Update the validation middleware to validate the expiration date before the audience to be consistent with the introspection middleware

kevinchalet · kevinchalet · commit ebecb8ba8562 · 2017-04-22T19:04:01.000+02:00
diff --git a/src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionHandler.cs b/src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionHandler.cs
@@ -126,7 +126,7 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
                     Error = new OAuthIntrospectionError
                     {
                         Error = OAuthIntrospectionConstants.Errors.InvalidToken,
-                        ErrorDescription = "The access token is expired."
+                        ErrorDescription = "The access token is no longer valid."
                     }
                 });
 
diff --git a/src/AspNet.Security.OAuth.Validation/OAuthValidationHandler.cs b/src/AspNet.Security.OAuth.Validation/OAuthValidationHandler.cs
@@ -96,37 +96,37 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
                 return AuthenticateResult.Fail("Authentication failed because the access token was invalid.");
             }
 
-            // Ensure that the access token was issued
-            // to be used with this resource server.
-            if (!ValidateAudience(ticket))
+            // Ensure that the authentication ticket is still valid.
+            if (ticket.Properties.ExpiresUtc.HasValue &&
+                ticket.Properties.ExpiresUtc.Value < Options.SystemClock.UtcNow)
             {
                 Context.Features.Set(new OAuthValidationFeature
                 {
                     Error = new OAuthValidationError
                     {
                         Error = OAuthValidationConstants.Errors.InvalidToken,
-                        ErrorDescription = "The access token is not valid for this resource server."
+                        ErrorDescription = "The access token is no longer valid."
                     }
                 });
 
-                return AuthenticateResult.Fail("Authentication failed because the access token " +
-                                               "was not valid for this resource server.");
+                return AuthenticateResult.Fail("Authentication failed because the access token was expired.");
             }
 
-            // Ensure that the authentication ticket is still valid.
-            if (ticket.Properties.ExpiresUtc.HasValue &&
-                ticket.Properties.ExpiresUtc.Value < Options.SystemClock.UtcNow)
+            // Ensure that the access token was issued
+            // to be used with this resource server.
+            if (!ValidateAudience(ticket))
             {
                 Context.Features.Set(new OAuthValidationFeature
                 {
                     Error = new OAuthValidationError
                     {
                         Error = OAuthValidationConstants.Errors.InvalidToken,
-                        ErrorDescription = "The access token is expired."
+                        ErrorDescription = "The access token is not valid for this resource server."
                     }
                 });
 
-                return AuthenticateResult.Fail("Authentication failed because the access token was expired.");
+                return AuthenticateResult.Fail("Authentication failed because the access token " +
+                                               "was not valid for this resource server.");
             }
 
             var notification = new ValidateTokenContext(Context, Options, ticket);
diff --git a/src/Owin.Security.OAuth.Introspection/OAuthIntrospectionHandler.cs b/src/Owin.Security.OAuth.Introspection/OAuthIntrospectionHandler.cs
@@ -14,7 +14,6 @@
 using System.Security.Claims;
 using System.Text;
 using System.Threading.Tasks;
-using Microsoft.Extensions.Caching.Distributed;
 using Microsoft.Extensions.Logging;
 using Microsoft.Owin.Security;
 using Microsoft.Owin.Security.Infrastructure;
@@ -125,7 +124,7 @@ protected override async Task<AuthenticationTicket> AuthenticateCoreAsync()
                 Context.Set(typeof(OAuthIntrospectionError).FullName, new OAuthIntrospectionError
                 {
                     Error = OAuthIntrospectionConstants.Errors.InvalidToken,
-                    ErrorDescription = "The access token is expired."
+                    ErrorDescription = "The access token is no longer valid."
                 });
 
                 return null;
diff --git a/src/Owin.Security.OAuth.Validation/OAuthValidationHandler.cs b/src/Owin.Security.OAuth.Validation/OAuthValidationHandler.cs
@@ -94,32 +94,32 @@ protected override async Task<AuthenticationTicket> AuthenticateCoreAsync()
                 return null;
             }
 
