/// <summary>
/// A refresh token whose lifetime has already elapsed must be rejected with
/// <c>invalid_grant</c> rather than being renewed.
/// </summary>
public async Task Expired_RefreshToken()
{
    // 10 second lifetime, created 15 seconds ago: already past its expiry.
    var expiredToken = new RefreshToken
    {
        AccessToken = new Token("access_token")
        {
            Client = new Client { ClientId = "roclient" }
        },
        LifeTime = 10,
        CreationTime = DateTimeOffset.UtcNow.AddSeconds(-15)
    };

    var tokenHandle = Guid.NewGuid().ToString();
    var tokenStore = new InMemoryRefreshTokenStore();
    await tokenStore.StoreAsync(tokenHandle, expiredToken);

    var request = new NameValueCollection
    {
        { Constants.TokenRequest.GrantType, "refresh_token" },
        { Constants.TokenRequest.RefreshToken, tokenHandle }
    };

    var roClient = await _clients.FindClientByIdAsync("roclient");
    var validator = Factory.CreateTokenRequestValidator(refreshTokens: tokenStore);
    var result = await validator.ValidateRequestAsync(request, roClient);

    // the request fails, and with the grant-specific error code
    result.IsError.Should().BeTrue();
    result.Error.Should().Be(Constants.TokenErrors.InvalidGrant);
}
/// <summary>
/// Builds a <see cref="TokenRequestValidator"/> for tests, substituting an in-memory or
/// test double for every collaborator the caller leaves <c>null</c>.
/// </summary>
/// <param name="options">Server options; defaults to <c>TestIdentityServerOptions.Create()</c>.</param>
/// <param name="scopes">Scope store; defaults to an in-memory store seeded from <c>TestScopes.Get()</c>.</param>
/// <param name="authorizationCodeStore">Passed through as given, including <c>null</c> (no default is supplied).</param>
/// <param name="refreshTokens">Refresh token store; defaults to an empty in-memory store.</param>
/// <param name="userService">User service; defaults to <c>TestUserService</c>.</param>
/// <param name="customGrantValidator">Defaults to <c>TestGrantValidator</c>.</param>
/// <param name="customRequestValidator">Defaults to <c>DefaultCustomRequestValidator</c>.</param>
/// <param name="scopeValidator">Defaults to a <see cref="ScopeValidator"/> over the (possibly defaulted) scope store.</param>
/// <param name="environment">OWIN environment; defaults to an empty dictionary.</param>
/// <returns>A fully wired validator.</returns>
public static TokenRequestValidator CreateTokenRequestValidator(
    IdentityServerOptions options = null,
    IScopeStore scopes = null,
    IAuthorizationCodeStore authorizationCodeStore = null,
    IRefreshTokenStore refreshTokens = null,
    IUserService userService = null,
    ICustomGrantValidator customGrantValidator = null,
    ICustomRequestValidator customRequestValidator = null,
    ScopeValidator scopeValidator = null,
    IDictionary<string, object> environment = null)
{
    options = options ?? TestIdentityServerOptions.Create();
    scopes = scopes ?? new InMemoryScopeStore(TestScopes.Get());
    userService = userService ?? new TestUserService();
    customRequestValidator = customRequestValidator ?? new DefaultCustomRequestValidator();
    customGrantValidator = customGrantValidator ?? new TestGrantValidator();
    refreshTokens = refreshTokens ?? new InMemoryRefreshTokenStore();
    // must come after the scope store default so the validator sees the same store
    scopeValidator = scopeValidator ?? new ScopeValidator(scopes);

    var owinContext = new OwinContext(environment ?? new Dictionary<string, object>());

    return new TokenRequestValidator(
        options,
        authorizationCodeStore,
        refreshTokens,
        userService,
        scopes,
        customGrantValidator,
        customRequestValidator,
        scopeValidator,
        owinContext);
}
/// <summary>
/// A refresh token handle that is not present in the store must be rejected with
/// <c>invalid_grant</c>.
/// </summary>
public async Task Non_existing_RefreshToken()
{
    // nothing is ever stored here, so no handle can match
    var emptyStore = new InMemoryRefreshTokenStore();

