fix(oxauth): disable issuing AT by refresh token if user is not found…

… or otherwise inactive (4.4)

JanssenProject/jans#1093

Model/src/main/java/org/gluu/oxauth/model/configuration/AppConfiguration.java

@@ -225,6 +225,7 @@ public class AppConfiguration implements Configuration {
     private Boolean removeRefreshTokensForClientOnLogout  = true;
     private Boolean skipRefreshTokenDuringRefreshing  = false;
     private Boolean refreshTokenExtendLifetimeOnRotation  = false;
+    private Boolean checkUserPresenceOnRefreshToken = false;
     private Boolean consentGatheringScriptBackwardCompatibility = false; // means ignore client configuration (as defined in 4.2) and determine it globally (as in 4.1 and earlier)
     private Boolean introspectionScriptBackwardCompatibility = false; // means ignore client configuration (as defined in 4.2) and determine it globally (as in 4.1 and earlier)
     private Boolean introspectionResponseScopesBackwardCompatibility = false; // See #1499
@@ -355,6 +356,15 @@ public void setRefreshTokenExtendLifetimeOnRotation(Boolean refreshTokenExtendLi
         this.refreshTokenExtendLifetimeOnRotation = refreshTokenExtendLifetimeOnRotation;
     }
 
+    public Boolean getCheckUserPresenceOnRefreshToken() {
+        if (checkUserPresenceOnRefreshToken == null) checkUserPresenceOnRefreshToken = true;
+        return checkUserPresenceOnRefreshToken;
+    }
+
+    public void setCheckUserPresenceOnRefreshToken(Boolean checkUserPresenceOnRefreshToken) {
+        this.checkUserPresenceOnRefreshToken = checkUserPresenceOnRefreshToken;
+    }
+
     public Boolean getExpirationNotificatorEnabled() {
         if (expirationNotificatorEnabled == null) expirationNotificatorEnabled = false;
         return expirationNotificatorEnabled;

Server/src/main/java/org/gluu/oxauth/token/ws/rs/TokenRestWebServiceImpl.java

@@ -261,6 +261,8 @@ public Response requestAccessToken(String grantType, String code,
                     return response(error(400, TokenErrorResponseType.INVALID_GRANT, "Unable to find refresh token or otherwise token type or client does not match."), oAuth2AuditLog);
                 }
 
+                checkUser(authorizationGrant, oAuth2AuditLog);
+
                 // The authorization server MAY issue a new refresh token, in which case
                 // the client MUST discard the old refresh token and replace it with the new refresh token.
                 RefreshToken reToken = null;
@@ -534,6 +536,18 @@ public Response requestAccessToken(String grantType, String code,
         return response(builder, oAuth2AuditLog);
     }
 
+    private void checkUser(AuthorizationGrant authorizationGrant, OAuth2AuditLog oAuth2AuditLog) {
+        if (!appConfiguration.getCheckUserPresenceOnRefreshToken()) {
+            return;
+        }
+
+        final User user = authorizationGrant.getUser();
+        if (user == null || "inactive".equalsIgnoreCase(user.getStatus())) {
+            log.trace("The user associated with this grant is not found or otherwise with status=inactive.");
+            throw new WebApplicationException(response(error(400, TokenErrorResponseType.INVALID_GRANT, "The user associated with this grant is not found or otherwise with status=inactive."), oAuth2AuditLog));
+        }
+    }
+
     /**
      * Processes token request for device code grant type.
      * @param grantType Grant type used, should be device code.

common/src/main/java/org/gluu/oxauth/model/common/User.java

@@ -78,4 +78,7 @@ public void removeAttribute(String attributeName) {
 		}
 	}
 
+    public String getStatus() {
+        return getAttribute("gluuStatus");
+    }
 }