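/// <summary>
/// Revokes a refresh token, but only when it belongs to the client making the request.
/// </summary>
/// <param name="handle">Refresh token handle submitted to the revocation endpoint.</param>
/// <param name="client">The client making the revocation request.</param>
/// <returns>
/// <c>true</c> when <paramref name="handle"/> resolved to a stored refresh token, including the
/// case where that token is owned by a different client and nothing was removed;
/// <c>false</c> when no refresh token was found for the handle.
/// </returns>
private async Task<bool> RevokeRefreshTokenAsync(string handle, Client client)
{
    var token = await _grants.GetRefreshTokenAsync(handle);
    if (token == null)
    {
        return false;
    }

    if (token.ClientId == client.ClientId)
    {
        // Ownership confirmed: remove the refresh tokens and the reference tokens stored
        // for the same subject/client pair.
        await _grants.RemoveRefreshTokensAsync(token.SubjectId, token.ClientId);
        await _grants.RemoveReferenceTokensAsync(token.SubjectId, token.ClientId);

        // Logged after both removals so the entry is only written once revocation completed.
        _logger.LogDebug("Refresh token revoked");
    }
    else
    {
        // Cross-client revocation attempt. The previous code passed named placeholders
        // ("{clientId}") to string.Format, which throws FormatException, so this branch
        // failed before the warning was logged or the failure event was raised.
        // Use a logging template with distinct property names, and build the event text
        // with interpolation so both client ids are reported.
        _logger.LogWarning(
            "Client {clientId} tried to revoke a refresh token belonging to a different client: {tokenClientId}",
            client.ClientId,
            token.ClientId);

        var message = $"Client {client.ClientId} tried to revoke a refresh token belonging to a different client: {token.ClientId}";
        await RaiseFailureEventAsync(message);
    }

    // NOTE(review): a handle owned by another client still reports true; the caller is not
    // visible here - confirm it only uses this to mean "handle was a refresh token".
    return true;
}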