0
votes

We are using IdentityServer4 to protect our APIs with EntityFrameworkCore to store configuration and operational data. Here is our client data:

using System.Collections.Generic;
using IdentityServer4.Models;

public class Config
{
    public static IEnumerable<Client> GetClients()
    {
        return new List<Client>
        {
            new Client
            {
                ClientId = "client",

                // client credentials for machine-to-machine calls, hybrid for interactive logins
                AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,

                // secret for authentication (stored as its SHA-256 hash)
                ClientSecrets =
                {
                    new Secret("secret".Sha256())
                },

                // scopes that this client has access to
                AllowedScopes = { "api1" },

                // allow the client to request refresh tokens (offline_access)
                AllowOfflineAccess = true
            },
            new Client
            {
                ClientId = "client2",

                // client credentials for machine-to-machine calls, hybrid for interactive logins
                AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,

                // secret for authentication (stored as its SHA-256 hash)
                ClientSecrets =
                {
                    new Secret("secret".Sha256())
                },

                // scopes that this client has access to
                AllowedScopes = { "sup_api" },

                // allow the client to request refresh tokens (offline_access)
                AllowOfflineAccess = true
            }
        };
    }
}

We posted a request to the connect/token endpoint with the following data in "x-www-form-urlencoded" format:

client_id:client2
client_secret:secret
grant_type:client_credentials
scope:sup_api

and we got the following response:

{
    "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjM2ZWE2MGZlNGY2NDZkYjIxZjI0Y2ExNjEzZTBmMTgyIiwidHlwIjoiSldUIn0.eyJuYmYiOjE1MTk4OTM1MTYsImV4cCI6MTUxOTg5MzU2NiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo1MDAwIiwiYXVkIjpbImh0dHA6Ly9sb2NhbGhvc3Q6NTAwMC9yZXNvdXJjZXMiLCJzdXBfYXBpIl0sImNsaWVudF9pZCI6ImNsaWVudDIiLCJzY29wZSI6WyJzdXBfYXBpIl19.cOznF6F6AL8onLZvvJaSX137P19k6doNa2BoJJTs6WY1LL47UOWoPhR7xIffQVSKyxGp4r-Z02kZrABjjyXzcdTaCR4538Pexep2sjlPobmKI0rfjR2apBSaMBVFXqDW-3VLTnMPyqicIBYjll5iS8YFGpUh0jZwq4rzNvYR4OooHssijQtkhpWxGzuokjKj8ZK1conySqEqorlaFJevY2x4jNlP3v0wpJ_6p77H4Lh12XENw4laGlrejtOkilnRaT7V8CclRGNsgPc81NLJhQZEp89cl37iQ1vLH74hCSs4MllO_eAZ_3Rmdan6QWUM1_zbcCEjGbXJM0QQ2qCpHw",
    "expires_in": 3600,
    "token_type": "Bearer"
}

But now, how can we test refresh tokens?

1 Answer

0
votes

One way to do this is to check if the user still has access after the access token expiration time.

E.g.

At a high level this is what it would look like:

  • Set access token lifetime to 1 minute
  • Run access test against API at the 6 minute mark (there is an inbuilt delay before it actually expires the token)
  • You should assert that 401 will return, if it does then pass
  • Activate offline token
  • Run access test after 6 minute mark
  • Assert that you get a non-401 response, if so then pass

It more testing of
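As an added example (not code from the question or the answer), a small Python harness that carries out the answer's steps offline: it first checks that the token response carries a refresh_token at all (the client_credentials response shown in the question has none), takes the expiry from the token's own exp claim, and then asserts the 401-then-success sequence. call_api, refresh and now are assumed callables the reader supplies; the tokens it builds are constructed and unsigned.

```python
import base64
import json


def decode_jwt_payload(token: str) -> dict:
    """Read the claims of a compact JWT without checking its signature.

    Inspection inside a test only: an API must never grant access on this.
    """
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("expected header.payload.signature")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def make_unsigned_test_token(claims: dict) -> str:
    """Constructed, unsigned JWT-shaped token for offline tests (assumption)."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}.no-signature"


def has_refresh_token(token_response: dict) -> bool:
    """The client_credentials response in the question has no refresh_token."""
    return bool(token_response.get("refresh_token"))


def run_refresh_test(token_response, call_api, refresh, now):
    """The answer's steps as one routine; returns [(step, passed), ...].

    call_api(access_token) -> HTTP status code of a protected API call
    refresh(refresh_token) -> new token response dict
    now() -> current Unix time (injected so the test can skip real waiting)
    """
    results = []
    if not has_refresh_token(token_response):
        return [("refresh_token present in response", False)]
    access = token_response["access_token"]
    exp = decode_jwt_payload(access)["exp"]  # trust exp, not expires_in
    # Step 1: past exp the API must reject the old token with 401.
    rejected = now() > exp and call_api(access) == 401
    results.append(("expired access token gets 401", rejected))
    # Step 2: a refreshed token must be accepted by the same API.
    renewed = refresh(token_response["refresh_token"])
    accepted = call_api(renewed["access_token"]) != 401
    results.append(("refreshed access token accepted", accepted))
    return results
```

Applied to the access_token in the question, decode_jwt_payload shows the claims nbf 1519893516 and exp 1519893566, which is why the harness reads the expiry from exp rather than from expires_in.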