Пример #1
0
        public async Task When_Token_Doesnt_Exist_Then_Exception_Is_Returned()
        {
            // ARRANGE
            InitializeFakeObjects();
            var parameter = new RevokeTokenParameter
            {
                Token = "access_token"
            };

            _authenticateInstructionGeneratorStub.Setup(a => a.GetAuthenticateInstruction(It.IsAny <AuthenticationHeaderValue>()))
            .Returns(new AuthenticateInstruction());
            _authenticateClientStub.Setup(a => a.AuthenticateAsync(It.IsAny <AuthenticateInstruction>(), null, It.IsAny <bool>()))
            .Returns(() => Task.FromResult(new AuthenticationResult(new Client(), null)));
            _grantedTokenRepositoryStub.Setup(g => g.GetAccessToken(It.IsAny <string>()))
            .Returns(() => Task.FromResult((GrantedToken)null));
            _grantedTokenRepositoryStub.Setup(g => g.GetRefreshToken(It.IsAny <string>()))
            .Returns(() => Task.FromResult((GrantedToken)null));

            // ACT
            var result = await Assert.ThrowsAsync <IdentityServerException>(() => _revokeTokenAction.Execute(parameter, null, null, null));

            // ASSERT
            Assert.NotNull(result);
            Assert.Equal("invalid_token", result.Code);
        }
Пример #2
0
        public Task <bool> RevokeToken(
            RevokeTokenParameter revokeTokenParameter,
            AuthenticationHeaderValue authenticationHeaderValue)
        {
            if (revokeTokenParameter == null)
            {
                throw new ArgumentNullException(nameof(revokeTokenParameter));
            }

            var processId = Guid.NewGuid().ToString();

            try
            {
                _eventPublisher.Publish(new RevokeTokenReceived(Guid.NewGuid().ToString(), processId, _payloadSerializer.GetPayload(revokeTokenParameter, authenticationHeaderValue), authenticationHeaderValue, 0));
                _simpleIdentityServerEventSource.StartRevokeToken(revokeTokenParameter.Token);
                var result = _revokeTokenAction.Execute(revokeTokenParameter, authenticationHeaderValue);
                _simpleIdentityServerEventSource.EndRevokeToken(revokeTokenParameter.Token);
                _eventPublisher.Publish(new TokenRevoked(Guid.NewGuid().ToString(), processId, 1));
                return(result);
            }
            catch (IdentityServerException ex)
            {
                _eventPublisher.Publish(new OpenIdErrorReceived(Guid.NewGuid().ToString(), processId, ex.Code, ex.Message, 1));
                throw;
            }
        }
Пример #3
0
        public async Task When_Invalidating_Access_Token_Then_GrantedToken_Is_Removed()
        {
            // ARRANGE
            InitializeFakeObjects();
            var grantedToken = new GrantedToken
            {
                AccessToken = "access_token"
            };
            var parameter = new RevokeTokenParameter
            {
                Token = "access_token"
            };

            _authenticateInstructionGeneratorStub.Setup(a => a.GetAuthenticateInstruction(It.IsAny <AuthenticationHeaderValue>()))
            .Returns(new AuthenticateInstruction());
            _authenticateClientStub.Setup(a => a.AuthenticateAsync(It.IsAny <AuthenticateInstruction>(), null, It.IsAny <bool>()))
            .Returns(() => Task.FromResult(new AuthenticationResult(new Client(), null)));
            _grantedTokenRepositoryStub.Setup(g => g.GetAccessToken(It.IsAny <string>()))
            .Returns(Task.FromResult(grantedToken));
            _grantedTokenRepositoryStub.Setup(g => g.GetRefreshToken(It.IsAny <string>()))
            .Returns(() => Task.FromResult((GrantedToken)null));
            _grantedTokenRepositoryStub.Setup(g => g.RemoveAccessToken(It.IsAny <string>()))
            .Returns(Task.FromResult(true));

