Hi All,

In the method [1] which is used to revoke access tokens by resource owners,
it iterates all ACTIVE or EXPIRED access tokens for the particular client
authorized by the user.

    // retrieve all ACTIVE or EXPIRED access tokens for particular client authorized by this user
    Set<AccessTokenDO> accessTokenDOs = OAuthTokenPersistenceFactory.getInstance()
            .getAccessTokenDAO().getAccessTokens(appDTO.getOauthConsumerKey(), user, userStoreDomain, true);
Inside the for-each loop, the auth cache is cleared one by one for the tokens
fetched into accessTokenDOs.

    for (AccessTokenDO accessTokenDO : accessTokenDOs) {
        ...
        OAuthUtil.clearOAuthCache(accessTokenDO.getAccessToken());

        // retrieve latest access token for particular client, user and scope combination if it is ACTIVE or EXPIRED
        scopedToken = OAuthTokenPersistenceFactory.getInstance().getAccessTokenDAO()
                .getLatestAccessToken(appDTO.getOauthConsumerKey(), user, userStoreDomain,
                        OAuth2Util.buildScopeString(accessTokenDO.getScope()), true);
        ....
        // Revoking token from database
        OAuthTokenPersistenceFactory.getInstance().getAccessTokenDAO()
                .revokeAccessTokens(new String[]{scopedToken.getAccessToken()});
        ...
    }

Then, inside the for-each loop itself, it retrieves the latest access token for
the particular client, user and scope, if that token is ACTIVE or EXPIRED.
This token is revoked from the DB inside the for-each loop.

I have two questions here.

1. We clear the auth cache based on the access token fetched from
accessTokenDOs, and revoke scopedToken from the DB, which can be a different
token.

2. As multiple DB calls are happening here, can't we move the logic of
revoking the token from the DB outside the for-each loop, since the DAO
method supports batch operations?

Highly appreciate your feedback on this.

[1]
https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthAdminService.java#L627

Thanks.

-- 

Hasanthi Dissanayake

Senior Software Engineer | WSO2

E: [email protected]
M: 0718407133 | http://wso2.com
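To make the two points above concrete, here is an added model of the revocation flow described in the mail (example code, not the OAuthAdminService code or the project's DAO): an in-memory stand-in for the access token DAO and the OAuth cache, with the per-iteration loop beside a batched variant that fetches the tokens once and calls the batch revoke method a single time. Class, method and token names are assumptions chosen to mirror the snippet, and the token data is constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Token:
    value: str
    scope: str
    state: str   # ACTIVE, EXPIRED or REVOKED
    issued: int  # higher means issued later

class TokenStore:
    """Constructed in-memory stand-in for the access token DAO; counts DB round trips."""
    def __init__(self, tokens):
        self.tokens, self.db_calls = list(tokens), 0
    def _live(self):  # the "ACTIVE or EXPIRED" filter used by both lookups
        return [t for t in self.tokens if t.state in ("ACTIVE", "EXPIRED")]
    def get_access_tokens(self):
        self.db_calls += 1
        return self._live()
    def get_latest_access_token(self, scope):
        self.db_calls += 1
        scoped = [t for t in self._live() if t.scope == scope]
        return max(scoped, key=lambda t: t.issued, default=None)
    def revoke_access_tokens(self, values):
        self.db_calls += 1  # one batch statement, however many tokens it carries
        for t in (t for t in self.tokens if t.value in values):
            t.state = "REVOKED"

def revoke_per_iteration(store, cache):
    """Mirrors the loop in the mail: clear the cache entry of the fetched token, then revoke the latest token of its scope."""
    cleared, revoked = [], []
    for dto in store.get_access_tokens():
        cache.discard(dto.value)
        cleared.append(dto.value)
        latest = store.get_latest_access_token(dto.scope)
        if latest is not None:
            store.revoke_access_tokens([latest.value])
            revoked.append(latest.value)
    return {"cleared": cleared, "revoked": revoked, "db_calls": store.db_calls}

def revoke_batched(store, cache):
    """Fetch once, clear the cache for every token, revoke them all in a single DAO call."""
    values = [t.value for t in store.get_access_tokens()]
    for v in values:
        cache.discard(v)
    store.revoke_access_tokens(values)
    return {"cleared": values, "revoked": values, "db_calls": store.db_calls}

def sample_store():
    return TokenStore([Token("tok-old", "openid", "EXPIRED", 1), Token("tok-new", "openid", "ACTIVE", 2),
                       Token("tok-other", "profile", "ACTIVE", 3)])  # constructed sample data
```

With the sample data, the per-iteration loop clears the cache for "tok-old" while the DB call in that same iteration revokes "tok-new" (the latest token of the scope), and it spends 7 round trips where the batched variant spends 2; both end with every token revoked and the cache empty.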
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
