Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(oauth2): revalidate access tokens #4603

Merged
merged 5 commits into from
Sep 19, 2024
Merged

feat(oauth2): revalidate access tokens #4603

Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
2336fd3
feat(oauth2): revalidate access tokens
danielkelemen Sep 13, 2024
2a92b25
log access token expiry only
danielkelemen Sep 13, 2024
8b004df
handle missing authorization grants
danielkelemen Sep 17, 2024
742680e
Update spring-boot-starter/starter-security/src/main/java/org/camunda…
danielkelemen Sep 17, 2024
a976e65
use ClockUtil for comparing dates
danielkelemen Sep 18, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 23 additions & 10 deletions ...n/java/org/camunda/bpm/spring/boot/starter/security/oauth2/impl/AuthorizeTokenFilter.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,9 +30,11 @@
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
import org.springframework.security.oauth2.core.OAuth2Token;
import org.springframework.web.filter.OncePerRequestFilter;

import java.io.IOException;
import java.time.Clock;

/**
* Authorize or re-authorize (if required) oauth2 client using {@link OAuth2AuthorizedClientManager}.
Expand All @@ -54,6 +56,7 @@ public class AuthorizeTokenFilter extends OncePerRequestFilter {

private static final Logger logger = LoggerFactory.getLogger(AuthorizeTokenFilter.class);
private final OAuth2AuthorizedClientManager clientManager;
private final Clock clock = Clock.systemUTC();
danielkelemen marked this conversation as resolved.
Show resolved Hide resolved

public AuthorizeTokenFilter(OAuth2AuthorizedClientManager clientManager) {
this.clientManager = clientManager;
Expand All @@ -72,9 +75,21 @@ protected void doFilterInternal(@Nonnull HttpServletRequest request,
filterChain.doFilter(request, response);
}

private void authorizeToken(OAuth2AuthenticationToken token,
HttpServletRequest request,
HttpServletResponse response) {
protected boolean hasTokenExpired(OAuth2Token token) {
return token.getExpiresAt() == null || this.clock.instant().isAfter(token.getExpiresAt());
}

protected void clearContext(HttpServletRequest request) {
SecurityContextHolder.clearContext();
try {
request.getSession().invalidate();
} catch (Exception ignored) {
}
}

protected void authorizeToken(OAuth2AuthenticationToken token,
HttpServletRequest request,
HttpServletResponse response) {
// @formatter:off
var authRequest = OAuth2AuthorizeRequest
.withClientRegistrationId(token.getAuthorizedClientRegistrationId())
Expand All @@ -87,17 +102,15 @@ private void authorizeToken(OAuth2AuthenticationToken token,

try {
var res = clientManager.authorize(authRequest);
if (res != null) {
if (res == null || hasTokenExpired(res.getAccessToken())) {
logger.warn("Authorize failed: could not re-authorize expired access token");
clearContext(request);
} else {
logger.debug("Authorize successful, access token expiry: {}", res.getAccessToken().getExpiresAt());
}
} catch (OAuth2AuthorizationException e) {
logger.warn("Authorize failed: {}", e.getMessage());
// clear security context
SecurityContextHolder.clearContext();
try {
request.getSession().invalidate();
} catch (Exception ignored) {
}
clearContext(request);
}
}
}