Merge branch 'dev'

default.ps1

@@ -11,7 +11,7 @@ properties {
 	$nuget_path = "$base_directory\nuget.exe"
 
 	$buildNumber = 0;
-	$version = "2.5.2.0"
+	$version = "2.5.3.0"
 	$preRelease = $null
 }
 

source/Core/Configuration/Hosting/ValidateAntiForgeryTokenAttribute.cs

@@ -58,6 +58,17 @@ private static async Task ValidateTokens(HttpActionContext actionContext)
                           actionContext.Request.Content.IsFormData();
             if (success)
             {
+                // ReadAsByteArrayAsync buffers the request body stream
+                // so Web API will re-use that later for model binding
+                // unfortunately the stream pointer is at the end, but 
+                // in our anti-forgery logic we use our internal ReadRequestFormAsync
+                // API to read the body, which has the side effect of resetting
+                // the stream pointer to the begining. subsequet calls to 
+                // read the form body will then succeed (e.g. via OwinContext)
+                // this is all rather unfortunate that web api prevents others
+                // from re-reading the form, but this sequence of code allow it. #lame
+                var bytes = await actionContext.Request.Content.ReadAsByteArrayAsync();
+
                 var antiForgeryToken = env.ResolveDependency<AntiForgeryToken>();
                 success = await antiForgeryToken.IsTokenValid();
             }

source/Core/Core.csproj

@@ -147,6 +147,7 @@
     <Compile Include="Endpoints\Connect\RevocationEndpointController.cs" />
     <Compile Include="Endpoints\WelcomeController.cs" />
     <Compile Include="Events\Authentication\ClientAuthenticationDetails.cs" />
+    <Compile Include="Events\Authentication\TokenRevokedDetails.cs" />
     <Compile Include="Events\EndpointDetail.cs" />
     <Compile Include="Extensions\DateTimeOffsetHelper.cs" />
     <Compile Include="Extensions\DateTimeHelper.cs" />

source/Core/Endpoints/Connect/DiscoveryEndpointController.cs

@@ -210,7 +210,14 @@ public async Task<IHttpActionResult> GetConfiguration()
                         throw new Exception("Item does already exist - cannot add it via a custom entry: " + item.Key);
                     }
 
-                    jobject.Add(new JProperty(item.Key, item.Value));
+                    if (item.Value.GetType().IsClass)
+                    {
+                        jobject.Add(new JProperty(item.Key, JToken.FromObject(item.Value)));
+                    }
+                    else
+                    {
+                        jobject.Add(new JProperty(item.Key, item.Value));
+                    }
                 }
             }
 

source/Core/Endpoints/Connect/RevocationEndpointController.cs

@@ -120,12 +120,13 @@ public async Task<IHttpActionResult> ProcessAsync(Client client, NameValueCollec
         private async Task<bool> RevokeAccessTokenAsync(string handle, Client client)
         {
             var token = await _tokenHandles.GetAsync(handle);
-
+            
             if (token != null)
             {
                 if (token.ClientId == client.ClientId)
                 {
                     await _tokenHandles.RemoveAsync(handle);
+                    await _events.RaiseTokenRevokedEventAsync(token.SubjectId, handle, Constants.TokenTypeHints.AccessToken);
                 }
                 else
                 {
@@ -152,6 +153,7 @@ private async Task<bool> RevokeRefreshTokenAsync(string handle, Client client)
                 {
                     await _refreshTokens.RevokeAsync(token.SubjectId, token.ClientId);
                     await _tokenHandles.RevokeAsync(token.SubjectId, token.ClientId);
+                    await _events.RaiseTokenRevokedEventAsync(token.SubjectId, handle, Constants.TokenTypeHints.RefreshToken);
                 }
                 else
                 {

source/Core/Events/Authentication/TokenRevokedDetails.cs

@@ -0,0 +1,48 @@
+/*
+ * Copyright 2014, 2015 Dominick Baier, Brock Allen
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+using IdentityServer3.Core.Models;
+
+namespace IdentityServer3.Core.Events
+{
+    /// <summary>
+    /// Event details for token revocation event
+    /// </summary>
+    public class TokenRevokedDetails
+    {
+        /// <summary>
+        /// Gets or sets the token.
+        /// </summary>
+        /// <value>
+        /// The token that was revoked.
+        /// </value>
+        public string Token { get; set; }
+
+        /// <summary>
+        /// Gets or sets the token toke.
+        /// </summary>
+        /// <value>
+        /// The type of token that was revoked. Access token or Refresh.
+        /// </value>
+        public string TokenType { get; set; }
+
+        /// <summary>
+        /// Gets or sets the subject Id
+        /// </summary>
+        /// <value></value>
+        public string SubjectId { get; set; }
+    }
+}

source/Core/Events/Base/EventConstants.cs

@@ -70,6 +70,8 @@ public static class Ids
 
             public const int Logout = AuthenticationEventsStart + 30;
 
+            public const int TokenRevoked = AuthenticationEventsStart + 35;
+
             public const int PartialLogin = AuthenticationEventsStart + 40;
             public const int PartialLoginComplete = AuthenticationEventsStart + 41;
 

source/Core/Extensions/IEventServiceExtensions.cs

@@ -406,6 +406,23 @@ public static async Task RaiseSuccessfulRefreshTokenRefreshEventAsync(this IEven
             await events.RaiseEventAsync(evt);
         }
 