    var request = new NameValueCollection
    {
        { Constants.TokenRequest.GrantType, "refresh_token" },
        { Constants.TokenRequest.RefreshToken, "nonexistent" }
    };

    var roClient = await _clients.FindClientByIdAsync("roclient");
    var validator = Factory.CreateTokenRequestValidator(refreshTokens: emptyStore);
    var result = await validator.ValidateRequestAsync(request, roClient);

    result.IsError.Should().BeTrue();
    result.Error.Should().Be(Constants.TokenErrors.InvalidGrant);
}
/// <summary>
/// Builds a <see cref="TokenRequestValidator"/> for tests, filling every collaborator the
/// caller leaves <c>null</c> with an in-memory or test implementation.
/// </summary>
/// <param name="options">Defaults to <c>Thinktecture.IdentityServer.Tests.TestIdentityServerOptions.Create()</c>.</param>
/// <param name="scopes">Defaults to an in-memory scope store seeded from <c>TestScopes.Get()</c>.</param>
/// <param name="authorizationCodeStore">Passed through unchanged; no default is supplied.</param>
/// <param name="refreshTokens">Defaults to an empty in-memory refresh token store.</param>
/// <param name="userService">Defaults to <c>TestUserService</c>.</param>
/// <param name="assertionGrantValidator">Defaults to <c>TestAssertionValidator</c>.</param>
/// <param name="customRequestValidator">Defaults to <c>DefaultCustomRequestValidator</c>.</param>
/// <returns>A fully wired validator.</returns>
public static TokenRequestValidator CreateTokenValidator(
    IdentityServerOptions options = null,
    IScopeStore scopes = null,
    IAuthorizationCodeStore authorizationCodeStore = null,
    IRefreshTokenStore refreshTokens = null,
    IUserService userService = null,
    IAssertionGrantValidator assertionGrantValidator = null,
    ICustomRequestValidator customRequestValidator = null)
{
    options = options ?? Thinktecture.IdentityServer.Tests.TestIdentityServerOptions.Create();
    scopes = scopes ?? new InMemoryScopeStore(TestScopes.Get());
    userService = userService ?? new TestUserService();
    customRequestValidator = customRequestValidator ?? new DefaultCustomRequestValidator();
    assertionGrantValidator = assertionGrantValidator ?? new TestAssertionValidator();
    refreshTokens = refreshTokens ?? new InMemoryRefreshTokenStore();

    return new TokenRequestValidator(
        options,
        authorizationCodeStore,
        refreshTokens,
        userService,
        scopes,
        assertionGrantValidator,
        customRequestValidator);
}
/// <summary>
/// Builds a <see cref="TokenRequestValidator"/> for tests, filling every collaborator the
/// caller leaves <c>null</c> with an in-memory or test implementation.
/// </summary>
/// <param name="settings">Defaults to <c>TestSettings</c>.</param>
/// <param name="scopes">Defaults to an in-memory scope service seeded from <c>TestScopes.Get()</c>.</param>
/// <param name="authorizationCodeStore">Passed through unchanged; no default is supplied.</param>
/// <param name="refreshTokens">Defaults to an empty in-memory refresh token store.</param>
/// <param name="userService">Defaults to <c>TestUserService</c>.</param>
/// <param name="assertionGrantValidator">Defaults to <c>TestAssertionValidator</c>.</param>
/// <param name="customRequestValidator">Defaults to <c>DefaultCustomRequestValidator</c>.</param>
/// <returns>A fully wired validator.</returns>
public static TokenRequestValidator CreateTokenValidator(
    CoreSettings settings = null,
    IScopeService scopes = null,
    IAuthorizationCodeStore authorizationCodeStore = null,
    IRefreshTokenStore refreshTokens = null,
    IUserService userService = null,
    IAssertionGrantValidator assertionGrantValidator = null,
    ICustomRequestValidator customRequestValidator = null)
{
    settings = settings ?? new TestSettings();
    scopes = scopes ?? new InMemoryScopeService(TestScopes.Get());
    userService = userService ?? new TestUserService();
    customRequestValidator = customRequestValidator ?? new DefaultCustomRequestValidator();
    assertionGrantValidator = assertionGrantValidator ?? new TestAssertionValidator();
    refreshTokens = refreshTokens ?? new InMemoryRefreshTokenStore();

