Karl von Randow created CXF-6559:
------------------------------------
Summary: AbstractOAuthDataProvider.refreshAccessToken method can't handle an invalid refresh token
Key: CXF-6559
URL: https://issues.apache.org/jira/browse/CXF-6559
Project: CXF
Issue Type: Bug
Components: JAX-RS Security
Affects Versions: 3.1.2
Reporter: Karl von Randow
The refreshAccessToken method calls revokeRefreshAndAccessTokens, which calls revokeRefreshToken, which is an abstract method that declares no exceptions. Implementations assume that the method will return null if the refresh token doesn't exist (see the DefaultEHCacheOAuthDataProvider, although the DefaultEncryptingOAuthDataProvider implementation may throw a SecurityException in that case, as it can't really / doesn't support revoking).

However, if a null is returned, refreshAccessToken passes that null to doRefreshAccessToken, which will then fail with a NullPointerException.

I suggest that refreshAccessToken check for a null refresh token and throw an OAuthServiceException, possibly with OAuthConstants.ACCESS_DENIED.
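The following is an added, self-contained Java model of the control flow the report describes; it is not CXF's code and not the reporter's. The class and method names (AbstractOAuthDataProvider, revokeRefreshToken, doRefreshAccessToken, refreshAccessToken, OAuthServiceException, OAuthConstants.ACCESS_DENIED) mirror the report, but the method signatures, the Client/RefreshToken/AccessToken stand-in types, the constant's string value and the map-backed provider are assumptions made so the example compiles on its own. It shows the unchecked path failing with a NullPointerException for an unknown refresh token, and the suggested null check turning that into an OAuthServiceException carrying ACCESS_DENIED instead.

```java
// Added example (not CXF code): models the NPE path in CXF-6559 and the suggested fix.
import java.util.HashMap;
import java.util.Map;

public class RefreshTokenNullCheck {

    // Stand-ins for the CXF model classes; assumed shapes, not the real ones.
    static final class Client { final String id; Client(String id) { this.id = id; } }
    static final class RefreshToken { final String key; RefreshToken(String key) { this.key = key; } }
    static final class AccessToken { final String value; AccessToken(String v) { this.value = v; } }

    // Assumed constant value; only the name comes from the report.
    static final class OAuthConstants { static final String ACCESS_DENIED = "access_denied"; }

    static final class OAuthServiceException extends RuntimeException {
        OAuthServiceException(String error) { super(error); }
    }

    static abstract class AbstractOAuthDataProvider {
        // Abstract hook with no declared exceptions; per the report, implementations
        // return null for an unknown key (some may throw SecurityException instead).
        protected abstract RefreshToken revokeRefreshToken(String refreshTokenKey);

        protected abstract AccessToken doRefreshAccessToken(Client client, RefreshToken oldToken);

        // 'Before': hands whatever revokeRefreshToken returned straight to doRefreshAccessToken.
        public AccessToken refreshAccessTokenUnchecked(Client client, String refreshTokenKey) {
            RefreshToken current = revokeRefreshToken(refreshTokenKey);
            return doRefreshAccessToken(client, current); // NullPointerException when current == null
        }

        // 'After': reject an unknown or invalid refresh token explicitly, as the report suggests.
        public AccessToken refreshAccessToken(Client client, String refreshTokenKey) {
            RefreshToken current = revokeRefreshToken(refreshTokenKey);
            if (current == null) {
                throw new OAuthServiceException(OAuthConstants.ACCESS_DENIED);
            }
            return doRefreshAccessToken(client, current);
        }
    }

    // Constructed provider mirroring the behaviour the report attributes to
    // DefaultEHCacheOAuthDataProvider: revoking an absent token yields null.
    static final class MapBackedProvider extends AbstractOAuthDataProvider {
        private final Map<String, RefreshToken> store = new HashMap<>();
        MapBackedProvider(String... keys) { for (String k : keys) store.put(k, new RefreshToken(k)); }
        @Override protected RefreshToken revokeRefreshToken(String key) { return store.remove(key); }
        @Override protected AccessToken doRefreshAccessToken(Client client, RefreshToken old) {
            // Dereferences the old token, which is exactly what fails on null.
            return new AccessToken("at-for-" + client.id + "-from-" + old.key);
        }
    }

    public static void main(String[] args) {
        Client client = new Client("client-1");
        MapBackedProvider p = new MapBackedProvider("rt-valid");

        // Known token: the checked path refreshes normally (and revokes the old token).
        System.out.println("valid: " + p.refreshAccessToken(client, "rt-valid").value);

        // Unknown token, unchecked path: the null reaches doRefreshAccessToken and NPEs.
        try {
            p.refreshAccessTokenUnchecked(client, "rt-unknown");
        } catch (NullPointerException e) {
            System.out.println("unchecked: NullPointerException");
        }

        // Unknown token, checked path: a proper OAuth error instead of a server-side NPE.
        try {
            p.refreshAccessToken(client, "rt-unknown");
        } catch (OAuthServiceException e) {
            System.out.println("checked: OAuthServiceException(" + e.getMessage() + ")");
        }
    }
}
```

The null check only covers implementations that return null for an unknown key; an implementation that throws SecurityException from revokeRefreshToken, as the report says DefaultEncryptingOAuthDataProvider may, still propagates that exception unchanged through both paths.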
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)