Examples with RefreshToken oidc.model.RefreshToken used on opensource projects

Example 1 with RefreshToken

use of oidc.model.RefreshToken in project OpenConext-oidcng by OpenConext.

the class TokenController method convertToken.

private Map<String, Object> convertToken(AccessToken token) {
    Map<String, Object> result = new HashMap<>();
    result.put("id", token.getId());
    Optional<OpenIDClient> optionalClient = openIDClientRepository.findOptionalByClientId(token.getClientId());
    if (!optionalClient.isPresent()) {
        return result;
    }
    OpenIDClient openIDClient = optionalClient.get();
    result.put("clientId", openIDClient.getClientId());
    result.put("clientName", openIDClient.getName());
    List<OpenIDClient> resourceServers = openIDClient.getAllowedResourceServers().stream().map(rs -> openIDClientRepository.findOptionalByClientId(rs)).filter(Optional::isPresent).map(Optional::get).collect(toList());
    result.put("audiences", resourceServers.stream().map(OpenIDClient::getName));
    result.put("createdAt", token.getCreatedAt());
    result.put("expiresIn", token.getExpiresIn());
    result.put("type", token instanceof RefreshToken ? TokenType.REFRESH : TokenType.ACCESS);
    Map<String, Scope> allScopes = resourceServers.stream().map(OpenIDClient::getScopes).flatMap(List::stream).filter(distinctByKey(Scope::getName)).collect(toMap(Scope::getName, s -> s));
    List<Scope> scopes = token.getScopes().stream().filter(name -> !name.equalsIgnoreCase("openid")).map(allScopes::get).filter(Objects::nonNull).collect(toList());
    result.put("scopes", scopes);
    return result;
}

Example 2 with RefreshToken

use of oidc.model.RefreshToken in project OpenConext-oidcng by OpenConext.

the class RefreshTokenRepositoryTest method findByJwtId.

@Test
public void findByJwtId() {
    String jwtId = UUID.randomUUID().toString();
    RefreshToken refreshToken = refreshTokenWithValue(jwtId);
    subject.insert(refreshToken);
    RefreshToken token = subject.findByJwtId(jwtId).get();
    assertEquals(jwtId, token.getJwtId());
}

Example 3 with RefreshToken

use of oidc.model.RefreshToken in project OpenConext-oidcng by OpenConext.

the class TokenEndpoint method handleRefreshCodeGrant.

private ResponseEntity handleRefreshCodeGrant(RefreshTokenGrant refreshTokenGrant, OpenIDClient client) throws java.text.ParseException {
    String refreshTokenValue = refreshTokenGrant.getRefreshToken().getValue();
    RefreshToken refreshToken;
    SignedJWT signedJWT = null;
    boolean oldFormat = uuidPattern.matcher(refreshTokenValue).matches();
    if (oldFormat) {
        // Old refreshToken
        refreshToken = refreshTokenRepository.findByInnerValue(refreshTokenValue);
    } else {
        Optional<SignedJWT> optionalSignedJWT = tokenGenerator.parseAndValidateSignedJWT(refreshTokenValue);
        signedJWT = optionalSignedJWT.orElseThrow(() -> new UnauthorizedException("Invalid refresh_token value"));
        String jwtId = signedJWT.getJWTClaimsSet().getJWTID();
        refreshToken = refreshTokenRepository.findByJwtId(jwtId).orElseThrow(() -> new IllegalArgumentException("RefreshToken not found"));
    }
    if (!refreshToken.getClientId().equals(client.getClientId())) {
        throw new InvalidClientException("Client is not authorized for the refresh token");
    }
    if (refreshToken.isExpired(Clock.systemDefaultZone())) {
        throw new UnauthorizedException("Refresh token expired");
    }
    // New tokens will be issued
    refreshTokenRepository.delete(refreshToken);
    // It is possible that the access token is already removed by cron cleanup actions
    Optional<AccessToken> accessToken;
    if (oldFormat) {
        // It is possible that the access token is already removed by cron cleanup actions
        accessToken = accessTokenRepository.findOptionalAccessTokenByValue(refreshToken.getAccessTokenValue());
    } else {
        accessToken = accessTokenRepository.findById(refreshToken.getAccessTokenId());
    }
    accessToken.ifPresent(accessTokenRepository::delete);
    Optional<User> optionalUser;
    if (refreshToken.isClientCredentials()) {
        optionalUser = Optional.empty();
    } else if (oldFormat) {
        optionalUser = Optional.of(tokenGenerator.decryptAccessTokenWithEmbeddedUserInfo(refreshToken.getAccessTokenValue()));
    } else {
        optionalUser = Optional.of(tokenGenerator.decryptAccessTokenWithEmbeddedUserInfo(signedJWT));
    }
    Map<String, Object> body = tokenEndpointResponse(optionalUser, client, refreshToken.getScopes(), Collections.emptyList(), false, null, optionalUser.map(User::getUpdatedAt), Optional.empty());
    return new ResponseEntity<>(body, responseHttpHeaders, HttpStatus.OK);
}

