add refresh token support

brockallen · brockallen · commit 14ed10882995 · 2018-12-13T11:26:18.000-05:00
diff --git a/samples/VanillaJS/public/code-identityserver-sample.html b/samples/VanillaJS/public/code-identityserver-sample.html
@@ -22,7 +22,7 @@
         </div>
         <div>
             <button id='popupSignin'>signin with popup</button>
-            <button id='iframeSignin'>signin with iframe</button>
+            <button id='iframeSignin'>signin silent/renew access token</button>
         </div>
         <div>
             <button id='startSignoutMainWindow'>start signout main window</button>
diff --git a/samples/VanillaJS/public/code-identityserver-sample.js b/samples/VanillaJS/public/code-identityserver-sample.js
@@ -36,7 +36,7 @@ var settings = {
     post_logout_redirect_uri: url + '/code-identityserver-sample.html',
     response_type: 'code',
     //response_mode: 'fragment',
-    scope: 'openid profile',
+    scope: 'openid profile api offline_access',
     
     popup_redirect_uri: url + '/code-identityserver-sample-popup-signin.html',
     popup_post_logout_redirect_uri: url + '/code-identityserver-sample-popup-signout.html',
@@ -46,7 +46,8 @@ var settings = {
     //silentRequestTimeout:10000,
 
     filterProtocolClaims: true,
-    loadUserInfo: true
+    loadUserInfo: true,
+    revokeAccessTokenOnSignout : true
 };
 var mgr = new Oidc.UserManager(settings);
 
diff --git a/src/TokenClient.js b/src/TokenClient.js
@@ -19,6 +19,8 @@ export class TokenClient {
 
     exchangeCode(args = {}) {
         args.grant_type = args.grant_type || "authorization_code";
+        args.client_id = args.client_id || this._settings.client_id;
+        args.redirect_uri = args.redirect_uri || this._settings.redirect_uri;
 
         if (!args.code) {
             Log.error("TokenClient.exchangeCode: No code passed");
@@ -41,7 +43,30 @@ export class TokenClient {
             Log.debug("TokenClient.exchangeCode: Received token endpoint");
 
             return this._jsonService.postForm(url, args).then(response => {
-                Log.debug("TokenClient.exchangeCode: response received", response);
+                Log.debug("TokenClient.exchangeCode: response received");
+                return response;
+            });
+        });
+    }
+
+    exchangeRefreshToken(args = {}) {
+        args.grant_type = args.grant_type || "refresh_token";
+        args.client_id = args.client_id || this._settings.client_id;
+
+        if (!args.refresh_token) {
+            Log.error("TokenClient.exchangeRefreshToken: No refresh_token passed");
+            return Promise.reject(new Error("A refresh_token is required"));
+        }
+        if (!args.client_id) {
+            Log.error("TokenClient.exchangeRefreshToken: No client_id passed");
+            return Promise.reject(new Error("A client_id is required"));
+        }
+
+        return this._metadataService.getTokenEndpoint(false).then(url => {
+            Log.debug("TokenClient.exchangeRefreshToken: Received token endpoint");
+
+            return this._jsonService.postForm(url, args).then(response => {
+                Log.debug("TokenClient.exchangeRefreshToken: response received");
                 return response;
             });
         });
diff --git a/src/TokenRevocationClient.js b/src/TokenRevocationClient.js
@@ -6,6 +6,7 @@ import { MetadataService } from './MetadataService';
 import { Global } from './Global';
 
 const AccessTokenTypeHint = "access_token";
+const RefreshTokenTypeHint = "refresh_token";
 
 export class TokenRevocationClient {
     constructor(settings, XMLHttpRequestCtor = Global.XMLHttpRequest, MetadataServiceCtor = MetadataService) {
@@ -19,10 +20,15 @@ export class TokenRevocationClient {
         this._metadataService = new MetadataServiceCtor(this._settings);
     }
 
-    revoke(accessToken, required) {
-        if (!accessToken) {
-            Log.error("TokenRevocationClient.revoke: No accessToken provided");
-            throw new Error("No accessToken provided.");
+    revoke(token, required, type = "access_token") {
+        if (!token) {
+            Log.error("TokenRevocationClient.revoke: No token provided");
+            throw new Error("No token provided.");
+        }
+
+        if (type !== AccessTokenTypeHint && type != RefreshTokenTypeHint) {
+            Log.error("TokenRevocationClient.revoke: Invalid token type");
+            throw new Error("Invalid token type.");
         }
 
         return this._metadataService.getRevocationEndpoint().then(url => {
@@ -36,14 +42,14 @@ export class TokenRevocationClient {
                 return;
             }
 
