public async Task invalid_credentials_should_return_error()
{
var tokens = await GetTokensAsync();
(await IsAccessTokenValidAsync(tokens)).Should().BeTrue();
var revocationClient = new TokenRevocationClient(IdentityServerPipeline.RevocationEndpoint, client_id, "not_valid", _mockPipeline.Handler);
var result = await revocationClient.RevokeAccessTokenAsync(tokens.AccessToken);
result.IsError.Should().BeTrue();
result.Error.Should().Be("invalid_client");
}
public async Task Logout()
{
#region Revocation Token on Logout
// get the metadata
Console.WriteLine("ApplicationSettings.Authority" + ApplicationSettings.OpenIdConnectConfiguration.Authority);
var discoveryClient = new DiscoveryClient(ApplicationSettings.OpenIdConnectConfiguration.Authority);
var metaDataResponse = await discoveryClient.GetAsync();
Console.WriteLine(metaDataResponse.TokenEndpoint);
Console.WriteLine(metaDataResponse.StatusCode);
Console.WriteLine(metaDataResponse.Error);
// create a TokenRevocationClient
var revocationClient = new TokenRevocationClient(
metaDataResponse.RevocationEndpoint,
ApplicationSettings.OpenIdConnectConfiguration.ClientId,
ApplicationSettings.OpenIdConnectConfiguration.ClientSecret);
// get the access token to revoke
var accessToken = await HttpContext.GetTokenAsync(OpenIdConnectParameterNames.AccessToken);
if (!string.IsNullOrWhiteSpace(accessToken))
{
Console.WriteLine("Access Token:" + accessToken);
var revokeAccessTokenResponse =
await revocationClient.RevokeAccessTokenAsync(accessToken);
if (revokeAccessTokenResponse.IsError)
{
throw new Exception("Problem encountered while revoking the access token.", revokeAccessTokenResponse.Exception);
}
}
// revoke the refresh token as well
var refreshToken = await HttpContext.GetTokenAsync(OpenIdConnectParameterNames.RefreshToken);
if (!string.IsNullOrWhiteSpace(refreshToken))
{
var revokeRefreshTokenResponse =
await revocationClient.RevokeRefreshTokenAsync(refreshToken);
if (revokeRefreshTokenResponse.IsError)
{
throw new Exception("Problem encountered while revoking the refresh token.", revokeRefreshTokenResponse.Exception);
}
}
#endregion
}
public async Task Logout()
{
// get the metadata
var discoveryClient = new DiscoveryClient(_appConfiguration.GetValue <string>("QuantusIdpBaseUri"));
var metaDataResponse = await discoveryClient.GetAsync();
// create a TokenRevocationClient
var revocationClient = new TokenRevocationClient(
metaDataResponse.RevocationEndpoint,
"fittifyclient",
"secret");
// get the access token to revoke
var accessToken =
await AuthenticationHttpContextExtensions.GetTokenAsync(
_httpContextAccessor.HttpContext,
OpenIdConnectParameterNames.AccessToken);
if (!string.IsNullOrWhiteSpace(accessToken))
{
var revokeAccessTokenResponse =
await revocationClient.RevokeAccessTokenAsync(accessToken);
if (revokeAccessTokenResponse.IsError)
{
throw new OpenIdConnectException("Problem encountered while revoking the access token."
, revokeAccessTokenResponse.Exception);
}
}
// revoke the refresh token as well
var refreshToken =
await AuthenticationHttpContextExtensions.GetTokenAsync(
_httpContextAccessor.HttpContext,
OpenIdConnectParameterNames.RefreshToken);
if (!string.IsNullOrWhiteSpace(refreshToken))
{
var revokeRefreshTokenResponse =
await revocationClient.RevokeRefreshTokenAsync(refreshToken);
if (revokeRefreshTokenResponse.IsError)
{
throw new OpenIdConnectException("Problem encountered while revoking the refresh token."
