This post is the sixth part of a series of blog posts entitled Creating your own OpenID Connect server with ASOS:
- Introduction
- Choosing the right flow(s)
- Registering the middleware in the ASP.NET Core pipeline
- Creating your own authorization provider
- Implementing the resource owner password credentials grant
- Implementing the authorization code and implicit flows
- Adding custom claims and granting scopes
- Testing your authorization server with Postman
- Conclusion
To support interactive flows like the authorization code or the implicit flows, the ValidateAuthorizationRequest
event must be implemented to validate the authorization request sent by the client application.
Implementing ValidateAuthorizationRequest
to validate response_type
, client_id
and redirect_uri
To support interactive flows, you must implement ValidateAuthorizationRequest
to validate the client_id
and the redirect_uri
parameters provided by the client application to ensure they correspond to a registered client.
Ideally, the response_type
parameter should also be validated to ensure that a client_id
corresponding to a confidential application cannot be used with the implicit/hybrid flow to prevent [downgrade attacks](http://homakov.blogspot.com/2012/08/saferweb-OAuth 2.0a-or-lets-just-fix-it.html).
In pure OAuth 2.0, redirect_uri
was not mandatory but is now required by the OpenID Connect specification. To support legacy clients, ASOS doesn't reject authorization requests missing the redirect_uri
parameter if the openid
scope is not present, but in this case, it's up to you to call context.Validate(...)
with the redirect_uri
the user agent should be redirected to. If you don't need to support such clients, consider rejecting the authorization requests that don't specify a redirect_uri
.
While the OpenID Connect specification explicitly states that the redirect_uri
MUST exactly match one of the callback URLs associated with the client application, you're actually free to implement a relaxed comparison policy to support advanced scenarios (e.g domain-only/subdomain comparison or wildcard support): use this ability with extreme caution to avoid introducing an open redirect vulnerability.
Nothing surprising: the exact implementation of ValidateAuthorizationRequest
will depend on the flows you want to support (e.g authorization code/implicit/hybrid) and on how you store your application details (e.g hardcoded or in a database).