-            // Ensure that the access token was issued
-            // to be used with this resource server.
-            if (!ValidateAudience(ticket))
+            // Ensure that the authentication ticket is still valid.
+            if (ticket.Properties.ExpiresUtc.HasValue &&
+                ticket.Properties.ExpiresUtc.Value < Options.SystemClock.UtcNow)
             {
-                Logger.LogError("Authentication failed because the access token " +
-                                "was not valid for this resource server.");
+                Logger.LogError("Authentication failed because the access token was expired.");
 
                 Context.Set(typeof(OAuthValidationError).FullName, new OAuthValidationError
                 {
                     Error = OAuthValidationConstants.Errors.InvalidToken,
-                    ErrorDescription = "The access token is not valid for this resource server."
+                    ErrorDescription = "The access token is no longer valid."
                 });
 
                 return null;
             }
 
-            // Ensure that the authentication ticket is still valid.
-            if (ticket.Properties.ExpiresUtc.HasValue &&
-                ticket.Properties.ExpiresUtc.Value < Options.SystemClock.UtcNow)
+            // Ensure that the access token was issued
+            // to be used with this resource server.
+            if (!ValidateAudience(ticket))
             {
-                Logger.LogError("Authentication failed because the access token was expired.");
+                Logger.LogError("Authentication failed because the access token " +
+                                "was not valid for this resource server.");
 
                 Context.Set(typeof(OAuthValidationError).FullName, new OAuthValidationError
                 {
                     Error = OAuthValidationConstants.Errors.InvalidToken,
-                    ErrorDescription = "The access token is expired."
+                    ErrorDescription = "The access token is not valid for this resource server."
                 });
 
                 return null;
diff --git a/test/AspNet.Security.OAuth.Introspection.Tests/OAuthIntrospectionHandlerTests.cs b/test/AspNet.Security.OAuth.Introspection.Tests/OAuthIntrospectionHandlerTests.cs
@@ -571,7 +571,7 @@ public async Task HandleUnauthorizedAsync_ErrorDetailsAreResolvedFromChallengeCo
 
         [Theory]
         [InlineData("invalid-token", OAuthIntrospectionConstants.Errors.InvalidToken, "The access token is not valid.")]
-        [InlineData("expired-token", OAuthIntrospectionConstants.Errors.InvalidToken, "The access token is expired.")]
+        [InlineData("expired-token", OAuthIntrospectionConstants.Errors.InvalidToken, "The access token is no longer valid.")]
         public async Task HandleUnauthorizedAsync_ErrorDetailsAreInferredFromAuthenticationFailure(
             string token, string error, string description)
         {
diff --git a/test/AspNet.Security.OAuth.Validation.Tests/OAuthValidationHandlerTests.cs b/test/AspNet.Security.OAuth.Validation.Tests/OAuthValidationHandlerTests.cs
@@ -558,7 +558,7 @@ public async Task HandleUnauthorizedAsync_ErrorDetailsAreResolvedFromChallengeCo
 
         [Theory]
         [InlineData("invalid-token", OAuthValidationConstants.Errors.InvalidToken, "The access token is not valid.")]
-        [InlineData("expired-token", OAuthValidationConstants.Errors.InvalidToken, "The access token is expired.")]
+        [InlineData("expired-token", OAuthValidationConstants.Errors.InvalidToken, "The access token is no longer valid.")]
         public async Task HandleUnauthorizedAsync_ErrorDetailsAreInferredFromAuthenticationFailure(
             string token, string error, string description)
         {
diff --git a/test/Owin.Security.OAuth.Introspection.Tests/OAuthIntrospectionHandlerTests.cs b/test/Owin.Security.OAuth.Introspection.Tests/OAuthIntrospectionHandlerTests.cs
@@ -553,7 +553,7 @@ public async Task HandleUnauthorizedAsync_ErrorDetailsAreResolvedFromChallengeCo
 
