chore: merge branch 'fix_refresh_audience' into 'main'

fix: fix refresh auds for tokens via token exchange granter See merge request !373

chore: merge branch 'fix_refresh_audience' into 'main'
44f6911d · Dominik František Bučík · 52bb1c95 · 06053a3b · 44f6911d
Commit 44f6911d authored 1 year ago by Dominik František Bučík
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/token/exchange/OAuthTokenExchangeGranter.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/token/exchange/OAuthTokenExchangeGranter.java
@@ -154,16 +154,6 @@ public class OAuthTokenExchangeGranter extends BaseTokenExchangeGranter {
 		authenticationHolder = authenticationHolderRepository.save(authenticationHolder);
 		token.setAuthenticationHolder(authenticationHolder);
-		// attach a refresh token, if this client is allowed to request them and the user gets the offline scope
-		if (token.getScope().contains(OFFLINE_ACCESS)) {
-			if (client.isAllowRefresh()) {
-				OAuth2RefreshTokenEntity savedRefreshToken = createRefreshToken(client, token.getAuthenticationHolder());
-				token.setRefreshToken(savedRefreshToken);
-			} else {
-				throw new InvalidScopeException("Not authorized to request " + OFFLINE_ACCESS);
-			}
-		}
 		//Add approved site reference, if any
 		OAuth2Request originalAuthRequest = subjectToken.getAuthenticationHolder().getAuthentication().getOAuth2Request();
 		if (originalAuthRequest.getExtensions() != null && originalAuthRequest.getExtensions().containsKey("approved_site")) {
@@ -199,6 +189,16 @@ public class OAuthTokenExchangeGranter extends BaseTokenExchangeGranter {
 			audiences.add(client.getClientId());
 		}
+		// attach a refresh token, if this client is allowed to request them and the user gets the offline scope
+		if (token.getScope().contains(OFFLINE_ACCESS)) {
+			if (client.isAllowRefresh()) {
+				OAuth2RefreshTokenEntity savedRefreshToken = createRefreshToken(client, token.getAuthenticationHolder(), audiences);
+				token.setRefreshToken(savedRefreshToken);
+			} else {
+				throw new InvalidScopeException("Not authorized to request " + OFFLINE_ACCESS);
+			}
+		}
 		JWTClaimsSet originalJwtClaims;
 		try {
 			originalJwtClaims = subjectToken.getJwtValue().getJWTClaimsSet();
@@ -250,7 +250,11 @@ public class OAuthTokenExchangeGranter extends BaseTokenExchangeGranter {
 		return true;
 	}
-	private OAuth2RefreshTokenEntity createRefreshToken(ClientDetailsEntity client, AuthenticationHolderEntity authHolder) {
+	private OAuth2RefreshTokenEntity createRefreshToken(
+			ClientDetailsEntity client,
+			AuthenticationHolderEntity authHolder,
+			Set<String> resources
+	) {
 		OAuth2RefreshTokenEntity refreshToken = new OAuth2RefreshTokenEntity();
 		JWTClaimsSet.Builder refreshClaims = new JWTClaimsSet.Builder();
@@ -265,11 +269,16 @@ public class OAuthTokenExchangeGranter extends BaseTokenExchangeGranter {
 		refreshClaims.jwtID(UUID.randomUUID().toString());
 		refreshClaims.issuer(config.getConfigBean().getIssuer());
-		String audience = client.getClientId();
+		if (resources == null || resources.isEmpty()) {
-		if (!Strings.isNullOrEmpty(audience)) {
+			String audience = client.getClientId();
-			refreshClaims.audience(Lists.newArrayList(audience));
+			if (!Strings.isNullOrEmpty(audience)) {
+				refreshClaims.audience(Lists.newArrayList(audience));
+			}
+		} else {
+			refreshClaims.audience(Lists.newArrayList(resources));
 		}
 		JWTClaimsSet claims = refreshClaims.build();
 		JWSAlgorithm signingAlg = jwtService.getDefaultSigningAlgorithm();
 		JWSHeader header = new JWSHeader(signingAlg, JOSEObjectType.JWT, null, null, null, null, null, null, null, null,