public async Task RevokeRefreshToken(string clientId, string refreshToken)
{
var token = await _referenceTokenStore.GetReferenceTokenAsync(refreshToken);
if (token.ClientId == clientId)
{
await _referenceTokenStore.RemoveReferenceTokenAsync(refreshToken);
}
}
private async Task <TokenValidationResult> ValidateReferenceAccessTokenAsync(string tokenHandle)
{
_log.TokenHandle = tokenHandle;
var token = await _referenceTokenStore.GetReferenceTokenAsync(tokenHandle);
if (token == null)
{
LogError("Token handle not found in token handle store.");
return(Invalid(OidcConstants.ProtectedResourceErrors.InvalidToken));
}
// TODO: review
//if (token.Type != OidcConstants.TokenTypes.AccessToken)
//{
// LogError("Token handle does not resolve to an access token - but instead to: " + token.Type);
// await _tokenHandles.RemoveAsync(tokenHandle);
// return Invalid(OidcConstants.ProtectedResourceErrors.InvalidToken);
//}
if (DateTimeHelper.UtcNow >= token.CreationTime.AddSeconds(token.Lifetime))
{
LogError("Token expired.");
await _referenceTokenStore.RemoveReferenceTokenAsync(tokenHandle);
return(Invalid(OidcConstants.ProtectedResourceErrors.ExpiredToken));
}
// load the client that is defined in the token
Client client = null;
if (token.ClientId != null)
{
client = await _clients.FindEnabledClientByIdAsync(token.ClientId);
}
if (client == null)
{
LogError($"Client deleted or disabled: {token.ClientId}");
return(Invalid(OidcConstants.ProtectedResourceErrors.InvalidToken));
}
return(new TokenValidationResult
{
IsError = false,
Client = client,
Claims = ReferenceTokenToClaims(token),
ReferenceToken = token,
ReferenceTokenId = tokenHandle
});
}
/// <summary>
/// Revoke access token only if it belongs to client doing the request.
/// </summary>
protected virtual async Task <bool> RevokeAccessTokenAsync(TokenRevocationRequestValidationResult validationResult)
{
try
{
var token = await ReferenceTokenStore.GetReferenceTokenAsync(validationResult.Token);
string subject;
if (token != null)
{
subject = token.SubjectId;
if (token.ClientId == validationResult.Client.ClientId)
{
Logger.LogDebug("Access token revoked");
await ReferenceTokenStore.RemoveReferenceTokenAsync(validationResult.Token);
}
else
{
Logger.LogWarning("Client {clientId} tried to revoke an access token belonging to a different client: {clientId}", validationResult.Client.ClientId, token.ClientId);
}
}
else
{
var validateAccessToken = await _tokenValidator.ValidateAccessTokenAsync(validationResult.Token);
if (validateAccessToken.IsError)
{
Logger.LogWarning("Client {clientId} access_token not valid: {clientId}", validationResult.Client.ClientId, token.ClientId);
return(false);
}
var queryClaims = from item in validateAccessToken.Claims
where item.Type == JwtClaimTypes.Subject
select item.Value;
subject = queryClaims.FirstOrDefault();
}
// now we need to revoke this subject
var rts = RefreshTokenStore as IRefreshTokenStore2;
await rts.RemoveRefreshTokensAsync(subject, validationResult.Client.ClientId);
var clientExtra = validationResult.Client as ClientExtra;
await _tokenRevocationEventHandler.TokenRevokedAsync(clientExtra, subject);
return(true);
}
catch (Exception e)
{
Logger.LogError(e, "unexpected error in revocation");
}
return(false);
}
private async Task <TokenValidationResult> ValidateReferenceAccessTokenAsync(string tokenHandle)
{
using var activity = Tracing.BasicActivitySource.StartActivity("TokenValidator.ValidateReferenceAccessToken");
_log.TokenHandle = tokenHandle;
var token = await _referenceTokenStore.GetReferenceTokenAsync(tokenHandle);
if (token == null)
{
LogError("Invalid reference token.");
return(Invalid(OidcConstants.ProtectedResourceErrors.InvalidToken));
