Use of org.apereo.cas.ticket.refreshtoken.OAuth20RefreshToken in project cas by apereo: class OAuth20DefaultTokenGenerator, method updateOAuthCode.
/**
 * Records the newly issued access token against the grant that produced it.
 * <p>
 * For a refresh-token grant, the access token id is appended to the refresh
 * token's list of issued access tokens and the refresh token is persisted.
 * For an authorization-code grant, the code ticket's state is updated first;
 * the code is then deleted from the registry if that update left it expired
 * and persisted otherwise, and the owning ticket-granting ticket is persisted
 * as well. Any other kind of grant leaves the registry untouched.
 * <p>
 * NOTE(review): the expire-after-update path looks like what makes an
 * authorization code single-use (RFC 6749 §4.1.2 requires a code to be
 * usable only once) — confirm against the code's expiration policy.
 *
 * @param holder      the access token request context describing the grant
 * @param accessToken the access token that was just generated
 * @throws Exception if a ticket registry operation fails
 */
protected void updateOAuthCode(final AccessTokenRequestContext holder, final OAuth20AccessToken accessToken) throws Exception {
    val cas = this.centralAuthenticationService;

    if (holder.isRefreshToken()) {
        val refreshToken = (OAuth20RefreshToken) holder.getToken();
        // Link the new access token to the refresh token that minted it so
        // revoking the refresh token can later reach its access tokens.
        refreshToken.getAccessTokens().add(accessToken.getId());
        cas.updateTicket(refreshToken);
        return;
    }

    if (!holder.isCodeToken()) {
        return;
    }

    val code = holder.getToken();
    // Advance the code's usage state before deciding whether it is still live.
    Ticket.class.cast(code).update();
    if (code.isExpired()) {
        cas.deleteTicket(code.getId());
    } else {
        cas.updateTicket(code);
    }
    cas.updateTicket(holder.getTicketGrantingTicket());
}
Use of org.apereo.cas.ticket.refreshtoken.OAuth20RefreshToken in project cas by apereo: class OAuth20RefreshTokenGrantTypeTokenRequestValidator, method validateInternal.
/**
 * Validates a {@code refresh_token} grant request.
 * <p>
 * The request is accepted only when all of the following hold: a
 * {@code refresh_token} parameter and a client id are present, the refresh
 * token resolves to a live {@link OAuth20RefreshToken} in the registry, the
 * registered service for the client passes the access-strategy enforcer,
 * the service allows this grant type, and the refresh token was issued to
 * the requesting client. Failing the enforcer raises its exception; every
 * other failure returns {@code false}.
 * <p>
 * NOTE(review): the client-id ownership check is case-insensitive here,
 * whereas the revocation endpoint compares client ids case-sensitively —
 * confirm which is intended before relying on either. The ticket lookup is
 * assumed to throw for expired tokens as well as unknown ones; verify.
 *
 * @param context   the web context carrying the token request
 * @param grantType the requested grant type
 * @param manager   the profile manager
 * @param uProfile  the user profile
 * @return {@code true} if the request passes every check above
 */
@Override
protected boolean validateInternal(final WebContext context, final String grantType, final ProfileManager manager, final UserProfile uProfile) {
    val ctx = getConfigurationContext();
    val clientId = OAuth20Utils.getClientIdAndClientSecret(context, ctx.getSessionStore()).getLeft();
    val tokenParam = OAuth20Utils.getRequestParameter(context, OAuth20Constants.REFRESH_TOKEN);
    if (tokenParam.isEmpty() || clientId.isEmpty()) {
        return false;
    }

    val tokenId = tokenParam.get();
    final OAuth20RefreshToken refreshToken;
    try {
        refreshToken = ctx.getCentralAuthenticationService().getTicket(tokenId, OAuth20RefreshToken.class);
        LOGGER.trace("Found valid refresh token [{}] in the registry", refreshToken);
    } catch (final InvalidTicketException e) {
        // Unknown or expired token: the submitted value is logged as-is here.
        LOGGER.warn("Provided refresh token [{}] cannot be found in the registry or has expired", tokenId);
        return false;
    }

    LOGGER.debug("Received grant type [{}] with client id [{}]", grantType, clientId);
    val registeredService = OAuth20Utils.getRegisteredOAuthServiceByClientId(ctx.getServicesManager(), clientId);
    val audit = AuditableContext.builder().registeredService(registeredService).build();
    // The enforcer decides whether this service may be used at all; it throws rather than returning.
    ctx.getRegisteredServiceAccessStrategyEnforcer().execute(audit).throwExceptionIfNeeded();

    if (!isGrantTypeSupportedBy(registeredService, grantType)) {
        LOGGER.warn("Requested grant type [{}] is not authorized by service definition [{}]", getGrantType(), Objects.requireNonNull(registeredService).getServiceId());
        return false;
    }

