Forget old token when a refresh token is used

2015-09-30 16:46:33 +02:00 · 2015-09-30 16:46:33 +02:00 · f4dfa7303f
commit f4dfa7303f
parent 8d672cc1ba
2 changed files with 13 additions and 3 deletions
--- a/oidc_provider/lib/endpoints/token.py
+++ b/oidc_provider/lib/endpoints/token.py
@ -163,9 +163,8 @@ class TokenEndpoint(object):
        # Store the token.
        token.save()

-        # We don't need to store the code anymore.
-        self.token.refresh_token = None
-        self.token.save()
+        # Forget the old token.
+        self.token.delete()

        dic = {
            'access_token': token.access_token,
--- a/oidc_provider/tests/test_token_endpoint.py
+++ b/oidc_provider/tests/test_token_endpoint.py
@ -100,6 +100,13 @@ class TokenTestCase(TestCase):
        SIGKEYS.load_dict(jwks_dic)
        return SIGKEYS

+    def _get_userinfo(self, access_token):
+        url = reverse('oidc_provider:userinfo')
+        request = self.factory.get(url)
+        request.META['HTTP_AUTHORIZATION'] = 'Bearer ' + access_token
+
+        return userinfo(request)
+
    @override_settings(OIDC_TOKEN_EXPIRE=720)
    def test_authorization_code(self):
        """
@ -170,6 +177,10 @@ class TokenTestCase(TestCase):
        response = self._post_request(post_data)
        self.assertIn('invalid_grant', response.content.decode('utf-8'))

+        # Old access token is invalidated
+        self.assertEqual(self._get_userinfo(response_dic1['access_token']).status_code, 401)
+        self.assertEqual(self._get_userinfo(response_dic2['access_token']).status_code, 200)
+
        # Empty refresh token is invalid
        post_data = self._refresh_token_post_data('')
        response = self._post_request(post_data)