tsai
/
openiddict-core
mirror of https://github.com/openiddict/openiddict-core.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Introduce built-in reference tokens support and automatic compromised tokens revocation

pull/443/head
Kévin Chalet 9 years ago
parent
8283eee0f2
commit
3280e09c1d
24 changed files with 2446 additions and 177 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 76
      src/OpenIddict.Core/Managers/OpenIddictAuthorizationManager.cs
  2. 237
      src/OpenIddict.Core/Managers/OpenIddictTokenManager.cs
  3. 7
      src/OpenIddict.Core/OpenIddictConstants.cs
  4. 47
      src/OpenIddict.Core/Stores/IOpenIddictAuthorizationStore.cs
  5. 106
      src/OpenIddict.Core/Stores/IOpenIddictTokenStore.cs
  6. 3
      src/OpenIddict.EntityFrameworkCore/OpenIddictExtensions.cs
  7. 95
      src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictAuthorizationStore.cs
  8. 207
      src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictTokenStore.cs
  9. 5
      src/OpenIddict.Models/OpenIddictAuthorization.cs
  10. 19
      src/OpenIddict.Models/OpenIddictToken.cs
  11. 21
      src/OpenIddict/OpenIddictExtensions.cs
  12. 72
      src/OpenIddict/OpenIddictInitializer.cs
  13. 18
      src/OpenIddict/OpenIddictOptions.cs
  14. 125
      src/OpenIddict/OpenIddictProvider.Exchange.cs
  15. 9
      src/OpenIddict/OpenIddictProvider.Introspection.cs
  16. 50
      src/OpenIddict/OpenIddictProvider.Revocation.cs
  17. 387
      src/OpenIddict/OpenIddictProvider.Serialization.cs
  18. 16
      test/OpenIddict.Tests/OpenIddictExtensionsTests.cs
  19. 67
      test/OpenIddict.Tests/OpenIddictInitializerTests.cs
  20. 316
      test/OpenIddict.Tests/OpenIddictProviderTests.Exchange.cs
  21. 282
      test/OpenIddict.Tests/OpenIddictProviderTests.Introspection.cs
  22. 95
      test/OpenIddict.Tests/OpenIddictProviderTests.Revocation.cs
  23. 358
      test/OpenIddict.Tests/OpenIddictProviderTests.Serialization.cs
  24. 5
      test/OpenIddict.Tests/OpenIddictProviderTests.cs

76
src/OpenIddict.Core/Managers/OpenIddictAuthorizationManager.cs
View File

@ -5,6 +5,7 @@
*/
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using JetBrains.Annotations;
@ -42,9 +43,9 @@ namespace OpenIddict.Core
/// <param name="authorization">The application to create.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation.
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation, whose result returns the authorization.
/// </returns>
public virtual Task CreateAsync([NotNull] TAuthorization authorization, CancellationToken cancellationToken)
public virtual Task<TAuthorization> CreateAsync([NotNull] TAuthorization authorization, CancellationToken cancellationToken)
{
if (authorization == null)
{
@ -54,6 +55,38 @@ namespace OpenIddict.Core
return Store.CreateAsync(authorization, cancellationToken);
}
/// <summary>
/// Creates a new authorization.
/// </summary>
/// <param name="subject">The subject associated with the authorization.</param>
/// <param name="client">The client associated with the authorization.</param>
/// <param name="scopes">The scopes associated with the authorization.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation, whose result returns the authorization.
/// </returns>
public virtual Task<TAuthorization> CreateAsync(
[NotNull] string subject, [NotNull] string client,
[NotNull] IEnumerable<string> scopes, CancellationToken cancellationToken)
{
if (scopes == null)
{
throw new ArgumentNullException(nameof(scopes));
}
if (string.IsNullOrEmpty(subject))
{
throw new ArgumentException("The subject cannot be null or empty.", nameof(subject));
}
if (string.IsNullOrEmpty(client))
{
throw new ArgumentException("The client cannot be null or empty.", nameof(subject));
}
return Store.CreateAsync(subject, client, scopes, cancellationToken);
}
/// <summary>
/// Retrieves an authorization using its associated subject/client.
/// </summary>
@ -102,6 +135,45 @@ namespace OpenIddict.Core
return Store.GetIdAsync(authorization, cancellationToken);
}
/// <summary>
/// Revokes an authorization.
/// </summary>
/// <param name="authorization">The authorization to revoke.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>A <see cref="Task"/> that can be used to monitor the asynchronous operation.</returns>
public virtual async Task RevokeAsync([NotNull] TAuthorization authorization, CancellationToken cancellationToken)
{
if (authorization == null)
{
throw new ArgumentNullException(nameof(authorization));
}
var status = await Store.GetStatusAsync(authorization, cancellationToken);
if (!string.Equals(status, OpenIddictConstants.Statuses.Revoked, StringComparison.OrdinalIgnoreCase))
{
await Store.SetStatusAsync(authorization, OpenIddictConstants.Statuses.Revoked, cancellationToken);
await UpdateAsync(authorization, cancellationToken);
}
}
/// <summary>
/// Updates an existing authorization.
/// </summary>
/// <param name="authorization">The authorization to update.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation.
/// </returns>
public virtual Task UpdateAsync([NotNull] TAuthorization authorization, CancellationToken cancellationToken)
{
if (authorization == null)
{
throw new ArgumentNullException(nameof(authorization));
}
return Store.UpdateAsync(authorization, cancellationToken);
}
/// <summary>
/// Validates the authorization to ensure it's in a consistent state.
/// </summary>

237
src/OpenIddict.Core/Managers/OpenIddictTokenManager.cs
View File

@ -65,17 +65,39 @@ namespace OpenIddict.Core
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation, whose result returns the token.
/// </returns>
public virtual async Task<TToken> CreateAsync([NotNull] string type, [NotNull] string subject, CancellationToken cancellationToken)
public virtual Task<TToken> CreateAsync([NotNull] string type, [NotNull] string subject, CancellationToken cancellationToken)
{
if (string.IsNullOrEmpty(type))
{
throw new ArgumentException("The token type cannot be null or empty.", nameof(type));
}
if (!string.Equals(type, OpenIdConnectConstants.TokenTypeHints.AuthorizationCode, StringComparison.OrdinalIgnoreCase) &&
!string.Equals(type, OpenIdConnectConstants.TokenTypeHints.RefreshToken, StringComparison.OrdinalIgnoreCase))
if (string.IsNullOrEmpty(subject))
{
throw new ArgumentException("The specified token type is not supported by the default token manager.");
throw new ArgumentException("The subject cannot be null or empty.");
}
return Store.CreateAsync(type, subject, cancellationToken);
}
/// <summary>
/// Creates a new reference token, which is associated with a particular subject.
/// </summary>
/// <param name="type">The token type.</param>
/// <param name="subject">The subject associated with the token.</param>
/// <param name="hash">The hash of the crypto-secure random identifier associated with the token.</param>
/// <param name="ciphertext">The ciphertext associated with the token.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation, whose result returns the token.
/// </returns>
public virtual Task<TToken> CreateAsync(
[NotNull] string type, [NotNull] string subject, [NotNull] string hash,
[NotNull] string ciphertext, CancellationToken cancellationToken)
{
if (string.IsNullOrEmpty(type))
{
throw new ArgumentException("The token type cannot be null or empty.", nameof(type));
}
if (string.IsNullOrEmpty(subject))
@ -83,7 +105,40 @@ namespace OpenIddict.Core
throw new ArgumentException("The subject cannot be null or empty.");
}
return await Store.CreateAsync(type, subject, cancellationToken);
if (string.IsNullOrEmpty(ciphertext))
{
throw new ArgumentException("The ciphertext cannot be null or empty.", nameof(ciphertext));
}
return Store.CreateAsync(type, subject, hash, ciphertext, cancellationToken);
}
/// <summary>
/// Retrieves the list of tokens corresponding to the specified authorization identifier.
/// </summary>
/// <param name="identifier">The authorization identifier associated with the tokens.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation,
/// whose result returns the tokens corresponding to the specified authorization.
/// </returns>
public virtual Task<TToken[]> FindByAuthorizationIdAsync(string identifier, CancellationToken cancellationToken)
{
return Store.FindByAuthorizationIdAsync(identifier, cancellationToken);
}
/// <summary>
/// Retrieves the list of tokens corresponding to the specified hash.
/// </summary>
/// <param name="hash">The hashed crypto-secure random identifier associated with the tokens.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation,
/// whose result returns the tokens corresponding to the specified hash.
/// </returns>
public virtual Task<TToken> FindByHashAsync(string hash, CancellationToken cancellationToken)
{
return Store.FindByHashAsync(hash, cancellationToken);
}
/// <summary>
@ -114,6 +169,63 @@ namespace OpenIddict.Core
return Store.FindBySubjectAsync(subject, cancellationToken);
}
/// <summary>
/// Retrieves the optional authorization identifier associated with a token.
/// </summary>
/// <param name="token">The token.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation,
/// whose result returns the authorization identifier associated with the token.
/// </returns>
public virtual Task<string> GetAuthorizationIdAsync([NotNull] TToken token, CancellationToken cancellationToken)
{
if (token == null)
{
throw new ArgumentNullException(nameof(token));
}
return Store.GetAuthorizationIdAsync(token, cancellationToken);
}
/// <summary>
/// Retrieves the ciphertext associated with a token.
/// </summary>
/// <param name="token">The token.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation,
/// whose result returns the ciphertext associated with the specified token.
/// </returns>
public virtual Task<string> GetCiphertextAsync([NotNull] TToken token, CancellationToken cancellationToken)
{
if (token == null)
{
throw new ArgumentNullException(nameof(token));
}
return Store.GetCiphertextAsync(token, cancellationToken);
}
/// <summary>
/// Retrieves the hashed identifier associated with a token.
/// </summary>
/// <param name="token">The token.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation,
/// whose result returns the hashed identifier associated with the specified token.
/// </returns>
public virtual Task<string> GetHashAsync([NotNull] TToken token, CancellationToken cancellationToken)
{
if (token == null)
{
throw new ArgumentNullException(nameof(token));
}
return Store.GetHashAsync(token, cancellationToken);
}
/// <summary>
/// Retrieves the unique identifier associated with a token.
/// </summary>
@ -133,20 +245,131 @@ namespace OpenIddict.Core
return Store.GetIdAsync(token, cancellationToken);
}
/// <summary>
/// Retrieves the status associated with a token.
/// </summary>
/// <param name="token">The token.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation,
/// whose result returns the status associated with the specified token.
/// </returns>
public virtual Task<string> GetStatusAsync([NotNull] TToken token, CancellationToken cancellationToken)
{
if (token == null)
{
throw new ArgumentNullException(nameof(token));
}
return Store.GetStatusAsync(token, cancellationToken);
}
/// <summary>
/// Determines whether a given token has already been redemeed.
/// </summary>
/// <param name="token">The token.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns><c>true</c> if the token has already been redemeed, <c>false</c> otherwise.</returns>
public virtual async Task<bool> IsRedeemedAsync([NotNull] TToken token, CancellationToken cancellationToken)
{
if (token == null)
{
throw new ArgumentNullException(nameof(token));
}
var status = await Store.GetStatusAsync(token, cancellationToken);
if (string.IsNullOrEmpty(status))
{
return false;
}
return string.Equals(status, OpenIddictConstants.Statuses.Redeemed, StringComparison.OrdinalIgnoreCase);
}
/// <summary>
/// Determines whether a given token has been revoked.
/// </summary>
/// <param name="token">The token.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns><c>true</c> if the token has been revoked, <c>false</c> otherwise.</returns>
public virtual async Task<bool> IsRevokedAsync([NotNull] TToken token, CancellationToken cancellationToken)
{
if (token == null)
{
throw new ArgumentNullException(nameof(token));
}
var status = await Store.GetStatusAsync(token, cancellationToken);
if (string.IsNullOrEmpty(status))
{
return false;
}
return string.Equals(status, OpenIddictConstants.Statuses.Revoked, StringComparison.OrdinalIgnoreCase);
}
/// <summary>
/// Determines whether a given token is valid.
/// </summary>
/// <param name="token">The token.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns><c>true</c> if the token is valid, <c>false</c> otherwise.</returns>
public virtual async Task<bool> IsValidAsync([NotNull] TToken token, CancellationToken cancellationToken)
{
if (token == null)
{
throw new ArgumentNullException(nameof(token));
}
var status = await Store.GetStatusAsync(token, cancellationToken);
if (string.IsNullOrEmpty(status))
{
return false;
}
return string.Equals(status, OpenIddictConstants.Statuses.Valid, StringComparison.OrdinalIgnoreCase);
}
/// <summary>
/// Redeems a token.
/// </summary>
/// <param name="token">The token to redeem.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>A <see cref="Task"/> that can be used to monitor the asynchronous operation.</returns>
public virtual async Task RedeemAsync([NotNull] TToken token, CancellationToken cancellationToken)
{
if (token == null)
{
throw new ArgumentNullException(nameof(token));
}
var status = await Store.GetStatusAsync(token, cancellationToken);
if (!string.Equals(status, OpenIddictConstants.Statuses.Redeemed, StringComparison.OrdinalIgnoreCase))
{
await Store.SetStatusAsync(token, OpenIddictConstants.Statuses.Redeemed, cancellationToken);
await UpdateAsync(token, cancellationToken);
}
}
/// <summary>
/// Revokes a token.
/// </summary>
/// <param name="token">The token to revoke.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>A <see cref="Task"/> that can be used to monitor the asynchronous operation.</returns>
public virtual Task RevokeAsync([NotNull] TToken token, CancellationToken cancellationToken)
public virtual async Task RevokeAsync([NotNull] TToken token, CancellationToken cancellationToken)
{
if (token == null)
{
throw new ArgumentNullException(nameof(token));
}
return Store.RevokeAsync(token, cancellationToken);
var status = await Store.GetStatusAsync(token, cancellationToken);
if (!string.Equals(status, OpenIddictConstants.Statuses.Revoked, StringComparison.OrdinalIgnoreCase))
{
await Store.SetStatusAsync(token, OpenIddictConstants.Statuses.Revoked, cancellationToken);
await UpdateAsync(token, cancellationToken);
}
}
/// <summary>

7
src/OpenIddict.Core/OpenIddictConstants.cs
View File

@ -39,5 +39,12 @@ namespace OpenIddict.Core
{
public const string Roles = "roles";
}
public static class Statuses
{
public const string Redeemed = "redeemed";
public const string Revoked = "revoked";
public const string Valid = "valid";
}
}
}

