public async Task When_Token_Doesnt_Exist_Then_Exception_Is_Returned() { // ARRANGE InitializeFakeObjects(); var parameter = new RevokeTokenParameter { Token = "access_token" }; _authenticateInstructionGeneratorStub.Setup(a => a.GetAuthenticateInstruction(It.IsAny <AuthenticationHeaderValue>())) .Returns(new AuthenticateInstruction()); _authenticateClientStub.Setup(a => a.AuthenticateAsync(It.IsAny <AuthenticateInstruction>(), null, It.IsAny <bool>())) .Returns(() => Task.FromResult(new AuthenticationResult(new Client(), null))); _grantedTokenRepositoryStub.Setup(g => g.GetAccessToken(It.IsAny <string>())) .Returns(() => Task.FromResult((GrantedToken)null)); _grantedTokenRepositoryStub.Setup(g => g.GetRefreshToken(It.IsAny <string>())) .Returns(() => Task.FromResult((GrantedToken)null)); // ACT var result = await Assert.ThrowsAsync <IdentityServerException>(() => _revokeTokenAction.Execute(parameter, null, null, null)); // ASSERT Assert.NotNull(result); Assert.Equal("invalid_token", result.Code); }
public Task <bool> RevokeToken( RevokeTokenParameter revokeTokenParameter, AuthenticationHeaderValue authenticationHeaderValue) { if (revokeTokenParameter == null) { throw new ArgumentNullException(nameof(revokeTokenParameter)); } var processId = Guid.NewGuid().ToString(); try { _eventPublisher.Publish(new RevokeTokenReceived(Guid.NewGuid().ToString(), processId, _payloadSerializer.GetPayload(revokeTokenParameter, authenticationHeaderValue), authenticationHeaderValue, 0)); _simpleIdentityServerEventSource.StartRevokeToken(revokeTokenParameter.Token); var result = _revokeTokenAction.Execute(revokeTokenParameter, authenticationHeaderValue); _simpleIdentityServerEventSource.EndRevokeToken(revokeTokenParameter.Token); _eventPublisher.Publish(new TokenRevoked(Guid.NewGuid().ToString(), processId, 1)); return(result); } catch (IdentityServerException ex) { _eventPublisher.Publish(new OpenIdErrorReceived(Guid.NewGuid().ToString(), processId, ex.Code, ex.Message, 1)); throw; } }
public async Task When_Invalidating_Access_Token_Then_GrantedToken_Is_Removed() { // ARRANGE InitializeFakeObjects(); var grantedToken = new GrantedToken { AccessToken = "access_token" }; var parameter = new RevokeTokenParameter { Token = "access_token" }; _authenticateInstructionGeneratorStub.Setup(a => a.GetAuthenticateInstruction(It.IsAny <AuthenticationHeaderValue>())) .Returns(new AuthenticateInstruction()); _authenticateClientStub.Setup(a => a.AuthenticateAsync(It.IsAny <AuthenticateInstruction>(), null, It.IsAny <bool>())) .Returns(() => Task.FromResult(new AuthenticationResult(new Client(), null))); _grantedTokenRepositoryStub.Setup(g => g.GetAccessToken(It.IsAny <string>())) .Returns(Task.FromResult(grantedToken)); _grantedTokenRepositoryStub.Setup(g => g.GetRefreshToken(It.IsAny <string>())) .Returns(() => Task.FromResult((GrantedToken)null)); _grantedTokenRepositoryStub.Setup(g => g.RemoveAccessToken(It.IsAny <string>())) .Returns(Task.FromResult(true)); // ACT await _revokeTokenAction.Execute(parameter, null, null, null); // ASSERTS _grantedTokenRepositoryStub.Verify(g => g.RemoveAccessToken(grantedToken.AccessToken)); }
public async Task When_Invalidating_Refresh_Token_Then_GrantedTokenChildren_Are_Removed() { // ARRANGE InitializeFakeObjects(); var parent = new GrantedToken { RefreshToken = "refresh_token" }; var child = new GrantedToken { ParentTokenId = "refresh_token", AccessToken = "access_token_child" }; var parameter = new RevokeTokenParameter { Token = "refresh_token" }; _authenticateInstructionGeneratorStub.Setup(a => a.GetAuthenticateInstruction(It.IsAny <AuthenticationHeaderValue>())) .Returns(new AuthenticateInstruction()); _authenticateClientStub.Setup(a => a.AuthenticateAsync(It.IsAny <AuthenticateInstruction>())) .Returns(() => Task.FromResult(new