use of oidc.model.RefreshToken in project OpenConext-oidcng by OpenConext.
the class TokenController method convertToken.
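/**
 * Converts a stored token into the map rendered by the token overview.
 * <p>
 * Only tokens whose client is still registered get client, audience and scope
 * details; for an unknown client the map holds just the token id. The scopes
 * returned are restricted to those declared by the client's allowed resource
 * servers (the {@code openid} scope is dropped), so scope names that no longer
 * exist are never exposed.
 *
 * @param token the access or refresh token to render
 * @return a mutable map keyed by the field names used in the overview
 */
private Map<String, Object> convertToken(AccessToken token) {
    Map<String, Object> result = new HashMap<>();
    result.put("id", token.getId());
    Optional<OpenIDClient> optionalClient = openIDClientRepository.findOptionalByClientId(token.getClientId());
    if (!optionalClient.isPresent()) {
        // The client has been removed since the token was issued; expose only the id.
        return result;
    }
    OpenIDClient openIDClient = optionalClient.get();
    result.put("clientId", openIDClient.getClientId());
    result.put("clientName", openIDClient.getName());
    // Resolve the allowed resource servers, skipping ones that no longer exist.
    List<OpenIDClient> resourceServers = openIDClient.getAllowedResourceServers().stream()
            .map(openIDClientRepository::findOptionalByClientId)
            .filter(Optional::isPresent)
            .map(Optional::get)
            .collect(toList());
    // Materialize the names: a Stream instance put into the map would not serialize as an array.
    List<String> audiences = resourceServers.stream()
            .map(OpenIDClient::getName)
            .collect(toList());
    result.put("audiences", audiences);
    result.put("createdAt", token.getCreatedAt());
    result.put("expiresIn", token.getExpiresIn());
    result.put("type", token instanceof RefreshToken ? TokenType.REFRESH : TokenType.ACCESS);
    // Scopes known to any allowed resource server, keyed by name; distinctByKey guards the
    // toMap collector against duplicate names across resource servers (first occurrence wins).
    Map<String, Scope> allScopes = resourceServers.stream()
            .map(OpenIDClient::getScopes)
            .flatMap(List::stream)
            .filter(distinctByKey(Scope::getName))
            .collect(toMap(Scope::getName, s -> s));
    // Keep only the token's scopes that a resource server actually declares.
    List<Scope> scopes = token.getScopes().stream()
            .filter(name -> !name.equalsIgnoreCase("openid"))
            .map(allScopes::get)
            .filter(Objects::nonNull)
            .collect(toList());
    result.put("scopes", scopes);
    return result;
}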
use of oidc.model.RefreshToken in project OpenConext-oidcng by OpenConext.
the class RefreshTokenRepositoryTest method findByJwtId.
@Test
public void findByJwtId() {
    // Round-trip: a stored token must be retrievable by the jwt id it was stored with.
    String expectedJwtId = UUID.randomUUID().toString();
    subject.insert(refreshTokenWithValue(expectedJwtId));
    RefreshToken stored = subject.findByJwtId(expectedJwtId).get();
    assertEquals(expectedJwtId, stored.getJwtId());
}
use of oidc.model.RefreshToken in project OpenConext-oidcng by OpenConext.
the class TokenEndpoint method handleRefreshCodeGrant.
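/**
 * Handles the {@code refresh_token} grant: validates the presented refresh token,
 * revokes it together with the access token it was issued with, and issues a
 * fresh token pair for the same client and scopes.
 * <p>
 * Two storage formats are supported: legacy refresh tokens whose value is a plain
 * UUID, and current ones whose value is a signed JWT looked up by its jwt id. The
 * presented token is deleted before the new pair is generated, so a refresh token
 * can be redeemed only once.
 *
 * @param refreshTokenGrant the parsed grant carrying the refresh token value
 * @param client the authenticated client presenting the grant
 * @return the token endpoint response body with HTTP 200
 * @throws UnauthorizedException if the value is not a valid (stored) refresh token or has expired
 * @throws IllegalArgumentException if a JWT refresh token is not, or no longer, stored
 * @throws InvalidClientException if the token was issued to a different client
 * @throws java.text.ParseException if the JWT claims cannot be parsed
 */
private ResponseEntity handleRefreshCodeGrant(RefreshTokenGrant refreshTokenGrant, OpenIDClient client) throws java.text.ParseException {
    String refreshTokenValue = refreshTokenGrant.getRefreshToken().getValue();
    RefreshToken refreshToken;
    SignedJWT signedJWT = null;
    // Legacy refresh tokens are plain UUIDs; current ones are signed JWTs.
    boolean oldFormat = uuidPattern.matcher(refreshTokenValue).matches();
    if (oldFormat) {
        // Should the repository return null for an unknown value, fail as an authorization
        // error here rather than with a NullPointerException on the client check below.
        refreshToken = Optional.ofNullable(refreshTokenRepository.findByInnerValue(refreshTokenValue))
                .orElseThrow(() -> new UnauthorizedException("Invalid refresh_token value"));
    } else {
        Optional<SignedJWT> optionalSignedJWT = tokenGenerator.parseAndValidateSignedJWT(refreshTokenValue);
        signedJWT = optionalSignedJWT.orElseThrow(() -> new UnauthorizedException("Invalid refresh_token value"));
        String jwtId = signedJWT.getJWTClaimsSet().getJWTID();
        // A refresh token that was already redeemed (and therefore deleted below) ends up here too.
        // NOTE(review): confirm the exception handler maps this to an invalid_grant response.
        refreshToken = refreshTokenRepository.findByJwtId(jwtId).orElseThrow(() -> new IllegalArgumentException("RefreshToken not found"));
    }
    if (!refreshToken.getClientId().equals(client.getClientId())) {
        throw new InvalidClientException("Client is not authorized for the refresh token");
    }
    if (refreshToken.isExpired(Clock.systemDefaultZone())) {
        throw new UnauthorizedException("Refresh token expired");
    }
    // Single use: revoke the presented token before the new pair is issued.
    refreshTokenRepository.delete(refreshToken);
    // The linked access token may already have been removed by the cron cleanup, hence the Optional.
    Optional<AccessToken> accessToken;
    if (oldFormat) {
        accessToken = accessTokenRepository.findOptionalAccessTokenByValue(refreshToken.getAccessTokenValue());
    } else {
        accessToken = accessTokenRepository.findById(refreshToken.getAccessTokenId());
    }
    accessToken.ifPresent(accessTokenRepository::delete);
    // Client-credentials tokens carry no user; otherwise the user is decrypted from the
    // legacy access token value or from the refresh JWT itself.
    Optional<User> optionalUser;
    if (refreshToken.isClientCredentials()) {
        optionalUser = Optional.empty();
    } else if (oldFormat) {
        optionalUser = Optional.of(tokenGenerator.decryptAccessTokenWithEmbeddedUserInfo(refreshToken.getAccessTokenValue()));
    } else {
        optionalUser = Optional.of(tokenGenerator.decryptAccessTokenWithEmbeddedUserInfo(signedJWT));
    }
    Map<String, Object> body = tokenEndpointResponse(optionalUser, client, refreshToken.getScopes(), Collections.emptyList(), false, null, optionalUser.map(User::getUpdatedAt), Optional.empty());
    return new ResponseEntity<>(body, responseHttpHeaders, HttpStatus.OK);
}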
use of oidc.model.RefreshToken in project OpenConext-oidcng by OpenConext.
the class TokenEndpoint method tokenEndpointResponse.
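/**
 * Builds the token endpoint response body and persists the tokens it contains.
 * <p>
 * Always issues an access token; adds a refresh token when the client has the
 * {@code refresh_token} grant, and an id token for OpenID requests that are not
 * client credentials. The access token (and, if issued, the refresh token that
 * links to it) is stored before the body is returned.
 *
 * @param user the authenticated user, empty for client credentials
 * @param client the client the tokens are issued to
 * @param scopes the granted scopes
 * @param idTokenClaims additional claims to include in the id token
 * @param clientCredentials whether this is a client credentials grant (suppresses the id token)
 * @param nonce the nonce to echo in the id token, may be null
 * @param authorizationTime the authentication time for the id token, if known
 * @param authorizationCodeId id of the authorization code that produced the tokens, if any
 * @return an insertion-ordered map with the token endpoint response fields
 */
private Map<String, Object> tokenEndpointResponse(Optional<User> user, OpenIDClient client, List<String> scopes, List<String> idTokenClaims, boolean clientCredentials, String nonce, Optional<Long> authorizationTime, Optional<String> authorizationCodeId) {
    Map<String, Object> map = new LinkedHashMap<>();
    // orElseGet, not orElse: orElse evaluates its argument eagerly, so a client-only access token
    // would be generated and discarded on every request that does have a user.
    EncryptedTokenValue encryptedAccessToken = user
            .map(u -> tokenGenerator.generateAccessTokenWithEmbeddedUserInfo(u, client, scopes))
            .orElseGet(() -> tokenGenerator.generateAccessToken(client, scopes));
    String sub = user.map(User::getSub).orElse(client.getClientId());
    // Salted one-way hash of the user's name id; null for client credentials.
    String unspecifiedUrnHash = user.map(u -> KeyGenerator.oneWayHash(u.getUnspecifiedNameId(), this.salt)).orElse(null);
    AccessToken accessToken = new AccessToken(encryptedAccessToken.getJwtId(), sub, client.getClientId(), scopes, encryptedAccessToken.getKeyId(), accessTokenValidity(client), !user.isPresent(), authorizationCodeId.orElse(null), unspecifiedUrnHash);
    // The instance returned by insert is the one the refresh token is linked to.
    accessToken = accessTokenRepository.insert(accessToken);
    map.put("access_token", encryptedAccessToken.getValue());
    map.put("token_type", "Bearer");
    if (client.getGrants().contains(GrantType.REFRESH_TOKEN.getValue())) {
        // Same eager-evaluation concern as for the access token above.
        EncryptedTokenValue encryptedRefreshToken = user
                .map(u -> tokenGenerator.generateRefreshTokenWithEmbeddedUserInfo(u, client))
                .orElseGet(() -> tokenGenerator.generateRefreshToken(client));
        String refreshTokenValue = encryptedRefreshToken.getValue();
        refreshTokenRepository.insert(new RefreshToken(encryptedRefreshToken.getJwtId(), accessToken, refreshTokenValidity(client)));
        map.put("refresh_token", refreshTokenValue);
    }
    map.put("expires_in", client.getAccessTokenValidity());
    if (isOpenIDRequest(scopes) && !clientCredentials) {
        TokenValue tokenValue = tokenGenerator.generateIDTokenForTokenEndpoint(user, client, nonce, idTokenClaims, scopes, authorizationTime);
        map.put("id_token", tokenValue.getValue());
    }
    return map;
}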
use of oidc.model.RefreshToken in project OpenConext-oidcng by OpenConext.
the class KeyRolloverTest method rolloverSigningKeysWithRemainingRefreshTokens.
@Test
public void rolloverSigningKeysWithRemainingRefreshTokens() throws GeneralSecurityException, ParseException, IOException {
    resetAndCreateSigningKeys(3);
    final List<String> keysBefore = mongoTemplate.findAll(SigningKey.class).stream()
            .map(SigningKey::getKeyId)
            .sorted()
            .collect(toList());
    assertEquals(3, keysBefore.size());
    // Only the first key stays referenced: a single refresh token signed with it replaces all stored refresh tokens.
    String referencedKeyId = keysBefore.get(0);
    List<RefreshToken> remainingTokens = Arrays.asList(refreshToken(referencedKeyId));
    mongoTemplate.bulkOps(BulkOperations.BulkMode.ORDERED, RefreshToken.class)
            .remove(new Query())
            .insert(remainingTokens)
            .execute();
    new KeyRollover(tokenGenerator, mongoTemplate, true, sequenceRepository).rollover();
    List<String> keysAfter = mongoTemplate.findAll(SigningKey.class).stream()
            .map(SigningKey::getKeyId)
            .sorted()
            .collect(toList());
    // The rollover adds one fresh key and drops the two unreferenced ones, so two keys remain:
    // the referenced original and the new one.
    assertEquals(2, keysAfter.size());
    assertTrue(keysAfter.contains(referencedKeyId));
    assertFalse(keysAfter.contains(keysBefore.get(1)));
    assertFalse(keysAfter.contains(keysBefore.get(2)));
}