fix: remove addit. info. (aud, resource) from token responses

0e0996d2 · Dominik Frantisek Bucik · bd4d446a · 0e0996d2 · 0e0996d2
Verified Commit 0e0996d2 authored 1 year ago by Dominik Frantisek Bucik
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
@@ -253,6 +253,8 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 			token.setApprovedSite(ap);
 		}

+		Set<String> aud = new HashSet<>();
+		aud.add(client.getClientId());
 		if (originalAuthRequest.getResourceIds() != null && !originalAuthRequest.getResourceIds().isEmpty()) {
 			if (!clientDetailsService.checkResourceIdsAreAllowedForClient(
 					client.getClientId(), originalAuthRequest.getResourceIds())
@@ -266,17 +268,15 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 				resourceIds.add(client.getClientId());
 				token.getAdditionalInformation().put(RESOURCE, resourceIds);
 			}
+			aud.addAll(originalAuthRequest.getResourceIds());
 		}
+		token.getAdditionalInformation().put(RESOURCE, aud);

 		OAuth2AccessTokenEntity enhancedToken = (OAuth2AccessTokenEntity) tokenEnhancer.enhance(token, authentication);

 		// attach a refresh token, if this client is allowed to request them and the user gets the offline scope
 		if (client.isAllowRefresh() && token.getScope().contains(SystemScopeService.OFFLINE_ACCESS)) {
-			OAuth2RefreshTokenEntity savedRefreshToken = createRefreshToken(
-					client,
-					authHolder,
-					(Set<String>) token.getAdditionalInformation().getOrDefault(RESOURCE, new HashSet<>())
-			);
+			OAuth2RefreshTokenEntity savedRefreshToken = createRefreshToken(client, authHolder, aud);
 			token.setRefreshToken(savedRefreshToken);
 		}

@@ -306,13 +306,12 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 		refreshClaims.jwtID(UUID.randomUUID().toString());
 		refreshClaims.issuer(configBean.getIssuer());
 		if (resources == null || resources.isEmpty()) {
-			String audience = client.getClientId();
-			if (!Strings.isNullOrEmpty(audience)) {
-				refreshClaims.audience(Lists.newArrayList(audience));
-			}
-		} else {
-			refreshClaims.audience(new ArrayList<>(resources));
+			resources = new HashSet<>();
+		}
+		if (!Strings.isNullOrEmpty(client.getClientId())) {
+			resources.add(client.getClientId());
 		}
+		refreshClaims.audience(Lists.newArrayList(resources));

 		JWTClaimsSet claims = refreshClaims.build();

@@ -417,7 +416,9 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 			token.setExpiration(expiration);
 		}

-		Set<String> resources = new HashSet<>();
+		Set<String> aud = new HashSet<>();
+		aud.add(client.getClientId());
+
 		if (refreshToken.getJwt() != null) {
 			JWTClaimsSet claimsSet;
 			try {
@@ -428,21 +429,20 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 			if (claimsSet != null) {
 				List<String> audience = claimsSet.getAudience();
 				if (audience != null && !audience.isEmpty()) {
-					resources = new HashSet<>(audience);
-					token.getAdditionalInformation().put(AUD, audience.get(0));
-					if (audience.size() > 1) {
-						token.getAdditionalInformation().put(RESOURCE, resources);
-					}
+					aud.addAll(audience);
 				}
 			}
 		}

+		token.getAdditionalInformation().put(AUD, aud);
+		token.getAdditionalInformation().put(RESOURCE, aud);
+
 		if (client.isReuseRefreshToken()) {
 			// if the client re-uses refresh tokens, do that
 			token.setRefreshToken(refreshToken);
 		} else {
 			// otherwise, make a new refresh token
-			OAuth2RefreshTokenEntity newRefresh = createRefreshToken(client, authHolder, resources);
+			OAuth2RefreshTokenEntity newRefresh = createRefreshToken(client, authHolder, aud);
 			token.setRefreshToken(newRefresh);

 			// clean up the old refresh token

--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/PerunAccessTokenEnhancer.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/PerunAccessTokenEnhancer.java
@@ -33,11 +33,11 @@ import java.util.Set;
 import java.util.UUID;

 import static cz.muni.ics.oauth2.service.IntrospectionResultAssembler.ACR;
-import static cz.muni.ics.oauth2.service.IntrospectionResultAssembler.AUD;
 import static cz.muni.ics.oauth2.service.IntrospectionResultAssembler.AUTH_TIME;
 import static cz.muni.ics.oauth2.service.IntrospectionResultAssembler.CLIENT_ID;
 import static cz.muni.ics.oauth2.service.IntrospectionResultAssembler.SCOPE;
 import static cz.muni.ics.oauth2.service.IntrospectionResultAssembler.SCOPE_SEPARATOR;
+import static cz.muni.ics.openid.connect.request.ConnectRequestParameters.AUD;
 import static cz.muni.ics.openid.connect.request.ConnectRequestParameters.RESOURCE;

 /**
@@ -104,7 +104,9 @@ public class PerunAccessTokenEnhancer implements TokenEnhancer {
        audience.add(client.getClientId());
        if (token.getAdditionalInformation().containsKey(RESOURCE)) {
            audience.addAll((Set<String>) token.getAdditionalInformation().getOrDefault(RESOURCE, new HashSet<>()));
+            token.getAdditionalInformation().remove(RESOURCE);
        }
+
        String audExtension = (String) authentication.getOAuth2Request().getExtensions().getOrDefault(AUD, null);
        if (StringUtils.hasText(audExtension)) {
            audience.add(audExtension);