split scopes table

openid-connect-common/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java

@@ -451,7 +451,7 @@ public class ClientDetailsEntity implements ClientDetails {
      */
 	@ElementCollection(fetch = FetchType.EAGER)
 	@CollectionTable(
-			name="scope",
+			name="client_scope",
 			joinColumns=@JoinColumn(name="owner_id")
 	)
 	@Override

openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2AccessTokenEntity.java

@@ -215,7 +215,7 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
     @ElementCollection(fetch=FetchType.EAGER)
     @CollectionTable(
     		joinColumns=@JoinColumn(name="owner_id"),
-    		name="scope"
+    		name="token_scope"
     )
     public Set<String> getScope() {
 	    return scope;

openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2RefreshTokenEntity.java

@@ -70,8 +70,6 @@ public class OAuth2RefreshTokenEntity implements OAuth2RefreshToken {
 	// our refresh tokens might expire
 	private Date expiration;
 
-	private  Set<String> scope; // we save the scope issued to the refresh token so that we can reissue a new access token	
-	
 	/**
 	 * 
 	 */
@@ -173,25 +171,6 @@ public class OAuth2RefreshTokenEntity implements OAuth2RefreshToken {
     	this.client = client;
     }
 
-	/**
-     * @return the scope
-     */
-	@ElementCollection(fetch = FetchType.EAGER)
-	@CollectionTable(
-			joinColumns=@JoinColumn(name="owner_id"),
-			name="scope"
-	)
-    public Set<String> getScope() {
-    	return scope;
-    }
-
-	/**
-     * @param scope the scope to set
-     */
-    public void setScope(Set<String> scope) {
-    	this.scope = scope;
-    }
-    
     /**
      * Get the JWT object directly
      * @return the jwt

openid-connect-server/db/tables/database_tables.sql

@@ -131,7 +131,12 @@ CREATE TABLE resource_id (
 	resource_id VARCHAR(256) 
 );
 
-CREATE TABLE scope (
+CREATE TABLE client_scope (
+	owner_id VARCHAR(4096),
+	scope VARCHAR(2048)
+);
+
+CREATE TABLE token_scope (
 	owner_id VARCHAR(4096),
 	scope VARCHAR(2048)
 );

openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java

@@ -111,12 +111,6 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 		    		Date expiration = new Date(System.currentTimeMillis() + (client.getRefreshTokenValiditySeconds() * 1000L));
 		    		refreshToken.setExpiration(expiration);
 	    		}
-	    		
-	    		// save our scopes so that we can reuse them later for more auth tokens
-	    		// TODO: save the auth instead of the just the scope?
-			    if (client.isScoped()) {
-			    	refreshToken.setScope(token.getScope());
-			    }
 
 			    //Add the authentication
 			    refreshToken.setAuthenticationHolder(authHolder);
@@ -173,20 +167,22 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 
 		OAuth2AccessTokenEntity token = new OAuth2AccessTokenEntity(); 
 
+		// get the stored scopes from the authentication holder's authorization request; these are the scopes associated with the refresh token
+		Set<String> refreshScopes = refreshToken.getAuthenticationHolder().getAuthentication().getAuthorizationRequest().getScope();
 		
 		if (scope != null && !scope.isEmpty()) { 
-			// ensure a proper subset of scopes 
-			if (refreshToken.getScope() != null && refreshToken.getScope().containsAll(scope)) {
+			// ensure a proper subset of scopes
+			if (refreshScopes != null && refreshScopes.containsAll(scope)) {
 				// set the scope of the new access token if requested
 				token.setScope(scope);
 			} else {
 				// up-scoping is not allowed
 				// (TODO: should this throw InvalidScopeException? For now just pass through)
-				token.setScope(refreshToken.getScope());
+				token.setScope(refreshScopes);
 			}
 		} else {
 			// otherwise inherit the scope of the refresh token (if it's there -- this can return a null scope set)
-			token.setScope(refreshToken.getScope());
+			token.setScope(refreshScopes);
 		}
 	    
     	token.setClient(client);