vinder-io
diff --git a/‎Source/Vinder.Federation.Application/Contracts/IAuthorizationFlowHandler.cs‎
Lines changed: 9 additions & 0 deletions b/‎Source/Vinder.Federation.Application/Contracts/IAuthorizationFlowHandler.cs‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎Source/Vinder.Federation.Application/Handlers/Authorization/AuthorizationCodeGrantHandler.cs‎
Lines changed: 69 additions & 0 deletions b/‎Source/Vinder.Federation.Application/Handlers/Authorization/AuthorizationCodeGrantHandler.cs‎
Lines changed: 69 additions & 0 deletions
diff --git a/‎Source/Vinder.Federation.Application/Handlers/Authorization/AuthorizationHandler.cs‎
Lines changed: 34 additions & 0 deletions b/‎Source/Vinder.Federation.Application/Handlers/Authorization/AuthorizationHandler.cs‎
Lines changed: 34 additions & 0 deletions
diff --git a/‎Source/Vinder.Federation.Application/Handlers/Authorization/ClientCredentialsGrantHandler.cs‎
Lines changed: 37 additions & 0 deletions b/‎Source/Vinder.Federation.Application/Handlers/Authorization/ClientCredentialsGrantHandler.cs‎
Lines changed: 37 additions & 0 deletions
diff --git a/‎Source/Vinder.Federation.Application/Handlers/Identity/ClientAuthenticationHandler.cs‎
Lines changed: 7 additions & 31 deletions b/‎Source/Vinder.Federation.Application/Handlers/Identity/ClientAuthenticationHandler.cs‎
Lines changed: 7 additions & 31 deletions
diff --git a/‎Source/Vinder.Federation.Application/Mappers/AuthorizationMapper.cs‎
Lines changed: 13 additions & 0 deletions b/‎Source/Vinder.Federation.Application/Mappers/AuthorizationMapper.cs‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎Source/Vinder.Federation.Application/Mappers/JsonWebKeysMapper.cs‎
Lines changed: 1 addition & 4 deletions b/‎Source/Vinder.Federation.Application/Mappers/JsonWebKeysMapper.cs‎
Lines changed: 1 addition & 4 deletions
diff --git a/‎Source/Vinder.Federation.Application/Mappers/RedirectUriMapper.cs‎
Lines changed: 7 additions & 0 deletions b/‎Source/Vinder.Federation.Application/Mappers/RedirectUriMapper.cs‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎Source/Vinder.Federation.Application/Payloads/Authorization/AuthorizationParameters.cs‎
Lines changed: 15 additions & 0 deletions b/‎Source/Vinder.Federation.Application/Payloads/Authorization/AuthorizationParameters.cs‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎Source/Vinder.Federation.Application/Payloads/Authorization/AuthorizationScheme.cs‎
Lines changed: 10 additions & 0 deletions b/‎Source/Vinder.Federation.Application/Payloads/Authorization/AuthorizationScheme.cs‎
Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,9 @@
+namespace Vinder.Federation.Application.Contracts;
+
+public interface IAuthorizationFlowHandler
+{
+    public Task<Result<ClientAuthenticationResult>> HandleAsync(
+        ClientAuthenticationCredentials parameters,
+        CancellationToken cancellation = default
+    );
+}
@@ -0,0 +1,69 @@
+namespace Vinder.Federation.Application.Handlers.Authorization;
+
+public sealed class AuthorizationCodeGrantHandler(ITenantCollection tenantCollection, IUserCollection userCollection, ISecurityTokenService tokenService, ITokenCollection tokenCollection) : IAuthorizationFlowHandler
+{
+    public async Task<Result<ClientAuthenticationResult>> HandleAsync(
+        ClientAuthenticationCredentials parameters, CancellationToken cancellation = default)
+    {
+        var filters = new TokenFiltersBuilder()
+            .WithValue(parameters.Code)
+            .WithType(TokenType.AuthorizationCode)
+            .Build();
+
+        var tokens = await tokenCollection.GetTokensAsync(filters, cancellation: cancellation);
+        var token = tokens.FirstOrDefault();
+
+        if (token is null)
+        {
+            return Result<ClientAuthenticationResult>.Failure(AuthorizationErrors.InvalidAuthorizationCode);
+        }
+
+        if (token.IsExpired)
+        {
+            return Result<ClientAuthenticationResult>.Failure(AuthorizationErrors.AuthorizationCodeExpired);
+        }
+
+        var tenantFilters = new TenantFiltersBuilder()
+            .WithIdentifier(token.TenantId)
+            .Build();
+
+        var tenants = await tenantCollection.GetTenantsAsync(tenantFilters, cancellation: cancellation);
