Update the introspection middleware to support the "token_usage" claim

Author: kevinchalet

src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionConstants.cs

@@ -21,6 +21,7 @@ public static class Claims
             public const string Scope = "scope";
             public const string Subject = "sub";
             public const string TokenType = "token_type";
+            public const string TokenUsage = "token_usage";
             public const string Username = "username";
         }
 
@@ -64,15 +65,16 @@ public static class Parameters
 
         public static class Properties
         {
+            public const string AccessToken = "access_token";
             public const string Audiences = ".audiences";
             public const string Error = ".error";
             public const string ErrorDescription = ".error_description";
             public const string ErrorUri = ".error_uri";
             public const string Realm = ".realm";
             public const string Scope = ".scope";
             public const string Scopes = ".scopes";
-            public const string TicketId = ".ticket_id";
-            public const string Token = "access_token";
+            public const string TokenId = ".token_id";
+            public const string TokenUsage = ".token_usage";
         }
 
         public static class Schemes
@@ -90,5 +92,10 @@ public static class TokenTypeHints
         {
             public const string AccessToken = "access_token";
         }
+
+        public static class TokenUsages
+        {
+            public const string AccessToken = "access_token";
+        }
     }
 }

src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionHandler.cs

@@ -120,6 +120,21 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
                 await StoreTicketAsync(token, ticket);
             }
 
+            // Ensure that the token can be used as an access token.
+            if (!ValidateTokenUsage(ticket))
+            {
+                Context.Features.Set(new OAuthIntrospectionFeature
+                {
+                    Error = new OAuthIntrospectionError
+                    {
+                        Error = OAuthIntrospectionConstants.Errors.InvalidToken,
+                        ErrorDescription = "The access token is not valid."
+                    }
+                });
+
+                return AuthenticateResult.Fail("Authentication failed because the token was not an access token.");
+            }
+
             // Ensure that the authentication ticket is still valid.
             if (ticket.Properties.ExpiresUtc.HasValue &&
                 ticket.Properties.ExpiresUtc.Value < Options.SystemClock.UtcNow)
@@ -484,6 +499,21 @@ exception is JsonReaderException ||
             }
         }
 
+        private bool ValidateTokenUsage(AuthenticationTicket ticket)
+        {
+            // Try to extract the "token_usage" resolved from the introspection response.
+            // If this non-standard claim was not returned by the authorization server,
+            // assume the validated token can be used as an access token.
+            var usage = ticket.Properties.GetProperty(OAuthIntrospectionConstants.Properties.TokenUsage);
+            if (string.IsNullOrEmpty(usage))
+            {
+                return true;
+            }
+
+            // If the "token_usage" claim was returned, it must be equal to "access_token".
+            return string.Equals(usage, OAuthIntrospectionConstants.TokenUsages.AccessToken, StringComparison.OrdinalIgnoreCase);
+        }
+
         private bool ValidateAudience(AuthenticationTicket ticket)
         {
             // If no explicit audience has been configured,
@@ -522,7 +552,7 @@ private async Task<AuthenticationTicket> CreateTicketAsync(string token, JObject
                 // Store the access token in the authentication ticket.
                 properties.StoreTokens(new[]
                 {
-                    new AuthenticationToken { Name = OAuthIntrospectionConstants.Properties.Token, Value = token }
+                    new AuthenticationToken { Name = OAuthIntrospectionConstants.Properties.AccessToken, Value = token }
                 });
             }
 
@@ -546,6 +576,20 @@ private async Task<AuthenticationTicket> CreateTicketAsync(string token, JObject
                     case OAuthIntrospectionConstants.Claims.NotBefore:
                         continue;
 
+                    case OAuthIntrospectionConstants.Claims.TokenUsage:
+                    {
+                        if (property.Value.Type != JTokenType.String)
+                        {
+                            Logger.LogWarning("The 'token_usage' claim was ignored because it was not a string value.");
+
+                            continue;
+                        }
+
+                        properties.Items[OAuthIntrospectionConstants.Properties.TokenUsage] = (string) property.Value;
+
+                        continue;
+                    }
+
                     case OAuthIntrospectionConstants.Claims.IssuedAt:
                     {
                         // Note: the iat claim must be a numeric date value.
@@ -594,7 +638,7 @@ private async Task<AuthenticationTicket> CreateTicketAsync(string token, JObject
                             continue;
                         }
 
-                        properties.Items[OAuthIntrospectionConstants.Properties.TicketId] = (string) property;
+                        properties.Items[OAuthIntrospectionConstants.Properties.TokenId] = (string) property;
 
