce(string? nonce, CancellationToken cance
         => string.IsNullOrEmpty(nonce) || !await _nonceRepository.IsNonceReplay(nonce, cancellationToken);
 
     protected async Task<bool> HasValidResource(IReadOnlyCollection<string> resources, IReadOnlyCollection<string> scopes, CancellationToken cancellationToken)
-        => resources.Count != 0 && await _clientRepository.DoesResourcesExist(resources, scopes, cancellationToken);
+        => resources.Count != 0 && await _clientRepository.AreResourcesAuthorizedForScope(resources, scopes, cancellationToken);
 
     protected bool HasValidEmptyRequest(string? requestObject, string? requestUri, bool isRequiredByClient)
         => !string.IsNullOrEmpty(requestObject) || !string.IsNullOrEmpty(requestUri) || (!isRequiredByClient && !_discoveryDocumentOptions.Value.RequireSignedRequestObject);

src/AuthServer/Authorization/Models/ScopeResourceError.cs

@@ -0,0 +1,10 @@
+namespace AuthServer.Authorization.Models;
+
+internal enum ScopeResourceError
+{
+    ConsentNotFound,
+    ScopeExceedsConsent,
+    ResourceExceedsConsent,
+    UnauthorizedClientForScope,
+    UnauthorizedResourceForScope
+}

src/AuthServer/Authorization/Models/ScopeResourceValidationResult.cs

@@ -0,0 +1,12 @@
+namespace AuthServer.Authorization.Models;
+
+internal class ScopeResourceValidationResult
+{
+    public IReadOnlyCollection<string> Scopes { get; init; } = [];
+
+    public IReadOnlyCollection<string> Resources { get; init; } = [];
+
+    public ScopeResourceError? Error { get; init; }
+
+    public bool IsValid => Error is null;
+};

src/AuthServer/Authorization/ScopeResourceService.cs

@@ -0,0 +1,137 @@
+using AuthServer.Authorization.Abstractions;
+using AuthServer.Authorization.Models;
+using AuthServer.Cache.Abstractions;
+using AuthServer.Extensions;
+using AuthServer.Repositories.Abstractions;
+using Microsoft.Extensions.Logging;
+
+namespace AuthServer.Authorization;
+
+internal class ScopeResourceService : IScopeResourceService
+{
+    private readonly ICachedClientStore _cachedClientStore;
+    private readonly IConsentRepository _consentRepository;
+    private readonly IClientRepository _clientRepository;
+    private readonly ILogger<ScopeResourceService> _logger;
+
+    public ScopeResourceService(
+        ICachedClientStore cachedClientStore,
+        IConsentRepository consentRepository,
+        IClientRepository clientRepository,
+        ILogger<ScopeResourceService> logger)
+    {
+        _cachedClientStore = cachedClientStore;
+        _consentRepository = consentRepository;
+        _clientRepository = clientRepository;
+        _logger = logger;
+    }
+
+    /// <inheritdocs/>
+    public async Task<ScopeResourceValidationResult> ValidateScopeResourceForGrant(
+        IReadOnlyCollection<string> scopes,
+        IReadOnlyCollection<string> resources,
+        string authorizationGrantId,
+        CancellationToken cancellationToken)
+    {
+        var grantConsentScopes = await _consentRepository.GetGrantConsentedScopes(authorizationGrantId, cancellationToken);
+        if (grantConsentScopes.Count == 0)
+        {
+            return new ScopeResourceValidationResult
+            {
+                Error = ScopeResourceError.ConsentNotFound
+            };
+        }
+
+        var requestedScopes = scopes.Count != 0
+            ? scopes
+            : grantConsentScopes
+                .Select(x => x.Name)
+                .ToList();
+
+        var requestedResources = resources.Count != 0
+            ? resources
+            : grantConsentScopes
+                .Select(x => x.Resource)
+                .Distinct()
+                .ToList();
+
+        _logger.LogDebug(
+            "Scopes {@Scopes} and Resources {@Resource} deduced for grant {AuthorizationGrantId}",
+            requestedScopes,
+            requestedResources,
+            authorizationGrantId);
+
+        if (requestedScopes.IsNotSubset(grantConsentScopes.Select(x => x.Name)))
+        {
+            return new ScopeResourceValidationResult
+            {
+                Error = ScopeResourceError.ScopeExceedsConsent
+            };
+        }
+
+        if (requestedResources.IsNotSubset(grantConsentScopes.Select(x => x.Resource)))
+        {
+            return new ScopeResourceValidationResult
+            {
+                Error = ScopeResourceError.ResourceExceedsConsent
+            };
+        }
+
+        var areResourcesAuthorizedForScope = await _clientRepository.AreResourcesAuthorizedForScope(
+            requestedResources,
+            requestedScopes,
+            cancellationToken);
+
+        if (!areResourcesAuthorizedForScope)
+        {
+            return new ScopeResourceValidationResult
+            {
+                Error = ScopeResourceError.UnauthorizedResourceForScope
+            };
+        }
+
+        return new ScopeResourceValidationResult
+        {
+            Scopes = requestedScopes,
+            Resources = requestedResources
+        };
+    }
+
+    /// <inheritdocs/>
+    public async Task<ScopeResourceValidationResult> ValidateScopeResourceForClient(
+        IReadOnlyCollection<string> scopes,
+        IReadOnlyCollection<string> resources,
+        string clientId,
+        CancellationToken cancellationToken)
+    {
+        var cachedClient = await _cachedClientStore.Get(clientId, cancellationToken);
+        var requestedScopes = scopes.Count == 0 ? cachedClient.Scopes : scopes;
+        if (requestedScopes.IsNotSubset(cachedClient.Scopes))
+        {
+            return new ScopeResourceValidationResult
+            {
+                Error = ScopeResourceError.UnauthorizedClientForScope
+            };
+        }
+
+        if (resources.Count == 0)
+        {
+            throw new ArgumentException("resources must be provided");
+        }
+
+        var areResourcesAuthorizedForScope = await _clientRepository.AreResourcesAuthorizedForScope(resources, requestedScopes, cancellationToken);
+        if (!areResourcesAuthorizedForScope)
+        {
+            return new ScopeResourceValidationResult
+            {
+                Error = ScopeResourceError.UnauthorizedResourceForScope
+            };
+        }
+
+        return new ScopeResourceValidationResult
+        {
+            Scopes = requestedScopes,
+            Resources = resources
+        };
+    }
+}

src/AuthServer/Authorize/AuthorizeInteractionService.cs

@@ -139,12 +139,6 @@ private async Task<InteractionResult> GetPrompt(AuthorizeUser authorizeUser, Aut
             return grantIdPrompt;
         }
 
-        if (!authorizationGrant.Client.RequireConsent)
-        {
-            _logger.LogDebug("Client {ClientId} does not require consent, deducing prompt {Prompt}", authorizeRequest.ClientId, PromptConstants.None);
-            return InteractionResult.Success(authorizeUser.SubjectIdentifier, authorizeUser.AuthorizationGrantId);
-        }
-
         var consentedScope = await _consentGrantRepository.GetClientConsentedScopes(authorizeUser.SubjectIdentifier, authorizeRequest.ClientId!, cancellationToken);
         if (authorizeRequest.Scope.IsNotSubset(consentedScope))
         {