This is an automated email from the ASF dual-hosted git repository. rombert pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/sling-whiteboard.git
commit c9003cde407e35a3adc491f6ae22603e14f5f274
Author: Robert Munteanu <[email protected]>
AuthorDate: Fri Feb 10 17:00:47 2023 +0100
Start adding support for refresh tokens (persisted, not used)
---
 .../servlets/oidc_rp/impl/OidcCallbackServlet.java | 5 ++++-
 .../oidc_rp/impl/OidcConnectionFinderImpl.java | 20 +++++++++++++++-----
 .../oidc_rp/impl/OidcConnectionPersister.java | 2 +-
 3 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/org.apache.sling.servlets.oidc-rp/src/main/java/org/apache/sling/servlets/oidc_rp/impl/OidcCallbackServlet.java b/org.apache.sling.servlets.oidc-rp/src/main/java/org/apache/sling/servlets/oidc_rp/impl/OidcCallbackServlet.java
index 05a75331..9685cc2b 100644
--- a/org.apache.sling.servlets.oidc-rp/src/main/java/org/apache/sling/servlets/oidc_rp/impl/OidcCallbackServlet.java
+++ b/org.apache.sling.servlets.oidc-rp/src/main/java/org/apache/sling/servlets/oidc_rp/impl/OidcCallbackServlet.java
@@ -100,6 +100,7 @@ public class OidcCallbackServlet extends SlingAllMethodsServlet {
 String authCode = authResponse.toSuccessResponse().getAuthorizationCode().getValue();
+ // TODO - this code should be extracted and reused to refresh the access token with a refresh token, if present
 HttpClient client = HttpClient.newHttpClient();
 Endpoints ep = Endpoints.discover(connection.baseUrl(), client);
@@ -125,6 +126,7 @@ public class OidcCallbackServlet extends SlingAllMethodsServlet {
 stateManager.unregisterState(authResponse.getState());
 String accessToken;
+ String refreshToken = null;
 ZonedDateTime expiry = null;
 try ( JsonReader reader = Json.createReader(new StringReader(tokenResponse.body())) ) {
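Review bot: The TODO inserted above `HttpClient client = HttpClient.newHttpClient();` should also record that a refresh-token grant may return a rotated `refresh_token` together with a new `expires_in`, because the extracted code will then have to re-persist both values and not only the access token; a stored refresh token that is not replaced after rotation is stale and, with providers that revoke the previous one, a dead credential sitting in the repository. Suggested wording: `// TODO - extract and reuse to refresh the access token with a refresh token, if present; the refresh response may carry a new refresh_token/expires_in that must be persisted as well`. The enclosing method starts and ends outside the hunk, and the second hunk in this file (`String refreshToken = null;`) only declares the variable and needs nothing.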
@@ -134,9 +136,10 @@ public class OidcCallbackServlet extends SlingAllMethodsServlet {
 if ( expiresIn != null ) {
 expiry = LocalDateTime.now().plus(expiresIn.intValue(), ChronoUnit.SECONDS).atZone(ZoneId.systemDefault());
 }
+ refreshToken = tokenObject.getString("refresh_token", null);
 }
- persister.persistToken(request.getResourceResolver(), accessToken, expiry);
+ persister.persistToken(request.getResourceResolver(), accessToken, refreshToken, expiry);
 if ( redirect.isEmpty() ) {
 response.setStatus(HttpServletResponse.SC_OK);
diff --git a/org.apache.sling.servlets.oidc-rp/src/main/java/org/apache/sling/servlets/oidc_rp/impl/OidcConnectionFinderImpl.java b/org.apache.sling.servlets.oidc-rp/src/main/java/org/apache/sling/servlets/oidc_rp/impl/OidcConnectionFinderImpl.java
index a900da8c..d7350db1 100644
--- a/org.apache.sling.servlets.oidc-rp/src/main/java/org/apache/sling/servlets/oidc_rp/impl/OidcConnectionFinderImpl.java
+++ b/org.apache.sling.servlets.oidc-rp/src/main/java/org/apache/sling/servlets/oidc_rp/impl/OidcConnectionFinderImpl.java
@@ -43,7 +43,8 @@ import org.slf4j.LoggerFactory;
 public class OidcConnectionFinderImpl implements OidcConnectionFinder, OidcConnectionPersister {
 private static final String PROPERTY_NAME_EXPIRES_AT = "expiresAt";
- private static final String PROPERTY_NAME_TOKEN = "token";
+ private static final String PROPERTY_NAME_ACCESS_TOKEN = "access_token";
+ private static final String PROPERTY_NAME_REFRESH_TOKEN = "refresh_token";
 private final Logger logger = LoggerFactory.getLogger(getClass());
@@ -68,8 +69,10 @@ public class OidcConnectionFinderImpl implements OidcConnectionFinder, OidcConne
 return Optional.empty();
 }
 }
+
+ // TODO - how to handle scenario when access_token is null but refresh_token exists?
- Value[] tokenValue = user.getProperty(propertyPath(PROPERTY_NAME_TOKEN));
+ Value[] tokenValue = user.getProperty(propertyPath(PROPERTY_NAME_ACCESS_TOKEN));
 if ( tokenValue == null )
 return Optional.empty();
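Review bot: Renaming the stored property from `token` to `access_token` (`PROPERTY_NAME_ACCESS_TOKEN`) leaves any `token` property already written by earlier builds orphaned: the lookup in the next hunk no longer reads it, and `persistToken` neither overwrites nor removes it, so a previously issued access token stays in the user node until someone deletes it by hand. Either keep reading the old name or have `persistToken` clear it alongside the new writes, e.g. `currentUser.removeProperty(propertyPath("token")); // pre-rename property; drop once every user has re-authenticated`. For whiteboard code a one-line cleanup or a short comment stating the migration assumption is enough; the class body and `propertyPath` lie outside this hunk.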
@@ -83,15 +86,22 @@ public class OidcConnectionFinderImpl implements OidcConnectionFinder, OidcConne
 }
 @Override
- public void persistToken(ResourceResolver resolver, String tokenValue, ZonedDateTime expiry) {
+ public void persistToken(ResourceResolver resolver, String tokenValue, String refreshToken, ZonedDateTime expiry) {
 try {
 User currentUser = resolver.adaptTo(User.class);
 Session session = resolver.adaptTo(Session.class);
- currentUser.setProperty(propertyPath(PROPERTY_NAME_TOKEN), session.getValueFactory().createValue(tokenValue));
+ currentUser.setProperty(propertyPath(PROPERTY_NAME_ACCESS_TOKEN), session.getValueFactory().createValue(tokenValue));
 if ( expiry != null ) {
 Calendar cal = GregorianCalendar.from(expiry);
 currentUser.setProperty(propertyPath(PROPERTY_NAME_EXPIRES_AT), session.getValueFactory().createValue(cal));
- }
+ } else
+ currentUser.removeProperty(propertyPath(PROPERTY_NAME_EXPIRES_AT));
+
+ if ( refreshToken != null )
+ currentUser.setProperty(propertyPath(PROPERTY_NAME_REFRESH_TOKEN), session.getValueFactory().createValue(refreshToken));
+ else
+ currentUser.removeProperty(propertyPath(PROPERTY_NAME_REFRESH_TOKEN));
+
 session.save();
 } catch (RepositoryException e) {
 throw new RuntimeException(e);
diff --git a/org.apache.sling.servlets.oidc-rp/src/main/java/org/apache/sling/servlets/oidc_rp/impl/OidcConnectionPersister.java b/org.apache.sling.servlets.oidc-rp/src/main/java/org/apache/sling/servlets/oidc_rp/impl/OidcConnectionPersister.java
index 781fd0ce..3850f69e 100644
--- a/org.apache.sling.servlets.oidc-rp/src/main/java/org/apache/sling/servlets/oidc_rp/impl/OidcConnectionPersister.java
+++ b/org.apache.sling.servlets.oidc-rp/src/main/java/org/apache/sling/servlets/oidc_rp/impl/OidcConnectionPersister.java
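Review bot: The new single-statement branches (`} else`, `if ( refreshToken != null )`, `else`) are written without braces while the `if ( expiry != null ) {` directly above keeps them, so the method now mixes both styles within a dozen lines; wrapping each of the four branches in braces matches the surrounding code and avoids the dangling-statement mistake the next time a line (a log call, say) is added to one of them. Separately, the refresh token is written to the user node as a plain string property via `createValue(refreshToken)`, exactly like the access token, but unlike the access token it is long-lived and not bounded by `expiresAt`; a comment on that line stating how the property is protected at rest (node ACLs, or encryption if planned) would help whoever picks up the refresh TODO, and the same consideration applies to the `access_token` write above it. `adaptTo(User.class)` and `adaptTo(Session.class)` may return null and are dereferenced unchecked, but that predates this commit. The method's closing braces lie outside the hunk.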
@@ -22,5 +22,5 @@ import org.apache.sling.api.resource.ResourceResolver;
 public interface OidcConnectionPersister {
- void persistToken(ResourceResolver resourceResolver, String tokenValue, ZonedDateTime expiry);
+ void persistToken(ResourceResolver resourceResolver, String tokenValue, String refreshToken, ZonedDateTime expiry);
 }
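Review bot: The interface gains a `refreshToken` parameter without Javadoc, so the contract that `null` means "remove any previously stored refresh token" — which is what `OidcConnectionFinderImpl.persistToken` implements via `removeProperty` — exists only in the implementation. Add a method comment on the interface, e.g. `@param refreshToken the refresh token returned by the token endpoint, or {@code null} to clear a previously stored one; {@code expiry} follows the same rule`. Noting there that both tokens are persisted as properties of the current user's node would also tell callers where the credentials end up.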
