public OAuthRefreshToken FindValidRefreshToken(string clientId, string token)
{
var isRefreshTokenValid = _tokenService.Validate(token);
if (!isRefreshTokenValid)
{
return(null);
}
var refreshToken = _oAuthRefreshTokenStorage.FetchByToken(token);
if (refreshToken == null)
{
return(null);
}
var securityToken = _tokenService.ReadToken(token);
var userId = securityToken.Claims.FirstOrDefault(x => x.Type.Equals(OAuthClaimTypes.NameIdentifier))?.Value;
if (string.IsNullOrWhiteSpace(userId))
{
return(null);
}
var rememberToken = _oAuthUserProvider.GetUserRememberToken(userId) ?? string.Empty;
var securityTokenRememberToken = securityToken.Claims.FirstOrDefault(x => x.Type.Equals(OAuthClaimTypes.RememberToken))?.Value ?? string.Empty;
// If user has logged out everwhere, the remember token doesn't match anymore and we log out.
if (rememberToken != securityTokenRememberToken)
{
_oAuthRefreshTokenStorage.Delete(token);
return(null);
}
// Make sure refresh token is valid
if (refreshToken.ClientId != clientId || // Invalid client
refreshToken.ExpireAt < DateTime.UtcNow) // Expired
{
return(null);
}
// Refresh token is valid
return(refreshToken);
}
