Validate client details in DefaultTokenServices.loadAuthentication(to…

…ken) If the ClientDetailsService is not-null it is used to validate the client still exists and still has access to the scopes in the token. This commit only addresses the existence of the client. Scope checking is something that ought to be ain a strategy and we don't have an appropriate one right now so more thinking required. See spring-atticgh-185
agjgupta · Apr 18, 2014 · 97e2df1 · 97e2df1
1 parent aceebeb
commit 97e2df1
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 2 deletions.
diff --git a/...rc/main/java/org/springframework/security/oauth2/provider/token/DefaultTokenServices.java b/...rc/main/java/org/springframework/security/oauth2/provider/token/DefaultTokenServices.java
@@ -29,6 +29,7 @@
 import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
 import org.springframework.security.oauth2.provider.ClientDetails;
 import org.springframework.security.oauth2.provider.ClientDetailsService;
+import org.springframework.security.oauth2.provider.ClientRegistrationException;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
 import org.springframework.security.oauth2.provider.OAuth2Request;
 import org.springframework.security.oauth2.provider.TokenRequest;
@@ -213,6 +214,15 @@ else if (accessToken.isExpired()) {
 		}
 
 		OAuth2Authentication result = tokenStore.readAuthentication(accessToken);
+		if (clientDetailsService != null) {
+			String clientId = result.getOAuth2Request().getClientId();
+			try {
+				clientDetailsService.loadClientByClientId(clientId);
+			}
+			catch (ClientRegistrationException e) {
+				throw new InvalidTokenException("Client not valid: " + clientId, e);
+			}
+		}
 		return result;
 	}
 

diff --git a/...org/springframework/security/oauth2/provider/token/AbstractDefaultTokenServicesTests.java b/...org/springframework/security/oauth2/provider/token/AbstractDefaultTokenServicesTests.java
@@ -14,12 +14,14 @@
 package org.springframework.security.oauth2.provider.token;
 
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;
 
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.Date;
 import java.util.LinkedHashSet;
+import java.util.concurrent.atomic.AtomicBoolean;
 
 import org.junit.Before;
 import org.junit.Test;
@@ -28,9 +30,11 @@
 import org.springframework.security.oauth2.common.ExpiringOAuth2RefreshToken;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
 import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
+import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
 import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
 import org.springframework.security.oauth2.provider.ClientDetails;
 import org.springframework.security.oauth2.provider.ClientDetailsService;
+import org.springframework.security.oauth2.provider.ClientRegistrationException;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
 import org.springframework.security.oauth2.provider.RequestTokenFactory;
 import org.springframework.security.oauth2.provider.TokenRequest;
@@ -71,6 +75,27 @@ public ClientDetails loadClientByClientId(String clientId) throws OAuth2Exceptio
 		assertTrue(expectedExpiryDate.after(refreshToken.getExpiration()));
 	}
 
+	@Test(expected = InvalidTokenException.class)
+	public void testClientInvalidated() throws Exception {
+		final AtomicBoolean deleted = new AtomicBoolean();
+		getTokenServices().setClientDetailsService(new ClientDetailsService() {
+			public ClientDetails loadClientByClientId(String clientId) throws OAuth2Exception {
+				if (deleted.get()) {
+					throw new ClientRegistrationException("No such client: " + clientId);
+				}
+				BaseClientDetails client = new BaseClientDetails();
+				client.setRefreshTokenValiditySeconds(100);
+				client.setAuthorizedGrantTypes(Arrays.asList("authorization_code", "refresh_token"));
+				return client;
+			}
+		});
+		OAuth2AccessToken token = getTokenServices()
+				.createAccessToken(createAuthentication());
+		deleted.set(true);
+		OAuth2Authentication authentication = getTokenServices().loadAuthentication(token.getValue());
+		assertNotNull(authentication.getOAuth2Request());
+	}
+
 	@Test(expected = InvalidGrantException.class)
 	public void testRefreshedTokenInvalidWithWrongClient() throws Exception {
 		ExpiringOAuth2RefreshToken expectedExpiringRefreshToken = (ExpiringOAuth2RefreshToken) getTokenServices()
@@ -142,7 +167,7 @@ public void testRefreshedTokenHasScopes() throws Exception {
 
 	protected void configureTokenServices(DefaultTokenServices services) throws Exception {
 		services.setTokenStore(tokenStore);
-		services.setSupportRefreshToken(true);		
+		services.setSupportRefreshToken(true);
 		services.afterPropertiesSet();
 	}
 
@@ -182,5 +207,5 @@ public Object getPrincipal() {
 			return this.principal;
 		}
 	}
-	
+
 }