            // ACT
            await _revokeTokenAction.Execute(parameter, null, null, null);

            // ASSERTS
            _grantedTokenRepositoryStub.Verify(g => g.RemoveAccessToken(grantedToken.AccessToken));
        }
Пример #4
0
        public async Task When_Invalidating_Refresh_Token_Then_GrantedTokenChildren_Are_Removed()
        {
            // ARRANGE
            InitializeFakeObjects();
            var parent = new GrantedToken
            {
                RefreshToken = "refresh_token"
            };
            var child = new GrantedToken
            {
                ParentTokenId = "refresh_token",
                AccessToken   = "access_token_child"
            };
            var parameter = new RevokeTokenParameter
            {
                Token = "refresh_token"
            };

            _authenticateInstructionGeneratorStub.Setup(a => a.GetAuthenticateInstruction(It.IsAny <AuthenticationHeaderValue>()))
            .Returns(new AuthenticateInstruction());
            _authenticateClientStub.Setup(a => a.AuthenticateAsync(It.IsAny <AuthenticateInstruction>()))
            .Returns(() => Task.FromResult(new AuthenticationResult(new Core.Common.Models.Client(), null)));
            _grantedTokenRepositoryStub.Setup(g => g.GetAccessToken(It.IsAny <string>()))
            .Returns(() => Task.FromResult((GrantedToken)null));
            _grantedTokenRepositoryStub.Setup(g => g.GetRefreshToken(It.IsAny <string>()))
            .Returns(Task.FromResult(parent));
            _grantedTokenRepositoryStub.Setup(g => g.RemoveAccessToken(It.IsAny <string>()))
            .Returns(Task.FromResult(true));

            // ACT
            await _revokeTokenAction.Execute(parameter, null);

            // ASSERTS
            _grantedTokenRepositoryStub.Verify(g => g.RemoveRefreshToken(parent.RefreshToken));
        }
Пример #5
0
        public async Task When_Token_Does_Not_Exist_Then_Exception_Is_Returned()
        {
            var clientid     = "clientid";
            var clientsecret = "secret";
            var parameter    = new RevokeTokenParameter {
                Token = "access_token"
            };

            var client = new Client
            {
                ClientId = clientid,
                Secrets  = new[] { new ClientSecret {
                                       Type = ClientSecretTypes.SharedSecret, Value = clientsecret
                                   } }
            };

            _clientStore.Setup(x => x.GetById(It.IsAny <string>(), It.IsAny <CancellationToken>())).ReturnsAsync(client);
            _grantedTokenRepositoryStub.Setup(g => g.GetAccessToken(It.IsAny <string>(), It.IsAny <CancellationToken>()))
            .Returns(() => Task.FromResult((GrantedToken)null));
            _grantedTokenRepositoryStub.Setup(g => g.GetRefreshToken(It.IsAny <string>(), It.IsAny <CancellationToken>()))
            .Returns(() => Task.FromResult((GrantedToken)null));

            var authenticationHeader = new AuthenticationHeaderValue(
                "Basic",
                $"{clientid}:{clientsecret}".Base64Encode());
            var result = await _revokeTokenAction.Execute(
                parameter,
                authenticationHeader,
                null,
                null,
                CancellationToken.None)
                         .ConfigureAwait(false) as Option.Error;