-            Log.error("TokenRevocationClient.revoke: Revoking access token");
+            Log.debug("TokenRevocationClient.revoke: Revoking " + type);
             var client_id = this._settings.client_id;
             var client_secret = this._settings.client_secret;
-            return this._revoke(url, client_id, client_secret, accessToken);
+            return this._revoke(url, client_id, client_secret, token, type);
         });
     }
 
-    _revoke(url, client_id, client_secret, accessToken) {
+    _revoke(url, client_id, client_secret, token, type) {
 
         return new Promise((resolve, reject) => {
 
@@ -69,8 +75,8 @@ export class TokenRevocationClient {
             if (client_secret) {
                 body += "&client_secret=" + encodeURIComponent(client_secret);
             }
-            body += "&token_type_hint=" + encodeURIComponent(AccessTokenTypeHint);
-            body += "&token=" + encodeURIComponent(accessToken);
+            body += "&token_type_hint=" + encodeURIComponent(type);
+            body += "&token=" + encodeURIComponent(token);
 
             xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
             xhr.send(body);
diff --git a/src/User.js b/src/User.js
@@ -4,10 +4,11 @@
 import { Log } from './Log';
 
 export class User {
-    constructor({id_token, session_state, access_token, token_type, scope, profile, expires_at, state}) {
+    constructor({id_token, session_state, access_token, refresh_token, token_type, scope, profile, expires_at, state}) {
         this.id_token = id_token;
         this.session_state = session_state;
         this.access_token = access_token;
+        this.refresh_token = refresh_token;
         this.token_type = token_type;
         this.scope = scope;
         this.profile = profile;
@@ -22,6 +23,13 @@ export class User {
         }
         return undefined;
     }
+    set expires_in(value) {
+        let expires_in = parseInt(value);
+        if (typeof expires_in === 'number' && expires_in > 0) {
+            let now = parseInt(Date.now() / 1000);
+            this.expires_at = now + expires_in;
+        }
+    }
 
     get expired() {
         let expires_in = this.expires_in;
@@ -41,6 +49,7 @@ export class User {
             id_token: this.id_token,
             session_state: this.session_state,
             access_token: this.access_token,
+            refresh_token: this.refresh_token,
             token_type: this.token_type,
             scope: this.scope,
             profile: this.profile,
diff --git a/src/UserManager.js b/src/UserManager.js
@@ -9,12 +9,14 @@ import { UserManagerEvents } from './UserManagerEvents';
 import { SilentRenewService } from './SilentRenewService';
 import { SessionMonitor } from './SessionMonitor';
 import { TokenRevocationClient } from './TokenRevocationClient';
+import { TokenClient } from './TokenClient';
 
 export class UserManager extends OidcClient {
     constructor(settings = {},
         SilentRenewServiceCtor = SilentRenewService,
         SessionMonitorCtor = SessionMonitor,
-        TokenRevocationClientCtor = TokenRevocationClient
+        TokenRevocationClientCtor = TokenRevocationClient,
+        TokenClientCtor = TokenClient
     ) {
 
         if (!(settings instanceof UserManagerSettings)) {
@@ -37,6 +39,7 @@ export class UserManager extends OidcClient {
         }
 
         this._tokenRevocationClient = new TokenRevocationClientCtor(this._settings);
+        this._tokenClient = new TokenClientCtor(this._settings);
     }
 
     get _redirectNavigator() {
@@ -144,6 +147,51 @@ export class UserManager extends OidcClient {
     }
 
     signinSilent(args = {}) {
+        // first determine if we have a refresh token, or need to use iframe
+        return this._loadUser().then(user => {
+            if (user && user.refresh_token) {
+                args.refresh_token = user.refresh_token;
+                return this._useRefreshToken(args);
+            }
+            else {
+                args.id_token_hint = args.id_token_hint || (this.settings.includeIdTokenInSilentRenew && user.id_token);
+                return this._signinSilentIframe(args);
+            }
+        });
+    }
+
+    _useRefreshToken(args = {}) {
+        return this._tokenClient.exchangeRefreshToken(args).then(result => {
+            if (!result) {
+                Log.error("UserManager._useRefreshToken: No response returned from token endpoint");
+                return Promise.reject("No response returned from token endpoint");
+            }
+            if (!result.access_token) {
+                Log.error("UserManager._useRefreshToken: No access token returned from token endpoint");
+                return Promise.reject("No access token returned from token endpoint");
+            }
+
+            Log.debug("UserManager._useRefreshToken: refresh token response success");
+
+            return this._loadUser().then(user => {
+                if (user) {
+                    user.access_token = result.access_token;
+                    user.refresh_token = result.refresh_token || user.refresh_token;
+                    user.expires_in = result.expires_in;
+
+                    return this.storeUser(user).then(()=>{
+                        this._events.load(user);
+                        return user;
+                    });
+                }
+                else {
+                    return null;
+                }
+            });
+        });;
+    }
+    
+    _signinSilentIframe(args = {}) {
         let url = args.redirect_uri || this.settings.silent_redirect_uri;
         if (!url) {
             Log.error("UserManager.signinSilent: No silent_redirect_uri configured");
@@ -153,21 +201,9 @@ export class UserManager extends OidcClient {
         args.redirect_uri = url;
         args.prompt = args.prompt || "none";
 
