pulled checks for expired tokens into utility functions

Author: jricher

openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java

@@ -46,6 +46,7 @@
 import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
 import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
 import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
+import org.springframework.security.oauth2.provider.ClientAlreadyExistsException;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
 import org.springframework.security.oauth2.provider.OAuth2Request;
 import org.springframework.security.oauth2.provider.TokenRequest;
@@ -84,14 +85,18 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 @Autowired
 private SystemScopeService scopeService;
 
+@Autowired
+private ApprovedSiteService approvedSiteService;
+
+
 @Override
 public Set<OAuth2AccessTokenEntity> getAllAccessTokensForUser(String id) {
 
 Set<OAuth2AccessTokenEntity> all = tokenRepository.getAllAccessTokens();
 Set<OAuth2AccessTokenEntity> results = Sets.newLinkedHashSet();
 
 for (OAuth2AccessTokenEntity token : all) {
-if (token.getAuthenticationHolder().getAuthentication().getName().equals(id)) {
+if (clearExpiredAccessToken(token) != null && token.getAuthenticationHolder().getAuthentication().getName().equals(id)) {
 results.add(token);
 }
 }
@@ -106,7 +111,7 @@ public Set<OAuth2RefreshTokenEntity> getAllRefreshTokensForUser(String id) {
 Set<OAuth2RefreshTokenEntity> results = Sets.newLinkedHashSet();
 
 for (OAuth2RefreshTokenEntity token : all) {
-if (token.getAuthenticationHolder().getAuthentication().getName().equals(id)) {
+if (clearExpiredRefreshToken(token) != null && token.getAuthenticationHolder().getAuthentication().getName().equals(id)) {
 results.add(token);
 }
 }
@@ -116,18 +121,50 @@ public Set<OAuth2RefreshTokenEntity> getAllRefreshTokensForUser(String id) {
 
 @Override
 public OAuth2AccessTokenEntity getAccessTokenById(Long id) {
-return tokenRepository.getAccessTokenById(id);
+return clearExpiredAccessToken(tokenRepository.getAccessTokenById(id));
 }
 
 @Override
 public OAuth2RefreshTokenEntity getRefreshTokenById(Long id) {
-return tokenRepository.getRefreshTokenById(id);
+return clearExpiredRefreshToken(tokenRepository.getRefreshTokenById(id));
 }
 
-@Autowired
-private ApprovedSiteService approvedSiteService;
-
-
+/**
+ * Utility function to delete an access token that's expired before returning it.
+ * @param token the token to check
+ * @return null if the token is null or expired, the input token (unchanged) if it hasn't
+ */
+private OAuth2AccessTokenEntity clearExpiredAccessToken(OAuth2AccessTokenEntity token) {
+if (token == null) {
+return null;
+} else if (token.isExpired()) {
+// immediately revoke expired token
+logger.debug("Clearing expired access token: " + token.getValue());
+revokeAccessToken(token);
+return null;
+} else {
+return token;
+}
+}
+
+/**
+ * Utility function to delete a refresh token that's expired before returning it.
+ * @param token the token to check
+ * @return null if the token is null or expired, the input token (unchanged) if it hasn't
+ */
+private OAuth2RefreshTokenEntity clearExpiredRefreshToken(OAuth2RefreshTokenEntity token) {
+if (token == null) {
+return null;
+} else if (token.isExpired()) {
+// immediately revoke expired token
+logger.debug("Clearing expired refresh token: " + token.getValue());
+revokeRefreshToken(token);
+return null;
+} else {
+return token;
+}
+}
+
 @Override
 public OAuth2AccessTokenEntity createAccessToken(OAuth2Authentication authentication) throws AuthenticationException, InvalidClientException {
 if (authentication != null && authentication.getOAuth2Request() != null) {
@@ -238,7 +275,7 @@ private OAuth2RefreshTokenEntity createRefreshToken(ClientDetailsEntity client,
 @Override
 public OAuth2AccessTokenEntity refreshAccessToken(String refreshTokenValue, TokenRequest authRequest) throws AuthenticationException {
 
-OAuth2RefreshTokenEntity refreshToken = tokenRepository.getRefreshTokenByValue(refreshTokenValue);
+OAuth2RefreshTokenEntity refreshToken = clearExpiredRefreshToken(tokenRepository.getRefreshTokenByValue(refreshTokenValue));
 
 if (refreshToken == null) {
 throw new InvalidTokenException("Invalid refresh token: " + refreshTokenValue);
@@ -331,14 +368,10 @@ public OAuth2AccessTokenEntity refreshAccessToken(String refreshTokenValue, Toke
 @Override
 public OAuth2Authentication loadAuthentication(String accessTokenValue) throws AuthenticationException {
 
-OAuth2AccessTokenEntity accessToken = tokenRepository.getAccessTokenByValue(accessTokenValue);
+OAuth2AccessTokenEntity accessToken = clearExpiredAccessToken(tokenRepository.getAccessTokenByValue(accessTokenValue));
 
 if (accessToken == null) {
 throw new InvalidTokenException("Invalid access token: " + accessTokenValue);
-} else if (accessToken.isExpired()) {
-//tokenRepository.removeAccessToken(accessToken);
-revokeAccessToken(accessToken);
-throw new InvalidTokenException("Expired access token: " + accessTokenValue);
 } else {
 return accessToken.getAuthenticationHolder().getAuthentication();
 }
@@ -350,13 +383,9 @@ public OAuth2Authentication loadAuthentication(String accessTokenValue) throws A
  */
 @Override
 public OAuth2AccessTokenEntity readAccessToken(String accessTokenValue) throws AuthenticationException {
-OAuth2AccessTokenEntity accessToken = tokenRepository.getAccessTokenByValue(accessTokenValue);
+OAuth2AccessTokenEntity accessToken = clearExpiredAccessToken(tokenRepository.getAccessTokenByValue(accessTokenValue));
 if (accessToken == null) {
 throw new InvalidTokenException("Access token for value " + accessTokenValue + " was not found");
-} else if (accessToken.isExpired()) {
-// immediately revoke the expired token
-revokeAccessToken(accessToken);
-throw new InvalidTokenException("Access token for value " + accessTokenValue + " is expired");
 } else {
 return accessToken;
 }