Merge pull request #34 from bornlogic/fix/user-role-scope-bypass-validation

fix

Author: VictorFZ

Bornlogic.IdentityServer/Validation/Default/DefaultResourceValidator.cs

@@ -72,6 +72,14 @@ public virtual async Task<ResourceValidationResult> ValidateRequestedResourcesAs
                 return result;
             }
 
+            var subjectIdOrDefault = request.Subject?.GetSubjectIdOrDefault();
+
+            var userHasLoginByPassRoleInClient = !string.IsNullOrEmpty(subjectIdOrDefault) &&
+                                                 await _clientUserRoleService.UserHasLoginByPassRoleInClient(
+                                                     subjectIdOrDefault, request.Client,
+                                                     _clientRoleOptions?.Value
+                                                         ?.ValidUserRolesToBypassClientScopeValidation);
+
             var scopeNames = parsedScopesResult.ParsedScopes.Select(x => x.ParsedName).Distinct().ToArray();
             var resourcesFromStore = await _store.FindEnabledResourcesByScopeAsync(scopeNames);
 
@@ -88,13 +96,6 @@ public virtual async Task<ResourceValidationResult> ValidateRequestedResourcesAs
                 await ValidateRequestRequiredScopeAsync(request.Client, requiredRequestResourcesFromStore, scope, result);
             }
 
-            var subjectIdOrDefault = request.Subject?.GetSubjectIdOrDefault();
-
-            if (!string.IsNullOrEmpty(subjectIdOrDefault) && await _clientUserRoleService.UserHasLoginByPassRoleInClient(subjectIdOrDefault, request.Client, _clientRoleOptions?.Value?.ValidUserRolesToBypassClientScopeValidation))
-            {
-                result.InvalidScopes.Clear();
-            }
-
             if (result.InvalidScopes.Count > 0)
             {
                 result.Resources.IdentityResources.Clear();
@@ -119,11 +120,12 @@ protected virtual async Task ValidateScopeAsync(
             Resources resourcesFromStore,
             ParsedScopeValue requestedScope,
             ResourceValidationResult result,
-            bool forceRequired)
+            bool forceRequired,
+            bool userHasLoginByPassRoleInClient)
         {
             if (requestedScope.ParsedName == IdentityServerConstants.StandardScopes.OfflineAccess)
             {
-                if (await IsClientAllowedOfflineAccessAsync(client))
+                if (userHasLoginByPassRoleInClient || await IsClientAllowedOfflineAccessAsync(client))
                 {
                     result.Resources.OfflineAccess = true;
                     result.ParsedScopes.Add(new ParsedScopeValue(IdentityServerConstants.StandardScopes.OfflineAccess));
@@ -138,7 +140,7 @@ protected virtual async Task ValidateScopeAsync(
                 var identity = resourcesFromStore.FindIdentityResourcesByScope(requestedScope.ParsedName);
                 if (identity != null)
                 {
-                    if (await IsClientAllowedIdentityResourceAsync(client, identity))
+                    if (userHasLoginByPassRoleInClient || await IsClientAllowedIdentityResourceAsync(client, identity))
                     {
                         result.ParsedScopes.Add(requestedScope);
                         result.Resources.IdentityResources.Add(identity);
@@ -153,7 +155,7 @@ protected virtual async Task ValidateScopeAsync(
                     var apiScope = resourcesFromStore.FindApiScope(requestedScope.ParsedName);
                     if (apiScope != null)
                     {
-                        if (await IsClientAllowedApiScopeAsync(client, apiScope))
+                        if (userHasLoginByPassRoleInClient || await IsClientAllowedApiScopeAsync(client, apiScope))
                         {
                             result.ParsedScopes.Add(requestedScope);
 
@@ -182,7 +184,8 @@ protected virtual async Task ValidateScopeAsync(
             }
         }
 
-        protected virtual async Task ValidateRequestRequiredScopeAsync(Client client, Resources resourcesFromStore, ParsedScopeValue requestedScope, ResourceValidationResult result)
+        protected virtual async Task ValidateRequestRequiredScopeAsync(Client client, Resources resourcesFromStore, ParsedScopeValue requestedScope, ResourceValidationResult result,
+            bool userHasLoginByPassRoleInClient)
         {
             if (requestedScope.ParsedName == IdentityServerConstants.StandardScopes.OfflineAccess)
             {
@@ -193,7 +196,7 @@ protected virtual async Task ValidateRequestRequiredScopeAsync(Client client, Re
                 var identity = resourcesFromStore.FindIdentityResourcesByScope(requestedScope.ParsedName);
                 if (identity != null)
                 {
-                    if (!(await IsClientAllowedIdentityResourceAsync(client, identity)))
+                    if (!userHasLoginByPassRoleInClient && !(await IsClientAllowedIdentityResourceAsync(client, identity)))
                     {
                         result.InvalidScopes.Add(requestedScope.RawValue);
                     }
@@ -203,7 +206,7 @@ protected virtual async Task ValidateRequestRequiredScopeAsync(Client client, Re
                     var apiScope = resourcesFromStore.FindApiScope(requestedScope.ParsedName);
                     if (apiScope != null)
                     {
-                        if (!(await IsClientAllowedApiScopeAsync(client, apiScope)))
+                        if (!userHasLoginByPassRoleInClient && !(await IsClientAllowedApiScopeAsync(client, apiScope)))
                         {
                             result.InvalidScopes.Add(requestedScope.RawValue);
                         }