, revokeRefreshTokenResponse.Exception);
}
}
await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme); // Logging out of client
await HttpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme); // Logging out of IDP
}
public async Task revoke_valid_access_token_should_return_success()
{
var tokens = await GetTokensAsync();
(await IsAccessTokenValidAsync(tokens)).Should().BeTrue();
var revocationClient = new TokenRevocationClient(IdentityServerPipeline.RevocationEndpoint, client_id, client_secret, _mockPipeline.Handler);
var result = await revocationClient.RevokeAccessTokenAsync(tokens.AccessToken);
result.IsError.Should().BeFalse();
(await IsAccessTokenValidAsync(tokens)).Should().BeFalse();
}
public async Task revoke_valid_refresh_token_should_return_success()
{
var tokens = await GetTokensAsync();
(await UseRefreshTokenAsync(tokens)).Should().BeTrue();
var revocationClient = new TokenRevocationClient(MockIdSvrUiPipeline.RevocationEndpoint, client_id, client_secret, _mockPipeline.Handler);
var result = await revocationClient.RevokeRefreshTokenAsync(tokens.RefreshToken);
result.IsError.Should().BeFalse();
(await UseRefreshTokenAsync(tokens)).Should().BeFalse();
}
protected async void OnSignoutButtonClicked(object sender, EventArgs e)
{
if (authState.RefreshToken == null && authState.AccessToken == null)
{
return;
}
var endpoint = await authState.GetRevocationEndpointAsync();
if (endpoint != null)
{
#if true
// Use custom HttpClientHandler for demonstration. (next 4 lines)
var handler = new HttpClientHandlerEx();
handler.BeforeRequestAsyncHooks += LogPage.HttpRequestLoggerAsync;
handler.AfterResponseAsyncHooks += LogPage.HttpResponseLoggerAsync;
var client = new TokenRevocationClient(endpoint, innerHttpMessageHandler: handler);
#else
// This is normal implementation.
var client = new TokenRevocationClient(endpoint);
#endif
var result = await client.RevokeAsync(new TokenRevocationRequest {
Token = authState.RefreshToken ?? authState.AccessToken
});
#if true
// Google Accounts will return an "invalid_token" error on HTTP 400, not HTTP 200,
// in response to a revocation request for a token that has already been revoked.
if (result.IsError && result.Error != "invalid_token")
{
#else
// This is normal implementation.
if (result.IsError)
{
#endif
#region // Write program to be executed when revoking authorization fails.
ShowAuthState();
ResultLabel.Text = StringResources.MsgAuthRevokeNg;
#endregion
return;
}
}
#region // Program to be executed when revoking authorization succeeds.
authState.Reset();
ShowAuthState();
ResultLabel.Text = StringResources.MsgAuthRevokeOk;
#endregion
}
public async Task Logout()
{
// get the metadata
var discoveryClient = new DiscoveryClient("https://localhost:44326/");
var metaDataResponse = await discoveryClient.GetAsync();
// create a TokenRevocationClient
var revocationClient = new TokenRevocationClient(
metaDataResponse.RevocationEndpoint,
"imagegalleryclient",
"secret");
// get the access token to revoke
var accessToken = await HttpContext
.GetTokenAsync(OpenIdConnectParameterNames.AccessToken);
if (!string.IsNullOrWhiteSpace(accessToken))
{
var revokeAccessTokenResponse =
await revocationClient.RevokeAccessTokenAsync(accessToken);
if (revokeAccessTokenResponse.IsError)
{
throw new Exception("Problem encountered while revoking the access token."
, revokeAccessTokenResponse.Exception);
}
}
// revoke the refresh token as well
var refreshToken = await HttpContext
.GetTokenAsync(OpenIdConnectParameterNames.RefreshToken);
if (!string.IsNullOrWhiteSpace(refreshToken))
{
var revokeRefreshTokenResponse =
await revocationClient.RevokeRefreshTokenAsync(refreshToken);
if (revokeRefreshTokenResponse.IsError)
{
throw new Exception("Problem encountered while revoking the refresh token."
