/// <summary>
/// Revokes the refresh token identified by <paramref name="handle"/>, but only when it was
/// issued to the <paramref name="client"/> making the request. A mismatch is logged and
/// surfaced as a failure event instead of being acted on.
/// </summary>
/// <param name="handle">The refresh token handle presented by the client.</param>
/// <param name="client">The authenticated client performing the revocation request.</param>
/// <returns>
/// <c>true</c> when the handle resolved to a stored token (whether or not it was revoked);
/// <c>false</c> when no token exists for the handle.
/// </returns>
private async Task<bool> RevokeRefreshTokenAsync(string handle, Client client)
{
    var token = await _refreshTokens.GetAsync(handle);
    if (token == null)
    {
        // Unknown handle: nothing to revoke here.
        return false;
    }

    if (token.ClientId != client.ClientId)
    {
        // Ownership check failed: refuse the revocation, leave the token untouched,
        // and record the attempt so it is visible to operators.
        var message = string.Format(
            "Client {0} tried to revoke a refresh token belonging to a different client: {1}",
            client.ClientId,
            token.ClientId);
        Logger.Warn(message);
        await RaiseFailureEventAsync(message);
        return true;
    }

    // Owner matches. Note that both stores are revoked by (subject, client) pair,
    // not by the individual handle, so every refresh token and token handle for this
    // subject/client combination is affected.
    await _refreshTokens.RevokeAsync(token.SubjectId, token.ClientId);
    await _tokenHandles.RevokeAsync(token.SubjectId, token.ClientId);
    return true;
}
/// <summary>
/// After revoking one client's tokens for subject B, GetAllAsync must still return every
/// other seeded token for that subject. Both sides are normalised by creation time and a
/// testable string form, so the comparison checks content rather than the store's order.
/// </summary>
public async Task NonRevokedTokensAreReturned()
{
    await _setup;
    await _store.RevokeAsync(SubjectB, RevokedClient);

    var returned = await _store.GetAllAsync(SubjectB);

    // Expected set: the seeded subject-B tokens minus those issued to the revoked client.
    var expected = _subjectBTokens
        .Where(x => x.ClientId != RevokedClient)
        .OrderBy(CreationTime)
        .Select(TestData.ToTestableString);

    // Only Token entries from the store are compared; anything else is filtered out.
    var observed = returned
        .OfType<Token>()
        .OrderBy(CreationTime)
        .Select(TestData.ToTestableString);

    Assert.Equal(expected, observed);
}