Implement built-in audiences and resources indicators validation

Author: kevinchalet

shared/OpenIddict.Extensions/OpenIddictHelpers.cs

@@ -406,7 +406,7 @@ public static IReadOnlyDictionary<string, StringValues> ParseQuery(string query)
                 Value: parts.Length > 1 && parts[1] is string value ? Uri.UnescapeDataString(value) : null))
             .Where(static pair => !string.IsNullOrEmpty(pair.Key))
             .GroupBy(static pair => pair.Key)
-            .ToDictionary(static pair => pair.Key!, static pair => new StringValues(pair.Select(parts => parts.Value).ToArray()));
+            .ToDictionary(static pair => pair.Key!, static pair => new StringValues([.. pair.Select(parts => parts.Value)]));
     }
 
     /// <summary>
@@ -430,7 +430,7 @@ public static IReadOnlyDictionary<string, StringValues> ParseFragment(string fra
                 Value: parts.Length > 1 && parts[1] is string value ? Uri.UnescapeDataString(value) : null))
             .Where(static pair => !string.IsNullOrEmpty(pair.Key))
             .GroupBy(static pair => pair.Key)
-            .ToDictionary(static pair => pair.Key!, static pair => new StringValues(pair.Select(parts => parts.Value).ToArray()));
+            .ToDictionary(static pair => pair.Key!, static pair => new StringValues([.. pair.Select(parts => parts.Value)]));
     }
 
     /// <summary>

src/OpenIddict.Abstractions/OpenIddictConstants.cs

@@ -423,9 +423,11 @@ public static class GrantTypes
 
         public static class Prefixes
         {
+            public const string Audience = "aud:";
             public const string Endpoint = "ept:";
             public const string GrantType = "gt:";
             public const string ResponseType = "rst:";
+            public const string Resource = "rsrc:";
             public const string Scope = "scp:";
         }
 

src/OpenIddict.Abstractions/OpenIddictResources.resx

@@ -1793,6 +1793,9 @@ Alternatively, any value respecting the '[region]-[subregion]-[identifier]' patt
   <data name="ID0494" xml:space="preserve">
     <value>The type of the actor token cannot be resolved from the authentication context.</value>
   </data>
+  <data name="ID0495" xml:space="preserve">
+    <value>The '{0}' parameter cannot contain values that are not valid absolute URIs containing no fragment component.</value>
+  </data>
   <data name="ID2000" xml:space="preserve">
     <value>The security token is missing.</value>
   </data>
@@ -2360,6 +2363,24 @@ Alternatively, any value respecting the '[region]-[subregion]-[identifier]' patt
   <data name="ID2189" xml:space="preserve">
     <value>The specified actor token cannot be used by this client application.</value>
   </data>
+  <data name="ID2190" xml:space="preserve">
+    <value>One of the specified '{0}' parameters is invalid.</value>
+  </data>
+  <data name="ID2191" xml:space="preserve">
+    <value>This client application is not allowed to use the specified audience(s).</value>
+  </data>
+  <data name="ID2192" xml:space="preserve">
+    <value>This client application is not allowed to use the specified resource(s).</value>
+  </data>
+  <data name="ID2193" xml:space="preserve">
+    <value>The '{0}' parameter is not allowed in authorization requests.</value>
+  </data>
+  <data name="ID2194" xml:space="preserve">
+    <value>The '{0}' parameter is not allowed in pushed authorization requests.</value>
+  </data>
+  <data name="ID2195" xml:space="preserve">
+    <value>The '{0}' parameter is only allowed for OAuth 2.0 Token Exchange requests.</value>
+  </data>
   <data name="ID4000" xml:space="preserve">
     <value>The '{0}' parameter shouldn't be null or empty at this point.</value>
   </data>
@@ -3137,6 +3158,36 @@ This may indicate that the hashed entry is corrupted or malformed.</value>
   <data name="ID6271" xml:space="preserve">
     <value>The token request was rejected because the actor token was issued to a different client or for another resource server.</value>
   </data>
+  <data name="ID6272" xml:space="preserve">
+    <value>The token request was rejected because invalid audiences were specified: {Audiences}.</value>
+  </data>
+  <data name="ID6273" xml:space="preserve">
+    <value>The token request was rejected because invalid resources were specified: {Resources}.</value>
+  </data>
+  <data name="ID6274" xml:space="preserve">
+    <value>The authorization request was rejected because invalid resources were specified: {Resources}.</value>
+  </data>
+  <data name="ID6275" xml:space="preserve">
+    <value>The pushed authorization request was rejected because invalid resources were specified: {Resources}.</value>
+  </data>
+  <data name="ID6276" xml:space="preserve">
+    <value>The token request was rejected because the application '{ClientId}' was not allowed to use the audience {Audience}.</value>
+  </data>
+  <data name="ID6277" xml:space="preserve">
+    <value>The token request was rejected because the application '{ClientId}' was not allowed to use the resource {Resource}.</value>
+  </data>
+  <data name="ID6278" xml:space="preserve">
+    <value>The authorization request was rejected because the application '{ClientId}' was not allowed to use the resource {Resource}.</value>
+  </data>
+  <data name="ID6279" xml:space="preserve">
+    <value>The pushed authorization request was rejected because the application '{ClientId}' was not allowed to use the resource {Resource}.</value>
+  </data>
+  <data name="ID6280" xml:space="preserve">
+    <value>The token request was rejected because the '{Parameter}' parameter wasn't a valid absolute URI: {RedirectUri}.</value>
+  </data>
+  <data name="ID6281" xml:space="preserve">
+    <value>The token request was rejected because the '{Parameter}' contained a URI fragment: {RedirectUri}.</value>
+  </data>
   <data name="ID8000" xml:space="preserve">
     <value>https://documentation.openiddict.com/errors/{0}</value>
   </data>