-        let setIdToken;
-        if (args.id_token_hint || !this.settings.includeIdTokenInSilentRenew) {
-            setIdToken = Promise.resolve();
-        }
-        else {
-            setIdToken = this._loadUser().then(user => {
-                args.id_token_hint = user && user.id_token;
-            });
-        }
-
-        return setIdToken.then(() => {
-            return this._signin(args, this._iframeNavigator, {
-                startUrl: url,
-                silentRequestTimeout: args.silentRequestTimeout || this.settings.silentRequestTimeout
-            });
+        return this._signin(args, this._iframeNavigator, {
+            startUrl: url,
+            silentRequestTimeout: args.silentRequestTimeout || this.settings.silentRequestTimeout
         }).then(user => {
             if (user) {
                 if (user.profile && user.profile.sub) {
@@ -181,6 +217,7 @@ export class UserManager extends OidcClient {
             return user;
         });
     }
+
     signinSilentCallback(url) {
         return this._signinCallback(url, this._iframeNavigator).then(user => {
             if (user) {
@@ -384,6 +421,7 @@ export class UserManager extends OidcClient {
                     Log.debug("UserManager.revokeAccessToken: removing token properties from user and re-storing");
 
                     user.access_token = null;
+                    user.refresh_token = null;
                     user.expires_at = null;
                     user.token_type = null;
 
@@ -399,17 +437,43 @@ export class UserManager extends OidcClient {
     }
 
     _revokeInternal(user, required) {
-        var access_token = user && user.access_token;
+        if (user) {
+            var access_token = user.access_token;
+            var refresh_token = user.refresh_token;
+
+            return this._revokeAccessTokenInternal(access_token, require)
+                .then(atSuccess => {
+                    return this._revokeRefreshTokenInternal(refresh_token, required)
+                        .then(rtSuccess => {
+                            if (!atSuccess && !rtSuccess) {
+                                Log.debug("UserManager.revokeAccessToken: no need to revoke due to no token(s), or JWT format");
+                            }
+                            
+                            return atSuccess || rtSuccess;
+                        });
+                });
+        }
+
+        return Promise.resolve(false);
+    }
 
+    _revokeAccessTokenInternal(access_token, required) {
         // check for JWT vs. reference token
         if (!access_token || access_token.indexOf('.') >= 0) {
-            Log.debug("UserManager.revokeAccessToken: no need to revoke due to no user, token, or JWT format");
             return Promise.resolve(false);
         }
 
         return this._tokenRevocationClient.revoke(access_token, required).then(() => true);
     }
 
+    _revokeRefreshTokenInternal(refresh_token, required) {
+        if (!refresh_token) {
+            return Promise.resolve(false);
+        }
+
+        return this._tokenRevocationClient.revoke(refresh_token, required, "refresh_token").then(() => true);
+    }
+
     startSilentRenew() {
         this._silentRenewService.start();
     }
diff --git a/test/unit/UserManager.spec.js b/test/unit/UserManager.spec.js
@@ -33,7 +33,7 @@ describe("UserManager", function () {
         Global._testing();
 
         Log.logger = console;
-        Log.level = Log.NONE;
+        Log.level = Log.DEBUG;
 
         stubNavigator = {};
         stubUserStore = new StubStateStore();
@@ -95,7 +95,9 @@ describe("UserManager", function () {
 
     describe("signinSilent", function(){
 
-        it("should pass silentRequestTimeout from settings", function(done){
+        it("should pass silentRequestTimeout from settings", function(done) {
+
+            stubUserStore.item = new User({id_token:"id_token"}).toStorageString();
 
             settings.silentRequestTimeout = 123;
             settings.silent_redirect_uri = "http://client/silent_callback";
@@ -112,6 +114,8 @@ describe("UserManager", function () {
 
         it("should pass silentRequestTimeout from params", function(done){
 
+            stubUserStore.item = new User({id_token:"id_token"}).toStorageString();
+
             settings.silent_redirect_uri = "http://client/silent_callback";
             subject = new UserManager(settings);
 
@@ -124,6 +128,8 @@ describe("UserManager", function () {
 
         it("should pass prompt from params", function(done){
 
+            stubUserStore.item = new User({id_token:"id_token"}).toStorageString();
+
             settings.silent_redirect_uri = "http://client/silent_callback";
             subject = new UserManager(settings);
 
