From a5de78988bb32f5d0ca97041952cc4e5fbcf3c8e Mon Sep 17 00:00:00 2001
From: Brock Allen
Date: Sat, 21 Jan 2017 13:32:35 -0500
Subject: [PATCH] filter out disabled clients #3462
---
 source/Core/Extensions/IClientStoreExtensions.cs | 16 ++++++++++++++++
 .../Default/DefaultCustomTokenValidator.cs | 4 ++--
 .../Core/Validation/AuthorizeRequestValidator.cs | 4 ++--
 source/Core/Validation/ClientSecretValidator.cs | 6 +++---
 source/Core/Validation/TokenValidator.cs | 6 +++---
 5 files changed, 26 insertions(+), 10 deletions(-)
diff --git a/source/Core/Extensions/IClientStoreExtensions.cs b/source/Core/Extensions/IClientStoreExtensions.cs
index 8a61ee3fc..cabdf017a 100644
--- a/source/Core/Extensions/IClientStoreExtensions.cs
+++ b/source/Core/Extensions/IClientStoreExtensions.cs
@@ -25,6 +25,22 @@ namespace IdentityServer3.Core.Extensions
 {
 internal static class IClientStoreExtensions
 {
+ internal static async Task FindEnabledClientByIdAsync(this IClientStore store, string clientId)
+ {
+ if (store == null) throw new ArgumentNullException("store");
+
+ if (clientId.IsPresent())
+ {
+ var client = await store.FindClientByIdAsync(clientId);
+ if (client != null && client.Enabled)
+ {
+ return client;
+ }
+ }
+
+ return null;
+ }
+
 internal static async Task> GetIdentityProviderRestrictionsAsync(this IClientStore store, string clientId)
 {
 if (store == null) throw new ArgumentNullException("store");
diff --git a/source/Core/Services/Default/DefaultCustomTokenValidator.cs b/source/Core/Services/Default/DefaultCustomTokenValidator.cs
index d5a8412f5..30da1d73b 100644
--- a/source/Core/Services/Default/DefaultCustomTokenValidator.cs
+++ b/source/Core/Services/Default/DefaultCustomTokenValidator.cs
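Review bot: FindEnabledClientByIdAsync returns null for three distinct cases — a blank client id, an unknown client, and a client whose Enabled flag is false — and nothing in the hunk states that contract, so a caller cannot tell that collapsing "disabled" into "not found" is intentional (it is the safer choice: callers cannot accidentally treat a disabled client as authorized, and nothing about which ids exist is revealed). I would put that on the method as an XML doc comment, roughly `/// Loads the client with the given id; returns null when the id is blank, the client is unknown, or the client is not Enabled. Callers must treat all three cases identically.` The Enabled check only runs after a successful lookup, so a store that throws for unknown ids propagates the exception unchanged — worth a one-line remark if that is intended. GetIdentityProviderRestrictionsAsync, whose body continues past the hunk, appears to still call FindClientByIdAsync directly; if so it is the one remaining lookup in this file that does not filter on Enabled. Note that generic type arguments (presumably `Task<Client>` and `Task<IEnumerable<string>>`) seem to have been stripped from this rendering of the patch.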
@@ -100,8 +100,8 @@ public virtual async Task ValidateAccessTokenAsync(TokenV
 var clientClaim = result.Claims.FirstOrDefault(c => c.Type == Constants.ClaimTypes.ClientId);
 if (clientClaim != null)
 {
- var client = await _clients.FindClientByIdAsync(clientClaim.Value);
- if (client == null || client.Enabled == false)
+ var client = await _clients.FindEnabledClientByIdAsync(clientClaim.Value);
+ if (client == null)
 {
 Logger.Warn("Client deleted or disabled: " + clientClaim.Value);
diff --git a/source/Core/Validation/AuthorizeRequestValidator.cs b/source/Core/Validation/AuthorizeRequestValidator.cs
index 037ed82c6..429f59645 100644
--- a/source/Core/Validation/AuthorizeRequestValidator.cs
+++ b/source/Core/Validation/AuthorizeRequestValidator.cs
@@ -158,8 +158,8 @@ public async Task ValidateClientAsync(Validate
 //////////////////////////////////////////////////////////
 // check for valid client
 //////////////////////////////////////////////////////////
- var client = await _clients.FindClientByIdAsync(request.ClientId);
- if (client == null || client.Enabled == false)
+ var client = await _clients.FindEnabledClientByIdAsync(request.ClientId);
+ if (client == null)
 {
 LogError("Unknown client or not enabled: " + request.ClientId, request);
 return Invalid(request, ErrorTypes.User, Constants.AuthorizeErrors.UnauthorizedClient);
diff --git a/source/Core/Validation/ClientSecretValidator.cs b/source/Core/Validation/ClientSecretValidator.cs
index 63d61dc4e..4121267df 100644
--- a/source/Core/Validation/ClientSecretValidator.cs
+++ b/source/Core/Validation/ClientSecretValidator.cs
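Review bot: The new `if (client == null)` branch in AuthorizeRequestValidator fails with `ErrorTypes.User` rather than an error redirect, and that is the security-relevant property of this check: for an unknown or disabled client the request's redirect_uri has not been validated against a registered client and cannot be trusted, so the error must be rendered to the user and never delivered to the supplied redirect_uri. Nothing in the hunk records that reasoning, which makes it easy for a later tidy-up to "harmonise" this to a redirecting error type. I would add above the branch: `// Unknown/disabled client: redirect_uri is unverified, so fail to the user — never redirect.` The LogError line writes the raw request.ClientId, which is attacker-supplied text, into the log; that is existing behaviour, but the sink should be one that encodes or structures it. ValidateClientAsync continues past the hunk.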
@@ -60,12 +60,12 @@ public async Task ValidateAsync()
 }
 // load client
- var client = await _clients.FindClientByIdAsync(parsedSecret.Id);
+ var client = await _clients.FindEnabledClientByIdAsync(parsedSecret.Id);
 if (client == null)
 {
- await RaiseFailureEvent(parsedSecret.Id, "Unknown client");
+ await RaiseFailureEvent(parsedSecret.Id, "Unknown or disabled client");
- Logger.Info("No client with that id found. aborting");
+ Logger.Info("No client with that id found or client is disabled. aborting");
 return fail;
 }
diff --git a/source/Core/Validation/TokenValidator.cs b/source/Core/Validation/TokenValidator.cs
index facd72d33..cb22c9d22 100644
--- a/source/Core/Validation/TokenValidator.cs
+++ b/source/Core/Validation/TokenValidator.cs
@@ -110,7 +110,7 @@ public virtual async Task ValidateIdentityTokenAsync(stri
 _log.ClientId = clientId;
 _log.ValidateLifetime = validateLifetime;
- var client = await _clients.FindClientByIdAsync(clientId);
+ var client = await _clients.FindEnabledClientByIdAsync(clientId);
 if (client == null)
 {
 LogError("Unknown or disabled client.");
@@ -264,10 +264,10 @@ private async Task ValidateJwtAsync(string jwt, string au
 var clientId = id.FindFirst(Constants.ClaimTypes.ClientId);
 if (clientId != null)
 {
- client = await _clients.FindClientByIdAsync(clientId.Value);
+ client = await _clients.FindEnabledClientByIdAsync(clientId.Value);
 if (client == null)
 {
- throw new InvalidOperationException("Client does not exist anymore.");
+ throw new InvalidOperationException("Client does not exist anymore or is disabled.");
 }
 }
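Review bot: The new failure path in ClientSecretValidator logs at `Logger.Info`, while the equivalent path this same commit touches in DefaultCustomTokenValidator logs at `Logger.Warn`; a credential presented for a disabled client is exactly the event a SOC wants surfaced, so I would raise this one to `Logger.Warn("No client with that id found or client is disabled. aborting");` so both sites land at the same level. Because the lookup now short-circuits before any secret is examined, a disabled client's credentials are never compared and the failure is indistinguishable from an unknown client — that is the right outcome for the caller, but worth a comment such as `// disabled clients fail here, before secret validation, exactly like unknown clients` so the ordering is not later "optimised". The trade-off is that the failure event's text no longer tells operators whether the id was unknown or merely disabled; if alerting needs that distinction it has to be recovered at the event consumer. ValidateAsync continues outside the hunk.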
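Review bot: The new branch in ValidateJwtAsync throws `InvalidOperationException` for a disabled client, whereas every other call site in this commit (AuthorizeRequestValidator, ClientSecretValidator, ValidateIdentityTokenAsync) returns a structured invalid result; before this commit a disabled client's access token passed this method, so the throw is new behaviour for that case. If the enclosing try/catch (outside the hunk) maps exceptions to an invalid-token result this is functionally fine, but it should be verified, otherwise a disabled client turns token validation into an unhandled exception (a 500) rather than a validation failure. Either way I would prefer the structured path here — `LogError("Unknown or disabled client: " + clientId.Value);` followed by a `return` of this method's invalid-token result in place of the throw — or at minimum a comment on the throw line stating that it is expected to be caught and converted by the caller. The enclosing method starts and ends outside the hunk.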