clearing out refresh tokens is now configurable, closes #409

2015-06-25 12:07:38 -04:00 · 2015-06-25 12:07:38 -04:00 · 2f4d9ce54b
parent 8359ac2813
commit 2f4d9ce54b
6 changed files with 30 additions and 4 deletions
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java
@ -140,6 +140,7 @@ public class ClientDetailsEntity implements ClientDetails {
 	private boolean allowIntrospection = false; // do we let this client call the introspection endpoint?
 	private Integer idTokenValiditySeconds; //timeout for id tokens
 	private Date createdAt; // time the client was created
+	private boolean clearAccessTokensOnRefresh = true; // do we clear access tokens on refresh?

 	public enum AuthMethod {
 		SECRET_POST("client_secret_post"),
@ -947,5 +948,21 @@ public class ClientDetailsEntity implements ClientDetails {
 	public boolean isAutoApprove(String scope) {
 		return false;
 	}
+
+	/**
+	 * @return the clearAccessTokensOnRefresh
+	 */
+	@Basic
+	@Column(name = "clear_access_tokens_on_refresh")
+	public boolean isClearAccessTokensOnRefresh() {
+		return clearAccessTokensOnRefresh;
+	}
+
+	/**
+	 * @param clearAccessTokensOnRefresh the clearAccessTokensOnRefresh to set
+	 */
+	public void setClearAccessTokensOnRefresh(boolean clearAccessTokensOnRefresh) {
+		this.clearAccessTokensOnRefresh = clearAccessTokensOnRefresh;
+	}
 	
 }
--- a/openid-connect-server-webapp/src/main/resources/db/tables/hsql_database_tables.sql
+++ b/openid-connect-server-webapp/src/main/resources/db/tables/hsql_database_tables.sql
@ -167,7 +167,8 @@ CREATE TABLE IF NOT EXISTS client_details (
 	require_auth_time BOOLEAN,
 	created_at TIMESTAMP,
 	initiate_login_uri VARCHAR(2048),
-	post_logout_redirect_uri VARCHAR(2048),
+	clear_access_tokens_on_refresh BOOLEAN DEFAULT true NOT NULL,
+	
 	UNIQUE (client_id)
 );

--- a/openid-connect-server-webapp/src/main/webapp/resources/js/client.js
+++ b/openid-connect-server-webapp/src/main/webapp/resources/js/client.js
@ -85,10 +85,11 @@ var ClientModel = Backbone.Model.extend({
        
        clientDescription:"",
        reuseRefreshToken:true,
+        clearAccessTokensOnRefresh:true,
        dynamicallyRegistered:false,
        allowIntrospection:false,
        idTokenValiditySeconds: null,
-        createdAt:null,     
+        createdAt:null,

        allowRefresh:false,
        displayClientSecret: false,
@ -966,6 +967,7 @@ var ClientFormView = Backbone.View.extend({
            initiateLoginUri: $('#initiateLoginUri input').val(),
            postLogoutRedirectUris: this.postLogoutRedirectUrisCollection.pluck('item'),
            reuseRefreshToken: $('#reuseRefreshToken').is(':checked'),
+            clearAccessTokensOnRefresh: $('#clearAccessTokensOnRefresh').is(':checked'),
            requireAuthTime: $('#requireAuthTime input').is(':checked'),
            defaultMaxAge: parseInt($('#defaultMaxAge input').val()),
            contacts: this.contactsCollection.pluck('item'),
--- a/openid-connect-server-webapp/src/main/webapp/resources/js/locale/en/messages.json
+++ b/openid-connect-server-webapp/src/main/webapp/resources/js/locale/en/messages.json
@ -108,6 +108,7 @@
            "refresh-tokens-issued": "Refresh tokens are issued for this client",
 			"refresh-tokens-issued-help": "This will add the offline_access scope to the client's scopes.",
            "refresh-tokens-reused": "Refresh tokens for this client are re-used",
+            "clear-access-tokens": "Active access tokens are automatically revoked when the refresh token is used",
            "refresh-tokens-no-expire": "Refresh tokens do not time out",
            "registered": "Registered at",
            "registration-token": "Registration Token:",
--- a/openid-connect-server-webapp/src/main/webapp/resources/template/client.html
+++ b/openid-connect-server-webapp/src/main/webapp/resources/template/client.html
@ -570,6 +570,10 @@
                        <label for="reuseRefreshToken" class="checkbox" data-i18n="client.client-form.refresh-tokens-reused">Refresh tokens for this client are re-used</label>
 					</div>
 					<div>
+                        <input type="checkbox" id="clearAccessTokensOnRefresh" <%-(clearAccessTokensOnRefresh == true ? 'checked' : '')%>>
+                        <label for="clearAccessTokensOnRefresh" class="checkbox" data-i18n="client.client-form.clear-access-tokens">Active access tokens are revoked when the refresh token is used</label>
+					</div>
+					<div>
                        <input type="checkbox" id="disableRefreshTokenTimeout" <%-(refreshTokenValiditySeconds == null ? 'checked' : '')%>/> 
                        <label for="disableRefreshTokenTimeout" class="checkbox" data-i18n="client.client-form.refresh-tokens-no-expire">Refresh tokens do not time out</label>
 					</div>
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
@ -261,8 +261,9 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 		}

 		// clear out any access tokens
-		// TODO: make this a configurable option
-		tokenRepository.clearAccessTokensForRefreshToken(refreshToken);
+		if (client.isClearAccessTokensOnRefresh()) {
+			tokenRepository.clearAccessTokensForRefreshToken(refreshToken);
+		}

 		if (refreshToken.isExpired()) {
 			tokenRepository.removeRefreshToken(refreshToken);