47
src/OpenIddict.Core/Stores/IOpenIddictAuthorizationStore.cs
View File

@ -4,6 +4,7 @@
* the license and the contributors participating to this project.
*/
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using JetBrains.Annotations;
@ -26,6 +27,20 @@ namespace OpenIddict.Core
/// </returns>
Task<TAuthorization> CreateAsync([NotNull] TAuthorization authorization, CancellationToken cancellationToken);
/// <summary>
/// Creates a new authorization.
/// </summary>
/// <param name="subject">The subject associated with the authorization.</param>
/// <param name="client">The client associated with the authorization.</param>
/// <param name="scopes">The scopes associated with the authorization.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation, whose result returns the authorization.
/// </returns>
Task<TAuthorization> CreateAsync(
[NotNull] string subject, [NotNull] string client,
[NotNull] IEnumerable<string> scopes, CancellationToken cancellationToken);
/// <summary>
/// Retrieves an authorization using its unique identifier.
/// </summary>
@ -60,6 +75,17 @@ namespace OpenIddict.Core
/// </returns>
Task<string> GetIdAsync([NotNull] TAuthorization authorization, CancellationToken cancellationToken);
/// <summary>
/// Retrieves the status associated with an authorization.
/// </summary>
/// <param name="authorization">The authorization.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation,
/// whose result returns the status associated with the specified authorization.
/// </returns>
Task<string> GetStatusAsync([NotNull] TAuthorization authorization, CancellationToken cancellationToken);
/// <summary>
/// Retrieves the subject associated with an authorization.
/// </summary>
@ -70,5 +96,26 @@ namespace OpenIddict.Core
/// whose result returns the subject associated with the specified authorization.
/// </returns>
Task<string> GetSubjectAsync([NotNull] TAuthorization authorization, CancellationToken cancellationToken);
/// <summary>
/// Sets the status associated with an authorization.
/// </summary>
/// <param name="authorization">The authorization.</param>
/// <param name="status">The status associated with the authorization.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation.
/// </returns>
Task SetStatusAsync([NotNull] TAuthorization authorization, [NotNull] string status, CancellationToken cancellationToken);
/// <summary>
/// Updates an existing authorization.
/// </summary>
/// <param name="authorization">The authorization to update.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation.
/// </returns>
Task UpdateAsync([NotNull] TAuthorization authorization, CancellationToken cancellationToken);
}
}

106
src/OpenIddict.Core/Stores/IOpenIddictTokenStore.cs
View File

@ -37,6 +37,51 @@ namespace OpenIddict.Core
/// </returns>
Task<TToken> CreateAsync([NotNull] string type, [NotNull] string subject, CancellationToken cancellationToken);
/// <summary>
/// Creates a new reference token, which is associated with a particular subject.
/// </summary>
/// <param name="type">The token type.</param>
/// <param name="subject">The subject associated with the token.</param>
/// <param name="hash">The hash of the crypto-secure random identifier associated with the token.</param>
/// <param name="ciphertext">The ciphertext associated with the token.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation, whose result returns the token.
/// </returns>
Task<TToken> CreateAsync(
[NotNull] string type, [NotNull] string subject, [NotNull] string hash,
[NotNull] string ciphertext, CancellationToken cancellationToken);
/// <summary>
/// Removes a token.
/// </summary>
/// <param name="token">The token to delete.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>A <see cref="Task"/> that can be used to monitor the asynchronous operation.</returns>
Task DeleteAsync([NotNull] TToken token, CancellationToken cancellationToken);
/// <summary>
/// Retrieves the list of tokens corresponding to the specified authorization identifier.
/// </summary>
/// <param name="identifier">The authorization identifier associated with the tokens.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation,
/// whose result returns the tokens corresponding to the specified authorization.
/// </returns>
Task<TToken[]> FindByAuthorizationIdAsync(string identifier, CancellationToken cancellationToken);
/// <summary>
/// Retrieves the list of tokens corresponding to the specified hash.
/// </summary>
/// <param name="hash">The hashed crypto-secure random identifier associated with the tokens.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation,
/// whose result returns the tokens corresponding to the specified hash.
/// </returns>
Task<TToken> FindByHashAsync(string hash, CancellationToken cancellationToken);
/// <summary>
/// Retrieves an token using its unique identifier.
/// </summary>
@ -59,6 +104,39 @@ namespace OpenIddict.Core
/// </returns>
Task<TToken[]> FindBySubjectAsync(string subject, CancellationToken cancellationToken);
/// <summary>
/// Retrieves the optional authorization identifier associated with a token.
/// </summary>
/// <param name="token">The token.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation,
/// whose result returns the authorization identifier associated with the token.
/// </returns>
Task<string> GetAuthorizationIdAsync([NotNull] TToken token, CancellationToken cancellationToken);
/// <summary>
/// Retrieves the ciphertext associated with a token.
/// </summary>
/// <param name="token">The token.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation,
/// whose result returns the ciphertext associated with the specified token.
/// </returns>
Task<string> GetCiphertextAsync([NotNull] TToken token, CancellationToken cancellationToken);
/// <summary>
/// Retrieves the hashed identifier associated with a token.
/// </summary>
/// <param name="token">The token.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation,
/// whose result returns the hashed identifier associated with the specified token.
/// </returns>
Task<string> GetHashAsync([NotNull] TToken token, CancellationToken cancellationToken);
/// <summary>
/// Retrieves the unique identifier associated with a token.
/// </summary>
@ -71,15 +149,15 @@ namespace OpenIddict.Core
Task<string> GetIdAsync([NotNull] TToken token, CancellationToken cancellationToken);
/// <summary>
/// Retrieves the token type associated with a token.
/// Retrieves the status associated with a token.
/// </summary>
/// <param name="token">The token.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation,
/// whose result returns the token type associated with the specified token.
/// whose result returns the status associated with the specified token.
/// </returns>
Task<string> GetTokenTypeAsync([NotNull] TToken token, CancellationToken cancellationToken);
Task<string> GetStatusAsync([NotNull] TToken token, CancellationToken cancellationToken);
/// <summary>
/// Retrieves the subject associated with a token.
@ -93,12 +171,15 @@ namespace OpenIddict.Core
Task<string> GetSubjectAsync([NotNull] TToken token, CancellationToken cancellationToken);
/// <summary>
/// Revokes a token.
/// Retrieves the token type associated with a token.
/// </summary>
/// <param name="token">The token to revoke.</param>
/// <param name="token">The token.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>A <see cref="Task"/> that can be used to monitor the asynchronous operation.</returns>
Task RevokeAsync([NotNull] TToken token, CancellationToken cancellationToken);
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation,
/// whose result returns the token type associated with the specified token.
/// </returns>
Task<string> GetTokenTypeAsync([NotNull] TToken token, CancellationToken cancellationToken);
/// <summary>
/// Sets the authorization associated with a token.
@ -122,6 +203,17 @@ namespace OpenIddict.Core
/// </returns>
Task SetClientAsync([NotNull] TToken token, [CanBeNull] string identifier, CancellationToken cancellationToken);
/// <summary>
/// Sets the status associated with a token.
/// </summary>
/// <param name="token">The token.</param>
/// <param name="status">The status associated with the authorization.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation.
/// </returns>
Task SetStatusAsync([NotNull] TToken token, [NotNull] string status, CancellationToken cancellationToken);
/// <summary>
/// Updates an existing token.
/// </summary>

3
src/OpenIddict.EntityFrameworkCore/OpenIddictExtensions.cs
View File

@ -264,6 +264,9 @@ namespace Microsoft.Extensions.DependencyInjection
{
entity.HasKey(token => token.Id);
entity.HasIndex(token => token.Hash)
.IsUnique(unique: true);
entity.ToTable("OpenIddictTokens");
});

95
src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictAuthorizationStore.cs
View File

@ -5,6 +5,7 @@
*/
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Linq;
using System.Threading;
@ -104,6 +105,48 @@ namespace OpenIddict.EntityFrameworkCore
return authorization;
}
/// <summary>
/// Creates a new authorization.
/// </summary>
/// <param name="subject">The subject associated with the authorization.</param>
/// <param name="client">The client associated with the authorization.</param>
/// <param name="scopes">The scopes associated with the authorization.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation, whose result returns the authorization.
/// </returns>
public virtual async Task<TAuthorization> CreateAsync(
[NotNull] string subject, [NotNull] string client,
[NotNull] IEnumerable<string> scopes, CancellationToken cancellationToken)
{
if (string.IsNullOrEmpty(subject))
{
throw new ArgumentException("The subject cannot be null or empty.", nameof(subject));
}
if (string.IsNullOrEmpty(client))
{
throw new ArgumentException("The client cannot be null or empty.", nameof(subject));
}
var key = ConvertIdentifierFromString(client);
var application = await Applications.SingleOrDefaultAsync(entity => entity.Id.Equals(key));
if (application == null)
{
throw new InvalidOperationException("The application associated with the authorization cannot be found.");
}
var authorization = new TAuthorization
{
Application = application,
Scope = string.Join(" ", scopes),
Subject = subject
};
return await CreateAsync(authorization, cancellationToken);
}
/// <summary>
/// Retrieves an authorization using its associated subject/client.
/// </summary>
@ -160,6 +203,20 @@ namespace OpenIddict.EntityFrameworkCore
return Task.FromResult(ConvertIdentifierToString(authorization.Id));
}
/// <summary>
/// Retrieves the status associated with an authorization.
/// </summary>
/// <param name="authorization">The authorization.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation,
/// whose result returns the status associated with the specified authorization.
/// </returns>
public virtual Task<string> GetStatusAsync([NotNull] TAuthorization authorization, CancellationToken cancellationToken)
{
return Task.FromResult(authorization.Status);
}
/// <summary>
/// Retrieves the subject associated with an authorization.
/// </summary>
@ -179,6 +236,44 @@ namespace OpenIddict.EntityFrameworkCore
return Task.FromResult(authorization.Subject);
}
/// <summary>
/// Sets the status associated with an authorization.
/// </summary>
/// <param name="authorization">The authorization.</param>
/// <param name="status">The status associated with the authorization.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation.
/// </returns>
public virtual Task SetStatusAsync([NotNull] TAuthorization authorization, [NotNull] string status, CancellationToken cancellationToken)
{
authorization.Status = status;
return Task.CompletedTask;
}
/// <summary>
/// Updates an existing authorization.
/// </summary>
/// <param name="authorization">The authorization to update.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation.
/// </returns>
public virtual async Task UpdateAsync([NotNull] TAuthorization authorization, CancellationToken cancellationToken)
{
Context.Attach(authorization);
Context.Update(authorization);
try
{
await Context.SaveChangesAsync(cancellationToken);
}
catch (DbUpdateConcurrencyException) { }
}
/// <summary>
/// Converts the provided identifier to a strongly typed key object.
/// </summary>

207
src/OpenIddict.EntityFrameworkCore/Stores/OpenIddictTokenStore.cs
View File

@ -125,7 +125,107 @@ namespace OpenIddict.EntityFrameworkCore
throw new ArgumentException("The token type cannot be null or empty.");
}
return CreateAsync(new TToken { Subject = subject, Type = type }, cancellationToken);
if (string.IsNullOrEmpty(subject))
{
throw new ArgumentException("The subject cannot be null or empty.");
}
var token = new TToken
{
Subject = subject,
Type = type
};
return CreateAsync(token, cancellationToken);
}
/// <summary>
/// Creates a new reference token, which is associated with a particular subject.
/// </summary>
/// <param name="type">The token type.</param>
/// <param name="subject">The subject associated with the token.</param>
/// <param name="hash">The hash of the crypto-secure random identifier associated with the token.</param>
/// <param name="ciphertext">The ciphertext associated with the token.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation, whose result returns the token.
/// </returns>
public virtual Task<TToken> CreateAsync(
[NotNull] string type, [NotNull] string subject, [NotNull] string hash,
[NotNull] string ciphertext, CancellationToken cancellationToken)
{
if (string.IsNullOrEmpty(type))
{
throw new ArgumentException("The token type cannot be null or empty.");
}
if (string.IsNullOrEmpty(subject))
{
throw new ArgumentException("The subject cannot be null or empty.");
}
var token = new TToken
{
Ciphertext = ciphertext,
Hash = hash,
Subject = subject,
Type = type
};
return CreateAsync(token, cancellationToken);
}
/// <summary>
/// Removes a token.
/// </summary>
/// <param name="token">The token to delete.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>A <see cref="Task"/> that can be used to monitor the asynchronous operation.</returns>
public virtual async Task DeleteAsync([NotNull] TToken token, CancellationToken cancellationToken)
{
if (token == null)
{
throw new ArgumentNullException(nameof(token));
}
Context.Remove(token);
try
{
await Context.SaveChangesAsync(cancellationToken);
}
catch (DbUpdateConcurrencyException) { }
}
/// <summary>
/// Retrieves the list of tokens corresponding to the specified authorization identifier.
/// </summary>
/// <param name="identifier">The authorization identifier associated with the tokens.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation,
/// whose result returns the tokens corresponding to the specified authorization.
/// </returns>
public virtual Task<TToken[]> FindByAuthorizationIdAsync(string identifier, CancellationToken cancellationToken)
{
var key = ConvertIdentifierFromString(identifier);
return Tokens.Where(token => token.Authorization.Id.Equals(key)).ToArrayAsync(cancellationToken);
}
/// <summary>
/// Retrieves the list of tokens corresponding to the specified hash.
/// </summary>
/// <param name="hash">The hashed crypto-secure random identifier associated with the tokens.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation,
/// whose result returns the tokens corresponding to the specified hash.
/// </returns>
public virtual Task<TToken> FindByHashAsync(string hash, CancellationToken cancellationToken)
{
return Tokens.SingleOrDefaultAsync(token => token.Hash == hash, cancellationToken);
}
/// <summary>
@ -158,6 +258,67 @@ namespace OpenIddict.EntityFrameworkCore
return Tokens.Where(token => token.Subject == subject).ToArrayAsync();
}
/// <summary>
/// Retrieves the optional authorization identifier associated with a token.
/// </summary>
/// <param name="token">The token.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation,
/// whose result returns the authorization identifier associated with the token.
/// </returns>
public virtual async Task<string> GetAuthorizationIdAsync([NotNull] TToken token, CancellationToken cancellationToken)
{
if (token == null)
{
throw new ArgumentNullException(nameof(token));
}
var key = await (from authorization in Authorizations
where authorization.Tokens.Any(entity => entity.Id.Equals(token.Id))
select authorization.Id).SingleOrDefaultAsync();
return ConvertIdentifierToString(key);
}
/// <summary>
/// Retrieves the ciphertext associated with a token.
/// </summary>
/// <param name="token">The token.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation,
/// whose result returns the ciphertext associated with the specified token.
/// </returns>
public virtual Task<string> GetCiphertextAsync([NotNull] TToken token, CancellationToken cancellationToken)
{
if (token == null)
{
throw new ArgumentNullException(nameof(token));
}
return Task.FromResult(token.Ciphertext);
}
/// <summary>
/// Retrieves the hashed identifier associated with a token.
/// </summary>
/// <param name="token">The token.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation,
/// whose result returns the hashed identifier associated with the specified token.
/// </returns>
public virtual Task<string> GetHashAsync([NotNull] TToken token, CancellationToken cancellationToken)
{
if (token == null)
{
throw new ArgumentNullException(nameof(token));
}
return Task.FromResult(token.Hash);
}
/// <summary>
/// Retrieves the unique identifier associated with a token.
/// </summary>
@ -178,22 +339,22 @@ namespace OpenIddict.EntityFrameworkCore
}
/// <summary>
/// Retrieves the token type associated with a token.
/// Retrieves the status associated with a token.
/// </summary>
/// <param name="token">The token.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation,
/// whose result returns the token type associated with the specified token.
/// whose result returns the status associated with the specified token.
/// </returns>
public virtual Task<string> GetTokenTypeAsync([NotNull] TToken token, CancellationToken cancellationToken)
public virtual Task<string> GetStatusAsync([NotNull] TToken token, CancellationToken cancellationToken)
{
if (token == null)
{
throw new ArgumentNullException(nameof(token));
}
return Task.FromResult(token.Type);
return Task.FromResult(token.Status);
}
/// <summary>
@ -216,26 +377,22 @@ namespace OpenIddict.EntityFrameworkCore
}
/// <summary>
/// Revokes a token.
/// Retrieves the token type associated with a token.
/// </summary>
/// <param name="token">The token to revoke.</param>
/// <param name="token">The token.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>A <see cref="Task"/> that can be used to monitor the asynchronous operation.</returns>
public virtual async Task RevokeAsync([NotNull] TToken token, CancellationToken cancellationToken)
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation,
/// whose result returns the token type associated with the specified token.
/// </returns>
public virtual Task<string> GetTokenTypeAsync([NotNull] TToken token, CancellationToken cancellationToken)
{
if (token == null)
{
throw new ArgumentNullException(nameof(token));
}
Context.Remove(token);
try
{
await Context.SaveChangesAsync(cancellationToken);
}
catch (DbUpdateConcurrencyException) { }
return Task.FromResult(token.Type);
}
/// <summary>
@ -324,6 +481,22 @@ namespace OpenIddict.EntityFrameworkCore
}
}
/// <summary>
/// Sets the status associated with a token.
/// </summary>
/// <param name="token">The token.</param>
/// <param name="status">The status associated with the authorization.</param>
/// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
/// <returns>
/// A <see cref="Task"/> that can be used to monitor the asynchronous operation.
/// </returns>
public virtual Task SetStatusAsync([NotNull] TToken token, [NotNull] string status, CancellationToken cancellationToken)
{
token.Status = status;
return Task.CompletedTask;
}
/// <summary>
/// Updates an existing token.
/// </summary>

