private OAuth2AccessTokenRespDTO getAccessToken(CarbonOAuthTokenRequest oauthRequest) {
OAuth2AccessTokenReqDTO tokenReqDTO = new OAuth2AccessTokenReqDTO();
String grantType = oauthRequest.getGrantType();
tokenReqDTO.setGrantType(grantType);
tokenReqDTO.setClientId(oauthRequest.getClientId());
tokenReqDTO.setClientSecret(oauthRequest.getClientSecret());
tokenReqDTO.setCallbackURI(oauthRequest.getRedirectURI());
tokenReqDTO.setScope(
oauthRequest.getScopes().toArray(new String[oauthRequest.getScopes().size()]));
tokenReqDTO.setTenantDomain(oauthRequest.getTenantDomain());
// Check the grant type and set the corresponding parameters
if (GrantType.AUTHORIZATION_CODE.toString().equals(grantType)) {
tokenReqDTO.setAuthorizationCode(oauthRequest.getCode());
} else if (GrantType.PASSWORD.toString().equals(grantType)) {
tokenReqDTO.setResourceOwnerUsername(oauthRequest.getUsername());
tokenReqDTO.setResourceOwnerPassword(oauthRequest.getPassword());
} else if (GrantType.REFRESH_TOKEN.toString().equals(grantType)) {
tokenReqDTO.setRefreshToken(oauthRequest.getRefreshToken());
} else if (org.wso2.carbon.identity.oauth.common.GrantType.SAML20_BEARER
.toString()
.equals(grantType)) {
tokenReqDTO.setAssertion(oauthRequest.getAssertion());
} else if (org.wso2.carbon.identity.oauth.common.GrantType.IWA_NTLM
.toString()
.equals(grantType)) {
tokenReqDTO.setWindowsToken(oauthRequest.getWindowsToken());
} else {
// Set all request parameters to the OAuth2AccessTokenReqDTO
tokenReqDTO.setRequestParameters(oauthRequest.getRequestParameters());
}
return EndpointUtil.getOAuth2Service().issueAccessToken(tokenReqDTO);
}
/**
* Revoke tokens issued to OAuth clients
*
* @param revokeRequestDTO DTO representing consumerKey, consumerSecret and tokens[]
* @return revokeRespDTO DTO representing success or failure message
*/
public OAuthRevocationResponseDTO revokeTokenByOAuthClient(
OAuthRevocationRequestDTO revokeRequestDTO) {
// fix here remove associated cache entry
TokenMgtDAO tokenMgtDAO = new TokenMgtDAO();
OAuthRevocationResponseDTO revokeResponseDTO = new OAuthRevocationResponseDTO();
try {
if (StringUtils.isNotEmpty(revokeRequestDTO.getConsumerKey())
&& StringUtils.isNotEmpty(revokeRequestDTO.getToken())) {
boolean refreshTokenFirst = false;
if (StringUtils.equals(
GrantType.REFRESH_TOKEN.toString(), revokeRequestDTO.getToken_type())) {
refreshTokenFirst = true;
}
RefreshTokenValidationDataDO refreshTokenDO = null;
AccessTokenDO accessTokenDO = null;
if (refreshTokenFirst) {
refreshTokenDO =
tokenMgtDAO.validateRefreshToken(
revokeRequestDTO.getConsumerKey(), revokeRequestDTO.getToken());
if (refreshTokenDO == null
|| StringUtils.isEmpty(refreshTokenDO.getRefreshTokenState())
|| !(OAuthConstants.TokenStates.TOKEN_STATE_ACTIVE.equals(
refreshTokenDO.getRefreshTokenState())
|| OAuthConstants.TokenStates.TOKEN_STATE_EXPIRED.equals(
refreshTokenDO.getRefreshTokenState()))) {
accessTokenDO = tokenMgtDAO.retrieveAccessToken(revokeRequestDTO.getToken(), true);
refreshTokenDO = null;
}
} else {
accessTokenDO = tokenMgtDAO.retrieveAccessToken(revokeRequestDTO.getToken(), true);
if (accessTokenDO == null) {
refreshTokenDO =
tokenMgtDAO.validateRefreshToken(
revokeRequestDTO.getConsumerKey(), revokeRequestDTO.getToken());
