/*
 * The contents of this file are subject to the terms of the Common Development and
 * Distribution License (the License). You may not use this file except in compliance with the
 * License.
 *
 * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
 * specific language governing permission and limitations under the License.
 *
 * When distributing Covered Software, include this CDDL Header Notice in each file and include
 * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
 * Header, with the fields enclosed by brackets [] replaced by your own identifying
 * information: "Portions copyright [year] [name of copyright owner]".
 *
 * Copyright 2014-2015 ForgeRock AS.
 */
756d4b8bce5a58e5bd8fe686688b6c42d2e7052bPhill Cunnington
package org.forgerock.oauth2.core;

import static org.mockito.BDDMockito.*;
import static org.mockito.Mockito.anySetOf;
import static org.mockito.Mockito.anyString;
import static org.mockito.Mockito.eq;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.verify;
import static org.testng.Assert.*;

import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;

import org.forgerock.oauth2.core.exceptions.InvalidGrantException;
import org.forgerock.oauth2.core.exceptions.InvalidRequestException;
import org.mockito.Matchers;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;
756d4b8bce5a58e5bd8fe686688b6c42d2e7052bPhill Cunnington
756d4b8bce5a58e5bd8fe686688b6c42d2e7052bPhill Cunnington/**
756d4b8bce5a58e5bd8fe686688b6c42d2e7052bPhill Cunnington * @since 12.0.0
756d4b8bce5a58e5bd8fe686688b6c42d2e7052bPhill Cunnington */
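/**
 * Unit tests for {@link AccessTokenServiceImpl}.
 *
 * <p>Covers dispatch of a {@code grant_type} request to the registered {@link GrantTypeHandler}, and the
 * checks a refresh request must pass before a new access token is created: the client is authenticated
 * against the token endpoint, the presented refresh token must exist in the {@link TokenStore}, must have
 * been issued to that same client, and must not have expired.
 *
 * @since 12.0.0
 */
public class AccessTokenServiceImplTest {

    private static final String GRANT_TYPE = "GRANT_TYPE";
    private static final String REFRESH_TOKEN_ID = "REFRESH_TOKEN_ID";
    private static final String TOKEN_ENDPOINT = "Token Endpoint";
    private static final String CLIENT_ID = "CLIENT_ID";
    // Wide enough that a slow or paused run cannot tick past the stubbed expiry before the service reads it.
    private static final long NOT_YET_EXPIRED_MARGIN_MILLIS = TimeUnit.MINUTES.toMillis(10);

    private AccessTokenServiceImpl accessTokenService;

    private GrantTypeHandler grantTypeHandler;
    private ClientAuthenticator clientAuthenticator;
    private TokenStore tokenStore;
    private OAuth2ProviderSettings providerSettings;
    private OAuth2Uris uris;

    /**
     * Builds the service under test with mocked collaborators; one handler is registered under
     * {@link #GRANT_TYPE}.
     */
    @BeforeMethod
    public void setUp() throws Exception {
        Map<String, GrantTypeHandler> grantTypeHandlers = new HashMap<String, GrantTypeHandler>();
        grantTypeHandler = mock(GrantTypeHandler.class);
        grantTypeHandlers.put(GRANT_TYPE, grantTypeHandler);
        clientAuthenticator = mock(ClientAuthenticator.class);
        tokenStore = mock(TokenStore.class);
        OAuth2ProviderSettingsFactory providerSettingsFactory = mock(OAuth2ProviderSettingsFactory.class);
        OAuth2UrisFactory urisFactory = mock(OAuth2UrisFactory.class);

        accessTokenService = new AccessTokenServiceImpl(grantTypeHandlers, clientAuthenticator, tokenStore,
                providerSettingsFactory, urisFactory);

        // Both factories are looked up per request; every request in these tests resolves to the same mocks.
        providerSettings = mock(OAuth2ProviderSettings.class);
        given(providerSettingsFactory.get(any(OAuth2Request.class))).willReturn(providerSettings);

        uris = mock(OAuth2Uris.class);
        given(urisFactory.get(any(OAuth2Request.class))).willReturn(uris);
    }

    /**
     * Stubs a refresh request whose client authenticates at the token endpoint as {@code clientRegistration}
     * and whose token-store lookup of {@link #REFRESH_TOKEN_ID} yields {@code refreshToken}.
     *
     * @param refreshToken the stored token, or {@code null} to simulate an unknown refresh token id
     */
    private void givenRefreshRequest(OAuth2Request request, ClientRegistration clientRegistration,
            RefreshToken refreshToken) throws Exception {
        given(request.getParameter("refresh_token")).willReturn(REFRESH_TOKEN_ID);
        given(uris.getTokenEndpoint()).willReturn(TOKEN_ENDPOINT);
        given(clientAuthenticator.authenticate(request, TOKEN_ENDPOINT)).willReturn(clientRegistration);
        given(tokenStore.readRefreshToken(request, REFRESH_TOKEN_ID)).willReturn(refreshToken);
    }

    /**
     * Binds {@code refreshToken} to the same client id as {@code clientRegistration} and gives it an expiry
     * comfortably in the future.
     */
    private static void givenTokenIsValidForClient(RefreshToken refreshToken, ClientRegistration clientRegistration) {
        given(refreshToken.getClientId()).willReturn(CLIENT_ID);
        given(clientRegistration.getClientId()).willReturn(CLIENT_ID);
        given(refreshToken.getExpiryTime()).willReturn(System.currentTimeMillis() + NOT_YET_EXPIRED_MARGIN_MILLIS);
    }

    /**
     * Stubs scope validation for {@code clientRegistration} to return {@code validatedScope}, and the token
     * store to mint {@code accessToken} when asked for one backed by {@code refreshToken}.
     */
    private void givenAccessTokenIssued(OAuth2Request request, ClientRegistration clientRegistration,
            RefreshToken refreshToken, Set<String> validatedScope, AccessToken accessToken) throws Exception {
        given(providerSettings.validateRefreshTokenScope(eq(clientRegistration), anySetOf(String.class),
                anySetOf(String.class), eq(request))).willReturn(validatedScope);
        given(tokenStore.createAccessToken(anyString(), anyString(), anyString(), anyString(), anyString(),
                anyString(), anySetOf(String.class), eq(refreshToken), anyString(), anyString(), eq(request)))
                .willReturn(accessToken);
    }

    @Test
    public void shouldRequestAccessToken() throws Exception {
        //Given
        OAuth2Request request = mock(OAuth2Request.class);
        given(request.getParameter("grant_type")).willReturn(GRANT_TYPE);

        //When
        accessTokenService.requestAccessToken(request);

        //Then
        verify(grantTypeHandler).handle(request);
    }

    @Test(expectedExceptions = InvalidGrantException.class)
    public void requestAccessTokenShouldThrowInvalidGrantExceptionWhenGrantTypeDoesNotMatchHandler() throws Exception {
        //Given
        OAuth2Request request = mock(OAuth2Request.class);
        given(request.getParameter("grant_type")).willReturn("UNKNOWN_GRANT_TYPE");

        //When
        accessTokenService.requestAccessToken(request);

        //Then
        // Expect InvalidGrantException
    }

    @Test(expectedExceptions = IllegalArgumentException.class)
    public void refreshTokenShouldThrowIllegalArgumentExceptionWhenRefreshTokenMissing() throws Exception {
        //Given
        // No "refresh_token" parameter is stubbed, so the mock request returns null for it.
        OAuth2Request request = mock(OAuth2Request.class);

        //When
        accessTokenService.refreshToken(request);

        //Then
        // Expect IllegalArgumentException
    }

    @Test(expectedExceptions = IllegalArgumentException.class)
    public void refreshTokenShouldThrowIllegalArgumentExceptionWhenRefreshTokenIsEmpty() throws Exception {
        //Given
        OAuth2Request request = mock(OAuth2Request.class);
        given(request.getParameter("refresh_token")).willReturn("");

        //When
        accessTokenService.refreshToken(request);

        //Then
        // Expect IllegalArgumentException
    }

    @Test(expectedExceptions = InvalidRequestException.class)
    public void refreshTokenShouldThrowInvalidRequestExceptionWhenRefreshTokenNotFound() throws Exception {
        //Given
        OAuth2Request request = mock(OAuth2Request.class);
        ClientRegistration clientRegistration = mock(ClientRegistration.class);

        // The store has no token under the presented id.
        givenRefreshRequest(request, clientRegistration, null);

        //When
        accessTokenService.refreshToken(request);

        //Then
        // Expect InvalidRequestException
    }

    /**
     * A refresh token presented by a client other than the one it was issued to must be rejected, even though
     * the presenting client authenticated successfully.
     */
    @Test(expectedExceptions = InvalidRequestException.class)
    public void refreshTokenShouldThrowInvalidRequestExceptionWhenClientIdsDontMatch() throws Exception {
        //Given
        OAuth2Request request = mock(OAuth2Request.class);
        ClientRegistration clientRegistration = mock(ClientRegistration.class);
        RefreshToken refreshToken = mock(RefreshToken.class);

        givenRefreshRequest(request, clientRegistration, refreshToken);
        given(refreshToken.getClientId()).willReturn(CLIENT_ID);
        given(clientRegistration.getClientId()).willReturn("OTHER_CLIENT_ID");

        //When
        accessTokenService.refreshToken(request);

        //Then
        // Expect InvalidRequestException
    }

    @Test(expectedExceptions = InvalidGrantException.class)
    public void refreshTokenShouldThrowInvalidGrantExceptionWhenRefreshTokenHasExpired() throws Exception {
        //Given
        OAuth2Request request = mock(OAuth2Request.class);
        ClientRegistration clientRegistration = mock(ClientRegistration.class);
        RefreshToken refreshToken = mock(RefreshToken.class);

        givenRefreshRequest(request, clientRegistration, refreshToken);
        given(refreshToken.getClientId()).willReturn(CLIENT_ID);
        given(clientRegistration.getClientId()).willReturn(CLIENT_ID);
        // Expiry is already in the past when the service reads it.
        given(refreshToken.getExpiryTime()).willReturn(System.currentTimeMillis() - 10);

        //When
        accessTokenService.refreshToken(request);

        //Then
        // Expect InvalidGrantException
    }

    /**
     * With an empty validated scope the response must not carry a {@code scope} entry.
     */
    @Test
    public void shouldRefreshToken() throws Exception {
        //Given
        OAuth2Request request = mock(OAuth2Request.class);
        ClientRegistration clientRegistration = mock(ClientRegistration.class);
        RefreshToken refreshToken = mock(RefreshToken.class);
        Set<String> validatedScope = new HashSet<String>();
        AccessToken accessToken = mock(AccessToken.class);

        givenRefreshRequest(request, clientRegistration, refreshToken);
        givenTokenIsValidForClient(refreshToken, clientRegistration);
        givenAccessTokenIssued(request, clientRegistration, refreshToken, validatedScope, accessToken);

        //When
        AccessToken actualAccessToken = accessTokenService.refreshToken(request);

        //Then
        verify(providerSettings).additionalDataToReturnFromTokenEndpoint(accessToken, request);
        verify(accessToken, never()).addExtraData(eq("scope"), anyString());
        assertEquals(actualAccessToken, accessToken);
    }

    /**
     * With a non-empty validated scope the response must carry a {@code scope} entry.
     */
    @Test
    public void shouldRefreshTokenAndIncludeScopeInAccessToken() throws Exception {
        //Given
        OAuth2Request request = mock(OAuth2Request.class);
        ClientRegistration clientRegistration = mock(ClientRegistration.class);
        RefreshToken refreshToken = mock(RefreshToken.class);
        Set<String> validatedScope = Collections.singleton("SCOPE");
        AccessToken accessToken = mock(AccessToken.class);

        givenRefreshRequest(request, clientRegistration, refreshToken);
        givenTokenIsValidForClient(refreshToken, clientRegistration);
        givenAccessTokenIssued(request, clientRegistration, refreshToken, validatedScope, accessToken);

        //When
        AccessToken actualAccessToken = accessTokenService.refreshToken(request);

        //Then
        verify(providerSettings).additionalDataToReturnFromTokenEndpoint(accessToken, request);
        verify(accessToken).addExtraData(eq("scope"), anyString());
        assertEquals(actualAccessToken, accessToken);
    }

    /**
     * OPENAM-3997 - ensure that when the setting to generate new refresh tokens is enabled that the new refresh
     * token id is returned rather than the old one.
     */
    @Test
    public void shouldReturnNewRefreshTokenIdWhenRefreshing() throws Exception {
        //Given
        OAuth2Request request = mock(OAuth2Request.class);
        ClientRegistration clientRegistration = mock(ClientRegistration.class);
        RefreshToken refreshToken = mock(RefreshToken.class);
        RefreshToken newRefreshToken = mock(RefreshToken.class);
        Set<String> validatedScope = new HashSet<String>();
        AccessToken accessToken = mock(AccessToken.class);
        String newRefreshTokenId = "NEW_REFRESH_TOKEN_ID";

        givenRefreshRequest(request, clientRegistration, refreshToken);
        givenTokenIsValidForClient(refreshToken, clientRegistration);

        given(providerSettings.issueRefreshTokensOnRefreshingToken()).willReturn(true);
        given(tokenStore.createRefreshToken(anyString(), anyString(), anyString(), anyString(), anySetOf(String.class),
                eq(request), isNull(String.class))).willReturn(newRefreshToken);
        given(newRefreshToken.getTokenId()).willReturn(newRefreshTokenId);

        // The access token must be minted against the replacement refresh token, not the one being consumed.
        givenAccessTokenIssued(request, clientRegistration, newRefreshToken, validatedScope, accessToken);

        //When
        AccessToken actualAccessToken = accessTokenService.refreshToken(request);

        //Then
        verify(providerSettings).additionalDataToReturnFromTokenEndpoint(accessToken, request);
        verify(accessToken, never()).addExtraData(eq("scope"), anyString());
        verify(accessToken).addExtraData("refresh_token", newRefreshTokenId);
        assertEquals(actualAccessToken, accessToken);
    }
}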