5
src/OpenIddict.Models/OpenIddictAuthorization.cs
View File

@ -50,6 +50,11 @@ namespace OpenIddict.Models
/// </summary>
public virtual string Scope { get; set; }
/// <summary>
/// Gets or sets the status of the current authorization.
/// </summary>
public virtual string Status { get; set; } = "valid";
/// <summary>
/// Gets or sets the subject associated with the current authorization.
/// </summary>

19
src/OpenIddict.Models/OpenIddictToken.cs
View File

@ -43,12 +43,31 @@ namespace OpenIddict.Models
/// </summary>
public virtual TAuthorization Authorization { get; set; }
/// <summary>
/// Gets or sets the encrypted payload
/// of the current token, if applicable.
/// This property is only used for reference tokens.
/// </summary>
public virtual string Ciphertext { get; set; }
/// <summary>
/// Gets or sets the hashed identifier associated
/// with the current token, if applicable.
/// This property is only used for reference tokens.
/// </summary>
public virtual string Hash { get; set; }
/// <summary>
/// Gets or sets the unique identifier
/// associated with the current token.
/// </summary>
public virtual TKey Id { get; set; }
/// <summary>
/// Gets or sets the status of the current token.
/// </summary>
public virtual string Status { get; set; } = "valid";
/// <summary>
/// Gets or sets the subject associated with the current token.
/// </summary>

21
src/OpenIddict/OpenIddictExtensions.cs
View File

@ -890,5 +890,26 @@ namespace Microsoft.AspNetCore.Builder
};
});
}
/// <summary>
/// Configures OpenIddict to use reference tokens, so that authorization codes,
/// access tokens and refresh tokens are stored as ciphertext in the database
/// (only an identifier is returned to the client application). Enabling this option
/// is useful to keep track of all the issued tokens, when storing a very large
/// number of claims in the authorization codes, access tokens and refresh tokens
/// or when immediate revocation of reference access tokens is desired.
/// Note: this option cannot be used when configuring JWT as the access token format.
/// </summary>
/// <param name="builder">The services builder used by OpenIddict to register new services.</param>
/// <returns>The <see cref="OpenIddictBuilder"/>.</returns>
public static OpenIddictBuilder UseReferenceTokens([NotNull] this OpenIddictBuilder builder)
{
if (builder == null)
{
throw new ArgumentNullException(nameof(builder));
}
return builder.Configure(options => options.UseReferenceTokens = true);
}
}
}

72
src/OpenIddict/OpenIddictInitializer.cs
View File

@ -8,7 +8,10 @@ using System;
using System.ComponentModel;
using System.Linq;
using AspNet.Security.OpenIdConnect.Primitives;
using AspNet.Security.OpenIdConnect.Server;
using JetBrains.Annotations;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.Caching.Distributed;
using Microsoft.Extensions.Options;
using Microsoft.IdentityModel.Tokens;
@ -23,13 +26,17 @@ namespace OpenIddict
public class OpenIddictInitializer : IPostConfigureOptions<OpenIddictOptions>
{
private readonly IDistributedCache _cache;
private readonly IDataProtectionProvider _dataProtectionProvider;
/// <summary>
/// Creates a new instance of the <see cref="OpenIddictInitializer"/> class.
/// </summary>
public OpenIddictInitializer([NotNull] IDistributedCache cache)
public OpenIddictInitializer(
[NotNull] IDistributedCache cache,
[NotNull] IDataProtectionProvider dataProtectionProvider)
{
_cache = cache;
_dataProtectionProvider = dataProtectionProvider;
}
/// <summary>
@ -50,6 +57,11 @@ namespace OpenIddict
throw new ArgumentException("The options instance name cannot be null or empty.", nameof(name));
}
if (options.RandomNumberGenerator == null)
{
throw new InvalidOperationException("A random number generator must be registered.");
}
// When no distributed cache has been registered in the options,
// try to resolve it from the dependency injection container.
if (options.Cache == null)
@ -57,6 +69,52 @@ namespace OpenIddict
options.Cache = _cache;
}
// If OpenIddict was configured to use reference tokens, replace the default access tokens/
// authorization codes/refresh tokens formats using a specific data protector to ensure
// that encrypted tokens stored in the database cannot be treated as valid tokens if the
// reference tokens option is later turned off by the developer.
if (options.UseReferenceTokens)
{
// Note: a default data protection provider is always registered by
// the OpenID Connect server handler when none is explicitly set but
// this initializer is registered to be invoked before ASOS' initializer.
// To ensure the provider property is never null, it's manually set here.
if (options.DataProtectionProvider == null)
{
options.DataProtectionProvider = _dataProtectionProvider;
}
if (options.AccessTokenFormat == null)
{
var protector = options.DataProtectionProvider.CreateProtector(
nameof(OpenIdConnectServerHandler),
nameof(options.AccessTokenFormat),
nameof(options.UseReferenceTokens), name);
options.AccessTokenFormat = new TicketDataFormat(protector);
}
if (options.AuthorizationCodeFormat == null)
{
var protector = options.DataProtectionProvider.CreateProtector(
nameof(OpenIdConnectServerHandler),
nameof(options.AuthorizationCodeFormat),
nameof(options.UseReferenceTokens), name);
options.AuthorizationCodeFormat = new TicketDataFormat(protector);
}
if (options.RefreshTokenFormat == null)
{
var protector = options.DataProtectionProvider.CreateProtector(
nameof(OpenIdConnectServerHandler),
nameof(options.RefreshTokenFormat),
nameof(options.UseReferenceTokens), name);
options.RefreshTokenFormat = new TicketDataFormat(protector);
}
}
// Ensure at least one flow has been enabled.
if (options.GrantTypes.Count == 0)
{
@ -88,6 +146,18 @@ namespace OpenIddict
throw new InvalidOperationException("The revocation endpoint cannot be enabled when token revocation is disabled.");
}
if (options.UseReferenceTokens && options.DisableTokenRevocation)
{
throw new InvalidOperationException(
"Reference tokens cannot be used when disabling token revocation.");
}
if (options.UseReferenceTokens && options.AccessTokenHandler != null)
{
throw new InvalidOperationException(
"Reference tokens cannot be used when configuring JWT as the access token format.");
}
if (options.AccessTokenHandler != null && options.SigningCredentials.Count == 0)
{
throw new InvalidOperationException(

18
src/OpenIddict/OpenIddictOptions.cs
View File

@ -6,6 +6,7 @@
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using AspNet.Security.OpenIdConnect.Server;
using Microsoft.Extensions.Caching.Distributed;
@ -54,11 +55,28 @@ namespace OpenIddict
/// </summary>
public ISet<string> GrantTypes { get; } = new HashSet<string>(StringComparer.Ordinal);
/// <summary>
/// Gets or sets the random number generator used to generate crypto-secure identifiers.
/// </summary>
public RandomNumberGenerator RandomNumberGenerator { get; set; } = RandomNumberGenerator.Create();
/// <summary>
/// Gets or sets a boolean determining whether client identification is required.
/// Enabling this option requires registering a client application and sending a
/// valid client_id when communicating with the token and revocation endpoints.
/// </summary>
public bool RequireClientIdentification { get; set; }
/// <summary>
/// Gets or sets a boolean indicating whether reference tokens should be used.
/// When set to <c>true</c>, authorization codes, access tokens and refresh tokens
/// are stored as ciphertext in the database and a crypto-secure random identifier
/// is returned to the client application. Enabling this option is useful
/// to keep track of all the issued tokens, when storing a very large number
/// of claims in the authorization codes, access tokens and refresh tokens
/// or when immediate revocation of reference access tokens is desired.
/// Note: this option cannot be used when configuring JWT as the access token format.
/// </summary>
public bool UseReferenceTokens { get; set; }
}
}

125
src/OpenIddict/OpenIddictProvider.Exchange.cs
View File

@ -11,6 +11,7 @@ using AspNet.Security.OpenIdConnect.Primitives;
using AspNet.Security.OpenIdConnect.Server;
using JetBrains.Annotations;
using Microsoft.Extensions.Logging;
using OpenIddict.Core;
namespace OpenIddict
{
@ -197,56 +198,108 @@ namespace OpenIddict
{
var options = (OpenIddictOptions) context.Options;
if (!options.DisableTokenRevocation && (context.Request.IsAuthorizationCodeGrantType() ||
context.Request.IsRefreshTokenGrantType()))
if (options.DisableTokenRevocation || (!context.Request.IsAuthorizationCodeGrantType() &&
!context.Request.IsRefreshTokenGrantType()))
{
Debug.Assert(context.Ticket != null, "The authentication ticket shouldn't be null.");
// Invoke the rest of the pipeline to allow
// the user code to handle the token request.
context.SkipHandler();
// Extract the token identifier from the authentication ticket.
var identifier = context.Ticket.GetProperty(OpenIdConnectConstants.Properties.TokenId);
Debug.Assert(!string.IsNullOrEmpty(identifier), "The authentication ticket should contain a ticket identifier.");
return;
}
Debug.Assert(context.Ticket != null, "The authentication ticket shouldn't be null.");
if (context.Request.IsAuthorizationCodeGrantType())
// Extract the token identifier from the authentication ticket.
var identifier = context.Ticket.GetProperty(OpenIdConnectConstants.Properties.TokenId);
Debug.Assert(!string.IsNullOrEmpty(identifier), "The authentication ticket should contain a ticket identifier.");
if (context.Request.IsAuthorizationCodeGrantType())
{
// Retrieve the authorization code from the database and ensure it is still valid.
var token = await Tokens.FindByIdAsync(identifier, context.HttpContext.RequestAborted);
if (token == null)
{
// Retrieve the token from the database and ensure it is still valid.
var token = await Tokens.FindByIdAsync(identifier, context.HttpContext.RequestAborted);
if (token == null)
{
Logger.LogError("The token request was rejected because the authorization code was revoked.");
Logger.LogError("The token request was rejected because the authorization code was no longer valid.");
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "The authorization code is no longer valid.");
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "The specified authorization code is no longer valid.");
return;
return;
}
// If the authorization code is already marked as redeemed, this may indicate that the authorization
// code was compromised. In this case, revoke the authorization and all the associated tokens.
// See https://tools.ietf.org/html/rfc6749#section-10.5 for more information.
if (await Tokens.IsRedeemedAsync(token, context.HttpContext.RequestAborted))
{
var key = context.Ticket.GetProperty(OpenIddictConstants.Properties.AuthorizationId);
if (!string.IsNullOrEmpty(key))
{
var authorization = await Authorizations.FindByIdAsync(key, context.HttpContext.RequestAborted);
if (authorization != null)
{
Logger.LogInformation("The authorization '{Identifier}' was automatically revoked.", key);
await Authorizations.RevokeAsync(authorization, context.HttpContext.RequestAborted);
}
var tokens = await Tokens.FindByAuthorizationIdAsync(key, context.HttpContext.RequestAborted);
for (var index = 0; index < tokens.Length; index++)
{
Logger.LogInformation("The compromised token '{Identifier}' was automatically revoked.",
await Tokens.GetIdAsync(tokens[index], context.HttpContext.RequestAborted));
await Tokens.RevokeAsync(tokens[index], context.HttpContext.RequestAborted);
}
}
// Revoke the authorization code to prevent token reuse.
await Tokens.RevokeAsync(token, context.HttpContext.RequestAborted);
Logger.LogError("The token request was rejected because the authorization code was already redeemed.");
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "The specified authorization code has already been redemeed.");
return;
}
else if (context.Request.IsRefreshTokenGrantType())
else if (!await Tokens.IsValidAsync(token, context.HttpContext.RequestAborted))
{
// Retrieve the token from the database and ensure it is still valid.
var token = await Tokens.FindByIdAsync(identifier, context.HttpContext.RequestAborted);
if (token == null)
{
Logger.LogError("The token request was rejected because the refresh token was revoked.");
Logger.LogError("The token request was rejected because the authorization code was no longer valid.");
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "The refresh token is no longer valid.");
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "The specified authorization code is no longer valid.");
return;
}
return;
}
// When sliding expiration is enabled, immediately
// revoke the refresh token to prevent future reuse.
// See https://tools.ietf.org/html/rfc6749#section-6.
if (context.Options.UseSlidingExpiration)
{
await Tokens.RevokeAsync(token, context.HttpContext.RequestAborted);
}
// Mark the authorization code as redeemed to prevent token reuse.
await Tokens.RedeemAsync(token, context.HttpContext.RequestAborted);
}
else
{
// Retrieve the token from the database and ensure it is still valid.
var token = await Tokens.FindByIdAsync(identifier, context.HttpContext.RequestAborted);
if (token == null || !await Tokens.IsValidAsync(token, context.HttpContext.RequestAborted))
{
Logger.LogError("The token request was rejected because the refresh token was no longer valid.");
context.Reject(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "The specified refresh token is no longer valid.");
return;
}
// When sliding expiration is enabled, immediately
// redeem the refresh token to prevent future reuse.
// See https://tools.ietf.org/html/rfc6749#section-6.
if (options.UseSlidingExpiration)
{
await Tokens.RedeemAsync(token, context.HttpContext.RequestAborted);
}
}

