From 2f4d9ce54b4daf6eb0a49c2481b38484dcc824a3 Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Thu, 25 Jun 2015 12:07:38 -0400
Subject: [PATCH] clearing out refresh tokens is now configurable, closes #409
---
 .../mitre/oauth2/model/ClientDetailsEntity.java | 17 +++++++++++++++++
 .../db/tables/hsql_database_tables.sql | 3 ++-
 .../src/main/webapp/resources/js/client.js | 4 +++-
 .../webapp/resources/js/locale/en/messages.json | 1 +
 .../main/webapp/resources/template/client.html | 4 ++++
 .../impl/DefaultOAuth2ProviderTokenService.java | 5 +++--
 6 files changed, 30 insertions(+), 4 deletions(-)
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java b/openid-connect-common/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java
index 144d3c24c..e5634086e 100644
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java
@@ -140,6 +140,7 @@ public class ClientDetailsEntity implements ClientDetails {
 private boolean allowIntrospection = false; // do we let this client call the introspection endpoint?
 private Integer idTokenValiditySeconds; //timeout for id tokens
 private Date createdAt; // time the client was created
+ private boolean clearAccessTokensOnRefresh = true; // do we clear access tokens on refresh?
 public enum AuthMethod {
 SECRET_POST("client_secret_post"),
@@ -947,5 +948,21 @@ public class ClientDetailsEntity implements ClientDetails {
 public boolean isAutoApprove(String scope) {
 return false;
 }
+
+ /**
+ * @return the clearAccessTokensOnRefresh
+ */
+ @Basic
+ @Column(name = "clear_access_tokens_on_refresh")
+ public boolean isClearAccessTokensOnRefresh() {
+ return clearAccessTokensOnRefresh;
+ }
+
+ /**
+ * @param clearAccessTokensOnRefresh the clearAccessTokensOnRefresh to set
+ */
+ public void setClearAccessTokensOnRefresh(boolean clearAccessTokensOnRefresh) {
+ this.clearAccessTokensOnRefresh = clearAccessTokensOnRefresh;
+ }
 }
diff --git a/openid-connect-server-webapp/src/main/resources/db/tables/hsql_database_tables.sql b/openid-connect-server-webapp/src/main/resources/db/tables/hsql_database_tables.sql
index 2e4d68e10..ff91c3990 100644
--- a/openid-connect-server-webapp/src/main/resources/db/tables/hsql_database_tables.sql
+++ b/openid-connect-server-webapp/src/main/resources/db/tables/hsql_database_tables.sql
@@ -167,7 +167,8 @@ CREATE TABLE IF NOT EXISTS client_details (
 require_auth_time BOOLEAN,
 created_at TIMESTAMP,
 initiate_login_uri VARCHAR(2048),
- post_logout_redirect_uri VARCHAR(2048),
+ clear_access_tokens_on_refresh BOOLEAN DEFAULT true NOT NULL,
+ UNIQUE (client_id)
 );
diff --git a/openid-connect-server-webapp/src/main/webapp/resources/js/client.js b/openid-connect-server-webapp/src/main/webapp/resources/js/client.js
index ed9b0d601..a892d5207 100644
--- a/openid-connect-server-webapp/src/main/webapp/resources/js/client.js
+++ b/openid-connect-server-webapp/src/main/webapp/resources/js/client.js
@@ -85,10 +85,11 @@ var ClientModel = Backbone.Model.extend({
 clientDescription:"",
 reuseRefreshToken:true,
+ clearAccessTokensOnRefresh:true,
 dynamicallyRegistered:false,
 allowIntrospection:false,
 idTokenValiditySeconds: null,
- createdAt:null,
+ createdAt:null,
 allowRefresh:false,
 displayClientSecret: false,
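Review bot: The Javadoc on `isClearAccessTokensOnRefresh()` and `setClearAccessTokensOnRefresh(...)` only echoes the property name, and since this flag relaxes a revocation step the reader needs to know what it controls. Suggested getter Javadoc: `Whether the access tokens tied to a refresh token are revoked when that refresh token is used; defaults to true, which preserves the previous unconditional clearing.` The field itself is declared in the earlier hunk of this file with the same terse inline comment, so the meaning should be spelled out at least once. If this property is ever exposed through client self-registration rather than only the admin UI touched in client.js, a client could opt itself out of revocation, which is worth confirming against the registration mapping.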
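Review bot: Alongside the new column, this hunk also drops `post_logout_redirect_uri VARCHAR(2048)` from `client_details`, which the commit subject does not mention; if that column is dead the removal belongs in its own change, and if anything still maps it, a fresh HSQL database will fail on that mapping. The diffstat lists only `hsql_database_tables.sql`, so if the project ships schemas for other database dialects they would lack `clear_access_tokens_on_refresh` and the `@Column` mapping added in `ClientDetailsEntity` would fail there. `DEFAULT true NOT NULL` keeps existing rows on the conservative behaviour for new installs, but no `ALTER TABLE` migration for already-deployed databases is included.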
@@ -966,6 +967,7 @@ var ClientFormView = Backbone.View.extend({
 initiateLoginUri: $('#initiateLoginUri input').val(),
 postLogoutRedirectUris: this.postLogoutRedirectUrisCollection.pluck('item'),
 reuseRefreshToken: $('#reuseRefreshToken').is(':checked'),
+ clearAccessTokensOnRefresh: $('#clearAccessTokensOnRefresh').is(':checked'),
 requireAuthTime: $('#requireAuthTime input').is(':checked'),
 defaultMaxAge: parseInt($('#defaultMaxAge input').val()),
 contacts: this.contactsCollection.pluck('item'),
diff --git a/openid-connect-server-webapp/src/main/webapp/resources/js/locale/en/messages.json b/openid-connect-server-webapp/src/main/webapp/resources/js/locale/en/messages.json
index 98d51067e..90823c198 100644
--- a/openid-connect-server-webapp/src/main/webapp/resources/js/locale/en/messages.json
+++ b/openid-connect-server-webapp/src/main/webapp/resources/js/locale/en/messages.json
@@ -108,6 +108,7 @@
 "refresh-tokens-issued": "Refresh tokens are issued for this client",
 "refresh-tokens-issued-help": "This will add the offline_access scope to the client's scopes.",
 "refresh-tokens-reused": "Refresh tokens for this client are re-used",
+ "clear-access-tokens": "Active access tokens are automatically revoked when the refresh token is used",
 "refresh-tokens-no-expire": "Refresh tokens do not time out",
 "registered": "Registered at",
 "registration-token": "Registration Token:",
diff --git a/openid-connect-server-webapp/src/main/webapp/resources/template/client.html b/openid-connect-server-webapp/src/main/webapp/resources/template/client.html
index 2f3386ed4..6a61f38c4 100644
--- a/openid-connect-server-webapp/src/main/webapp/resources/template/client.html
+++ b/openid-connect-server-webapp/src/main/webapp/resources/template/client.html
@@ -570,6 +570,10 @@
+ > + +
+
/>
diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
index c77e24a70..d93420717 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
@@ -261,8 +261,9 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 }
 // clear out any access tokens
- // TODO: make this a configurable option
- tokenRepository.clearAccessTokensForRefreshToken(refreshToken);
+ if (client.isClearAccessTokensOnRefresh()) {
+ tokenRepository.clearAccessTokensForRefreshToken(refreshToken);
+ }
 if (refreshToken.isExpired()) {
 tokenRepository.removeRefreshToken(refreshToken);
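Review bot: The comment `// clear out any access tokens` kept above the new conditional no longer describes it; suggest `// revoke the access tokens tied to this refresh token unless the client opted out of clearing them on refresh`. With `isClearAccessTokensOnRefresh()` false, access tokens issued before the refresh stay valid until their own expiry, so a refresh no longer acts as an implicit revocation point and the client's access-token lifetime becomes the only bound on them. Note also that the commit subject says refresh tokens, while what becomes configurable here is clearing access tokens. `client` is resolved before the hunk and the enclosing method starts and ends outside it, so whether it can be null at this point cannot be judged from the hunk.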