Use of oidc.exceptions.InvalidClientException in project OpenConext-oidcng by OpenConext:
the class TokenEndpoint, method handleRefreshCodeGrant.
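/**
 * Handles a {@code refresh_token} grant: looks up the presented refresh token, checks that it
 * belongs to the requesting client and has not expired, rotates it (the refresh token and its
 * linked access token are deleted) and issues a fresh token response.
 *
 * <p>Two refresh-token formats are accepted. An old-format token is a bare UUID and is looked up
 * by its inner value; any other value is treated as a signed JWT that is parsed and validated
 * before its JWT ID ({@code jti}) is used for the repository lookup.
 *
 * @param refreshTokenGrant the parsed grant carrying the presented refresh token
 * @param client the client authenticated for this token request
 * @return the token response body with HTTP 200
 * @throws UnauthorizedException if the JWT cannot be validated or the refresh token has expired
 * @throws IllegalArgumentException if no stored refresh token matches the presented value
 * @throws InvalidClientException if the refresh token was issued to a different client
 * @throws java.text.ParseException if the JWT claims set cannot be parsed
 */
private ResponseEntity handleRefreshCodeGrant(RefreshTokenGrant refreshTokenGrant, OpenIDClient client) throws java.text.ParseException {
    String refreshTokenValue = refreshTokenGrant.getRefreshToken().getValue();
    // Old-format refresh tokens are plain UUIDs; everything else must be a signed JWT.
    boolean oldFormat = uuidPattern.matcher(refreshTokenValue).matches();

    RefreshToken refreshToken;
    SignedJWT signedJWT = null;
    if (oldFormat) {
        refreshToken = refreshTokenRepository.findByInnerValue(refreshTokenValue);
        // This lookup yields a bare entity (unlike the JWT path, which yields an Optional), so an
        // unknown token value can only show up as null. Reject it explicitly here rather than
        // letting it surface as a NullPointerException on the client check below; the exception
        // type mirrors the JWT path so both formats fail the same way.
        if (refreshToken == null) {
            throw new IllegalArgumentException("RefreshToken not found");
        }
    } else {
        Optional<SignedJWT> optionalSignedJWT = tokenGenerator.parseAndValidateSignedJWT(refreshTokenValue);
        signedJWT = optionalSignedJWT.orElseThrow(() -> new UnauthorizedException("Invalid refresh_token value"));
        String jwtId = signedJWT.getJWTClaimsSet().getJWTID();
        refreshToken = refreshTokenRepository.findByJwtId(jwtId)
                .orElseThrow(() -> new IllegalArgumentException("RefreshToken not found"));
    }

    // Client binding: only the client the refresh token was issued to may redeem it.
    if (!refreshToken.getClientId().equals(client.getClientId())) {
        throw new InvalidClientException("Client is not authorized for the refresh token");
    }
    if (refreshToken.isExpired(Clock.systemDefaultZone())) {
        throw new UnauthorizedException("Refresh token expired");
    }

    // Rotation: the presented refresh token is consumed before new tokens are issued.
    refreshTokenRepository.delete(refreshToken);

    // The linked access token may already have been removed by cron cleanup actions, so its
    // absence is not an error.
    Optional<AccessToken> accessToken;
    if (oldFormat) {
        accessToken = accessTokenRepository.findOptionalAccessTokenByValue(refreshToken.getAccessTokenValue());
    } else {
        accessToken = accessTokenRepository.findById(refreshToken.getAccessTokenId());
    }
    accessToken.ifPresent(accessTokenRepository::delete);

    // Client-credentials tokens carry no user; otherwise the user is recovered from the
    // embedded user info of the old access token value or of the refresh-token JWT.
    Optional<User> optionalUser;
    if (refreshToken.isClientCredentials()) {
        optionalUser = Optional.empty();
    } else if (oldFormat) {
        optionalUser = Optional.of(tokenGenerator.decryptAccessTokenWithEmbeddedUserInfo(refreshToken.getAccessTokenValue()));
    } else {
        optionalUser = Optional.of(tokenGenerator.decryptAccessTokenWithEmbeddedUserInfo(signedJWT));
    }

    Map<String, Object> body = tokenEndpointResponse(optionalUser, client, refreshToken.getScopes(), Collections.emptyList(), false, null, optionalUser.map(User::getUpdatedAt), Optional.empty());
    return new ResponseEntity<>(body, responseHttpHeaders, HttpStatus.OK);
}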