            Assert.Equal("invalid_token", result.Details.Title);
        }
Пример #6
0
        public async Task <Option> Execute(
            RevokeTokenParameter revokeTokenParameter,
            AuthenticationHeaderValue?authenticationHeaderValue,
            X509Certificate2?certificate,
            string issuerName,
            CancellationToken cancellationToken)
        {
            var refreshToken = revokeTokenParameter.Token;

            if (refreshToken == null)
            {
                _logger.LogError(Strings.TheRefreshTokenIsNotValid);
                return(new ErrorDetails
                {
                    Detail = Strings.TheRefreshTokenIsNotValid,
                    Status = HttpStatusCode.BadRequest,
                    Title = ErrorCodes.InvalidToken
                });
            }
            // 1. Check the client credentials
            var instruction = authenticationHeaderValue.GetAuthenticateInstruction(revokeTokenParameter, certificate);
            var authResult  = await _authenticateClient.Authenticate(instruction, issuerName, cancellationToken)
                              .ConfigureAwait(false);

            var client = authResult.Client;

            if (client == null)
            {
                _logger.LogError(authResult.ErrorMessage);
                return(new ErrorDetails
                {
                    Detail = authResult.ErrorMessage !,
                    Status = HttpStatusCode.BadRequest,
                    Title = ErrorCodes.InvalidClient
                });
Пример #7
0
 public RevokeTokenReceived(string id, string processId, RevokeTokenParameter parameter, AuthenticationHeaderValue authHeader, int order)
 {
     Id         = id;
     ProcessId  = processId;
     Parameter  = parameter;
     Order      = order;
     AuthHeader = authHeader;
 }
Пример #8
0
        public async Task <bool> Execute(RevokeTokenParameter revokeTokenParameter, AuthenticationHeaderValue authenticationHeaderValue, X509Certificate2 certificate, string issuerName)
        {
            if (revokeTokenParameter == null)
            {
                throw new ArgumentNullException(nameof(revokeTokenParameter));
            }

            if (string.IsNullOrWhiteSpace(revokeTokenParameter.Token))
            {
                throw new ArgumentNullException(nameof(revokeTokenParameter.Token));
            }

            // 1. Check the client credentials
            var errorMessage = string.Empty;
            var instruction  = CreateAuthenticateInstruction(revokeTokenParameter, authenticationHeaderValue, certificate);
            var authResult   = await _authenticateClient.AuthenticateAsync(instruction, issuerName);

            var client = authResult.Client;

            if (client == null)
            {
                throw new IdentityServerException(ErrorCodes.InvalidClient, authResult.ErrorMessage);
            }

            // 2. Retrieve the granted token & check if it exists
            GrantedToken grantedToken = await _tokenStore.GetAccessToken(revokeTokenParameter.Token);

            bool isAccessToken = true;

            if (grantedToken == null)
            {
                grantedToken = await _tokenStore.GetRefreshToken(revokeTokenParameter.Token);

                isAccessToken = false;
            }

            if (grantedToken == null)
            {
                throw new IdentityServerException(ErrorCodes.InvalidToken, ErrorDescriptions.TheTokenDoesntExist);
            }

            // 3. Verifies whether the token was issued to the client making the revocation request
            if (grantedToken.ClientId != client.ClientId)
            {
                throw new IdentityServerException(ErrorCodes.InvalidToken, string.Format(ErrorDescriptions.TheTokenHasNotBeenIssuedForTheGivenClientId, client.ClientId));
            }

            // 4. Invalid the granted token
            if (isAccessToken)
            {
                return(await _tokenStore.RemoveAccessToken(grantedToken.AccessToken));
            }

            return(await _tokenStore.RemoveRefreshToken(grantedToken.RefreshToken));
        }
Пример #9
0
        public async Task <bool> Execute(RevokeTokenParameter revokeTokenParameter, AuthenticationHeaderValue authenticationHeaderValue)
        {
            if (revokeTokenParameter == null)
            {
                throw new ArgumentNullException(nameof(revokeTokenParameter));
            }

            if (string.IsNullOrWhiteSpace(revokeTokenParameter.Token))
            {
                throw new ArgumentNullException(nameof(revokeTokenParameter.Token));
            }

