diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/token/ChainedTokenGranter.java b/openid-connect-server/src/main/java/org/mitre/oauth2/token/ChainedTokenGranter.java
index 281dc4f8c..a8b3a4630 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/token/ChainedTokenGranter.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/token/ChainedTokenGranter.java
@@ -6,15 +6,18 @@ package org.mitre.oauth2.token;
 import java.util.HashSet;
 import java.util.Set;
+import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
 import org.mitre.oauth2.service.ClientDetailsEntityService;
 import org.mitre.oauth2.service.OAuth2TokenEntityService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
 import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
+import org.springframework.security.oauth2.common.util.OAuth2Utils;
 import org.springframework.security.oauth2.provider.AuthorizationRequest;
 import org.springframework.security.oauth2.provider.ClientDetailsService;
 import org.springframework.security.oauth2.provider.DefaultAuthorizationRequest;
+import org.springframework.security.oauth2.provider.OAuth2Authentication;
 import org.springframework.security.oauth2.provider.token.AbstractTokenGranter;
 import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;
 import org.springframework.stereotype.Component;
 
@@ -66,6 +69,14 @@ public class ChainedTokenGranter extends AbstractTokenGranter {
 requestedScopes = new HashSet();
 }
+ // do a check on the requested scopes -- if they exactly match the client scopes, they were probably shadowed by the token granter
+ // FIXME: bug in SECOAUTH functionality
+ ClientDetailsEntity client = incomingToken.getClient();
+ if (client.getScope().equals(requestedScopes)) {
+ requestedScopes = new HashSet();
+ }
+
+ // if our scopes are a valid subset of what's allowed, we can continue
 if (approvedScopes.containsAll(requestedScopes)) {
@@ -84,7 +95,9 @@ public class ChainedTokenGranter extends AbstractTokenGranter {
 // NOTE: don't revoke the existing access token
 // create a new access token
- return tokenServices.createAccessToken(getOAuth2Authentication(outgoingAuthRequest));
+ OAuth2Authentication authentication = new OAuth2Authentication(outgoingAuthRequest, incomingToken.getAuthenticationHolder().getAuthentication().getUserAuthentication());
+
+ return tokenServices.createAccessToken(authentication);
 } else {
 throw new InvalidScopeException("Invalid scope requested in chained request", approvedScopes);
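Review bot: The new guard `if (client.getScope().equals(requestedScopes))` dereferences `incomingToken.getClient()` and its scope set with no null check, and it silently converts an explicit chained request for exactly the client's full registered scope set into an empty request instead of letting the `approvedScopes.containsAll(requestedScopes)` check below reject it — this is a heuristic around the SECOAUTH scope-defaulting bug, not a fix, and the two cases are indistinguishable afterwards. What an empty `requestedScopes` is later expanded to is outside this hunk (presumably the incoming token's scopes), so the downgrade is invisible to the client. At minimum make the guard null-safe and name the workaround: `if (client != null && client.getScope() != null && client.getScope().equals(requestedScopes)) {` preceded by `// WORKAROUND: SECOAUTH substitutes the client's full scope set when no scope parameter is sent; treat that exact set as "no scope requested" (this also masks a genuine full-scope request).` Both `new HashSet()` assignments are raw types; `new HashSet<String>()` keeps them type-safe if `requestedScopes` is declared as `Set<String>`, which its declaration (outside the hunk) would confirm. The enclosing method starts before and ends after this hunk.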