private String replaceFromTokenId(String keyValue) {
TokenMgtDAO tokenMgtDAO = new TokenMgtDAO();
try {
return tokenMgtDAO.getTokenIdByToken(keyValue);
} catch (IdentityOAuth2Exception e) {
log.error("Failed to retrieve token id by token from store for - ." + keyValue, e);
}
return keyValue;
}
private String replaceFromCodeId(String authzCode) {
TokenMgtDAO tokenMgtDAO = new TokenMgtDAO();
try {
return tokenMgtDAO.getCodeIdByAuthorizationCode(authzCode);
} catch (IdentityOAuth2Exception e) {
log.error(
"Failed to retrieve authorization code id by authorization code from store for - ."
+ authzCode,
e);
}
return authzCode;
}
/**
* Revoke tokens issued to OAuth clients
*
* @param revokeRequestDTO DTO representing consumerKey, consumerSecret and tokens[]
* @return revokeRespDTO DTO representing success or failure message
*/
public OAuthRevocationResponseDTO revokeTokenByOAuthClient(
OAuthRevocationRequestDTO revokeRequestDTO) {
// fix here remove associated cache entry
TokenMgtDAO tokenMgtDAO = new TokenMgtDAO();
OAuthRevocationResponseDTO revokeResponseDTO = new OAuthRevocationResponseDTO();
try {
if (StringUtils.isNotEmpty(revokeRequestDTO.getConsumerKey())
&& StringUtils.isNotEmpty(revokeRequestDTO.getToken())) {
boolean refreshTokenFirst = false;
if (StringUtils.equals(
GrantType.REFRESH_TOKEN.toString(), revokeRequestDTO.getToken_type())) {
refreshTokenFirst = true;
}
RefreshTokenValidationDataDO refreshTokenDO = null;
AccessTokenDO accessTokenDO = null;
if (refreshTokenFirst) {
refreshTokenDO =
tokenMgtDAO.validateRefreshToken(
revokeRequestDTO.getConsumerKey(), revokeRequestDTO.getToken());
if (refreshTokenDO == null
|| StringUtils.isEmpty(refreshTokenDO.getRefreshTokenState())
|| !(OAuthConstants.TokenStates.TOKEN_STATE_ACTIVE.equals(
refreshTokenDO.getRefreshTokenState())
|| OAuthConstants.TokenStates.TOKEN_STATE_EXPIRED.equals(
refreshTokenDO.getRefreshTokenState()))) {
accessTokenDO = tokenMgtDAO.retrieveAccessToken(revokeRequestDTO.getToken(), true);
refreshTokenDO = null;
}
} else {
accessTokenDO = tokenMgtDAO.retrieveAccessToken(revokeRequestDTO.getToken(), true);
if (accessTokenDO == null) {
refreshTokenDO =
tokenMgtDAO.validateRefreshToken(
revokeRequestDTO.getConsumerKey(), revokeRequestDTO.getToken());
if (refreshTokenDO == null
|| StringUtils.isEmpty(refreshTokenDO.getRefreshTokenState())
|| !(OAuthConstants.TokenStates.TOKEN_STATE_ACTIVE.equals(
refreshTokenDO.getRefreshTokenState())
|| OAuthConstants.TokenStates.TOKEN_STATE_EXPIRED.equals(
refreshTokenDO.getRefreshTokenState()))) {
return revokeResponseDTO;
}
}
}
String grantType = StringUtils.EMPTY;
if (accessTokenDO != null) {
grantType = accessTokenDO.getGrantType();
} else if (refreshTokenDO != null) {
grantType = refreshTokenDO.getGrantType();
}
if (!StringUtils.equals(OAuthConstants.GrantTypes.IMPLICIT, grantType)
&& !OAuth2Util.authenticateClient(
revokeRequestDTO.getConsumerKey(), revokeRequestDTO.getConsumerSecret())) {
OAuthRevocationResponseDTO revokeRespDTO = new OAuthRevocationResponseDTO();
revokeRespDTO.setError(true);
revokeRespDTO.setErrorCode(OAuth2ErrorCodes.UNAUTHORIZED_CLIENT);
revokeRespDTO.setErrorMsg("Unauthorized Client");
return revokeRespDTO;
}
if (refreshTokenDO != null) {
org.wso2.carbon.identity.oauth.OAuthUtil.clearOAuthCache(
revokeRequestDTO.getConsumerKey(),
refreshTokenDO.getAuthorizedUser(),
OAuth2Util.buildScopeString(refreshTokenDO.getScope()));
org.wso2.carbon.identity.oauth.OAuthUtil.clearOAuthCache(
revokeRequestDTO.getConsumerKey(), refreshTokenDO.getAuthorizedUser());
org.wso2.carbon.identity.oauth.OAuthUtil.clearOAuthCache(refreshTokenDO.getAccessToken());
tokenMgtDAO.revokeTokens(new String[] {refreshTokenDO.getAccessToken()});
addRevokeResponseHeaders(
revokeResponseDTO,
refreshTokenDO.getAccessToken(),
revokeRequestDTO.getToken(),
refreshTokenDO.getAuthorizedUser().toString());
} else if (accessTokenDO != null) {
org.wso2.carbon.identity.oauth.OAuthUtil.clearOAuthCache(
revokeRequestDTO.getConsumerKey(),
accessTokenDO.getAuthzUser(),
OAuth2Util.buildScopeString(accessTokenDO.getScope()));
org.wso2.carbon.identity.oauth.OAuthUtil.clearOAuthCache(
revokeRequestDTO.getConsumerKey(), accessTokenDO.getAuthzUser());
org.wso2.carbon.identity.oauth.OAuthUtil.clearOAuthCache(revokeRequestDTO.getToken());
tokenMgtDAO.revokeTokens(new String[] {revokeRequestDTO.getToken()});
addRevokeResponseHeaders(
revokeResponseDTO,
revokeRequestDTO.getToken(),
accessTokenDO.getRefreshToken(),
accessTokenDO.getAuthzUser().toString());
}
return revokeResponseDTO;
} else {
revokeResponseDTO.setError(true);
revokeResponseDTO.setErrorCode(OAuth2ErrorCodes.INVALID_REQUEST);
revokeResponseDTO.setErrorMsg("Invalid revocation request");
return revokeResponseDTO;
}
} catch (InvalidOAuthClientException e) {
log.error("Unauthorized Client", e);
OAuthRevocationResponseDTO revokeRespDTO = new OAuthRevocationResponseDTO();
revokeRespDTO.setError(true);
revokeRespDTO.setErrorCode(OAuth2ErrorCodes.UNAUTHORIZED_CLIENT);
revokeRespDTO.setErrorMsg("Unauthorized Client");
return revokeRespDTO;
} catch (IdentityException e) {
log.error("Error occurred while revoking authorization grant for applications", e);
OAuthRevocationResponseDTO revokeRespDTO = new OAuthRevocationResponseDTO();
revokeRespDTO.setError(true);
revokeRespDTO.setErrorCode(OAuth2ErrorCodes.SERVER_ERROR);
revokeRespDTO.setErrorMsg(
"Error occurred while revoking authorization grant for applications");
return revokeRespDTO;
}
}