, revokeRefreshTokenResponse.Exception);
}
}
// Clears the local cookie ("Cookies" must match name from scheme)
await HttpContext.SignOutAsync("Cookies");
await HttpContext.SignOutAsync("oidc");
}
private async Task RevokeAccessToken(TokenRevocationClient revocationClient)
{
var accessToken = await HttpContext.GetTokenAsync(OpenIdConnectParameterNames.AccessToken);
if (!string.IsNullOrWhiteSpace(accessToken))
{
var revokeAccessTokenResponse = await revocationClient.RevokeAccessTokenAsync(accessToken);
if (revokeAccessTokenResponse.IsError)
{
throw new Exception("Problem encountered while revoking the access token.", revokeAccessTokenResponse.Exception);
}
}
}
public async Task Logout()
{
var discoveryClient = new DiscoveryClient("https://localhost:5003/");
var metaDataResponse = await discoveryClient.GetAsync();
var revocationClient = new TokenRevocationClient(metaDataResponse.RevocationEndpoint, "imagegalleryclient", "secret");
await RevokeAccessToken(revocationClient);
await RevokeRefreshToken(revocationClient);
await HttpContext.SignOutAsync("Cookies");
await HttpContext.SignOutAsync("oidc");
}
public async Task Valid_protocol_response_should_be_handled_correctly()
{
var handler = new NetworkHandler(HttpStatusCode.OK, "ok");
var client = new TokenRevocationClient(
Endpoint,
"client",
innerHttpMessageHandler: handler);
var response = await client.RevokeAccessTokenAsync("token");
response.IsError.Should().BeFalse();
response.ErrorType.Should().Be(ResponseErrorType.None);
response.HttpStatusCode.Should().Be(HttpStatusCode.OK);
}
private async Task RevokeAccessToken(TokenRevocationClient revocationClient)
{
// Get the access token
var accessToken = await HttpContext.GetTokenAsync(OpenIdConnectParameterNames.AccessToken);
if (!string.IsNullOrWhiteSpace(accessToken))
{
// Revoke the access token
var revokeAccessTokenResponse = await revocationClient.RevokeAccessTokenAsync(accessToken);
if (revokeAccessTokenResponse.IsError)
{
throw new Exception("Error occurred during revocation of the access token", revokeAccessTokenResponse.Exception);
}
}
}
public async Task Exception_should_be_handled_correctly()
{
var handler = new NetworkHandler(new Exception("exception"));
var client = new TokenRevocationClient(
Endpoint,
"client",
innerHttpMessageHandler: handler);
var response = await client.RevokeAccessTokenAsync("token");
response.IsError.Should().BeTrue();
response.ErrorType.Should().Be(ResponseErrorType.Exception);
response.Error.Should().Be("exception");
response.Exception.Should().NotBeNull();
}
public async Task Valid_protocol_response_should_be_handled_correctly()
{
var handler = new NetworkHandler(HttpStatusCode.OK, "ok");
var client = new TokenRevocationClient(
Endpoint,
"client",
"clientsecret",
innerHttpMessageHandler: handler);
var response = await client.RevokeAccessTokenAsync("token");
Assert.AreEqual(false, response.IsError);
Assert.AreEqual(ResponseErrorType.None, response.ErrorType);
Assert.AreEqual(HttpStatusCode.OK, response.HttpStatusCode);
}
public static async Task RevokeAccessTokenAsync(this TokenRevocationClient revocationClient, HttpContext httpContext)
{
// get access token
var accessToken = await httpContext.GetTokenAsync(OpenIdConnectParameterNames.AccessToken);
if (!string.IsNullOrWhiteSpace(accessToken))
{
// revoke access token
var revokeAccessTokenResponse = await revocationClient.RevokeAccessTokenAsync(accessToken);
if (revokeAccessTokenResponse.IsError)
{
throw new Exception("Error occurred during revocation of access token", revokeAccessTokenResponse.Exception);
}
}
}
public async Task Exception_should_be_handled_correctly()
{
var handler = new NetworkHandler(HttpStatusCode.InternalServerError, "exception");
var client = new TokenRevocationClient(
Endpoint,
"client",
"clientsecret",
innerHttpMessageHandler: handler);
var response = await client.RevokeAccessTokenAsync("token");
