private OAuth2AccessTokenEntity fetchValidRegistrationToken(
OAuth2Authentication auth, ClientDetailsEntity client) {
OAuth2AuthenticationDetails details = (OAuth2AuthenticationDetails) auth.getDetails();
OAuth2AccessTokenEntity token = tokenService.readAccessToken(details.getTokenValue());
if (config.getRegTokenLifeTime() != null) {
try {
// Re-issue the token if it has been issued before [currentTime - validity]
Date validToDate =
new Date(System.currentTimeMillis() - config.getRegTokenLifeTime() * 1000);
if (token.getJwt().getJWTClaimsSet().getIssueTime().before(validToDate)) {
logger.info("Rotating the registration access token for " + client.getClientId());
tokenService.revokeAccessToken(token);
OAuth2AccessTokenEntity newToken = connectTokenService.createResourceAccessToken(client);
tokenService.saveAccessToken(newToken);
return newToken;
} else {
// it's not expired, keep going
return token;
}
} catch (ParseException e) {
logger.error("Couldn't parse a known-valid token?", e);
return token;
}
} else {
// tokens don't expire, just return it
return token;
}
}
/**
* Get the meta information for a client.
*
* @param clientId
* @param m
* @param auth
* @return
*/
@PreAuthorize(
"hasRole('ROLE_CLIENT') and #oauth2.hasScope('"
+ OAuth2AccessTokenEntity.REGISTRATION_TOKEN_SCOPE
+ "')")
@RequestMapping(value = "/{id}", method = RequestMethod.GET, produces = "application/json")
public String readClientConfiguration(
@PathVariable("id") String clientId, Model m, OAuth2Authentication auth) {
ClientDetailsEntity client = clientService.loadClientByClientId(clientId);
if (client != null && client.getClientId().equals(auth.getOAuth2Request().getClientId())) {
// we return the token that we got in
OAuth2AuthenticationDetails details = (OAuth2AuthenticationDetails) auth.getDetails();
OAuth2AccessTokenEntity token = tokenService.readAccessToken(details.getTokenValue());
// TODO: urlencode the client id for safety?
RegisteredClient registered =
new RegisteredClient(
client, token.getValue(), config.getIssuer() + "register/" + client.getClientId());
// send it all out to the view
m.addAttribute("client", registered);
m.addAttribute("code", HttpStatus.OK); // http 200
return "clientInformationResponseView";
} else {
// client mismatch
logger.error(
"readClientConfiguration failed, client ID mismatch: "
+ clientId
+ " and "
+ auth.getOAuth2Request().getClientId()
+ " do not match.");
m.addAttribute("code", HttpStatus.FORBIDDEN); // http 403
return "httpCodeView";
}
}
/**
* Update the metainformation for a given client.
*
* @param clientId
* @param jsonString
* @param m
* @param auth
* @return
*/
@PreAuthorize(
"hasRole('ROLE_CLIENT') and #oauth2.hasScope('"
+ OAuth2AccessTokenEntity.REGISTRATION_TOKEN_SCOPE
+ "')")
@RequestMapping(
value = "/{id}",
method = RequestMethod.PUT,
produces = "application/json",
consumes = "application/json")
public String updateClient(
@PathVariable("id") String clientId,
@RequestBody String jsonString,
Model m,
OAuth2Authentication auth) {
ClientDetailsEntity newClient = ClientDetailsEntityJsonProcessor.parse(jsonString);
ClientDetailsEntity oldClient = clientService.loadClientByClientId(clientId);
if (newClient != null
&& oldClient != null // we have an existing client and the new one parsed
&& oldClient
.getClientId()
.equals(
auth.getOAuth2Request()
.getClientId()) // the client passed in the URI matches the one in the auth
&& oldClient
.getClientId()
.equals(
newClient.getClientId()) // the client passed in the body matches the one in the URI
) {
// a client can't ask to update its own client secret to any particular value
newClient.setClientSecret(oldClient.getClientSecret());
// we need to copy over all of the local and SECOAUTH fields
newClient.setAccessTokenValiditySeconds(oldClient.getAccessTokenValiditySeconds());
newClient.setIdTokenValiditySeconds(oldClient.getIdTokenValiditySeconds());
newClient.setRefreshTokenValiditySeconds(oldClient.getRefreshTokenValiditySeconds());
newClient.setDynamicallyRegistered(true); // it's still dynamically registered
newClient.setAllowIntrospection(oldClient.isAllowIntrospection());
newClient.setAuthorities(oldClient.getAuthorities());
newClient.setClientDescription(oldClient.getClientDescription());
newClient.setCreatedAt(oldClient.getCreatedAt());
newClient.setReuseRefreshToken(oldClient.isReuseRefreshToken());
// set of scopes that are OK for clients to dynamically register for
Set<SystemScope> dynScopes = scopeService.getDynReg();
// scopes that the client is asking for
Set<SystemScope> requestedScopes = scopeService.fromStrings(newClient.getScope());
// the scopes that the client can have must be a subset of the dynamically allowed scopes
Set<SystemScope> allowedScopes = Sets.intersection(dynScopes, requestedScopes);
// make sure that the client doesn't ask for scopes it can't have
newClient.setScope(scopeService.toStrings(allowedScopes));
try {
// save the client
ClientDetailsEntity savedClient = clientService.updateClient(oldClient, newClient);
// we return the token that we got in
// TODO: rotate this after some set amount of time
OAuth2AuthenticationDetails details = (OAuth2AuthenticationDetails) auth.getDetails();
OAuth2AccessTokenEntity token = tokenService.readAccessToken(details.getTokenValue());
// TODO: urlencode the client id for safety?
RegisteredClient registered =
new RegisteredClient(
savedClient,
token.getValue(),
config.getIssuer() + "register/" + savedClient.getClientId());
// send it all out to the view
m.addAttribute("client", registered);
m.addAttribute("code", HttpStatus.OK); // http 200
return "clientInformationResponseView";
} catch (IllegalArgumentException e) {
logger.error("Couldn't save client", e);
m.addAttribute("code", HttpStatus.BAD_REQUEST);
return "httpCodeView";
}
} else {
// client mismatch
logger.error(
"readClientConfiguration failed, client ID mismatch: "
+ clientId
+ " and "
+ auth.getOAuth2Request().getClientId()
+ " do not match.");
m.addAttribute("code", HttpStatus.FORBIDDEN); // http 403
return "httpCodeView";
}
}
