        /// <summary>
        /// Looks up the refresh token behind <paramref name="handle"/> and revokes it
        /// only when it was issued to the client making the request.
        /// </summary>
        /// <param name="handle">The refresh token handle presented in the revocation request.</param>
        /// <param name="client">The (already authenticated) client issuing the request.</param>
        /// <returns>
        /// <c>true</c> when a refresh token exists for <paramref name="handle"/>, whether or not it
        /// belonged to <paramref name="client"/>; <c>false</c> when no refresh token matches the handle.
        /// The result therefore does not tell a foreign client anything beyond "handled".
        /// </returns>
        private async Task<bool> RevokeRefreshTokenAsync(string handle, Client client)
        {
            var refreshToken = await _refreshTokens.GetAsync(handle);

            // Unknown handle: nothing to revoke here (the caller presumably tries other token types).
            if (refreshToken == null)
            {
                return false;
            }

            if (refreshToken.ClientId != client.ClientId)
            {
                // Ownership check: a client must never be able to revoke another client's tokens.
                // This is logged and surfaced as a failure event, but still reported as handled.
                var warning = string.Format(
                    "Client {0} tried to revoke a refresh token belonging to a different client: {1}",
                    client.ClientId,
                    refreshToken.ClientId);

                Logger.Warn(warning);
                await RaiseFailureEventAsync(warning);

                return true;
            }

            // Revocation is keyed by subject + client in both stores; _tokenHandles looks like the
            // reference access-token store, so handles issued alongside this refresh token
            // are dropped too — confirm against the store implementation.
            await _refreshTokens.RevokeAsync(refreshToken.SubjectId, refreshToken.ClientId);
            await _tokenHandles.RevokeAsync(refreshToken.SubjectId, refreshToken.ClientId);

            return true;
        }
        /// <summary>
        /// Revoking one client's tokens for a subject must leave that subject's tokens
        /// for every other client retrievable through <c>GetAllAsync</c>.
        /// </summary>
        public async Task NonRevokedTokensAreReturned()
        {
            await _setup;

            // Revoke only the (SubjectB, RevokedClient) tokens; SubjectB's other tokens must survive.
            await _store.RevokeAsync(SubjectB, RevokedClient);

            var stored = await _store.GetAllAsync(SubjectB);

            // Both sides are ordered by creation time and projected to a comparable string
            // form so the comparison does not depend on the store's enumeration order.
            var expected = _subjectBTokens
                .Where(t => t.ClientId != RevokedClient)
                .OrderBy(CreationTime)
                .Select(TestData.ToTestableString);

            var actual = stored
                .OfType<Token>()
                .OrderBy(CreationTime)
                .Select(TestData.ToTestableString);

            Assert.Equal(expected, actual);
        }