         [Theory]
         [InlineData("invalid-token", OAuthIntrospectionConstants.Errors.InvalidToken, "The access token is not valid.")]
-        [InlineData("expired-token", OAuthIntrospectionConstants.Errors.InvalidToken, "The access token is expired.")]
+        [InlineData("expired-token", OAuthIntrospectionConstants.Errors.InvalidToken, "The access token is no longer valid.")]
         public async Task HandleUnauthorizedAsync_ErrorDetailsAreInferredFromAuthenticationFailure(
             string token, string error, string description)
         {
diff --git a/test/Owin.Security.OAuth.Validation.Tests/OAuthValidationHandlerTests.cs b/test/Owin.Security.OAuth.Validation.Tests/OAuthValidationHandlerTests.cs
@@ -542,7 +542,7 @@ public async Task HandleUnauthorizedAsync_ErrorDetailsAreResolvedFromChallengeCo
 
         [Theory]
         [InlineData("invalid-token", OAuthValidationConstants.Errors.InvalidToken, "The access token is not valid.")]
-        [InlineData("expired-token", OAuthValidationConstants.Errors.InvalidToken, "The access token is expired.")]
+        [InlineData("expired-token", OAuthValidationConstants.Errors.InvalidToken, "The access token is no longer valid.")]
         public async Task HandleUnauthorizedAsync_ErrorDetailsAreInferredFromAuthenticationFailure(
             string token, string error, string description)
         {

