public override async Task HandleRevocationRequest(HandleRevocationRequestContext context)
{
// If the received token is not a refresh token,
// return an error to indicate that the token cannot be revoked.
if (!context.Ticket.IsRefreshToken())
{
context.Reject(
error: OpenIdConnectConstants.Errors.UnsupportedTokenType,
description: "Only refresh tokens can be revoked.");
return;
}
// Extract the token identifier from the authentication ticket.
var identifier = context.Ticket.GetTicketId();
var cmd = new DeleteRefreshTokenByTokenCommand(identifier);
var result = await ExecuteCommand <DeleteRefreshTokenByTokenCommand, Core.Result>(context, cmd);
if (result.Succeeded)
{
context.Revoked = true;
SetCorsHeader(context);
}
else
{
context.Reject(OpenIdConnectConstants.Errors.InvalidRequest, "Could not revoke refresh_token.");
return;
}
}
/// <summary>
/// Set cross-origin HTTP request (Cors) header to allow requests from a different domains.
/// This Cors value is specific to an Application and set by when validating the client application (ValidateClientAuthenticationp).
/// </summary>
private static void SetCorsHeader(HandleRevocationRequestContext context)
{
var allowedOrigin = context.HttpContext.Items["as:clientAllowedOrigin"] as string;
if (allowedOrigin != null)
{
context.HttpContext.Response.Headers.Add("Access-Control-Allow-Origin", new StringValues(allowedOrigin));
}
}
public override async Task HandleRevocationRequest([NotNull] HandleRevocationRequestContext context)
{
var logger = context.HttpContext.RequestServices.GetRequiredService <ILogger <OpenIddictProvider <TApplication, TAuthorization, TScope, TToken> > >();
var tokens = context.HttpContext.RequestServices.GetRequiredService <OpenIddictTokenManager <TToken> >();
Debug.Assert(context.Ticket != null, "The authentication ticket shouldn't be null.");
// If the received token is not an authorization code or a refresh token,
// return an error to indicate that the token cannot be revoked.
if (!context.Ticket.IsAuthorizationCode() && !context.Ticket.IsRefreshToken())
{
logger.LogError("The revocation request was rejected because the token was not revocable.");
context.Reject(
error: OpenIdConnectConstants.Errors.UnsupportedTokenType,
description: "Only authorization codes and refresh tokens can be revoked.");
return;
}
// Extract the token identifier from the authentication ticket.
var identifier = context.Ticket.GetTicketId();
Debug.Assert(!string.IsNullOrEmpty(identifier), "The token should contain a ticket identifier.");
// Retrieve the token from the database. If the token cannot be found,
// assume it is invalid and consider the revocation as successful.
var token = await tokens.FindByIdAsync(identifier, context.HttpContext.RequestAborted);
if (token == null)
{
logger.LogInformation("The token '{Identifier}' was already revoked.", identifier);
context.Revoked = true;
return;
}
// Revoke the token.
await tokens.RevokeAsync(token, context.HttpContext.RequestAborted);
logger.LogInformation("The token '{Identifier}' was successfully revoked.", identifier);
context.Revoked = true;
}
public override async Task HandleRevocationRequest([NotNull] HandleRevocationRequestContext context)
{
var options = (OpenIddictOptions)context.Options;
Debug.Assert(context.Ticket != null, "The authentication ticket shouldn't be null.");
// If the received token is not an authorization code or a refresh token,
// return an error to indicate that the token cannot be revoked.
if (context.Ticket.IsIdentityToken())
{
Logger.LogError("The revocation request was rejected because identity tokens are not revocable.");
context.Reject(
error: OpenIdConnectConstants.Errors.UnsupportedTokenType,
description: "The specified token cannot be revoked.");
return;
}
// If the received token is an access token, return an error if reference tokens are not enabled.
if (!options.UseReferenceTokens && context.Ticket.IsAccessToken())
{
Logger.LogError("The revocation request was rejected because the access token was not revocable.");
context.Reject(
error: OpenIdConnectConstants.Errors.UnsupportedTokenType,
description: "The specified token cannot be revoked.");
return;
}
// Extract the token identifier from the authentication ticket.
var identifier = context.Ticket.GetTokenId();
Debug.Assert(!string.IsNullOrEmpty(identifier), "The authentication ticket should contain a token identifier.");
// Retrieve the token from the request properties. If it's already marked as revoked, directly return a 200 response.
var token = context.Request.GetProperty <TToken>($"{OpenIddictConstants.Properties.Token}:{identifier}");
Debug.Assert(token != null, "The token shouldn't be null.");
if (await Tokens.IsRevokedAsync(token))
{
Logger.LogInformation("The token '{Identifier}' was not revoked because " +
"it was already marked as invalid.", identifier);
context.Revoked = true;
return;
}
// Try to revoke the token. If an exception is thrown,
// log and swallow it to ensure that a valid response
// will be returned to the client application.
try
{
await Tokens.RevokeAsync(token);
}
catch (Exception exception)
{
Logger.LogWarning(exception, "An exception occurred while trying to revoke the authorization " +
"associated with the token '{Identifier}'.", identifier);
return;
}
Logger.LogInformation("The token '{Identifier}' was successfully revoked.", identifier);
context.Revoked = true;
}
public override async Task HandleRevocationRequest(HandleRevocationRequestContext context)
{
_tokenRepository.RevokeToken(context.Request.Token);
context.Revoked = true;
}
public Task HandleRevocationRequest(HandleRevocationRequestContext context)
{
throw new NotImplementedException();
}