Assert.AreEqual(true, response.IsError);
Assert.AreEqual(ResponseErrorType.Http, response.ErrorType);
Assert.IsNotNull(response.Error);
Assert.AreEqual("exception", response.Error);
}
private async Task RevokeRefreshToken(TokenRevocationClient revocationClient)
{
// get refresh token
var refreshToken = await HttpContext.GetTokenAsync(OpenIdConnectParameterNames.RefreshToken);
if (!string.IsNullOrWhiteSpace(refreshToken))
{
// revoke refresh token
var revokeRefreshTokenResponse = await revocationClient.RevokeRefreshTokenAsync(refreshToken);
if (revokeRefreshTokenResponse.IsError)
{
throw new Exception("Error occurred during revocation of refresh token", revokeRefreshTokenResponse.Exception);
}
}
}
public async Task Http_error_should_be_handled_correctly()
{
var handler = new NetworkHandler(HttpStatusCode.NotFound, "not found");
var client = new TokenRevocationClient(
Endpoint,
"client",
innerHttpMessageHandler: handler);
var response = await client.RevokeAccessTokenAsync("token");
response.IsError.Should().BeTrue();
response.ErrorType.Should().Be(ResponseErrorType.Http);
response.HttpStatusCode.Should().Be(HttpStatusCode.NotFound);
response.Error.Should().Be("not found");
}
public async Task Malformed_response_document_should_be_handled_correctly()
{
var document = "invalid";
var handler = new NetworkHandler(document, HttpStatusCode.BadRequest);
var client = new TokenRevocationClient(
Endpoint,
"client",
innerHttpMessageHandler: handler);
var response = await client.RevokeAccessTokenAsync("token");
response.IsError.Should().BeTrue();
response.ErrorType.Should().Be(ResponseErrorType.Exception);
response.Raw.Should().Be("invalid");
response.Exception.Should().NotBeNull();
}
public async Task Valid_protocol_error_should_be_handled_correctly()
{
var document = File.ReadAllText(FileName.Create("failure_token_revocation_response.json"));
var handler = new NetworkHandler(document, HttpStatusCode.BadRequest);
var client = new TokenRevocationClient(
Endpoint,
"client",
innerHttpMessageHandler: handler);
var response = await client.RevokeAccessTokenAsync("token");
response.IsError.Should().BeTrue();
response.ErrorType.Should().Be(ResponseErrorType.Protocol);
response.HttpStatusCode.Should().Be(HttpStatusCode.BadRequest);
response.Error.Should().Be("error");
}
public async Task Logout()
{
// get IDP metadata
var discoveryClient = new DiscoveryClient("https://localhost:44332/");
var metaData = await discoveryClient.GetAsync();
// create token revocation client
var revocationClient = new TokenRevocationClient(metaData.RevocationEndpoint,
"imagegalleryclient", "secret");
// get access token to revoke
var accessToken = await HttpContext
.GetTokenAsync(OpenIdConnectParameterNames.AccessToken);
if (!string.IsNullOrWhiteSpace(accessToken))
{
var revokeAccessTokenResponse = await revocationClient
.RevokeAccessTokenAsync(accessToken);
if (revokeAccessTokenResponse.IsError)
{
throw new Exception("Problem occured while revoking access token.",
revokeAccessTokenResponse.Exception);
}
}
// revoke refresh token
var refreshToken = await HttpContext
.GetTokenAsync(OpenIdConnectParameterNames.RefreshToken);
if (!string.IsNullOrWhiteSpace(refreshToken))
{
var revokeRefreshTokenResponse = await revocationClient
.RevokeRefreshTokenAsync(refreshToken);
if (revokeRefreshTokenResponse.IsError)
{
throw new Exception("Problem occured while revoking refresh token.",
revokeRefreshTokenResponse.Exception);
}
}
await HttpContext.SignOutAsync("Cookie"); // logout at client app level
await HttpContext.SignOutAsync("oidc"); // logout at IDP level
}
//[HttpGet(nameof(Logout))]
public async Task Logout()
{
// get the metadata
var discoveryClient = new DiscoveryClient(_configuration.GetSection("Applications")["IDP"]);
var metaDataResponse = await discoveryClient.GetAsync();
// get revocation client