    return new TokenRequestValidator(
        settings,
        authorizationCodeStore,
        refreshTokens,
        userService,
        scopes,
        assertionGrantValidator,
        customRequestValidator);
}
/// <summary>
/// Creating a refresh token for a client configured with sliding expiration stores a
/// token bound to that client and carrying the client's sliding lifetime.
/// </summary>
public async Task Create_Refresh_Token_Sliding_Lifetime()
{
    var tokenStore = new InMemoryRefreshTokenStore();
    var refreshTokenService = new DefaultRefreshTokenService(tokenStore);

    var slidingClient = await _clients.FindClientByIdAsync("roclient_sliding_refresh_expiration_one_time_only");
    var accessToken = TokenFactory.CreateAccessToken(slidingClient.ClientId, "valid", 60, "read", "write");

    var issuedHandle = await refreshTokenService.CreateRefreshTokenAsync(accessToken, slidingClient);

    // a handle must be handed back ...
    string.IsNullOrWhiteSpace(issuedHandle).Should().BeFalse();

    // ... and it must resolve to a token in the store
    var storedToken = await tokenStore.GetAsync(issuedHandle);
    storedToken.Should().NotBeNull();

    // the stored token belongs to the requesting client and uses its sliding lifetime
    slidingClient.ClientId.Should().Be(storedToken.ClientId);
    slidingClient.SlidingRefreshTokenLifetime.Should().Be(storedToken.LifeTime);
}
/// <summary>
/// A refresh token issued to a restricted client that is allowed to refresh is accepted,
/// given that the user service reports the subject as still active.
/// </summary>
public async Task Valid_RefreshToken_Request_using_Restricted_Client()
{
    // every subject is reported as active, so the user check cannot be the reason for a failure
    var activeUsers = new Mock<IUserService>();
    activeUsers.Setup(u => u.IsActiveAsync(It.IsAny<ClaimsPrincipal>())).Returns(Task.FromResult(true));

    var tokenHandle = Guid.NewGuid().ToString();
    var tokenStore = new InMemoryRefreshTokenStore();
    await tokenStore.StoreAsync(tokenHandle, new RefreshToken
    {
        AccessToken = new Token("access_token")
        {
            Claims = new List<Claim> { new Claim(Constants.ClaimTypes.Subject, "foo") },
            Client = new Client { ClientId = "roclient_restricted_refresh" }
        },
        LifeTime = 600,
        CreationTime = DateTimeOffset.UtcNow
    });

    var request = new NameValueCollection
    {
        { Constants.TokenRequest.GrantType, "refresh_token" },
        { Constants.TokenRequest.RefreshToken, tokenHandle }
    };

    var restrictedClient = await _clients.FindClientByIdAsync("roclient_restricted_refresh");
    var validator = Factory.CreateTokenRequestValidator(refreshTokens: tokenStore, userService: activeUsers.Object);
    var result = await validator.ValidateRequestAsync(request, restrictedClient);

    result.IsError.Should().BeFalse();
}
/// <summary>
/// Builds a <see cref="TokenRequestValidator"/> for tests, substituting an in-memory or
/// test double for every collaborator the caller leaves <c>null</c>. A fresh
/// <c>DefaultEventService</c> is always used.
/// </summary>
/// <param name="options">Defaults to <c>TestIdentityServerOptions.Create()</c>.</param>
/// <param name="scopes">Defaults to an in-memory scope store seeded from <c>TestScopes.Get()</c>.</param>
/// <param name="authorizationCodeStore">Passed through as given, including <c>null</c>.</param>
/// <param name="refreshTokens">Defaults to an empty in-memory refresh token store.</param>
/// <param name="userService">Defaults to <c>TestUserService</c>.</param>
/// <param name="customGrantValidator">Defaults to <c>TestGrantValidator</c>.</param>
/// <param name="customRequestValidator">Defaults to <c>DefaultCustomRequestValidator</c>.</param>
/// <param name="scopeValidator">Defaults to a <see cref="ScopeValidator"/> over the (possibly defaulted) scope store.</param>
/// <returns>A fully wired validator.</returns>
public static TokenRequestValidator CreateTokenRequestValidator(
    IdentityServerOptions options = null,
    IScopeStore scopes = null,
    IAuthorizationCodeStore authorizationCodeStore = null,
    IRefreshTokenStore refreshTokens = null,
    IUserService userService = null,
    ICustomGrantValidator customGrantValidator = null,
    ICustomRequestValidator customRequestValidator = null,
    ScopeValidator scopeValidator = null)
{
    options = options ?? TestIdentityServerOptions.Create();
    scopes = scopes ?? new InMemoryScopeStore(TestScopes.Get());
    userService = userService ?? new TestUserService();
    customRequestValidator = customRequestValidator ?? new DefaultCustomRequestValidator();
    customGrantValidator = customGrantValidator ?? new TestGrantValidator();
    refreshTokens = refreshTokens ?? new InMemoryRefreshTokenStore();
    // built last so it wraps whichever scope store ended up being used
    scopeValidator = scopeValidator ?? new ScopeValidator(scopes);

