added redelegate scope to client list, fixed inconsistency with refresh token issuance (addresses #239)

2012-12-10 16:53:05 -05:00 · 2012-12-10 16:53:05 -05:00 · 94c37f5815
parent 510ddb48b7
commit 94c37f5815
4 changed files with 52 additions and 3 deletions
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java
@ -33,6 +33,7 @@ import org.mitre.openid.connect.service.WhitelistedSiteService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
 import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
+import org.springframework.security.oauth2.provider.refresh.RefreshTokenGranter;
 import org.springframework.stereotype.Service;

 import com.google.common.base.Strings;
@ -85,6 +86,18 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt
            client = generateClientId(client);
        }
        
+        // if the client is flagged to allow for refresh tokens, make sure it's got the right granted authority
+        if (client.isAllowRefresh()) {
+        	client.getAuthorizedGrantTypes().add("refresh_token");
+        } else {
+        	client.getAuthorizedGrantTypes().remove("refresh_token");
+        }
+        if (client.getAuthorizedGrantTypes().contains("refresh_token")) {
+        	client.setAllowRefresh(true);
+        } else {
+        	client.setAllowRefresh(false);
+        }
+        
        return clientRepository.saveClient(client);
 	}
 	
@ -156,7 +169,19 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt
 				}
 	        }
 			
-			return clientRepository.updateClient(oldClient.getId(), newClient);
+	        // if the client is flagged to allow for refresh tokens, make sure it's got the right granted authority
+	        if (newClient.isAllowRefresh()) {
+	        	newClient.getAuthorizedGrantTypes().add("refresh_token");
+	        } else {
+	        	newClient.getAuthorizedGrantTypes().remove("refresh_token");
+	        }
+	        if (newClient.getAuthorizedGrantTypes().contains("refresh_token")) {
+	        	newClient.setAllowRefresh(true);
+	        } else {
+	        	newClient.setAllowRefresh(false);
+	        }
+
+	        return clientRepository.updateClient(oldClient.getId(), newClient);
 		}
 		throw new IllegalArgumentException("Neither old client or new client can be null!");
    }
--- a/openid-connect-server/src/main/resources/db/clients.sql
+++ b/openid-connect-server/src/main/resources/db/clients.sql
@ -27,6 +27,7 @@ INSERT INTO redirect_uri_TEMP (owner_id, redirect_uri) VALUES
 	
 INSERT INTO authorized_grant_type_TEMP (owner_id, authorized_grant_type) VALUES
 	('client', 'authorization_code'),
+	('client', 'urn:ietf:params:oauth:grant_type:redelegate'),
 	('client', 'implicit');
 	
 --
--- a/openid-connect-server/src/main/webapp/resources/js/admin.js
+++ b/openid-connect-server/src/main/webapp/resources/js/admin.js
@ -513,6 +513,15 @@
            if (value == "") return null;
            else return value;
        },
+
+        // maps from a form-friendly name to the real grant parameter name
+        authorizedGrantMap:{
+        	"authorization_code": "authorization_code",
+        	"password": "password",
+        	"implicit": "implicit",
+        	"client_credentials": "client_credentials",
+        	"redelegate": "urn:ietf:params:oauth:grant_type:redelegate"
+        },
        
        saveClient:function (event) {

@ -520,9 +529,9 @@

            // build the grant type object
            var authorizedGrantTypes = [];
-            $.each(["authorization_code","client_credentials","password","implicit"],function(index,type) {
+            $.each(["authorization_code","client_credentials","password","implicit","urn:ietf:params:oauth:grant_type:redelegate"],function(index,type) {
                if ($('#authorizedGrantTypes-' + type).is(':checked')) {
-                    authorizedGrantTypes.push(type);
+                    authorizedGrantTypes.push(authorizedGrantMap[type]);
                }
            });

@ -548,6 +557,9 @@
            var refreshTokenValiditySeconds = null;
            if ($('#allowRefresh').is(':checked') && !$('disableRefreshTokenTimeout').is(':checked')) {
            	refreshTokenValiditySeconds = this.getFormTokenValue($('#refreshTokenValiditySeconds input[type=text]').val()); 
+            	if ($.inArray('refresh_token', authorizedGrantTypes) == -1) {
+            		authorizedGrantTypes.push('refresh_token');
+            	}
            }
            
            var valid = this.model.set({
--- a/openid-connect-server/src/main/webapp/resources/template/admin.html
+++ b/openid-connect-server/src/main/webapp/resources/template/admin.html
@ -179,6 +179,17 @@
                        <input id="authorizedGrantTypes-implicit" type="checkbox" <%=($.inArray("implicit",
                        authorizedGrantTypes) > -1 ? 'checked' : '')%>> implicit
                    </label>
+<!--
+                    <label class="checkbox">
+                        <input id="authorizedGrantTypes-refresh_token" type="checkbox" <%=($.inArray("refresh_token",
+                        authorizedGrantTypes) > -1 ? 'checked' : '')%>> refresh
+                    </label>
+-->
+                    <label class="checkbox">
+                        <input id="authorizedGrantTypes-redelegate" type="checkbox" <%=($.inArray("urn:ietf:params:oauth:grant_type:redelegate",
+                        authorizedGrantTypes) > -1 ? 'checked' : '')%>> redelegate
+                    </label>
+
                </div>
            </div>