Skip to content

Commit

Permalink
Merge pull request #1632 from SimonCropp/better-perf-in-request-valid…
Browse files Browse the repository at this point in the history
…ation

better perf in request validation
  • Loading branch information
josephdecock authored Dec 10, 2024
2 parents c5dbbf9 + 2bbde03 commit e4a3de9
Show file tree
Hide file tree
Showing 3 changed files with 56 additions and 37 deletions.
36 changes: 21 additions & 15 deletions src/IdentityServer/Validation/Default/AuthorizeRequestValidator.cs
Original file line number Diff line number Diff line change
Expand Up @@ -463,26 +463,32 @@ private async Task<AuthorizeRequestValidationResult> ValidateScopeAndResourceAsy
//////////////////////////////////////////////////////////
// check for resource indicators and valid format
//////////////////////////////////////////////////////////
var resourceIndicators = request.Raw.GetValues(OidcConstants.AuthorizeRequest.Resource) ?? Enumerable.Empty<string>();

if (resourceIndicators?.Any(x => x.Length > _options.InputLengthRestrictions.ResourceIndicatorMaxLength) == true)
var resourceIndicators = request.Raw.GetValues(OidcConstants.AuthorizeRequest.Resource);
if (resourceIndicators == null)
{
return Invalid(request, OidcConstants.AuthorizeErrors.InvalidTarget, "Resource indicator maximum length exceeded");
request.RequestedResourceIndicators = [];
}

if (!resourceIndicators.AreValidResourceIndicatorFormat(_logger))
else
{
return Invalid(request, OidcConstants.AuthorizeErrors.InvalidTarget, "Invalid resource indicator format");
}
if (resourceIndicators.Any(x => x.Length > _options.InputLengthRestrictions.ResourceIndicatorMaxLength))
{
return Invalid(request, OidcConstants.AuthorizeErrors.InvalidTarget, "Resource indicator maximum length exceeded");
}

// we don't want to allow resource indicators when "token" is requested to authorize endpoint
if (request.GrantType == GrantType.Implicit && resourceIndicators.Any())
{
// todo: correct error?
return Invalid(request, OidcConstants.AuthorizeErrors.InvalidTarget, "Resource indicators not allowed for response_type 'token'.");
if (!resourceIndicators.AreValidResourceIndicatorFormat(_logger))
{
return Invalid(request, OidcConstants.AuthorizeErrors.InvalidTarget, "Invalid resource indicator format");
}

// we don't want to allow resource indicators when "token" is requested to authorize endpoint
if (request.GrantType == GrantType.Implicit && resourceIndicators.Length != 0)
{
// todo: correct error?
return Invalid(request, OidcConstants.AuthorizeErrors.InvalidTarget, "Resource indicators not allowed for response_type 'token'.");
}

request.RequestedResourceIndicators = resourceIndicators;
}

request.RequestedResourceIndicators = resourceIndicators;

//////////////////////////////////////////////////////////
// check if scopes are valid/supported and check for resource scopes
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -136,19 +136,25 @@ public async Task<BackchannelAuthenticationRequestValidationResult> ValidateRequ
//////////////////////////////////////////////////////////
// check for resource indicators and valid format
//////////////////////////////////////////////////////////
var resourceIndicators = _validatedRequest.Raw.GetValues(OidcConstants.AuthorizeRequest.Resource) ?? Enumerable.Empty<string>();

if (resourceIndicators?.Any(x => x.Length > _options.InputLengthRestrictions.ResourceIndicatorMaxLength) == true)
var resourceIndicators = _validatedRequest.Raw.GetValues(OidcConstants.AuthorizeRequest.Resource);
if (resourceIndicators == null)
{
return Invalid(OidcConstants.BackchannelAuthenticationRequestErrors.InvalidTarget, "Resource indicator maximum length exceeded");
_validatedRequest.RequestedResourceIndicators = [];
}

if (!resourceIndicators.AreValidResourceIndicatorFormat(_logger))
else
{
return Invalid(OidcConstants.BackchannelAuthenticationRequestErrors.InvalidTarget, "Invalid resource indicator format");
}
if (resourceIndicators.Any(x => x.Length > _options.InputLengthRestrictions.ResourceIndicatorMaxLength))
{
return Invalid(OidcConstants.BackchannelAuthenticationRequestErrors.InvalidTarget, "Resource indicator maximum length exceeded");
}

_validatedRequest.RequestedResourceIndicators = resourceIndicators?.ToList();
if (!resourceIndicators.AreValidResourceIndicatorFormat(_logger))
{
return Invalid(OidcConstants.BackchannelAuthenticationRequestErrors.InvalidTarget, "Invalid resource indicator format");
}

_validatedRequest.RequestedResourceIndicators = resourceIndicators;
}

//////////////////////////////////////////////////////////
// check if scopes are valid/supported and check for resource scopes
Expand Down
33 changes: 20 additions & 13 deletions src/IdentityServer/Validation/Default/TokenRequestValidator.cs
Original file line number Diff line number Diff line change
Expand Up @@ -152,24 +152,31 @@ public async Task<TokenRequestValidationResult> ValidateRequestAsync(TokenReques
//////////////////////////////////////////////////////////
// check for resource indicator and basic formatting
//////////////////////////////////////////////////////////
var resourceIndicators = parameters.GetValues(OidcConstants.TokenRequest.Resource) ?? Enumerable.Empty<string>();

if (resourceIndicators?.Any(x => x.Length > _options.InputLengthRestrictions.ResourceIndicatorMaxLength) == true)
var resourceIndicators = parameters.GetValues(OidcConstants.TokenRequest.Resource);
if (resourceIndicators == null)
{
return Invalid(OidcConstants.AuthorizeErrors.InvalidTarget, "Resource indicator maximum length exceeded");
_validatedRequest.RequestedResourceIndicator = null;
}

if (!resourceIndicators.AreValidResourceIndicatorFormat(_logger))
else
{
return Invalid(OidcConstants.AuthorizeErrors.InvalidTarget, "Invalid resource indicator format");
}
if (resourceIndicators.Any(x => x.Length > _options.InputLengthRestrictions.ResourceIndicatorMaxLength))
{
return Invalid(OidcConstants.AuthorizeErrors.InvalidTarget, "Resource indicator maximum length exceeded");
}

if (resourceIndicators.Count() > 1)
{
return Invalid(OidcConstants.AuthorizeErrors.InvalidTarget, "Multiple resource indicators not supported on token endpoint.");
}
if (!resourceIndicators.AreValidResourceIndicatorFormat(_logger))
{
return Invalid(OidcConstants.AuthorizeErrors.InvalidTarget, "Invalid resource indicator format");
}

_validatedRequest.RequestedResourceIndicator = resourceIndicators.SingleOrDefault();
if (resourceIndicators.Length > 1)
{
return Invalid(OidcConstants.AuthorizeErrors.InvalidTarget,
"Multiple resource indicators not supported on token endpoint.");
}

_validatedRequest.RequestedResourceIndicator = resourceIndicators.SingleOrDefault();
}

//////////////////////////////////////////////////////////
// proof token validation
Expand Down

0 comments on commit e4a3de9

Please sign in to comment.