/// <summary>
/// Validates a reference (opaque) access token by resolving its handle through the grant store.
/// </summary>
/// <param name="tokenHandle">The opaque handle presented by the caller.</param>
/// <returns>
/// A failed <see cref="TokenValidationResult"/> with <c>ProtectedResourceErrors.InvalidToken</c> when the handle
/// is unknown or the issuing client cannot be found enabled, <c>ProtectedResourceErrors.ExpiredToken</c> when the
/// token's lifetime has elapsed (the handle is removed from the store in that case), otherwise a successful
/// result carrying the client, the claims derived from the token and the reference token itself.
/// </returns>
private async Task<TokenValidationResult> ValidateReferenceAccessTokenAsync(string tokenHandle)
{
    // NOTE(review): the raw handle is copied into the validation log object. The handle is the bearer
    // credential itself, so confirm the log sink does not persist it at production log levels.
    _log.TokenHandle = tokenHandle;

    var referenceToken = await _grants.GetReferenceTokenAsync(tokenHandle);
    if (referenceToken == null)
    {
        LogError("Token handle not found in token handle store.");
        return Invalid(OidcConstants.ProtectedResourceErrors.InvalidToken);
    }

    // TODO: review — the check that the resolved token is actually an access token
    // (token.Type == OidcConstants.TokenTypes.AccessToken, removing the handle otherwise) is currently disabled.

    var expiresAt = referenceToken.CreationTime.AddSeconds(referenceToken.Lifetime);
    if (DateTimeHelper.UtcNow >= expiresAt)
    {
        LogError("Token expired.");
        // an expired handle is removed from the store as soon as it is presented
        await _grants.RemoveReferenceTokenAsync(tokenHandle);
        return Invalid(OidcConstants.ProtectedResourceErrors.ExpiredToken);
    }

    // the token is only accepted while the client recorded in it can still be found as an enabled client
    var issuingClient = referenceToken.ClientId == null
        ? null
        : await _clients.FindEnabledClientByIdAsync(referenceToken.ClientId);
    if (issuingClient == null)
    {
        LogError($"Client deleted or disabled: {referenceToken.ClientId}");
        return Invalid(OidcConstants.ProtectedResourceErrors.InvalidToken);
    }

    return new TokenValidationResult
    {
        IsError = false,
        Client = issuingClient,
        Claims = ReferenceTokenToClaims(referenceToken),
        ReferenceToken = referenceToken,
        ReferenceTokenId = tokenHandle
    };
}
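/// <summary>
/// Revokes a reference access token, but only when the handle belongs to the client making the request.
/// </summary>
/// <param name="handle">The reference token handle to revoke.</param>
/// <param name="client">The authenticated client issuing the revocation request.</param>
/// <returns>
/// <c>true</c> when a token with that handle exists in the store, whether or not it was revoked;
/// <c>false</c> when no such token is stored. A foreign token yields <c>true</c> as well (kept from the
/// original behaviour; presumably so the response does not reveal which client owns the handle).
/// </returns>
/// <exception cref="System.ArgumentNullException"><paramref name="client"/> is <c>null</c>.</exception>
private async Task<bool> RevokeAccessTokenAsync(string handle, Client client)
{
    if (client == null)
    {
        throw new System.ArgumentNullException(nameof(client));
    }

    var token = await _grants.GetReferenceTokenAsync(handle);
    if (token == null)
    {
        return false;
    }

    if (token.ClientId == client.ClientId)
    {
        _logger.LogDebug("Access token revoked");
        await _grants.RemoveReferenceTokenAsync(handle);
        return true;
    }

    // A client must not be able to revoke another client's token. The previous code passed a
    // structured-logging template through string.Format, which throws FormatException on the named
    // placeholders, so this branch never logged or raised its event. Keep the template for the
    // logger (values stay out of the message text) and build a plain string for the failure event.
    _logger.LogWarning(
        "Client {clientId} tried to revoke an access token belonging to a different client: {ownerClientId}",
        client.ClientId,
        token.ClientId);
    await RaiseFailureEventAsync(
        $"Client {client.ClientId} tried to revoke an access token belonging to a different client: {token.ClientId}");

    return true;
}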