Make the caching policy configurable

Author: kevinchalet

src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionHandler.cs

@@ -18,7 +18,6 @@
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Http.Authentication;
 using Microsoft.AspNetCore.Http.Features.Authentication;
-using Microsoft.Extensions.Caching.Distributed;
 using Microsoft.Extensions.Logging;
 using Microsoft.Net.Http.Headers;
 using Newtonsoft.Json;
@@ -361,7 +360,7 @@ protected override async Task<bool> HandleUnauthorizedAsync(ChallengeContext con
             return false;
         }
 
-        protected virtual async Task<JObject> GetIntrospectionPayloadAsync(string token)
+        private async Task<JObject> GetIntrospectionPayloadAsync(string token)
         {
             var configuration = await Options.ConfigurationManager.GetConfigurationAsync(Context.RequestAborted);
             if (configuration == null)
@@ -455,7 +454,7 @@ exception is JsonReaderException ||
             }
         }
 
-        protected virtual bool ValidateAudience(AuthenticationTicket ticket)
+        private bool ValidateAudience(AuthenticationTicket ticket)
         {
             // If no explicit audience has been configured,
             // skip the default audience validation.
@@ -464,9 +463,9 @@ protected virtual bool ValidateAudience(AuthenticationTicket ticket)
                 return true;
             }
 
-            string audiences;
             // Extract the audiences from the authentication ticket.
-            if (!ticket.Properties.Items.TryGetValue(OAuthIntrospectionConstants.Properties.Audiences, out audiences))
+            var audiences = ticket.Properties.GetProperty(OAuthIntrospectionConstants.Properties.Audiences);
+            if (string.IsNullOrEmpty(audiences))
             {
                 return false;
             }
@@ -483,7 +482,7 @@ protected virtual bool ValidateAudience(AuthenticationTicket ticket)
             return false;
         }
 
-        protected virtual async Task<AuthenticationTicket> CreateTicketAsync(string token, JObject payload)
+        private async Task<AuthenticationTicket> CreateTicketAsync(string token, JObject payload)
         {
             var identity = new ClaimsIdentity(Options.AuthenticationScheme, Options.NameClaimType, Options.RoleClaimType);
             var properties = new AuthenticationProperties();
@@ -743,19 +742,26 @@ protected virtual async Task<AuthenticationTicket> CreateTicketAsync(string toke
             return notification.Ticket;
         }
 
-        protected virtual Task StoreTicketAsync(string token, AuthenticationTicket ticket)
+        private Task StoreTicketAsync(string token, AuthenticationTicket ticket)
         {
+            if (Options.CachingPolicy == null)
+            {
+                return Task.FromResult(0);
+            }
+
             var bytes = Encoding.UTF8.GetBytes(Options.AccessTokenFormat.Protect(ticket));
             Debug.Assert(bytes != null);
 
-            return Options.Cache.SetAsync(token, bytes, new DistributedCacheEntryOptions
-            {
-                AbsoluteExpiration = Options.SystemClock.UtcNow + TimeSpan.FromMinutes(15)
-            });
+            return Options.Cache.SetAsync(token, bytes, Options.CachingPolicy);
         }
 
-        protected virtual async Task<AuthenticationTicket> RetrieveTicketAsync(string token)
+        private async Task<AuthenticationTicket> RetrieveTicketAsync(string token)
         {
+            if (Options.CachingPolicy == null)
+            {
+                return null;
+            }
+
             // Retrieve the serialized ticket from the distributed cache.
             // If no corresponding entry can be found, null is returned.
             var bytes = await Options.Cache.GetAsync(token);

src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionHelpers.cs

@@ -27,8 +27,7 @@ public static string GetProperty([NotNull] this AuthenticationProperties propert
                 throw new ArgumentException("The property name cannot be null or empty.", nameof(property));
             }
 
