From 64ddcfc3ec4a987bb3aaa8ce03dcc71a363f82b7 Mon Sep 17 00:00:00 2001
From: Joe Grandja
Date: Mon, 8 May 2023 13:36:05 -0400
Subject: [PATCH] Polish gh-1152

---
 .../OAuth2AuthenticationProviderUtils.java | 20 ---------------
 ...thorizationCodeAuthenticationProvider.java | 25 +++++++++++--------
 2 files changed, 15 insertions(+), 30 deletions(-)

diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthenticationProviderUtils.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthenticationProviderUtils.java
index 99224cd7..97bc402f 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthenticationProviderUtils.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthenticationProviderUtils.java
@@ -17,7 +17,6 @@ package org.springframework.security.oauth2.server.authorization.authentication;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.oauth2.core.OAuth2AccessToken;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
 import org.springframework.security.oauth2.core.OAuth2RefreshToken;
@@ -56,25 +55,6 @@ final class OAuth2AuthenticationProviderUtils {
 (metadata) -> metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true));
- if (OAuth2AuthorizationCode.class.isAssignableFrom(token.getClass())) {
- OAuth2Authorization.Token accessToken = authorization.getAccessToken();
- if (accessToken != null && !accessToken.isInvalidated()) {
- authorizationBuilder.token(
- accessToken.getToken(),
- (metadata) ->
- metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true));
- }
-
- OAuth2Authorization.Token refreshToken = authorization.getRefreshToken();
- if (refreshToken != null && !refreshToken.isInvalidated()) {
- authorizationBuilder.token(
- refreshToken.getToken(),
- (metadata) ->
- metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true));
- }
-
- }
-
 if (OAuth2RefreshToken.class.isAssignableFrom(token.getClass())) {
 authorizationBuilder.token(
 authorization.getAccessToken().getToken(),
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java
index 51c8af24..6fa29c8c 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java
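Review bot: The surviving refresh-token branch still calls `authorization.getAccessToken().getToken()` with no null check, whereas the removed authorization-code branch guarded both `accessToken != null` and `!accessToken.isInvalidated()` before cascading; a caller that passes a refresh token for an authorization that has no access token would get a NullPointerException instead of an invalidated authorization. If that combination cannot occur by construction, a one-line comment stating so would spare the next reader the question; otherwise guard the cascade as the removed code did, e.g. `if (authorization.getAccessToken() != null) {` around the `authorizationBuilder.token(...)` call. The `invalidate` method begins before this hunk and ends after it, so I cannot see whether a guard already exists further down.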
@@ -150,10 +150,16 @@ public final class OAuth2AuthorizationCodeAuthenticationProvider implements Auth
 if (!authorizationCode.isActive()) {
 if (authorizationCode.isInvalidated()) {
- authorization = OAuth2AuthenticationProviderUtils.invalidate(authorization, authorizationCode.getToken());
- this.authorizationService.save(authorization);
- if (this.logger.isWarnEnabled()) {
- this.logger.warn(LogMessage.format("Invalidated authorization tokens previously issued based on the authorization code"));
+ OAuth2Token token = authorization.getRefreshToken() != null ?
+ authorization.getRefreshToken().getToken() :
+ authorization.getAccessToken().getToken();
+ if (token != null) {
+ // Invalidate the access (and refresh) token as the client is attempting to use the authorization code more than once
+ authorization = OAuth2AuthenticationProviderUtils.invalidate(authorization, token);
+ this.authorizationService.save(authorization);
+ if (this.logger.isWarnEnabled()) {
+ this.logger.warn(LogMessage.format("Invalidated authorization token(s) previously issued to registered client '%s'", registeredClient.getId()));
+ }
 }
 }
 throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT);
@@ -176,12 +182,7 @@ public final class OAuth2AuthorizationCodeAuthenticationProvider implements Auth
 .authorizationGrant(authorizationCodeAuthentication);
 // @formatter:on
- // @formatter:off
- OAuth2Authorization.Builder authorizationBuilder = OAuth2Authorization.from(authorization)
- // Invalidate the authorization code as it can only be used once
- .token(authorizationCode.getToken(), metadata ->
- metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true));
- // @formatter:on
+ OAuth2Authorization.Builder authorizationBuilder = OAuth2Authorization.from(authorization);
 // ----- Access token -----
 OAuth2TokenContext tokenContext = tokenContextBuilder.tokenType(OAuth2TokenType.ACCESS_TOKEN).build();
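Review bot: The `if (token != null)` guard comes one step too late: the third added line dereferences `authorization.getAccessToken()` unconditionally, so an authorization whose code was invalidated before any token was issued (no refresh token and no access token) would fail here with a NullPointerException rather than the intended INVALID_GRANT; whether such an authorization can reach this branch depends on the other invalidation paths of this provider, which lie outside the hunk. Guarding the wrapper instead of the unwrapped token closes the gap: `OAuth2Authorization.Token<? extends OAuth2Token> issued = authorization.getRefreshToken() != null ? authorization.getRefreshToken() : authorization.getAccessToken();` followed by `if (issued != null) {` and `invalidate(authorization, issued.getToken())`. With that wrapper in hand it is also cheap to skip the `save` when `issued.isInvalidated()` is already true, so repeated replays of the same code do not each cost a persistence write. The revocation-on-replay behaviour itself matches RFC 6749 §4.1.2 and is the right response. The enclosing `authenticate` method starts before and ends after this hunk.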
@@ -262,6 +263,9 @@ public final class OAuth2AuthorizationCodeAuthenticationProvider implements Auth
 authorization = authorizationBuilder.build();
+ // Invalidate the authorization code as it can only be used once
+ authorization = OAuth2AuthenticationProviderUtils.invalidate(authorization, authorizationCode.getToken());
+
 this.authorizationService.save(authorization);
 if (this.logger.isTraceEnabled()) {
@@ -314,4 +318,5 @@ public final class OAuth2AuthorizationCodeAuthenticationProvider implements Auth
 }
 return sessionInformation;
 }
+
 }
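Review bot: Marking the code invalidated here and persisting it with `save` is not atomic with the `isActive()` check earlier in the method, so two exchanges of the same code that race between the lookup and this save can both mint tokens; the replay branch only catches a presentation that arrives after the save has landed. That is acceptable if the OAuth2AuthorizationService implementation serializes updates to a single authorization, but nothing in this method enforces it and the new comment does not mention the assumption. I would extend the added comment to `// Invalidate the authorization code as it can only be used once. Single-use enforcement relies on the OAuth2AuthorizationService serializing concurrent saves; the isActive() check above is not atomic with this save.` The enclosing method starts before and ends after this hunk.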