    return new TokenRequestValidator(
        options,
        authorizationCodeStore,
        refreshTokens,
        userService,
        customGrantValidator,
        customRequestValidator,
        scopeValidator,
        new DefaultEventService());
}
/// <summary>
/// A stored, unexpired refresh token belonging to a restricted client that may refresh
/// is accepted by the token request validator.
/// </summary>
public async Task Valid_RefreshToken_Request_using_Restricted_Client()
{
    var storedToken = new RefreshToken
    {
        AccessToken = new Token("access_token"),
        ClientId = "roclient_restricted_refresh",
        LifeTime = 600,
        Handle = Guid.NewGuid().ToString(),
        CreationTime = DateTime.UtcNow
    };

    var tokenStore = new InMemoryRefreshTokenStore();
    await tokenStore.StoreAsync(storedToken.Handle, storedToken);

    var request = new NameValueCollection
    {
        { Constants.TokenRequest.GrantType, "refresh_token" },
        { Constants.TokenRequest.RefreshToken, storedToken.Handle }
    };

    var restrictedClient = await _clients.FindClientByIdAsync("roclient_restricted_refresh");
    var validator = Factory.CreateTokenValidator(refreshTokens: tokenStore);
    var result = await validator.ValidateRequestAsync(request, restrictedClient);

    Assert.IsFalse(result.IsError);
}
/// <summary>
/// Builds the Autofac container for the server from the service factory on
/// <paramref name="options"/>. Mandatory services come from the factory; optional ones
/// fall back to in-memory stores or the <c>Default*</c> implementations. Registration
/// order matters for the decorated stores below: the inner service is registered under
/// the name "inner" first and the decorator is registered against that name afterwards.
/// </summary>
/// <param name="options">Server options; its <c>Factory</c> must be set.</param>
/// <returns>The built container.</returns>
/// <exception cref="ArgumentNullException"><paramref name="options"/> is null.</exception>
/// <exception cref="InvalidOperationException"><c>options.Factory</c> is null.</exception>
public static IContainer Configure(IdentityServerOptions options)
{
    if (options == null) throw new ArgumentNullException("options");
    if (options.Factory == null) throw new InvalidOperationException("null factory");

    IdentityServerServiceFactory fact = options.Factory;
    // let the factory reject an incomplete configuration before anything is wired up
    fact.Validate();

    var builder = new ContainerBuilder();
    builder.RegisterInstance(options).AsSelf();

    // mandatory from factory
    // The user service is wrapped so that external claims pass through the
    // IExternalClaimsFilter (NopClaimsFilter unless the factory supplies one, see below).
    builder.Register(fact.UserService, "inner");
    builder.RegisterDecorator<IUserService>((s, inner) =>
    {
        var filter = s.Resolve<IExternalClaimsFilter>();
        return new ExternalClaimsFilterUserService(filter, inner);
    }, "inner");

    builder.Register(fact.ScopeStore);
    builder.Register(fact.ClientStore);