var revocationClient = new TokenRevocationClient(metaDataResponse.RevocationEndpoint, "qsolverapi", "qsolverapisecret");
await RevokeAccessToken(revocationClient);
await RevokeRefreshToken(revocationClient);
// sign-out of authentication schemes
await HttpContext.SignOutAsync("Cookies");
await HttpContext.SignOutAsync("oidc");
}
public async Task Http_error_should_be_handled_correctly()
{
var handler = new NetworkHandler(HttpStatusCode.NotFound, "not found");
var client = new TokenRevocationClient(
Endpoint,
"client",
"clientsecret",
innerHttpMessageHandler: handler);
var response = await client.RevokeAccessTokenAsync("token");
Assert.AreEqual(true, response.IsError);
Assert.AreEqual(ResponseErrorType.Http, response.ErrorType);
Assert.AreEqual(HttpStatusCode.NotFound, response.HttpStatusCode);
Assert.AreEqual("not found", response.Error);
}
public async Task Logout()
{
// get the metadata
var discoveryClient = new DiscoveryClient("https://localhost:44373/");
var metaDataResponse = await discoveryClient.GetAsync();
// get revocation client
var revocationClient = new TokenRevocationClient(metaDataResponse.RevocationEndpoint, "imagegalleryclient", "ItsMySecret");
await RevokeAccessToken(revocationClient);
await RevokeRefreshToken(revocationClient);
// sign-out of authentication schemes
await HttpContext.SignOutAsync("Cookies");
await HttpContext.SignOutAsync("oidc");
}
public async Task Malformed_response_document_should_be_handled_correctly()
{
var document = "invalid";
var handler = new NetworkHandler(document, HttpStatusCode.BadRequest);
var client = new TokenRevocationClient(
Endpoint,
"client",
"clientsecret",
innerHttpMessageHandler: handler);
var response = await client.RevokeAccessTokenAsync("token");
Assert.AreEqual(true, response.IsError);
Assert.AreEqual(ResponseErrorType.Exception, response.ErrorType);
Assert.AreEqual("invalid", response.Raw);
Assert.IsNotNull(response.Exception);
}
public async Task Valid_protocol_error_should_be_handled_correctly()
{
var document = File.ReadAllText(Path.Combine(Directory.GetCurrentDirectory(), "Documents", "failure_token_revocation_response.json"));
var handler = new NetworkHandler(document, HttpStatusCode.BadRequest);
var client = new TokenRevocationClient(
Endpoint,
"client",
"clientsecret",
innerHttpMessageHandler: handler);
var response = await client.RevokeAccessTokenAsync("token");
Assert.AreEqual(true, response.IsError);
Assert.AreEqual(ResponseErrorType.Protocol, response.ErrorType);
Assert.AreEqual(HttpStatusCode.BadRequest, response.HttpStatusCode);
Assert.AreEqual("error", response.Error);
}
public async Task <ActionResult> RevokeRefreshToken()
{
var refreshToken = (User as ClaimsPrincipal).FindFirst("refresh_token").Value;
//Revoke Refresh token call
var revokeClient = new TokenRevocationClient(AppController.revocationEndpoint, clientid, clientsecret);
//Revoke refresh token
TokenRevocationResponse revokeAccessTokenResponse = await revokeClient.RevokeAccessTokenAsync(refreshToken);
if (revokeAccessTokenResponse.HttpStatusCode == HttpStatusCode.OK)
{
Session.Abandon();
Request.GetOwinContext().Authentication.SignOut();
}
//return RedirectToAction("Index");
return(RedirectToAction("Index"));
}
public async Task RevokeTokens()
{
// get the metadata
var discoveryClient = new DiscoveryClient("https://localhost:44379/");
var metaDataResponse = await discoveryClient.GetAsync();
// create a TokenRevocationClient
var revocationClient = new TokenRevocationClient(
metaDataResponse.RevocationEndpoint,
"samplewebclient",
"secret");
// get the access token to revoke
var accessToken = await HttpContext
.GetTokenAsync(OpenIdConnectParameterNames.AccessToken);
if (!string.IsNullOrWhiteSpace(accessToken))
{
var revokeAccessTokenResponse =
await revocationClient.RevokeAccessTokenAsync(accessToken);
if (revokeAccessTokenResponse.IsError)
{
throw new Exception("Problem encountered while revoking the access token."
