Dyn-reg endpoint now creates the registration access token from scratch instead of calling token services; token services no longer needs to check for RAT scope to avoid expiring RATs

lientDynamicRegistrationEndpoint.java

openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java

@@ -134,12 +134,10 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 			Set<String> scopes = Sets.newHashSet(clientAuth.getScope());
 			token.setScope(scopes);
 
-			// make it expire if necessary - exclude Registration Tokens as these should always be long-lived
+			// make it expire if necessary 
-			if (!scopes.contains(OAuth2AccessTokenEntity.REGISTRATION_TOKEN_SCOPE)) {
+			if (client.getAccessTokenValiditySeconds() != null && client.getAccessTokenValiditySeconds() > 0) {
-				if (client.getAccessTokenValiditySeconds() != null && client.getAccessTokenValiditySeconds() > 0) {
+				Date expiration = new Date(System.currentTimeMillis() + (client.getAccessTokenValiditySeconds() * 1000L));
-					Date expiration = new Date(System.currentTimeMillis() + (client.getAccessTokenValiditySeconds() * 1000L));
+				token.setExpiration(expiration);
-					token.setExpiration(expiration);
-				}
 			}
 
 			// attach the authorization so that we can look it up later

openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientDynamicRegistrationEndpoint.java

@@ -15,14 +15,20 @@
  ******************************************************************************/
 package org.mitre.openid.connect.web;
 
+import java.util.Date;
+import java.util.Map;
 import java.util.Set;
+import java.util.UUID;
 import java.util.concurrent.TimeUnit;
 
+import org.mitre.jwt.signer.service.JwtSigningAndValidationService;
+import org.mitre.oauth2.model.AuthenticationHolderEntity;
 import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod;
 import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
 import org.mitre.oauth2.model.RegisteredClient;
 import org.mitre.oauth2.model.SystemScope;
+import org.mitre.oauth2.repository.AuthenticationHolderRepository;
 import org.mitre.oauth2.service.ClientDetailsEntityService;
 import org.mitre.oauth2.service.OAuth2TokenEntityService;
 import org.mitre.oauth2.service.SystemScopeService;
@@ -45,7 +51,13 @@ import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 
+import com.google.common.collect.Lists;
+import com.google.common.collect.Maps;
 import com.google.common.collect.Sets;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.JWSHeader;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.jwt.SignedJWT;
 
 @Controller
 @RequestMapping(value = "register")
@@ -56,6 +68,15 @@ public class ClientDynamicRegistrationEndpoint {
 
 	@Autowired
 	private OAuth2TokenEntityService tokenService;
+	
+	@Autowired
+	private JwtSigningAndValidationService jwtService;
+	
+	@Autowired
+	private ConfigurationPropertiesBean configBean;
+	
+	@Autowired
+	private AuthenticationHolderRepository authenticationHolderRepository;
 
 	@Autowired
 	private SystemScopeService scopeService;
@@ -326,14 +347,42 @@ public class ClientDynamicRegistrationEndpoint {
 	 * @throws AuthenticationException
 	 */
 	private OAuth2AccessTokenEntity createRegistrationAccessToken(ClientDetailsEntity client) throws AuthenticationException {
-		// create a registration access token, treat it like a client credentials flow
+		Map<String, String> authorizationParameters = Maps.newHashMap();
-		// I can't use the auth request interface here because it has no setters and bad constructors -- THIS IS BAD API DESIGN
+		// This is replaced in 1.1 with a proper storage object
-		DefaultAuthorizationRequest authorizationRequest = new DefaultAuthorizationRequest(client.getClientId(), Sets.newHashSet(OAuth2AccessTokenEntity.REGISTRATION_TOKEN_SCOPE));
+		DefaultAuthorizationRequest clientAuth = new DefaultAuthorizationRequest(authorizationParameters, null, client.getClientId(), Sets.newHashSet(OAuth2AccessTokenEntity.REGISTRATION_TOKEN_SCOPE));
-		authorizationRequest.setApproved(true);
+		clientAuth.setApproved(true);
-		authorizationRequest.setAuthorities(Sets.newHashSet(new SimpleGrantedAuthority("ROLE_CLIENT")));
+		clientAuth.setAuthorities(Sets.newHashSet(new SimpleGrantedAuthority("ROLE_CLIENT")));
-		OAuth2Authentication authentication = new OAuth2Authentication(authorizationRequest, null);
+		OAuth2Authentication authentication = new OAuth2Authentication(clientAuth, null);
-		OAuth2AccessTokenEntity registrationAccessToken = (OAuth2AccessTokenEntity) tokenService.createAccessToken(authentication);
+		
-		return registrationAccessToken;
+		OAuth2AccessTokenEntity token = new OAuth2AccessTokenEntity();
+		token.setClient(client);
+		token.setScope(Sets.newHashSet(OAuth2AccessTokenEntity.REGISTRATION_TOKEN_SCOPE));
+
+		AuthenticationHolderEntity authHolder = new AuthenticationHolderEntity();
+		authHolder.setAuthentication(authentication);
+		authHolder = authenticationHolderRepository.save(authHolder);
+		token.setAuthenticationHolder(authHolder);
+
+		JWTClaimsSet claims = new JWTClaimsSet();
+
+		claims.setAudience(Lists.newArrayList(client.getClientId()));
+		claims.setIssuer(configBean.getIssuer());
+		claims.setIssueTime(new Date());
+		claims.setExpirationTime(token.getExpiration());
+		claims.setJWTID(UUID.randomUUID().toString()); // set a random NONCE in the middle of it
+
+		// TODO: use client's default signing algorithm
+		JWSAlgorithm signingAlg = jwtService.getDefaultSigningAlgorithm();
+		SignedJWT signed = new SignedJWT(new JWSHeader(signingAlg), claims);
+
+		jwtService.signJwt(signed);
+
+		token.setJwt(signed);
+
+		tokenService.saveAccessToken(token);
+
+		return token;
+		
 	}
 
 }