From 3b2271994fd81279058bcded89bad67fcbf72ce9 Mon Sep 17 00:00:00 2001
From: Justin Richer <jricher@mit.edu>
Date: Sat, 22 Nov 2014 21:32:47 -0500
Subject: [PATCH] make sure that client presenting refresh token is the same
 client the refresh token was issued to

closes #735
---
 .../service/impl/DefaultOAuth2ProviderTokenService.java  | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
index ee715c99b..eb123074d 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
@@ -210,7 +210,14 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 		ClientDetailsEntity client = refreshToken.getClient();
 
 		AuthenticationHolderEntity authHolder = refreshToken.getAuthenticationHolder();
-
+		
+		// make sure that the client requesting the token is the one who owns the refresh token
+		ClientDetailsEntity requestingClient = clientDetailsService.loadClientByClientId(authRequest.getClientId());
+		if (requestingClient.getClientId() != client.getClientId()) {
+			tokenRepository.removeRefreshToken(refreshToken);
+			throw new InvalidClientException("Client does not own the presented refresh token");
+		}
+		
 		//Make sure this client allows access token refreshing
 		if (!client.isAllowRefresh()) {
 			throw new InvalidClientException("Client does not allow refreshing access token!");
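Review bot: The ownership check on the added `if (requestingClient.getClientId() != client.getClientId())` line compares two Strings by reference, so it only tests whether the two entities happen to hand back the same String instance, not whether the IDs are equal. When the IDs are equal but held in different instances, a legitimate refresh request is treated as a mismatch, the refresh token is deleted from the repository and the client is rejected, which turns the new guard into a self-inflicted revocation; if the IDs differ the condition is true either way, so the check does not bypass, it over-fires. Compare by value instead, `if (!client.getClientId().equals(requestingClient.getClientId())) {`, or `Objects.equals` if null is possible for either side. The lookup via `clientDetailsService.loadClientByClientId(authRequest.getClientId())` is also dereferenced without a null check on the next line; if that method can return null rather than throw, it should be guarded before `getClientId()` is called. The enclosing method starts before this hunk.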