Polish gh-1152
This commit is contained in:
@@ -17,7 +17,6 @@ package org.springframework.security.oauth2.server.authorization.authentication;
|
||||
|
||||
import org.springframework.security.authentication.AuthenticationProvider;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.oauth2.core.OAuth2AccessToken;
|
||||
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
|
||||
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
|
||||
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
|
||||
@@ -56,25 +55,6 @@ final class OAuth2AuthenticationProviderUtils {
|
||||
(metadata) ->
|
||||
metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true));
|
||||
|
||||
if (OAuth2AuthorizationCode.class.isAssignableFrom(token.getClass())) {
|
||||
OAuth2Authorization.Token<OAuth2AccessToken> accessToken = authorization.getAccessToken();
|
||||
if (accessToken != null && !accessToken.isInvalidated()) {
|
||||
authorizationBuilder.token(
|
||||
accessToken.getToken(),
|
||||
(metadata) ->
|
||||
metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true));
|
||||
}
|
||||
|
||||
OAuth2Authorization.Token<OAuth2RefreshToken> refreshToken = authorization.getRefreshToken();
|
||||
if (refreshToken != null && !refreshToken.isInvalidated()) {
|
||||
authorizationBuilder.token(
|
||||
refreshToken.getToken(),
|
||||
(metadata) ->
|
||||
metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true));
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
if (OAuth2RefreshToken.class.isAssignableFrom(token.getClass())) {
|
||||
authorizationBuilder.token(
|
||||
authorization.getAccessToken().getToken(),
|
||||
|
||||
@@ -150,10 +150,16 @@ public final class OAuth2AuthorizationCodeAuthenticationProvider implements Auth
|
||||
|
||||
if (!authorizationCode.isActive()) {
|
||||
if (authorizationCode.isInvalidated()) {
|
||||
authorization = OAuth2AuthenticationProviderUtils.invalidate(authorization, authorizationCode.getToken());
|
||||
this.authorizationService.save(authorization);
|
||||
if (this.logger.isWarnEnabled()) {
|
||||
this.logger.warn(LogMessage.format("Invalidated authorization tokens previously issued based on the authorization code"));
|
||||
OAuth2Token token = authorization.getRefreshToken() != null ?
|
||||
authorization.getRefreshToken().getToken() :
|
||||
authorization.getAccessToken().getToken();
|
||||
if (token != null) {
|
||||
// Invalidate the access (and refresh) token as the client is attempting to use the authorization code more than once
|
||||
authorization = OAuth2AuthenticationProviderUtils.invalidate(authorization, token);
|
||||
this.authorizationService.save(authorization);
|
||||
if (this.logger.isWarnEnabled()) {
|
||||
this.logger.warn(LogMessage.format("Invalidated authorization token(s) previously issued to registered client '%s'", registeredClient.getId()));
|
||||
}
|
||||
}
|
||||
}
|
||||
throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT);
|
||||
@@ -176,12 +182,7 @@ public final class OAuth2AuthorizationCodeAuthenticationProvider implements Auth
|
||||
.authorizationGrant(authorizationCodeAuthentication);
|
||||
// @formatter:on
|
||||
|
||||
// @formatter:off
|
||||
OAuth2Authorization.Builder authorizationBuilder = OAuth2Authorization.from(authorization)
|
||||
// Invalidate the authorization code as it can only be used once
|
||||
.token(authorizationCode.getToken(), metadata ->
|
||||
metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true));
|
||||
// @formatter:on
|
||||
OAuth2Authorization.Builder authorizationBuilder = OAuth2Authorization.from(authorization);
|
||||
|
||||
// ----- Access token -----
|
||||
OAuth2TokenContext tokenContext = tokenContextBuilder.tokenType(OAuth2TokenType.ACCESS_TOKEN).build();
|
||||
@@ -262,6 +263,9 @@ public final class OAuth2AuthorizationCodeAuthenticationProvider implements Auth
|
||||
|
||||
authorization = authorizationBuilder.build();
|
||||
|
||||
// Invalidate the authorization code as it can only be used once
|
||||
authorization = OAuth2AuthenticationProviderUtils.invalidate(authorization, authorizationCode.getToken());
|
||||
|
||||
this.authorizationService.save(authorization);
|
||||
|
||||
if (this.logger.isTraceEnabled()) {
|
||||
@@ -314,4 +318,5 @@ public final class OAuth2AuthorizationCodeAuthenticationProvider implements Auth
|
||||
}
|
||||
return sessionInformation;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user