// TODO The secret should be a char[] so it can be cleared after use; a String is immutable and cannot be wiped.
  /**
   * Handles a refresh-token request: checks that a refresh token was supplied, validates the
   * client credentials, looks the token up and, if the token's user belongs to the client,
   * refreshes it and returns it as JSON.
   *
   * <p>Failure responses set by this method:
   *
   * <ul>
   *   <li>400 / {@code invalid_request} when {@code refresh_token} is absent or empty;
   *   <li>403 / {@code invalid_client} when {@code validate} returns {@code null};
   *   <li>401 / {@code invalid_grant} when no {@code ExpireToken} is found for the value;
   *   <li>403 / {@code unauthorized_client} when the client does not contain the token's user.
   * </ul>
   *
   * @param clientId identifier of the client making the request
   * @param clientSecret secret presented by the client, passed to {@code validate} as a String
   * @param params request parameters; {@code REFRESH_TOKEN} is read from here
   * @return the JSON token representation on success, otherwise the error representation
   */
  private Representation doRefreshFlow(
      String clientId, String clientSecret, Series<Parameter> params) {
    final String presentedToken = params.getFirstValue(REFRESH_TOKEN);

    // Reject the request before any credential or token lookup when the parameter is unusable.
    if (presentedToken == null || presentedToken.isEmpty()) {
      setStatus(Status.CLIENT_ERROR_BAD_REQUEST);
      return sendError(
          OAuthError.invalid_request, "Mandatory parameter refresh_token is missing", null);
    }

    // Client authentication comes first, so an unauthenticated caller never reaches findToken.
    final Client authenticatedClient = validate(clientId, clientSecret);
    if (authenticatedClient == null) {
      setStatus(Status.CLIENT_ERROR_FORBIDDEN);
      return sendError(OAuthError.invalid_client, "Client id verification failed.", null);
    }

    // instanceof is false for null, so this single test covers both "unknown token" and
    // "token of a kind that cannot be refreshed".
    final Token storedToken = generator.findToken(presentedToken);
    if (!(storedToken instanceof ExpireToken)) {
      setStatus(Status.CLIENT_ERROR_UNAUTHORIZED);
      return sendError(OAuthError.invalid_grant, "Refresh token.", null);
    }

    // The only binding checked here is that the token's user is one of this client's users.
    // NOTE(review): this does not by itself show the token was issued to this client; if a
    // user can belong to several clients, confirm the token-to-client binding is enforced
    // elsewhere.
    // NOTE(review): getUser() is dereferenced without a null check; confirm it cannot return
    // null for a stored ExpireToken.
    final AuthenticatedUser tokenOwner = storedToken.getUser();
    if (!authenticatedClient.containsUser(tokenOwner.getId())) {
      setStatus(Status.CLIENT_ERROR_FORBIDDEN);
      return sendError(OAuthError.unauthorized_client, "User does not match.", null);
    }

    // NOTE(review): whether refreshToken invalidates the previous access/refresh values is
    // not visible here; verify against the generator implementation.
    generator.refreshToken((ExpireToken) storedToken);

    final JSONObject tokenJson = createJsonToken(storedToken, null); // scopes not applicable

    // Token responses must not be cached by intermediaries or the user agent.
    getResponse().setCacheDirectives(noStore);
    return new JsonStringRepresentation(tokenJson);
  }