Registration Token regeneration - when they are beyond their lifetime

(in read/update calls)
pull/620/head
Trilok Jain 2014-06-13 03:10:50 +05:30 committed by Justin Richer
parent ed3e6a2814
commit 4e09ec687b
2 changed files with 25 additions and 12 deletions


@ -32,6 +32,7 @@
<property name="issuer" value="http://localhost:8080/openid-connect-server-webapp/" /> <property name="issuer" value="http://localhost:8080/openid-connect-server-webapp/" />
<property name="logoImageUrl" value="resources/images/openid_connect_small.png" /> <property name="logoImageUrl" value="resources/images/openid_connect_small.png" />
<property name="topbarTitle" value="OpenID Connect Server" /> <property name="topbarTitle" value="OpenID Connect Server" />
<property name="regTokenLifeTime" value="172800" />
</bean> </bean>
</beans> </beans>
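Review bot: The new `regTokenLifeTime` property is a bare number with no unit stated; the Java side multiplies it by 1000 to build a millisecond date, so it is seconds (172800 = 48 hours), but nothing in this file says so. An XML comment beside the property, `<!-- lifetime of a client's registration access token, in seconds (172800 = 48h); older tokens are rotated on read/update -->`, would keep the next maintainer from reading it as milliseconds or hours.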


@ -17,6 +17,8 @@
package org.mitre.openid.connect.web; package org.mitre.openid.connect.web;
import java.io.UnsupportedEncodingException; import java.io.UnsupportedEncodingException;
import java.text.ParseException;
import java.util.Date;
import java.util.HashSet; import java.util.HashSet;
import java.util.Set; import java.util.Set;
import java.util.concurrent.TimeUnit; import java.util.concurrent.TimeUnit;
@ -202,10 +204,8 @@ public class ClientDynamicRegistrationEndpoint {
if (client != null && client.getClientId().equals(auth.getOAuth2Request().getClientId())) { if (client != null && client.getClientId().equals(auth.getOAuth2Request().getClientId())) {
//Get rid of the old token and issue a new token
OAuth2AccessTokenEntity token = rotateRegistrationToken(auth, client);
try { try {
OAuth2AccessTokenEntity token = fetchValidRegistrationToken(auth, client);
RegisteredClient registered = new RegisteredClient(client, token.getValue(), config.getIssuer() + "register/" + UriUtils.encodePathSegment(client.getClientId(), "UTF-8")); RegisteredClient registered = new RegisteredClient(client, token.getValue(), config.getIssuer() + "register/" + UriUtils.encodePathSegment(client.getClientId(), "UTF-8"));
// send it all out to the view // send it all out to the view
@ -217,7 +217,12 @@ public class ClientDynamicRegistrationEndpoint {
logger.error("Unsupported encoding", e); logger.error("Unsupported encoding", e);
m.addAttribute("code", HttpStatus.INTERNAL_SERVER_ERROR); m.addAttribute("code", HttpStatus.INTERNAL_SERVER_ERROR);
return "httpCodeView"; return "httpCodeView";
} catch (ParseException e) {
logger.error("Invalid Token", e);
m.addAttribute("code", HttpStatus.BAD_REQUEST);
return "httpCodeView";
} }
} else { } else {
// client mismatch // client mismatch
logger.error("readClientConfiguration failed, client ID mismatch: " logger.error("readClientConfiguration failed, client ID mismatch: "
@ -291,8 +296,7 @@ public class ClientDynamicRegistrationEndpoint {
// save the client // save the client
ClientDetailsEntity savedClient = clientService.updateClient(oldClient, newClient); ClientDetailsEntity savedClient = clientService.updateClient(oldClient, newClient);
//Get rid of the old token and issue a new token OAuth2AccessTokenEntity token = fetchValidRegistrationToken(auth, savedClient);
OAuth2AccessTokenEntity token = rotateRegistrationToken(auth, savedClient);
RegisteredClient registered = new RegisteredClient(savedClient, token.getValue(), config.getIssuer() + "register/" + UriUtils.encodePathSegment(savedClient.getClientId(), "UTF-8")); RegisteredClient registered = new RegisteredClient(savedClient, token.getValue(), config.getIssuer() + "register/" + UriUtils.encodePathSegment(savedClient.getClientId(), "UTF-8"));
@ -310,6 +314,10 @@ public class ClientDynamicRegistrationEndpoint {
logger.error("Unsupported encoding", e); logger.error("Unsupported encoding", e);
m.addAttribute("code", HttpStatus.INTERNAL_SERVER_ERROR); m.addAttribute("code", HttpStatus.INTERNAL_SERVER_ERROR);
return "httpCodeView"; return "httpCodeView";
} catch (ParseException e) {
logger.error("Invalid Token", e);
m.addAttribute("code", HttpStatus.BAD_REQUEST);
return "httpCodeView";
} }
} else { } else {
// client mismatch // client mismatch
@ -520,14 +528,18 @@ public class ClientDynamicRegistrationEndpoint {
return newClient; return newClient;
} }
private OAuth2AccessTokenEntity rotateRegistrationToken(OAuth2Authentication auth, ClientDetailsEntity client) private OAuth2AccessTokenEntity fetchValidRegistrationToken(OAuth2Authentication auth, ClientDetailsEntity client) throws ParseException
{ {
OAuth2AuthenticationDetails details = (OAuth2AuthenticationDetails) auth.getDetails(); OAuth2AuthenticationDetails details = (OAuth2AuthenticationDetails) auth.getDetails();
OAuth2AccessTokenEntity token = tokenService.readAccessToken(details.getTokenValue()); OAuth2AccessTokenEntity token = tokenService.readAccessToken(details.getTokenValue());
tokenService.revokeAccessToken(token); // Re-issue the token if it has been issued before [currentTime - validity]
Date validToDate = new Date(System.currentTimeMillis() - config.getRegTokenLifeTime() * 1000);
OAuth2AccessTokenEntity newToken = connectTokenService.createRegistrationAccessToken(client); if(token.getJwt().getJWTClaimsSet().getIssueTime().before(validToDate))
tokenService.saveAccessToken(newToken); {
return newToken; tokenService.revokeAccessToken(token);
token = connectTokenService.createRegistrationAccessToken(client);
tokenService.saveAccessToken(token);
}
return token;
} }
} }
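Review bot: In fetchValidRegistrationToken the age check `token.getJwt().getJWTClaimsSet().getIssueTime().before(validToDate)` dereferences the issue-time claim without a null check, so a stored registration token that carries no `iat` (or one whose JWT is unavailable) would fail with a NullPointerException rather than the ParseException the callers catch; a guard such as `Date issued = token.getJwt().getJWTClaimsSet().getIssueTime(); if (issued == null || issued.before(validToDate))` treats an unknown issue time as expired and rotates the credential, which is the safer default. The arithmetic `config.getRegTokenLifeTime() * 1000` is done before widening to long — if the getter returns an int (its type is not visible here), configured lifetimes above roughly 2,147,483 seconds overflow and silently yield a wrong cutoff date; `* 1000L` avoids that. The new `catch (ParseException e)` blocks in readClientConfiguration and the update handler map a failure to parse the server's own stored token to HttpStatus.BAD_REQUEST, although the client presented a token the authentication layer already accepted; INTERNAL_SERVER_ERROR would be the more accurate status and keeps the parse failure visible in monitoring. The method also still revokes the old token before the replacement is saved, an ordering carried over from rotateRegistrationToken, so a failure inside createRegistrationAccessToken would leave the client with no usable registration token.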