From fa407f471a8e319431934f772feca8c8225c961e Mon Sep 17 00:00:00 2001
From: Mauro Mugnaini
Date: Wed, 16 Dec 2020 15:53:26 +0100
Subject: [PATCH] Forced refresh of access token when current scope changes

---
 .../threadlocalexec/SmartGearsPortalValve.java | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/src/main/java/org/gcube/portal/threadlocalexec/SmartGearsPortalValve.java b/src/main/java/org/gcube/portal/threadlocalexec/SmartGearsPortalValve.java
index 5d7974c..5cb5778 100644
--- a/src/main/java/org/gcube/portal/threadlocalexec/SmartGearsPortalValve.java
+++ b/src/main/java/org/gcube/portal/threadlocalexec/SmartGearsPortalValve.java
@@ -113,9 +113,11 @@ public class SmartGearsPortalValve extends ValveBase {
 umaToken = JWTCacheProxy.getInstance().getUMAToken(user, session);
 }
 if (umaToken == null || !umaToken.getAud().contains(urlEncodedScope)) {
+ boolean scopeIsChanged = false;
 if (umaToken == null) {
 _log.debug("UMA token is null. Getting new one...");
 } else {
+ scopeIsChanged = true;
 _log.info("UMA token has been issued for another scope (" + umaToken.getAud() + "). Getting new one for scope: " + urlEncodedScope);
 }
@@ -141,8 +143,12 @@ public class SmartGearsPortalValve extends ValveBase {
 }
 OpenIdConnectConfiguration configuration = LiferayOpenIdConnectConfiguration.getConfiguration(request);
 try {
- if (authToken.isExpired()) {
- _log.debug("OIDC token is expired, refreshing it");
+ if (scopeIsChanged || authToken.isExpired()) {
+ if (scopeIsChanged) {
+ _log.info("Scope is changed, refreshing token to be sure that new grants are present");
+ } else {
+ _log.debug("OIDC token is expired, refreshing it");
+ }
 try {
 authToken = OpenIdConnectRESTHelper.refreshToken(configuration.getTokenURL(), authToken);
 } catch (Exception e) {
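Review bot: Whether `scopeIsChanged` is ever set depends on the context line `if (umaToken == null || !umaToken.getAud().contains(urlEncodedScope))`, and if `getAud()` returns a String that `contains` is a substring test: a cached UMA token issued for a scope whose identifier has the current one as a substring would be treated as the right scope, and the forced refresh this commit adds would never run for it. If `getAud()` is a collection the membership check is exact and this does not apply; the hunk does not show its type, so it is worth confirming. If it is a String, `!umaToken.getAud().equals(urlEncodedScope)` (or an exact comparison of the parsed audience list) closes the gap. A comment on the new flag, `// true when the cached UMA token belongs to a different scope; forces an OIDC refresh before the new UMA request`, would make its purpose visible where it is declared rather than only at its use site in the next hunk. The enclosing method starts before this hunk and continues after it.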
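Review bot: With `scopeIsChanged` the call `authToken = OpenIdConnectRESTHelper.refreshToken(...)` now also runs on a token that is not expired, but the `catch (Exception e)` that ends the hunk is cut off, so it is not visible whether a failed refresh leaves the previous `authToken` in place; if it does, the UMA request further down proceeds with the unrefreshed token and the "new grants are present" assumption in the info message is silently violated. Since the refresh is no longer only an expiry fallback, the catch should distinguish the two cases, for example `if (scopeIsChanged) { _log.warn("Token refresh after scope change failed; UMA grants may be stale", e); }` before whatever it does for the expiry case. The nested `if (scopeIsChanged) { ... } else { ... }` only selects a log message, which is fine given the different levels, but a comment above the outer condition, `// a different scope needs fresh grants even if the OIDC token is still valid`, would explain why an unexpired token is refreshed. The enclosing method begins before this hunk and the catch body continues after it.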
@@ -155,8 +161,8 @@ public class SmartGearsPortalValve extends ValveBase {
 JWTTokenUtil.putOIDCInSession(authToken, session);
 }
 _log.info("Getting UMA token from OIDC endpoint for scope: " + urlEncodedScope);
- umaToken = OpenIdConnectRESTHelper.queryUMAToken(configuration.getTokenURL(), authToken.getAsBearer(),
- urlEncodedScope, null);
+ umaToken = OpenIdConnectRESTHelper.queryUMAToken(configuration.getTokenURL(),
+ authToken.getAccessTokenAsBearer(), urlEncodedScope, null);
 } catch (Exception e) {
 _log.error("Getting UMA token from server", e);
 return;
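Review bot: The change from `authToken.getAsBearer()` to `authToken.getAccessTokenAsBearer()` alters which credential is presented to the UMA endpoint, but nothing in the hunk records why; if `getAsBearer()` still exists on the token type, a later edit could revert to it without any compiler complaint. A one-line comment above the call, such as `// the UMA grant request must be authorised with the OIDC access token (getAsBearer() presumably returned a different value)`, with the parenthetical replaced by what that method actually returned, would pin the intent. The `catch (Exception e)` below logs and returns without the UMA token; that behaviour predates this commit, and since the enclosing method continues past the hunk the effect of that early return on the request is not visible here.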