[GitHub] [cxf] arthurchan35 commented on a diff in pull request #989: Make opaque access token generation extensible

Sun, 11 Sep 2022 02:14:01 -0700 


arthurchan35 commented on code in PR #989:
URL: https://github.com/apache/cxf/pull/989#discussion_r967791463


##########
rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java:
##########
@@ -394,35 +419,31 @@ protected void linkRefreshTokenToAccessToken(RefreshToken 
rt, ServerAccessToken
     protected ServerAccessToken doRefreshAccessToken(Client client,
                                                      RefreshToken 
oldRefreshToken,
                                                      List<String> 
restrictedScopes) {
-        ServerAccessToken at = createNewAccessToken(client, 
oldRefreshToken.getSubject());
-        at.setAudiences(oldRefreshToken.getAudiences() != null
-                ? new ArrayList<String>(oldRefreshToken.getAudiences()) : 
null);
-        at.setGrantType(oldRefreshToken.getGrantType());
-        at.setGrantCode(oldRefreshToken.getGrantCode());
-        at.setSubject(oldRefreshToken.getSubject());
-        at.setNonce(oldRefreshToken.getNonce());
-        at.setClientCodeVerifier(oldRefreshToken.getClientCodeVerifier());
-        at.getExtraProperties().putAll(oldRefreshToken.getExtraProperties());
+
+        List<OAuthPermission> theNewScopes = null;
+
         if (restrictedScopes.isEmpty()) {
-            at.setScopes(oldRefreshToken.getScopes() != null
-                    ? new 
ArrayList<OAuthPermission>(oldRefreshToken.getScopes()) : null);
+            theNewScopes = oldRefreshToken.getScopes() != null ?
+                    new 
ArrayList<OAuthPermission>(oldRefreshToken.getScopes()) : null;
         } else {
-            List<OAuthPermission> theNewScopes = 
convertScopeToPermissions(client, restrictedScopes);
-            if (oldRefreshToken.getScopes().containsAll(theNewScopes)) {
-                at.setScopes(theNewScopes);
-            } else {
+            theNewScopes = convertScopeToPermissions(client, restrictedScopes);
+            if (!oldRefreshToken.getScopes().containsAll(theNewScopes)) {
                 throw new OAuthServiceException("Invalid scopes");
             }
         }
 
+        ServerAccessToken at =
+            doCreateAccessToken(
+                oldRefreshToken.getAudiences() != null ?
+                    new ArrayList<String>(oldRefreshToken.getAudiences()) : 
null,
+                client, oldRefreshToken.getClientCodeVerifier(),
+                oldRefreshToken.getExtraProperties(), 
oldRefreshToken.getGrantCode(),
+                oldRefreshToken.getGrantType(), oldRefreshToken.getNonce(),
+                oldRefreshToken.getResponseType(), theNewScopes,

Review Comment:
   Hi @coheigea ,
   Thanks for spotting, I have removed it in:
   
https://github.com/apache/cxf/pull/989/commits/4b2c2a27b357fe07354fee6db9fe005e8e2a9a50



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to