-            string value;
-            if (!properties.Items.TryGetValue(property, out value))
+            if (!properties.Items.TryGetValue(property, out string value))
             {
                 return null;
             }

src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionOptions.cs

@@ -109,11 +109,22 @@ public OAuthIntrospectionOptions()
         public string RoleClaimType { get; set; } = OAuthIntrospectionConstants.Claims.Role;
 
         /// <summary>
-        /// Gets or sets the cache used to store the authentication tickets
-        /// resolved from the access tokens received by the resource server.
+        /// Gets or sets the cache used to store the access tokens/authentication tickets
+        /// and the introspection responses returned received by the resource server.
         /// </summary>
         public IDistributedCache Cache { get; set; }
 
+        /// <summary>
+        /// Gets or sets the caching policy used to determine
+        /// how long the introspection responses should be cached.
+        /// Note: this property can be set to <c>null</c> to
+        /// prevent the introspection responses from being cached.
+        /// </summary>
+        public DistributedCacheEntryOptions CachingPolicy { get; set; } = new DistributedCacheEntryOptions
+        {
+            AbsoluteExpirationRelativeToNow = TimeSpan.FromMinutes(15)
+        };
+
         /// <summary>
         /// Gets or sets the object provided by the application to process events raised by the authentication middleware.
         /// The application may implement the interface fully, or it may create an instance of

src/AspNet.Security.OAuth.Validation/OAuthValidationHandler.cs

@@ -339,7 +339,7 @@ protected override async Task<bool> HandleUnauthorizedAsync(ChallengeContext con
             return false;
         }
 
-        protected virtual bool ValidateAudience(AuthenticationTicket ticket)
+        private bool ValidateAudience(AuthenticationTicket ticket)
         {
             // If no explicit audience has been configured,
             // skip the default audience validation.
@@ -348,9 +348,9 @@ protected virtual bool ValidateAudience(AuthenticationTicket ticket)
                 return true;
             }
 
-            string audiences;
             // Extract the audiences from the authentication ticket.
-            if (!ticket.Properties.Items.TryGetValue(OAuthValidationConstants.Properties.Audiences, out audiences))
+            var audiences = ticket.Properties.GetProperty(OAuthValidationConstants.Properties.Audiences);
+            if (string.IsNullOrEmpty(audiences))
             {
                 return false;
             }
@@ -367,7 +367,7 @@ protected virtual bool ValidateAudience(AuthenticationTicket ticket)
             return false;
         }
 
-        protected virtual async Task<AuthenticationTicket> CreateTicketAsync(string token)
+        private async Task<AuthenticationTicket> CreateTicketAsync(string token)
         {
             var ticket = Options.AccessTokenFormat.Unprotect(token);
             if (ticket == null)
@@ -387,10 +387,10 @@ protected virtual async Task<AuthenticationTicket> CreateTicketAsync(string toke
             // Resolve the primary identity associated with the principal.
             var identity = (ClaimsIdentity) ticket.Principal.Identity;
 
-            string scopes;
             // Copy the scopes extracted from the authentication ticket to the
             // ClaimsIdentity to make them easier to retrieve from application code.
-            if (ticket.Properties.Items.TryGetValue(OAuthValidationConstants.Properties.Scopes, out scopes))
+            var scopes = ticket.Properties.GetProperty(OAuthValidationConstants.Properties.Scopes);
+            if (!string.IsNullOrEmpty(scopes))
             {
                 foreach (var scope in JArray.Parse(scopes).Values<string>())
                 {

src/AspNet.Security.OAuth.Validation/OAuthValidationHelpers.cs

@@ -27,8 +27,7 @@ public static string GetProperty([NotNull] this AuthenticationProperties propert
                 throw new ArgumentException("The property name cannot be null or empty.", nameof(property));
             }
 
-            string value;
-            if (!properties.Items.TryGetValue(property, out value))
+            if (!properties.Items.TryGetValue(property, out string value))
             {
                 return null;
             }

src/Owin.Security.OAuth.Introspection/OAuthIntrospectionHandler.cs

@@ -350,7 +350,7 @@ protected override async Task ApplyResponseChallengeAsync()
             }
         }
 
