|
|
|
|
@ -16,17 +16,24 @@
|
|
|
|
|
*******************************************************************************/ |
|
|
|
|
package org.mitre.oauth2.web; |
|
|
|
|
|
|
|
|
|
import java.security.Principal; |
|
|
|
|
import static org.mitre.oauth2.web.AuthenticationUtilities.ensureOAuthScope; |
|
|
|
|
|
|
|
|
|
import java.util.Collection; |
|
|
|
|
|
|
|
|
|
import org.mitre.oauth2.model.ClientDetailsEntity; |
|
|
|
|
import org.mitre.oauth2.model.OAuth2AccessTokenEntity; |
|
|
|
|
import org.mitre.oauth2.model.OAuth2RefreshTokenEntity; |
|
|
|
|
import org.mitre.oauth2.service.ClientDetailsEntityService; |
|
|
|
|
import org.mitre.oauth2.service.OAuth2TokenEntityService; |
|
|
|
|
import org.mitre.oauth2.service.SystemScopeService; |
|
|
|
|
import org.mitre.openid.connect.view.HttpCodeView; |
|
|
|
|
import org.mitre.uma.model.ResourceSet; |
|
|
|
|
import org.slf4j.Logger; |
|
|
|
|
import org.slf4j.LoggerFactory; |
|
|
|
|
import org.springframework.beans.factory.annotation.Autowired; |
|
|
|
|
import org.springframework.http.HttpStatus; |
|
|
|
|
import org.springframework.security.access.prepost.PreAuthorize; |
|
|
|
|
import org.springframework.security.core.Authentication; |
|
|
|
|
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException; |
|
|
|
|
import org.springframework.security.oauth2.provider.OAuth2Authentication; |
|
|
|
|
import org.springframework.security.oauth2.provider.OAuth2Request; |
|
|
|
|
@ -38,7 +45,10 @@ import org.springframework.web.bind.annotation.RequestParam;
|
|
|
|
|
@Controller |
|
|
|
|
public class RevocationEndpoint { |
|
|
|
|
@Autowired |
|
|
|
|
OAuth2TokenEntityService tokenServices; |
|
|
|
|
private ClientDetailsEntityService clientService; |
|
|
|
|
|
|
|
|
|
@Autowired |
|
|
|
|
private OAuth2TokenEntityService tokenServices; |
|
|
|
|
|
|
|
|
|
/** |
|
|
|
|
* Logger for this class
|
|
|
|
|
@ -49,32 +59,53 @@ public class RevocationEndpoint {
|
|
|
|
|
|
|
|
|
|
@PreAuthorize("hasRole('ROLE_ADMIN') or hasRole('ROLE_CLIENT')") |
|
|
|
|
@RequestMapping("/" + URL) |
|
|
|
|
public String revoke(@RequestParam("token") String tokenValue, @RequestParam(value = "token_type_hint", required = false) String tokenType, Principal principal, Model model) { |
|
|
|
|
public String revoke(@RequestParam("token") String tokenValue, @RequestParam(value = "token_type_hint", required = false) String tokenType, Authentication auth, Model model) { |
|
|
|
|
|
|
|
|
|
// This is the token as passed in from OAuth (in case we need it some day)
|
|
|
|
|
//OAuth2AccessTokenEntity tok = tokenServices.getAccessToken((OAuth2Authentication) principal);
|
|
|
|
|
|
|
|
|
|
OAuth2Request authRequest = null; |
|
|
|
|
if (principal instanceof OAuth2Authentication) { |
|
|
|
|
// if the client is acting on its own behalf (the common case), pull out the client authorization request
|
|
|
|
|
authRequest = ((OAuth2Authentication) principal).getOAuth2Request(); |
|
|
|
|
ClientDetailsEntity authClient = null; |
|
|
|
|
|
|
|
|
|
if (auth instanceof OAuth2Authentication) { |
|
|
|
|
// the client authenticated with OAuth, do our UMA checks
|
|
|
|
|
ensureOAuthScope(auth, SystemScopeService.UMA_PROTECTION_SCOPE); |
|
|
|
|
// get out the client that was issued the access token (not the token being revoked)
|
|
|
|
|
OAuth2Authentication o2a = (OAuth2Authentication) auth; |
|
|
|
|
|
|
|
|
|
String authClientId = o2a.getOAuth2Request().getClientId(); |
|
|
|
|
authClient = clientService.loadClientByClientId(authClientId); |
|
|
|
|
|
|
|
|
|
// the owner is the user who authorized the token in the first place
|
|
|
|
|
String ownerId = o2a.getUserAuthentication().getName(); |
|
|
|
|
|