    // optional from factory
    // Authorization code, token handle and refresh token stores are each wrapped in a
    // KeyHashing* decorator, whether the store comes from the factory or is the
    // in-memory fallback. NOTE(review): by its name the decorator presumably derives the
    // persisted key from the handle the client presents instead of storing the handle
    // verbatim, so a leaked store does not directly yield usable handles — confirm in the
    // KeyHashing*Store implementations.
    if (fact.AuthorizationCodeStore != null)
    {
        builder.Register(fact.AuthorizationCodeStore, "inner");
    }
    else
    {
        var inmemCodeStore = new InMemoryAuthorizationCodeStore();
        builder.RegisterInstance(inmemCodeStore).Named<IAuthorizationCodeStore>("inner");
    }
    builder.RegisterDecorator<IAuthorizationCodeStore>((s, inner) =>
    {
        return new KeyHashingAuthorizationCodeStore(inner);
    }, "inner");

    if (fact.TokenHandleStore != null)
    {
        builder.Register(fact.TokenHandleStore, "inner");
    }
    else
    {
        var inmemTokenHandleStore = new InMemoryTokenHandleStore();
        builder.RegisterInstance(inmemTokenHandleStore).Named<ITokenHandleStore>("inner");
    }
    builder.RegisterDecorator<ITokenHandleStore>((s, inner) =>
    {
        return new KeyHashingTokenHandleStore(inner);
    }, "inner");

    if (fact.RefreshTokenStore != null)
    {
        builder.Register(fact.RefreshTokenStore, "inner");
    }
    else
    {
        var inmemRefreshTokenStore = new InMemoryRefreshTokenStore();
        builder.RegisterInstance(inmemRefreshTokenStore).Named<IRefreshTokenStore>("inner");
    }
    builder.RegisterDecorator<IRefreshTokenStore>((s, inner) =>
    {
        return new KeyHashingRefreshTokenStore(inner);
    }, "inner");

    // The consent store is not decorated, so it is registered directly.
    if (fact.ConsentStore != null)
    {
        builder.Register(fact.ConsentStore);
    }
    else
    {
        var inmemConsentStore = new InMemoryConsentStore();
        builder.RegisterInstance(inmemConsentStore).As<IConsentStore>();
    }

    // Each remaining optional service: factory-supplied registration if present,
    // otherwise the Default* (or Nop) implementation.
    if (fact.ClaimsProvider != null)
    {
        builder.Register(fact.ClaimsProvider);
    }
    else
    {
        builder.RegisterType<DefaultClaimsProvider>().As<IClaimsProvider>();
    }

    if (fact.TokenService != null)
    {
        builder.Register(fact.TokenService);
    }
    else
    {
        builder.RegisterType<DefaultTokenService>().As<ITokenService>();
    }

    if (fact.RefreshTokenService != null)
    {
        builder.Register(fact.RefreshTokenService);
    }
    else
    {
        builder.RegisterType<DefaultRefreshTokenService>().As<IRefreshTokenService>();
    }

    if (fact.TokenSigningService != null)
    {
        builder.Register(fact.TokenSigningService);
    }
    else
    {
        builder.RegisterType<DefaultTokenSigningService>().As<ITokenSigningService>();
    }

    if (fact.CustomRequestValidator != null)
    {
        builder.Register(fact.CustomRequestValidator);
    }
    else
    {
        builder.RegisterType<DefaultCustomRequestValidator>().As<ICustomRequestValidator>();
    }

    if (fact.CustomGrantValidator != null)
    {
        builder.Register(fact.CustomGrantValidator);
    }
    else
    {
        builder.RegisterType<DefaultCustomGrantValidator>().As<ICustomGrantValidator>();
    }

    // No-op filter by default: external claims are passed through unchanged unless the
    // hosting application provides a filter.
    if (fact.ExternalClaimsFilter != null)
    {
        builder.Register(fact.ExternalClaimsFilter);
    }
    else
    {
        builder.RegisterType<NopClaimsFilter>().As<IExternalClaimsFilter>();
    }

    if (fact.CustomTokenValidator != null)
    {
        builder.Register(fact.CustomTokenValidator);
    }
    else
    {
        builder.RegisterType<DefaultCustomTokenValidator>().As<ICustomTokenValidator>();
    }

    if (fact.ConsentService != null)
    {
        builder.Register(fact.ConsentService);
    }
    else
    {
        builder.RegisterType<DefaultConsentService>().As<IConsentService>();
    }

    if (fact.EventService != null)
    {
        builder.Register(fact.EventService);
    }
    else
    {
        builder.RegisterType<DefaultEventService>().As<IEventService>();
    }

    if (fact.RedirectUriValidator != null)
    {
        builder.Register(fact.RedirectUriValidator);
    }
    else
    {
        builder.RegisterType<DefaultRedirectUriValidator>().As<IRedirectUriValidator>();
    }