            // 1. Check the client credentials
            var errorMessage = string.Empty;
            var instruction  = CreateAuthenticateInstruction(revokeTokenParameter,
                                                             authenticationHeaderValue);
            var authResult = await _authenticateClient.AuthenticateAsync(instruction);

            var client = authResult.Client;

            if (client == null)
            {
                client = await _clientRepository.GetClientByIdAsync(Constants.AnonymousClientId);

                if (client == null)
                {
                    throw new IdentityServerException(ErrorCodes.InternalError,
                                                      string.Format(ErrorDescriptions.ClientIsNotValid, Constants.AnonymousClientId));
                }
            }

            // 2. Retrieve the granted token & check if it exists
            GrantedToken grantedToken = await _grantedTokenRepository.GetTokenAsync(revokeTokenParameter.Token);

            if (grantedToken == null)
            {
                grantedToken = await _grantedTokenRepository.GetTokenByRefreshTokenAsync(revokeTokenParameter.Token);
            }

            if (grantedToken == null)
            {
                return(false);
            }

            // 3. Verifies whether the token was issued to the client making the revocation request
            if (grantedToken.ClientId != client.ClientId)
            {
                throw new IdentityServerException(ErrorCodes.InvalidToken, string.Format(ErrorDescriptions.TheTokenHasNotBeenIssuedForTheGivenClientId, client.ClientId));
            }

            // 4. Invalid the granted token
            return(await _grantedTokenRepository.DeleteAsync(grantedToken));
        }
Пример #10
0
        private AuthenticateInstruction CreateAuthenticateInstruction(
            RevokeTokenParameter revokeTokenParameter,
            AuthenticationHeaderValue authenticationHeaderValue)
        {
            var result = _authenticateInstructionGenerator.GetAuthenticateInstruction(authenticationHeaderValue);

            result.ClientAssertion                 = revokeTokenParameter.ClientAssertion;
            result.ClientAssertionType             = revokeTokenParameter.ClientAssertionType;
            result.ClientIdFromHttpRequestBody     = revokeTokenParameter.ClientId;
            result.ClientSecretFromHttpRequestBody = revokeTokenParameter.ClientSecret;
            return(result);
        }
Пример #11
0
        public async Task WhenClientDoesNotExistThenErrorIsReturned()
        {
            var parameter = new RevokeTokenParameter {
                Token = "access_token"
            };

            _clientStore.Setup(x => x.GetById(It.IsAny <string>(), It.IsAny <CancellationToken>()))
            .ReturnsAsync((Client)null);

            var error = await _revokeTokenAction.Execute(parameter, null, null, null, CancellationToken.None)
                        .ConfigureAwait(false) as Option.Error;

            Assert.Equal(ErrorCodes.InvalidClient, error.Details.Title);
        }
Пример #12
0
        public void Validate(RevokeTokenParameter parameter)
        {
            if (parameter == null)
            {
                throw new ArgumentNullException(nameof(parameter));
            }

            // Read this RFC for more information
            if (string.IsNullOrWhiteSpace(parameter.Token))
            {
                throw new IdentityServerException(
                          ErrorCodes.InvalidRequestCode,
                          string.Format(ErrorDescriptions.MissingParameter, Constants.IntrospectionRequestNames.Token));
            }
        }
Пример #13
0
        public async Task When_Client_Doesnt_Exist_Then_Exception_Is_Thrown()
        {
            // ARRANGE
            InitializeFakeObjects();
            var parameter = new RevokeTokenParameter
            {
                Token = "access_token"
            };

            _authenticateInstructionGeneratorStub.Setup(a => a.GetAuthenticateInstruction(It.IsAny <AuthenticationHeaderValue>()))
            .Returns(new AuthenticateInstruction());
            _authenticateClientStub.Setup(a => a.AuthenticateAsync(It.IsAny <AuthenticateInstruction>(), null, It.IsAny <bool>()))
            .Returns(() => Task.FromResult(new AuthenticationResult(null, null)));
            _clientRepositoryStub.Setup(c => c.GetClientByIdAsync(It.IsAny <string>()))
            .Returns(() => Task.FromResult((Client)null));