+        var tenant = tenants.FirstOrDefault();
+
+        if (tenant is null)
+        {
+            return Result<ClientAuthenticationResult>.Failure(AuthenticationErrors.ClientNotFound);
+        }
+
+        var codeChallenge = token.Metadata.GetValueOrDefault("code.challenge")!;
+        var codeChallengeMethod = token.Metadata.GetValueOrDefault("code.challenge.method")!;
+
+        if (!PkceCodeVerifier.Validate(parameters.CodeVerifier, codeChallenge, codeChallengeMethod))
+        {
+            return Result<ClientAuthenticationResult>.Failure(AuthorizationErrors.InvalidCodeVerifier);
+        }
+
+        var userFilters = new UserFiltersBuilder()
+            .WithIdentifier(token.UserId)
+            .Build();
+
+        var users = await userCollection.GetUsersAsync(userFilters, cancellation: cancellation);
+        var user = users.FirstOrDefault();
+
+        if (user is null)
+        {
+            return Result<ClientAuthenticationResult>.Failure(AuthenticationErrors.UserNotFound);
+        }
+
+        var tokenResult = await tokenService.GenerateAccessTokenAsync(user, cancellation);
+        if (tokenResult.IsFailure || tokenResult.Data is null)
+        {
+            return Result<ClientAuthenticationResult>.Failure(tokenResult.Error);
+        }
+
+        return Result<ClientAuthenticationResult>.Success(new()
+        {
+            AccessToken = tokenResult.Data.Value
+        });
+    }
+}
@@ -0,0 +1,34 @@
+namespace Vinder.Federation.Application.Handlers.Authorization;
+
+public sealed class AuthorizationHandler(ITenantCollection tenantCollection, IRedirectUriPolicy redirectUriPolicy) :
+    IMessageHandler<AuthorizationParameters, Result<AuthorizationScheme>>
+{
+    public async Task<Result<AuthorizationScheme>> HandleAsync(
+        AuthorizationParameters parameters, CancellationToken cancellation = default)
+    {
+        var filters = new TenantFiltersBuilder()
+            .WithClientId(parameters.ClientId)
+            .Build();
+
+        var clients = await tenantCollection.GetTenantsAsync(filters, cancellation);
+        var client = clients.FirstOrDefault();
+
+        if (client is null)
+        {
+            return Result<AuthorizationScheme>.Failure(TenantErrors.TenantDoesNotExist);
+        }
+
+        var redirectUri = parameters.RedirectUri.AsUri();
+
+        // according to oauth 2.0 spec (RFC 6749, section 3.1.2.3):
+        // https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2.3
+
+        var redirectProof = await redirectUriPolicy.EnsureRedirectUriIsAllowedAsync(client, redirectUri, cancellation);
+        if (redirectProof.IsFailure)
+        {
+            return Result<AuthorizationScheme>.Failure(redirectProof.Error);
+        }
+
+        return Result<AuthorizationScheme>.Success(parameters.AsReponse());
+    }
+}
@@ -0,0 +1,37 @@
+namespace Vinder.Federation.Application.Handlers.Authorization;
+
+public sealed class ClientCredentialsGrantHandler(ITenantCollection tenantCollection, ISecurityTokenService tokenService) : IAuthorizationFlowHandler
+{
+    public async Task<Result<ClientAuthenticationResult>> HandleAsync(ClientAuthenticationCredentials parameters, CancellationToken cancellation = default)
+    {
+        var filters = new TenantFiltersBuilder()
+            .WithClientId(parameters.ClientId)
+            .Build();
+
+        var tenants = await tenantCollection.GetTenantsAsync(filters, cancellation: cancellation);
+        var tenant = tenants.FirstOrDefault();
+
+        if (tenant is null)
+        {
+            return Result<ClientAuthenticationResult>.Failure(AuthenticationErrors.ClientNotFound);
+        }
+
+        if (parameters.ClientSecret != tenant.SecretHash)
+        {
+            return Result<ClientAuthenticationResult>.Failure(AuthenticationErrors.InvalidClientCredentials);
+        }
+
+        var tokenResult = await tokenService.GenerateAccessTokenAsync(tenant, cancellation);
+        if (tokenResult.IsFailure)
+        {
+            return Result<ClientAuthenticationResult>.Failure(tokenResult.Error);
+        }
+
+        var response = new ClientAuthenticationResult
+        {
+            AccessToken = tokenResult.Data!.Value
+        };
+
+        return Result<ClientAuthenticationResult>.Success(response);
+    }
+}