    // This is more of an internal interface, but maybe we want to open it up as pluggable?
    // It is used by the DefaultClientPermissionsService below, or it could be used by a
    // custom IClientPermissionsService. The aggregate resolves the (decorated) stores at
    // resolution time and exposes each token store's enumerate/revoke pair.
    builder.Register(ctx =>
    {
        var consent = ctx.Resolve<IConsentStore>();
        var refresh = ctx.Resolve<IRefreshTokenStore>();
        var code = ctx.Resolve<IAuthorizationCodeStore>();
        var access = ctx.Resolve<ITokenHandleStore>();
        return new AggregatePermissionsStore(
            consent,
            new TokenMetadataPermissionsStoreAdapter(refresh.GetAllAsync, refresh.RevokeAsync),
            new TokenMetadataPermissionsStoreAdapter(code.GetAllAsync, code.RevokeAsync),
            new TokenMetadataPermissionsStoreAdapter(access.GetAllAsync, access.RevokeAsync)
        );
    }).As<IPermissionsStore>();

    if (fact.ClientPermissionsService != null)
    {
        builder.Register(fact.ClientPermissionsService);
    }
    else
    {
        builder.RegisterType<DefaultClientPermissionsService>().As<IClientPermissionsService>();
    }

    if (fact.ViewService != null)
    {
        builder.Register(fact.ViewService);
    }
    else
    {
        builder.RegisterType<DefaultViewService>().As<IViewService>();
    }

    // hosting services
    builder.RegisterType<OwinEnvironmentService>();

    // validators (concrete types, resolved by the endpoints)
    builder.RegisterType<TokenRequestValidator>();
    builder.RegisterType<AuthorizeRequestValidator>();
    builder.RegisterType<ClientValidator>();
    builder.RegisterType<TokenValidator>();
    builder.RegisterType<EndSessionRequestValidator>();
    builder.RegisterType<BearerTokenUsageValidator>();
    builder.RegisterType<ScopeValidator>();

    // processors / response generators
    builder.RegisterType<TokenResponseGenerator>();
    builder.RegisterType<AuthorizeResponseGenerator>();
    builder.RegisterType<AuthorizeInteractionResponseGenerator>();
    builder.RegisterType<UserInfoResponseGenerator>();
    builder.RegisterType<EndSessionResponseGenerator>();

    // for authentication: fall back to default options when the host sets none
    var authenticationOptions = options.AuthenticationOptions ?? new AuthenticationOptions();
    builder.RegisterInstance(authenticationOptions).AsSelf();

    // load core controllers from the assembly that holds the authorize endpoint
    builder.RegisterApiControllers(typeof(AuthorizeEndpointController).Assembly);

    // add any additional dependencies from the hosting application
    foreach (var registration in fact.Registrations)
    {
        builder.Register(registration);
    }

    return builder.Build();
}
/// <summary>
/// Builds the Autofac container for the server from the service factory on
/// <paramref name="options"/> plus the host's <paramref name="internalConfig"/>.
/// Mandatory services come from the factory; optional ones fall back to in-memory stores
/// or the <c>Default*</c> implementations. Stores are registered as-is here, with no
/// decorator around them.
/// </summary>
/// <param name="options">Server options; its <c>Factory</c> must be set.</param>
/// <param name="internalConfig">Internal configuration registered as itself.</param>
/// <returns>The built container.</returns>
/// <exception cref="ArgumentNullException"><paramref name="options"/> or <paramref name="internalConfig"/> is null.</exception>
/// <exception cref="InvalidOperationException"><c>options.Factory</c> is null.</exception>
public static IContainer Configure(IdentityServerOptions options, InternalConfiguration internalConfig)
{
    if (options == null) throw new ArgumentNullException("options");
    if (options.Factory == null) throw new InvalidOperationException("null factory");
    if (internalConfig == null) throw new ArgumentNullException("internalConfig");

    IdentityServerServiceFactory fact = options.Factory;
    // let the factory reject an incomplete configuration before anything is wired up
    fact.Validate();

    var builder = new ContainerBuilder();
    builder.RegisterInstance(internalConfig).AsSelf();

