
Polish gh-1152

Joe Grandja 2 years ago
parent
commit
64ddcfc3ec

+ 0 - 20
oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthenticationProviderUtils.java

@@ -17,7 +17,6 @@ package org.springframework.security.oauth2.server.authorization.authentication;
 
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.oauth2.core.OAuth2AccessToken;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
 import org.springframework.security.oauth2.core.OAuth2RefreshToken;
@@ -56,25 +55,6 @@ final class OAuth2AuthenticationProviderUtils {
 						(metadata) ->
 								metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true));
 
-		if (OAuth2AuthorizationCode.class.isAssignableFrom(token.getClass())) {
-			OAuth2Authorization.Token<OAuth2AccessToken> accessToken = authorization.getAccessToken();
-			if (accessToken != null && !accessToken.isInvalidated()) {
-				authorizationBuilder.token(
-						accessToken.getToken(),
-						(metadata) ->
-								metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true));
-			}
-
-			OAuth2Authorization.Token<OAuth2RefreshToken> refreshToken = authorization.getRefreshToken();
-			if (refreshToken != null && !refreshToken.isInvalidated()) {
-				authorizationBuilder.token(
-						refreshToken.getToken(),
-						(metadata) ->
-								metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true));
-			}
-
-		}
-
 		if (OAuth2RefreshToken.class.isAssignableFrom(token.getClass())) {
 			authorizationBuilder.token(
 					authorization.getAccessToken().getToken(),

+ 15 - 10
oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java

@@ -150,10 +150,16 @@ public final class OAuth2AuthorizationCodeAuthenticationProvider implements Auth
 
 		if (!authorizationCode.isActive()) {
 			if (authorizationCode.isInvalidated()) {
-				authorization = OAuth2AuthenticationProviderUtils.invalidate(authorization, authorizationCode.getToken());
-				this.authorizationService.save(authorization);
-				if (this.logger.isWarnEnabled()) {
-					this.logger.warn(LogMessage.format("Invalidated authorization tokens previously issued based on the authorization code"));
+				OAuth2Token token = authorization.getRefreshToken() != null ?
+						authorization.getRefreshToken().getToken() :
+						authorization.getAccessToken().getToken();
+				if (token != null) {
+					// Invalidate the access (and refresh) token as the client is attempting to use the authorization code more than once
+					authorization = OAuth2AuthenticationProviderUtils.invalidate(authorization, token);
+					this.authorizationService.save(authorization);
+					if (this.logger.isWarnEnabled()) {
+						this.logger.warn(LogMessage.format("Invalidated authorization token(s) previously issued to registered client '%s'", registeredClient.getId()));
+					}
 				}
 			}
 			throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT);
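Review bot: The `token != null` guard on the added line cannot protect the expression that produces it, because `authorization.getAccessToken().getToken()` on the line above already dereferences the access-token wrapper, so an authorization whose code is marked invalidated without a stored access token would fail with a NullPointerException instead of the intended INVALID_GRANT. Test the wrapper instead of the unwrapped token: `OAuth2Authorization.Token<? extends OAuth2Token> issued = authorization.getRefreshToken() != null ? authorization.getRefreshToken() : authorization.getAccessToken();` followed by `if (issued != null) { authorization = OAuth2AuthenticationProviderUtils.invalidate(authorization, issued.getToken()); ... }`. With the later hunk now invalidating the code only after the access token is built this looks unreachable on the normal path, but the method acts on whatever the `OAuth2AuthorizationService` returns, so the defensive form is cheap. A why-comment would also help here, e.g. `// RFC 6749 §4.1.2: a replayed code should revoke all tokens previously issued on it`; the enclosing method starts and ends outside this hunk.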
@@ -176,12 +182,7 @@ public final class OAuth2AuthorizationCodeAuthenticationProvider implements Auth
 				.authorizationGrant(authorizationCodeAuthentication);
 		// @formatter:on
 
-		// @formatter:off
-		OAuth2Authorization.Builder authorizationBuilder = OAuth2Authorization.from(authorization)
-				// Invalidate the authorization code as it can only be used once
-				.token(authorizationCode.getToken(), metadata ->
-						metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true));
-		// @formatter:on
+		OAuth2Authorization.Builder authorizationBuilder = OAuth2Authorization.from(authorization);
 
 		// ----- Access token -----
 		OAuth2TokenContext tokenContext = tokenContextBuilder.tokenType(OAuth2TokenType.ACCESS_TOKEN).build();
@@ -262,6 +263,9 @@ public final class OAuth2AuthorizationCodeAuthenticationProvider implements Auth
 
 		authorization = authorizationBuilder.build();
 
+		// Invalidate the authorization code as it can only be used once
+		authorization = OAuth2AuthenticationProviderUtils.invalidate(authorization, authorizationCode.getToken());
+
 		this.authorizationService.save(authorization);
 
 		if (this.logger.isTraceEnabled()) {
@@ -314,4 +318,5 @@ public final class OAuth2AuthorizationCodeAuthenticationProvider implements Auth
 		}
 		return sessionInformation;
 	}
+
 }