From 54c0af96dda52b26e7d7bbb00d2d26a9fcc6987c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Chalet?=
Date: Fri, 22 Sep 2017 07:47:27 +0200
Subject: [PATCH] Prevent the OpenID Connect server middleware from using its default logic when deserializing reference tokens
---
 .../OpenIddictProvider.Serialization.cs | 45 +++++--------------
 .../OpenIddictProviderTests.Introspection.cs | 34 +++++++-------
 2 files changed, 27 insertions(+), 52 deletions(-)
diff --git a/src/OpenIddict/OpenIddictProvider.Serialization.cs b/src/OpenIddict/OpenIddictProvider.Serialization.cs
index 739c6147..a9ca6009 100644
--- a/src/OpenIddict/OpenIddictProvider.Serialization.cs
+++ b/src/OpenIddict/OpenIddictProvider.Serialization.cs
@@ -31,20 +31,13 @@ namespace OpenIddict
 return;
 }
- var ticket = await ReceiveTokenAsync(
+ context.Ticket = await ReceiveTokenAsync(
 context.AccessToken, options, context.HttpContext, context.Request, context.DataFormat);
- // If a valid ticket was returned by ReceiveTokenAsync(),
- // force the OpenID Connect server middleware to use it.
- if (ticket != null)
- {
- context.Ticket = ticket;
- context.HandleDeserialization();
- }
-
- // Otherwise, let the OpenID Connect server middleware
- // deserialize the token using its default internal logic.
+ // Prevent the OpenID Connect server middleware from using
+ // its default logic to deserialize the reference token.
+ context.HandleDeserialization();
 }
 public override async Task DeserializeAuthorizationCode([NotNull] DeserializeAuthorizationCodeContext context)
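Review bot: `context.HandleDeserialization()` is now called unconditionally, so when `ReceiveTokenAsync` returns null (the case the removed `if (ticket != null)` guarded) `context.Ticket` is left null and the middleware is told deserialization is complete; the hunk relies on the server middleware treating a handled null ticket as an invalid token, which is presumably the intended fail-closed behaviour (a value that does not resolve as a reference token must not be retried as a self-contained token), but nothing in the code says so. The replacement comment should make that explicit, e.g. `// A null result from ReceiveTokenAsync() is deliberate: the ticket stays null and the middleware` / `// must not fall back to unprotecting the value itself, so the token is expected to be rejected.` The same point applies to the two later hunks in this file, the ones reading `context.AuthorizationCode` and `context.RefreshToken`. The signature of the handler containing this hunk (the one reading `context.AccessToken`) is above the hunk.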
@@ -55,20 +48,13 @@ namespace OpenIddict
 return;
 }
- var ticket = await ReceiveTokenAsync(
+ context.Ticket = await ReceiveTokenAsync(
 context.AuthorizationCode, options, context.HttpContext, context.Request, context.DataFormat);
- // If a valid ticket was returned by ReceiveTokenAsync(),
- // force the OpenID Connect server middleware to use it.
- if (ticket != null)
- {
- context.Ticket = ticket;
- context.HandleDeserialization();
- }
-
- // Otherwise, let the OpenID Connect server middleware
- // deserialize the token using its default internal logic.
+ // Prevent the OpenID Connect server middleware from using
+ // its default logic to deserialize the reference token.
+ context.HandleDeserialization();
 }
 public override async Task DeserializeRefreshToken([NotNull] DeserializeRefreshTokenContext context)
@@ -79,20 +65,13 @@ namespace OpenIddict
 return;
 }
- var ticket = await ReceiveTokenAsync(
+ context.Ticket = await ReceiveTokenAsync(
 context.RefreshToken, options, context.HttpContext, context.Request, context.DataFormat);
- // If a valid ticket was returned by ReceiveTokenAsync(),
- // force the OpenID Connect server middleware to use it.
- if (ticket != null)
- {
- context.Ticket = ticket;
- context.HandleDeserialization();
- }
-
- // Otherwise, let the OpenID Connect server middleware
- // deserialize the token using its default internal logic.
+ // Prevent the OpenID Connect server middleware from using
+ // its default logic to deserialize the reference token.
+ context.HandleDeserialization();
 }
 public override async Task SerializeAccessToken([NotNull] SerializeAccessTokenContext context)
diff --git a/test/OpenIddict.Tests/OpenIddictProviderTests.Introspection.cs b/test/OpenIddict.Tests/OpenIddictProviderTests.Introspection.cs
index 6af88080..69f6165c 100644
--- a/test/OpenIddict.Tests/OpenIddictProviderTests.Introspection.cs
+++ b/test/OpenIddict.Tests/OpenIddictProviderTests.Introspection.cs
@@ -347,22 +347,9 @@ namespace OpenIddict.Tests
 var identity = new ClaimsIdentity(OpenIdConnectServerDefaults.AuthenticationScheme);
 identity.AddClaim(OpenIdConnectConstants.Claims.Subject, "Bob le Bricoleur");
- var ticket = new AuthenticationTicket(
- new ClaimsPrincipal(identity),
- new AuthenticationProperties(),
- OpenIdConnectServerDefaults.AuthenticationScheme);
-
- ticket.SetTokenId("3E228451-1555-46F7-A471-951EFBA23A56");
- ticket.SetTokenUsage(OpenIdConnectConstants.TokenUsages.AccessToken);
-
- var format = new Mock>();
-
- format.Setup(mock => mock.Unprotect("2YotnFZFEjr1zCsicMWpAA"))
- .Returns(ticket);
-
 var manager = CreateTokenManager(instance =>
 {
- instance.Setup(mock => mock.FindByIdAsync("3E228451-1555-46F7-A471-951EFBA23A56", It.IsAny()))
+ instance.Setup(mock => mock.FindByHashAsync("coYFMTIt6jDp2O41qaUfV+XGhPsils3Z3YfmUvudrVw=", It.IsAny()))
 .ReturnsAsync(value: null);
 });
@@ -384,8 +371,6 @@ namespace OpenIddict.Tests
 builder.Services.AddSingleton(manager);
- builder.Configure(options => options.AccessTokenFormat = format.Object);
-
 builder.UseReferenceTokens();
 });
@@ -396,14 +381,15 @@ namespace OpenIddict.Tests
 {
 ClientId = "Fabrikam",
 ClientSecret = "7Fjfp0ZBr1KtDRbnfVdmIw",
- Token = "2YotnFZFEjr1zCsicMWpAA"
+ Token = "QaTk2f6UPe9trKismGBJr0OIs0KqpvNrqRsJqGuJAAI"
 });
 // Assert
 Assert.Single(response.GetParameters());
 Assert.False((bool) response[OpenIdConnectConstants.Claims.Active]);
- Mock.Get(manager).Verify(mock => mock.FindByIdAsync("3E228451-1555-46F7-A471-951EFBA23A56", It.IsAny()), Times.Once());
+
+ Mock.Get(manager).Verify(mock => mock.FindByHashAsync("coYFMTIt6jDp2O41qaUfV+XGhPsils3Z3YfmUvudrVw=", It.IsAny()), Times.Exactly(3));
 }
 [Fact]
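Review bot: `Times.Exactly(3)` in the new `FindByHashAsync` verification of the last hunk is a magic count: nothing in the test says why one introspection request should perform the hash lookup three times. Given the provider hunks in this commit, which now run the reference-token lookup in each of the three token deserializers, the count presumably reflects the introspection endpoint trying the value as an access token, an authorization code and a refresh token in turn once the lookup returns null; that reasoning belongs next to the assertion, e.g. `// Introspection probes every token type, and each deserializer performs one hash lookup for an unknown reference token.` If the probing order is not something this test means to pin, the inactive-response assertion already carries the intent and the count could be relaxed. The test method begins before the hunk.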
@@ -430,6 +416,15 @@ namespace OpenIddict.Tests
 var manager = CreateTokenManager(instance =>
 {
+ instance.Setup(mock => mock.FindByHashAsync("coYFMTIt6jDp2O41qaUfV+XGhPsils3Z3YfmUvudrVw=", It.IsAny()))
+ .ReturnsAsync(token);
+
+ instance.Setup(mock => mock.GetIdAsync(token, It.IsAny()))
+ .ReturnsAsync("3E228451-1555-46F7-A471-951EFBA23A56");
+
+ instance.Setup(mock => mock.GetCiphertextAsync(token, It.IsAny()))
+ .ReturnsAsync("2YotnFZFEjr1zCsicMWpAA");
+
 instance.Setup(mock => mock.FindByIdAsync("3E228451-1555-46F7-A471-951EFBA23A56", It.IsAny()))
 .ReturnsAsync(token);
@@ -467,13 +462,14 @@ namespace OpenIddict.Tests
 {
 ClientId = "Fabrikam",
 ClientSecret = "7Fjfp0ZBr1KtDRbnfVdmIw",
- Token = "2YotnFZFEjr1zCsicMWpAA"
+ Token = "QaTk2f6UPe9trKismGBJr0OIs0KqpvNrqRsJqGuJAAI"
 });
 // Assert
 Assert.Single(response.GetParameters());
 Assert.False((bool) response[OpenIdConnectConstants.Claims.Active]);
+ Mock.Get(manager).Verify(mock => mock.FindByHashAsync("coYFMTIt6jDp2O41qaUfV+XGhPsils3Z3YfmUvudrVw=", It.IsAny()), Times.Once());
 Mock.Get(manager).Verify(mock => mock.FindByIdAsync("3E228451-1555-46F7-A471-951EFBA23A56", It.IsAny()), Times.Once());
 Mock.Get(manager).Verify(mock => mock.IsValidAsync(token, It.IsAny()), Times.Once());
 }
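Review bot: The reference token `"QaTk2f6UPe9trKismGBJr0OIs0KqpvNrqRsJqGuJAAI"` and the hash `"coYFMTIt6jDp2O41qaUfV+XGhPsils3Z3YfmUvudrVw="` are repeated as bare literals in the mock setups and in the `Verify` calls of both tests touched here (and in the earlier hunks of this file), with nothing tying the two values to each other or to the ciphertext `"2YotnFZFEjr1zCsicMWpAA"` returned by the new `GetCiphertextAsync` setup; a reader cannot tell whether the hash is meant to be derived from the token or is an arbitrary stand-in. Hoist them into named constants on the test class, e.g. `private const string ReferenceToken = "QaTk2f6UPe9trKismGBJr0OIs0KqpvNrqRsJqGuJAAI";` and `private const string ReferenceTokenHash = "coYFMTIt6jDp2O41qaUfV+XGhPsils3Z3YfmUvudrVw=";`, with a comment on the hash constant stating how it relates to the token (and which hash function produces it, if it is derived) so the pair cannot silently drift apart. Both test methods begin before their hunks.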