    // mandatory from factory
    builder.Register(fact.UserService);
    builder.Register(fact.ScopeService);
    builder.Register(fact.ClientService);
    builder.Register(fact.CoreSettings);

    // optional from factory: factory-supplied registration if present, otherwise an
    // in-memory store instance (codes, token handles, refresh tokens, consent)
    if (fact.AuthorizationCodeStore != null)
    {
        builder.Register(fact.AuthorizationCodeStore);
    }
    else
    {
        var inmemCodeStore = new InMemoryAuthorizationCodeStore();
        builder.RegisterInstance(inmemCodeStore).As<IAuthorizationCodeStore>();
    }

    if (fact.TokenHandleStore != null)
    {
        builder.Register(fact.TokenHandleStore);
    }
    else
    {
        var inmemTokenHandleStore = new InMemoryTokenHandleStore();
        builder.RegisterInstance(inmemTokenHandleStore).As<ITokenHandleStore>();
    }

    if (fact.RefreshTokenStore != null)
    {
        builder.Register(fact.RefreshTokenStore);
    }
    else
    {
        var inmemRefreshTokenStore = new InMemoryRefreshTokenStore();
        builder.RegisterInstance(inmemRefreshTokenStore).As<IRefreshTokenStore>();
    }

    if (fact.ConsentService != null)
    {
        builder.Register(fact.ConsentService);
    }
    else
    {
        var inmemConsentService = new InMemoryConsentService();
        builder.RegisterInstance(inmemConsentService).As<IConsentService>();
    }

    // remaining optional services: factory-supplied registration if present, otherwise
    // the Default* implementation registered by type
    if (fact.ClaimsProvider != null)
    {
        builder.Register(fact.ClaimsProvider);
    }
    else
    {
        builder.RegisterType<DefaultClaimsProvider>().As<IClaimsProvider>();
    }

    if (fact.TokenService != null)
    {
        builder.Register(fact.TokenService);
    }
    else
    {
        builder.RegisterType<DefaultTokenService>().As<ITokenService>();
    }

    if (fact.RefreshTokenService != null)
    {
        builder.Register(fact.RefreshTokenService);
    }
    else
    {
        builder.RegisterType<DefaultRefreshTokenService>().As<IRefreshTokenService>();
    }

    if (fact.TokenSigningService != null)
    {
        builder.Register(fact.TokenSigningService);
    }
    else
    {
        builder.RegisterType<DefaultTokenSigningService>().As<ITokenSigningService>();
    }

    if (fact.CustomRequestValidator != null)
    {
        builder.Register(fact.CustomRequestValidator);
    }
    else
    {
        builder.RegisterType<DefaultCustomRequestValidator>().As<ICustomRequestValidator>();
    }

    if (fact.AssertionGrantValidator != null)
    {
        builder.Register(fact.AssertionGrantValidator);
    }
    else
    {
        builder.RegisterType<DefaultAssertionGrantValidator>().As<IAssertionGrantValidator>();
    }

    if (fact.ExternalClaimsFilter != null)
    {
        builder.Register(fact.ExternalClaimsFilter);
    }
    else
    {
        builder.RegisterType<DefaultExternalClaimsFilter>().As<IExternalClaimsFilter>();
    }

    if (fact.CustomTokenValidator != null)
    {
        builder.Register(fact.CustomTokenValidator);
    }
    else
    {
        builder.RegisterType<DefaultCustomTokenValidator>().As<ICustomTokenValidator>();
    }

    // validators (concrete types, resolved by the endpoints)
    builder.RegisterType<TokenRequestValidator>();
    builder.RegisterType<AuthorizeRequestValidator>();
    builder.RegisterType<ClientValidator>();
    builder.RegisterType<TokenValidator>();

    // processors / response generators
    builder.RegisterType<TokenResponseGenerator>();
    builder.RegisterType<AuthorizeResponseGenerator>();
    builder.RegisterType<AuthorizeInteractionResponseGenerator>();
    builder.RegisterType<UserInfoResponseGenerator>();

    // general services
    builder.RegisterType<CookieMiddlewareTrackingCookieService>().As<ITrackingCookieService>();