-        protected virtual async Task<JObject> GetIntrospectionPayloadAsync(string token)
+        private async Task<JObject> GetIntrospectionPayloadAsync(string token)
         {
             var configuration = await Options.ConfigurationManager.GetConfigurationAsync(Request.CallCancelled);
             if (configuration == null)
@@ -445,7 +445,7 @@ exception is JsonReaderException ||
             }
         }
 
-        protected virtual bool ValidateAudience(AuthenticationTicket ticket)
+        private bool ValidateAudience(AuthenticationTicket ticket)
         {
             // If no explicit audience has been configured,
             // skip the default audience validation.
@@ -454,9 +454,9 @@ protected virtual bool ValidateAudience(AuthenticationTicket ticket)
                 return true;
             }
 
-            string audiences;
             // Extract the audiences from the authentication ticket.
-            if (!ticket.Properties.Dictionary.TryGetValue(OAuthIntrospectionConstants.Properties.Audiences, out audiences))
+            var audiences = ticket.Properties.GetProperty(OAuthIntrospectionConstants.Properties.Audiences);
+            if (string.IsNullOrEmpty(audiences))
             {
                 return false;
             }
@@ -473,7 +473,7 @@ protected virtual bool ValidateAudience(AuthenticationTicket ticket)
             return false;
         }
 
-        protected virtual async Task<AuthenticationTicket> CreateTicketAsync(string token, JObject payload)
+        private async Task<AuthenticationTicket> CreateTicketAsync(string token, JObject payload)
         {
             var identity = new ClaimsIdentity(Options.AuthenticationType, Options.NameClaimType, Options.RoleClaimType);
             var properties = new AuthenticationProperties();
@@ -728,19 +728,26 @@ protected virtual async Task<AuthenticationTicket> CreateTicketAsync(string toke
             return notification.Ticket;
         }
 
-        protected virtual Task StoreTicketAsync(string token, AuthenticationTicket ticket)
+        private Task StoreTicketAsync(string token, AuthenticationTicket ticket)
         {
+            if (Options.CachingPolicy == null)
+            {
+                return Task.FromResult(0);
+            }
+
             var bytes = Encoding.UTF8.GetBytes(Options.AccessTokenFormat.Protect(ticket));
             Debug.Assert(bytes != null);
 
-            return Options.Cache.SetAsync(token, bytes, new DistributedCacheEntryOptions
-            {
-                AbsoluteExpiration = Options.SystemClock.UtcNow + TimeSpan.FromMinutes(15)
-            });
+            return Options.Cache.SetAsync(token, bytes, Options.CachingPolicy);
         }
 
-        protected virtual async Task<AuthenticationTicket> RetrieveTicketAsync(string token)
+        private async Task<AuthenticationTicket> RetrieveTicketAsync(string token)
         {
+            if (Options.CachingPolicy == null)
+            {
+                return null;
+            }
+
             // Retrieve the serialized ticket from the distributed cache.
             // If no corresponding entry can be found, null is returned.
             var bytes = await Options.Cache.GetAsync(token);
@@ -752,6 +759,6 @@ protected virtual async Task<AuthenticationTicket> RetrieveTicketAsync(string to
             return Options.AccessTokenFormat.Unprotect(Encoding.UTF8.GetString(bytes));
         }
 
-        public ILogger Logger => Options.Logger;
+        private ILogger Logger => Options.Logger;
     }
 }

src/Owin.Security.OAuth.Introspection/OAuthIntrospectionHelpers.cs

@@ -27,8 +27,7 @@ public static string GetProperty([NotNull] this AuthenticationProperties propert
                 throw new ArgumentException("The property name cannot be null or empty.", nameof(property));
             }
 
-            string value;
-            if (!properties.Dictionary.TryGetValue(property, out value))
+            if (!properties.Dictionary.TryGetValue(property, out string value))
             {
                 return null;
             }

src/Owin.Security.OAuth.Introspection/OAuthIntrospectionOptions.cs

@@ -108,11 +108,22 @@ public OAuthIntrospectionOptions()
         public string RoleClaimType { get; set; } = OAuthIntrospectionConstants.Claims.Role;
 
