scope in refresh token request should be a subset of those authorized by the resource owner.

2019-07-23 10:03:17 +01:00 · 2019-07-23 10:03:17 +01:00 · e314cddbe6
commit e314cddbe6
parent 7486f1a305
2 changed files with 16 additions and 23 deletions
--- a/oauth2-framework-impl/oauth2-client/src/main/java/com/baeldung/oauth2/client/CallbackServlet.java
+++ b/oauth2-framework-impl/oauth2-client/src/main/java/com/baeldung/oauth2/client/CallbackServlet.java
@ -4,10 +4,8 @@ import org.eclipse.microprofile.config.Config;
 import javax.inject.Inject;
 import javax.json.JsonObject;
 import javax.servlet.RequestDispatcher;
 import javax.servlet.ServletException;
 import javax.servlet.annotation.WebServlet;
 import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.ws.rs.client.Client;
@ -18,10 +16,9 @@ import javax.ws.rs.core.Form;
 import javax.ws.rs.core.HttpHeaders;
 import javax.ws.rs.core.MediaType;
 import java.io.IOException;
 import java.util.Base64;
@WebServlet(urlPatterns = "/callback")
-public class CallbackServlet extends HttpServlet {
+public class CallbackServlet extends AbstractServlet {
    @Inject
    private Config config;
@ -56,24 +53,15 @@ public class CallbackServlet extends HttpServlet {
        form.param("code", code);
        form.param("redirect_uri", config.getValue("client.redirectUri", String.class));
-        JsonObject tokenResponse = target.request(MediaType.APPLICATION_JSON_TYPE)
+        try {
-                .header(HttpHeaders.AUTHORIZATION, getAuthorizationHeaderValue())
+            JsonObject tokenResponse = target.request(MediaType.APPLICATION_JSON_TYPE)
-                .post(Entity.entity(form, MediaType.APPLICATION_FORM_URLENCODED_TYPE), JsonObject.class);
+                    .header(HttpHeaders.AUTHORIZATION, getAuthorizationHeaderValue(clientId, clientSecret))
-
+                    .post(Entity.entity(form, MediaType.APPLICATION_FORM_URLENCODED_TYPE), JsonObject.class);
-        request.getSession().setAttribute("tokenResponse", tokenResponse);
+            request.getSession().setAttribute("tokenResponse", tokenResponse);
        } catch (Exception ex) {
            System.out.println(ex.getMessage());
            request.setAttribute("error", ex.getMessage());
        }
        dispatch("/", request, response);
    }
    private void dispatch(String location, HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        RequestDispatcher requestDispatcher = request.getRequestDispatcher(location);
        requestDispatcher.forward(request, response);
    }
    private String getAuthorizationHeaderValue() {
        String clientId = config.getValue("client.clientId", String.class);
        String clientSecret = config.getValue("client.clientSecret", String.class);
        String token = clientId + ":" + clientSecret;
        String encodedString = Base64.getEncoder().encodeToString(token.getBytes());
        return "Basic " + encodedString;
    }
 }
--- a/oauth2-framework-impl/oauth2-client/src/main/java/com/baeldung/oauth2/client/RefreshTokenServlet.java
+++ b/oauth2-framework-impl/oauth2-client/src/main/java/com/baeldung/oauth2/client/RefreshTokenServlet.java
@ -46,7 +46,12 @@ public class RefreshTokenServlet extends AbstractServlet {
                .header(HttpHeaders.AUTHORIZATION, getAuthorizationHeaderValue(clientId, clientSecret))
                .post(Entity.entity(form, MediaType.APPLICATION_FORM_URLENCODED_TYPE), JsonObject.class);
-        request.getSession().setAttribute("tokenResponse", tokenResponse);
+        String error = tokenResponse.getString("error");
        if (error != null) {
            request.setAttribute("error", error);
        } else {
            request.getSession().setAttribute("tokenResponse", tokenResponse);
        }
        dispatch("/", request, response);
    }
 }