// TODO The secret should be a char[]. private Representation doRefreshFlow( String clientId, String clientSecret, Series<Parameter> params) { String rToken = params.getFirstValue(REFRESH_TOKEN); if ((rToken == null) || (rToken.length() == 0)) { setStatus(Status.CLIENT_ERROR_BAD_REQUEST); return sendError( OAuthError.invalid_request, "Mandatory parameter refresh_token is missing", null); } Client client = validate(clientId, clientSecret); // null check on failed if (client == null) { setStatus(Status.CLIENT_ERROR_FORBIDDEN); return sendError(OAuthError.invalid_client, "Client id verification failed.", null); } Token token = generator.findToken(rToken); if ((token != null) && (token instanceof ExpireToken)) { AuthenticatedUser user = token.getUser(); // Make sure that the user owning the token is owned by this client if (client.containsUser(user.getId())) { // refresh the token generator.refreshToken((ExpireToken) token); JSONObject body = createJsonToken(token, null); // Scopes N/A // Sets the no-store Cache-Control header getResponse().setCacheDirectives(noStore); return new JsonStringRepresentation(body); } else { // error not owner setStatus(Status.CLIENT_ERROR_FORBIDDEN); return sendError(OAuthError.unauthorized_client, "User does not match.", null); } } else { // error no such token. setStatus(Status.CLIENT_ERROR_UNAUTHORIZED); return sendError(OAuthError.invalid_grant, "Refresh token.", null); } }