9
src/OpenIddict/OpenIddictProvider.Introspection.cs
View File

@ -116,13 +116,18 @@ namespace OpenIddict
return;
}
if (options.DisableTokenRevocation)
{
return;
}
// When the received ticket is revocable, ensure it is still valid.
if (!options.DisableTokenRevocation && (context.Ticket.IsAuthorizationCode() || context.Ticket.IsRefreshToken()))
if (options.UseReferenceTokens || context.Ticket.IsAuthorizationCode() || context.Ticket.IsRefreshToken())
{
// Retrieve the token from the database using the unique identifier stored in the authentication ticket:
// if the corresponding entry cannot be found, return Active = false to indicate that is is no longer valid.
var token = await Tokens.FindByIdAsync(identifier, context.HttpContext.RequestAborted);
if (token == null)
if (token == null || !await Tokens.IsValidAsync(token, context.HttpContext.RequestAborted))
{
Logger.LogInformation("The token {Identifier} was declared as inactive because " +
"it was revoked.", identifier);

50
src/OpenIddict/OpenIddictProvider.Revocation.cs
View File

@ -24,16 +24,28 @@ namespace OpenIddict
Debug.Assert(!options.DisableTokenRevocation, "Token revocation support shouldn't be disabled at this stage.");
// When token_type_hint is specified, reject the request if it doesn't correspond to a revocable token.
if (!string.IsNullOrEmpty(context.Request.TokenTypeHint) &&
!string.Equals(context.Request.TokenTypeHint, OpenIdConnectConstants.TokenTypeHints.AuthorizationCode) &&
!string.Equals(context.Request.TokenTypeHint, OpenIdConnectConstants.TokenTypeHints.RefreshToken))
if (!string.IsNullOrEmpty(context.Request.TokenTypeHint))
{
context.Reject(
error: OpenIdConnectConstants.Errors.UnsupportedTokenType,
description: "Only authorization codes and refresh tokens can be revoked. When specifying a token_type_hint " +
"parameter, its value must be equal to 'authorization_code' or 'refresh_token'.");
if (string.Equals(context.Request.TokenTypeHint, OpenIdConnectConstants.TokenTypeHints.IdToken))
{
context.Reject(
error: OpenIdConnectConstants.Errors.UnsupportedTokenType,
description: "Identity tokens cannot be revoked. When specifying a token_type_hint parameter, " +
"its value must be equal to 'access_token', 'authorization_code' or 'refresh_token'.");
return;
return;
}
if (!options.UseReferenceTokens &&
string.Equals(context.Request.TokenTypeHint, OpenIdConnectConstants.TokenTypeHints.AccessToken))
{
context.Reject(
error: OpenIdConnectConstants.Errors.UnsupportedTokenType,
description: "Access tokens cannot be revoked. When specifying a token_type_hint parameter, " +
"its value must be equal to 'authorization_code' or 'refresh_token'.");
return;
}
}
// Skip client authentication if the client identifier is missing or reject
@ -123,17 +135,31 @@ namespace OpenIddict
public override async Task HandleRevocationRequest([NotNull] HandleRevocationRequestContext context)
{
var options = (OpenIddictOptions) context.Options;
Debug.Assert(context.Ticket != null, "The authentication ticket shouldn't be null.");
// If the received token is not an authorization code or a refresh token,
// return an error to indicate that the token cannot be revoked.
if (!context.Ticket.IsAuthorizationCode() && !context.Ticket.IsRefreshToken())
if (context.Ticket.IsIdentityToken())
{
Logger.LogError("The revocation request was rejected because identity tokens are not revocable.");
context.Reject(
error: OpenIdConnectConstants.Errors.UnsupportedTokenType,
description: "Identity tokens cannot be revoked.");
return;
}
// If the received token is an access token, return an error if reference tokens are not enabled.
if (!options.UseReferenceTokens && context.Ticket.IsAccessToken())
{
Logger.LogError("The revocation request was rejected because the token was not revocable.");
Logger.LogError("The revocation request was rejected because the access token was not revocable.");
context.Reject(
error: OpenIdConnectConstants.Errors.UnsupportedTokenType,
description: "Only authorization codes and refresh tokens can be revoked.");
description: "The specified access token cannot be revoked.");
return;
}
@ -145,7 +171,7 @@ namespace OpenIddict
// Retrieve the token from the database. If the token cannot be found,
// assume it is invalid and consider the revocation as successful.
var token = await Tokens.FindByIdAsync(identifier, context.HttpContext.RequestAborted);
if (token == null)
if (token == null || await Tokens.IsRevokedAsync(token, context.HttpContext.RequestAborted))
{
Logger.LogInformation("The token '{Identifier}' was already revoked.", identifier);

387
src/OpenIddict/OpenIddictProvider.Serialization.cs
View File

@ -6,11 +6,16 @@
using System;
using System.Diagnostics;
using System.Security.Cryptography;
using System.Threading;
using System.Threading.Tasks;
using AspNet.Security.OpenIdConnect.Extensions;
using AspNet.Security.OpenIdConnect.Primitives;
using AspNet.Security.OpenIdConnect.Server;
using JetBrains.Annotations;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Logging;
using Microsoft.IdentityModel.Tokens;
using OpenIddict.Core;
namespace OpenIddict
@ -18,108 +23,358 @@ namespace OpenIddict
public partial class OpenIddictProvider<TApplication, TAuthorization, TScope, TToken> : OpenIdConnectServerProvider
where TApplication : class where TAuthorization : class where TScope : class where TToken : class
{
public override async Task SerializeAuthorizationCode([NotNull] SerializeAuthorizationCodeContext context)
public override async Task DeserializeAccessToken([NotNull] DeserializeAccessTokenContext context)
{
var options = (OpenIddictOptions) context.Options;
if (!options.UseReferenceTokens)
{
return;
}
Debug.Assert(!string.IsNullOrEmpty(context.Request.ClientId), "The client identifier shouldn't be null or empty.");
var ticket = await ReceiveTokenAsync(context.AccessToken, options, context.Request,
context.DataFormat, context.HttpContext.RequestAborted);
if (!options.DisableTokenRevocation)
// If a valid ticket was returned by ReceiveTokenAsync(),
// force the OpenID Connect server middleware to use it.
if (ticket != null)
{
// Resolve the subject from the authentication ticket. If it cannot be found, throw an exception.
var subject = context.Ticket.Principal.GetClaim(OpenIdConnectConstants.Claims.Subject);
if (string.IsNullOrEmpty(subject))
{
throw new InvalidOperationException("The subject associated with the authentication ticket cannot be retrieved.");
}
context.Ticket = ticket;
context.HandleDeserialization();
}
// Otherwise, let the OpenID Connect server middleware
// deserialize the token using its default internal logic.
}
public override async Task DeserializeAuthorizationCode([NotNull] DeserializeAuthorizationCodeContext context)
{
var options = (OpenIddictOptions) context.Options;
if (!options.UseReferenceTokens)
{
return;
}
var ticket = await ReceiveTokenAsync(context.AuthorizationCode, options, context.Request,
context.DataFormat, context.HttpContext.RequestAborted);
// If a valid ticket was returned by ReceiveTokenAsync(),
// force the OpenID Connect server middleware to use it.
if (ticket != null)
{
context.Ticket = ticket;
context.HandleDeserialization();
}
// Otherwise, let the OpenID Connect server middleware
// deserialize the token using its default internal logic.
}
public override async Task DeserializeRefreshToken([NotNull] DeserializeRefreshTokenContext context)
{
var options = (OpenIddictOptions) context.Options;
if (!options.UseReferenceTokens)
{
return;
}
var ticket = await ReceiveTokenAsync(context.RefreshToken, options, context.Request,
context.DataFormat, context.HttpContext.RequestAborted);
// If a valid ticket was returned by ReceiveTokenAsync(),
// force the OpenID Connect server middleware to use it.
if (ticket != null)
{
context.Ticket = ticket;
context.HandleDeserialization();
}
// Otherwise, let the OpenID Connect server middleware
// deserialize the token using its default internal logic.
}
public override async Task SerializeAccessToken([NotNull] SerializeAccessTokenContext context)
{
var token = await CreateTokenAsync(OpenIdConnectConstants.TokenUsages.AccessToken,
(OpenIddictOptions) context.Options, context.Request, context.DataFormat,
context.Ticket, context.HttpContext.RequestAborted);
// If a reference token was returned by CreateTokenAsync(),
// force the OpenID Connect server middleware to use it.
if (!string.IsNullOrEmpty(token))
{
context.AccessToken = token;
context.HandleSerialization();
}
// Otherwise, let the OpenID Connect server middleware
// serialize the token using its default internal logic.
}
public override async Task SerializeAuthorizationCode([NotNull] SerializeAuthorizationCodeContext context)
{
var token = await CreateTokenAsync(OpenIdConnectConstants.TokenUsages.AuthorizationCode,
(OpenIddictOptions) context.Options, context.Request, context.DataFormat,
context.Ticket, context.HttpContext.RequestAborted);
// If a reference token was returned by CreateTokenAsync(),
// force the OpenID Connect server middleware to use it.
if (!string.IsNullOrEmpty(token))
{
context.AuthorizationCode = token;
context.HandleSerialization();
}
// Otherwise, let the OpenID Connect server middleware
// serialize the token using its default internal logic.
}
public override async Task SerializeRefreshToken([NotNull] SerializeRefreshTokenContext context)
{
var token = await CreateTokenAsync(OpenIdConnectConstants.TokenUsages.RefreshToken,
(OpenIddictOptions) context.Options, context.Request, context.DataFormat,
context.Ticket, context.HttpContext.RequestAborted);
// If a reference token was returned by CreateTokenAsync(),
// force the OpenID Connect server middleware to use it.
if (!string.IsNullOrEmpty(token))
{
context.RefreshToken = token;
context.HandleSerialization();
}
// Otherwise, let the OpenID Connect server middleware
// serialize the token using its default internal logic.
}
private async Task<string> CreateTokenAsync(
[NotNull] string type, [NotNull] OpenIddictOptions options,
[NotNull] OpenIdConnectRequest request,
[NotNull] ISecureDataFormat<AuthenticationTicket> format,
[NotNull] AuthenticationTicket ticket, CancellationToken cancellationToken)
{
Debug.Assert(!(options.DisableTokenRevocation && options.UseReferenceTokens),
"Token revocation cannot be disabled when using reference tokens.");
Debug.Assert(!string.Equals(type, OpenIdConnectConstants.TokenUsages.IdToken, StringComparison.OrdinalIgnoreCase),
"Identity tokens shouldn't be stored in the database.");
if (options.DisableTokenRevocation)
{
return null;
}
// Resolve the subject from the authentication ticket. If it cannot be found, throw an exception.
var subject = ticket.Principal.GetClaim(OpenIdConnectConstants.Claims.Subject);
if (string.IsNullOrEmpty(subject))
{
throw new InvalidOperationException("The subject associated with the authentication ticket cannot be retrieved.");
}
TToken token;
string result = null;
// If reference tokens are enabled, create a new entry for
// authorization codes, refresh tokens and access tokens.
if (options.UseReferenceTokens)
{
// When the token is a reference token, remove the token identifier from the
// authentication ticket as it is restored when receiving and decrypting it.
ticket.RemoveProperty(OpenIdConnectConstants.Properties.TokenId);
// Note: the data format is automatically replaced at startup time to ensure
// that encrypted tokens stored in the database cannot be considered as
// valid tokens if the developer decides to disable reference tokens support.
var ciphertext = format.Protect(ticket);
// If a null value was returned by CreateAsync, return immediately.
var token = await Tokens.CreateAsync(OpenIdConnectConstants.TokenTypeHints.AuthorizationCode, subject, context.HttpContext.RequestAborted);
if (token == null)
// Generate a new crypto-secure random identifier that will be
// substituted to the ciphertext returned by the data format.
var bytes = new byte[256 / 8];
options.RandomNumberGenerator.GetBytes(bytes);
result = Base64UrlEncoder.Encode(bytes);
// Compute the digest of the generated identifier and use
// it as the hashed identifier of the reference token.
// Doing that prevents token identifiers stolen from
// the database from being used as valid reference tokens.
string hash;
using (var algorithm = SHA256.Create())
{
return;
hash = Convert.ToBase64String(algorithm.ComputeHash(bytes));
}
// Throw an exception if the token identifier can't be resolved.
var identifier = await Tokens.GetIdAsync(token, context.HttpContext.RequestAborted);
if (string.IsNullOrEmpty(identifier))
token = await Tokens.CreateAsync(type, subject, hash, ciphertext, cancellationToken);
}
// Otherwise, only create a token metadata entry for authorization codes and refresh tokens.
else if (string.Equals(type, OpenIdConnectConstants.TokenUsages.AuthorizationCode, StringComparison.OrdinalIgnoreCase) ||
string.Equals(type, OpenIdConnectConstants.TokenUsages.RefreshToken, StringComparison.OrdinalIgnoreCase))
{
token = await Tokens.CreateAsync(type, subject, cancellationToken);
}
else
{
return null;
}
// If a null value was returned by CreateAsync(), return immediately.
if (token == null)
{
return null;
}
// Throw an exception if the token identifier can't be resolved.
var identifier = await Tokens.GetIdAsync(token, cancellationToken);
if (string.IsNullOrEmpty(identifier))
{
throw new InvalidOperationException("The unique key associated with a refresh token cannot be null or empty.");
}
// Attach the key returned by the underlying store
// to the refresh token to override the default GUID
// generated by the OpenID Connect server middleware.
ticket.SetTokenId(identifier);
// If the client application is known, associate it with the token.
if (!string.IsNullOrEmpty(request.ClientId))
{
var application = await Applications.FindByClientIdAsync(request.ClientId, cancellationToken);
if (application == null)
{
throw new InvalidOperationException("The unique key associated with an authorization code cannot be null or empty.");
throw new InvalidOperationException("The client application cannot be retrieved from the database.");
}
// Attach the key returned by the underlying store
// to the authorization code to override the default GUID
// generated by the OpenID Connect server middleware.
context.Ticket.SetProperty(OpenIdConnectConstants.Properties.TokenId, identifier);
var key = await Applications.GetIdAsync(application, cancellationToken);
await Tokens.SetClientAsync(token, key, cancellationToken);
}
// If an authorization identifier was specified, bind it to the token.
if (ticket.HasProperty(OpenIddictConstants.Properties.AuthorizationId))
{
await Tokens.SetAuthorizationAsync(token,
ticket.GetProperty(OpenIddictConstants.Properties.AuthorizationId), cancellationToken);
}
// Otherwise, create an ad-hoc authorization if the token is an authorization code.
else if (string.Equals(type, OpenIdConnectConstants.TokenUsages.AuthorizationCode, StringComparison.OrdinalIgnoreCase))
{
Debug.Assert(!string.IsNullOrEmpty(request.ClientId), "The client identifier shouldn't be null.");
var application = await Applications.FindByClientIdAsync(context.Request.ClientId, context.HttpContext.RequestAborted);
var application = await Applications.FindByClientIdAsync(request.ClientId, cancellationToken);
if (application == null)
{
throw new InvalidOperationException("The client application cannot be retrieved from the database.");
}
await Tokens.SetClientAsync(token, await Applications.GetIdAsync(application, context.HttpContext.RequestAborted), context.HttpContext.RequestAborted);
var authorization = await Authorizations.CreateAsync(subject,
await Applications.GetIdAsync(application, cancellationToken), request.GetScopes(), cancellationToken);
// If an authorization identifier was specified, bind it to the token.
var authorization = context.Ticket.GetProperty(OpenIddictConstants.Properties.AuthorizationId);
if (!string.IsNullOrEmpty(authorization))
if (authorization != null)
{
await Tokens.SetAuthorizationAsync(token, authorization, context.HttpContext.RequestAborted);
var key = await Authorizations.GetIdAsync(authorization, cancellationToken);
ticket.SetProperty(OpenIddictConstants.Properties.AuthorizationId, key);
await Tokens.SetAuthorizationAsync(token, key, cancellationToken);
}
}
if (!string.IsNullOrEmpty(result))
{
Logger.LogTrace("A new reference token was successfully generated and persisted " +
"in the database: {Token} ; {Claims} ; {Properties}.",
result, ticket.Principal.Claims, ticket.Properties.Items);
}
return result;
}
public override async Task SerializeRefreshToken([NotNull] SerializeRefreshTokenContext context)
private async Task<AuthenticationTicket> ReceiveTokenAsync(
[NotNull] string value, [NotNull] OpenIddictOptions options,
[NotNull] OpenIdConnectRequest request,
[NotNull] ISecureDataFormat<AuthenticationTicket> format, CancellationToken cancellationToken)
{
var options = (OpenIddictOptions) context.Options;
if (!options.UseReferenceTokens)
{
return null;
}
if (!options.DisableTokenRevocation)
string hash;
try
{
// Resolve the subject from the authentication ticket. If it cannot be found, throw an exception.
var subject = context.Ticket.Principal.GetClaim(OpenIdConnectConstants.Claims.Subject);
if (string.IsNullOrEmpty(subject))
// Compute the digest of the received token and use it
// to retrieve the reference token from the database.
using (var algorithm = SHA256.Create())
{
throw new InvalidOperationException("The subject associated with the authentication ticket cannot be retrieved.");
hash = Convert.ToBase64String(algorithm.ComputeHash(Base64UrlEncoder.DecodeBytes(value)));
}
}
// If a null value was returned by CreateAsync, return immediately.
var token = await Tokens.CreateAsync(OpenIdConnectConstants.TokenTypeHints.RefreshToken, subject, context.HttpContext.RequestAborted);
if (token == null)
{
return;
}
// Swallow format-related exceptions to ensure badly formed
// or tampered tokens don't cause an exception at this stage.
catch
{
return null;
}
// Throw an exception if the token identifier can't be resolved.
var identifier = await Tokens.GetIdAsync(token, context.HttpContext.RequestAborted);
if (string.IsNullOrEmpty(identifier))
{
throw new InvalidOperationException("The unique key associated with a refresh token cannot be null or empty.");
}
// Retrieve the token entry from the database. If it
// cannot be found, assume the token is not valid.
var token = await Tokens.FindByHashAsync(hash, cancellationToken);
if (token == null)
{
Logger.LogInformation("The reference token corresponding to the '{Hash}' hashed " +
"identifier cannot be found in the database.", hash);
// Attach the key returned by the underlying store
// to the refresh token to override the default GUID
// generated by the OpenID Connect server middleware.
context.Ticket.SetProperty(OpenIdConnectConstants.Properties.TokenId, identifier);
return null;
}
// If the client application is known, associate it with the token.
if (!string.IsNullOrEmpty(context.Request.ClientId))
{
var application = await Applications.FindByClientIdAsync(context.Request.ClientId, context.HttpContext.RequestAborted);
if (application == null)
{
throw new InvalidOperationException("The client application cannot be retrieved from the database.");
}
var identifier = await Tokens.GetIdAsync(token, cancellationToken);
if (string.IsNullOrEmpty(identifier))
{
Logger.LogWarning("The identifier associated with the received token cannot be retrieved. " +
"This may indicate that the token entry is corrupted.");
await Tokens.SetClientAsync(token, await Applications.GetIdAsync(application, context.HttpContext.RequestAborted), context.HttpContext.RequestAborted);
}
return null;
}
// If an authorization identifier was specified, bind it to the token.
var authorization = context.Ticket.GetProperty(OpenIddictConstants.Properties.AuthorizationId);
if (!string.IsNullOrEmpty(authorization))
{
await Tokens.SetAuthorizationAsync(token, authorization, context.HttpContext.RequestAborted);
}
// Extract the encrypted payload from the token. If it's null or empty,
// assume the token is not a reference token and consider it as invalid.
var ciphertext = await Tokens.GetCiphertextAsync(token, cancellationToken);
if (string.IsNullOrEmpty(ciphertext))
{
Logger.LogWarning("The ciphertext associated with the token '{Identifier}' cannot be retrieved. " +
"This may indicate that the token is not a reference token.", identifier);
return null;
}
var ticket = format.Unprotect(ciphertext);
if (ticket == null)
{
Logger.LogWarning("The ciphertext associated with the token '{Identifier}' cannot be decrypted. " +
"This may indicate that the token entry is corrupted or tampered.",
await Tokens.GetIdAsync(token, cancellationToken));
return null;
}
// Restore the token identifier using the unique
// identifier attached with the database entry.
ticket.SetTokenId(identifier);
// If the authorization identifier cannot be found in the ticket properties,
// try to restore it using the identifier associated with the database entry.
if (!ticket.HasProperty(OpenIddictConstants.Properties.AuthorizationId))
{
ticket.SetProperty(OpenIddictConstants.Properties.AuthorizationId,
await Tokens.GetAuthorizationIdAsync(token, cancellationToken));
}
Logger.LogTrace("The reference token '{Identifier}' was successfully retrieved " +
"from the database and decrypted: {Claims} ; {Properties}.",
identifier, ticket.Principal.Claims, ticket.Properties.Items);
return ticket;
}
}
}

