Compare revisions

Dominik Frantisek Bucik · Dominik František Bučík · semantic-release-bot · bd4d446a · bd4d446a · bd4d446a
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
+## [17.1.2](https://gitlab.ics.muni.cz/perun/perun-proxyidp/v1/OpenID-Connect-Java-Spring-Server/compare/v17.1.1...v17.1.2) (2024-02-14)
+
+
+### Bug Fixes
+
+* 🐛 fix refresh auds for tokens via token exchange granter ([06053a3](https://gitlab.ics.muni.cz/perun/perun-proxyidp/v1/OpenID-Connect-Java-Spring-Server/commit/06053a3bf7f289c4fbc9c343fccc8ce7b077b222))
+
 ## [17.1.1](https://gitlab.ics.muni.cz/perun/perun-proxyidp/v1/OpenID-Connect-Java-Spring-Server/compare/v17.1.0...v17.1.1) (2024-02-09)



--- a/perun-oidc-server-webapp/pom.xml
+++ b/perun-oidc-server-webapp/pom.xml
@@ -21,7 +21,7 @@
 	<parent>
 		<groupId>cz.muni.ics</groupId>
 		<artifactId>perun-oidc-parent</artifactId>
-		<version>17.1.1</version>
+		<version>17.1.2</version>
 		<relativePath>../pom.xml</relativePath>
 	</parent>


--- a/perun-oidc-server/pom.xml
+++ b/perun-oidc-server/pom.xml
@@ -22,7 +22,7 @@
 	<parent>
 		<groupId>cz.muni.ics</groupId>
 		<artifactId>perun-oidc-parent</artifactId>
-		<version>17.1.1</version>
+		<version>17.1.2</version>
 		<relativePath>../pom.xml</relativePath>
 	</parent>


--- a/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/token/exchange/OAuthTokenExchangeGranter.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oauth2/token/exchange/OAuthTokenExchangeGranter.java
@@ -154,16 +154,6 @@ public class OAuthTokenExchangeGranter extends BaseTokenExchangeGranter {
 		authenticationHolder = authenticationHolderRepository.save(authenticationHolder);
 		token.setAuthenticationHolder(authenticationHolder);

-		// attach a refresh token, if this client is allowed to request them and the user gets the offline scope
-		if (token.getScope().contains(OFFLINE_ACCESS)) {
-			if (client.isAllowRefresh()) {
-				OAuth2RefreshTokenEntity savedRefreshToken = createRefreshToken(client, token.getAuthenticationHolder());
-				token.setRefreshToken(savedRefreshToken);
-			} else {
-				throw new InvalidScopeException("Not authorized to request " + OFFLINE_ACCESS);
-			}
-		}
-
 		//Add approved site reference, if any
 		OAuth2Request originalAuthRequest = subjectToken.getAuthenticationHolder().getAuthentication().getOAuth2Request();
 		if (originalAuthRequest.getExtensions() != null && originalAuthRequest.getExtensions().containsKey("approved_site")) {
@@ -199,6 +189,16 @@ public class OAuthTokenExchangeGranter extends BaseTokenExchangeGranter {
 			audiences.add(client.getClientId());
 		}

+		// attach a refresh token, if this client is allowed to request them and the user gets the offline scope
+		if (token.getScope().contains(OFFLINE_ACCESS)) {
+			if (client.isAllowRefresh()) {
+				OAuth2RefreshTokenEntity savedRefreshToken = createRefreshToken(client, token.getAuthenticationHolder(), audiences);
+				token.setRefreshToken(savedRefreshToken);
+			} else {
+				throw new InvalidScopeException("Not authorized to request " + OFFLINE_ACCESS);
+			}
+		}
+
 		JWTClaimsSet originalJwtClaims;
 		try {
 			originalJwtClaims = subjectToken.getJwtValue().getJWTClaimsSet();
@@ -250,7 +250,11 @@ public class OAuthTokenExchangeGranter extends BaseTokenExchangeGranter {
 		return true;
 	}

-	private OAuth2RefreshTokenEntity createRefreshToken(ClientDetailsEntity client, AuthenticationHolderEntity authHolder) {
+	private OAuth2RefreshTokenEntity createRefreshToken(
+			ClientDetailsEntity client,
+			AuthenticationHolderEntity authHolder,
+			Set<String> resources
+	) {
 		OAuth2RefreshTokenEntity refreshToken = new OAuth2RefreshTokenEntity();
 		JWTClaimsSet.Builder refreshClaims = new JWTClaimsSet.Builder();

@@ -265,11 +269,16 @@ public class OAuthTokenExchangeGranter extends BaseTokenExchangeGranter {
 		refreshClaims.jwtID(UUID.randomUUID().toString());
 		refreshClaims.issuer(config.getConfigBean().getIssuer());

-		String audience = client.getClientId();
-		if (!Strings.isNullOrEmpty(audience)) {
-			refreshClaims.audience(Lists.newArrayList(audience));
+		if (resources == null || resources.isEmpty()) {
+			String audience = client.getClientId();
+			if (!Strings.isNullOrEmpty(audience)) {
+				refreshClaims.audience(Lists.newArrayList(audience));
+			}
+		} else {
+			refreshClaims.audience(Lists.newArrayList(resources));
 		}

+
 		JWTClaimsSet claims = refreshClaims.build();
 		JWSAlgorithm signingAlg = jwtService.getDefaultSigningAlgorithm();
 		JWSHeader header = new JWSHeader(signingAlg, JOSEObjectType.JWT, null, null, null, null, null, null, null, null,

--- a/pom.xml
+++ b/pom.xml
@@ -3,7 +3,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>cz.muni.ics</groupId>
 	<artifactId>perun-oidc-parent</artifactId>
-	<version>17.1.1</version>
+	<version>17.1.2</version>
 	<packaging>pom</packaging>

 	<modules>
No results found