|
|
|
|
} else { |
|
|
|
|
// the client authenticated directly, make sure it's got the right access
|
|
|
|
|
|
|
|
|
|
String authClientId = auth.getName(); // direct authentication puts the client_id into the authentication's name field
|
|
|
|
|
authClient = clientService.loadClientByClientId(authClientId); |
|
|
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
try { |
|
|
|
|
// check and handle access tokens first
|
|
|
|
|
|
|
|
|
|
OAuth2AccessTokenEntity accessToken = tokenServices.readAccessToken(tokenValue); |
|
|
|
|
if (authRequest != null) { |
|
|
|
|
// client acting on its own, make sure it owns the token
|
|
|
|
|
if (!accessToken.getClient().getClientId().equals(authRequest.getClientId())) { |
|
|
|
|
// trying to revoke a token we don't own, throw a 403
|
|
|
|
|
model.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN); |
|
|
|
|
return HttpCodeView.VIEWNAME; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
// client acting on its own, make sure it owns the token
|
|
|
|
|
if (!accessToken.getClient().getClientId().equals(authClient.getClientId())) { |
|
|
|
|
// trying to revoke a token we don't own, throw a 403
|
|
|
|
|
|
|
|
|
|
logger.info("Client " + authClient.getClientId() + " tried to revoke a token owned by " + accessToken.getClient().getClientId()); |
|
|
|
|
|
|
|
|
|
model.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN); |
|
|
|
|
return HttpCodeView.VIEWNAME; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
// if we got this far, we're allowed to do this
|
|
|
|
|
tokenServices.revokeAccessToken(accessToken); |
|
|
|
|
|
|
|
|
|
logger.debug("Client " + authClient.getClientId() + " revoked access token " + tokenValue); |
|
|
|
|
|
|
|
|
|
model.addAttribute(HttpCodeView.CODE, HttpStatus.OK); |
|
|
|
|
return HttpCodeView.VIEWNAME; |
|
|
|
|
|
|
|
|
|
@ -84,17 +115,21 @@ public class RevocationEndpoint {
|
|
|
|
|
|
|
|
|
|
try { |
|
|
|
|
OAuth2RefreshTokenEntity refreshToken = tokenServices.getRefreshToken(tokenValue); |
|
|
|
|
if (authRequest != null) { |
|
|
|
|
// client acting on its own, make sure it owns the token
|
|
|
|
|
if (!refreshToken.getClient().getClientId().equals(authRequest.getClientId())) { |
|
|
|
|
// trying to revoke a token we don't own, throw a 403
|
|
|
|
|
model.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN); |
|
|
|
|
return HttpCodeView.VIEWNAME; |
|
|
|
|
} |
|
|
|
|
// client acting on its own, make sure it owns the token
|
|
|
|
|
if (!refreshToken.getClient().getClientId().equals(authClient.getClientId())) { |
|
|
|
|
// trying to revoke a token we don't own, throw a 403
|
|
|
|
|
|
|
|
|
|
logger.info("Client " + authClient.getClientId() + " tried to revoke a token owned by " + refreshToken.getClient().getClientId()); |
|
|
|
|
|
|
|
|
|
model.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN); |
|
|
|
|
return HttpCodeView.VIEWNAME; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
// if we got this far, we're allowed to do this
|
|
|
|
|
tokenServices.revokeRefreshToken(refreshToken); |
|
|
|
|
|
|
|
|
|
logger.debug("Client " + authClient.getClientId() + " revoked access token " + tokenValue); |
|
|
|
|
|
|
|
|
|
model.addAttribute(HttpCodeView.CODE, HttpStatus.OK); |
|
|
|
|
return HttpCodeView.VIEWNAME; |
|
|
|
|
|
|
|
|
|
@ -102,6 +137,8 @@ public class RevocationEndpoint {
|
|
|
|
|
|
|
|
|
|
// neither token type was found, simply say "OK" and be on our way.
|
|
|
|
|
|
|
|
|
|
logger.debug("Failed to revoke token " + tokenValue); |
|
|
|
|
|
|
|
|
|
model.addAttribute(HttpCodeView.CODE, HttpStatus.OK); |
|
|
|
|
return HttpCodeView.VIEWNAME; |
|
|
|
|
} |
|
|
|
|
|
Justin Richer
8 years ago