}
if (token.CreationTime.HasExceeded(token.Lifetime, _clock.UtcNow.UtcDateTime))
{
LogError("Token expired.");
await _referenceTokenStore.RemoveReferenceTokenAsync(tokenHandle);
return(Invalid(OidcConstants.ProtectedResourceErrors.ExpiredToken));
}
// load the client that is defined in the token
Client client = null;
if (token.ClientId != null)
{
client = await _clients.FindEnabledClientByIdAsync(token.ClientId);
}
if (client == null)
{
LogError($"Client deleted or disabled: {token.ClientId}");
return(Invalid(OidcConstants.ProtectedResourceErrors.InvalidToken));
}
return(new TokenValidationResult
{
IsError = false,
Client = client,
Claims = ReferenceTokenToClaims(token),
ReferenceToken = token,
ReferenceTokenId = tokenHandle
});
}
private async Task <TokenValidationResult> ValidateReferenceAccessTokenAsync(string tokenHandle)
{
_log.TokenHandle = tokenHandle;
var token = await _referenceTokenStore.GetReferenceTokenAsync(tokenHandle);
if (token == null)
{
LogError("Token handle not found in token handle store.");
return(Invalid(OidcConstants.ProtectedResourceErrors.InvalidToken));
}
if (IdentityServerDateTime.UtcNow >= token.CreationTime.AddSeconds(token.Lifetime))
{
LogError("Token expired.");
await _referenceTokenStore.RemoveReferenceTokenAsync(tokenHandle);
return(Invalid(OidcConstants.ProtectedResourceErrors.ExpiredToken));
}
// load the client that is defined in the token
Client client = null;
if (token.ClientId != null)
{
client = await _clients.FindEnabledClientByIdAsync(token.ClientId);
}
if (client == null)
{
LogError($"Client deleted or disabled: {token.ClientId}");
return(Invalid(OidcConstants.ProtectedResourceErrors.InvalidToken));
}
return(new TokenValidationResult
{
IsError = false,
Client = client,
Claims = ReferenceTokenToClaims(token),
ReferenceToken = token,
ReferenceTokenId = tokenHandle
});
}
/// <summary>
/// Revoke access token only if it belongs to client doing the request.
/// </summary>
protected virtual async Task <bool> RevokeAccessTokenAsync(TokenRevocationRequestValidationResult validationResult)
{
var token = await ReferenceTokenStore.GetReferenceTokenAsync(validationResult.Token);
if (token != null)
{
if (token.ClientId == validationResult.Client.ClientId)
{
Logger.LogDebug("Access token revoked");
await ReferenceTokenStore.RemoveReferenceTokenAsync(validationResult.Token);
}
else
{
Logger.LogWarning("Client {clientId} tried to revoke an access token belonging to a different client: {clientId}", validationResult.Client.ClientId, token.ClientId);
}
return(true);
}
return(false);
}
// revoke access token only if it belongs to client doing the request
private async Task <bool> RevokeAccessTokenAsync(string handle, Client client)
{
var token = await _referenceTokenStore.GetReferenceTokenAsync(handle);
if (token != null)
{
if (token.ClientId == client.ClientId)
{
_logger.LogDebug("Access token revoked");
await _referenceTokenStore.RemoveReferenceTokenAsync(handle);
}
else
{
_logger.LogWarning("Client {clientId} tried to revoke an access token belonging to a different client: {clientId}", client.ClientId, token.ClientId);
}
return(true);
}
return(false);
}
public async Task RemoveReferenceTokenAsync_should_remove_grant()
{
var token1 = new Token()
{
ClientId = "client",
Audiences = { "aud" },
CreationTime = DateTime.UtcNow,
Type = "type",
Claims = new List <Claim>
{
new Claim("sub", "123"),
new Claim("scope", "foo")
},
Version = 1
};
var handle = await _referenceTokens.StoreReferenceTokenAsync(token1);
await _referenceTokens.RemoveReferenceTokenAsync(handle);
var token2 = await _referenceTokens.GetReferenceTokenAsync(handle);
token2.Should().BeNull();
}