AuthenticationResult(new Core.Common.Models.Client(), null))); _grantedTokenRepositoryStub.Setup(g => g.GetAccessToken(It.IsAny <string>())) .Returns(() => Task.FromResult((GrantedToken)null)); _grantedTokenRepositoryStub.Setup(g => g.GetRefreshToken(It.IsAny <string>())) .Returns(Task.FromResult(parent)); _grantedTokenRepositoryStub.Setup(g => g.RemoveAccessToken(It.IsAny <string>())) .Returns(Task.FromResult(true)); // ACT await _revokeTokenAction.Execute(parameter, null); // ASSERTS _grantedTokenRepositoryStub.Verify(g => g.RemoveRefreshToken(parent.RefreshToken)); }
public async Task When_Token_Does_Not_Exist_Then_Exception_Is_Returned() { var clientid = "clientid"; var clientsecret = "secret"; var parameter = new RevokeTokenParameter { Token = "access_token" }; var client = new Client { ClientId = clientid, Secrets = new[] { new ClientSecret { Type = ClientSecretTypes.SharedSecret, Value = clientsecret } } }; _clientStore.Setup(x => x.GetById(It.IsAny <string>(), It.IsAny <CancellationToken>())).ReturnsAsync(client); _grantedTokenRepositoryStub.Setup(g => g.GetAccessToken(It.IsAny <string>(), It.IsAny <CancellationToken>())) .Returns(() => Task.FromResult((GrantedToken)null)); _grantedTokenRepositoryStub.Setup(g => g.GetRefreshToken(It.IsAny <string>(), It.IsAny <CancellationToken>())) .Returns(() => Task.FromResult((GrantedToken)null)); var authenticationHeader = new AuthenticationHeaderValue( "Basic", $"{clientid}:{clientsecret}".Base64Encode()); var result = await _revokeTokenAction.Execute( parameter, authenticationHeader, null, null, CancellationToken.None) .ConfigureAwait(false) as Option.Error; Assert.Equal("invalid_token", result.Details.Title); }
public async Task <Option> Execute( RevokeTokenParameter revokeTokenParameter, AuthenticationHeaderValue?authenticationHeaderValue, X509Certificate2?certificate, string issuerName, CancellationToken cancellationToken) { var refreshToken = revokeTokenParameter.Token; if (refreshToken == null) { _logger.LogError(Strings.TheRefreshTokenIsNotValid); return(new ErrorDetails { Detail = Strings.TheRefreshTokenIsNotValid, Status = HttpStatusCode.BadRequest, Title = ErrorCodes.InvalidToken }); } // 1. Check the client credentials var instruction = authenticationHeaderValue.GetAuthenticateInstruction(revokeTokenParameter, certificate); var authResult = await _authenticateClient.Authenticate(instruction, issuerName, cancellationToken) .ConfigureAwait(false); var client = authResult.Client; if (client == null) { _logger.LogError(authResult.ErrorMessage); return(new ErrorDetails { Detail = authResult.ErrorMessage !, Status = HttpStatusCode.BadRequest, Title = ErrorCodes.InvalidClient });
public RevokeTokenReceived(string id, string processId, RevokeTokenParameter parameter, AuthenticationHeaderValue authHeader, int order) { Id = id; ProcessId = processId; Parameter = parameter; Order = order; AuthHeader = authHeader; }
public async Task <bool> Execute(RevokeTokenParameter revokeTokenParameter, AuthenticationHeaderValue authenticationHeaderValue, X509Certificate2 certificate, string issuerName) { if (revokeTokenParameter == null) { throw new ArgumentNullException(nameof(revokeTokenParameter)); } if (string.IsNullOrWhiteSpace(revokeTokenParameter.Token)) { throw new ArgumentNullException(nameof(revokeTokenParameter.Token)); } // 1. Check the client credentials var errorMessage = string.Empty; var instruction = CreateAuthenticateInstruction(revokeTokenParameter, authenticationHeaderValue, certificate); var authResult = await _authenticateClient.AuthenticateAsync(instruction, issuerName); var client = authResult.Client; if (client == null) { throw new IdentityServerException(ErrorCodes.InvalidClient, authResult.ErrorMessage); } // 2. Retrieve