16
test/OpenIddict.Tests/OpenIddictExtensionsTests.cs
View File

@ -614,6 +614,22 @@ namespace OpenIddict.Tests
Assert.IsType<JwtSecurityTokenHandler>(options.AccessTokenHandler);
}
[Fact]
public void UseReferenceTokens_ReferenceTokensAreEnabled()
{
// Arrange
var services = CreateServices();
var builder = new OpenIddictBuilder(services);
// Act
builder.UseReferenceTokens();
var options = GetOptions(services);
// Assert
Assert.True(options.UseReferenceTokens);
}
private static IServiceCollection CreateServices()
{
var services = new ServiceCollection();

67
test/OpenIddict.Tests/OpenIddictInitializerTests.cs
View File

@ -16,6 +16,27 @@ namespace OpenIddict.Tests
{
public class OpenIddictInitializerTests
{
[Fact]
public async Task PostConfigure_ThrowsAnExceptionWhenRandomNumberGeneratorIsNull()
{
// Arrange
var server = CreateAuthorizationServer(builder =>
{
builder.Configure(options => options.RandomNumberGenerator = null);
});
var client = new OpenIdConnectClient(server.CreateClient());
// Act and assert
var exception = await Assert.ThrowsAsync<InvalidOperationException>(delegate
{
return client.GetAsync("/");
});
// Assert
Assert.Equal("A random number generator must be registered.", exception.Message);
}
[Fact]
public async Task PostConfigure_ThrowsAnExceptionWhenNoFlowIsEnabled()
{
@ -111,6 +132,52 @@ namespace OpenIddict.Tests
Assert.Equal("The revocation endpoint cannot be enabled when token revocation is disabled.", exception.Message);
}
[Fact]
public async Task PostConfigure_ThrowsAnExceptionWhenUsingReferenceTokensWithTokenRevocationDisabled()
{
// Arrange
var server = CreateAuthorizationServer(builder =>
{
builder.EnableAuthorizationEndpoint("/connect/authorize")
.AllowImplicitFlow()
.DisableTokenRevocation()
.UseReferenceTokens();
});
var client = new OpenIdConnectClient(server.CreateClient());
// Act and assert
var exception = await Assert.ThrowsAsync<InvalidOperationException>(delegate
{
return client.GetAsync("/");
});
Assert.Equal("Reference tokens cannot be used when disabling token revocation.", exception.Message);
}
[Fact]
public async Task PostConfigure_ThrowsAnExceptionWhenUsingReferenceTokensIfAnAccessTokenHandlerIsSet()
{
// Arrange
var server = CreateAuthorizationServer(builder =>
{
builder.EnableAuthorizationEndpoint("/connect/authorize")
.AllowImplicitFlow()
.UseReferenceTokens()
.UseJsonWebTokens();
});
var client = new OpenIdConnectClient(server.CreateClient());
// Act and assert
var exception = await Assert.ThrowsAsync<InvalidOperationException>(delegate
{
return client.GetAsync("/");
});
Assert.Equal("Reference tokens cannot be used when configuring JWT as the access token format.", exception.Message);
}
[Fact]
public async Task PostConfigure_ThrowsAnExceptionWhenNoSigningKeyIsRegisteredIfAnAccessTokenHandlerIsSet()
{

