[GitHub] [cxf] coheigea commented on a diff in pull request #989: Make opaque access token generation extensible

Mon, 29 Aug 2022 04:56:27 -0700 


coheigea commented on code in PR #989:
URL: https://github.com/apache/cxf/pull/989#discussion_r957229553


##########
rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java:
##########
@@ -394,35 +419,31 @@ protected void linkRefreshTokenToAccessToken(RefreshToken 
rt, ServerAccessToken
     protected ServerAccessToken doRefreshAccessToken(Client client,
                                                      RefreshToken 
oldRefreshToken,
                                                      List<String> 
restrictedScopes) {
-        ServerAccessToken at = createNewAccessToken(client, 
oldRefreshToken.getSubject());
-        at.setAudiences(oldRefreshToken.getAudiences() != null
-                ? new ArrayList<String>(oldRefreshToken.getAudiences()) : 
null);
-        at.setGrantType(oldRefreshToken.getGrantType());
-        at.setGrantCode(oldRefreshToken.getGrantCode());
-        at.setSubject(oldRefreshToken.getSubject());
-        at.setNonce(oldRefreshToken.getNonce());
-        at.setClientCodeVerifier(oldRefreshToken.getClientCodeVerifier());
-        at.getExtraProperties().putAll(oldRefreshToken.getExtraProperties());
+
+        List<OAuthPermission> theNewScopes = null;
+
         if (restrictedScopes.isEmpty()) {
-            at.setScopes(oldRefreshToken.getScopes() != null
-                    ? new 
ArrayList<OAuthPermission>(oldRefreshToken.getScopes()) : null);
+            theNewScopes = oldRefreshToken.getScopes() != null ?
+                    new 
ArrayList<OAuthPermission>(oldRefreshToken.getScopes()) : null;
         } else {
-            List<OAuthPermission> theNewScopes = 
convertScopeToPermissions(client, restrictedScopes);
-            if (oldRefreshToken.getScopes().containsAll(theNewScopes)) {
-                at.setScopes(theNewScopes);
-            } else {
+            theNewScopes = convertScopeToPermissions(client, restrictedScopes);
+            if (!oldRefreshToken.getScopes().containsAll(theNewScopes)) {
                 throw new OAuthServiceException("Invalid scopes");
             }
         }
 
+        ServerAccessToken at =
+            doCreateAccessToken(
+                oldRefreshToken.getAudiences() != null ?
+                    new ArrayList<String>(oldRefreshToken.getAudiences()) : 
null,
+                client, oldRefreshToken.getClientCodeVerifier(),
+                oldRefreshToken.getExtraProperties(), 
oldRefreshToken.getGrantCode(),
+                oldRefreshToken.getGrantType(), oldRefreshToken.getNonce(),
+                oldRefreshToken.getResponseType(), theNewScopes,

Review Comment:
   It looks like the response type was not set on the old access token on 
refresh - is it correct to set it here?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to