fix: fix refresh auds for tokens via token exchange granter

06053a3b · Dominik Frantisek Bucik · 6f87a32e · 06053a3b
Verified Commit 06053a3b authored 1 year ago by Dominik Frantisek Bucik
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/token/exchange/OAuthTokenExchangeGranter.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/token/exchange/OAuthTokenExchangeGranter.java
@@ -154,16 +154,6 @@ public class OAuthTokenExchangeGranter extends BaseTokenExchangeGranter {
 		authenticationHolder = authenticationHolderRepository.save(authenticationHolder);
 		token.setAuthenticationHolder(authenticationHolder);

-		// attach a refresh token, if this client is allowed to request them and the user gets the offline scope
-		if (token.getScope().contains(OFFLINE_ACCESS)) {
-			if (client.isAllowRefresh()) {
-				OAuth2RefreshTokenEntity savedRefreshToken = createRefreshToken(client, token.getAuthenticationHolder());
-				token.setRefreshToken(savedRefreshToken);
-			} else {
-				throw new InvalidScopeException("Not authorized to request " + OFFLINE_ACCESS);
-			}
-		}
-
 		//Add approved site reference, if any
 		OAuth2Request originalAuthRequest = subjectToken.getAuthenticationHolder().getAuthentication().getOAuth2Request();
 		if (originalAuthRequest.getExtensions() != null && originalAuthRequest.getExtensions().containsKey("approved_site")) {
@@ -199,6 +189,16 @@ public class OAuthTokenExchangeGranter extends BaseTokenExchangeGranter {
 			audiences.add(client.getClientId());
 		}

+		// attach a refresh token, if this client is allowed to request them and the user gets the offline scope
+		if (token.getScope().contains(OFFLINE_ACCESS)) {
+			if (client.isAllowRefresh()) {
+				OAuth2RefreshTokenEntity savedRefreshToken = createRefreshToken(client, token.getAuthenticationHolder(), audiences);
+				token.setRefreshToken(savedRefreshToken);
+			} else {
+				throw new InvalidScopeException("Not authorized to request " + OFFLINE_ACCESS);
+			}
+		}
+
 		JWTClaimsSet originalJwtClaims;
 		try {
 			originalJwtClaims = subjectToken.getJwtValue().getJWTClaimsSet();
@@ -250,7 +250,11 @@ public class OAuthTokenExchangeGranter extends BaseTokenExchangeGranter {
 		return true;
 	}

-	private OAuth2RefreshTokenEntity createRefreshToken(ClientDetailsEntity client, AuthenticationHolderEntity authHolder) {
+	private OAuth2RefreshTokenEntity createRefreshToken(
+			ClientDetailsEntity client,
+			AuthenticationHolderEntity authHolder,
+			Set<String> resources
+	) {
 		OAuth2RefreshTokenEntity refreshToken = new OAuth2RefreshTokenEntity();
 		JWTClaimsSet.Builder refreshClaims = new JWTClaimsSet.Builder();

@@ -265,11 +269,16 @@ public class OAuthTokenExchangeGranter extends BaseTokenExchangeGranter {
 		refreshClaims.jwtID(UUID.randomUUID().toString());
 		refreshClaims.issuer(config.getConfigBean().getIssuer());

-		String audience = client.getClientId();
-		if (!Strings.isNullOrEmpty(audience)) {
-			refreshClaims.audience(Lists.newArrayList(audience));
+		if (resources == null || resources.isEmpty()) {
+			String audience = client.getClientId();
+			if (!Strings.isNullOrEmpty(audience)) {
+				refreshClaims.audience(Lists.newArrayList(audience));
+			}
+		} else {
+			refreshClaims.audience(Lists.newArrayList(resources));
 		}

+
 		JWTClaimsSet claims = refreshClaims.build();
 		JWSAlgorithm signingAlg = jwtService.getDefaultSigningAlgorithm();
 		JWSHeader header = new JWSHeader(signingAlg, JOSEObjectType.JWT, null, null, null, null, null, null, null, null,