            // ACT & ASSERTS
            var exception = await Assert.ThrowsAsync <IdentityServerException>(() => _revokeTokenAction.Execute(parameter, null, null, null));

            Assert.NotNull(exception);
            Assert.True(exception.Code == ErrorCodes.InvalidClient);
        }
Пример #14
0
        public async Task When_Invalidating_Refresh_Token_Then_GrantedTokenChildren_Are_Removed()
        {
            var clientid     = "clientid";
            var clientsecret = "secret";
            var parent       = new GrantedToken {
                ClientId = clientid, RefreshToken = "refresh_token"
            };

            var parameter = new RevokeTokenParameter {
                Token = "refresh_token"
            };

            var client = new Client
            {
                ClientId = clientid,
                Secrets  = new[] { new ClientSecret {
                                       Type = ClientSecretTypes.SharedSecret, Value = clientsecret
                                   } }
            };

            _clientStore.Setup(x => x.GetById(It.IsAny <string>(), It.IsAny <CancellationToken>())).ReturnsAsync(client);

            _grantedTokenRepositoryStub.Setup(g => g.GetAccessToken(It.IsAny <string>(), It.IsAny <CancellationToken>()))
            .Returns(() => Task.FromResult((GrantedToken)null));
            _grantedTokenRepositoryStub.Setup(g => g.GetRefreshToken(It.IsAny <string>(), It.IsAny <CancellationToken>()))
            .ReturnsAsync(parent);
            _grantedTokenRepositoryStub
            .Setup(g => g.RemoveAccessToken(It.IsAny <string>(), It.IsAny <CancellationToken>()))
            .ReturnsAsync(true);

            var authenticationHeader = new AuthenticationHeaderValue(
                "Basic",
                $"{clientid}:{clientsecret}".Base64Encode());
            await _revokeTokenAction.Execute(parameter, authenticationHeader, null, null, CancellationToken.None)
            .ConfigureAwait(false);

            _grantedTokenRepositoryStub.Verify(
                g => g.RemoveRefreshToken(parent.RefreshToken, It.IsAny <CancellationToken>()));
        }
Пример #15
0
        public string GetPayload(RevokeTokenParameter parameter, AuthenticationHeaderValue authenticationHeaderValue)
        {
            if (parameter == null)
            {
                throw new ArgumentNullException(nameof(parameter));
            }

            var clientId = GetClientId(authenticationHeaderValue);

            if (string.IsNullOrWhiteSpace(clientId))
            {
                clientId = parameter.ClientId;
            }

            var result = new Payload
            {
                ClientId      = clientId,
                Authorization = BuildAuthHeader(authenticationHeaderValue),
                Content       = parameter
            };

            return(JsonConvert.SerializeObject(result));
        }
Пример #16
0
        public async Task When_Token_Doesnt_Exist_Then_False_Is_Returned()
        {
            // ARRANGE
            InitializeFakeObjects();
            var parameter = new RevokeTokenParameter
            {
                Token = "access_token"
            };

            _authenticateInstructionGeneratorStub.Setup(a => a.GetAuthenticateInstruction(It.IsAny <AuthenticationHeaderValue>()))
            .Returns(new AuthenticateInstruction());
            _authenticateClientStub.Setup(a => a.AuthenticateAsync(It.IsAny <AuthenticateInstruction>()))
            .Returns(() => Task.FromResult(new AuthenticationResult(new Client(), null)));
            _grantedTokenRepositoryStub.Setup(g => g.GetAccessToken(It.IsAny <string>()))
            .Returns(() => Task.FromResult((GrantedToken)null));
            _grantedTokenRepositoryStub.Setup(g => g.GetRefreshToken(It.IsAny <string>()))
            .Returns(() => Task.FromResult((GrantedToken)null));

            // ACT
            var result = await _revokeTokenAction.Execute(parameter, null);

            // ASSERT
            Assert.False(result);
        }