+        public static async Task RaiseTokenRevokedEventAsync(this IEventService events, string subjectId, string token, string tokenType)
+        {
+            var evt = new Event<TokenRevokedDetails>(
+                EventConstants.Categories.Authentication,
+                Resources.Events.TokenRevoked,
+                EventTypes.Success,
+                EventConstants.Ids.TokenRevoked,
+                new TokenRevokedDetails()
+                {
+                    SubjectId = subjectId,
+                    Token = ObfuscateToken(token),
+                    TokenType = tokenType
+                });
+
+            await events.RaiseEventAsync(evt);
+        }
+
         public static async Task RaiseUnhandledExceptionEventAsync(this IEventService events, Exception exception)
         {
             var evt = new Event<object>(
@@ -478,20 +495,14 @@ public static async Task RaiseFailureEndpointEventAsync(this IEventService event
 
         public static async Task RaiseSuccessfulIntrospectionEndpointEventAsync(this IEventService events, string token, string tokenStatus, string scopeName)
         {
-            string last4chars = "****";
-            if (token.IsPresent() && token.Length > 4)
-            {
-                last4chars = token.Substring(token.Length - 4);
-            }
-
             var evt = new Event<IntrospectionEndpointDetail>(
                 EventConstants.Categories.Endpoints,
                 "Introspection endpoint success",
                 EventTypes.Success,
                 EventConstants.Ids.IntrospectionEndpointSuccess,
                 new IntrospectionEndpointDetail
                 {
-                    Token = "***" + last4chars,
+                    Token = ObfuscateToken(token),
                     TokenStatus = tokenStatus,
                     ScopeName = scopeName
                 });
@@ -501,20 +512,14 @@ public static async Task RaiseSuccessfulIntrospectionEndpointEventAsync(this IEv
 
         public static async Task RaiseFailureIntrospectionEndpointEventAsync(this IEventService events, string error, string token, string scopeName)
         {
-            string last4chars = "****";
-            if (token.IsPresent() && token.Length > 4)
-            {
-                last4chars = token.Substring(token.Length - 4);
-            }
-
             var evt = new Event<IntrospectionEndpointDetail>(
                  EventConstants.Categories.Endpoints,
                  "Introspection endpoint failure",
                  EventTypes.Failure,
                  EventConstants.Ids.IntrospectionEndpointFailure,
                  new IntrospectionEndpointDetail
                  {
-                     Token = "***" + last4chars,
+                     Token = ObfuscateToken(token),
                      ScopeName = scopeName
                  },
                  error);
@@ -659,5 +664,16 @@ private static async Task RaiseEventAsync<T>(this IEventService events, Event<T>
 
             await events.RaiseAsync(evt);
         }
+
+        private static string ObfuscateToken(string token)
+        {
+            string last4chars = "****";
+            if (token.IsPresent() && token.Length > 4)
+            {
+                last4chars = token.Substring(token.Length - 4);
+            }
+
+            return "****" + last4chars;
+        }
     }
 }

source/Core/Resources/Events.resx

@@ -159,4 +159,7 @@
   <data name="ResourceOwnerFlowLoginSuccess" xml:space="preserve">
     <value>Resource Owner Password Flow Login Success</value>
   </data>
+  <data name="TokenRevoked" xml:space="preserve">
+    <value>Token Revoked Event</value>
+  </data>
 </root>

source/Core/Results/TokenResult.cs

@@ -22,7 +22,6 @@
 using System.Linq;
 using System.Net;
 using System.Net.Http;
-using System.Net.Http.Formatting;
 using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
@@ -76,13 +75,19 @@ private HttpResponseMessage Execute()
                         throw new Exception("Item does already exist - cannot add it via a custom entry: " + item.Key);
                     }
 
-                    jobject.Add(new JProperty(item.Key, item.Value));
+                    if (item.Value.GetType().IsClass)
+                    {
+                        jobject.Add(new JProperty(item.Key, JToken.FromObject(item.Value)));
+                    }
+                    else
+                    {
+                        jobject.Add(new JProperty(item.Key, item.Value));
+                    }
                 }
             }
 
             var response = new HttpResponseMessage(HttpStatusCode.OK)
             {
-                //Content = new ObjectContent<JObject>(jobject, new JsonMediaTypeFormatter())
                 Content = new StringContent(jobject.ToString(Formatting.None), Encoding.UTF8, "application/json")
             };
 

source/Host.Configuration/Extensions/CustomTokenResponseGenerator.cs

@@ -10,8 +10,16 @@ class CustomTokenResponseGenerator : ICustomTokenResponseGenerator
         public Task<TokenResponse> GenerateAsync(ValidatedTokenRequest request, TokenResponse response)
         {
             response.Custom.Add("custom_field", "custom data");
+            response.Custom.Add("custom_complex_field", new ResponsePoco { SomeString = "foo", SomeInt = 42 });
+
 
             return Task.FromResult(response);
         }
     }
+
+    class ResponsePoco
+    {
+        public string SomeString { get; set; }
+        public int SomeInt { get; set; }
+    }
 }

source/Tests/UnitTests/Core.Tests.csproj

@@ -194,6 +194,7 @@
     <Compile Include="Endpoints\Connect\PoP\PoPAsymmetricTestsRefresh.cs" />
     <Compile Include="Endpoints\Connect\PoP\PoPAsymmetricTestsCode.cs" />
     <Compile Include="Endpoints\Connect\PoP\RsaPublicKeyJwk.cs" />
+    <Compile Include="Endpoints\Setup\MockUserService.cs" />
     <Compile Include="Services\Default\DefaultCorsPolicyServiceTests.cs" />
     <Compile Include="Services\Default\DefaultLocalizationServiceTests.cs" />
     <Compile Include="Services\Default\DefaultRefreshTokenServiceTests.cs" />