diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServices.java b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServices.java
index c6cba5246cb..aee64f67892 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServices.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServices.java
@@ -286,9 +286,9 @@ public OAuth2AccessToken refreshAccessToken(String refreshTokenValue, TokenReque
         if (authenticationData.clientAuth != null && CLIENT_AUTH_NONE.equals(authenticationData.clientAuth)) {
             // public refresh flow, allowed if access_token before was also without authentiation (claim: client_auth_method=none)
             if (!CLIENT_AUTH_NONE.equals(claims.getClientAuth())) {
-                throw new InvalidTokenException("Refresh without client authentication not allowed.");
+                throw new TokenRevokedException("Refresh without client authentication not allowed.");
             }
-            additionalRootClaims = addRootClaimEntry(additionalRootClaims, CLIENT_AUTH_METHOD, authenticationData.clientAuth);
+            addRootClaimEntry(additionalRootClaims, CLIENT_AUTH_METHOD, authenticationData.clientAuth);
         }
 
         String accessTokenId = generateUniqueTokenId();
diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/RefreshRotationTest.java b/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/RefreshRotationTest.java
index 921d625a223..46c3a0b96eb 100644
--- a/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/RefreshRotationTest.java
+++ b/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/RefreshRotationTest.java
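Review bot: The new `addRootClaimEntry(additionalRootClaims, CLIENT_AUTH_METHOD, authenticationData.clientAuth);` discards the value that the removed line assigned back to `additionalRootClaims`; if the helper builds a fresh map when its first argument is null (which the previous assignment pattern suggests), the client_auth_method=none entry is silently dropped on that path, and a later rotation of the same public client could then fail the `CLIENT_AUTH_NONE.equals(claims.getClientAuth())` check just above. Unless `additionalRootClaims` is guaranteed non-null at this point, keep `additionalRootClaims = addRootClaimEntry(additionalRootClaims, CLIENT_AUTH_METHOD, authenticationData.clientAuth);`. The switch from InvalidTokenException to TokenRevokedException also reports a client-authentication mismatch as a revocation; confirm that the OAuth error response mapped from TokenRevokedException is the one intended for this case, and a one-line comment on the throw stating that choice would help the next reader. refreshAccessToken starts and ends outside the hunk.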
@@ -14,7 +14,6 @@ import org.springframework.security.core.Authentication; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.oauth2.common.OAuth2AccessToken; -import org.springframework.security.oauth2.common.exceptions.InvalidTokenException; import org.springframework.security.oauth2.provider.AuthorizationRequest; import org.springframework.security.oauth2.provider.OAuth2Authentication; import org.springframework.security.oauth2.provider.OAuth2Request; @@ -38,10 +37,10 @@ import static org.hamcrest.CoreMatchers.notNullValue; import static org.hamcrest.MatcherAssert.assertThat; import static org.hamcrest.Matchers.hasEntry; -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertNotEquals; -import static org.junit.Assert.assertNull; -import static org.junit.Assert.assertThrows; +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertNotEquals; +import static org.junit.jupiter.api.Assertions.assertNull; +import static org.junit.jupiter.api.Assertions.assertThrows; import static org.mockito.Mockito.mock; import static org.mockito.Mockito.when; @@ -124,7 +123,7 @@ void testRefreshPublicClientWithRotation() { new IdentityZoneManagerImpl().getCurrentIdentityZone().getConfig().getTokenPolicy().setRefreshTokenRotate(true); CompositeToken accessToken = (CompositeToken) tokenServices.createAccessToken(authentication); - assertThat(UaaTokenUtils.getClaims(accessToken.getValue()), hasEntry(CLIENT_AUTH_METHOD, "none")); + assertThat(UaaTokenUtils.getClaims(accessToken.getValue()), hasEntry(CLIENT_AUTH_METHOD, CLIENT_AUTH_METHOD)); String refreshTokenValue = accessToken.getRefreshToken().getValue(); assertThat(refreshTokenValue, is(notNullValue())); 
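Review bot: Replacing the `org.junit.Assert` static imports with `org.junit.jupiter.api.Assertions` changes the parameter order of assertNotEquals, and the two call sites in testRefreshPublicClientWithRotation (visible as context lines in the following -132,11 hunk) still use the JUnit 4 order `assertNotEquals("New access token should be different from the old one.", refreshTokenValue, refreshedToken.getRefreshToken().getValue());`. Under Jupiter the first two arguments are the compared values, so that line compares the message literal against refreshTokenValue, which is always unequal, and the rotation check passes vacuously while the refreshed token value becomes the failure message. Move the message last at both sites: `assertNotEquals(refreshTokenValue, refreshedToken.getRefreshToken().getValue(), "New access token should be different from the old one.");`.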
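Review bot: The replacement `hasEntry(CLIENT_AUTH_METHOD, CLIENT_AUTH_METHOD)` asserts that the client_auth_method claim holds the claim's own name rather than the value "none" the removed line checked; the production branch in the UaaTokenServices hunk compares against CLIENT_AUTH_NONE, and the parallel hunks in UaaTokenServicesTests use CLIENT_AUTH_NONE for the same value. Unless CLIENT_AUTH_METHOD in this test file resolves to a different constant than the claim name, the intended form is `hasEntry(CLIENT_AUTH_METHOD, CLIENT_AUTH_NONE)` here and at the two assertions in the -132,11 hunk, and `authorizationRequest.setExtensions(Map.of(CLIENT_AUTH_METHOD, CLIENT_AUTH_NONE));` in the -150,7 hunk. If the assertions pass as written, the test appears to exercise a client whose auth method is literally the claim name rather than a public client, which is not the scenario the test names.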
@@ -132,11 +131,11 @@ void testRefreshPublicClientWithRotation() { OAuth2AccessToken refreshedToken = tokenServices.refreshAccessToken(refreshTokenValue, new TokenRequest(new HashMap<>(), CLIENT_ID, Lists.newArrayList("openid"), GRANT_TYPE_REFRESH_TOKEN)); assertThat(refreshedToken, is(notNullValue())); assertNotEquals("New access token should be different from the old one.", refreshTokenValue, refreshedToken.getRefreshToken().getValue()); - assertThat(UaaTokenUtils.getClaims(refreshedToken.getValue()), hasEntry(CLIENT_AUTH_METHOD, "none")); + assertThat(UaaTokenUtils.getClaims(refreshedToken.getValue()), hasEntry(CLIENT_AUTH_METHOD, CLIENT_AUTH_METHOD)); refreshedToken = tokenServices.refreshAccessToken(refreshTokenValue, new TokenRequest(new HashMap<>(), CLIENT_ID, Lists.newArrayList("openid"), GRANT_TYPE_REFRESH_TOKEN)); assertNotEquals("New access token should be different from the old one.", refreshTokenValue, refreshedToken.getRefreshToken().getValue()); - assertThat(UaaTokenUtils.getClaims(refreshedToken.getValue()), hasEntry(CLIENT_AUTH_METHOD, "none")); + assertThat(UaaTokenUtils.getClaims(refreshedToken.getValue()), hasEntry(CLIENT_AUTH_METHOD, CLIENT_AUTH_METHOD)); } @Test @@ -150,7 +149,7 @@ void testRefreshPublicClientWithoutRotation() { Map azParameters = new HashMap<>(authorizationRequest.getRequestParameters()); azParameters.put(GRANT_TYPE, GRANT_TYPE_AUTHORIZATION_CODE); authorizationRequest.setRequestParameters(azParameters); - authorizationRequest.setExtensions(Map.of(CLIENT_AUTH_METHOD, "none")); + authorizationRequest.setExtensions(Map.of(CLIENT_AUTH_METHOD, CLIENT_AUTH_METHOD)); OAuth2Request oAuth2Request = authorizationRequest.createOAuth2Request(); OAuth2Authentication authentication = new OAuth2Authentication(oAuth2Request, tokenSupport.defaultUserAuthentication); CompositeToken accessToken = (CompositeToken) tokenServices.createAccessToken(authentication); 
@@ -160,7 +159,7 @@ void testRefreshPublicClientWithoutRotation() { assertThat(refreshTokenValue, is(notNullValue())); setupOAuth2Authentication(oAuth2Request); - Exception exception = assertThrows(InvalidTokenException.class, () -> + RuntimeException exception = assertThrows(TokenRevokedException.class, () -> tokenServices.refreshAccessToken(refreshTokenValue, new TokenRequest(new HashMap<>(), CLIENT_ID, Lists.newArrayList("openid"), GRANT_TYPE_REFRESH_TOKEN))); assertEquals("Refresh without client authentication not allowed.", exception.getMessage()); } diff --git a/uaa/src/test/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServicesTests.java b/uaa/src/test/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServicesTests.java index 019224a5632..fa62e96183c 100644 --- a/uaa/src/test/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServicesTests.java +++ b/uaa/src/test/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServicesTests.java @@ -55,6 +55,7 @@ import java.util.stream.Stream; import static org.cloudfoundry.identity.uaa.oauth.TokenTestSupport.GRANT_TYPE; +import static org.cloudfoundry.identity.uaa.oauth.token.TokenConstants.CLIENT_AUTH_NONE; import static org.cloudfoundry.identity.uaa.oauth.token.TokenConstants.GRANT_TYPE_AUTHORIZATION_CODE; import static org.cloudfoundry.identity.uaa.oauth.token.TokenConstants.GRANT_TYPE_CLIENT_CREDENTIALS; import static org.cloudfoundry.identity.uaa.oauth.token.TokenConstants.GRANT_TYPE_IMPLICIT; @@ -280,7 +281,7 @@ void happyCase() { false, new Date(), null, - null + Map.of(ClaimConstants.CLIENT_AUTH_METHOD, CLIENT_AUTH_NONE) ); UaaUser uaaUser = jdbcUaaUserDatabase.retrieveUserByName("admin", "uaa"); refreshToken = refreshTokenCreator.createRefreshToken(uaaUser, refreshTokenRequestData, null); 
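Review bot: `RuntimeException exception = assertThrows(TokenRevokedException.class, () ->` widens the result for no reason; Jupiter's assertThrows returns the expected exception type, so `TokenRevokedException exception = assertThrows(TokenRevokedException.class, () ->` keeps the type information and makes the expectation visible at the declaration. The `assertEquals("Refresh without client authentication not allowed.", exception.getMessage());` check below is unaffected either way.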
@@ -289,12 +290,12 @@ void happyCase() { SecurityContextHolder.getContext().setAuthentication(authentication); OAuth2Request auth2Request = mock(OAuth2Request.class); when(authentication.getOAuth2Request()).thenReturn(auth2Request); - when(auth2Request.getExtensions()).thenReturn(Map.of(ClaimConstants.CLIENT_AUTH_METHOD, "none")); + when(auth2Request.getExtensions()).thenReturn(Map.of(ClaimConstants.CLIENT_AUTH_METHOD, CLIENT_AUTH_NONE)); OAuth2AccessToken refreshedToken = tokenServices.refreshAccessToken(this.refreshToken.getValue(), new TokenRequest(new HashMap<>(), "jku_test", Lists.newArrayList("openid", "user_attributes"), GRANT_TYPE_REFRESH_TOKEN)); assertThat(refreshedToken, is(notNullValue())); Map claims = UaaTokenUtils.getClaims(refreshedToken.getValue()); - assertThat(claims, hasEntry(ClaimConstants.CLIENT_AUTH_METHOD, "none")); + assertThat(claims, hasEntry(ClaimConstants.CLIENT_AUTH_METHOD, CLIENT_AUTH_NONE)); } @MethodSource("org.cloudfoundry.identity.uaa.oauth.UaaTokenServicesTests#dates")