revocation endpoint cleanup, still needs views
parent
27219c066d
commit
5c72d8b95f
@ -20,6 +20,7 @@ import java.util.List;
import org.mitre.oauth2.model.ClientDetailsEntity;
import org.mitre.oauth2.model.ClientDetailsEntity;
import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
import org.mitre.oauth2.model.OAuth2RefreshTokenEntity;
import org.mitre.oauth2.model.OAuth2RefreshTokenEntity;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;
import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
@ -43,4 +44,6 @@ public interface OAuth2TokenEntityService extends AuthorizationServerTokenServic
public OAuth2RefreshTokenEntity saveRefreshToken(OAuth2RefreshTokenEntity refreshToken);
public OAuth2RefreshTokenEntity saveRefreshToken(OAuth2RefreshTokenEntity refreshToken);
public OAuth2AccessTokenEntity getAccessToken(OAuth2Authentication authentication);
}
}
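Review bot: The new `public OAuth2AccessTokenEntity getAccessToken(OAuth2Authentication authentication);` declaration in the second hunk has no Javadoc, and it overloads a name whose value-based form this same commit stops calling in favour of `readAccessToken` (see the IntrospectionEndpoint hunk), so an implementor cannot tell from the interface whether it returns null or throws when no token is bound to the authentication. A Javadoc such as `/** Returns the access token issued to the given authentication, or null if none is stored; unlike readAccessToken(String) this must not throw InvalidTokenException for a missing token. */` would fix the contract, with the null-versus-throw choice adjusted to whatever the implementation actually does. The RevocationEndpoint hunk on this page appears to call this method with a client principal and use the result without a null check, which is only safe once that contract is stated. The interface body continues outside both hunks of this section.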
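--- a/IntrospectionEndpoint.java
+++ b/IntrospectionEndpoint.java
@@ -41,7 +41,7 @@ public class IntrospectionEndpoint {
 @RequestMapping("/oauth/verify")
 public ModelAndView verify(@RequestParam("token") String tokenValue,
 ModelAndView modelAndView) {
-OAuth2AccessTokenEntity token = tokenServices.getAccessToken(tokenValue);
+OAuth2AccessTokenEntity token = tokenServices.readAccessToken(tokenValue);
 
 if (token == null) {
 // if it's not a valid token, we'll print a 404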
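Review bot: Switching the lookup to `tokenServices.readAccessToken(tokenValue)` leaves the `if (token == null)` branch on the next line unreachable for unknown tokens if the implementation throws `InvalidTokenException` rather than returning null, which is exactly the case the RevocationEndpoint hunk in this same commit guards with a try/catch ("it's OK if either of these tokens are bad"); here a bad token would then surface as an unhandled exception instead of the intended 404. The two endpoints should treat an invalid token the same way, so the call should be wrapped and the null path kept for the 404, adding the `InvalidTokenException` import if this file does not already have it. Separately, no `@PreAuthorize` is visible above `@RequestMapping("/oauth/verify")` in this hunk while `/oauth/revoke` carries one; if none exists outside the hunk, any caller can confirm whether an arbitrary token value is live, which is worth restricting to the resource servers that need introspection. The verify method continues outside the hunk.
```java
public ModelAndView verify(@RequestParam("token") String tokenValue,
		ModelAndView modelAndView) {
	OAuth2AccessTokenEntity token = null;
	try {
		token = tokenServices.readAccessToken(tokenValue);
	} catch (InvalidTokenException e) {
		// an unknown or expired token is reported as a 404 below, same as a null result
	}
	// … unchanged: if (token == null) { … 404 … } …
```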
@ -15,6 +15,8 @@
******************************************************************************/
******************************************************************************/
package org.mitre.oauth2.web;
package org.mitre.oauth2.web;
import java.security.Principal;
import org.mitre.oauth2.exception.PermissionDeniedException;
import org.mitre.oauth2.exception.PermissionDeniedException;
import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
import org.mitre.oauth2.model.OAuth2RefreshTokenEntity;
import org.mitre.oauth2.model.OAuth2RefreshTokenEntity;
@ -47,23 +49,35 @@ public class RevocationEndpoint {
// TODO
// TODO
@PreAuthorize("hasRole('ROLE_ADMIN') or hasRole('ROLE_CLIENT')")
@PreAuthorize("hasRole('ROLE_ADMIN') or hasRole('ROLE_CLIENT')")
@RequestMapping("/oauth/revoke")
@RequestMapping("/oauth/revoke")
public ModelAndView revoke(@RequestParam("token") String tokenValue,
public ModelAndView revoke(@RequestParam("token") String tokenValue, Principal principal,
ModelAndView modelAndView) {
ModelAndView modelAndView) {
OAuth2RefreshTokenEntity refreshToken = tokenServices.getRefreshToken(tokenValue);
OAuth2AccessTokenEntity accessToken = tokenServices.getAccessToken(tokenValue);
OAuth2RefreshTokenEntity refreshToken = null;
OAuth2AccessTokenEntity accessToken = null;
try {
refreshToken = tokenServices.getRefreshToken(tokenValue);
} catch (InvalidTokenException e) {
// it's OK if either of these tokens are bad
}
try {
accessToken = tokenServices.readAccessToken(tokenValue);
} catch (InvalidTokenException e) {
// it's OK if either of these tokens are bad
}
if (refreshToken == null && accessToken == null) {
if (refreshToken == null && accessToken == null) {
// TODO: this should throw a 400 with a JSON error code
// TODO: this should throw a 400 with a JSON error code
throw new InvalidTokenException("Invalid OAuth token: " + tokenValue);
throw new InvalidTokenException("Invalid OAuth token: " + tokenValue);
}
}
// TODO: there should be a way to do this in SPEL, right?
if (principal instanceof OAuth2Authentication) {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
OAuth2AccessTokenEntity tok = tokenServices.getAccessToken((OAuth2Authentication) principal);
if (auth instanceof OAuth2Authentication) {
// we've got a client acting on its own behalf, not an admin
// we've got a client acting on its own behalf, not an admin
//ClientAuthentication clientAuth = (ClientAuthenticationToken) ((OAuth2Authentication) auth).getClientAuthentication();
//ClientAuthentication clientAuth = (ClientAuthenticationToken) ((OAuth2Authentication) auth).getClientAuthentication();
AuthorizationRequest clientAuth = ((OAuth2Authentication) auth).getAuthorizationRequest();
AuthorizationRequest clientAuth = ((OAuth2Authentication) principal).getAuthorizationRequest();
if (refreshToken != null) {
if (refreshToken != null) {
if (!refreshToken.getClient().getClientId().equals(clientAuth.getClientId())) {
if (!refreshToken.getClient().getClientId().equals(clientAuth.getClientId())) {