06053a3b
Verified
Commit
06053a3b
authored
1 year ago
by
Dominik Frantisek Bucik
fix:
fix refresh auds for tokens via token exchange granter
parent
6f87a32e
1 merge request
!373
fix: 🐛 fix refresh auds for tokens via token exchange granter
Pipeline
#394347
passed
1 year ago
Stage: .pre
Stage: build
Stage: test
Showing
1 changed file
perun-oidc-server/src/main/java/cz/muni/ics/oauth2/token/exchange/OAuthTokenExchangeGranter.java
+23
-14
23 additions, 14 deletions
.../ics/oauth2/token/exchange/OAuthTokenExchangeGranter.java
with
23 additions
and
14 deletions
perun-oidc-server/src/main/java/cz/muni/ics/oauth2/token/exchange/OAuthTokenExchangeGranter.java
+
23
−
14
...
@@ -154,16 +154,6 @@ public class OAuthTokenExchangeGranter extends BaseTokenExchangeGranter {
...
@@ -154,16 +154,6 @@ public class OAuthTokenExchangeGranter extends BaseTokenExchangeGranter {
authenticationHolder
=
authenticationHolderRepository
.
save
(
authenticationHolder
);
authenticationHolder
=
authenticationHolderRepository
.
save
(
authenticationHolder
);
token
.
setAuthenticationHolder
(
authenticationHolder
);
token
.
setAuthenticationHolder
(
authenticationHolder
);
// attach a refresh token, if this client is allowed to request them and the user gets the offline scope
if
(
token
.
getScope
().
contains
(
OFFLINE_ACCESS
))
{
if
(
client
.
isAllowRefresh
())
{
OAuth2RefreshTokenEntity
savedRefreshToken
=
createRefreshToken
(
client
,
token
.
getAuthenticationHolder
());
token
.
setRefreshToken
(
savedRefreshToken
);
}
else
{
throw
new
InvalidScopeException
(
"Not authorized to request "
+
OFFLINE_ACCESS
);
}
}
//Add approved site reference, if any
//Add approved site reference, if any
OAuth2Request
originalAuthRequest
=
subjectToken
.
getAuthenticationHolder
().
getAuthentication
().
getOAuth2Request
();
OAuth2Request
originalAuthRequest
=
subjectToken
.
getAuthenticationHolder
().
getAuthentication
().
getOAuth2Request
();
if
(
originalAuthRequest
.
getExtensions
()
!=
null
&&
originalAuthRequest
.
getExtensions
().
containsKey
(
"approved_site"
))
{
if
(
originalAuthRequest
.
getExtensions
()
!=
null
&&
originalAuthRequest
.
getExtensions
().
containsKey
(
"approved_site"
))
{
...
@@ -199,6 +189,16 @@ public class OAuthTokenExchangeGranter extends BaseTokenExchangeGranter {
...
@@ -199,6 +189,16 @@ public class OAuthTokenExchangeGranter extends BaseTokenExchangeGranter {
audiences
.
add
(
client
.
getClientId
());
audiences
.
add
(
client
.
getClientId
());
}
}
// attach a refresh token, if this client is allowed to request them and the user gets the offline scope
if
(
token
.
getScope
().
contains
(
OFFLINE_ACCESS
))
{
if
(
client
.
isAllowRefresh
())
{
OAuth2RefreshTokenEntity
savedRefreshToken
=
createRefreshToken
(
client
,
token
.
getAuthenticationHolder
(),
audiences
);
token
.
setRefreshToken
(
savedRefreshToken
);
}
else
{
throw
new
InvalidScopeException
(
"Not authorized to request "
+
OFFLINE_ACCESS
);
}
}
JWTClaimsSet
originalJwtClaims
;
JWTClaimsSet
originalJwtClaims
;
try
{
try
{
originalJwtClaims
=
subjectToken
.
getJwtValue
().
getJWTClaimsSet
();
originalJwtClaims
=
subjectToken
.
getJwtValue
().
getJWTClaimsSet
();
...
@@ -250,7 +250,11 @@ public class OAuthTokenExchangeGranter extends BaseTokenExchangeGranter {
...
@@ -250,7 +250,11 @@ public class OAuthTokenExchangeGranter extends BaseTokenExchangeGranter {
return
true
;
return
true
;
}
}
private
OAuth2RefreshTokenEntity
createRefreshToken
(
ClientDetailsEntity
client
,
AuthenticationHolderEntity
authHolder
)
{
private
OAuth2RefreshTokenEntity
createRefreshToken
(
ClientDetailsEntity
client
,
AuthenticationHolderEntity
authHolder
,
Set
<
String
>
resources
)
{
OAuth2RefreshTokenEntity
refreshToken
=
new
OAuth2RefreshTokenEntity
();
OAuth2RefreshTokenEntity
refreshToken
=
new
OAuth2RefreshTokenEntity
();
JWTClaimsSet
.
Builder
refreshClaims
=
new
JWTClaimsSet
.
Builder
();
JWTClaimsSet
.
Builder
refreshClaims
=
new
JWTClaimsSet
.
Builder
();
...
@@ -265,11 +269,16 @@ public class OAuthTokenExchangeGranter extends BaseTokenExchangeGranter {
...
@@ -265,11 +269,16 @@ public class OAuthTokenExchangeGranter extends BaseTokenExchangeGranter {
refreshClaims
.
jwtID
(
UUID
.
randomUUID
().
toString
());
refreshClaims
.
jwtID
(
UUID
.
randomUUID
().
toString
());
refreshClaims
.
issuer
(
config
.
getConfigBean
().
getIssuer
());
refreshClaims
.
issuer
(
config
.
getConfigBean
().
getIssuer
());
String
audience
=
client
.
getClientId
();
if
(
resources
==
null
||
resources
.
isEmpty
())
{
if
(!
Strings
.
isNullOrEmpty
(
audience
))
{
String
audience
=
client
.
getClientId
();
refreshClaims
.
audience
(
Lists
.
newArrayList
(
audience
));
if
(!
Strings
.
isNullOrEmpty
(
audience
))
{
refreshClaims
.
audience
(
Lists
.
newArrayList
(
audience
));
}
}
else
{
refreshClaims
.
audience
(
Lists
.
newArrayList
(
resources
));
}
}
JWTClaimsSet
claims
=
refreshClaims
.
build
();
JWTClaimsSet
claims
=
refreshClaims
.
build
();
JWSAlgorithm
signingAlg
=
jwtService
.
getDefaultSigningAlgorithm
();
JWSAlgorithm
signingAlg
=
jwtService
.
getDefaultSigningAlgorithm
();
JWSHeader
header
=
new
JWSHeader
(
signingAlg
,
JOSEObjectType
.
JWT
,
null
,
null
,
null
,
null
,
null
,
null
,
null
,
null
,
JWSHeader
header
=
new
JWSHeader
(
signingAlg
,
JOSEObjectType
.
JWT
,
null
,
null
,
null
,
null
,
null
,
null
,
null
,
null
,
...
...
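Review bot: In the createRefreshToken hunk, the new non-empty `resources` branch copies the set straight into the `aud` claim with `Lists.newArrayList(resources)`, while the client-id branch still guards with `Strings.isNullOrEmpty`; a null or blank entry in the set therefore lands in the refresh token's audience unfiltered. Consider applying the same filter, e.g. `refreshClaims.audience(resources.stream().filter(s -> !Strings.isNullOrEmpty(s)).collect(Collectors.toList()));`. The new parameter is also undocumented; a Javadoc line such as `@param resources audiences already authorized for this exchange; when null or empty the requesting client's id is used` would make explicit that the caller, not this method, is responsible for having validated the set (that validation is presumably done where `audiences` is built, which is outside the visible hunks). The remainder of createRefreshToken, including the claim signing, is collapsed and outside the hunk.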
Perun-GitLab Service Account
@9045464
mentioned in commit
bd4d446a
·
1 year ago
mentioned in commit
bd4d446a
mentioned in commit bd4d446ab5f90b343113b979b137d3555e9bb1b0