    // for authentication: fall back to default options when the host sets none
    var authenticationOptions = options.AuthenticationOptions ?? new AuthenticationOptions();
    builder.RegisterInstance(authenticationOptions).AsSelf();

    // load core controllers from the assembly that holds the authorize endpoint
    builder.RegisterApiControllers(typeof(AuthorizeEndpointController).Assembly);

    // add any additional dependencies from the hosting application
    foreach (var registration in fact.Registrations)
    {
        builder.Register(registration);
    }

    return builder.Build();
}
/// <summary>
/// When a sliding refresh token is renewed late enough, its lifetime is capped at the
/// client's absolute refresh token lifetime rather than extended further.
/// </summary>
public async Task Sliding_Expiration_does_not_exceed_absolute_Expiration()
{
    var tokenStore = new InMemoryRefreshTokenStore();
    var refreshTokenService = new DefaultRefreshTokenService(tokenStore);

    var slidingClient = await _clients.FindClientByIdAsync("roclient_sliding_refresh_expiration_one_time_only");
    var accessToken = TokenFactory.CreateAccessToken(slidingClient.ClientId, "valid", 60, "read", "write");

    var originalHandle = await refreshTokenService.CreateRefreshTokenAsync(accessToken, slidingClient);
    var originalToken = await tokenStore.GetAsync(originalHandle);
    // captured for inspection only; the assertion below is on the renewed token
    var originalLifetime = originalToken.LifeTime;

    // Real wall-clock wait so the sliding window would, if uncapped, push the expiry
    // past the absolute limit. NOTE(review): presumably tuned to the test client's
    // lifetimes — confirm against its configuration.
    await Task.Delay(8000);

    var renewedHandle = await refreshTokenService.UpdateRefreshTokenAsync(originalHandle, originalToken, slidingClient);
    var renewedToken = await tokenStore.GetAsync(renewedHandle);

    renewedToken.LifeTime.Should().Be(slidingClient.AbsoluteRefreshTokenLifetime);
}
/// <summary>
/// For a client configured for one-time-only refresh tokens, renewing a token yields a
/// handle different from the one that was used.
/// </summary>
public async Task OneTime_Handle_creates_new_Handle()
{
    var tokenStore = new InMemoryRefreshTokenStore();
    var refreshTokenService = new DefaultRefreshTokenService(tokenStore);

    var oneTimeClient = await _clients.FindClientByIdAsync("roclient_absolute_refresh_expiration_one_time_only");
    var accessToken = TokenFactory.CreateAccessToken(oneTimeClient.ClientId, "valid", 60, "read", "write");

    var originalHandle = await refreshTokenService.CreateRefreshTokenAsync(accessToken, oneTimeClient);
    var originalToken = await tokenStore.GetAsync(originalHandle);
    var renewedHandle = await refreshTokenService.UpdateRefreshTokenAsync(originalHandle, originalToken, oneTimeClient);

    // the presented handle must not be handed back for reuse
    renewedHandle.Should().NotBe(originalHandle);
}
/// <summary>
/// A stored refresh token for a client that is no longer allowed to refresh is rejected
/// with <c>invalid_grant</c>, even though the token itself is unexpired.
/// </summary>
public async Task Client_has_no_OfflineAccess_Scope_anymore_at_RefreshToken_Request()
{
    var tokenHandle = Guid.NewGuid().ToString();
    var tokenStore = new InMemoryRefreshTokenStore();
    await tokenStore.StoreAsync(tokenHandle, new RefreshToken
    {
        AccessToken = new Token("access_token"),
        ClientId = "roclient_restricted",
        LifeTime = 600,
        CreationTime = DateTime.UtcNow
    });

    var request = new NameValueCollection
    {
        { Constants.TokenRequest.GrantType, "refresh_token" },
        { Constants.TokenRequest.RefreshToken, tokenHandle }
    };

    var restrictedClient = await _clients.FindClientByIdAsync("roclient_restricted");
    var validator = Factory.CreateTokenRequestValidator(refreshTokens: tokenStore);
    var result = await validator.ValidateRequestAsync(request, restrictedClient);

    // the client's current configuration wins over the stored token
    result.IsError.Should().BeTrue();
    result.Error.Should().Be(Constants.TokenErrors.InvalidGrant);
}