All Downloads are FREE. Search and download functionalities are using the official Maven repository.

io.gravitee.am.gateway.handler.common.oauth2.impl.IntrospectionTokenServiceImpl Maven / Gradle / Ivy

/**
 * Copyright (C) 2015 The Gravitee team (http://gravitee.io)
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *         http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package io.gravitee.am.gateway.handler.common.oauth2.impl;

import io.gravitee.am.common.exception.jwt.JWTException;
import io.gravitee.am.common.exception.oauth2.InvalidTokenException;
import io.gravitee.am.common.jwt.JWT;
import io.gravitee.am.gateway.handler.common.client.ClientSyncService;
import io.gravitee.am.gateway.handler.common.jwt.JWTService;
import io.gravitee.am.gateway.handler.common.oauth2.IntrospectionTokenService;
import io.gravitee.am.repository.oauth2.api.AccessTokenRepository;
import io.reactivex.rxjava3.core.Maybe;
import io.reactivex.rxjava3.core.Single;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Lazy;

import java.time.Instant;
import java.util.Date;

import static io.gravitee.am.gateway.handler.common.jwt.JWTService.TokenType.ACCESS_TOKEN;

/**
 * @author Titouan COMPIEGNE (titouan.compiegne at graviteesource.com)
 * @author GraviteeSource Team
 */
public class IntrospectionTokenServiceImpl implements IntrospectionTokenService {

    private static final Logger LOGGER = LoggerFactory.getLogger(IntrospectionTokenServiceImpl.class);
    private static final long OFFLINE_VERIFICATION_TIMER_SECONDS = 10;

    @Autowired
    private JWTService jwtService;

    @Autowired
    private ClientSyncService clientService;

    @Lazy
    @Autowired
    private AccessTokenRepository accessTokenRepository;

    @Override
    public Single introspect(String token, boolean offlineVerification) {
        return jwtService.decode(token, ACCESS_TOKEN)
                .flatMapMaybe(jwt -> clientService.findByDomainAndClientId(jwt.getDomain(), jwt.getAud()))
                .switchIfEmpty(Single.error(() -> new InvalidTokenException("Invalid or unknown client for this token")))
                .flatMap(client -> jwtService.decodeAndVerify(token, client, ACCESS_TOKEN))
                .flatMap(jwt -> {
                    // Just check the JWT signature and JWT validity if offline verification option is enabled
                    // or if the token has just been created (could not be in database so far because of async database storing process delay)
                    if (offlineVerification || Instant.now().isBefore(Instant.ofEpochSecond(jwt.getIat() + OFFLINE_VERIFICATION_TIMER_SECONDS))) {
                        return Single.just(jwt);
                    }

                    // check if token is not revoked
                    return accessTokenRepository.findByToken(jwt.getJti())
                            .switchIfEmpty(Single.error(() -> new InvalidTokenException("The token is invalid", "Token with JTI [" + jwt.getJti() + "] not found in the database", jwt)))
                            .map(accessToken -> {
                                if (accessToken.getExpireAt().before(new Date())) {
                                    throw new InvalidTokenException("The token expired", "Token with JTI [" + jwt.getJti() + "] is expired", jwt);
                                }
                                return jwt;
                            });
                })
                .onErrorResumeNext(ex -> {
                    if (ex instanceof JWTException) {
                        LOGGER.debug("An error occurs while decoding JWT access token : {}", token, ex);
                        return Single.error(new InvalidTokenException(ex.getMessage(), ex));
                    }
                    if (ex instanceof InvalidTokenException) {
                        InvalidTokenException invalidTokenException = (InvalidTokenException) ex;
                        String details = invalidTokenException.getDetails();
                        JWT jwt = invalidTokenException.getJwt();
                        LOGGER.debug("An error occurs while checking JWT access token validity: {}\n\t - details: {}\n\t - decoded jwt: {}",
                                token, details != null ? details : "none", jwt != null ? jwt.toString() : "{}", invalidTokenException);
                    }
                    return Single.error(ex);
                });
    }
}




© 2015 - 2025 Weber Informatics LLC | Privacy Policy