the granted token & check if it exists GrantedToken grantedToken = await _tokenStore.GetAccessToken(revokeTokenParameter.Token); bool isAccessToken = true; if (grantedToken == null) { grantedToken = await _tokenStore.GetRefreshToken(revokeTokenParameter.Token); isAccessToken = false; } if (grantedToken == null) { throw new IdentityServerException(ErrorCodes.InvalidToken, ErrorDescriptions.TheTokenDoesntExist); } // 3. Verifies whether the token was issued to the client making the revocation request if (grantedToken.ClientId != client.ClientId) { throw new IdentityServerException(ErrorCodes.InvalidToken, string.Format(ErrorDescriptions.TheTokenHasNotBeenIssuedForTheGivenClientId, client.ClientId)); } // 4. Invalid the granted token if (isAccessToken) { return(await _tokenStore.RemoveAccessToken(grantedToken.AccessToken)); } return(await _tokenStore.RemoveRefreshToken(grantedToken.RefreshToken)); }
public async Task <bool> Execute(RevokeTokenParameter revokeTokenParameter, AuthenticationHeaderValue authenticationHeaderValue) { if (revokeTokenParameter == null) { throw new ArgumentNullException(nameof(revokeTokenParameter)); } if (string.IsNullOrWhiteSpace(revokeTokenParameter.Token)) { throw new ArgumentNullException(nameof(revokeTokenParameter.Token)); } // 1. Check the client credentials var errorMessage = string.Empty; var instruction = CreateAuthenticateInstruction(revokeTokenParameter, authenticationHeaderValue); var authResult = await _authenticateClient.AuthenticateAsync(instruction); var client = authResult.Client; if (client == null) { client = await _clientRepository.GetClientByIdAsync(Constants.AnonymousClientId); if (client == null) { throw new IdentityServerException(ErrorCodes.InternalError, string.Format(ErrorDescriptions.ClientIsNotValid, Constants.AnonymousClientId)); } } // 2. Retrieve the granted token & check if it exists GrantedToken grantedToken = await _grantedTokenRepository.GetTokenAsync(revokeTokenParameter.Token); if (grantedToken == null) { grantedToken = await _grantedTokenRepository.GetTokenByRefreshTokenAsync(revokeTokenParameter.Token); } if (grantedToken == null) { return(false); } // 3. Verifies whether the token was issued to the client making the revocation request if (grantedToken.ClientId != client.ClientId) { throw new IdentityServerException(ErrorCodes.InvalidToken, string.Format(ErrorDescriptions.TheTokenHasNotBeenIssuedForTheGivenClientId, client.ClientId)); } // 4. Invalid the granted token return(await _grantedTokenRepository.DeleteAsync(grantedToken)); }
private AuthenticateInstruction CreateAuthenticateInstruction( RevokeTokenParameter revokeTokenParameter, AuthenticationHeaderValue authenticationHeaderValue) { var result = _authenticateInstructionGenerator.GetAuthenticateInstruction(authenticationHeaderValue); result.ClientAssertion = revokeTokenParameter.ClientAssertion; result.ClientAssertionType = revokeTokenParameter.ClientAssertionType; result.ClientIdFromHttpRequestBody = revokeTokenParameter.ClientId; result.ClientSecretFromHttpRequestBody = revokeTokenParameter.ClientSecret; return(result); }
public async Task WhenClientDoesNotExistThenErrorIsReturned() { var parameter = new RevokeTokenParameter { Token = "access_token" }; _clientStore.Setup(x => x.GetById(It.IsAny <string>(), It.IsAny <CancellationToken>())) .ReturnsAsync((Client)null); var error = await _revokeTokenAction.Execute(parameter, null, null, null, CancellationToken.None) .ConfigureAwait(false) as Option.Error; Assert.Equal(ErrorCodes.InvalidClient, error.Details.Title); }
public void Validate(RevokeTokenParameter parameter) { if (parameter == null) { throw new ArgumentNullException(nameof(parameter)); } // Read this RFC for more information if (string.IsNullOrWhiteSpace(parameter.Token)) { throw new IdentityServerException( ErrorCodes.InvalidRequestCode, string.Format(ErrorDescriptions.MissingParameter, Constants.IntrospectionRequestNames.Token)); } }
