@Test
public void testExpiredRefreshToken() throws Exception {
OAuth2Authentication expectedAuthentication =
new OAuth2Authentication(
new AuthorizationRequest("id", Collections.singleton("read"), null, null),
new TestAuthentication("test2", false));
DefaultOAuth2AccessToken firstAccessToken =
(DefaultOAuth2AccessToken) getTokenServices().createAccessToken(expectedAuthentication);
assertNotNull(firstAccessToken.getRefreshToken());
// Make it expire (and rely on mutable state in volatile token store)
ReflectionTestUtils.setField(
firstAccessToken.getRefreshToken(),
"expiration",
new Date(System.currentTimeMillis() - 1000));
firstAccessToken.setExpiration(new Date(System.currentTimeMillis() - 1000));
expected.expect(InvalidTokenException.class);
expected.expectMessage("refresh token (expired)");
getTokenServices().refreshAccessToken(firstAccessToken.getRefreshToken().getValue(), null);
}
@Test
public void testDifferentRefreshTokenMaintainsState() throws Exception {
// create access token
getTokenServices().setAccessTokenValiditySeconds(1);
getTokenServices()
.setClientDetailsService(
new ClientDetailsService() {
public ClientDetails loadClientByClientId(String clientId) throws OAuth2Exception {
BaseClientDetails client = new BaseClientDetails();
client.setAccessTokenValiditySeconds(1);
return client;
}
});
OAuth2Authentication expectedAuthentication =
new OAuth2Authentication(
new AuthorizationRequest("id", Collections.singleton("read"), null, null),
new TestAuthentication("test2", false));
DefaultOAuth2AccessToken firstAccessToken =
(DefaultOAuth2AccessToken) getTokenServices().createAccessToken(expectedAuthentication);
OAuth2RefreshToken expectedExpiringRefreshToken = firstAccessToken.getRefreshToken();
// Make it expire (and rely on mutable state in volatile token store)
firstAccessToken.setExpiration(new Date(System.currentTimeMillis() - 1000));
// create another access token
OAuth2AccessToken secondAccessToken =
getTokenServices().createAccessToken(expectedAuthentication);
assertFalse(
"The new access token should be different",
firstAccessToken.getValue().equals(secondAccessToken.getValue()));
assertEquals(
"The new access token should have the same refresh token",
expectedExpiringRefreshToken.getValue(),
secondAccessToken.getRefreshToken().getValue());
// refresh access token with refresh token
getTokenServices()
.refreshAccessToken(
expectedExpiringRefreshToken.getValue(),
expectedAuthentication.getAuthorizationRequest().getScope());
assertEquals(1, getAccessTokenCount());
}