diff --git a/src/OpenIddict/OpenIddictProvider.Exchange.cs b/src/OpenIddict/OpenIddictProvider.Exchange.cs
index 06bb3400..ee95f42a 100644
--- a/src/OpenIddict/OpenIddictProvider.Exchange.cs
+++ b/src/OpenIddict/OpenIddictProvider.Exchange.cs
@@ -210,9 +210,8 @@ namespace OpenIddict
 Debug.Assert(context.Ticket != null, "The authentication ticket shouldn't be null.");
 // Extract the token identifier from the authentication ticket.
- var identifier = context.Ticket.GetTicketId();
- Debug.Assert(!string.IsNullOrEmpty(identifier),
- "The authentication ticket should contain a ticket identifier.");
+ var identifier = context.Ticket.GetProperty(OpenIdConnectConstants.Properties.TokenId);
+ Debug.Assert(!string.IsNullOrEmpty(identifier), "The authentication ticket should contain a ticket identifier.");
 if (context.Request.IsAuthorizationCodeGrantType())
 {
diff --git a/src/OpenIddict/OpenIddictProvider.Introspection.cs b/src/OpenIddict/OpenIddictProvider.Introspection.cs
index 868373e3..46472dca 100644
--- a/src/OpenIddict/OpenIddictProvider.Introspection.cs
+++ b/src/OpenIddict/OpenIddictProvider.Introspection.cs
@@ -107,6 +107,9 @@ namespace OpenIddict
 Debug.Assert(context.Ticket != null, "The authentication ticket shouldn't be null.");
 Debug.Assert(!string.IsNullOrEmpty(context.Request.ClientId), "The client_id parameter shouldn't be null.");
+ var identifier = context.Ticket.GetProperty(OpenIdConnectConstants.Properties.TokenId);
+ Debug.Assert(!string.IsNullOrEmpty(identifier), "The token identifier shouldn't be null or empty.");
+
 // Note: the OpenID Connect server middleware allows authorized presenters (e.g relying parties) to introspect access tokens
 // but OpenIddict uses a stricter policy that only allows resource servers to use the introspection endpoint, unless the ticket
 // doesn't have any audience: in this case, the caller is allowed to introspect the token even if it's not listed as a valid audience.
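Review bot: The only check that the ticket carries a token identifier in the Exchange hunk is `Debug.Assert(!string.IsNullOrEmpty(identifier), ...)`, which is compiled out of release builds, so a ticket without the `OpenIdConnectConstants.Properties.TokenId` property would reach the grant-type handling below with a null identifier. This change makes that case more plausible if authorization codes or refresh tokens issued before the upgrade kept their identifier under a different property key than the one `GetTicketId()` read; the diff does not show whether the key changed, so that should be confirmed. I would add a runtime guard next to the assert that fails closed, for example `if (string.IsNullOrEmpty(identifier)) { context.Reject(error: OpenIdConnectConstants.Errors.InvalidGrant); return; }`. The Introspection (@@ -107,6) and Revocation (@@ -147,7) hunks follow the same assert-only pattern and need the equivalent check. The enclosing method starts and ends outside this hunk, so the rejection call should match what the rest of the handler already uses.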
@@ -114,7 +117,7 @@ namespace OpenIddict
 {
 logger.LogWarning("The client application '{ClientId}' is not allowed to introspect the access " +
 "token '{Identifier}' because it's not listed as a valid audience.",
- context.Request.ClientId, context.Ticket.GetTicketId());
+ context.Request.ClientId, identifier);
 context.Active = false;
@@ -126,11 +129,11 @@ namespace OpenIddict
 {
 // Retrieve the token from the database using the unique identifier stored in the authentication ticket:
 // if the corresponding entry cannot be found, return Active = false to indicate that is is no longer valid.
- var token = await tokens.FindByIdAsync(context.Ticket.GetTicketId(), context.HttpContext.RequestAborted);
+ var token = await tokens.FindByIdAsync(identifier, context.HttpContext.RequestAborted);
 if (token == null)
 {
 logger.LogInformation("The token {Identifier} was declared as inactive because " +
- "it was revoked.", context.Ticket.GetTicketId());
+ "it was revoked.", identifier);
 context.Active = false;
diff --git a/src/OpenIddict/OpenIddictProvider.Revocation.cs b/src/OpenIddict/OpenIddictProvider.Revocation.cs
index eefa3fb1..afb4e3ae 100644
--- a/src/OpenIddict/OpenIddictProvider.Revocation.cs
+++ b/src/OpenIddict/OpenIddictProvider.Revocation.cs
@@ -147,7 +147,7 @@ namespace OpenIddict
 }
 // Extract the token identifier from the authentication ticket.
- var identifier = context.Ticket.GetTicketId();
+ var identifier = context.Ticket.GetProperty(OpenIdConnectConstants.Properties.TokenId);
 Debug.Assert(!string.IsNullOrEmpty(identifier), "The token should contain a ticket identifier.");
 // Retrieve the token from the database. If the token cannot be found,
diff --git a/src/OpenIddict/OpenIddictProvider.Serialization.cs b/src/OpenIddict/OpenIddictProvider.Serialization.cs
index 957f37b4..da3bcd00 100644
--- a/src/OpenIddict/OpenIddictProvider.Serialization.cs
+++ b/src/OpenIddict/OpenIddictProvider.Serialization.cs
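Review bot: The information log in the `token == null` branch of the @@ -126,11 hunk still says the token "was revoked", but that branch runs whenever `FindByIdAsync(identifier, ...)` finds no entry, which also covers an identifier that is missing from the ticket or was never stored. Someone reading these logs during an investigation cannot tell a real revocation from an unknown or empty identifier. I would reword the second line to `"no matching entry was found in the store (revoked or unknown identifier).", identifier);` so the message states only what the code has established. The enclosing block continues past the end of the hunk.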
@@ -54,7 +54,7 @@ namespace OpenIddict
 // Attach the key returned by the underlying store
 // to the authorization code to override the default GUID
 // generated by the OpenID Connect server middleware.
- context.Ticket.SetTicketId(identifier);
+ context.Ticket.SetProperty(OpenIdConnectConstants.Properties.TokenId, identifier);
 var application = await applications.FindByClientIdAsync(context.Request.ClientId, context.HttpContext.RequestAborted);
 if (application == null)
@@ -105,7 +105,7 @@ namespace OpenIddict
 // Attach the key returned by the underlying store
 // to the refresh token to override the default GUID
 // generated by the OpenID Connect server middleware.
- context.Ticket.SetTicketId(identifier);
+ context.Ticket.SetProperty(OpenIdConnectConstants.Properties.TokenId, identifier);
 // If the client application is known, associate it with the token.
 if (!string.IsNullOrEmpty(context.Request.ClientId))
diff --git a/test/OpenIddict.Tests/OpenIddictProviderTests.Exchange.cs b/test/OpenIddict.Tests/OpenIddictProviderTests.Exchange.cs
index 14c9e1b6..35cc7264 100644
--- a/test/OpenIddict.Tests/OpenIddictProviderTests.Exchange.cs
+++ b/test/OpenIddict.Tests/OpenIddictProviderTests.Exchange.cs
@@ -366,8 +366,8 @@ namespace OpenIddict.Tests
 OpenIdConnectServerDefaults.AuthenticationScheme);
 ticket.SetPresenters("Fabrikam");
- ticket.SetTicketId("3E228451-1555-46F7-A471-951EFBA23A56");
- ticket.SetUsage(OpenIdConnectConstants.Usages.AuthorizationCode);
+ ticket.SetTokenId("3E228451-1555-46F7-A471-951EFBA23A56");
+ ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.AuthorizationCode);
 var format = new Mock>();
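Review bot: The authorization-code hunk (@@ -54,7) stores the identifier with the raw call `context.Ticket.SetProperty(OpenIdConnectConstants.Properties.TokenId, identifier)`, while the tests updated in this same commit use the `ticket.SetTokenId(...)` extension, so the same operation is now spelled two ways. If that extension is usable from the main assembly, `context.Ticket.SetTokenId(identifier);` here and in the refresh-token hunk (@@ -105,7) would keep production code and tests on one code path and make a later key rename a single-site change. The `GetProperty(...)` reads in Exchange, Introspection and Revocation could use the matching getter, if one exists. Both enclosing methods extend beyond their hunks.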
@@ -417,8 +417,8 @@ namespace OpenIddict.Tests
 new AuthenticationProperties(),
 OpenIdConnectServerDefaults.AuthenticationScheme);
- ticket.SetTicketId("60FFF7EA-F98E-437B-937E-5073CC313103");
- ticket.SetUsage(OpenIdConnectConstants.Usages.RefreshToken);
+ ticket.SetTokenId("60FFF7EA-F98E-437B-937E-5073CC313103");
+ ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.RefreshToken);
 var format = new Mock>();
@@ -467,8 +467,8 @@ namespace OpenIddict.Tests
 OpenIdConnectServerDefaults.AuthenticationScheme);
 ticket.SetPresenters("Fabrikam");
- ticket.SetTicketId("3E228451-1555-46F7-A471-951EFBA23A56");
- ticket.SetUsage(OpenIdConnectConstants.Usages.AuthorizationCode);
+ ticket.SetTokenId("3E228451-1555-46F7-A471-951EFBA23A56");
+ ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.AuthorizationCode);
 var format = new Mock>();
@@ -526,8 +526,8 @@ namespace OpenIddict.Tests
 new AuthenticationProperties(),
 OpenIdConnectServerDefaults.AuthenticationScheme);
- ticket.SetTicketId("60FFF7EA-F98E-437B-937E-5073CC313103");
- ticket.SetUsage(OpenIdConnectConstants.Usages.RefreshToken);
+ ticket.SetTokenId("60FFF7EA-F98E-437B-937E-5073CC313103");
+ ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.RefreshToken);
 var format = new Mock>();
@@ -587,8 +587,8 @@ namespace OpenIddict.Tests
 OpenIdConnectServerDefaults.AuthenticationScheme);
 ticket.SetPresenters("Fabrikam");
- ticket.SetTicketId("3E228451-1555-46F7-A471-951EFBA23A56");
- ticket.SetUsage(OpenIdConnectConstants.Usages.AuthorizationCode);
+ ticket.SetTokenId("3E228451-1555-46F7-A471-951EFBA23A56");
+ ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.AuthorizationCode);
 var format = new Mock>();
@@ -649,8 +649,8 @@ namespace OpenIddict.Tests
 new AuthenticationProperties(),
 OpenIdConnectServerDefaults.AuthenticationScheme);
- ticket.SetTicketId("60FFF7EA-F98E-437B-937E-5073CC313103");
- ticket.SetUsage(OpenIdConnectConstants.Usages.RefreshToken);
+ ticket.SetTokenId("60FFF7EA-F98E-437B-937E-5073CC313103");
+ ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.RefreshToken);
 var format = new Mock>();
@@ -714,17 +714,17 @@ namespace OpenIddict.Tests
 new AuthenticationProperties(),
 OpenIdConnectServerDefaults.AuthenticationScheme);
- ticket.SetTicketId("60FFF7EA-F98E-437B-937E-5073CC313103");
+ ticket.SetTokenId("60FFF7EA-F98E-437B-937E-5073CC313103");
 switch (flow)
 {
 case OpenIdConnectConstants.GrantTypes.AuthorizationCode:
- ticket.SetUsage(OpenIdConnectConstants.Usages.AuthorizationCode);
+ ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.AuthorizationCode);
 ticket.SetPresenters("Fabrikam");
 break;
 case OpenIdConnectConstants.GrantTypes.RefreshToken:
- ticket.SetUsage(OpenIdConnectConstants.Usages.RefreshToken);
+ ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.RefreshToken);
 break;
 }
diff --git a/test/OpenIddict.Tests/OpenIddictProviderTests.Introspection.cs b/test/OpenIddict.Tests/OpenIddictProviderTests.Introspection.cs
index 428f0a13..0d050c08 100644
--- a/test/OpenIddict.Tests/OpenIddictProviderTests.Introspection.cs
+++ b/test/OpenIddict.Tests/OpenIddictProviderTests.Introspection.cs
@@ -187,8 +187,8 @@ namespace OpenIddict.Tests
 OpenIdConnectServerDefaults.AuthenticationScheme);
 ticket.SetAudiences("Contoso");
- ticket.SetTicketId("3E228451-1555-46F7-A471-951EFBA23A56");
- ticket.SetUsage(OpenIdConnectConstants.Usages.AccessToken);
+ ticket.SetTokenId("3E228451-1555-46F7-A471-951EFBA23A56");
+ ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.AccessToken);
 var format = new Mock>();
@@ -241,8 +241,8 @@ namespace OpenIddict.Tests
 new AuthenticationProperties(),
 OpenIdConnectServerDefaults.AuthenticationScheme);
- ticket.SetTicketId("3E228451-1555-46F7-A471-951EFBA23A56");
- ticket.SetUsage(OpenIdConnectConstants.Usages.AuthorizationCode);
+ ticket.SetTokenId("3E228451-1555-46F7-A471-951EFBA23A56");
+ ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.AuthorizationCode);
 var format = new Mock>();
@@ -297,8 +297,8 @@ namespace OpenIddict.Tests
 new AuthenticationProperties(),
 OpenIdConnectServerDefaults.AuthenticationScheme);
- ticket.SetTicketId("3E228451-1555-46F7-A471-951EFBA23A56");
- ticket.SetUsage(OpenIdConnectConstants.Usages.AuthorizationCode);
+ ticket.SetTokenId("3E228451-1555-46F7-A471-951EFBA23A56");
+ ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.AuthorizationCode);
 var format = new Mock>();
@@ -353,8 +353,8 @@ namespace OpenIddict.Tests
 new AuthenticationProperties(),
 OpenIdConnectServerDefaults.AuthenticationScheme);
- ticket.SetTicketId("3E228451-1555-46F7-A471-951EFBA23A56");
- ticket.SetUsage(OpenIdConnectConstants.Usages.AuthorizationCode);
+ ticket.SetTokenId("3E228451-1555-46F7-A471-951EFBA23A56");
+ ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.AuthorizationCode);
 var format = new Mock>();
@@ -417,8 +417,8 @@ namespace OpenIddict.Tests
 new AuthenticationProperties(),
 OpenIdConnectServerDefaults.AuthenticationScheme);
- ticket.SetTicketId("3E228451-1555-46F7-A471-951EFBA23A56");
- ticket.SetUsage(OpenIdConnectConstants.Usages.RefreshToken);
+ ticket.SetTokenId("3E228451-1555-46F7-A471-951EFBA23A56");
+ ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.RefreshToken);
 var format = new Mock>();
diff --git a/test/OpenIddict.Tests/OpenIddictProviderTests.Revocation.cs b/test/OpenIddict.Tests/OpenIddictProviderTests.Revocation.cs
index 7ed2ef0e..33492f1f 100644
--- a/test/OpenIddict.Tests/OpenIddictProviderTests.Revocation.cs
+++ b/test/OpenIddict.Tests/OpenIddictProviderTests.Revocation.cs
@@ -227,8 +227,8 @@ namespace OpenIddict.Tests
 new AuthenticationProperties(),
 OpenIdConnectServerDefaults.AuthenticationScheme);
- ticket.SetTicketId("3E228451-1555-46F7-A471-951EFBA23A56");
- ticket.SetUsage(OpenIdConnectConstants.Usages.AccessToken);
+ ticket.SetTokenId("3E228451-1555-46F7-A471-951EFBA23A56");
+ ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.AccessToken);
 var format = new Mock>();
@@ -264,7 +264,7 @@ namespace OpenIddict.Tests
 mock.ValidTo == DateTime.UtcNow.AddDays(1));
 var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
- identity.AddClaim(OpenIdConnectConstants.Claims.Usage, OpenIdConnectConstants.Usages.IdentityToken);
+ identity.AddClaim(OpenIdConnectConstants.Claims.TokenUsage, OpenIdConnectConstants.TokenUsages.IdToken);
 var handler = new Mock();
@@ -308,7 +308,7 @@ namespace OpenIddict.Tests
 new AuthenticationProperties(),
 OpenIdConnectServerDefaults.AuthenticationScheme);
- ticket.SetTicketId("3E228451-1555-46F7-A471-951EFBA23A56");
+ ticket.SetTokenId("3E228451-1555-46F7-A471-951EFBA23A56");
 var format = new Mock>();
@@ -352,7 +352,7 @@ namespace OpenIddict.Tests
 new AuthenticationProperties(),
 OpenIdConnectServerDefaults.AuthenticationScheme);
- ticket.SetTicketId("3E228451-1555-46F7-A471-951EFBA23A56");
+ ticket.SetTokenId("3E228451-1555-46F7-A471-951EFBA23A56");
 var format = new Mock>();