better perf in request validation

DuendeSoftware · Nov 21, 2024 · 2bbde03 · 2bbde03
1 parent 4c83776
commit 2bbde03
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 37 deletions.
diff --git a/src/IdentityServer/Validation/Default/AuthorizeRequestValidator.cs b/src/IdentityServer/Validation/Default/AuthorizeRequestValidator.cs
@@ -463,26 +463,32 @@ private async Task<AuthorizeRequestValidationResult> ValidateScopeAndResourceAsy
         //////////////////////////////////////////////////////////
         // check for resource indicators and valid format
         //////////////////////////////////////////////////////////
-        var resourceIndicators = request.Raw.GetValues(OidcConstants.AuthorizeRequest.Resource) ?? Enumerable.Empty<string>();
-
-        if (resourceIndicators?.Any(x => x.Length > _options.InputLengthRestrictions.ResourceIndicatorMaxLength) == true)
+        var resourceIndicators = request.Raw.GetValues(OidcConstants.AuthorizeRequest.Resource);
+        if (resourceIndicators == null)
         {
-            return Invalid(request, OidcConstants.AuthorizeErrors.InvalidTarget, "Resource indicator maximum length exceeded");
+            request.RequestedResourceIndicators = [];
         }
-
-        if (!resourceIndicators.AreValidResourceIndicatorFormat(_logger))
+        else
         {
-            return Invalid(request, OidcConstants.AuthorizeErrors.InvalidTarget, "Invalid resource indicator format");
-        }
+            if (resourceIndicators.Any(x => x.Length > _options.InputLengthRestrictions.ResourceIndicatorMaxLength))
+            {
+                return Invalid(request, OidcConstants.AuthorizeErrors.InvalidTarget, "Resource indicator maximum length exceeded");
+            }
 
-        // we don't want to allow resource indicators when "token" is requested to authorize endpoint
-        if (request.GrantType == GrantType.Implicit && resourceIndicators.Any())
-        {
-            // todo: correct error?
-            return Invalid(request, OidcConstants.AuthorizeErrors.InvalidTarget, "Resource indicators not allowed for response_type 'token'.");
+            if (!resourceIndicators.AreValidResourceIndicatorFormat(_logger))
+            {
+                return Invalid(request, OidcConstants.AuthorizeErrors.InvalidTarget, "Invalid resource indicator format");
+            }
+
+            // we don't want to allow resource indicators when "token" is requested to authorize endpoint
+            if (request.GrantType == GrantType.Implicit && resourceIndicators.Length != 0)
+            {
+                // todo: correct error?
+                return Invalid(request, OidcConstants.AuthorizeErrors.InvalidTarget, "Resource indicators not allowed for response_type 'token'.");
+            }
+
+            request.RequestedResourceIndicators = resourceIndicators;
         }
-
-        request.RequestedResourceIndicators = resourceIndicators;
 
         //////////////////////////////////////////////////////////
         // check if scopes are valid/supported and check for resource scopes

diff --git a/src/IdentityServer/Validation/Default/BackchannelAuthenticationRequestValidator.cs b/src/IdentityServer/Validation/Default/BackchannelAuthenticationRequestValidator.cs
@@ -136,19 +136,25 @@ public async Task<BackchannelAuthenticationRequestValidationResult> ValidateRequ
         //////////////////////////////////////////////////////////
         // check for resource indicators and valid format
         //////////////////////////////////////////////////////////
-        var resourceIndicators = _validatedRequest.Raw.GetValues(OidcConstants.AuthorizeRequest.Resource) ?? Enumerable.Empty<string>();
-
-        if (resourceIndicators?.Any(x => x.Length > _options.InputLengthRestrictions.ResourceIndicatorMaxLength) == true)
+        var resourceIndicators = _validatedRequest.Raw.GetValues(OidcConstants.AuthorizeRequest.Resource);
+        if (resourceIndicators == null)
         {
-            return Invalid(OidcConstants.BackchannelAuthenticationRequestErrors.InvalidTarget, "Resource indicator maximum length exceeded");
+            _validatedRequest.RequestedResourceIndicators = [];
         }
-
-        if (!resourceIndicators.AreValidResourceIndicatorFormat(_logger))
+        else
         {
-            return Invalid(OidcConstants.BackchannelAuthenticationRequestErrors.InvalidTarget, "Invalid resource indicator format");
-        }
+            if (resourceIndicators.Any(x => x.Length > _options.InputLengthRestrictions.ResourceIndicatorMaxLength))
+            {
+                return Invalid(OidcConstants.BackchannelAuthenticationRequestErrors.InvalidTarget, "Resource indicator maximum length exceeded");
+            }
 
-        _validatedRequest.RequestedResourceIndicators = resourceIndicators?.ToList();
+            if (!resourceIndicators.AreValidResourceIndicatorFormat(_logger))
+            {
+                return Invalid(OidcConstants.BackchannelAuthenticationRequestErrors.InvalidTarget, "Invalid resource indicator format");
+            }
+
+            _validatedRequest.RequestedResourceIndicators = resourceIndicators;
+        }
 
         //////////////////////////////////////////////////////////
         // check if scopes are valid/supported and check for resource scopes

diff --git a/src/IdentityServer/Validation/Default/TokenRequestValidator.cs b/src/IdentityServer/Validation/Default/TokenRequestValidator.cs
@@ -152,24 +152,31 @@ public async Task<TokenRequestValidationResult> ValidateRequestAsync(TokenReques
         //////////////////////////////////////////////////////////
         // check for resource indicator and basic formatting
         //////////////////////////////////////////////////////////
-        var resourceIndicators = parameters.GetValues(OidcConstants.TokenRequest.Resource) ?? Enumerable.Empty<string>();
-
-        if (resourceIndicators?.Any(x => x.Length > _options.InputLengthRestrictions.ResourceIndicatorMaxLength) == true)
+        var resourceIndicators = parameters.GetValues(OidcConstants.TokenRequest.Resource);
+        if (resourceIndicators == null)
         {
-            return Invalid(OidcConstants.AuthorizeErrors.InvalidTarget, "Resource indicator maximum length exceeded");
+            _validatedRequest.RequestedResourceIndicator = null;
         }
-
-        if (!resourceIndicators.AreValidResourceIndicatorFormat(_logger))
+        else
         {
-            return Invalid(OidcConstants.AuthorizeErrors.InvalidTarget, "Invalid resource indicator format");
-        }
+            if (resourceIndicators.Any(x => x.Length > _options.InputLengthRestrictions.ResourceIndicatorMaxLength))
+            {
+                return Invalid(OidcConstants.AuthorizeErrors.InvalidTarget, "Resource indicator maximum length exceeded");
+            }
 
-        if (resourceIndicators.Count() > 1)
-        {
-            return Invalid(OidcConstants.AuthorizeErrors.InvalidTarget, "Multiple resource indicators not supported on token endpoint.");
-        }
+            if (!resourceIndicators.AreValidResourceIndicatorFormat(_logger))
+            {
+                return Invalid(OidcConstants.AuthorizeErrors.InvalidTarget, "Invalid resource indicator format");
+            }
 
-        _validatedRequest.RequestedResourceIndicator = resourceIndicators.SingleOrDefault();
+            if (resourceIndicators.Length > 1)
+            {
+                return Invalid(OidcConstants.AuthorizeErrors.InvalidTarget,
+                    "Multiple resource indicators not supported on token endpoint.");
+            }
+
+            _validatedRequest.RequestedResourceIndicator = resourceIndicators.SingleOrDefault();
+        }
 
         //////////////////////////////////////////////////////////
         // proof token validation