public async Task When_Client_Doesnt_Exist_Then_Exception_Is_Thrown() { // ARRANGE InitializeFakeObjects(); var parameter = new RevokeTokenParameter { Token = "access_token" }; _authenticateInstructionGeneratorStub.Setup(a => a.GetAuthenticateInstruction(It.IsAny <AuthenticationHeaderValue>())) .Returns(new AuthenticateInstruction()); _authenticateClientStub.Setup(a => a.AuthenticateAsync(It.IsAny <AuthenticateInstruction>(), null, It.IsAny <bool>())) .Returns(() => Task.FromResult(new AuthenticationResult(null, null))); _clientRepositoryStub.Setup(c => c.GetClientByIdAsync(It.IsAny <string>())) .Returns(() => Task.FromResult((Client)null)); // ACT & ASSERTS var exception = await Assert.ThrowsAsync <IdentityServerException>(() => _revokeTokenAction.Execute(parameter, null, null, null)); Assert.NotNull(exception); Assert.True(exception.Code == ErrorCodes.InvalidClient); }
public async Task When_Invalidating_Refresh_Token_Then_GrantedTokenChildren_Are_Removed() { var clientid = "clientid"; var clientsecret = "secret"; var parent = new GrantedToken { ClientId = clientid, RefreshToken = "refresh_token" }; var parameter = new RevokeTokenParameter { Token = "refresh_token" }; var client = new Client { ClientId = clientid, Secrets = new[] { new ClientSecret { Type = ClientSecretTypes.SharedSecret, Value = clientsecret } } }; _clientStore.Setup(x => x.GetById(It.IsAny <string>(), It.IsAny <CancellationToken>())).ReturnsAsync(client); _grantedTokenRepositoryStub.Setup(g => g.GetAccessToken(It.IsAny <string>(), It.IsAny <CancellationToken>())) .Returns(() => Task.FromResult((GrantedToken)null)); _grantedTokenRepositoryStub.Setup(g => g.GetRefreshToken(It.IsAny <string>(), It.IsAny <CancellationToken>())) .ReturnsAsync(parent); _grantedTokenRepositoryStub .Setup(g => g.RemoveAccessToken(It.IsAny <string>(), It.IsAny <CancellationToken>())) .ReturnsAsync(true); var authenticationHeader = new AuthenticationHeaderValue( "Basic", $"{clientid}:{clientsecret}".Base64Encode()); await _revokeTokenAction.Execute(parameter, authenticationHeader, null, null, CancellationToken.None) .ConfigureAwait(false); _grantedTokenRepositoryStub.Verify( g => g.RemoveRefreshToken(parent.RefreshToken, It.IsAny <CancellationToken>())); }
public string GetPayload(RevokeTokenParameter parameter, AuthenticationHeaderValue authenticationHeaderValue) { if (parameter == null) { throw new ArgumentNullException(nameof(parameter)); } var clientId = GetClientId(authenticationHeaderValue); if (string.IsNullOrWhiteSpace(clientId)) { clientId = parameter.ClientId; } var result = new Payload { ClientId = clientId, Authorization = BuildAuthHeader(authenticationHeaderValue), Content = parameter }; return(JsonConvert.SerializeObject(result)); }
public async Task When_Token_Doesnt_Exist_Then_False_Is_Returned() { // ARRANGE InitializeFakeObjects(); var parameter = new RevokeTokenParameter { Token = "access_token" }; _authenticateInstructionGeneratorStub.Setup(a => a.GetAuthenticateInstruction(It.IsAny <AuthenticationHeaderValue>())) .Returns(new AuthenticateInstruction()); _authenticateClientStub.Setup(a => a.AuthenticateAsync(It.IsAny <AuthenticateInstruction>())) .Returns(() => Task.FromResult(new AuthenticationResult(new Client(), null))); _grantedTokenRepositoryStub.Setup(g => g.GetAccessToken(It.IsAny <string>())) .Returns(() => Task.FromResult((GrantedToken)null)); _grantedTokenRepositoryStub.Setup(g => g.GetRefreshToken(It.IsAny <string>())) .Returns(() => Task.FromResult((GrantedToken)null)); // ACT var result = await _revokeTokenAction.Execute(parameter, null); // ASSERT Assert.False(result); }