    // A refresh token must only be redeemed by the client it was issued to.
    if (!StringUtils.equalsIgnoreCase(refreshToken.getClientId(), clientId)) {
        LOGGER.warn("Provided refresh token [{}] does not belong to client [{}]", refreshToken.getId(), clientId);
        return false;
    }
    return true;
}
Use of org.apereo.cas.ticket.refreshtoken.OAuth20RefreshToken in project cas by apereo: class AbstractOAuth20Tests, method assertRefreshTokenOk.
/**
 * Drives the access-token endpoint with a {@code refresh_token} grant for
 * {@code refreshToken} and asserts the response is well formed.
 * <p>
 * Checks performed: HTTP 200, an {@code access_token} and {@code expires_in}
 * in the model, a {@code refresh_token} in the model when the service
 * generates refresh tokens, and — when the service renews refresh tokens —
 * that the old refresh token has been removed from the registry (i.e. the
 * rotated token is no longer redeemable). The issued access token must
 * carry {@code principal}, and its remaining lifetime must be at least
 * {@code TIMEOUT - 10 - DELTA} seconds.
 * <p>
 * NOTE(review): when the service renews but does not generate refresh
 * tokens, the model lookup for the new refresh token is not guarded —
 * presumably that configuration never occurs in these tests; confirm.
 *
 * @param service      the registered OAuth service under test
 * @param refreshToken the refresh token to redeem
 * @param principal    the principal expected on the issued access token
 * @return the issued access token and the refresh token now in effect
 *         (the renewed one when the service rotates, otherwise the input)
 * @throws Exception if the controller or interceptor fails
 */
protected Pair<OAuth20AccessToken, OAuth20RefreshToken> assertRefreshTokenOk(final OAuthRegisteredService service, final OAuth20RefreshToken refreshToken, final Principal principal) throws Exception {
    val request = new MockHttpServletRequest(HttpMethod.GET.name(), CONTEXT + OAuth20Constants.ACCESS_TOKEN_URL);
    request.setParameter(OAuth20Constants.GRANT_TYPE, OAuth20GrantTypes.REFRESH_TOKEN.name().toLowerCase());
    request.setParameter(OAuth20Constants.CLIENT_ID, CLIENT_ID);
    request.setParameter(OAuth20Constants.CLIENT_SECRET, CLIENT_SECRET);
    request.setParameter(OAuth20Constants.REFRESH_TOKEN, refreshToken.getId());

    val response = new MockHttpServletResponse();
    requiresAuthenticationInterceptor.preHandle(request, response, null);
    val mv = accessTokenController.handleRequest(request, response);
    assertEquals(HttpStatus.SC_OK, response.getStatus());

    val model = mv.getModel();
    assertTrue(model.containsKey(OAuth20Constants.ACCESS_TOKEN));

    val renews = service.isRenewRefreshToken();
    if (service.isGenerateRefreshToken()) {
        assertTrue(model.containsKey(OAuth20Constants.REFRESH_TOKEN));
        if (renews) {
            // Rotation must invalidate the token that was just redeemed.
            assertNull(this.ticketRegistry.getTicket(refreshToken.getId()));
        }
    }

    OAuth20RefreshToken effectiveRefreshToken = refreshToken;
    if (renews) {
        val renewedId = model.get(OAuth20Constants.REFRESH_TOKEN).toString();
        effectiveRefreshToken = ticketRegistry.getTicket(renewedId, OAuth20RefreshToken.class);
    }

    assertTrue(model.containsKey(OAuth20Constants.EXPIRES_IN));
    val accessTokenId = model.get(OAuth20Constants.ACCESS_TOKEN).toString();
    val accessToken = this.ticketRegistry.getTicket(accessTokenId, OAuth20AccessToken.class);
    assertEquals(principal, accessToken.getAuthentication().getPrincipal());

    val expiresIn = Integer.parseInt(model.get(OAuth20Constants.EXPIRES_IN).toString());
    assertTrue(expiresIn >= TIMEOUT - 10 - DELTA);

    return Pair.of(accessToken, effectiveRefreshToken);
}
Use of org.apereo.cas.ticket.refreshtoken.OAuth20RefreshToken in project cas by apereo: class OAuth20RevocationEndpointController, method generateRevocationResponse.
/**
 * Revokes {@code token} on behalf of {@code clientId} and builds the
 * revocation response.
 * <p>
 * Outcomes: a token that is absent from the registry is logged and still
 * answered with HTTP 200 (RFC 7009 §2.1 asks for 200 on invalid tokens); a
 * token that is neither a refresh nor an access token, or that was not
 * issued to {@code clientId}, is answered with an {@code invalid_request}
 * error; otherwise the token is revoked — through the refresh-token overload
 * for refresh tokens, by id for access tokens — and HTTP 200 is returned.
 * <p>
 * NOTE(review): because unknown tokens get 200 while foreign or
 * unsupported-type tokens get an error, a client can tell whether a guessed
 * string is a live token belonging to someone else. Consider whether the
 * three non-success cases should be indistinguishable to the caller.
 * Whether the registry lookup already filters expired tickets is not
 * visible here — confirm.
 *
 * @param token    the token to revoke
 * @param clientId the client requesting the revocation
 * @param response the servlet response used for error output
 * @return a JSON model-and-view with status 200 on success or on an unknown
 *         token, otherwise the error view written by {@link OAuth20Utils}
 * @throws Exception if revocation or error writing fails
 */
protected ModelAndView generateRevocationResponse(final String token, final String clientId, final HttpServletResponse response) throws Exception {
    val stored = getConfigurationContext().getTicketRegistry().getTicket(token, OAuth20Token.class);

    if (stored == null) {
        LOGGER.error("Provided token [{}] has not been found in the ticket registry", token);
    } else {
        val refresh = isRefreshToken(stored);
        if (!refresh && !isAccessToken(stored)) {
            LOGGER.error("Provided token [{}] is either not a refresh token or not an access token", token);
            return OAuth20Utils.writeError(response, OAuth20Constants.INVALID_REQUEST);
        }
        // Only the client the token was issued to may revoke it (case-sensitive, null-safe compare).
        if (!StringUtils.equals(clientId, stored.getClientId())) {
            LOGGER.warn("Provided token [{}] has not been issued for the service [{}]", token, clientId);
            return OAuth20Utils.writeError(response, OAuth20Constants.INVALID_REQUEST);
        }
        if (refresh) {
            revokeToken((OAuth20RefreshToken) stored);
        } else {
            revokeToken(stored.getId());
        }
    }

    val result = new ModelAndView(new MappingJackson2JsonView());
    result.setStatus(HttpStatus.OK);
    return result;
}