check access token expiration on read. closes mitreid-connect#983

Author: jricher

openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java

@@ -335,15 +335,13 @@ public OAuth2Authentication loadAuthentication(String accessTokenValue) throws A
 
 if (accessToken == null) {
 throw new InvalidTokenException("Invalid access token: " + accessTokenValue);
-}
-
-if (accessToken.isExpired()) {
+} else if (accessToken.isExpired()) {
 //tokenRepository.removeAccessToken(accessToken);
 revokeAccessToken(accessToken);
 throw new InvalidTokenException("Expired access token: " + accessTokenValue);
+} else {
+return accessToken.getAuthenticationHolder().getAuthentication();
 }
-
-return accessToken.getAuthenticationHolder().getAuthentication();
 }
 
 
@@ -355,8 +353,11 @@ public OAuth2AccessTokenEntity readAccessToken(String accessTokenValue) throws A
 OAuth2AccessTokenEntity accessToken = tokenRepository.getAccessTokenByValue(accessTokenValue);
 if (accessToken == null) {
 throw new InvalidTokenException("Access token for value " + accessTokenValue + " was not found");
-}
-else {
+} else if (accessToken.isExpired()) {
+// immediately revoke the expired token
+revokeAccessToken(accessToken);
+throw new InvalidTokenException("Access token for value " + accessTokenValue + " is expired");
+} else {
 return accessToken;
 }
 }