                         continue;
                     }

src/Owin.Security.OAuth.Introspection/OAuthIntrospectionConstants.cs

@@ -21,6 +21,7 @@ public static class Claims
             public const string Scope = "scope";
             public const string Subject = "sub";
             public const string TokenType = "token_type";
+            public const string TokenUsage = "token_usage";
             public const string Username = "username";
         }
 
@@ -70,15 +71,16 @@ public static class Parameters
 
         public static class Properties
         {
+            public const string AccessToken = "access_token";
             public const string Audiences = ".audiences";
             public const string Error = ".error";
             public const string ErrorDescription = ".error_description";
             public const string ErrorUri = ".error_uri";
             public const string Realm = ".realm";
             public const string Scope = ".scope";
             public const string Scopes = ".scopes";
-            public const string TicketId = ".ticket_id";
-            public const string Token = "access_token";
+            public const string TokenId = ".token_id";
+            public const string TokenUsage = ".token_usage";
         }
 
         public static class Schemes
@@ -96,5 +98,10 @@ public static class TokenTypeHints
         {
             public const string AccessToken = "access_token";
         }
+
+        public static class TokenUsages
+        {
+            public const string AccessToken = "access_token";
+        }
     }
 }

src/Owin.Security.OAuth.Introspection/OAuthIntrospectionHandler.cs

@@ -118,6 +118,20 @@ protected override async Task<AuthenticationTicket> AuthenticateCoreAsync()
                 await StoreTicketAsync(token, ticket);
             }
 
+            // Ensure that the token can be used as an access token.
+            if (!ValidateTokenUsage(ticket))
+            {
+                Logger.LogError("Authentication failed because the token was not an access token.");
+
+                Context.Set(typeof(OAuthIntrospectionError).FullName, new OAuthIntrospectionError
+                {
+                    Error = OAuthIntrospectionConstants.Errors.InvalidToken,
+                    ErrorDescription = "The access token is not valid."
+                });
+
+                return null;
+            }
+
             // Ensure that the authentication ticket is still valid.
             if (ticket.Properties.ExpiresUtc.HasValue &&
                 ticket.Properties.ExpiresUtc.Value < Options.SystemClock.UtcNow)
@@ -474,6 +488,21 @@ exception is JsonReaderException ||
             }
         }
 
+        private bool ValidateTokenUsage(AuthenticationTicket ticket)
+        {
+            // Try to extract the "token_usage" resolved from the introspection response.
+            // If this non-standard claim was not returned by the authorization server,
+            // assume the validated token can be used as an access token.
+            var usage = ticket.Properties.GetProperty(OAuthIntrospectionConstants.Properties.TokenUsage);
+            if (string.IsNullOrEmpty(usage))
+            {
+                return true;
+            }
+
+            // If the "token_usage" claim was returned, it must be equal to "access_token".
+            return string.Equals(usage, OAuthIntrospectionConstants.TokenUsages.AccessToken, StringComparison.OrdinalIgnoreCase);
+        }
+
         private bool ValidateAudience(AuthenticationTicket ticket)
         {
             // If no explicit audience has been configured,
@@ -510,7 +539,7 @@ private async Task<AuthenticationTicket> CreateTicketAsync(string token, JObject
             if (Options.SaveToken)
             {
                 // Store the access token in the authentication ticket.
-                properties.Dictionary[OAuthIntrospectionConstants.Properties.Token] = token;
+                properties.Dictionary[OAuthIntrospectionConstants.Properties.AccessToken] = token;
             }
 
             foreach (var property in payload.Properties())
@@ -533,6 +562,20 @@ private async Task<AuthenticationTicket> CreateTicketAsync(string token, JObject
                     case OAuthIntrospectionConstants.Claims.NotBefore:
                         continue;
 
+                    case OAuthIntrospectionConstants.Claims.TokenUsage:
+                    {
+                        if (property.Value.Type != JTokenType.String)
+                        {
+                            Logger.LogWarning("The 'token_usage' claim was ignored because it was not a string value.");
+
+                            continue;
+                        }
+
+                        properties.Dictionary[OAuthIntrospectionConstants.Properties.TokenUsage] = (string) property.Value;
+
+                        continue;
+                    }
+
                     case OAuthIntrospectionConstants.Claims.IssuedAt:
                     {
                         // Note: the iat claim must be a numeric date value.
@@ -581,7 +624,7 @@ private async Task<AuthenticationTicket> CreateTicketAsync(string token, JObject
                             continue;
                         }
 
-                        properties.Dictionary[OAuthIntrospectionConstants.Properties.TicketId] = (string) property;
+                        properties.Dictionary[OAuthIntrospectionConstants.Properties.TokenId] = (string) property;
 
