Propogated AuthenticationHolder effects; this is untested but compiles and I think it is mostly correct

openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2AccessTokenEntity.java

@@ -56,7 +56,7 @@ import org.springframework.security.oauth2.common.OAuth2RefreshToken;
 	@NamedQuery(name = "OAuth2AccessTokenEntity.getByRefreshToken", query = "select a from OAuth2AccessTokenEntity a where a.refreshToken = :refreshToken"),
 	@NamedQuery(name = "OAuth2AccessTokenEntity.getByClient", query = "select a from OAuth2AccessTokenEntity a where a.client = :client"),
 	@NamedQuery(name = "OAuth2AccessTokenEntity.getExpired", query = "select a from OAuth2AccessTokenEntity a where a.expiration is not null and a.expiration < current_timestamp"),
-	@NamedQuery(name = "OAuth2AccessTokenEntity.getByAuthentication", query = "select a from OAuth2AccessTokenEntity a where a.authentication = :authentication"),
+	@NamedQuery(name = "OAuth2AccessTokenEntity.getByAuthentication", query = "select a from OAuth2AccessTokenEntity a where a.authenticationHolder.authentication = :authentication"),
 	@NamedQuery(name = "OAuth2AccessTokenEntity.getByTokenValue", query = "select a from OAuth2AccessTokenEntity a where a.value = :tokenValue")
 })
 //@JsonSerialize(using = OAuth2AccessTokenSerializer.class)

openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2RefreshTokenEntity.java

@@ -50,12 +50,15 @@ import org.springframework.security.oauth2.common.OAuth2RefreshToken;
 @NamedQueries({
 	@NamedQuery(name = "OAuth2RefreshTokenEntity.getByClient", query = "select r from OAuth2RefreshTokenEntity r where r.client = :client"),
 	@NamedQuery(name = "OAuth2RefreshTokenEntity.getExpired", query = "select r from OAuth2RefreshTokenEntity r where r.expiration is not null and r.expiration < current_timestamp"),
-	@NamedQuery(name = "OAuth2RefreshTokenEntity.getByTokenValue", query = "selecr r from OAuth2RefreshTokenEntity r where r.tokenValue = :tokenValue")
+	@NamedQuery(name = "OAuth2RefreshTokenEntity.getByTokenValue", query = "select r from OAuth2RefreshTokenEntity r where r.tokenValue = :tokenValue"),
+	@NamedQuery(name = "OAuth2RefreshTokenEntity.getByAuthentication", query = "select r from OAuth2RefreshTokenEntity r where r.authenticationHolder.authentication = :authentication")
 })
 public class OAuth2RefreshTokenEntity implements OAuth2RefreshToken {
 
 	private Long id;
 	
+	private AuthenticationHolder authenticationHolder;
+	
 	private ClientDetailsEntity client;
 
 	//JWT-encoded representation of this access token entity
@@ -89,6 +92,25 @@ public class OAuth2RefreshTokenEntity implements OAuth2RefreshToken {
 		this.id = id;
 	}
 	
+	/**
+	 * The authentication in place when the original access token was 
+	 * created
+	 * 
+     * @return the authentication
+     */
+	@ManyToOne
+	@JoinColumn(name = "owner_id")
+    public AuthenticationHolder getAuthenticationHolder() {
+    	return authenticationHolder;
+    }
+
+	/**
+     * @param authentication the authentication to set
+     */
+    public void setAuthenticationHolder(AuthenticationHolder authenticationHolder) {
+    	this.authenticationHolder = authenticationHolder;
+    }
+
 	/**
 	 * Get the JWT-encoded value of this token
 	 */

openid-connect-common/src/main/java/org/mitre/oauth2/repository/AuthenticationHolderRepository.java

@@ -9,9 +9,9 @@ public interface AuthenticationHolderRepository {
 	
 	public AuthenticationHolder getByAuthentication(OAuth2Authentication a);
 	
-	public AuthenticationHolder removeById(Long id);
+	public void removeById(Long id);
 	
-	public AuthenticationHolder remove(AuthenticationHolder a);
+	public void remove(AuthenticationHolder a);
 	
 	public AuthenticationHolder save(AuthenticationHolder a);
 	

openid-connect-server/src/main/java/org/mitre/oauth2/repository/impl/JpaAuthenticationHolderRepository.java