         /// <summary>
-        /// Gets or sets the cache used to store the authentication tickets
-        /// resolved from the access tokens received by the resource server.
+        /// Gets or sets the cache used to store the access tokens/authentication tickets
+        /// and the introspection responses returned received by the resource server.
         /// </summary>
         public IDistributedCache Cache { get; set; }
 
+        /// <summary>
+        /// Gets or sets the caching policy used to determine
+        /// how long the introspection responses should be cached.
+        /// Note: this property can be set to <c>null</c> to
+        /// prevent the introspection responses from being cached.
+        /// </summary>
+        public DistributedCacheEntryOptions CachingPolicy { get; set; } = new DistributedCacheEntryOptions
+        {
+            AbsoluteExpirationRelativeToNow = TimeSpan.FromMinutes(15)
+        };
+
         /// <summary>
         /// Gets or sets the object provided by the application to process events raised by the authentication middleware.
         /// The application may implement the interface fully, or it may create an instance of

src/Owin.Security.OAuth.Validation/OAuthValidationHandler.cs

@@ -328,7 +328,7 @@ protected override async Task ApplyResponseChallengeAsync()
             }
         }
 
-        protected virtual bool ValidateAudience(AuthenticationTicket ticket)
+        private bool ValidateAudience(AuthenticationTicket ticket)
         {
             // If no explicit audience has been configured,
             // skip the default audience validation.
@@ -337,9 +337,9 @@ protected virtual bool ValidateAudience(AuthenticationTicket ticket)
                 return true;
             }
 
-            string audiences;
             // Extract the audiences from the authentication ticket.
-            if (!ticket.Properties.Dictionary.TryGetValue(OAuthValidationConstants.Properties.Audiences, out audiences))
+            var audiences = ticket.Properties.GetProperty(OAuthValidationConstants.Properties.Audiences);
+            if (string.IsNullOrEmpty(audiences))
             {
                 return false;
             }
@@ -356,7 +356,7 @@ protected virtual bool ValidateAudience(AuthenticationTicket ticket)
             return false;
         }
 
-        protected virtual async Task<AuthenticationTicket> CreateTicketAsync(string token)
+        private async Task<AuthenticationTicket> CreateTicketAsync(string token)
         {
             var ticket = Options.AccessTokenFormat.Unprotect(token);
             if (ticket == null)
@@ -370,10 +370,10 @@ protected virtual async Task<AuthenticationTicket> CreateTicketAsync(string toke
                 ticket.Properties.Dictionary[OAuthValidationConstants.Properties.Token] = token;
             }
 
-            string scopes;
             // Copy the scopes extracted from the authentication ticket to the
             // ClaimsIdentity to make them easier to retrieve from application code.
-            if (ticket.Properties.Dictionary.TryGetValue(OAuthValidationConstants.Properties.Scopes, out scopes))
+            var scopes = ticket.Properties.GetProperty(OAuthValidationConstants.Properties.Scopes);
+            if (!string.IsNullOrEmpty(scopes))
             {
                 foreach (var scope in JArray.Parse(scopes).Values<string>())
                 {
@@ -404,6 +404,6 @@ protected virtual async Task<AuthenticationTicket> CreateTicketAsync(string toke
             return notification.Ticket;
         }
 
-        public ILogger Logger => Options.Logger;
+        private ILogger Logger => Options.Logger;
     }
 }

src/Owin.Security.OAuth.Validation/OAuthValidationHelpers.cs

@@ -27,8 +27,7 @@ public static string GetProperty([NotNull] this AuthenticationProperties propert
                 throw new ArgumentException("The property name cannot be null or empty.", nameof(property));
             }
 
-            string value;
-            if (!properties.Dictionary.TryGetValue(property, out value))
+            if (!properties.Dictionary.TryGetValue(property, out string value))
             {
                 return null;
             }