316
test/OpenIddict.Tests/OpenIddictProviderTests.Exchange.cs
View File

@ -1,4 +1,5 @@
using System.Security.Claims;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using AspNet.Security.OpenIdConnect.Client;
@ -457,7 +458,7 @@ namespace OpenIddict.Tests
}
[Fact]
public async Task HandleTokenRequest_RequestIsRejectedWhenAuthorizationCodeIsExpired()
public async Task HandleTokenRequest_RequestIsRejectedWhenAuthorizationCodeIsUnknown()
{
// Arrange
var ticket = new AuthenticationTicket(
@ -511,13 +512,235 @@ namespace OpenIddict.Tests
// Assert
Assert.Equal(OpenIdConnectConstants.Errors.InvalidGrant, response.Error);
Assert.Equal("The authorization code is no longer valid.", response.ErrorDescription);
Assert.Equal("The specified authorization code is no longer valid.", response.ErrorDescription);
Mock.Get(manager).Verify(mock => mock.FindByIdAsync("3E228451-1555-46F7-A471-951EFBA23A56", It.IsAny<CancellationToken>()), Times.Once());
}
[Fact]
public async Task HandleTokenRequest_RequestIsRejectedWhenRefreshTokenIsExpired()
public async Task HandleTokenRequest_RequestIsRejectedWhenAuthorizationCodeIsAlreadyRedeemed()
{
// Arrange
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(),
new AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme);
ticket.SetPresenters("Fabrikam");
ticket.SetTokenId("3E228451-1555-46F7-A471-951EFBA23A56");
ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.AuthorizationCode);
var format = new Mock<ISecureDataFormat<AuthenticationTicket>>();
format.Setup(mock => mock.Unprotect("SplxlOBeZQQYbYS6WxSbIA"))
.Returns(ticket);
var token = new OpenIddictToken();
var manager = CreateTokenManager(instance =>
{
instance.Setup(mock => mock.FindByIdAsync("3E228451-1555-46F7-A471-951EFBA23A56", It.IsAny<CancellationToken>()))
.ReturnsAsync(token);
instance.Setup(mock => mock.IsRedeemedAsync(token, It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
});
var server = CreateAuthorizationServer(builder =>
{
builder.Services.AddSingleton(CreateApplicationManager(instance =>
{
var application = new OpenIddictApplication();
instance.Setup(mock => mock.FindByClientIdAsync("Fabrikam", It.IsAny<CancellationToken>()))
.ReturnsAsync(application);
instance.Setup(mock => mock.GetClientTypeAsync(application, It.IsAny<CancellationToken>()))
.ReturnsAsync(OpenIddictConstants.ClientTypes.Public);
}));
builder.Services.AddSingleton(manager);
builder.Configure(options => options.AuthorizationCodeFormat = format.Object);
});
var client = new OpenIdConnectClient(server.CreateClient());
// Act
var response = await client.PostAsync(TokenEndpoint, new OpenIdConnectRequest
{
ClientId = "Fabrikam",
Code = "SplxlOBeZQQYbYS6WxSbIA",
GrantType = OpenIdConnectConstants.GrantTypes.AuthorizationCode,
RedirectUri = "http://www.fabrikam.com/path"
});
// Assert
Assert.Equal(OpenIdConnectConstants.Errors.InvalidGrant, response.Error);
Assert.Equal("The specified authorization code has already been redemeed.", response.ErrorDescription);
Mock.Get(manager).Verify(mock => mock.FindByIdAsync("3E228451-1555-46F7-A471-951EFBA23A56", It.IsAny<CancellationToken>()), Times.Once());
Mock.Get(manager).Verify(mock => mock.IsRedeemedAsync(token, It.IsAny<CancellationToken>()), Times.Once());
}
[Fact]
public async Task HandleTokenRequest_RevokesTokensWhenAuthorizationCodeIsAlreadyRedeemed()
{
// Arrange
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(),
new AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme);
ticket.SetPresenters("Fabrikam");
ticket.SetTokenId("3E228451-1555-46F7-A471-951EFBA23A56");
ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.AuthorizationCode);
ticket.SetProperty(OpenIddictConstants.Properties.AuthorizationId, "18D15F73-BE2B-6867-DC01-B3C1E8AFDED0");
var format = new Mock<ISecureDataFormat<AuthenticationTicket>>();
format.Setup(mock => mock.Unprotect("SplxlOBeZQQYbYS6WxSbIA"))
.Returns(ticket);
var tokens = new[]
{
new OpenIddictToken(),
new OpenIddictToken(),
new OpenIddictToken()
};
var manager = CreateTokenManager(instance =>
{
instance.Setup(mock => mock.FindByIdAsync("3E228451-1555-46F7-A471-951EFBA23A56", It.IsAny<CancellationToken>()))
.ReturnsAsync(tokens[0]);
instance.Setup(mock => mock.IsRedeemedAsync(tokens[0], It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
instance.Setup(mock => mock.FindByAuthorizationIdAsync("18D15F73-BE2B-6867-DC01-B3C1E8AFDED0", It.IsAny<CancellationToken>()))
.ReturnsAsync(tokens);
});
var server = CreateAuthorizationServer(builder =>
{
builder.Services.AddSingleton(CreateApplicationManager(instance =>
{
var application = new OpenIddictApplication();
instance.Setup(mock => mock.FindByClientIdAsync("Fabrikam", It.IsAny<CancellationToken>()))
.ReturnsAsync(application);
instance.Setup(mock => mock.GetClientTypeAsync(application, It.IsAny<CancellationToken>()))
.ReturnsAsync(OpenIddictConstants.ClientTypes.Public);
}));
builder.Services.AddSingleton(CreateAuthorizationManager(instance =>
{
var authorization = new OpenIddictAuthorization();
instance.Setup(mock => mock.FindByIdAsync("18D15F73-BE2B-6867-DC01-B3C1E8AFDED0", It.IsAny<CancellationToken>()))
.ReturnsAsync(authorization);
}));
builder.Services.AddSingleton(manager);
builder.Configure(options => options.AuthorizationCodeFormat = format.Object);
});
var client = new OpenIdConnectClient(server.CreateClient());
// Act
var response = await client.PostAsync(TokenEndpoint, new OpenIdConnectRequest
{
ClientId = "Fabrikam",
Code = "SplxlOBeZQQYbYS6WxSbIA",
GrantType = OpenIdConnectConstants.GrantTypes.AuthorizationCode,
RedirectUri = "http://www.fabrikam.com/path"
});
// Assert
Assert.Equal(OpenIdConnectConstants.Errors.InvalidGrant, response.Error);
Assert.Equal("The specified authorization code has already been redemeed.", response.ErrorDescription);
Mock.Get(manager).Verify(mock => mock.FindByIdAsync("3E228451-1555-46F7-A471-951EFBA23A56", It.IsAny<CancellationToken>()), Times.Once());
Mock.Get(manager).Verify(mock => mock.IsRedeemedAsync(tokens[0], It.IsAny<CancellationToken>()), Times.Once());
Mock.Get(manager).Verify(mock => mock.RevokeAsync(tokens[0], It.IsAny<CancellationToken>()), Times.Once());
Mock.Get(manager).Verify(mock => mock.RevokeAsync(tokens[1], It.IsAny<CancellationToken>()), Times.Once());
Mock.Get(manager).Verify(mock => mock.RevokeAsync(tokens[2], It.IsAny<CancellationToken>()), Times.Once());
}
[Fact]
public async Task HandleTokenRequest_RequestIsRejectedWhenAuthorizationCodeIsInvalid()
{
// Arrange
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(),
new AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme);
ticket.SetPresenters("Fabrikam");
ticket.SetTokenId("3E228451-1555-46F7-A471-951EFBA23A56");
ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.AuthorizationCode);
var format = new Mock<ISecureDataFormat<AuthenticationTicket>>();
format.Setup(mock => mock.Unprotect("SplxlOBeZQQYbYS6WxSbIA"))
.Returns(ticket);
var token = new OpenIddictToken();
var manager = CreateTokenManager(instance =>
{
instance.Setup(mock => mock.FindByIdAsync("3E228451-1555-46F7-A471-951EFBA23A56", It.IsAny<CancellationToken>()))
.ReturnsAsync(token);
instance.Setup(mock => mock.IsRedeemedAsync(token, It.IsAny<CancellationToken>()))
.ReturnsAsync(false);
instance.Setup(mock => mock.IsValidAsync(token, It.IsAny<CancellationToken>()))
.ReturnsAsync(false);
});
var server = CreateAuthorizationServer(builder =>
{
builder.Services.AddSingleton(CreateApplicationManager(instance =>
{
var application = new OpenIddictApplication();
instance.Setup(mock => mock.FindByClientIdAsync("Fabrikam", It.IsAny<CancellationToken>()))
.ReturnsAsync(application);
instance.Setup(mock => mock.GetClientTypeAsync(application, It.IsAny<CancellationToken>()))
.ReturnsAsync(OpenIddictConstants.ClientTypes.Public);
}));
builder.Services.AddSingleton(manager);
builder.Configure(options => options.AuthorizationCodeFormat = format.Object);
});
var client = new OpenIdConnectClient(server.CreateClient());
// Act
var response = await client.PostAsync(TokenEndpoint, new OpenIdConnectRequest
{
ClientId = "Fabrikam",
Code = "SplxlOBeZQQYbYS6WxSbIA",
GrantType = OpenIdConnectConstants.GrantTypes.AuthorizationCode,
RedirectUri = "http://www.fabrikam.com/path"
});
// Assert
Assert.Equal(OpenIdConnectConstants.Errors.InvalidGrant, response.Error);
Assert.Equal("The specified authorization code is no longer valid.", response.ErrorDescription);
Mock.Get(manager).Verify(mock => mock.FindByIdAsync("3E228451-1555-46F7-A471-951EFBA23A56", It.IsAny<CancellationToken>()), Times.Once());
Mock.Get(manager).Verify(mock => mock.IsRedeemedAsync(token, It.IsAny<CancellationToken>()), Times.Once());
Mock.Get(manager).Verify(mock => mock.IsValidAsync(token, It.IsAny<CancellationToken>()), Times.Once());
}
[Fact]
public async Task HandleTokenRequest_RequestIsRejectedWhenRefreshTokenIsUnknown()
{
// Arrange
var ticket = new AuthenticationTicket(
@ -568,13 +791,76 @@ namespace OpenIddict.Tests
// Assert
Assert.Equal(OpenIdConnectConstants.Errors.InvalidGrant, response.Error);
Assert.Equal("The refresh token is no longer valid.", response.ErrorDescription);
Assert.Equal("The specified refresh token is no longer valid.", response.ErrorDescription);
Mock.Get(manager).Verify(mock => mock.FindByIdAsync("60FFF7EA-F98E-437B-937E-5073CC313103", It.IsAny<CancellationToken>()), Times.Once());
}
[Fact]
public async Task HandleTokenRequest_AuthorizationCodeIsAutomaticallyRevoked()
public async Task HandleTokenRequest_RequestIsRejectedWhenRefreshTokenIsInvalid()
{
// Arrange
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(),
new AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme);
ticket.SetTokenId("60FFF7EA-F98E-437B-937E-5073CC313103");
ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.RefreshToken);
var format = new Mock<ISecureDataFormat<AuthenticationTicket>>();
format.Setup(mock => mock.Unprotect("8xLOxBtZp8"))
.Returns(ticket);
var token = new OpenIddictToken();
var manager = CreateTokenManager(instance =>
{
instance.Setup(mock => mock.FindByIdAsync("60FFF7EA-F98E-437B-937E-5073CC313103", It.IsAny<CancellationToken>()))
.ReturnsAsync(token);
instance.Setup(mock => mock.IsValidAsync(token, It.IsAny<CancellationToken>()))
.ReturnsAsync(false);
});
var server = CreateAuthorizationServer(builder =>
{
builder.Services.AddSingleton(CreateApplicationManager(instance =>
{
var application = new OpenIddictApplication();
instance.Setup(mock => mock.FindByClientIdAsync("Fabrikam", It.IsAny<CancellationToken>()))
.ReturnsAsync(application);
instance.Setup(mock => mock.GetClientTypeAsync(application, It.IsAny<CancellationToken>()))
.ReturnsAsync(OpenIddictConstants.ClientTypes.Public);
}));
builder.Services.AddSingleton(manager);
builder.Configure(options => options.RefreshTokenFormat = format.Object);
});
var client = new OpenIdConnectClient(server.CreateClient());
// Act
var response = await client.PostAsync(TokenEndpoint, new OpenIdConnectRequest
{
GrantType = OpenIdConnectConstants.GrantTypes.RefreshToken,
RefreshToken = "8xLOxBtZp8"
});
// Assert
Assert.Equal(OpenIdConnectConstants.Errors.InvalidGrant, response.Error);
Assert.Equal("The specified refresh token is no longer valid.", response.ErrorDescription);
Mock.Get(manager).Verify(mock => mock.FindByIdAsync("60FFF7EA-F98E-437B-937E-5073CC313103", It.IsAny<CancellationToken>()), Times.Once());
Mock.Get(manager).Verify(mock => mock.IsValidAsync(token, It.IsAny<CancellationToken>()), Times.Once());
}
[Fact]
public async Task HandleTokenRequest_AuthorizationCodeIsAutomaticallyRedeemed()
{
// Arrange
var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
@ -600,6 +886,9 @@ namespace OpenIddict.Tests
{
instance.Setup(mock => mock.FindByIdAsync("3E228451-1555-46F7-A471-951EFBA23A56", It.IsAny<CancellationToken>()))
.ReturnsAsync(token);
instance.Setup(mock => mock.IsValidAsync(token, It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
});
var server = CreateAuthorizationServer(builder =>
@ -633,11 +922,11 @@ namespace OpenIddict.Tests
// Assert
Mock.Get(manager).Verify(mock => mock.FindByIdAsync("3E228451-1555-46F7-A471-951EFBA23A56", It.IsAny<CancellationToken>()), Times.Once());
Mock.Get(manager).Verify(mock => mock.RevokeAsync(token, It.IsAny<CancellationToken>()), Times.Once());
Mock.Get(manager).Verify(mock => mock.RedeemAsync(token, It.IsAny<CancellationToken>()), Times.Once());
}
[Fact]
public async Task HandleTokenRequest_RefreshTokenIsAutomaticallyRevokedWhenSlidingExpirationIsEnabled()
public async Task HandleTokenRequest_RefreshTokenIsAutomaticallyRedeemedWhenSlidingExpirationIsEnabled()
{
// Arrange
var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
@ -662,6 +951,12 @@ namespace OpenIddict.Tests
{
instance.Setup(mock => mock.FindByIdAsync("60FFF7EA-F98E-437B-937E-5073CC313103", It.IsAny<CancellationToken>()))
.ReturnsAsync(token);
instance.Setup(mock => mock.IsRedeemedAsync(token, It.IsAny<CancellationToken>()))
.ReturnsAsync(false);
instance.Setup(mock => mock.IsValidAsync(token, It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
});
var server = CreateAuthorizationServer(builder =>
@ -693,7 +988,7 @@ namespace OpenIddict.Tests
// Assert
Mock.Get(manager).Verify(mock => mock.FindByIdAsync("60FFF7EA-F98E-437B-937E-5073CC313103", It.IsAny<CancellationToken>()), Times.Once());
Mock.Get(manager).Verify(mock => mock.RevokeAsync(token, It.IsAny<CancellationToken>()), Times.Once());
Mock.Get(manager).Verify(mock => mock.RedeemAsync(token, It.IsAny<CancellationToken>()), Times.Once());
}
[Theory]
@ -738,6 +1033,9 @@ namespace OpenIddict.Tests
{
instance.Setup(mock => mock.FindByIdAsync("60FFF7EA-F98E-437B-937E-5073CC313103", It.IsAny<CancellationToken>()))
.ReturnsAsync(token);
instance.Setup(mock => mock.IsValidAsync(token, It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
});
var server = CreateAuthorizationServer(builder =>

