Add additional jti claim logic when loading auth object

[#158847208] Signed-off-by: Bruce Ricard <bruce.ricard@gmail.com>
cloudfoundry · Jul 11, 2018 · 4fa3e35 · 4fa3e35
1 parent 2f98fcd
commit 4fa3e35
Show file tree

Hide file tree

Showing 2 changed files with 67 additions and 0 deletions.
diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServices.java b/server/src/main/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServices.java
@@ -1029,6 +1029,19 @@ public OAuth2Authentication loadAuthentication(String accessToken) throws Authen
 
         TokenValidation tokenValidation = validateToken(accessToken);
         Map<String, Object> claims = tokenValidation.getClaims();
+
+        Object jtiClaim = claims.get(JTI);
+
+        if (jtiClaim == null) {
+            throw new InvalidTokenException("The token must contain a jti claim.");
+        } else {
+            if (jtiClaim.toString().endsWith(REFRESH_TOKEN_SUFFIX)) {
+                throw new InvalidTokenException(
+                  "Invalid access token was provided."
+                );
+            }
+        }
+
         accessToken = tokenValidation.getJwt().getEncoded();
 
         // Check token expiry

diff --git a/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServicesTests.java b/server/src/test/java/org/cloudfoundry/identity/uaa/oauth/UaaTokenServicesTests.java
@@ -31,6 +31,7 @@
 import org.cloudfoundry.identity.uaa.user.UaaUser;
 import org.cloudfoundry.identity.uaa.user.UaaUserPrototype;
 import org.cloudfoundry.identity.uaa.util.JsonUtils;
+import org.cloudfoundry.identity.uaa.util.TokenValidation;
 import org.cloudfoundry.identity.uaa.zone.ClientServicesExtension;
 import org.cloudfoundry.identity.uaa.zone.IdentityZone;
 import org.cloudfoundry.identity.uaa.zone.IdentityZoneConfiguration;
@@ -1899,6 +1900,59 @@ public void testLoad_Opaque_AuthenticationForAUser() {
         System.out.println("newAccessToken = " + newAccessToken);
     }
 
+    @Test
+    public void loadAuthentication_when_given_an_opaque_refreshToken_should_throw_exception() {
+        tokenSupport.defaultClient.setAutoApproveScopes(singleton("true"));
+        AuthorizationRequest authorizationRequest = new AuthorizationRequest(CLIENT_ID,tokenSupport.requestedAuthScopes);
+        authorizationRequest.setResponseTypes(new HashSet(Arrays.asList("token")));
+        authorizationRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds));
+        Map<String, String> azParameters = new HashMap<>(authorizationRequest.getRequestParameters());
+        azParameters.put(GRANT_TYPE, AUTHORIZATION_CODE);
+
+        azParameters.put(REQUEST_TOKEN_FORMAT, TokenConstants.OPAQUE);
+
+        authorizationRequest.setRequestParameters(azParameters);
+        Authentication userAuthentication = tokenSupport.defaultUserAuthentication;
+
+        OAuth2Authentication authentication = new OAuth2Authentication(authorizationRequest.createOAuth2Request(), userAuthentication);
+        OAuth2AccessToken compositeToken = tokenServices.createAccessToken(authentication);
+
+        String refreshTokenValue = tokenProvisioning.retrieve(compositeToken.getRefreshToken().getValue(), IdentityZoneHolder.get().getId()).getValue();
+
+        expectedException.expect(InvalidTokenException.class);
+        expectedException.expectMessage("Invalid access token was provided.");
+
+        tokenServices.loadAuthentication(refreshTokenValue);
+    }
+
+    @Rule
+    public ExpectedException expectedException = ExpectedException.none();
+
+    @Test
+    public void loadAuthentication_when_given_an_refresh_jwt_should_throw_exception() {
+        IdentityZoneHolder.get().getConfig().getTokenPolicy().setJwtRevocable(true);
+        tokenSupport.defaultClient.setAutoApproveScopes(singleton("true"));
+        AuthorizationRequest authorizationRequest = new AuthorizationRequest(CLIENT_ID,tokenSupport.requestedAuthScopes);
+        authorizationRequest.setResponseTypes(new HashSet(Arrays.asList("token")));
+        authorizationRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds));
+        Map<String, String> azParameters = new HashMap<>(authorizationRequest.getRequestParameters());
+        azParameters.put(GRANT_TYPE, AUTHORIZATION_CODE);
+
+        azParameters.put(REQUEST_TOKEN_FORMAT, JWT.getStringValue());
+
+        authorizationRequest.setRequestParameters(azParameters);
+        Authentication userAuthentication = tokenSupport.defaultUserAuthentication;
+
+        OAuth2Authentication authentication = new OAuth2Authentication(authorizationRequest.createOAuth2Request(), userAuthentication);
+        OAuth2AccessToken compositeToken = tokenServices.createAccessToken(authentication);
+        TokenValidation refreshToken = tokenServices.validateToken(compositeToken.getRefreshToken().getValue());
+
+        String refreshTokenValue = tokenProvisioning.retrieve(refreshToken.getClaims().get("jti").toString(), IdentityZoneHolder.get().getId()).getValue();
+
+        expectedException.expect(InvalidTokenException.class);
+        expectedException.expectMessage("Invalid access token was provided.");
+        tokenServices.loadAuthentication(refreshTokenValue);
+    }
 
     @Test
     public void testLoadAuthenticationForAClient() {