/**
 * Creates the access token issued in exchange for {@code refreshToken}.
 * <p>
 * This method is intended to be overridden by subclasses. The new token carries the
 * refresh token's user id, client id and redirect URI and is scoped to
 * {@code checkedScope}, which callers are expected to have already validated
 * against the scope the refresh token was granted with.
 *
 * @param refreshToken the refresh token the new access token is derived from
 * @param checkedScope the (already validated) scope to grant to the new access token
 * @return the access token created in the token store
 * @throws org.forgerock.openam.oauth2.exceptions.OAuthProblemException if the token
 *     store refuses to create the token
 */
protected CoreToken createAccessToken(CoreToken refreshToken, Set<String> checkedScope) {
    // The seventh argument is always null here; its meaning is defined by the token
    // store's createAccessToken signature, which is not visible in this file.
    // The refresh token's own id is handed over last — presumably so the store can link
    // the new access token back to its parent refresh token; confirm against the store.
    CoreToken accessToken = getTokenStore().createAccessToken(
            client.getClient().getAccessTokenType(),
            checkedScope,
            OAuth2Utils.getRealm(getRequest()),
            refreshToken.getUserID(),
            refreshToken.getClientID(),
            refreshToken.getRedirectURI(),
            null,
            refreshToken.getTokenID());
    return accessToken;
}
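/**
 * Handles the OAuth 2.0 refresh-token grant: authenticates the calling client,
 * validates the presented refresh token (exists, bound to this client, not expired),
 * narrows the requested scope through the scope plugin and issues a new access token.
 *
 * @param entity the request body (form or JSON); parameters are read through
 *     {@link OAuth2Utils#getRequestParameter} rather than from this object
 * @return a JSON representation of the new access token, with the granted scope
 *     added under {@link OAuth2Constants.Params#SCOPE} when it is non-empty
 * @throws OAuthProblemException with {@code INVALID_REQUEST} when the refresh token is
 *     missing, unknown or was issued to a different client, and with
 *     {@code EXPIRED_TOKEN} when it has expired
 */
@Post("form:json")
public Representation represent(Representation entity) {
    /*
     * o require client authentication for confidential clients or for any
     * client that was issued client credentials (or with other
     * authentication requirements), o authenticate the client if client
     * authentication is included and ensure the refresh token was issued to
     * the authenticated client, and o validate the refresh token.
     */
    client = getAuthenticatedClient();

    String refresh_token = OAuth2Utils.getRequestParameter(
            getRequest(), OAuth2Constants.Params.REFRESH_TOKEN, String.class);

    // A request without a refresh_token parameter is rejected up front instead of
    // being forwarded to the token store as a null/empty key.
    if (refresh_token == null || refresh_token.isEmpty()) {
        OAuth2Utils.DEBUG.error("Refresh token parameter is missing from the request");
        throw OAuthProblemException.OAuthError.INVALID_REQUEST.handle(
                getRequest(), "RefreshToken does not exist");
    }

    // Find Token
    CoreToken refreshToken = getTokenStore().readRefreshToken(refresh_token);

    // The existence check must run before anything dereferences refreshToken.
    // Previously a SessionClientImpl was built from refreshToken.getClientID()
    // first, so an unknown token surfaced as a NullPointerException instead of
    // the intended INVALID_REQUEST error.
    if (null == refreshToken) {
        // NOTE(review): this logs the raw refresh token value, which is a bearer
        // credential; consider redacting it in the log line.
        OAuth2Utils.DEBUG.error("Refresh token does not exist for id: " + refresh_token);
        throw OAuthProblemException.OAuthError.INVALID_REQUEST.handle(
                getRequest(), "RefreshToken does not exist");
    }

    SessionClient refreshTokenClient =
            new SessionClientImpl(refreshToken.getClientID(), refreshToken.getRedirectURI());

    // Client binding: a refresh token may only be redeemed by the client it was
    // issued to (RFC 6749 §6). Checked before expiry so a foreign client learns
    // nothing about the token's state.
    // NOTE(review): RFC 6749 §5.2 describes an unknown/mismatched/expired refresh
    // token as invalid_grant; INVALID_REQUEST is kept here because existing
    // clients may depend on the current error code.
    if (!refreshTokenClient.getClientId().equals(client.getClient().getClientId())) {
        OAuth2Utils.DEBUG.error(
                "Refresh Token was issued to a different client id: "
                        + refreshTokenClient.getClientId());
        throw OAuthProblemException.OAuthError.INVALID_REQUEST.handle(
                getRequest(), "Token was issued to a different client");
    }

    if (refreshToken.isExpired()) {
        // NOTE(review): logs the raw refresh token value; consider redacting.
        OAuth2Utils.DEBUG.warning("Refresh Token is expired for id: " + refresh_token);
        throw OAuthProblemException.OAuthError.EXPIRED_TOKEN.handle(getRequest());
    }

    // Get the requested scope
    String scope_before = OAuth2Utils.getRequestParameter(
            getRequest(), OAuth2Constants.Params.SCOPE, String.class);

    // Get the granted scope; a refresh token with no recorded scope grants nothing
    Set<String> granted_after = null;
    if (null != refreshToken.getScope()) {
        granted_after = new TreeSet<String>(refreshToken.getScope());
    } else {
        granted_after = new TreeSet<String>();
    }

    // Validate the requested scope against the granted scope; the plugin decides the
    // final set so the new access token can never exceed what the refresh token allows
    Set<String> checkedScope = executeRefreshTokenScopePlugin(scope_before, granted_after);

    // Generate Token
    CoreToken token = createAccessToken(refreshToken, checkedScope);
    Map<String, Object> response = token.convertToMap();

    // execute post token creation pre return scope plugin for extra return data.
    Map<String, String> data = new HashMap<String, String>();
    response.putAll(executeExtraDataScopePlugin(data, token));

    // Echo the granted scope back only when something was granted
    if (checkedScope != null && !checkedScope.isEmpty()) {
        response.put(
                OAuth2Constants.Params.SCOPE,
                OAuth2Utils.join(checkedScope, OAuth2Utils.getScopeDelimiter(getContext())));
    }
    return new JacksonRepresentation<Map>(response);
}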