Original file line number	Diff line number	Diff line change
`@@ -126,7 +126,7 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()`
`126`	`126`	`Error = new OAuthIntrospectionError`
`127`	`127`	`{`
`128`	`128`	`Error = OAuthIntrospectionConstants.Errors.InvalidToken,`
`129`		`- ErrorDescription = "The access token is expired."`
	`129`	`+ ErrorDescription = "The access token is no longer valid."`
`130`	`130`	`}`
`131`	`131`	`});`
`132`	`132`
Original file line number	Diff line number	Diff line change
`@@ -96,37 +96,37 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()`
`96`	`96`	`return AuthenticateResult.Fail("Authentication failed because the access token was invalid.");`
`97`	`97`	`}`
`98`	`98`
`99`		`- // Ensure that the access token was issued`
`100`		`- // to be used with this resource server.`
`101`		`- if (!ValidateAudience(ticket))`
	`99`	`+ // Ensure that the authentication ticket is still valid.`
	`100`	`+ if (ticket.Properties.ExpiresUtc.HasValue &&`
	`101`	`+ ticket.Properties.ExpiresUtc.Value < Options.SystemClock.UtcNow)`
`102`	`102`	`{`
`103`	`103`	`Context.Features.Set(new OAuthValidationFeature`
`104`	`104`	`{`
`105`	`105`	`Error = new OAuthValidationError`
`106`	`106`	`{`
`107`	`107`	`Error = OAuthValidationConstants.Errors.InvalidToken,`
`108`		`- ErrorDescription = "The access token is not valid for this resource server."`
	`108`	`+ ErrorDescription = "The access token is no longer valid."`
`109`	`109`	`}`
`110`	`110`	`});`
`111`	`111`
`112`		`- return AuthenticateResult.Fail("Authentication failed because the access token " +`
`113`		`- "was not valid for this resource server.");`
	`112`	`+ return AuthenticateResult.Fail("Authentication failed because the access token was expired.");`
`114`	`113`	`}`
`115`	`114`
`116`		`- // Ensure that the authentication ticket is still valid.`
`117`		`- if (ticket.Properties.ExpiresUtc.HasValue &&`
`118`		`- ticket.Properties.ExpiresUtc.Value < Options.SystemClock.UtcNow)`
	`115`	`+ // Ensure that the access token was issued`
	`116`	`+ // to be used with this resource server.`
	`117`	`+ if (!ValidateAudience(ticket))`
`119`	`118`	`{`
`120`	`119`	`Context.Features.Set(new OAuthValidationFeature`
`121`	`120`	`{`
`122`	`121`	`Error = new OAuthValidationError`
`123`	`122`	`{`
`124`	`123`	`Error = OAuthValidationConstants.Errors.InvalidToken,`
`125`		`- ErrorDescription = "The access token is expired."`
	`124`	`+ ErrorDescription = "The access token is not valid for this resource server."`
`126`	`125`	`}`
`127`	`126`	`});`
`128`	`127`
`129`		`- return AuthenticateResult.Fail("Authentication failed because the access token was expired.");`
	`128`	`+ return AuthenticateResult.Fail("Authentication failed because the access token " +`
	`129`	`+ "was not valid for this resource server.");`
`130`	`130`	`}`
`131`	`131`
`132`	`132`	`var notification = new ValidateTokenContext(Context, Options, ticket);`
Original file line number	Diff line number	Diff line change
`@@ -571,7 +571,7 @@ public async Task HandleUnauthorizedAsync_ErrorDetailsAreResolvedFromChallengeCo`
`571`	`571`
`572`	`572`	`[Theory]`
`573`	`573`	`[InlineData("invalid-token", OAuthIntrospectionConstants.Errors.InvalidToken, "The access token is not valid.")]`
`574`		`- [InlineData("expired-token", OAuthIntrospectionConstants.Errors.InvalidToken, "The access token is expired.")]`
	`574`	`+ [InlineData("expired-token", OAuthIntrospectionConstants.Errors.InvalidToken, "The access token is no longer valid.")]`
`575`	`575`	`public async Task HandleUnauthorizedAsync_ErrorDetailsAreInferredFromAuthenticationFailure(`
`576`	`576`	`string token, string error, string description)`
`577`	`577`	`{`
Original file line number	Diff line number	Diff line change
`@@ -558,7 +558,7 @@ public async Task HandleUnauthorizedAsync_ErrorDetailsAreResolvedFromChallengeCo`
`558`	`558`
`559`	`559`	`[Theory]`
`560`	`560`	`[InlineData("invalid-token", OAuthValidationConstants.Errors.InvalidToken, "The access token is not valid.")]`
`561`		`- [InlineData("expired-token", OAuthValidationConstants.Errors.InvalidToken, "The access token is expired.")]`
	`561`	`+ [InlineData("expired-token", OAuthValidationConstants.Errors.InvalidToken, "The access token is no longer valid.")]`
`562`	`562`	`public async Task HandleUnauthorizedAsync_ErrorDetailsAreInferredFromAuthenticationFailure(`
`563`	`563`	`string token, string error, string description)`
`564`	`564`	`{`
Original file line number	Diff line number	Diff line change
`@@ -553,7 +553,7 @@ public async Task HandleUnauthorizedAsync_ErrorDetailsAreResolvedFromChallengeCo`
`553`	`553`
`554`	`554`	`[Theory]`
`555`	`555`	`[InlineData("invalid-token", OAuthIntrospectionConstants.Errors.InvalidToken, "The access token is not valid.")]`
`556`		`- [InlineData("expired-token", OAuthIntrospectionConstants.Errors.InvalidToken, "The access token is expired.")]`
	`556`	`+ [InlineData("expired-token", OAuthIntrospectionConstants.Errors.InvalidToken, "The access token is no longer valid.")]`
`557`	`557`	`public async Task HandleUnauthorizedAsync_ErrorDetailsAreInferredFromAuthenticationFailure(`
`558`	`558`	`string token, string error, string description)`
`559`	`559`	`{`
Original file line number	Diff line number	Diff line change
`@@ -542,7 +542,7 @@ public async Task HandleUnauthorizedAsync_ErrorDetailsAreResolvedFromChallengeCo`
`542`	`542`
`543`	`543`	`[Theory]`
`544`	`544`	`[InlineData("invalid-token", OAuthValidationConstants.Errors.InvalidToken, "The access token is not valid.")]`
`545`		`- [InlineData("expired-token", OAuthValidationConstants.Errors.InvalidToken, "The access token is expired.")]`
	`545`	`+ [InlineData("expired-token", OAuthValidationConstants.Errors.InvalidToken, "The access token is no longer valid.")]`
`546`	`546`	`public async Task HandleUnauthorizedAsync_ErrorDetailsAreInferredFromAuthenticationFailure(`
`547`	`547`	`string token, string error, string description)`
`548`	`548`	`{`