
Commit a72fed5

fix(#25): include client allowed audiences in user access token generation
1 parent ce16353 commit a72fed5

1 file changed

Lines changed: 20 additions & 2 deletions


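--- a/Applications/Backend/Source/HttpsRichardy.Federation.Application/Handlers/Authorization/AuthorizationCodeGrantHandler.cs
+++ b/Applications/Backend/Source/HttpsRichardy.Federation.Application/Handlers/Authorization/AuthorizationCodeGrantHandler.cs
@@ -1,6 +1,6 @@
 namespace HttpsRichardy.Federation.Application.Handlers.Authorization;
 
-public sealed class AuthorizationCodeGrantHandler(IRealmCollection realmCollection, IUserCollection userCollection, ISecurityTokenService tokenService, ITokenCollection tokenCollection) :
+public sealed class AuthorizationCodeGrantHandler(IRealmCollection realmCollection, IUserCollection userCollection, IClientCollection clientCollection, ISecurityTokenService tokenService, ITokenCollection tokenCollection) :
     IAuthorizationFlowHandler
 {
     public Grant Grant => Grant.AuthorizationCode;
@@ -38,6 +38,24 @@ public async Task<Result<ClientAuthenticationResult>> HandleAsync(
             return Result<ClientAuthenticationResult>.Failure(AuthenticationErrors.ClientNotFound);
         }
 
+        var clientFilters = new ClientFiltersBuilder()
+            .WithClientId(parameters.ClientId)
+            .Build();
+
+        var clients = await clientCollection.GetClientsAsync(clientFilters, cancellation: cancellation);
+        var client = clients.FirstOrDefault();
+
+        if (client is null || !string.Equals(client.RealmId, token.RealmId, StringComparison.Ordinal))
+        {
+            return Result<ClientAuthenticationResult>.Failure(AuthorizationErrors.InvalidAuthorizationCode);
+        }
+
+        var boundClientId = token.Metadata.GetValueOrDefault("client.id");
+        if (!string.Equals(boundClientId, parameters.ClientId, StringComparison.Ordinal))
+        {
+            return Result<ClientAuthenticationResult>.Failure(AuthorizationErrors.InvalidAuthorizationCode);
+        }
+
         var codeChallenge = token.Metadata.GetValueOrDefault("code.challenge")!;
         var codeChallengeMethod = token.Metadata.GetValueOrDefault("code.challenge.method")!;
 
@@ -58,7 +76,7 @@ public async Task<Result<ClientAuthenticationResult>> HandleAsync(
             return Result<ClientAuthenticationResult>.Failure(AuthenticationErrors.UserNotFound);
         }
 
-        var tokenResult = await tokenService.GenerateAccessTokenAsync(user, cancellation);
+        var tokenResult = await tokenService.GenerateAccessTokenAsync(user, client.Audiences, cancellation);
         if (tokenResult.IsFailure || tokenResult.Data is null)
         {
             return Result<ClientAuthenticationResult>.Failure(tokenResult.Error);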
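Review bot: In the client-binding check added in the second hunk, an authorization code whose metadata carries no `client.id` entry is rejected only because `string.Equals(null, parameters.ClientId, StringComparison.Ordinal)` happens to be false for a non-null client id; if `parameters.ClientId` can reach this point as null the comparison passes and an unbound code is accepted. Make the missing binding an explicit failure: `if (boundClientId is null || !string.Equals(boundClientId, parameters.ClientId, StringComparison.Ordinal))`. `clients.FirstOrDefault()` also silently picks one record when the client-id filter matches more than one client; `SingleOrDefault()` would surface that as an error instead of issuing a token against an arbitrary client's audiences, assuming the collection does not already enforce uniqueness. A short comment above the new block, `// RFC 6749 §4.1.3: the code must have been issued to the authenticated client within the same realm`, would record why both checks return InvalidAuthorizationCode rather than distinguishing the cause. HandleAsync starts before these hunks and continues past the last one.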
