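 /**
  * Maps an access token value to the token id under which it is stored.
  *
  * @param keyValue the raw access token value
  * @return the stored token id, or {@code keyValue} itself when the lookup fails (callers then
  *     keep working with the raw value)
  */
 private String replaceFromTokenId(String keyValue) {
   TokenMgtDAO tokenMgtDAO = new TokenMgtDAO();
   try {
     return tokenMgtDAO.getTokenIdByToken(keyValue);
   } catch (IdentityOAuth2Exception e) {
     // The token is a bearer credential: never write its value to the log. Only the fact
     // that the lookup failed (and the cause) is recorded.
     log.error("Failed to retrieve token id by token from store.", e);
   }
   return keyValue;
 }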
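  /**
   * Maps an authorization code value to the code id under which it is stored.
   *
   * @param authzCode the raw authorization code
   * @return the stored code id, or {@code authzCode} itself when the lookup fails (callers then
   *     keep working with the raw value)
   */
  private String replaceFromCodeId(String authzCode) {
    TokenMgtDAO tokenMgtDAO = new TokenMgtDAO();
    try {
      return tokenMgtDAO.getCodeIdByAuthorizationCode(authzCode);
    } catch (IdentityOAuth2Exception e) {
      // An authorization code is a one-time credential: never write its value to the log.
      // Only the fact that the lookup failed (and the cause) is recorded.
      log.error("Failed to retrieve authorization code id by authorization code from store.", e);
    }
    return authzCode;
  }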
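  /**
   * Revokes a token issued to an OAuth client (token revocation endpoint, RFC 7009).
   *
   * <p>Flow: the token is looked up first, as a refresh token or an access token in the order
   * hinted by {@code token_type}; then the client is authenticated unless the grant that issued
   * the token was {@code implicit} (a public client has no secret to check); then the token's
   * cache entries are cleared, the token is revoked in the store and the revocation headers are
   * added to the response.
   *
   * <p>When the token cannot be located at all, the client is still authenticated before a
   * response is returned (both lookup orders behave the same way), so an unauthenticated caller
   * cannot use this endpoint as an oracle for whether a token value exists. An authenticated
   * client revoking an unknown token receives an empty success response, per RFC 7009 §2.2.
   *
   * @param revokeRequestDTO DTO carrying consumerKey, consumerSecret, the token and an optional
   *     token_type hint
   * @return revokeRespDTO DTO representing success (no error set) or an error code and message
   */
  public OAuthRevocationResponseDTO revokeTokenByOAuthClient(
      OAuthRevocationRequestDTO revokeRequestDTO) {

    TokenMgtDAO tokenMgtDAO = new TokenMgtDAO();
    OAuthRevocationResponseDTO revokeResponseDTO = new OAuthRevocationResponseDTO();

    try {
      if (StringUtils.isEmpty(revokeRequestDTO.getConsumerKey())
          || StringUtils.isEmpty(revokeRequestDTO.getToken())) {
        revokeResponseDTO.setError(true);
        revokeResponseDTO.setErrorCode(OAuth2ErrorCodes.INVALID_REQUEST);
        revokeResponseDTO.setErrorMsg("Invalid revocation request");
        return revokeResponseDTO;
      }

      String consumerKey = revokeRequestDTO.getConsumerKey();
      String token = revokeRequestDTO.getToken();

      // token_type is only a hint: try the hinted kind first, then fall back to the other one.
      boolean refreshTokenFirst =
          StringUtils.equals(GrantType.REFRESH_TOKEN.toString(), revokeRequestDTO.getToken_type());

      RefreshTokenValidationDataDO refreshTokenDO = null;
      AccessTokenDO accessTokenDO = null;

      if (refreshTokenFirst) {
        refreshTokenDO = tokenMgtDAO.validateRefreshToken(consumerKey, token);
        if (!isActiveOrExpiredRefreshToken(refreshTokenDO)) {
          refreshTokenDO = null;
          accessTokenDO = tokenMgtDAO.retrieveAccessToken(token, true);
        }
      } else {
        accessTokenDO = tokenMgtDAO.retrieveAccessToken(token, true);
        if (accessTokenDO == null) {
          refreshTokenDO = tokenMgtDAO.validateRefreshToken(consumerKey, token);
          if (!isActiveOrExpiredRefreshToken(refreshTokenDO)) {
            // Deliberately no early return here: an unknown token must still reach the client
            // authentication below, exactly as in the refresh-token-first path. Returning
            // success before authenticating let anyone probe token existence without a secret.
            refreshTokenDO = null;
          }
        }
      }

      String grantType = StringUtils.EMPTY;
      if (accessTokenDO != null) {
        grantType = accessTokenDO.getGrantType();
      } else if (refreshTokenDO != null) {
        grantType = refreshTokenDO.getGrantType();
      }

      // Implicit-grant tokens belong to public clients that have no secret; every other case
      // (including an unknown token) requires the client to authenticate first.
      if (!StringUtils.equals(OAuthConstants.GrantTypes.IMPLICIT, grantType)
          && !OAuth2Util.authenticateClient(consumerKey, revokeRequestDTO.getConsumerSecret())) {
        return buildUnauthorizedClientResponse();
      }

      if (refreshTokenDO != null) {
        // validateRefreshToken is keyed by consumerKey, so this token is known to belong to the
        // requesting client. Clear caches before touching the store so no stale entry survives.
        org.wso2.carbon.identity.oauth.OAuthUtil.clearOAuthCache(
            consumerKey,
            refreshTokenDO.getAuthorizedUser(),
            OAuth2Util.buildScopeString(refreshTokenDO.getScope()));
        org.wso2.carbon.identity.oauth.OAuthUtil.clearOAuthCache(
            consumerKey, refreshTokenDO.getAuthorizedUser());
        org.wso2.carbon.identity.oauth.OAuthUtil.clearOAuthCache(refreshTokenDO.getAccessToken());

        // Revoking the paired access token invalidates the refresh token with it.
        tokenMgtDAO.revokeTokens(new String[] {refreshTokenDO.getAccessToken()});

        addRevokeResponseHeaders(
            revokeResponseDTO,
            refreshTokenDO.getAccessToken(),
            token,
            refreshTokenDO.getAuthorizedUser().toString());

      } else if (accessTokenDO != null) {
        // NOTE(review): retrieveAccessToken(token, true) is not keyed by consumerKey and no
        // ownership check of the located token against the requesting client is visible here.
        // Unless the DAO scopes the lookup by client, an authenticated client could revoke
        // another client's access token (RFC 7009 §2.1 requires this check) — confirm.
        org.wso2.carbon.identity.oauth.OAuthUtil.clearOAuthCache(
            consumerKey,
            accessTokenDO.getAuthzUser(),
            OAuth2Util.buildScopeString(accessTokenDO.getScope()));
        org.wso2.carbon.identity.oauth.OAuthUtil.clearOAuthCache(
            consumerKey, accessTokenDO.getAuthzUser());
        org.wso2.carbon.identity.oauth.OAuthUtil.clearOAuthCache(token);

        tokenMgtDAO.revokeTokens(new String[] {token});

        addRevokeResponseHeaders(
            revokeResponseDTO,
            token,
            accessTokenDO.getRefreshToken(),
            accessTokenDO.getAuthzUser().toString());
      }

      // Unknown token with a successfully authenticated client: empty success response.
      return revokeResponseDTO;

    } catch (InvalidOAuthClientException e) {
      log.error("Unauthorized Client", e);
      return buildUnauthorizedClientResponse();
    } catch (IdentityException e) {
      log.error("Error occurred while revoking authorization grant for applications", e);
      OAuthRevocationResponseDTO revokeRespDTO = new OAuthRevocationResponseDTO();
      revokeRespDTO.setError(true);
      revokeRespDTO.setErrorCode(OAuth2ErrorCodes.SERVER_ERROR);
      revokeRespDTO.setErrorMsg(
          "Error occurred while revoking authorization grant for applications");
      return revokeRespDTO;
    }
  }

  /**
   * Tells whether a refresh-token lookup result can be revoked: the DO exists and its state is
   * ACTIVE or EXPIRED. Any other state (or a missing/blank state) is treated as "not found".
   *
   * @param refreshTokenDO lookup result, may be {@code null}
   * @return true when the refresh token is revocable
   */
  private boolean isActiveOrExpiredRefreshToken(RefreshTokenValidationDataDO refreshTokenDO) {
    if (refreshTokenDO == null) {
      return false;
    }
    String state = refreshTokenDO.getRefreshTokenState();
    if (StringUtils.isEmpty(state)) {
      return false;
    }
    return OAuthConstants.TokenStates.TOKEN_STATE_ACTIVE.equals(state)
        || OAuthConstants.TokenStates.TOKEN_STATE_EXPIRED.equals(state);
  }

  /**
   * Builds the {@code unauthorized_client} error response returned whenever client
   * authentication fails or the client is invalid.
   *
   * @return a response DTO with the error flag, code and message set
   */
  private OAuthRevocationResponseDTO buildUnauthorizedClientResponse() {
    OAuthRevocationResponseDTO revokeRespDTO = new OAuthRevocationResponseDTO();
    revokeRespDTO.setError(true);
    revokeRespDTO.setErrorCode(OAuth2ErrorCodes.UNAUTHORIZED_CLIENT);
    revokeRespDTO.setErrorMsg("Unauthorized Client");
    return revokeRespDTO;
  }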