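/**
 * Handles the {@code refresh_token} grant: validates the presented refresh token, revokes it
 * together with the access token it belongs to, and issues a fresh token set.
 *
 * <p>Two refresh-token formats are accepted: the legacy UUID format (looked up by its inner
 * value) and the signed-JWT format (signature validated first, then looked up by JWT id).
 * The refresh token is single-use: it is deleted before the new token set is created.
 *
 * @param refreshTokenGrant the parsed grant carrying the refresh token value
 * @param client            the authenticated client making the request
 * @return a 200 response whose body is the new token set
 * @throws UnauthorizedException    if the token cannot be parsed/validated, is unknown
 *                                  (legacy format) or has expired
 * @throws IllegalArgumentException if a JWT-format refresh token is unknown to the repository
 * @throws InvalidClientException   if the refresh token was issued to a different client
 * @throws java.text.ParseException if the JWT claims cannot be parsed
 */
private ResponseEntity handleRefreshCodeGrant(RefreshTokenGrant refreshTokenGrant, OpenIDClient client) throws java.text.ParseException {
    String refreshTokenValue = refreshTokenGrant.getRefreshToken().getValue();
    // Legacy refresh tokens are plain UUIDs; newer ones are signed JWTs.
    boolean oldFormat = uuidPattern.matcher(refreshTokenValue).matches();
    RefreshToken refreshToken;
    SignedJWT signedJWT = null;
    if (oldFormat) {
        refreshToken = refreshTokenRepository.findByInnerValue(refreshTokenValue);
        // findByInnerValue hands back the entity directly rather than an Optional; an unknown
        // legacy token would otherwise surface as a NullPointerException on the client check
        // below instead of a proper 401.
        if (refreshToken == null) {
            throw new UnauthorizedException("Invalid refresh_token value");
        }
    } else {
        // Signature/validity is checked before the repository is consulted.
        Optional<SignedJWT> optionalSignedJWT = tokenGenerator.parseAndValidateSignedJWT(refreshTokenValue);
        signedJWT = optionalSignedJWT.orElseThrow(() -> new UnauthorizedException("Invalid refresh_token value"));
        String jwtId = signedJWT.getJWTClaimsSet().getJWTID();
        refreshToken = refreshTokenRepository.findByJwtId(jwtId)
                .orElseThrow(() -> new IllegalArgumentException("RefreshToken not found"));
    }
    // A refresh token is bound to the client it was issued to.
    if (!refreshToken.getClientId().equals(client.getClientId())) {
        throw new InvalidClientException("Client is not authorized for the refresh token");
    }
    if (refreshToken.isExpired(Clock.systemDefaultZone())) {
        throw new UnauthorizedException("Refresh token expired");
    }
    // Rotation: the presented refresh token is revoked before new tokens are issued.
    refreshTokenRepository.delete(refreshToken);
    // The associated access token may already have been removed by cron cleanup actions,
    // so its absence is not an error.
    Optional<AccessToken> accessToken;
    if (oldFormat) {
        accessToken = accessTokenRepository.findOptionalAccessTokenByValue(refreshToken.getAccessTokenValue());
    } else {
        accessToken = accessTokenRepository.findById(refreshToken.getAccessTokenId());
    }
    accessToken.ifPresent(accessTokenRepository::delete);
    // Client-credentials tokens carry no user; otherwise the user is recovered from the
    // embedded user info (legacy: from the stored access token value, JWT: from the token itself).
    Optional<User> optionalUser;
    if (refreshToken.isClientCredentials()) {
        optionalUser = Optional.empty();
    } else if (oldFormat) {
        optionalUser = Optional.of(tokenGenerator.decryptAccessTokenWithEmbeddedUserInfo(refreshToken.getAccessTokenValue()));
    } else {
        optionalUser = Optional.of(tokenGenerator.decryptAccessTokenWithEmbeddedUserInfo(signedJWT));
    }
    Map<String, Object> body = tokenEndpointResponse(optionalUser, client, refreshToken.getScopes(), Collections.emptyList(), false, null, optionalUser.map(User::getUpdatedAt), Optional.empty());
    return new ResponseEntity<>(body, responseHttpHeaders, HttpStatus.OK);
}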
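/**
 * Builds the token endpoint response body and persists the tokens it issues.
 *
 * <p>Always issues (and stores) an access token; issues a refresh token only when the client
 * is allowed the {@code refresh_token} grant; issues an ID token only for OpenID-scoped,
 * non-client-credentials requests.
 *
 * @param user                the authenticated user, or empty for client-credentials flows
 * @param client              the client the tokens are issued to
 * @param scopes              granted scopes, recorded on the access token
 * @param idTokenClaims       extra claims to include in the ID token
 * @param clientCredentials   whether this is a client-credentials request (suppresses the ID token)
 * @param nonce               the nonce to echo in the ID token, may be null
 * @param authorizationTime   authentication time for the ID token, if known
 * @param authorizationCodeId id of the authorization code that was exchanged, if any
 * @return an insertion-ordered map of the response fields
 */
private Map<String, Object> tokenEndpointResponse(Optional<User> user, OpenIDClient client, List<String> scopes, List<String> idTokenClaims, boolean clientCredentials, String nonce, Optional<Long> authorizationTime, Optional<String> authorizationCodeId) {
    Map<String, Object> map = new LinkedHashMap<>();
    // orElseGet, not orElse: the user-less token must only be generated when there is no
    // user; otherwise a second, unused token is minted on every call.
    EncryptedTokenValue encryptedAccessToken = user
            .map(u -> tokenGenerator.generateAccessTokenWithEmbeddedUserInfo(u, client, scopes))
            .orElseGet(() -> tokenGenerator.generateAccessToken(client, scopes));
    String sub = user.map(User::getSub).orElse(client.getClientId());
    // Only a salted one-way hash of the unspecified name id is persisted, never the id itself.
    String unspecifiedUrnHash = user.map(u -> KeyGenerator.oneWayHash(u.getUnspecifiedNameId(), this.salt)).orElse(null);
    // NOTE(review): the stored clientCredentials flag is derived from user absence, while the
    // ID-token decision below uses the explicit parameter — confirm callers keep these aligned.
    AccessToken accessToken = new AccessToken(encryptedAccessToken.getJwtId(), sub, client.getClientId(), scopes, encryptedAccessToken.getKeyId(), accessTokenValidity(client), !user.isPresent(), authorizationCodeId.orElse(null), unspecifiedUrnHash);
    accessToken = accessTokenRepository.insert(accessToken);
    map.put("access_token", encryptedAccessToken.getValue());
    map.put("token_type", "Bearer");
    if (client.getGrants().contains(GrantType.REFRESH_TOKEN.getValue())) {
        // Same eager-evaluation concern as the access token above.
        EncryptedTokenValue encryptedRefreshToken = user
                .map(u -> tokenGenerator.generateRefreshTokenWithEmbeddedUserInfo(u, client))
                .orElseGet(() -> tokenGenerator.generateRefreshToken(client));
        // The refresh token is linked to the persisted access token so both can be revoked together.
        refreshTokenRepository.insert(new RefreshToken(encryptedRefreshToken.getJwtId(), accessToken, refreshTokenValidity(client)));
        map.put("refresh_token", encryptedRefreshToken.getValue());
    }
    map.put("expires_in", client.getAccessTokenValidity());
    if (isOpenIDRequest(scopes) && !clientCredentials) {
        TokenValue tokenValue = tokenGenerator.generateIDTokenForTokenEndpoint(user, client, nonce, idTokenClaims, scopes, authorizationTime);
        map.put("id_token", tokenValue.getValue());
    }
    return map;
}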
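/**
 * Serves the OpenID Connect UserInfo endpoint for a bearer access token.
 *
 * <p>The token must carry a valid signature, be known to this server (it may have been
 * revoked or cleaned up since issuance), be unexpired, and not be a client-credentials token.
 *
 * @param request the incoming servlet request carrying the bearer token
 * @return 200 with the user's claims sorted by name, or an error response for an unknown or
 *         expired token
 * @throws InvalidGrantException    if the token was issued via client credentials
 * @throws ParseException           if the UserInfo request cannot be parsed
 * @throws IOException              on request parsing failure
 * @throws java.text.ParseException if the JWT claims cannot be parsed
 */
private ResponseEntity<Map<String, Object>> userInfo(HttpServletRequest request) throws ParseException, IOException, java.text.ParseException {
    HTTPRequest httpRequest = ServletUtils.createHTTPRequest(request);
    UserInfoRequest userInfoRequest = UserInfoRequest.parse(httpRequest);
    String accessTokenValue = userInfoRequest.getAccessToken().getValue();
    // NOTE(review): the raw bearer token is placed in the MDC here; if MDC values reach log
    // output this records a live credential — consider logging only the JWT id resolved below.
    MDCContext.mdcContext("action", "Userinfo", "accessTokenValue", accessTokenValue);
    Optional<SignedJWT> optionalSignedJWT = tokenGenerator.parseAndValidateSignedJWT(accessTokenValue);
    if (!optionalSignedJWT.isPresent()) {
        return errorResponse("Access Token not found");
    }
    SignedJWT signedJWT = optionalSignedJWT.get();
    String jwtId = signedJWT.getJWTClaimsSet().getJWTID();
    // A valid signature alone is not enough: the token must still exist in the repository
    // (it is deleted on refresh and by cleanup actions).
    Optional<AccessToken> optionalAccessToken = accessTokenRepository.findByJwtId(jwtId);
    if (!optionalAccessToken.isPresent()) {
        return errorResponse("Access Token not found");
    }
    AccessToken accessToken = optionalAccessToken.get();
    if (accessToken.isExpired(Clock.systemDefaultZone())) {
        return errorResponse("Access Token expired");
    }
    if (accessToken.isClientCredentials()) {
        throw new InvalidGrantException("UserEndpoint not allowed for Client Credentials");
    }
    User user = tokenGenerator.decryptAccessTokenWithEmbeddedUserInfo(signedJWT);
    MDCContext.mdcContext(user);
    // Work on a sorted copy so the User's own attribute map is not mutated; the response is
    // the user's attributes plus the acr (space-separated), updated_at and sub claims.
    Map<String, Object> attributes = new TreeMap<>(user.getAttributes());
    List<String> acrClaims = user.getAcrClaims();
    if (!CollectionUtils.isEmpty(acrClaims)) {
        attributes.put("acr", String.join(" ", acrClaims));
    }
    attributes.put("updated_at", user.getUpdatedAt());
    attributes.put("sub", user.getSub());
    return ResponseEntity.ok(attributes);
}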