282
test/OpenIddict.Tests/OpenIddictProviderTests.Introspection.cs
View File

@ -341,7 +341,145 @@ namespace OpenIddict.Tests
}
[Fact]
public async Task HandleIntrospectionRequest_RequestIsRejectedWhenAuthorizationCodeIsRevoked()
public async Task HandleIntrospectionRequest_RequestIsRejectedWhenAccessTokenIsUnknown()
{
// Arrange
var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
identity.AddClaim(OpenIdConnectConstants.Claims.Subject, "Bob le Bricoleur");
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme);
ticket.SetTokenId("3E228451-1555-46F7-A471-951EFBA23A56");
ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.AccessToken);
var format = new Mock<ISecureDataFormat<AuthenticationTicket>>();
format.Setup(mock => mock.Unprotect("2YotnFZFEjr1zCsicMWpAA"))
.Returns(ticket);
var manager = CreateTokenManager(instance =>
{
instance.Setup(mock => mock.FindByIdAsync("3E228451-1555-46F7-A471-951EFBA23A56", It.IsAny<CancellationToken>()))
.ReturnsAsync(value: null);
});
var server = CreateAuthorizationServer(builder =>
{
builder.Services.AddSingleton(CreateApplicationManager(instance =>
{
var application = new OpenIddictApplication();
instance.Setup(mock => mock.FindByClientIdAsync("Fabrikam", It.IsAny<CancellationToken>()))
.ReturnsAsync(application);
instance.Setup(mock => mock.GetClientTypeAsync(application, It.IsAny<CancellationToken>()))
.ReturnsAsync(OpenIddictConstants.ClientTypes.Confidential);
instance.Setup(mock => mock.ValidateClientSecretAsync(application, "7Fjfp0ZBr1KtDRbnfVdmIw", It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
}));
builder.Services.AddSingleton(manager);
builder.Configure(options => options.AccessTokenFormat = format.Object);
builder.UseReferenceTokens();
});
var client = new OpenIdConnectClient(server.CreateClient());
// Act
var response = await client.PostAsync(IntrospectionEndpoint, new OpenIdConnectRequest
{
ClientId = "Fabrikam",
ClientSecret = "7Fjfp0ZBr1KtDRbnfVdmIw",
Token = "2YotnFZFEjr1zCsicMWpAA"
});
// Assert
Assert.Single(response.GetParameters());
Assert.False((bool) response[OpenIdConnectConstants.Claims.Active]);
Mock.Get(manager).Verify(mock => mock.FindByIdAsync("3E228451-1555-46F7-A471-951EFBA23A56", It.IsAny<CancellationToken>()), Times.Once());
}
[Fact]
public async Task HandleIntrospectionRequest_RequestIsRejectedWhenAccessTokenIsInvalid()
{
// Arrange
var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
identity.AddClaim(OpenIdConnectConstants.Claims.Subject, "Bob le Bricoleur");
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme);
ticket.SetTokenId("3E228451-1555-46F7-A471-951EFBA23A56");
ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.AccessToken);
var format = new Mock<ISecureDataFormat<AuthenticationTicket>>();
format.Setup(mock => mock.Unprotect("2YotnFZFEjr1zCsicMWpAA"))
.Returns(ticket);
var token = new OpenIddictToken();
var manager = CreateTokenManager(instance =>
{
instance.Setup(mock => mock.FindByIdAsync("3E228451-1555-46F7-A471-951EFBA23A56", It.IsAny<CancellationToken>()))
.ReturnsAsync(token);
instance.Setup(mock => mock.IsValidAsync(token, It.IsAny<CancellationToken>()))
.ReturnsAsync(false);
});
var server = CreateAuthorizationServer(builder =>
{
builder.Services.AddSingleton(CreateApplicationManager(instance =>
{
var application = new OpenIddictApplication();
instance.Setup(mock => mock.FindByClientIdAsync("Fabrikam", It.IsAny<CancellationToken>()))
.ReturnsAsync(application);
instance.Setup(mock => mock.GetClientTypeAsync(application, It.IsAny<CancellationToken>()))
.ReturnsAsync(OpenIddictConstants.ClientTypes.Confidential);
instance.Setup(mock => mock.ValidateClientSecretAsync(application, "7Fjfp0ZBr1KtDRbnfVdmIw", It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
}));
builder.Services.AddSingleton(manager);
builder.Configure(options => options.AccessTokenFormat = format.Object);
builder.UseReferenceTokens();
});
var client = new OpenIdConnectClient(server.CreateClient());
// Act
var response = await client.PostAsync(IntrospectionEndpoint, new OpenIdConnectRequest
{
ClientId = "Fabrikam",
ClientSecret = "7Fjfp0ZBr1KtDRbnfVdmIw",
Token = "2YotnFZFEjr1zCsicMWpAA"
});
// Assert
Assert.Single(response.GetParameters());
Assert.False((bool) response[OpenIdConnectConstants.Claims.Active]);
Mock.Get(manager).Verify(mock => mock.FindByIdAsync("3E228451-1555-46F7-A471-951EFBA23A56", It.IsAny<CancellationToken>()), Times.Once());
Mock.Get(manager).Verify(mock => mock.IsValidAsync(token, It.IsAny<CancellationToken>()), Times.Once());
}
[Fact]
public async Task HandleIntrospectionRequest_RequestIsRejectedWhenAuthorizationCodeIsUnknown()
{
// Arrange
var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
@ -405,7 +543,77 @@ namespace OpenIddict.Tests
}
[Fact]
public async Task HandleIntrospectionRequest_RequestIsRejectedWhenRefreshTokenIsRevoked()
public async Task HandleIntrospectionRequest_RequestIsRejectedWhenAuthorizationCodeIsInvalid()
{
// Arrange
var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
identity.AddClaim(OpenIdConnectConstants.Claims.Subject, "Bob le Bricoleur");
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme);
ticket.SetTokenId("3E228451-1555-46F7-A471-951EFBA23A56");
ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.AuthorizationCode);
var format = new Mock<ISecureDataFormat<AuthenticationTicket>>();
format.Setup(mock => mock.Unprotect("2YotnFZFEjr1zCsicMWpAA"))
.Returns(ticket);
var token = new OpenIddictToken();
var manager = CreateTokenManager(instance =>
{
instance.Setup(mock => mock.FindByIdAsync("3E228451-1555-46F7-A471-951EFBA23A56", It.IsAny<CancellationToken>()))
.ReturnsAsync(token);
instance.Setup(mock => mock.IsValidAsync(token, It.IsAny<CancellationToken>()))
.ReturnsAsync(false);
});
var server = CreateAuthorizationServer(builder =>
{
builder.Services.AddSingleton(CreateApplicationManager(instance =>
{
var application = new OpenIddictApplication();
instance.Setup(mock => mock.FindByClientIdAsync("Fabrikam", It.IsAny<CancellationToken>()))
.ReturnsAsync(application);
instance.Setup(mock => mock.GetClientTypeAsync(application, It.IsAny<CancellationToken>()))
.ReturnsAsync(OpenIddictConstants.ClientTypes.Confidential);
instance.Setup(mock => mock.ValidateClientSecretAsync(application, "7Fjfp0ZBr1KtDRbnfVdmIw", It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
}));
builder.Services.AddSingleton(manager);
builder.Configure(options => options.AuthorizationCodeFormat = format.Object);
});
var client = new OpenIdConnectClient(server.CreateClient());
// Act
var response = await client.PostAsync(IntrospectionEndpoint, new OpenIdConnectRequest
{
ClientId = "Fabrikam",
ClientSecret = "7Fjfp0ZBr1KtDRbnfVdmIw",
Token = "2YotnFZFEjr1zCsicMWpAA"
});
// Assert
Assert.Single(response.GetParameters());
Assert.False((bool) response[OpenIdConnectConstants.Claims.Active]);
Mock.Get(manager).Verify(mock => mock.FindByIdAsync("3E228451-1555-46F7-A471-951EFBA23A56", It.IsAny<CancellationToken>()), Times.Once());
Mock.Get(manager).Verify(mock => mock.IsValidAsync(token, It.IsAny<CancellationToken>()), Times.Once());
}
[Fact]
public async Task HandleIntrospectionRequest_RequestIsRejectedWhenRefreshTokenIsUnknown()
{
// Arrange
var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
@ -467,5 +675,75 @@ namespace OpenIddict.Tests
Mock.Get(manager).Verify(mock => mock.FindByIdAsync("3E228451-1555-46F7-A471-951EFBA23A56", It.IsAny<CancellationToken>()), Times.Once());
}
[Fact]
public async Task HandleIntrospectionRequest_RequestIsRejectedWhenRefreshTokenIsInvalid()
{
// Arrange
var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
identity.AddClaim(OpenIdConnectConstants.Claims.Subject, "Bob le Bricoleur");
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme);
ticket.SetTokenId("3E228451-1555-46F7-A471-951EFBA23A56");
ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.RefreshToken);
var format = new Mock<ISecureDataFormat<AuthenticationTicket>>();
format.Setup(mock => mock.Unprotect("2YotnFZFEjr1zCsicMWpAA"))
.Returns(ticket);
var token = new OpenIddictToken();
var manager = CreateTokenManager(instance =>
{
instance.Setup(mock => mock.FindByIdAsync("3E228451-1555-46F7-A471-951EFBA23A56", It.IsAny<CancellationToken>()))
.ReturnsAsync(token);
instance.Setup(mock => mock.IsValidAsync(token, It.IsAny<CancellationToken>()))
.ReturnsAsync(false);
});
var server = CreateAuthorizationServer(builder =>
{
builder.Services.AddSingleton(CreateApplicationManager(instance =>
{
var application = new OpenIddictApplication();
instance.Setup(mock => mock.FindByClientIdAsync("Fabrikam", It.IsAny<CancellationToken>()))
.ReturnsAsync(application);
instance.Setup(mock => mock.GetClientTypeAsync(application, It.IsAny<CancellationToken>()))
.ReturnsAsync(OpenIddictConstants.ClientTypes.Confidential);
instance.Setup(mock => mock.ValidateClientSecretAsync(application, "7Fjfp0ZBr1KtDRbnfVdmIw", It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
}));
builder.Services.AddSingleton(manager);
builder.Configure(options => options.RefreshTokenFormat = format.Object);
});
var client = new OpenIdConnectClient(server.CreateClient());
// Act
var response = await client.PostAsync(IntrospectionEndpoint, new OpenIdConnectRequest
{
ClientId = "Fabrikam",
ClientSecret = "7Fjfp0ZBr1KtDRbnfVdmIw",
Token = "2YotnFZFEjr1zCsicMWpAA"
});
// Assert
Assert.Single(response.GetParameters());
Assert.False((bool) response[OpenIdConnectConstants.Claims.Active]);
Mock.Get(manager).Verify(mock => mock.FindByIdAsync("3E228451-1555-46F7-A471-951EFBA23A56", It.IsAny<CancellationToken>()), Times.Once());
Mock.Get(manager).Verify(mock => mock.IsValidAsync(token, It.IsAny<CancellationToken>()), Times.Once());
}
}
}

95
test/OpenIddict.Tests/OpenIddictProviderTests.Revocation.cs
View File

@ -1,6 +1,5 @@
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
@ -21,10 +20,30 @@ namespace OpenIddict.Tests
{
public partial class OpenIddictProviderTests
{
[Theory]
[InlineData(OpenIdConnectConstants.TokenTypeHints.AccessToken)]
[InlineData(OpenIdConnectConstants.TokenTypeHints.IdToken)]
public async Task ValidateRevocationRequest_UnknownTokenTokenHintIsRejected(string hint)
[Fact]
public async Task ValidateRevocationRequest_IdTokenTokenTokenHintIsRejected()
{
// Arrange
var server = CreateAuthorizationServer();
var client = new OpenIdConnectClient(server.CreateClient());
// Act
var response = await client.PostAsync(RevocationEndpoint, new OpenIdConnectRequest
{
Token = "SlAV32hkKG",
TokenTypeHint = OpenIdConnectConstants.TokenTypeHints.IdToken
});
// Assert
Assert.Equal(OpenIdConnectConstants.Errors.UnsupportedTokenType, response.Error);
Assert.Equal(
"Identity tokens cannot be revoked. When specifying a token_type_hint parameter, " +
"its value must be equal to 'access_token', 'authorization_code' or 'refresh_token'.", response.ErrorDescription);
}
[Fact]
public async Task ValidateRevocationRequest_AccessTokenTokenTokenHintIsRejectedWhenReferenceTokensAreDisabled()
{
// Arrange
var server = CreateAuthorizationServer();
@ -35,13 +54,14 @@ namespace OpenIddict.Tests
var response = await client.PostAsync(RevocationEndpoint, new OpenIdConnectRequest
{
Token = "SlAV32hkKG",
TokenTypeHint = hint
TokenTypeHint = OpenIdConnectConstants.TokenTypeHints.AccessToken
});
// Assert
Assert.Equal(OpenIdConnectConstants.Errors.UnsupportedTokenType, response.Error);
Assert.Equal("Only authorization codes and refresh tokens can be revoked. When specifying a token_type_hint " +
"parameter, its value must be equal to 'authorization_code' or 'refresh_token'.", response.ErrorDescription);
Assert.Equal(
"Access tokens cannot be revoked. When specifying a token_type_hint parameter, " +
"its value must be equal to 'authorization_code' or 'refresh_token'.", response.ErrorDescription);
}
[Fact]
@ -218,7 +238,7 @@ namespace OpenIddict.Tests
}
[Fact]
public async Task HandleRevocationRequest_RequestIsRejectedWhenTokenIsAnAccessToken()
public async Task HandleRevocationRequest_RequestIsRejectedWhenTokenIsAnAccessTokenIfReferenceTokensAreDisabled()
{
// Arrange
var ticket = new AuthenticationTicket(
@ -249,13 +269,13 @@ namespace OpenIddict.Tests
// Assert
Assert.Equal(OpenIdConnectConstants.Errors.UnsupportedTokenType, response.Error);
Assert.Equal("Only authorization codes and refresh tokens can be revoked.", response.ErrorDescription);
Assert.Equal("The specified access token cannot be revoked.", response.ErrorDescription);
format.Verify(mock => mock.Unprotect("SlAV32hkKG"), Times.Once());
}
[Fact]
public async Task HandleRevocationRequest_RequestIsNotRejectedWhenTokenIsAnIdentityToken()
public async Task HandleRevocationRequest_RequestIsRejectedWhenTokenIsAnIdentityToken()
{
// Arrange
var token = Mock.Of<SecurityToken>(mock =>
@ -289,7 +309,7 @@ namespace OpenIddict.Tests
// Assert
Assert.Equal(OpenIdConnectConstants.Errors.UnsupportedTokenType, response.Error);
Assert.Equal("Only authorization codes and refresh tokens can be revoked.", response.ErrorDescription);
Assert.Equal("Identity tokens cannot be revoked.", response.ErrorDescription);
handler.As<ISecurityTokenValidator>()
.Verify(mock => mock.CanReadToken("SlAV32hkKG"), Times.Once());
@ -299,7 +319,7 @@ namespace OpenIddict.Tests
}
[Fact]
public async Task HandleRevocationRequest_TokenIsNotRevokedWhenItIsAlreadyInvalid()
public async Task HandleRevocationRequest_TokenIsNotRevokedWhenItIsUnknown()
{
// Arrange
var ticket = new AuthenticationTicket(
@ -342,6 +362,55 @@ namespace OpenIddict.Tests
Mock.Get(manager).Verify(mock => mock.RevokeAsync(It.IsAny<OpenIddictToken>(), It.IsAny<CancellationToken>()), Times.Never());
}
[Fact]
public async Task HandleRevocationRequest_TokenIsNotRevokedWhenItIsAlreadyRevoked()
{
// Arrange
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(),
new AuthenticationProperties(),
OpenIdConnectServerDefaults.AuthenticationScheme);
ticket.SetTokenId("3E228451-1555-46F7-A471-951EFBA23A56");
var format = new Mock<ISecureDataFormat<AuthenticationTicket>>();
format.Setup(mock => mock.Unprotect("SlAV32hkKG"))
.Returns(ticket);
var token = new OpenIddictToken();
var manager = CreateTokenManager(instance =>
{
instance.Setup(mock => mock.FindByIdAsync("3E228451-1555-46F7-A471-951EFBA23A56", It.IsAny<CancellationToken>()))
.ReturnsAsync(token);
instance.Setup(mock => mock.IsRevokedAsync(token, It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
});
var server = CreateAuthorizationServer(builder =>
{
builder.Services.AddSingleton(manager);
builder.Configure(options => options.RefreshTokenFormat = format.Object);
});
var client = new OpenIdConnectClient(server.CreateClient());
// Act
var response = await client.PostAsync(RevocationEndpoint, new OpenIdConnectRequest
{
Token = "SlAV32hkKG"
});
// Assert
Assert.Empty(response.GetParameters());
Mock.Get(manager).Verify(mock => mock.FindByIdAsync("3E228451-1555-46F7-A471-951EFBA23A56", It.IsAny<CancellationToken>()), Times.Once());
Mock.Get(manager).Verify(mock => mock.RevokeAsync(It.IsAny<OpenIddictToken>(), It.IsAny<CancellationToken>()), Times.Never());
}
[Fact]
public async Task HandleRevocationRequest_TokenIsSuccessfullyRevoked()
{