Example 4 with RefreshToken

use of oidc.model.RefreshToken in project OpenConext-oidcng by OpenConext.

the class TokenEndpoint method tokenEndpointResponse.

private Map<String, Object> tokenEndpointResponse(Optional<User> user, OpenIDClient client, List<String> scopes, List<String> idTokenClaims, boolean clientCredentials, String nonce, Optional<Long> authorizationTime, Optional<String> authorizationCodeId) {
    Map<String, Object> map = new LinkedHashMap<>();
    EncryptedTokenValue encryptedAccessToken = user.map(u -> tokenGenerator.generateAccessTokenWithEmbeddedUserInfo(u, client, scopes)).orElse(tokenGenerator.generateAccessToken(client, scopes));
    String sub = user.map(User::getSub).orElse(client.getClientId());
    String unspecifiedUrnHash = user.map(u -> KeyGenerator.oneWayHash(u.getUnspecifiedNameId(), this.salt)).orElse(null);
    AccessToken accessToken = new AccessToken(encryptedAccessToken.getJwtId(), sub, client.getClientId(), scopes, encryptedAccessToken.getKeyId(), accessTokenValidity(client), !user.isPresent(), authorizationCodeId.orElse(null), unspecifiedUrnHash);
    accessToken = accessTokenRepository.insert(accessToken);
    map.put("access_token", encryptedAccessToken.getValue());
    map.put("token_type", "Bearer");
    if (client.getGrants().contains(GrantType.REFRESH_TOKEN.getValue())) {
        EncryptedTokenValue encryptedRefreshToken = user.map(u -> tokenGenerator.generateRefreshTokenWithEmbeddedUserInfo(u, client)).orElse(tokenGenerator.generateRefreshToken(client));
        String refreshTokenValue = encryptedRefreshToken.getValue();
        refreshTokenRepository.insert(new RefreshToken(encryptedRefreshToken.getJwtId(), accessToken, refreshTokenValidity(client)));
        map.put("refresh_token", refreshTokenValue);
    }
    map.put("expires_in", client.getAccessTokenValidity());
    if (isOpenIDRequest(scopes) && !clientCredentials) {
        TokenValue tokenValue = tokenGenerator.generateIDTokenForTokenEndpoint(user, client, nonce, idTokenClaims, scopes, authorizationTime);
        map.put("id_token", tokenValue.getValue());
    }
    return map;
}

Example 5 with RefreshToken

use of oidc.model.RefreshToken in project OpenConext-oidcng by OpenConext.

the class KeyRolloverTest method rolloverSigningKeysWithRemainingRefreshTokens.

@Test
public void rolloverSigningKeysWithRemainingRefreshTokens() throws GeneralSecurityException, ParseException, IOException {
    resetAndCreateSigningKeys(3);
    final List<String> signingKeys = mongoTemplate.findAll(SigningKey.class).stream().map(SigningKey::getKeyId).sorted().collect(toList());
    assertEquals(3, signingKeys.size());
    List<RefreshToken> tokens = Arrays.asList(refreshToken(signingKeys.get(0)));
    mongoTemplate.bulkOps(BulkOperations.BulkMode.ORDERED, RefreshToken.class).remove(new Query()).insert(tokens).execute();
    KeyRollover keyRollover = new KeyRollover(tokenGenerator, mongoTemplate, true, sequenceRepository);
    keyRollover.rollover();
    List<String> keys = mongoTemplate.findAll(SigningKey.class).stream().map(SigningKey::getKeyId).sorted().collect(toList());
    // Because of the keyRollover there is a new signing key and two are removed, because no token references, hence 2 remain
    assertEquals(2, keys.size());
    assertTrue(keys.contains(signingKeys.get(0)));
    assertFalse(keys.contains(signingKeys.get(1)));
    assertFalse(keys.contains(signingKeys.get(2)));
}