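/**
 * Registers a new OAuth 1.0a consumer for {@code username} in the given tenant and returns the
 * generated credentials.
 *
 * <p>The consumer key is regenerated until {@link #isDuplicateConsumer(String)} reports it as
 * unused; the secret is generated once. Both values come from {@code OAuthUtil.getRandomNumber()},
 * so their unpredictability is exactly that of that helper (NOTE(review): confirm it is backed by
 * a cryptographically secure generator). The secret is persisted exactly as returned to the
 * caller; this method does not hash it.
 *
 * @param username owner of the new consumer
 * @param tenantId tenant the consumer belongs to
 * @return a two-element array {@code {consumerKey, consumerSecret}}
 * @throws IdentityOAuthAdminException if the persistence store cannot be obtained or the insert
 *         fails; the underlying exception is attached as the cause
 */
public String[] addOAuthConsumer(String username, int tenantId) throws IdentityOAuthAdminException {
    Connection connection = null;
    PreparedStatement prepStmt = null;
    String sqlStmt = null;
    String consumerKey;
    String consumerSecret = OAuthUtil.getRandomNumber();
    // Keep drawing keys until one is not already registered.
    do {
        consumerKey = OAuthUtil.getRandomNumber();
    } while (isDuplicateConsumer(consumerKey));
    try {
        connection = JDBCPersistenceManager.getInstance().getDBConnection();
        sqlStmt = SQLQueries.OAuthAppDAOSQLQueries.ADD_OAUTH_CONSUMER;
        prepStmt = connection.prepareStatement(sqlStmt);
        prepStmt.setString(1, consumerKey);
        prepStmt.setString(2, consumerSecret);
        prepStmt.setString(3, username);
        prepStmt.setInt(4, tenantId);
        // This entry point only registers OAuth 1.0a consumers, so the version column is fixed.
        prepStmt.setString(5, OAuthConstants.OAuthVersions.VERSION_1A);
        prepStmt.execute();
        connection.commit();
    } catch (IdentityException e) {
        String errorMsg = "Error when getting an Identity Persistence Store instance.";
        log.error(errorMsg, e);
        throw new IdentityOAuthAdminException(errorMsg, e);
    } catch (SQLException e) {
        // Only the statement text (a constant) is logged; the bound values include the new secret
        // and must stay out of the log.
        log.error("Error when executing the SQL : " + sqlStmt);
        log.error(e.getMessage(), e);
        // Attach the SQLException as the cause instead of dropping it, so the real failure
        // (constraint violation, connectivity, ...) is visible to callers and operators.
        throw new IdentityOAuthAdminException("Error when adding a new OAuth consumer.", e);
    } finally {
        IdentityDatabaseUtil.closeAllConnections(connection, null, prepStmt);
    }
    return new String[] {consumerKey, consumerSecret};
}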
/**
 * Revokes a token on behalf of an OAuth client (the backend of the token revocation endpoint).
 *
 * <p>Lookup order follows the {@code token_type} hint: when it is {@code refresh_token} the value
 * is validated as a refresh token first and, failing that, looked up as an access token; any other
 * hint tries the access-token store first and then the refresh-token store. Once the token is
 * resolved, the client is authenticated with its consumer secret unless the token was issued via
 * the {@code implicit} grant. {@code clearOAuthCache} is then invoked for the client/user(/scope)
 * and for the access-token value before the token pair is revoked in the store.
 *
 * @param revokeRequestDTO DTO carrying consumerKey, consumerSecret, token and the token_type hint
 * @return a response DTO; the error flag, code and message are set for a malformed request
 *         ({@code OAuth2ErrorCodes.INVALID_REQUEST}), a failed client authentication
 *         ({@code OAuth2ErrorCodes.UNAUTHORIZED_CLIENT}) or a persistence failure
 *         ({@code OAuth2ErrorCodes.SERVER_ERROR}). A token that cannot be resolved yields a
 *         non-error response without revoking anything (on the refresh-first path the client is
 *         still authenticated before that response is returned).
 */
public OAuthRevocationResponseDTO revokeTokenByOAuthClient(
        OAuthRevocationRequestDTO revokeRequestDTO) {
    TokenMgtDAO tokenMgtDAO = new TokenMgtDAO();
    OAuthRevocationResponseDTO response = new OAuthRevocationResponseDTO();
    try {
        String consumerKey = revokeRequestDTO.getConsumerKey();
        String token = revokeRequestDTO.getToken();
        if (StringUtils.isEmpty(consumerKey) || StringUtils.isEmpty(token)) {
            return failWith(response, OAuth2ErrorCodes.INVALID_REQUEST, "Invalid revocation request");
        }

        // The token_type hint decides which store is consulted first.
        boolean refreshTokenFirst = StringUtils.equals(
                GrantType.REFRESH_TOKEN.toString(), revokeRequestDTO.getToken_type());
        RefreshTokenValidationDataDO refreshTokenDO = null;
        AccessTokenDO accessTokenDO = null;
        if (refreshTokenFirst) {
            refreshTokenDO = tokenMgtDAO.validateRefreshToken(consumerKey, token);
            if (!isRevocableRefreshToken(refreshTokenDO)) {
                // Not a usable refresh token: fall back to treating the value as an access token.
                accessTokenDO = tokenMgtDAO.retrieveAccessToken(token, true);
                refreshTokenDO = null;
            }
        } else {
            accessTokenDO = tokenMgtDAO.retrieveAccessToken(token, true);
            if (accessTokenDO == null) {
                refreshTokenDO = tokenMgtDAO.validateRefreshToken(consumerKey, token);
                if (!isRevocableRefreshToken(refreshTokenDO)) {
                    // Unknown token: nothing to revoke and nothing to disclose to the client.
                    return response;
                }
            }
        }

        String grantType = StringUtils.EMPTY;
        if (accessTokenDO != null) {
            grantType = accessTokenDO.getGrantType();
        } else if (refreshTokenDO != null) {
            grantType = refreshTokenDO.getGrantType();
        }
        // The implicit grant is exempt from the client-secret check; every other client must
        // authenticate before anything is revoked.
        boolean implicitGrant = StringUtils.equals(OAuthConstants.GrantTypes.IMPLICIT, grantType);
        if (!implicitGrant
                && !OAuth2Util.authenticateClient(consumerKey, revokeRequestDTO.getConsumerSecret())) {
            return unauthorizedClient();
        }

        if (refreshTokenDO != null) {
            String accessToken = refreshTokenDO.getAccessToken();
            // Cache entries are cleared before the store is updated (ordering preserved).
            org.wso2.carbon.identity.oauth.OAuthUtil.clearOAuthCache(consumerKey,
                    refreshTokenDO.getAuthorizedUser(),
                    OAuth2Util.buildScopeString(refreshTokenDO.getScope()));
            org.wso2.carbon.identity.oauth.OAuthUtil.clearOAuthCache(consumerKey,
                    refreshTokenDO.getAuthorizedUser());
            org.wso2.carbon.identity.oauth.OAuthUtil.clearOAuthCache(accessToken);
            tokenMgtDAO.revokeTokens(new String[] {accessToken});
            addRevokeResponseHeaders(response, accessToken, token,
                    refreshTokenDO.getAuthorizedUser().toString());
        } else if (accessTokenDO != null) {
            org.wso2.carbon.identity.oauth.OAuthUtil.clearOAuthCache(consumerKey,
                    accessTokenDO.getAuthzUser(),
                    OAuth2Util.buildScopeString(accessTokenDO.getScope()));
            org.wso2.carbon.identity.oauth.OAuthUtil.clearOAuthCache(consumerKey,
                    accessTokenDO.getAuthzUser());
            org.wso2.carbon.identity.oauth.OAuthUtil.clearOAuthCache(token);
            tokenMgtDAO.revokeTokens(new String[] {token});
            addRevokeResponseHeaders(response, token, accessTokenDO.getRefreshToken(),
                    accessTokenDO.getAuthzUser().toString());
        }
        return response;
    } catch (InvalidOAuthClientException e) {
        log.error("Unauthorized Client", e);
        return unauthorizedClient();
    } catch (IdentityException e) {
        String errorMsg = "Error occurred while revoking authorization grant for applications";
        log.error(errorMsg, e);
        return failWith(new OAuthRevocationResponseDTO(), OAuth2ErrorCodes.SERVER_ERROR, errorMsg);
    }
}

/**
 * A refresh token is revocable only when it was found and its state is ACTIVE or EXPIRED.
 */
private static boolean isRevocableRefreshToken(RefreshTokenValidationDataDO refreshTokenDO) {
    if (refreshTokenDO == null) {
        return false;
    }
    String state = refreshTokenDO.getRefreshTokenState();
    return StringUtils.isNotEmpty(state)
            && (OAuthConstants.TokenStates.TOKEN_STATE_ACTIVE.equals(state)
                || OAuthConstants.TokenStates.TOKEN_STATE_EXPIRED.equals(state));
}

/** Marks {@code dto} as failed with the given error code and message, and returns it. */
private static OAuthRevocationResponseDTO failWith(
        OAuthRevocationResponseDTO dto, String errorCode, String errorMsg) {
    dto.setError(true);
    dto.setErrorCode(errorCode);
    dto.setErrorMsg(errorMsg);
    return dto;
}

/** Builds a fresh unauthorized-client error response. */
private static OAuthRevocationResponseDTO unauthorizedClient() {
    return failWith(new OAuthRevocationResponseDTO(), OAuth2ErrorCodes.UNAUTHORIZED_CLIENT,
            "Unauthorized Client");
}