, revokeAccessTokenResponse.Exception);
}
}
// revoke the refresh token as well
var refreshToken = await HttpContext
.GetTokenAsync(OpenIdConnectParameterNames.RefreshToken);
if (!string.IsNullOrWhiteSpace(refreshToken))
{
var revokeRefreshTokenResponse =
await revocationClient.RevokeRefreshTokenAsync(refreshToken);
if (revokeRefreshTokenResponse.IsError)
{
throw new Exception("Problem encountered while revoking the refresh token."
, revokeRefreshTokenResponse.Exception);
}
}
}
public async Task Logout()
{
//get the metadata
var discoveryClient = new DiscoveryClient("https://localhost:44364/");
var metaDataResponse = await discoveryClient.GetAsync();
//create a TokenRevocationClient
var revocationClient = new TokenRevocationClient(
metaDataResponse.RevocationEndpoint, "imagegalleryclient", "secret"
);
//get the ACCESS token to revoke
var accessToken = await HttpContext.GetTokenAsync(OpenIdConnectParameterNames.AccessToken);
if (!string.IsNullOrWhiteSpace(accessToken))
{
var revokeAccessTokenResponse = await revocationClient.RevokeAccessTokenAsync(accessToken);
if (revokeAccessTokenResponse.IsError)
{
throw new Exception("Problem encountered while revoking the access token.", revokeAccessTokenResponse.Exception);
}
}
//get the REFRESH token to revoke
var refreshToken = await HttpContext.GetTokenAsync(OpenIdConnectParameterNames.RefreshToken);
if (!string.IsNullOrWhiteSpace(refreshToken))
{
var revokeRefreshTokenResponse = await revocationClient.RevokeAccessTokenAsync(refreshToken);
if (revokeRefreshTokenResponse.IsError)
{
throw new Exception("Problem encountered while revoking the refresh token.", revokeRefreshTokenResponse.Exception);
}
}
//clear cookie - name must match
//this is loggin out of the client app but not from ths IDP
await HttpContext.SignOutAsync("Cookies");
//loogin out of IDP
await HttpContext.SignOutAsync("oidc");
}
public async Task Logout()
{
var discoveryClient = new DiscoveryClient(ImageGallery.Client.Consts.IdentityPointUri);
var discoveryDocument = await discoveryClient.GetAsync();
var revocationClient = new TokenRevocationClient(
discoveryDocument.RevocationEndpoint,
"imagegalleryclient",
"secret");
var accessToken =
await HttpContext.Authentication.GetTokenAsync(OpenIdConnectParameterNames.AccessToken);
if (!string.IsNullOrWhiteSpace(accessToken))
{
var response = await revocationClient.RevokeAccessTokenAsync(accessToken);
if (response.IsError)
{
throw new Exception("Problem encountered while revoking the access token",
response.Exception);
}
}
var refreshToken = await HttpContext.Authentication.GetTokenAsync(
OpenIdConnectParameterNames.RefreshToken);
if (!string.IsNullOrWhiteSpace(refreshToken))
{
var response = await revocationClient.RevokeRefreshTokenAsync(refreshToken);
if (response.IsError)
{
throw new Exception("Problem encountered while revoking the refresh token",
response.Exception);
}
}
await HttpContext.Authentication.SignOutAsync("oidc");
await HttpContext.Authentication.SignOutAsync("Cookies");
}
public async Task Valid_protocol_error_should_be_handled_correctly()
{
var document = File.ReadAllText(Path.Combine(PlatformServices.Default.Application.ApplicationBasePath, "documents", "failure_token_revocation_response.json"));
var handler = new NetworkHandler(document, HttpStatusCode.BadRequest);
var client = new TokenRevocationClient(
Endpoint,
"client",
innerHttpMessageHandler: handler);
var response = await client.RevokeAccessTokenAsync("token");
response.IsError.Should().BeTrue();
response.ErrorType.Should().Be(ResponseErrorType.Protocol);
response.HttpStatusCode.Should().Be(HttpStatusCode.BadRequest);
response.Error.Should().Be("error");
//response.ErrorDescription.Should().Be("error_description");
//response.TryGet("custom").Should().Be("custom");
}
