public async Task Expired_RefreshToken()
        {
            // A refresh token whose 10 s lifetime ran out 5 s ago must be rejected.
            // RFC 6749 prescribes invalid_grant for an expired refresh token, so that
            // is the error code this test pins.
            var issuingClient = new Client() { ClientId = "roclient" };
            var expiredToken = new RefreshToken
            {
                AccessToken = new Token("access_token") { Client = issuingClient },
                LifeTime = 10,
                CreationTime = DateTimeOffset.UtcNow.AddSeconds(-15)
            };

            var store = new InMemoryRefreshTokenStore();
            var handle = Guid.NewGuid().ToString();
            await store.StoreAsync(handle, expiredToken);

            // The requesting client is the one the token was issued to, so the only
            // reason to fail is expiry.
            var client = await _clients.FindClientByIdAsync("roclient");
            var validator = Factory.CreateTokenRequestValidator(refreshTokens: store);

            var parameters = new NameValueCollection
            {
                { Constants.TokenRequest.GrantType, "refresh_token" },
                { Constants.TokenRequest.RefreshToken, handle }
            };

            var result = await validator.ValidateRequestAsync(parameters, client);

            result.IsError.Should().BeTrue();
            result.Error.Should().Be(Constants.TokenErrors.InvalidGrant);
        }
        /// <summary>
        /// Builds a <see cref="TokenRequestValidator"/> for tests. Every collaborator
        /// the caller leaves null is replaced by the in-memory / test implementation
        /// used across this suite, so a test only wires up the dependency it
        /// actually exercises.
        /// </summary>
        /// <param name="authorizationCodeStore">Has no default; passed through as given (may be null).</param>
        /// <param name="environment">OWIN environment; an absent one becomes an empty dictionary.</param>
        public static TokenRequestValidator CreateTokenRequestValidator(
            IdentityServerOptions options = null,
            IScopeStore scopes = null,
            IAuthorizationCodeStore authorizationCodeStore = null,
            IRefreshTokenStore refreshTokens = null,
            IUserService userService = null,
            ICustomGrantValidator customGrantValidator = null,
            ICustomRequestValidator customRequestValidator = null,
            ScopeValidator scopeValidator = null,
            IDictionary<string, object> environment = null)
        {
            options = options ?? TestIdentityServerOptions.Create();
            scopes = scopes ?? new InMemoryScopeStore(TestScopes.Get());
            userService = userService ?? new TestUserService();
            customRequestValidator = customRequestValidator ?? new DefaultCustomRequestValidator();
            customGrantValidator = customGrantValidator ?? new TestGrantValidator();
            refreshTokens = refreshTokens ?? new InMemoryRefreshTokenStore();

            // Resolved after `scopes` because the default validator is built from
            // the (possibly defaulted) scope store.
            scopeValidator = scopeValidator ?? new ScopeValidator(scopes);

            var owinContext = new OwinContext(environment ?? new Dictionary<string, object>());

            return new TokenRequestValidator(
                options,
                authorizationCodeStore,
                refreshTokens,
                userService,
                scopes,
                customGrantValidator,
                customRequestValidator,
                scopeValidator,
                owinContext);
        }
        public async Task Non_existing_RefreshToken()
        {
            // The store is empty, so the presented handle cannot be resolved.
            // The expected error is the same invalid_grant an expired token gets,
            // i.e. the caller is not told whether the handle was unknown or stale.
            var store = new InMemoryRefreshTokenStore();
            var client = await _clients.FindClientByIdAsync("roclient");

            var validator = Factory.CreateTokenRequestValidator(refreshTokens: store);

            var parameters = new NameValueCollection
            {
                { Constants.TokenRequest.GrantType, "refresh_token" },
                { Constants.TokenRequest.RefreshToken, "nonexistent" }
            };

            var result = await validator.ValidateRequestAsync(parameters, client);

            result.IsError.Should().BeTrue();
            result.Error.Should().Be(Constants.TokenErrors.InvalidGrant);
        }
        /// <summary>
        /// Builds a <see cref="TokenRequestValidator"/> for tests, substituting the
        /// suite's test doubles for every dependency the caller omits.
        /// </summary>
        /// <param name="authorizationCodeStore">Has no default; handed to the validator as given (may be null).</param>
        public static TokenRequestValidator CreateTokenValidator(
            IdentityServerOptions options = null,
            IScopeStore scopes = null,
            IAuthorizationCodeStore authorizationCodeStore = null,
            IRefreshTokenStore refreshTokens = null,
            IUserService userService = null,
            IAssertionGrantValidator assertionGrantValidator = null,
            ICustomRequestValidator customRequestValidator = null)
        {
            options = options ?? Thinktecture.IdentityServer.Tests.TestIdentityServerOptions.Create();
            scopes = scopes ?? new InMemoryScopeStore(TestScopes.Get());
            userService = userService ?? new TestUserService();
            customRequestValidator = customRequestValidator ?? new DefaultCustomRequestValidator();
            assertionGrantValidator = assertionGrantValidator ?? new TestAssertionValidator();
            refreshTokens = refreshTokens ?? new InMemoryRefreshTokenStore();

            return new TokenRequestValidator(
                options,
                authorizationCodeStore,
                refreshTokens,
                userService,
                scopes,
                assertionGrantValidator,
                customRequestValidator);
        }
        /// <summary>
        /// Builds a <see cref="TokenRequestValidator"/> for tests on top of
        /// <see cref="CoreSettings"/>, substituting the suite's test doubles for
        /// every dependency the caller omits.
        /// </summary>
        /// <param name="authorizationCodeStore">Has no default; handed to the validator as given (may be null).</param>
        public static TokenRequestValidator CreateTokenValidator(
            CoreSettings settings = null,
            IScopeService scopes = null,
            IAuthorizationCodeStore authorizationCodeStore = null,
            IRefreshTokenStore refreshTokens = null,
            IUserService userService = null,
            IAssertionGrantValidator assertionGrantValidator = null,
            ICustomRequestValidator customRequestValidator = null)
        {
            settings = settings ?? new TestSettings();
            scopes = scopes ?? new InMemoryScopeService(TestScopes.Get());
            userService = userService ?? new TestUserService();
            customRequestValidator = customRequestValidator ?? new DefaultCustomRequestValidator();
            assertionGrantValidator = assertionGrantValidator ?? new TestAssertionValidator();
            refreshTokens = refreshTokens ?? new InMemoryRefreshTokenStore();

            return new TokenRequestValidator(
                settings,
                authorizationCodeStore,
                refreshTokens,
                userService,
                scopes,
                assertionGrantValidator,
                customRequestValidator);
        }
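        /// <summary>
        /// Creating a refresh token for a client configured with a sliding
        /// expiration must yield a usable handle, persist the token in the store,
        /// and copy the client's id and sliding lifetime onto the stored token.
        /// </summary>
        public async Task Create_Refresh_Token_Sliding_Lifetime()
        {
            var store = new InMemoryRefreshTokenStore();
            var service = new DefaultRefreshTokenService(store);

            var client = await _clients.FindClientByIdAsync("roclient_sliding_refresh_expiration_one_time_only");
            var token = TokenFactory.CreateAccessToken(client.ClientId, "valid", 60, "read", "write");

            var handle = await service.CreateRefreshTokenAsync(token, client);

            // make sure a handle is returned
            string.IsNullOrWhiteSpace(handle).Should().BeFalse();

            // make sure refresh token is in store
            var refreshToken = await store.GetAsync(handle);
            refreshToken.Should().NotBeNull();

            // check refresh token values — the stored token is the subject under
            // test and the client holds the expected values, so a failure message
            // reads "expected refreshToken.X to be <client value>" rather than the
            // reverse.
            refreshToken.ClientId.Should().Be(client.ClientId);
            refreshToken.LifeTime.Should().Be(client.SlidingRefreshTokenLifetime);
        }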
        public async Task Valid_RefreshToken_Request_using_Restricted_Client()
        {
            // The user service is stubbed so the subject carried in the refresh
            // token counts as an active user; this test is about the restricted
            // client, not about user state.
            var userServiceMock = new Mock<IUserService>();
            userServiceMock
                .Setup(u => u.IsActiveAsync(It.IsAny<ClaimsPrincipal>()))
                .Returns(Task.FromResult(true));

            var issuingClient = new Client { ClientId = "roclient_restricted_refresh" };
            var accessToken = new Token("access_token")
            {
                Claims = new List<Claim> { new Claim(Constants.ClaimTypes.Subject, "foo") },
                Client = issuingClient
            };

            // Freshly issued with a 10-minute lifetime, so it is not expired.
            var refreshToken = new RefreshToken
            {
                AccessToken = accessToken,
                LifeTime = 600,
                CreationTime = DateTimeOffset.UtcNow
            };

            var handle = Guid.NewGuid().ToString();
            var store = new InMemoryRefreshTokenStore();
            await store.StoreAsync(handle, refreshToken);

            // The requesting client is the same client the token was issued to.
            var client = await _clients.FindClientByIdAsync("roclient_restricted_refresh");

            var validator = Factory.CreateTokenRequestValidator(
                refreshTokens: store,
                userService: userServiceMock.Object);

            var parameters = new NameValueCollection
            {
                { Constants.TokenRequest.GrantType, "refresh_token" },
                { Constants.TokenRequest.RefreshToken, handle }
            };

            var result = await validator.ValidateRequestAsync(parameters, client);

            result.IsError.Should().BeFalse();
        }
        /// <summary>
        /// Builds a <see cref="TokenRequestValidator"/> for tests. Dependencies the
        /// caller leaves null fall back to the in-memory / test implementations
        /// used across this suite; the event service is always a fresh
        /// <see cref="DefaultEventService"/>.
        /// </summary>
        /// <param name="authorizationCodeStore">Has no default; passed through as given (may be null).</param>
        public static TokenRequestValidator CreateTokenRequestValidator(
            IdentityServerOptions options = null,
            IScopeStore scopes = null,
            IAuthorizationCodeStore authorizationCodeStore = null,
            IRefreshTokenStore refreshTokens = null,
            IUserService userService = null,
            ICustomGrantValidator customGrantValidator = null,
            ICustomRequestValidator customRequestValidator = null,
            ScopeValidator scopeValidator = null)
        {
            options = options ?? TestIdentityServerOptions.Create();
            scopes = scopes ?? new InMemoryScopeStore(TestScopes.Get());
            userService = userService ?? new TestUserService();
            customRequestValidator = customRequestValidator ?? new DefaultCustomRequestValidator();
            customGrantValidator = customGrantValidator ?? new TestGrantValidator();
            refreshTokens = refreshTokens ?? new InMemoryRefreshTokenStore();

            // Resolved after `scopes`: the default validator is built from the
            // (possibly defaulted) scope store. Note the store itself is not passed
            // to the validator constructor below — only the validator derived from it.
            scopeValidator = scopeValidator ?? new ScopeValidator(scopes);

            return new TokenRequestValidator(
                options,
                authorizationCodeStore,
                refreshTokens,
                userService,
                customGrantValidator,
                customRequestValidator,
                scopeValidator,
                new DefaultEventService());
        }
        public async Task Valid_RefreshToken_Request_using_Restricted_Client()
        {
            var handle = Guid.NewGuid().ToString();

            // Freshly created, 10-minute lifetime, bound to the restricted client.
            var storedToken = new RefreshToken
            {
                AccessToken = new Token("access_token"),
                ClientId = "roclient_restricted_refresh",
                LifeTime = 600,
                Handle = handle,
                CreationTime = DateTime.UtcNow
            };

            var store = new InMemoryRefreshTokenStore();
            await store.StoreAsync(storedToken.Handle, storedToken);

            // The requesting client is the client the token was issued to.
            var client = await _clients.FindClientByIdAsync("roclient_restricted_refresh");

            var validator = Factory.CreateTokenValidator(refreshTokens: store);

            var parameters = new NameValueCollection
            {
                { Constants.TokenRequest.GrantType, "refresh_token" },
                { Constants.TokenRequest.RefreshToken, storedToken.Handle }
            };

            var result = await validator.ValidateRequestAsync(parameters, client);

            Assert.IsFalse(result.IsError);
        }
        /// <summary>
        /// Builds the Autofac container that backs an IdentityServer instance: the
        /// services supplied by <c>options.Factory</c> are registered, each optional
        /// service the factory does not provide falls back to the in-memory / default
        /// implementation chosen below, and the core validators, response generators
        /// and Web API controllers are added on top.
        /// </summary>
        /// <param name="options">Hosting options; <c>options.Factory</c> must be set.</param>
        /// <returns>The built container.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="options"/> is null.</exception>
        /// <exception cref="InvalidOperationException"><c>options.Factory</c> is null.</exception>
        /// <remarks>
        /// Registration order is significant for Autofac (a later registration of the
        /// same service takes precedence), so keep the defaults ahead of the
        /// hosting-application registrations at the end of the method.
        /// </remarks>
        public static IContainer Configure(IdentityServerOptions options)
        {
            if (options == null) throw new ArgumentNullException("options");
            if (options.Factory == null) throw new InvalidOperationException("null factory");

            IdentityServerServiceFactory fact = options.Factory;
            // Let the factory reject an inconsistent set of registrations before
            // anything is wired up.
            fact.Validate();

            var builder = new ContainerBuilder();

            builder.RegisterInstance(options).AsSelf();

            // mandatory from factory
            // The factory's user service is registered under the name "inner" and is
            // only reachable through the decorator below, which runs the container's
            // IExternalClaimsFilter (NopClaimsFilter unless the factory supplies one,
            // see further down) over it.
            builder.Register(fact.UserService, "inner");
            builder.RegisterDecorator<IUserService>((s, inner) =>
            {
                var filter = s.Resolve<IExternalClaimsFilter>();
                return new ExternalClaimsFilterUserService(filter, inner);
            }, "inner");

            builder.Register(fact.ScopeStore);
            builder.Register(fact.ClientStore);
            
            // optional from factory
            // The authorization-code, token-handle and refresh-token stores are each
            // registered as "inner" (factory-supplied or in-memory) and exposed only
            // through a KeyHashing* decorator.
            // NOTE(review): judging by the names, the decorators hash the lookup key
            // before it reaches the backing store so a persisted store never holds
            // the raw code/handle — confirm in the KeyHashing* implementations.
            if (fact.AuthorizationCodeStore != null)
            {
                builder.Register(fact.AuthorizationCodeStore, "inner");
            }
            else
            {
                var inmemCodeStore = new InMemoryAuthorizationCodeStore();
                builder.RegisterInstance(inmemCodeStore).Named<IAuthorizationCodeStore>("inner");
            }
            builder.RegisterDecorator<IAuthorizationCodeStore>((s, inner) =>
            {
                return new KeyHashingAuthorizationCodeStore(inner);
            }, "inner");

            if (fact.TokenHandleStore != null)
            {
                builder.Register(fact.TokenHandleStore, "inner");
            }
            else
            {
                var inmemTokenHandleStore = new InMemoryTokenHandleStore();
                builder.RegisterInstance(inmemTokenHandleStore).Named<ITokenHandleStore>("inner");
            }
            builder.RegisterDecorator<ITokenHandleStore>((s, inner) =>
            {
                return new KeyHashingTokenHandleStore(inner);
            }, "inner");

            if (fact.RefreshTokenStore != null)
            {
                builder.Register(fact.RefreshTokenStore, "inner");
            }
            else
            {
                var inmemRefreshTokenStore = new InMemoryRefreshTokenStore();
                builder.RegisterInstance(inmemRefreshTokenStore).Named<IRefreshTokenStore>("inner");
            }
            builder.RegisterDecorator<IRefreshTokenStore>((s, inner) =>
            {
                return new KeyHashingRefreshTokenStore(inner);
            }, "inner");

            // The consent store is the only store registered without a decorator.
            if (fact.ConsentStore != null)
            {
                builder.Register(fact.ConsentStore);
            }
            else
            {
                var inmemConsentStore = new InMemoryConsentStore();
                builder.RegisterInstance(inmemConsentStore).As<IConsentStore>();
            }

            // From here on: factory registration if present, otherwise the Default*
            // type registered as the service interface.
            if (fact.ClaimsProvider != null)
            {
                builder.Register(fact.ClaimsProvider);
            }
            else
            {
                builder.RegisterType<DefaultClaimsProvider>().As<IClaimsProvider>();
            }

            if (fact.TokenService != null)
            {
                builder.Register(fact.TokenService);
            }
            else
            {
                builder.RegisterType<DefaultTokenService>().As<ITokenService>();
            }

            if (fact.RefreshTokenService != null)
            {
                builder.Register(fact.RefreshTokenService);
            }
            else
            {
                builder.RegisterType<DefaultRefreshTokenService>().As<IRefreshTokenService>();
            }

            if (fact.TokenSigningService != null)
            {
                builder.Register(fact.TokenSigningService);
            }
            else
            {
                builder.RegisterType<DefaultTokenSigningService>().As<ITokenSigningService>();
            }

            if (fact.CustomRequestValidator != null)
            {
                builder.Register(fact.CustomRequestValidator);
            }
            else
            {
                builder.RegisterType<DefaultCustomRequestValidator>().As<ICustomRequestValidator>();
            }

            if (fact.CustomGrantValidator != null)
            {
                builder.Register(fact.CustomGrantValidator);
            }
            else
            {
                builder.RegisterType<DefaultCustomGrantValidator>().As<ICustomGrantValidator>();
            }

            // Without a factory-supplied filter the IUserService decorator above gets
            // a NopClaimsFilter.
            if (fact.ExternalClaimsFilter != null)
            {
                builder.Register(fact.ExternalClaimsFilter);
            }
            else
            {
                builder.RegisterType<NopClaimsFilter>().As<IExternalClaimsFilter>();
            }

            if (fact.CustomTokenValidator != null)
            {
                builder.Register(fact.CustomTokenValidator);
            }
            else
            {
                builder.RegisterType<DefaultCustomTokenValidator>().As<ICustomTokenValidator>();
            }

            if (fact.ConsentService != null)
            {
                builder.Register(fact.ConsentService);
            }
            else
            {
                builder.RegisterType<DefaultConsentService>().As<IConsentService>();
            }

            if (fact.EventService != null)
            {
                builder.Register(fact.EventService);
            }
            else
            {
                builder.RegisterType<DefaultEventService>().As<IEventService>();
            }

            if (fact.RedirectUriValidator != null)
            {
                builder.Register(fact.RedirectUriValidator);
            }
            else
            {
                builder.RegisterType<DefaultRedirectUriValidator>().As<IRedirectUriValidator>();
            }

            // this is more of an internal interface, but maybe we want to open it up as pluggable?
            // this is used by the DefaultClientPermissionsService below, or it could be used
            // by a custom IClientPermissionsService
            // The aggregate resolves the *decorated* stores, so revocations issued
            // through it go through the same KeyHashing* wrappers as normal lookups.
            builder.Register(ctx =>
            {
                var consent = ctx.Resolve<IConsentStore>();
                var refresh = ctx.Resolve<IRefreshTokenStore>();
                var code = ctx.Resolve<IAuthorizationCodeStore>();
                var access = ctx.Resolve<ITokenHandleStore>();
                return new AggregatePermissionsStore(
                    consent,
                    new TokenMetadataPermissionsStoreAdapter(refresh.GetAllAsync, refresh.RevokeAsync),
                    new TokenMetadataPermissionsStoreAdapter(code.GetAllAsync, code.RevokeAsync),
                    new TokenMetadataPermissionsStoreAdapter(access.GetAllAsync, access.RevokeAsync)
                );
            }).As<IPermissionsStore>();

            if (fact.ClientPermissionsService != null)
            {
                builder.Register(fact.ClientPermissionsService);
            }
            else
            {
                builder.RegisterType<DefaultClientPermissionsService>().As<IClientPermissionsService>();
            }

            if (fact.ViewService != null)
            {
                builder.Register(fact.ViewService);
            }
            else
            {
                builder.RegisterType<DefaultViewService>().As<IViewService>();
            }

            // hosting services
            builder.RegisterType<OwinEnvironmentService>();

            // validators
            builder.RegisterType<TokenRequestValidator>();
            builder.RegisterType<AuthorizeRequestValidator>();
            builder.RegisterType<ClientValidator>();
            builder.RegisterType<TokenValidator>();
            builder.RegisterType<EndSessionRequestValidator>();
            builder.RegisterType<BearerTokenUsageValidator>();
            builder.RegisterType<ScopeValidator>();

            // processors
            builder.RegisterType<TokenResponseGenerator>();
            builder.RegisterType<AuthorizeResponseGenerator>();
            builder.RegisterType<AuthorizeInteractionResponseGenerator>();
            builder.RegisterType<UserInfoResponseGenerator>();
            builder.RegisterType<EndSessionResponseGenerator>();

            // for authentication
            var authenticationOptions = options.AuthenticationOptions ?? new AuthenticationOptions();
            builder.RegisterInstance(authenticationOptions).AsSelf();

            // load core controller
            builder.RegisterApiControllers(typeof(AuthorizeEndpointController).Assembly);

            // add any additional dependencies from hosting application
            // (registered last, so they can override any of the defaults above)
            foreach(var registration in fact.Registrations)
            {
                builder.Register(registration);
            }

            return builder.Build();
        }
        /// <summary>
        /// Builds the Autofac container that backs an IdentityServer instance from the
        /// hosting options and the server's internal configuration. Services supplied
        /// by <c>options.Factory</c> are registered as-is; each optional service the
        /// factory does not provide falls back to the in-memory / default
        /// implementation chosen below.
        /// </summary>
        /// <param name="options">Hosting options; <c>options.Factory</c> must be set.</param>
        /// <param name="internalConfig">Internal configuration, registered as itself.</param>
        /// <returns>The built container.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="options"/> or <paramref name="internalConfig"/> is null.</exception>
        /// <exception cref="InvalidOperationException"><c>options.Factory</c> is null.</exception>
        /// <remarks>
        /// Registration order is significant for Autofac (a later registration of the
        /// same service takes precedence), so keep the defaults ahead of the
        /// hosting-application registrations at the end of the method.
        /// </remarks>
        public static IContainer Configure(IdentityServerOptions options, InternalConfiguration internalConfig)
        {
            if (options == null) throw new ArgumentNullException("options");
            if (options.Factory == null) throw new InvalidOperationException("null factory");
            if (internalConfig == null) throw new ArgumentNullException("internalConfig");

            IdentityServerServiceFactory fact = options.Factory;
            // Let the factory reject an inconsistent set of registrations before
            // anything is wired up.
            fact.Validate();

            var builder = new ContainerBuilder();

            builder.RegisterInstance(internalConfig).AsSelf();

            // mandatory from factory
            builder.Register(fact.UserService);
            builder.Register(fact.ScopeService);
            builder.Register(fact.ClientService);
            builder.Register(fact.CoreSettings);
            
            // optional from factory
            // Stores are registered directly (factory-supplied or in-memory), with no
            // decorator in between: whatever key the caller presents is what the
            // backing store sees.
            if (fact.AuthorizationCodeStore != null)
            {
                builder.Register(fact.AuthorizationCodeStore);
            }
            else
            {
                var inmemCodeStore = new InMemoryAuthorizationCodeStore();
                builder.RegisterInstance(inmemCodeStore).As<IAuthorizationCodeStore>();
            }

            if (fact.TokenHandleStore != null)
            {
                builder.Register(fact.TokenHandleStore);
            }
            else
            {
                var inmemTokenHandleStore = new InMemoryTokenHandleStore();
                builder.RegisterInstance(inmemTokenHandleStore).As<ITokenHandleStore>();
            }

            if (fact.RefreshTokenStore != null)
            {
                builder.Register(fact.RefreshTokenStore);
            }
            else
            {
                var inmemRefreshTokenStore = new InMemoryRefreshTokenStore();
                builder.RegisterInstance(inmemRefreshTokenStore).As<IRefreshTokenStore>();
            }

            if (fact.ConsentService != null)
            {
                builder.Register(fact.ConsentService);
            }
            else
            {
                var inmemConsentService = new InMemoryConsentService();
                builder.RegisterInstance(inmemConsentService).As<IConsentService>();
            }

            // From here on: factory registration if present, otherwise the Default*
            // type registered as the service interface.
            if (fact.ClaimsProvider != null)
            {
                builder.Register(fact.ClaimsProvider);
            }
            else
            {
                builder.RegisterType<DefaultClaimsProvider>().As<IClaimsProvider>();
            }

            if (fact.TokenService != null)
            {
                builder.Register(fact.TokenService);
            }
            else
            {
                builder.RegisterType<DefaultTokenService>().As<ITokenService>();
            }

            if (fact.RefreshTokenService != null)
            {
                builder.Register(fact.RefreshTokenService);
            }
            else
            {
                builder.RegisterType<DefaultRefreshTokenService>().As<IRefreshTokenService>();
            }

            if (fact.TokenSigningService != null)
            {
                builder.Register(fact.TokenSigningService);
            }
            else
            {
                builder.RegisterType<DefaultTokenSigningService>().As<ITokenSigningService>();
            }

            if (fact.CustomRequestValidator != null)
            {
                builder.Register(fact.CustomRequestValidator);
            }
            else
            {
                builder.RegisterType<DefaultCustomRequestValidator>().As<ICustomRequestValidator>();
            }

            if (fact.AssertionGrantValidator != null)
            {
                builder.Register(fact.AssertionGrantValidator);
            }
            else
            {
                builder.RegisterType<DefaultAssertionGrantValidator>().As<IAssertionGrantValidator>();
            }

            if (fact.ExternalClaimsFilter != null)
            {
                builder.Register(fact.ExternalClaimsFilter);
            }
            else
            {
                builder.RegisterType<DefaultExternalClaimsFilter>().As<IExternalClaimsFilter>();
            }

            if (fact.CustomTokenValidator != null)
            {
                builder.Register(fact.CustomTokenValidator);
            }
            else
            {
                builder.RegisterType<DefaultCustomTokenValidator>().As<ICustomTokenValidator>();
            }

            // validators
            builder.RegisterType<TokenRequestValidator>();
            builder.RegisterType<AuthorizeRequestValidator>();
            builder.RegisterType<ClientValidator>();
            builder.RegisterType<TokenValidator>();

            // processors
            builder.RegisterType<TokenResponseGenerator>();
            builder.RegisterType<AuthorizeResponseGenerator>();
            builder.RegisterType<AuthorizeInteractionResponseGenerator>();
            builder.RegisterType<UserInfoResponseGenerator>();

            // general services
            builder.RegisterType<CookieMiddlewareTrackingCookieService>().As<ITrackingCookieService>();

            // for authentication
            var authenticationOptions = options.AuthenticationOptions ?? new AuthenticationOptions();
            builder.RegisterInstance(authenticationOptions).AsSelf();

            // load core controller
            builder.RegisterApiControllers(typeof(AuthorizeEndpointController).Assembly);

            // add any additional dependencies from hosting application
            // (registered last, so they can override any of the defaults above)
            foreach(var registration in fact.Registrations)
            {
                builder.Register(registration);
            }

            return builder.Build();
        }
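        /// <summary>
        /// When a sliding refresh token is renewed close to its absolute limit, the
        /// renewed token's lifetime must be capped at the client's
        /// <c>AbsoluteRefreshTokenLifetime</c> rather than extended past it.
        /// </summary>
        /// <remarks>
        /// NOTE(review): the real 8 s delay makes this test slow and dependent on the
        /// wall clock. Backdating the stored token's <c>CreationTime</c> instead
        /// would need to be confirmed against how
        /// <c>UpdateRefreshTokenAsync</c> measures elapsed time.
        /// </remarks>
        public async Task Sliding_Expiration_does_not_exceed_absolute_Expiration()
        {
            var store = new InMemoryRefreshTokenStore();
            var service = new DefaultRefreshTokenService(store);

            var client = await _clients.FindClientByIdAsync("roclient_sliding_refresh_expiration_one_time_only");
            var token = TokenFactory.CreateAccessToken(client.ClientId, "valid", 60, "read", "write");

            var handle = await service.CreateRefreshTokenAsync(token, client);
            var refreshToken = await store.GetAsync(handle);

            // Let enough time pass that sliding the window would overshoot the
            // absolute lifetime.
            await Task.Delay(8000);

            var newHandle = await service.UpdateRefreshTokenAsync(handle, refreshToken, client);
            var newRefreshToken = await store.GetAsync(newHandle);

            newRefreshToken.LifeTime.Should().Be(client.AbsoluteRefreshTokenLifetime);
        }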
        /// <summary>
        /// For a client configured with one-time-only refresh tokens, renewing a
        /// token must hand out a different handle than the one that was presented.
        /// </summary>
        public async Task OneTime_Handle_creates_new_Handle()
        {
            var store = new InMemoryRefreshTokenStore();
            var service = new DefaultRefreshTokenService(store);

            var client = await _clients.FindClientByIdAsync("roclient_absolute_refresh_expiration_one_time_only");
            var accessToken = TokenFactory.CreateAccessToken(client.ClientId, "valid", 60, "read", "write");

            var originalHandle = await service.CreateRefreshTokenAsync(accessToken, client);
            var storedToken = await store.GetAsync(originalHandle);
            var renewedHandle = await service.UpdateRefreshTokenAsync(originalHandle, storedToken, client);

            renewedHandle.Should().NotBe(originalHandle);
        }
        public async Task Client_has_no_OfflineAccess_Scope_anymore_at_RefreshToken_Request()
        {
            // The token itself is valid (fresh, 10-minute lifetime); as the test name
            // states, what changed is the client, which no longer holds the
            // offline_access scope. Such a request must fail with invalid_grant.
            var handle = Guid.NewGuid().ToString();
            var storedToken = new RefreshToken
            {
                AccessToken = new Token("access_token"),
                ClientId = "roclient_restricted",
                LifeTime = 600,
                CreationTime = DateTime.UtcNow
            };

            var store = new InMemoryRefreshTokenStore();
            await store.StoreAsync(handle, storedToken);

            var client = await _clients.FindClientByIdAsync("roclient_restricted");

            var validator = Factory.CreateTokenRequestValidator(refreshTokens: store);

            var parameters = new NameValueCollection
            {
                { Constants.TokenRequest.GrantType, "refresh_token" },
                { Constants.TokenRequest.RefreshToken, handle }
            };

            var result = await validator.ValidateRequestAsync(parameters, client);

            result.IsError.Should().BeTrue();
            result.Error.Should().Be(Constants.TokenErrors.InvalidGrant);
        }