added DELETE to token api because revocation endpoint doesn't work for this kind of management, closes #191

pull/576/head
Justin Richer 2014-02-28 22:19:47 +00:00
parent 89f015cf1c
commit 15b017992c
1 changed files with 45 additions and 1 deletions


@ -34,7 +34,7 @@ import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
/**
* REST-ish API for managing access tokens (GET/read only)
* REST-ish API for managing access tokens (GET/DELETE only)
* @author Amanda Anganes
*
*/
@ -77,6 +77,28 @@ public class TokenAPI {
}
}
@RequestMapping(value = "/access/{id}", method = RequestMethod.DELETE, produces = "application/json")
public String deleteAccessTokenById(@PathVariable("id") Long id, ModelMap m, Principal p) {
OAuth2AccessTokenEntity token = tokenService.getAccessTokenById(id);
if (token == null) {
logger.error("getToken failed; token not found: " + id);
m.put("code", HttpStatus.NOT_FOUND);
m.put("errorMessage", "The requested token with id " + id + " could not be found.");
return "jsonErrorView";
} else if (!token.getAuthenticationHolder().getAuthentication().getName().equals(p.getName())) {
logger.error("getToken failed; token does not belong to principal " + p.getName());
m.put("code", HttpStatus.FORBIDDEN);
m.put("errorMessage", "You do not have permission to view this token");
return "jsonErrorView";
} else {
tokenService.revokeAccessToken(token);
return "httpCodeView";
}
}
@RequestMapping(value = "/refresh", method = RequestMethod.GET, produces = "application/json")
public String getAllRefreshTokens(ModelMap m, Principal p) {
@ -108,4 +130,26 @@ public class TokenAPI {
}
}
@RequestMapping(value = "/refresh/{id}", method = RequestMethod.DELETE, produces = "application/json")
public String deleteRefreshTokenById(@PathVariable("id") Long id, ModelMap m, Principal p) {
OAuth2RefreshTokenEntity token = tokenService.getRefreshTokenById(id);
if (token == null) {
logger.error("refresh token not found: " + id);
m.put("code", HttpStatus.NOT_FOUND);
m.put("errorMessage", "The requested token with id " + id + " could not be found.");
return "jsonErrorView";
} else if (!token.getAuthenticationHolder().getAuthentication().getName().equals(p.getName())) {
logger.error("refresh token " + id + " does not belong to principal " + p.getName());
m.put("code", HttpStatus.FORBIDDEN);
m.put("errorMessage", "You do not have permission to view this token");
return "jsonErrorView";
} else {
tokenService.revokeRefreshToken(token);
return "httpCodeView";
}
}
}
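Review bot: Both new DELETE handlers keep the GET handler's wording on their failure paths — deleteAccessTokenById logs `"getToken failed; token not found: " + id` and `"getToken failed; token does not belong to principal "`, and both it and deleteRefreshTokenById return the message `"You do not have permission to view this token"` on FORBIDDEN — so a rejected revocation is logged and reported as a failed read; change them to `"deleteAccessToken failed; token not found: " + id` / `"You do not have permission to revoke this token"` and the refresh-token equivalents. The separate NOT_FOUND and FORBIDDEN answers also tell any authenticated caller whether a given id exists even when the token is not theirs, and since ids are sequential `Long`s that is an existence oracle for other users' tokens; for the DELETE handlers consider answering NOT_FOUND in both cases and keeping the ownership detail in the log only. The success branch returns `"httpCodeView"` without putting a `code` into the model, so if that view does not default to 200 OK the caller gets an unspecified status — set `m.put("code", HttpStatus.OK);` explicitly before returning. The ownership check compares `getAuthenticationHolder().getAuthentication().getName()` with `p.getName()`; for tokens issued without a user principal that name presumably resolves to a client identifier rather than a user, which is worth confirming against the intended management semantics.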