if (refreshTokenDO == null
|| StringUtils.isEmpty(refreshTokenDO.getRefreshTokenState())
|| !(OAuthConstants.TokenStates.TOKEN_STATE_ACTIVE.equals(
refreshTokenDO.getRefreshTokenState())
|| OAuthConstants.TokenStates.TOKEN_STATE_EXPIRED.equals(
refreshTokenDO.getRefreshTokenState()))) {
return revokeResponseDTO;
}
}
}
String grantType = StringUtils.EMPTY;
if (accessTokenDO != null) {
grantType = accessTokenDO.getGrantType();
} else if (refreshTokenDO != null) {
grantType = refreshTokenDO.getGrantType();
}
if (!StringUtils.equals(OAuthConstants.GrantTypes.IMPLICIT, grantType)
&& !OAuth2Util.authenticateClient(
revokeRequestDTO.getConsumerKey(), revokeRequestDTO.getConsumerSecret())) {
OAuthRevocationResponseDTO revokeRespDTO = new OAuthRevocationResponseDTO();
revokeRespDTO.setError(true);
revokeRespDTO.setErrorCode(OAuth2ErrorCodes.UNAUTHORIZED_CLIENT);
revokeRespDTO.setErrorMsg("Unauthorized Client");
return revokeRespDTO;
}
if (refreshTokenDO != null) {
org.wso2.carbon.identity.oauth.OAuthUtil.clearOAuthCache(
revokeRequestDTO.getConsumerKey(),
refreshTokenDO.getAuthorizedUser(),
OAuth2Util.buildScopeString(refreshTokenDO.getScope()));
org.wso2.carbon.identity.oauth.OAuthUtil.clearOAuthCache(
revokeRequestDTO.getConsumerKey(), refreshTokenDO.getAuthorizedUser());
org.wso2.carbon.identity.oauth.OAuthUtil.clearOAuthCache(refreshTokenDO.getAccessToken());
tokenMgtDAO.revokeTokens(new String[] {refreshTokenDO.getAccessToken()});
addRevokeResponseHeaders(
revokeResponseDTO,
refreshTokenDO.getAccessToken(),
revokeRequestDTO.getToken(),
refreshTokenDO.getAuthorizedUser().toString());
} else if (accessTokenDO != null) {
org.wso2.carbon.identity.oauth.OAuthUtil.clearOAuthCache(
revokeRequestDTO.getConsumerKey(),
accessTokenDO.getAuthzUser(),
OAuth2Util.buildScopeString(accessTokenDO.getScope()));
org.wso2.carbon.identity.oauth.OAuthUtil.clearOAuthCache(
revokeRequestDTO.getConsumerKey(), accessTokenDO.getAuthzUser());
org.wso2.carbon.identity.oauth.OAuthUtil.clearOAuthCache(revokeRequestDTO.getToken());
tokenMgtDAO.revokeTokens(new String[] {revokeRequestDTO.getToken()});
addRevokeResponseHeaders(
revokeResponseDTO,
revokeRequestDTO.getToken(),
accessTokenDO.getRefreshToken(),
accessTokenDO.getAuthzUser().toString());
}
return revokeResponseDTO;
} else {
revokeResponseDTO.setError(true);
revokeResponseDTO.setErrorCode(OAuth2ErrorCodes.INVALID_REQUEST);
revokeResponseDTO.setErrorMsg("Invalid revocation request");
return revokeResponseDTO;
}
} catch (InvalidOAuthClientException e) {
log.error("Unauthorized Client", e);
OAuthRevocationResponseDTO revokeRespDTO = new OAuthRevocationResponseDTO();
revokeRespDTO.setError(true);
revokeRespDTO.setErrorCode(OAuth2ErrorCodes.UNAUTHORIZED_CLIENT);
revokeRespDTO.setErrorMsg("Unauthorized Client");
return revokeRespDTO;
} catch (IdentityException e) {
log.error("Error occurred while revoking authorization grant for applications", e);
OAuthRevocationResponseDTO revokeRespDTO = new OAuthRevocationResponseDTO();
revokeRespDTO.setError(true);
revokeRespDTO.setErrorCode(OAuth2ErrorCodes.SERVER_ERROR);
revokeRespDTO.setErrorMsg(
"Error occurred while revoking authorization grant for applications");
return revokeRespDTO;
}
}