src/OpenIddict.Abstractions/Primitives/OpenIddictExtensions.cs

@@ -38,6 +38,35 @@ public static ImmutableArray<string> GetAcrValues(this OpenIddictRequest request
         return GetValues(request.AcrValues, Separators.Space);
     }
 
+    /// <summary>
+    /// Extracts the audiences from an <see cref="OpenIddictRequest"/>.
+    /// </summary>
+    /// <param name="request">The <see cref="OpenIddictRequest"/> instance.</param>
+    public static ImmutableArray<string> GetAudiences(this OpenIddictRequest request)
+    {
+        if (request is null)
+        {
+            throw new ArgumentNullException(nameof(request));
+        }
+
+        if (request.Audiences is not { IsDefaultOrEmpty: false } audiences)
+        {
+            return [];
+        }
+
+        HashSet<string> set = [];
+
+        foreach (var audience in audiences)
+        {
+            if (!string.IsNullOrEmpty(audience))
+            {
+                set.Add(audience);
+            }
+        }
+
+        return [.. set];
+    }
+
     /// <summary>
     /// Extracts the prompt values from an <see cref="OpenIddictRequest"/>.
     /// </summary>
@@ -52,6 +81,35 @@ public static ImmutableArray<string> GetPromptValues(this OpenIddictRequest requ
         return GetValues(request.Prompt, Separators.Space);
     }
 
+    /// <summary>
+    /// Extracts the resources from an <see cref="OpenIddictRequest"/>.
+    /// </summary>
+    /// <param name="request">The <see cref="OpenIddictRequest"/> instance.</param>
+    public static ImmutableArray<string> GetResources(this OpenIddictRequest request)
+    {
+        if (request is null)
+        {
+            throw new ArgumentNullException(nameof(request));
+        }
+
+        if (request.Resources is not { IsDefaultOrEmpty: false } resources)
+        {
+            return [];
+        }
+
+        HashSet<string> set = [];
+
+        foreach (var resource in resources)
+        {
+            if (!string.IsNullOrEmpty(resource))
+            {
+                set.Add(resource);
+            }
+        }
+
+        return [.. set];
+    }
+
     /// <summary>
     /// Extracts the response types from an <see cref="OpenIddictRequest"/>.
     /// </summary>
@@ -94,30 +152,100 @@ public static bool HasAcrValue(this OpenIddictRequest request, string value)
 
         if (string.IsNullOrEmpty(value))
         {
-            throw new ArgumentException(SR.GetResourceString(SR.ID0177), nameof(value));
+            throw new ArgumentException(SR.FormatID0366(nameof(value)), nameof(value));
         }
 
         return HasValue(request.AcrValues, value, Separators.Space);
     }
 
+    /// <summary>
+    /// Determines whether the requested audiences contains the specified value.
+    /// </summary>
+    /// <param name="request">The <see cref="OpenIddictRequest"/> instance.</param>
+    /// <param name="audience">The value to look for in the parameters.</param>
+    public static bool HasAudience(this OpenIddictRequest request, string audience)
+    {
+        if (request is null)
+        {
+            throw new ArgumentNullException(nameof(request));
+        }
+
+        if (string.IsNullOrEmpty(audience))
+        {
+            throw new ArgumentException(SR.FormatID0366(nameof(audience)), nameof(audience));
+        }
+
+        var audiences = request.Audiences;
+        if (audiences is null or [])
+        {
+            return false;
+        }
+
+        for (var index = 0; index < audiences.Value.Length; index++)
+        {
+            if (audiences.Value[index] is { Length: > 0 } value &&
+                string.Equals(value, audience, StringComparison.Ordinal))
+            {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
     /// <summary>
     /// Determines whether the requested prompt contains the specified value.
     /// </summary>
     /// <param name="request">The <see cref="OpenIddictRequest"/> instance.</param>
-    /// <param name="prompt">The component to look for in the parameter.</param>
-    public static bool HasPromptValue(this OpenIddictRequest request, string prompt)
+    /// <param name="value">The component to look for in the parameter.</param>
+    public static bool HasPromptValue(this OpenIddictRequest request, string value)
+    {
+        if (request is null)
+        {
+            throw new ArgumentNullException(nameof(request));
+        }
+
+        if (string.IsNullOrEmpty(value))
+        {
+            throw new ArgumentException(SR.FormatID0366(nameof(value)), nameof(value));
+        }
+
+        return HasValue(request.Prompt, value, Separators.Space);
+    }
+
+    /// <summary>
+    /// Determines whether the requested resources contains the specified value.
+    /// </summary>
+    /// <param name="request">The <see cref="OpenIddictRequest"/> instance.</param>
+    /// <param name="resource">The value to look for in the parameters.</param>
+    public static bool HasResource(this OpenIddictRequest request, string resource)
     {
         if (request is null)
         {
             throw new ArgumentNullException(nameof(request));
         }
 
