fixed checking of refresh token permissions in client service, clients can now request either refresh_token grant type or offline_access scope and it will work. added checkbox to dynreg page for ease-of-use

closes #734
2014-11-22 22:43:01 -05:00 · 2014-11-22 22:43:01 -05:00 · 4ccd948ad2
parent e983e8a0c9
commit 4ccd948ad2
2 changed files with 28 additions and 38 deletions
--- a/openid-connect-server-webapp/src/main/webapp/resources/template/dynreg.html
+++ b/openid-connect-server-webapp/src/main/webapp/resources/template/dynreg.html
@ -264,6 +264,9 @@
                    <label class="checkbox">
                        <input id="grantTypes-redelegate" type="checkbox" <%-($.inArray("urn:ietf:params:oauth:grant_type:redelegate", client.grant_types) > -1 ? 'checked' : '')%>> redelegate
                    </label>
+                    <label class="checkbox">
+                        <input id="grantTypes-refresh_token" type="checkbox" <%-($.inArray("refresh_token", client.grant_types) > -1 ? 'checked' : '')%>> refresh token
+                    </label>

                </div>
            </div>
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java
@ -108,18 +108,28 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt
 			client = generateClientId(client);
 		}

-		// if the client is flagged to allow for refresh tokens, make sure it's got the right granted scopes
-		if (client.isAllowRefresh()) {
-			client.getScope().add(SystemScopeService.OFFLINE_ACCESS);
-		} else {
-			client.getScope().remove(SystemScopeService.OFFLINE_ACCESS);
-		}
+		// for refresh tokens, ensure consistency between grant types and tokens
+		ensureRefreshTokenConsistency(client);

 		// timestamp this to right now
 		client.setCreatedAt(new Date());


 		// check the sector URI
+		checkSectorIdentifierUri(client);
+
+
+		// make sure a client doesn't get any special system scopes
+		client.setScope(scopeService.removeRestrictedScopes(client.getScope()));
+
+		ClientDetailsEntity c = clientRepository.saveClient(client);
+
+		statsService.resetCache();
+
+		return c;
+	}
+
+	private void checkSectorIdentifierUri(ClientDetailsEntity client) {
 		if (!Strings.isNullOrEmpty(client.getSectorIdentifierUri())) {
 			try {
 				List<String> redirects = sectorRedirects.get(client.getSectorIdentifierUri());
@ -136,16 +146,13 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt
 				throw new IllegalArgumentException("Unable to load sector identifier URI: " + client.getSectorIdentifierUri());
 			}
 		}
+	}

-
-		// make sure a client doesn't get any special system scopes
-		client.setScope(scopeService.removeRestrictedScopes(client.getScope()));
-
-		ClientDetailsEntity c = clientRepository.saveClient(client);
-
-		statsService.resetCache();
-
-		return c;
+	private void ensureRefreshTokenConsistency(ClientDetailsEntity client) {
+		if (client.getAuthorizedGrantTypes().contains("refresh_token") || client.getScope().contains(SystemScopeService.OFFLINE_ACCESS)) {
+			client.getScope().add(SystemScopeService.OFFLINE_ACCESS);
+			client.getAuthorizedGrantTypes().add("refresh_token");
+		}
 	}

 	/**
@ -230,30 +237,10 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt
 			}

 			// if the client is flagged to allow for refresh tokens, make sure it's got the right scope
-			if (newClient.isAllowRefresh()) {
-				newClient.getScope().add(SystemScopeService.OFFLINE_ACCESS);
-			} else {
-				newClient.getScope().remove(SystemScopeService.OFFLINE_ACCESS);
-			}
+			ensureRefreshTokenConsistency(newClient);
 			
 			// check the sector URI
-			if (!Strings.isNullOrEmpty(newClient.getSectorIdentifierUri())) {
-				try {
-					List<String> redirects = sectorRedirects.get(newClient.getSectorIdentifierUri());
-
-					if (newClient.getRegisteredRedirectUri() != null) {
-						for (String uri : newClient.getRegisteredRedirectUri()) {
-							if (!redirects.contains(uri)) {
-								throw new IllegalArgumentException("Requested Redirect URI " + uri + " is not listed at sector identifier " + redirects);
-							}
-						}
-					}
-				} catch (UncheckedExecutionException ue) {
-					throw new IllegalArgumentException("Unable to load sector identifier URI: " + newClient.getSectorIdentifierUri());
-				} catch (ExecutionException e) {
-					throw new IllegalArgumentException("Unable to load sector identifier URI: " + newClient.getSectorIdentifierUri());
-				}
-			}
+			checkSectorIdentifierUri(newClient);

 			// make sure a client doesn't get any special system scopes
 			newClient.setScope(scopeService.removeRestrictedScopes(newClient.getScope()));