On OBO, When a token is user disabled, it should be possible to use t…
…he short lived token to delete
amontenegro committed Aug 1, 2024
1 parent 3132245 commit 64e8c47
Showing 1 changed file with 9 additions and 4 deletions.
Expand Up @@ -50,7 +50,6 @@
*/
public class IETFExchangeTokenGranter implements TokenGranter {

public static final String IETF_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange";
private AuthorizationServerTokenServices tokenServices;

@Resource(name = "orcidOauth2AuthoriziationCodeDetailDao")
Expand All @@ -75,7 +74,7 @@ public class IETFExchangeTokenGranter implements TokenGranter {
@Resource
OpenIDConnectTokenEnhancer openIDConnectTokenEnhancer;

private List<String> doNotAllowDeleteOnTheseRevokeReasons = List.of(RevokeReason.CLIENT_REVOKED.name(), RevokeReason.STAFF_REVOKED.name());
private final List<RevokeReason> doNotAllowDeleteOnTheseRevokeReasons = List.of(RevokeReason.CLIENT_REVOKED, RevokeReason.STAFF_REVOKED, RevokeReason.RECORD_DEACTIVATED, RevokeReason.AUTH_CODE_REUSED);

public IETFExchangeTokenGranter(AuthorizationServerTokenServices tokenServices) {
this.tokenServices = tokenServices;
Expand Down Expand Up @@ -239,10 +238,12 @@ private OAuth2AccessToken generateAccessToken(TokenRequest tokenRequest, String
Set<ScopePathType> inactiveScopesOBO = Sets.newHashSet();
boolean issueRevokedToken = false;
RevokeReason revokeReason = null;
// Lets consider token expiration time anything that goes beyond this date
Date now = new Date();
for (OrcidOauth2TokenDetail d : details) {
Set<ScopePathType> scopesInToken = ScopePathType.getScopesFromSpaceSeparatedString(d.getScope());
// If token is expired, we should ignore it
if (d.getTokenExpiration().after(new Date())) {
if (d.getTokenExpiration().after(now)) {
// If token is disabled, we should know if it have the /activities/update scope on it
if(d.getTokenDisabled() == null || !d.getTokenDisabled()) {
activeScopesOBO.addAll(scopesInToken);
Expand All @@ -257,8 +258,12 @@ private OAuth2AccessToken generateAccessToken(TokenRequest tokenRequest, String
// Keep only the /activities/update scope if the token was not revoked by a client or staff member
if(revokeReason == null || !doNotAllowDeleteOnTheseRevokeReasons.contains(revokeReason)) {
inactiveScopesOBO.add(ScopePathType.ACTIVITIES_UPDATE);
} else {
throw new OrcidInvalidScopeException("The id_token is disabled and does not contain any valid scope");
}
}
} else {
throw new OrcidInvalidScopeException("The id_token is disabled and does not contain any valid scope");
}
}
}
}
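Review bot: Both new `throw new OrcidInvalidScopeException(...)` statements sit inside the `for (OrcidOauth2TokenDetail d : details)` loop, so the first token whose `revokeReason` is in `doNotAllowDeleteOnTheseRevokeReasons` (or that reaches the second `} else {`) aborts the whole exchange before the remaining entries of `details` are examined, even though an unexpired, enabled token later in the list would have contributed to `activeScopesOBO`. If a single revoked token is meant to poison the exchange for that client/user pair, that is a reasonable hardening but deserves a comment stating it, e.g. `// Any token revoked by client/staff, deactivation or auth-code reuse rejects the exchange outright`; if not, record the condition in a flag (or `continue`) and throw after the loop only when both scope sets are empty. The same message is used in both branches although the inner one fires specifically for a revoked token; `"The id_token was revoked and cannot be exchanged"` would be clearer for the client without disclosing the revoke reason. `generateAccessToken` begins and ends outside the hunk and the `if` that the second `} else {` belongs to is in the collapsed lines, so which branch it guards is inferred rather than visible.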