@@ -1,41 +1,17 @@
 namespace Vinder.Federation.Application.Handlers.Identity;
 
-public sealed class ClientAuthenticationHandler(
-    ITenantCollection tenantCollection,
-    ISecurityTokenService tokenService
-) : IMessageHandler<ClientAuthenticationCredentials, Result<ClientAuthenticationResult>>
+public sealed class ClientAuthenticationHandler(ITenantCollection tenantCollection, IUserCollection userCollection, ITokenCollection tokenCollection, ISecurityTokenService tokenService) :
+    IMessageHandler<ClientAuthenticationCredentials, Result<ClientAuthenticationResult>>
 {
     public async Task<Result<ClientAuthenticationResult>> HandleAsync(
         ClientAuthenticationCredentials parameters, CancellationToken cancellation = default)
     {
-        var filters = TenantFilters.WithSpecifications()
-            .WithClientId(parameters.ClientId)
-            .Build();
-
-        var tenants = await tenantCollection.GetTenantsAsync(filters, cancellation: cancellation);
-        var tenant = tenants.FirstOrDefault();
-
-        if (tenant is null)
-        {
-            return Result<ClientAuthenticationResult>.Failure(AuthenticationErrors.ClientNotFound);
-        }
-
-        if (parameters.ClientSecret != tenant.SecretHash)
-        {
-            return Result<ClientAuthenticationResult>.Failure(AuthenticationErrors.InvalidClientCredentials);
-        }
-
-        var tokenResult = await tokenService.GenerateAccessTokenAsync(tenant, cancellation);
-        if (tokenResult.IsFailure)
-        {
-            return Result<ClientAuthenticationResult>.Failure(tokenResult.Error);
-        }
-
-        var response = new ClientAuthenticationResult
+        IAuthorizationFlowHandler handler = parameters.GrantType switch
         {
-            AccessToken = tokenResult.Data!.Value
+            SupportedGrantType.AuthorizationCode => new AuthorizationCodeGrantHandler(tenantCollection, userCollection, tokenService, tokenCollection),
+            SupportedGrantType.ClientCredentials => new ClientCredentialsGrantHandler(tenantCollection, tokenService),
         };
 
-        return Result<ClientAuthenticationResult>.Success(response);
+        return await handler.HandleAsync(parameters, cancellation);
     }
-}
+}
@@ -0,0 +1,13 @@
+namespace Vinder.Federation.Application.Mappers;
+
+public static class AuthorizationMapper
+{
+    public static AuthorizationScheme AsReponse(this AuthorizationParameters parameters) => new()
+    {
+        ClientId = parameters.ClientId,
+        RedirectUri = parameters.RedirectUri,
+        State = parameters.State,
+        CodeChallenge = parameters.CodeChallenge,
+        CodeChallengeMethod = parameters.CodeChallengeMethod,
+    };
+}
@@ -1,6 +1,3 @@
-using Microsoft.IdentityModel.Tokens;
-using Vinder.Federation.Application.Payloads.Connect;
-
 namespace Vinder.Federation.Application.Mappers;
 
 public static class JsonWebKeysMapper
@@ -25,4 +22,4 @@ public static JsonWebKeySetScheme AsJsonWebKeySetScheme(Secret secret)
             Keys = [JsonWebKeysMapper.AsJsonWebKeys(secret)]
         };
     }
-}
+}
@@ -0,0 +1,7 @@
+namespace Vinder.Federation.Application.Mappers;
+
+public static class RedirectUriMapper
+{
+    public static RedirectUri AsUri(this string uri) =>
+        new(uri);
+}
@@ -0,0 +1,15 @@
+namespace Vinder.Federation.Application.Payloads.Authorization;
+
+public sealed record AuthorizationParameters : IMessage<Result<AuthorizationScheme>>
+{
+    public string ResponseType { get; init; } = default!;
+    public string RedirectUri { get; init; } = default!;
+
+    public string ClientId { get; init; } = default!;
+
+    public string CodeChallenge { get; init; } = default!;
+    public string CodeChallengeMethod { get; init; } = default!;
+
+    public string? Scope { get; init; } = default!;
+    public string? State { get; init; } = default!;
+}
@@ -0,0 +1,10 @@
+namespace Vinder.Federation.Application.Payloads.Authorization;
+
+public sealed record AuthorizationScheme
+{
+    public string ClientId { get; init; } = default!;
+    public string RedirectUri { get; init; } = default!;
+    public string CodeChallenge { get; init; } = default!;
+    public string CodeChallengeMethod { get; init; } = default!;
+    public string? State { get; init; } = default;
+}