@@ -0,0 +1,61 @@
+package org.mitre.oauth2.repository.impl;
+
+import javax.persistence.EntityManager;
+import javax.persistence.PersistenceContext;
+import javax.persistence.TypedQuery;
+
+import org.mitre.oauth2.model.AuthenticationHolder;
+import org.mitre.oauth2.repository.AuthenticationHolderRepository;
+import org.mitre.util.jpa.JpaUtil;
+import org.springframework.security.oauth2.provider.OAuth2Authentication;
+import org.springframework.stereotype.Repository;
+import org.springframework.transaction.annotation.Transactional;
+
+@Repository
+@Transactional
+public class JpaAuthenticationHolderRepository implements AuthenticationHolderRepository {
+
+	@PersistenceContext
+	private EntityManager manager;
+	
+	@Override
+	public AuthenticationHolder getById(Long id) {
+		return manager.find(AuthenticationHolder.class, id);
+	}
+
+	@Override
+	public AuthenticationHolder getByAuthentication(OAuth2Authentication a) {
+		TypedQuery<AuthenticationHolder> query = manager.createNamedQuery("AuthenticationHolder.getByAuthentication", AuthenticationHolder.class);
+		query.setParameter("authentication", a);
+		return JpaUtil.getSingleResult(query.getResultList());
+	}
+
+	@Override
+	@Transactional
+	public void removeById(Long id) {
+		AuthenticationHolder found = getById(id);
+		if (found != null) {
+			manager.remove(found);
+		} else {
+			throw new IllegalArgumentException("AuthenticationHolder not found: " + id);
+		}
+	}
+
+	@Override
+	@Transactional
+	public void remove(AuthenticationHolder a) {
+		AuthenticationHolder found = getById(a.getId());
+		if (found != null) {
+			manager.remove(found);
+		} else {
+			throw new IllegalArgumentException("AuthenticationHolder not found: " + a);
+		}
+	}
+
+	@Override
+	@Transactional
+	public AuthenticationHolder save(AuthenticationHolder a) {
+		return JpaUtil.saveOrUpdate(a.getId(), manager, a);
+	}
+
+}

openid-connect-server/src/main/java/org/mitre/oauth2/repository/impl/JpaOAuth2TokenRepository.java

@@ -52,7 +52,7 @@ public class JpaOAuth2TokenRepository implements OAuth2TokenRepository {
 	@Override
 	@Transactional
 	public OAuth2AccessTokenEntity saveAccessToken(OAuth2AccessTokenEntity token) {
-		return JpaUtil.saveOrUpdate(token.getValue(), manager, token);
+		return JpaUtil.saveOrUpdate(token.getId(), manager, token);
 	}
 	
 	@Override
@@ -92,7 +92,7 @@ public class JpaOAuth2TokenRepository implements OAuth2TokenRepository {
 	@Override
 	@Transactional
 	public OAuth2RefreshTokenEntity saveRefreshToken(OAuth2RefreshTokenEntity refreshToken) {
-		return JpaUtil.saveOrUpdate(refreshToken.getValue(), manager, refreshToken);
+		return JpaUtil.saveOrUpdate(refreshToken.getId(), manager, refreshToken);
 	}
 	
 	@Override

openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java

@@ -118,6 +118,9 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 			    	refreshToken.setScope(token.getScope());
 			    }
 
+			    //Add the authentication
+			    refreshToken.setAuthenticationHolder(authHolder);
+			    
 			    // save the token first so that we can set it to a member of the access token (NOTE: is this step necessary?)
 			    tokenRepository.saveRefreshToken(refreshToken);
 			    
@@ -149,6 +152,8 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 		
 		ClientDetailsEntity client = refreshToken.getClient();
 		
+		AuthenticationHolder authHolder = refreshToken.getAuthenticationHolder();
+		
 		//Make sure this client allows access token refreshing
 		if (!client.isAllowRefresh()) {
 			throw new InvalidClientException("Client does not allow refreshing access token!");
@@ -166,7 +171,7 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 		// TODO: have the option to recycle the refresh token here, too
 		// for now, we just reuse it as long as it's valid, which is the original intent
 
-		OAuth2AccessTokenEntity token = new OAuth2AccessTokenEntity(); //accessTokenFactory.createNewAccessToken();
+		OAuth2AccessTokenEntity token = new OAuth2AccessTokenEntity(); 
 
 		
 		if (scope != null && !scope.isEmpty()) { 
@@ -193,8 +198,9 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
     	
     	token.setRefreshToken(refreshToken);
     	
-    	// TODO: call the token enhancer on refresh, too
+    	token.setAuthenticationHolder(authHolder);
-    	//tokenEnhancer.enhance(token, refreshToken.get)
+
+    	tokenEnhancer.enhance(token, authHolder.getAuthentication());
     	
     	tokenRepository.saveAccessToken(token);