358
test/OpenIddict.Tests/OpenIddictProviderTests.Serialization.cs
View File

@ -1,4 +1,6 @@
using System.Threading;
using System.Collections;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using AspNet.Security.OpenIdConnect.Client;
using AspNet.Security.OpenIdConnect.Primitives;
@ -14,6 +16,190 @@ namespace OpenIddict.Tests
{
public partial class OpenIddictProviderTests
{
[Fact]
public async Task SerializeAccessToken_AccessTokenIsNotPersistedWhenReferenceTokensAreDisabled()
{
// Arrange
var manager = CreateTokenManager();
var server = CreateAuthorizationServer(builder =>
{
builder.Services.AddSingleton(manager);
builder.Configure(options => options.RevocationEndpointPath = PathString.Empty);
});
var client = new OpenIdConnectClient(server.CreateClient());
// Act
var response = await client.PostAsync(TokenEndpoint, new OpenIdConnectRequest
{
GrantType = OpenIdConnectConstants.GrantTypes.Password,
Username = "johndoe",
Password = "A3ddj3w",
Scope = OpenIdConnectConstants.Scopes.OfflineAccess
});
// Assert
Assert.NotNull(response.AccessToken);
Mock.Get(manager).Verify(mock => mock.CreateAsync(OpenIdConnectConstants.TokenTypeHints.AccessToken, "Bob le Magnifique", It.IsAny<CancellationToken>()), Times.Never());
}
[Fact]
public async Task SerializeAccessToken_ReferenceAccessTokenIsCorrectlyPersisted()
{
// Arrange
var token = new OpenIddictToken();
var manager = CreateTokenManager(instance =>
{
instance.Setup(mock => mock.CreateAsync(
OpenIdConnectConstants.TokenTypeHints.AccessToken, "Bob le Magnifique",
It.IsNotNull<string>(), It.IsNotNull<string>(), It.IsAny<CancellationToken>()))
.ReturnsAsync(token);
instance.Setup(mock => mock.GetIdAsync(token, It.IsAny<CancellationToken>()))
.ReturnsAsync("3E228451-1555-46F7-A471-951EFBA23A56");
});
var server = CreateAuthorizationServer(builder =>
{
builder.Services.AddSingleton(manager);
builder.UseReferenceTokens();
});
var client = new OpenIdConnectClient(server.CreateClient());
// Act
var response = await client.PostAsync(TokenEndpoint, new OpenIdConnectRequest
{
GrantType = OpenIdConnectConstants.GrantTypes.Password,
Username = "johndoe",
Password = "A3ddj3w",
Scope = OpenIdConnectConstants.Scopes.OfflineAccess
});
// Assert
Assert.NotNull(response.AccessToken);
Mock.Get(manager).Verify(mock => mock.CreateAsync(
OpenIdConnectConstants.TokenTypeHints.AccessToken, "Bob le Magnifique",
It.IsNotNull<string>(), It.IsNotNull<string>(), It.IsAny<CancellationToken>()), Times.Once());
Mock.Get(manager).Verify(mock => mock.GetIdAsync(token, It.IsAny<CancellationToken>()), Times.Once());
}
[Fact]
public async Task SerializeAccessToken_ClientApplicationIsAutomaticallyAttached()
{
// Arrange
var token = new OpenIddictToken();
var manager = CreateTokenManager(instance =>
{
instance.Setup(mock => mock.CreateAsync(
OpenIdConnectConstants.TokenTypeHints.AccessToken, "Bob le Magnifique",
It.IsNotNull<string>(), It.IsNotNull<string>(), It.IsAny<CancellationToken>()))
.ReturnsAsync(token);
instance.Setup(mock => mock.GetIdAsync(token, It.IsAny<CancellationToken>()))
.ReturnsAsync("3E228451-1555-46F7-A471-951EFBA23A56");
instance.Setup(mock => mock.SetClientAsync(token, "3E228451-1555-46F7-A471-951EFBA23A56", It.IsAny<CancellationToken>()))
.Returns(Task.FromResult(0));
});
var server = CreateAuthorizationServer(builder =>
{
builder.Services.AddSingleton(CreateApplicationManager(instance =>
{
var application = new OpenIddictApplication();
instance.Setup(mock => mock.FindByClientIdAsync("Fabrikam", It.IsAny<CancellationToken>()))
.ReturnsAsync(application);
instance.Setup(mock => mock.GetClientTypeAsync(application, It.IsAny<CancellationToken>()))
.ReturnsAsync(OpenIddictConstants.ClientTypes.Public);
instance.Setup(mock => mock.GetIdAsync(application, It.IsAny<CancellationToken>()))
.ReturnsAsync("3E228451-1555-46F7-A471-951EFBA23A56");
}));
builder.Services.AddSingleton(manager);
builder.UseReferenceTokens();
});
var client = new OpenIdConnectClient(server.CreateClient());
// Act
var response = await client.PostAsync(TokenEndpoint, new OpenIdConnectRequest
{
ClientId = "Fabrikam",
GrantType = OpenIdConnectConstants.GrantTypes.Password,
Username = "johndoe",
Password = "A3ddj3w",
Scope = OpenIdConnectConstants.Scopes.OfflineAccess
});
// Assert
Assert.NotNull(response.AccessToken);
Mock.Get(manager).Verify(mock => mock.SetClientAsync(token, "3E228451-1555-46F7-A471-951EFBA23A56", It.IsAny<CancellationToken>()), Times.Once());
}
[Fact]
public async Task SerializeAccessToken_AuthorizationIsAutomaticallyAttached()
{
// Arrange
var token = new OpenIddictToken();
var manager = CreateTokenManager(instance =>
{
instance.Setup(mock => mock.CreateAsync(
OpenIdConnectConstants.TokenTypeHints.AccessToken, "Bob le Magnifique",
It.IsNotNull<string>(), It.IsNotNull<string>(), It.IsAny<CancellationToken>()))
.ReturnsAsync(token);
instance.Setup(mock => mock.GetIdAsync(token, It.IsAny<CancellationToken>()))
.ReturnsAsync("3E228451-1555-46F7-A471-951EFBA23A56");
instance.Setup(mock => mock.SetAuthorizationAsync(token, "1AF06AB2-A0FC-4E3D-86AF-E04DA8C7BE70", It.IsAny<CancellationToken>()))
.Returns(Task.FromResult(0));
});
var server = CreateAuthorizationServer(builder =>
{
builder.Services.AddSingleton(CreateAuthorizationManager(instance =>
{
instance.Setup(mock => mock.FindByIdAsync("1AF06AB2-A0FC-4E3D-86AF-E04DA8C7BE70", It.IsAny<CancellationToken>()))
.ReturnsAsync(new OpenIddictAuthorization());
}));
builder.Services.AddSingleton(manager);
builder.UseReferenceTokens();
});
var client = new OpenIdConnectClient(server.CreateClient());
// Act
var response = await client.PostAsync(TokenEndpoint, new OpenIdConnectRequest
{
GrantType = OpenIdConnectConstants.GrantTypes.Password,
Username = "johndoe",
Password = "A3ddj3w",
Scope = OpenIdConnectConstants.Scopes.OfflineAccess,
["attach-authorization"] = true
});
// Assert
Assert.NotNull(response.AccessToken);
Mock.Get(manager).Verify(mock => mock.SetAuthorizationAsync(token, "1AF06AB2-A0FC-4E3D-86AF-E04DA8C7BE70", It.IsAny<CancellationToken>()), Times.Once());
}
[Fact]
public async Task SerializeAuthorizationCode_AuthorizationCodeIsNotPersistedWhenRevocationIsDisabled()
{
@ -116,6 +302,65 @@ namespace OpenIddict.Tests
Mock.Get(manager).Verify(mock => mock.GetIdAsync(token, It.IsAny<CancellationToken>()), Times.Once());
}
[Fact]
public async Task SerializeAuthorizationCode_ReferenceAuthorizationCodeIsCorrectlyPersisted()
{
// Arrange
var token = new OpenIddictToken();
var manager = CreateTokenManager(instance =>
{
instance.Setup(mock => mock.CreateAsync(
OpenIdConnectConstants.TokenTypeHints.AuthorizationCode, "Bob le Magnifique",
It.IsNotNull<string>(), It.IsNotNull<string>(), It.IsAny<CancellationToken>()))
.ReturnsAsync(token);
instance.Setup(mock => mock.GetIdAsync(token, It.IsAny<CancellationToken>()))
.ReturnsAsync("3E228451-1555-46F7-A471-951EFBA23A56");
});
var server = CreateAuthorizationServer(builder =>
{
builder.Services.AddSingleton(CreateApplicationManager(instance =>
{
var application = new OpenIddictApplication();
instance.Setup(mock => mock.FindByClientIdAsync("Fabrikam", It.IsAny<CancellationToken>()))
.ReturnsAsync(application);
instance.Setup(mock => mock.HasRedirectUriAsync(application, It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
instance.Setup(mock => mock.ValidateRedirectUriAsync(application, "http://www.fabrikam.com/path", It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
instance.Setup(mock => mock.GetClientTypeAsync(application, It.IsAny<CancellationToken>()))
.ReturnsAsync(OpenIddictConstants.ClientTypes.Public);
}));
builder.Services.AddSingleton(manager);
builder.UseReferenceTokens();
});
var client = new OpenIdConnectClient(server.CreateClient());
// Act
var response = await client.PostAsync(AuthorizationEndpoint, new OpenIdConnectRequest
{
ClientId = "Fabrikam",
RedirectUri = "http://www.fabrikam.com/path",
ResponseType = OpenIdConnectConstants.ResponseTypes.Code
});
// Assert
Assert.NotNull(response.Code);
Mock.Get(manager).Verify(mock => mock.CreateAsync(OpenIdConnectConstants.TokenTypeHints.AuthorizationCode,
"Bob le Magnifique", It.IsNotNull<string>(), It.IsNotNull<string>(), It.IsAny<CancellationToken>()), Times.Once());
Mock.Get(manager).Verify(mock => mock.GetIdAsync(token, It.IsAny<CancellationToken>()), Times.Once());
}
[Fact]
public async Task SerializeAuthorizationCode_ClientApplicationIsAutomaticallyAttached()
{
@ -235,6 +480,7 @@ namespace OpenIddict.Tests
ClientId = "Fabrikam",
RedirectUri = "http://www.fabrikam.com/path",
ResponseType = OpenIdConnectConstants.ResponseTypes.Code,
["attach-authorization"] = true
});
// Assert
@ -243,6 +489,69 @@ namespace OpenIddict.Tests
Mock.Get(manager).Verify(mock => mock.SetAuthorizationAsync(token, "1AF06AB2-A0FC-4E3D-86AF-E04DA8C7BE70", It.IsAny<CancellationToken>()), Times.Once());
}
[Fact]
public async Task SerializeAuthorizationCode_AdHocAuthorizationIsAutomaticallyCreated()
{
// Arrange
var token = new OpenIddictToken();
var manager = CreateAuthorizationManager(instance =>
{
instance.Setup(mock => mock.FindByIdAsync("1AF06AB2-A0FC-4E3D-86AF-E04DA8C7BE70", It.IsAny<CancellationToken>()))
.ReturnsAsync(new OpenIddictAuthorization());
});
var server = CreateAuthorizationServer(builder =>
{
builder.Services.AddSingleton(CreateApplicationManager(instance =>
{
var application = new OpenIddictApplication();
instance.Setup(mock => mock.FindByClientIdAsync("Fabrikam", It.IsAny<CancellationToken>()))
.ReturnsAsync(application);
instance.Setup(mock => mock.HasRedirectUriAsync(application, It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
instance.Setup(mock => mock.ValidateRedirectUriAsync(application, "http://www.fabrikam.com/path", It.IsAny<CancellationToken>()))
.ReturnsAsync(true);
instance.Setup(mock => mock.GetClientTypeAsync(application, It.IsAny<CancellationToken>()))
.ReturnsAsync(OpenIddictConstants.ClientTypes.Public);
instance.Setup(mock => mock.GetIdAsync(application, It.IsAny<CancellationToken>()))
.ReturnsAsync("3E228451-1555-46F7-A471-951EFBA23A56");
}));
builder.Services.AddSingleton(CreateTokenManager(instance =>
{
instance.Setup(mock => mock.CreateAsync(OpenIdConnectConstants.TokenTypeHints.AuthorizationCode, "Bob le Magnifique", It.IsAny<CancellationToken>()))
.ReturnsAsync(token);
instance.Setup(mock => mock.GetIdAsync(token, It.IsAny<CancellationToken>()))
.ReturnsAsync("3E228451-1555-46F7-A471-951EFBA23A56");
}));
builder.Services.AddSingleton(manager);
});
var client = new OpenIdConnectClient(server.CreateClient());
// Act
var response = await client.PostAsync(AuthorizationEndpoint, new OpenIdConnectRequest
{
ClientId = "Fabrikam",
RedirectUri = "http://www.fabrikam.com/path",
ResponseType = OpenIdConnectConstants.ResponseTypes.Code,
});
// Assert
Assert.NotNull(response.Code);
Mock.Get(manager).Verify(mock => mock.CreateAsync("Bob le Magnifique", "3E228451-1555-46F7-A471-951EFBA23A56",
It.IsAny<IEnumerable<string>>(), It.IsAny<CancellationToken>()), Times.Once());
}
[Fact]
public async Task SerializeRefreshToken_RefreshTokenIsNotPersistedWhenRevocationIsDisabled()
{
@ -313,6 +622,50 @@ namespace OpenIddict.Tests
Mock.Get(manager).Verify(mock => mock.GetIdAsync(token, It.IsAny<CancellationToken>()), Times.Once());
}
[Fact]
public async Task SerializeRefreshToken_ReferenceRefreshTokenIsCorrectlyPersisted()
{
// Arrange
var token = new OpenIddictToken();
var manager = CreateTokenManager(instance =>
{
instance.Setup(mock => mock.CreateAsync(
OpenIdConnectConstants.TokenTypeHints.RefreshToken, "Bob le Magnifique",
It.IsNotNull<string>(), It.IsNotNull<string>(), It.IsAny<CancellationToken>()))
.ReturnsAsync(token);
instance.Setup(mock => mock.GetIdAsync(token, It.IsAny<CancellationToken>()))
.ReturnsAsync("3E228451-1555-46F7-A471-951EFBA23A56");
});
var server = CreateAuthorizationServer(builder =>
{
builder.Services.AddSingleton(manager);
builder.UseReferenceTokens();
});
var client = new OpenIdConnectClient(server.CreateClient());
// Act
var response = await client.PostAsync(TokenEndpoint, new OpenIdConnectRequest
{
GrantType = OpenIdConnectConstants.GrantTypes.Password,
Username = "johndoe",
Password = "A3ddj3w",
Scope = OpenIdConnectConstants.Scopes.OfflineAccess
});
// Assert
Assert.NotNull(response.RefreshToken);
Mock.Get(manager).Verify(mock => mock.CreateAsync(
OpenIdConnectConstants.TokenTypeHints.RefreshToken, "Bob le Magnifique",
It.IsNotNull<string>(), It.IsNotNull<string>(), It.IsAny<CancellationToken>()), Times.Once());
Mock.Get(manager).Verify(mock => mock.GetIdAsync(token, It.IsAny<CancellationToken>()), Times.Once());
}
[Fact]
public async Task SerializeRefreshToken_ClientApplicationIsAutomaticallyAttached()
{
@ -405,7 +758,8 @@ namespace OpenIddict.Tests
GrantType = OpenIdConnectConstants.GrantTypes.Password,
Username = "johndoe",
Password = "A3ddj3w",
Scope = OpenIdConnectConstants.Scopes.OfflineAccess
Scope = OpenIdConnectConstants.Scopes.OfflineAccess,
["attach-authorization"] = true
});
// Assert

5
test/OpenIddict.Tests/OpenIddictProviderTests.cs
View File

@ -146,7 +146,10 @@ namespace OpenIddict.Tests
ticket.SetScopes(request.GetScopes());
ticket.SetProperty(OpenIddictConstants.Properties.AuthorizationId, "1AF06AB2-A0FC-4E3D-86AF-E04DA8C7BE70");
if (request.HasParameter("attach-authorization"))
{
ticket.SetProperty(OpenIddictConstants.Properties.AuthorizationId, "1AF06AB2-A0FC-4E3D-86AF-E04DA8C7BE70");
}
return context.SignInAsync(ticket.AuthenticationScheme, ticket.Principal, ticket.Properties);
}

Write Preview
Loading…
Cancel
Save