From 698feb49cd54a41a6cb5726c92f2b5fc408b413d Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Wed, 16 Dec 2015 22:46:42 -0500
Subject: [PATCH] check access token expiration on read. closes #983
---
 .../impl/DefaultOAuth2ProviderTokenService.java | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
index e69250dc5..e2e25016e 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
@@ -335,15 +335,13 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 if (accessToken == null) {
 throw new InvalidTokenException("Invalid access token: " + accessTokenValue);
- }
-
- if (accessToken.isExpired()) {
+ } else if (accessToken.isExpired()) {
 //tokenRepository.removeAccessToken(accessToken);
 revokeAccessToken(accessToken);
 throw new InvalidTokenException("Expired access token: " + accessTokenValue);
+ } else {
+ return accessToken.getAuthenticationHolder().getAuthentication();
 }
-
- return accessToken.getAuthenticationHolder().getAuthentication();
 }
@@ -355,8 +353,11 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 OAuth2AccessTokenEntity accessToken = tokenRepository.getAccessTokenByValue(accessTokenValue);
 if (accessToken == null) {
 throw new InvalidTokenException("Access token for value " + accessTokenValue + " was not found");
- }
- else {
+ } else if (accessToken.isExpired()) {
+ // immediately revoke the expired token
+ revokeAccessToken(accessToken);
+ throw new InvalidTokenException("Access token for value " + accessTokenValue + " is expired");
+ } else {
 return accessToken;
 }
 }
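Review bot: The stale line `//tokenRepository.removeAccessToken(accessToken);` sitting directly above `revokeAccessToken(accessToken);` in the expiry branch should be deleted now that the commit settles on revocation as the cleanup path; a commented-out alternative next to the live call invites someone to re-enable a direct repository delete and bypass whatever else `revokeAccessToken` does. Because revocation now runs before the throw, any exception raised inside `revokeAccessToken` (its body is outside this hunk) reaches the caller in place of the `InvalidTokenException` they handle for a rejected token, so an expired token could be reported as a persistence failure rather than as invalid; if the rejection must not depend on the cleanup succeeding, catch and log the revocation failure and still throw `InvalidTokenException`. The enclosing method's signature is above the hunk, so which callers depend on the exception type cannot be confirmed from here.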
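Review bot: The new `throw new InvalidTokenException("Access token for value " + accessTokenValue + " is expired");` embeds the full bearer token in the exception message, as the pre-existing `was not found` message already does; `InvalidTokenException` messages are typically surfaced to the client as `error_description` and written to server logs, so the raw credential is echoed back and persisted in plain text. The caller already holds that value, so the message is just as actionable without it — `"Access token is expired"` and `"Access token not found"` suffice, with the token's database id or a truncated prefix logged at debug level if correlation is needed. Revoking inside what appears to be a read method (its name and signature are above the hunk) also turns a lookup into a store mutation; that looks intended by the commit, but the `// immediately revoke the expired token` comment would be more useful if it said why read-time revocation is safe here, e.g. `// expired tokens are unusable, so drop them on first sight rather than wait for the reaper`.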