asp.net mvc - Refresh token doesn't fail after deleting the user -


i'd know if it's failure or bug/feature of asp.net identity.

we use asp.net identity 1.0 in our asp.net mvc 5 project. oauth configured this:

public partial class startup {     static startup()     {         publicclientid = "self";          usermanagerfactory = () => new usermanager<applicationuser>(new userstore<applicationuser>(new applicationdbcontext()));          oauthoptions = new oauthauthorizationserveroptions         {             tokenendpointpath = new pathstring("/token"),             provider = new applicationoauthprovider(publicclientid, usermanagerfactory),             refreshtokenprovider = new authenticationtokenprovider()             {                 oncreate = createrefreshtoken,                 onreceive = receiverefreshtoken             },             authorizeendpointpath = new pathstring("/api/account/externallogin"),             accesstokenexpiretimespan = timespan.fromdays(14),             allowinsecurehttp = true         };     }      public static oauthauthorizationserveroptions oauthoptions { get; private set; }      public static func<sphusermanager> usermanagerfactory { get; set; }      public static string publicclientid { get; private set; }      // more information on configuring authentication, please visit http://go.microsoft.com/fwlink/?linkid=301864     public void configureauth(iappbuilder app)     {         // enable application use cookie store information signed in user         app.usecookieauthentication(new cookieauthenticationoptions         {             authenticationtype = defaultauthenticationtypes.applicationcookie,             loginpath = new pathstring("/login")         });          // use cookie temporarily store information user logging in third party login provider         app.useexternalsignincookie(defaultauthenticationtypes.externalcookie);          // enable application use bearer tokens authenticate users         app.useoauthbearertokens(oauthoptions);     }      private static void createrefreshtoken(authenticationtokencreatecontext context)     {         context.settoken(context.serializeticket());     }     private static void receiverefreshtoken(authenticationtokenreceivecontext context)     {         context.deserializeticket(context.token);     } }

we use web api register , login user. refresh token used refresh access token. didn't expect:

  1. register user
  2. login user , obtain access token , refresh token (/token, grant_type=password...)
  3. delete user (directly database or in administration).
  4. call refresh token , request not fail. access token prolonged , user still authenticated (/token, grant_type=refresh_token...)

is correct behavior? should special "invalidate" tokens?

refresh token supports in katana oauth2 middleware you, if delete user it's logic revoke (delete) refresh tokens user.


Comments

Post a Comment

Popular posts from this blog

android - Get AccessToken using signpost OAuth without opening a browser (Two legged Oauth) -

i using signpost oauth access data magento server. have read various tutorials on same , reach point open browser user can enter credentials. however, per requirement have automate part. hence, user should not browser page. have set-up done on server side ( magento ), hit url , returned call page. same through program in android. i have tried below, consumer = new commonshttpoauthconsumer(key, secret); provider = new commonshttpoauthprovider(oauth_init_url,access_token_url, authorize_url); try { provider.retrieverequesttoken(consumer, oauth.out_of_band); log.d("tokens" , consumer.gettoken() + " -- " + consumer.gettokensecret()); } and request tokens. dont know how bypass next step. tried directly accessing accesstoken (stupid of me) provider.retrieveaccesstoken(consumer, "mycallback://callback"); no luck, ends in oauth.signpost.exception.oauthnotauthorizedexception: authorization failed (server replied 401). ...
Read more

org.mockito.exceptions.misusing.InvalidUseOfMatchersException: mockito -

getting error org.mockito.exceptions.misusing.invaliduseofmatchersexception: invalid use of argument matchers! 1 matchers expected, 2 recorded. exception may occur if matchers combined raw values: //incorrect: somemethod(anyobject(), "raw string"); when using matchers, arguments have provided matchers. example: //correct: somemethod(anyobject(), eq("string matcher")); at when( getprogramservice .callservice(any(getprogramtype.class))) .thenreturn(jaxbresponse); please explain error , possible resolution the code posted looks fine; don't see problem it. code before or above causing exception. key here: invalid use of argument matchers! 1 matchers expected, 2 recorded. any , used above, doesn't return "special kind of null" or "special kind of getprogramtype"; don't exist. instead, returns null , side effect puts matcher on stack. whe...
Read more

google shop client API returns 400 bad request error while adding an item -

i'm working on solution add items in google shopping market java application. following tutorial real mess because of missing classes of laste release, after setting 1.5-beta maven managed make base example typecheck correctly classes. still can make simple task of adding 1 item. instead of posting whole code i'm posting part creates product feed. private product createproduct(string id) { product product = new product(); product.title = "red wool sweater"; product.content = new content( "text", "comfortable , soft, sweater keep warm on " + "cold winter nights. red , blue stripes."); product.appcontrol = new appcontrol(); product.appcontrol.addrequireddestination("productads"); product.externalid = id; product.lang = "it"; product.country = "it"; product.condition = "nuovo"; product.price = new price("eu...
Read more