public async Task RevokeRefreshToken(string clientId, string refreshToken) { var token = await _referenceTokenStore.GetReferenceTokenAsync(refreshToken); if (token.ClientId == clientId) { await _referenceTokenStore.RemoveReferenceTokenAsync(refreshToken); } }
private async Task <TokenValidationResult> ValidateReferenceAccessTokenAsync(string tokenHandle) { _log.TokenHandle = tokenHandle; var token = await _referenceTokenStore.GetReferenceTokenAsync(tokenHandle); if (token == null) { LogError("Token handle not found in token handle store."); return(Invalid(OidcConstants.ProtectedResourceErrors.InvalidToken)); } // TODO: review //if (token.Type != OidcConstants.TokenTypes.AccessToken) //{ // LogError("Token handle does not resolve to an access token - but instead to: " + token.Type); // await _tokenHandles.RemoveAsync(tokenHandle); // return Invalid(OidcConstants.ProtectedResourceErrors.InvalidToken); //} if (DateTimeHelper.UtcNow >= token.CreationTime.AddSeconds(token.Lifetime)) { LogError("Token expired."); await _referenceTokenStore.RemoveReferenceTokenAsync(tokenHandle); return(Invalid(OidcConstants.ProtectedResourceErrors.ExpiredToken)); } // load the client that is defined in the token Client client = null; if (token.ClientId != null) { client = await _clients.FindEnabledClientByIdAsync(token.ClientId); } if (client == null) { LogError($"Client deleted or disabled: {token.ClientId}"); return(Invalid(OidcConstants.ProtectedResourceErrors.InvalidToken)); } return(new TokenValidationResult { IsError = false, Client = client, Claims = ReferenceTokenToClaims(token), ReferenceToken = token, ReferenceTokenId = tokenHandle }); }
/// <summary> /// Revoke access token only if it belongs to client doing the request. /// </summary> protected virtual async Task <bool> RevokeAccessTokenAsync(TokenRevocationRequestValidationResult validationResult) { try { var token = await ReferenceTokenStore.GetReferenceTokenAsync(validationResult.Token); string subject; if (token != null) { subject = token.SubjectId; if (token.ClientId == validationResult.Client.ClientId) { Logger.LogDebug("Access token revoked"); await ReferenceTokenStore.RemoveReferenceTokenAsync(validationResult.Token); } else { Logger.LogWarning("Client {clientId} tried to revoke an access token belonging to a different client: {clientId}", validationResult.Client.ClientId, token.ClientId); } } else { var validateAccessToken = await _tokenValidator.ValidateAccessTokenAsync(validationResult.Token); if (validateAccessToken.IsError) { Logger.LogWarning("Client {clientId} access_token not valid: {clientId}", validationResult.Client.ClientId, token.ClientId); return(false); } var queryClaims = from item in validateAccessToken.Claims where item.Type == JwtClaimTypes.Subject select item.Value; subject = queryClaims.FirstOrDefault(); } // now we need to revoke this subject var rts = RefreshTokenStore as IRefreshTokenStore2; await rts.RemoveRefreshTokensAsync(subject, validationResult.Client.ClientId); var clientExtra = validationResult.Client as ClientExtra; await _tokenRevocationEventHandler.TokenRevokedAsync(clientExtra, subject); return(true); } catch (Exception e) { Logger.LogError(e, "unexpected error in revocation"); } return(false); }
private async Task <TokenValidationResult> ValidateReferenceAccessTokenAsync(string tokenHandle) { using var activity = Tracing.BasicActivitySource.StartActivity("TokenValidator.ValidateReferenceAccessToken"); _log.TokenHandle = tokenHandle; var token = await _referenceTokenStore.GetReferenceTokenAsync(tokenHandle); if (token == null) { LogError("Invalid reference token."); return(Invalid(OidcConstants.ProtectedResourceErrors.InvalidToken)); } if (token.CreationTime.HasExceeded(token.Lifetime, _clock.UtcNow.UtcDateTime)) { LogError("Token expired."); await _referenceTokenStore.RemoveReferenceTokenAsync(tokenHandle); return(Invalid(OidcConstants.ProtectedResourceErrors.ExpiredToken)); } // load the client that is defined in the token Client client = null; if (token.ClientId != null) { client = await _clients.FindEnabledClientByIdAsync(token.ClientId); } if (client == null) { LogError($"Client deleted or disabled: {token.ClientId}"); return(Invalid(OidcConstants.ProtectedResourceErrors.InvalidToken)); } return(new TokenValidationResult { IsError = false, Client = client, Claims = ReferenceTokenToClaims(token), ReferenceToken = token, ReferenceTokenId = tokenHandle }); }
private async Task <TokenValidationResult> ValidateReferenceAccessTokenAsync(string tokenHandle) { _log.TokenHandle = tokenHandle; var token = await _referenceTokenStore.GetReferenceTokenAsync(tokenHandle); if (token == null) { LogError("Token handle not found in token handle store."); return(Invalid(OidcConstants.ProtectedResourceErrors.InvalidToken)); } if (IdentityServerDateTime.UtcNow >= token.CreationTime.AddSeconds(token.Lifetime)) { LogError("Token expired."); await _referenceTokenStore.RemoveReferenceTokenAsync(tokenHandle); return(Invalid(OidcConstants.ProtectedResourceErrors.ExpiredToken)); } // load the client that is defined in the token Client client = null; if (token.ClientId != null) { client = await _clients.FindEnabledClientByIdAsync(token.ClientId); } if (client == null) { LogError($"Client deleted or disabled: {token.ClientId}"); return(Invalid(OidcConstants.ProtectedResourceErrors.InvalidToken)); } return(new TokenValidationResult { IsError = false, Client = client, Claims = ReferenceTokenToClaims(token), ReferenceToken = token, ReferenceTokenId = tokenHandle }); }
/// <summary> /// Revoke access token only if it belongs to client doing the request. /// </summary> protected virtual async Task <bool> RevokeAccessTokenAsync(TokenRevocationRequestValidationResult validationResult) { var token = await ReferenceTokenStore.GetReferenceTokenAsync(validationResult.Token); if (token != null) { if (token.ClientId == validationResult.Client.ClientId) { Logger.LogDebug("Access token revoked"); await ReferenceTokenStore.RemoveReferenceTokenAsync(validationResult.Token); } else { Logger.LogWarning("Client {clientId} tried to revoke an access token belonging to a different client: {clientId}", validationResult.Client.ClientId, token.ClientId); } return(true); } return(false); }
// revoke access token only if it belongs to client doing the request private async Task <bool> RevokeAccessTokenAsync(string handle, Client client) { var token = await _referenceTokenStore.GetReferenceTokenAsync(handle); if (token != null) { if (token.ClientId == client.ClientId) { _logger.LogDebug("Access token revoked"); await _referenceTokenStore.RemoveReferenceTokenAsync(handle); } else { _logger.LogWarning("Client {clientId} tried to revoke an access token belonging to a different client: {clientId}", client.ClientId, token.ClientId); } return(true); } return(false); }
public async Task RemoveReferenceTokenAsync_should_remove_grant() { var token1 = new Token() { ClientId = "client", Audiences = { "aud" }, CreationTime = DateTime.UtcNow, Type = "type", Claims = new List <Claim> { new Claim("sub", "123"), new Claim("scope", "foo") }, Version = 1 }; var handle = await _referenceTokens.StoreReferenceTokenAsync(token1); await _referenceTokens.RemoveReferenceTokenAsync(handle); var token2 = await _referenceTokens.GetReferenceTokenAsync(handle); token2.Should().BeNull(); }