                         continue;
                     }

test/AspNet.Security.OAuth.Introspection.Tests/OAuthIntrospectionHandlerTests.cs

@@ -82,6 +82,77 @@ public async Task HandleAuthenticateAsync_ValidTokenAllowsSuccessfulAuthenticati
             Assert.Equal("Fabrikam", await response.Content.ReadAsStringAsync());
         }
 
+        [Fact]
+        public async Task HandleAuthenticateAsync_MissingTokenUsageAllowsSuccessfulAuthentication()
+        {
+            // Arrange
+            var server = CreateResourceServer();
+            var client = server.CreateClient();
+
+            var request = new HttpRequestMessage(HttpMethod.Get, "/");
+            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "valid-token-without-usage");
+
+            // Act
+            var response = await client.SendAsync(request);
+
+            // Assert
+            Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+            Assert.Equal("Fabrikam", await response.Content.ReadAsStringAsync());
+        }
+
+        [Fact]
+        public async Task HandleAuthenticateAsync_InvalidTokenUsageCausesInvalidAuthentication()
+        {
+            // Arrange
+            var server = CreateResourceServer();
+            var client = server.CreateClient();
+
+            var request = new HttpRequestMessage(HttpMethod.Get, "/");
+            request.Headers.Authorization = new AuthenticationHeaderValue(
+                "Bearer", "valid-token-with-invalid-usage");
+
+            // Act
+            var response = await client.SendAsync(request);
+
+            // Assert
+            Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
+        }
+
+        [Fact]
+        public async Task HandleAuthenticateAsync_ValidTokenUsageAllowsSuccessfulAuthentication()
+        {
+            // Arrange
+            var server = CreateResourceServer();
+            var client = server.CreateClient();
+
+            var request = new HttpRequestMessage(HttpMethod.Get, "/");
+            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "valid-token");
+
+            // Act
+            var response = await client.SendAsync(request);
+
+            // Assert
+            Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+            Assert.Equal("Fabrikam", await response.Content.ReadAsStringAsync());
+        }
+
+        [Fact]
+        public async Task HandleAuthenticateAsync_ExpiredTicketCausesInvalidAuthentication()
+        {
+            // Arrange
+            var server = CreateResourceServer();
+            var client = server.CreateClient();
+
+            var request = new HttpRequestMessage(HttpMethod.Get, "/");
+            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "expired-token");
+
+            // Act
+            var response = await client.SendAsync(request);
+
+            // Assert
+            Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
+        }
+
         [Fact]
         public async Task HandleAuthenticateAsync_MissingAudienceCausesInvalidAuthentication()
         {
@@ -196,23 +267,6 @@ public async Task HandleAuthenticateAsync_MultipleMatchingAudienceCausesSuccessf
             Assert.Equal("Fabrikam", await response.Content.ReadAsStringAsync());
         }
 
-        [Fact]
-        public async Task HandleAuthenticateAsync_ExpiredTicketCausesInvalidAuthentication()
-        {
-            // Arrange
-            var server = CreateResourceServer();
-            var client = server.CreateClient();
-
-            var request = new HttpRequestMessage(HttpMethod.Get, "/");
-            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "expired-token");
-
-            // Act
-            var response = await client.SendAsync(request);
-
-            // Assert
-            Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
-        }
-
         [Fact]
         public async Task HandleAuthenticateAsync_AuthenticationTicketContainsRequiredClaims()
         {
@@ -846,6 +900,27 @@ private static TestServer CreateAuthorizationServer()
                                 payload[OAuthIntrospectionConstants.Claims.Active] = true;
                                 payload[OAuthIntrospectionConstants.Claims.JwtId] = "jwt-token-identifier";
                                 payload[OAuthIntrospectionConstants.Claims.Subject] = "Fabrikam";
+                                payload[OAuthIntrospectionConstants.Claims.TokenUsage] =
+                                    OAuthIntrospectionConstants.TokenUsages.AccessToken;
+
+                                break;
+                            }
+
+                            case "valid-token-without-usage":
+                            {
+                                payload[OAuthIntrospectionConstants.Claims.Active] = true;
+                                payload[OAuthIntrospectionConstants.Claims.JwtId] = "jwt-token-identifier";
+                                payload[OAuthIntrospectionConstants.Claims.Subject] = "Fabrikam";
+
+                                break;
+                            }
+
+                            case "valid-token-with-invalid-usage":
+                            {
+                                payload[OAuthIntrospectionConstants.Claims.Active] = true;
+                                payload[OAuthIntrospectionConstants.Claims.JwtId] = "jwt-token-identifier";
+                                payload[OAuthIntrospectionConstants.Claims.Subject] = "Fabrikam";
+                                payload[OAuthIntrospectionConstants.Claims.TokenUsage] = "refresh_token";
 
                                 break;
                             }