-        if (string.IsNullOrEmpty(prompt))
+        if (string.IsNullOrEmpty(resource))
+        {
+            throw new ArgumentException(SR.FormatID0366(nameof(resource)), nameof(resource));
+        }
+
+        var resources = request.Resources;
+        if (resources is null or [])
+        {
+            return false;
+        }
+
+        for (var index = 0; index < resources.Value.Length; index++)
         {
-            throw new ArgumentException(SR.GetResourceString(SR.ID0178), nameof(prompt));
+            if (resources.Value[index] is { Length: > 0 } value &&
+                string.Equals(value, resource, StringComparison.Ordinal))
+            {
+                return true;
+            }
         }
 
-        return HasValue(request.Prompt, prompt, Separators.Space);
+        return false;
     }
 
     /// <summary>
@@ -134,7 +262,7 @@ public static bool HasResponseType(this OpenIddictRequest request, string type)
 
         if (string.IsNullOrEmpty(type))
         {
-            throw new ArgumentException(SR.GetResourceString(SR.ID0179), nameof(type));
+            throw new ArgumentException(SR.FormatID0366(nameof(type)), nameof(type));
         }
 
         return HasValue(request.ResponseType, type, Separators.Space);
@@ -154,7 +282,7 @@ public static bool HasScope(this OpenIddictRequest request, string scope)
 
         if (string.IsNullOrEmpty(scope))
         {
-            throw new ArgumentException(SR.GetResourceString(SR.ID0180), nameof(scope));
+            throw new ArgumentException(SR.FormatID0366(nameof(scope)), nameof(scope));
         }
 
         return HasValue(request.Scope, scope, Separators.Space);

src/OpenIddict.Abstractions/Primitives/OpenIddictMessage.cs

@@ -182,7 +182,7 @@ public OpenIddictMessage(IEnumerable<KeyValuePair<string, ImmutableArray<string?
             // parameters with the same name to represent a multi-valued parameter.
             AddParameter(parameter.Key, parameter.Value switch
             {
-                   null or []  => default,
+                  null or []   => default,
                 [string value] => new OpenIddictParameter(value),
                  [..] values   => new OpenIddictParameter(values)
             });

src/OpenIddict.Abstractions/Primitives/OpenIddictParameter.cs

@@ -1165,7 +1165,7 @@ public static explicit operator StringValues(OpenIddictParameter? parameter)
             null or JsonElement { ValueKind: JsonValueKind.Null or JsonValueKind.Undefined } => null,
 
             // When the parameter is an array of strings, return a StringValues instance wrapping the cloned array.
-            string?[] value => new StringValues(value.ToArray().ToArray()),
+            string?[] value => new StringValues([.. value]),
 
             // When the parameter is a string value, return a StringValues instance with a single entry.
             string value => new StringValues(value),

src/OpenIddict.Client/OpenIddictClientBuilder.cs

@@ -1144,7 +1144,7 @@ public OpenIddictClientBuilder SetPostLogoutRedirectionEndpointUris(
             throw new ArgumentNullException(nameof(uris));
         }
 
-        return SetPostLogoutRedirectionEndpointUris(uris.Select(uri => new Uri(uri, UriKind.RelativeOrAbsolute)).ToArray());
+        return SetPostLogoutRedirectionEndpointUris([.. uris.Select(uri => new Uri(uri, UriKind.RelativeOrAbsolute))]);
     }
 
     /// <summary>
@@ -1197,7 +1197,7 @@ public OpenIddictClientBuilder SetRedirectionEndpointUris(
             throw new ArgumentNullException(nameof(uris));
         }
 
-        return SetRedirectionEndpointUris(uris.Select(uri => new Uri(uri, UriKind.RelativeOrAbsolute)).ToArray());
+        return SetRedirectionEndpointUris([.. uris.Select(uri => new Uri(uri, UriKind.RelativeOrAbsolute))]);
     }
 
     /// <summary>