
Commit 15b0179

committed
added DELETE to token api because revocation endpoint doesn't work for this kind of management, closes mitreid-connect#191
1 parent 89f015c commit 15b0179


1 file changed

+45
-1
lines changed

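--- a/openid-connect-server/src/main/java/org/mitre/oauth2/web/TokenAPI.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/web/TokenAPI.java
@@ -34,7 +34,7 @@
 import org.springframework.web.bind.annotation.RequestMethod;
 
 /**
-* REST-ish API for managing access tokens (GET/read only)
+* REST-ish API for managing access tokens (GET/DELETE only)
 * @author Amanda Anganes
 *
 */
@@ -77,6 +77,28 @@ public String getAccessTokenById(@PathVariable("id") Long id, ModelMap m, Princi
 }
 }
 
+@RequestMapping(value = "/access/{id}", method = RequestMethod.DELETE, produces = "application/json")
+public String deleteAccessTokenById(@PathVariable("id") Long id, ModelMap m, Principal p) {
+
+OAuth2AccessTokenEntity token = tokenService.getAccessTokenById(id);
+
+if (token == null) {
+logger.error("getToken failed; token not found: " + id);
+m.put("code", HttpStatus.NOT_FOUND);
+m.put("errorMessage", "The requested token with id " + id + " could not be found.");
+return "jsonErrorView";
+} else if (!token.getAuthenticationHolder().getAuthentication().getName().equals(p.getName())) {
+logger.error("getToken failed; token does not belong to principal " + p.getName());
+m.put("code", HttpStatus.FORBIDDEN);
+m.put("errorMessage", "You do not have permission to view this token");
+return "jsonErrorView";
+} else {
+tokenService.revokeAccessToken(token);
+
+return "httpCodeView";
+}
+}
+
 @RequestMapping(value = "/refresh", method = RequestMethod.GET, produces = "application/json")
 public String getAllRefreshTokens(ModelMap m, Principal p) {
 
@@ -108,4 +130,26 @@ public String getRefreshTokenById(@PathVariable("id") Long id, ModelMap m, Princ
 }
 }
 
+@RequestMapping(value = "/refresh/{id}", method = RequestMethod.DELETE, produces = "application/json")
+public String deleteRefreshTokenById(@PathVariable("id") Long id, ModelMap m, Principal p) {
+
+OAuth2RefreshTokenEntity token = tokenService.getRefreshTokenById(id);
+
+if (token == null) {
+logger.error("refresh token not found: " + id);
+m.put("code", HttpStatus.NOT_FOUND);
+m.put("errorMessage", "The requested token with id " + id + " could not be found.");
+return "jsonErrorView";
+} else if (!token.getAuthenticationHolder().getAuthentication().getName().equals(p.getName())) {
+logger.error("refresh token " + id + " does not belong to principal " + p.getName());
+m.put("code", HttpStatus.FORBIDDEN);
+m.put("errorMessage", "You do not have permission to view this token");
+return "jsonErrorView";
+} else {
+tokenService.revokeRefreshToken(token);
+
+return "httpCodeView";
+}
+}
+
 }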
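Review bot: Both new DELETE handlers return `"httpCodeView"` from their success branch (new lines 96–98 and 149–151) without putting a `code` into the model, while every error branch sets `m.put("code", …)` before returning `jsonErrorView`; if `httpCodeView` reads its status from the model the way `jsonErrorView` evidently does, the success response's status is left unspecified, so add `m.put("code", HttpStatus.OK);` (or `NO_CONTENT`) before the return in both methods. The messages in `deleteAccessTokenById` appear to have been copied from the GET handler: `logger.error("getToken failed; ...")` and `"You do not have permission to view this token"` describe a read, not a revocation, so log review will misattribute these events — reword to `"deleteToken failed; token not found: " + id` and `"You do not have permission to delete this token"` (the same "view" wording is repeated in `deleteRefreshTokenById`). The NOT_FOUND/FORBIDDEN split also tells any authenticated caller whether a given numeric token id exists; for a DELETE, answering both failures with NOT_FOUND closes that oracle, though it would diverge from the existing GET handlers, which are outside this hunk.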
