Add Cache-Control and Pragma headers to Access Token responses

a-p-o · web-flow · commit 98eda1668bca · 2019-09-05T15:06:46.000-07:00
See section 5.1 Successful Response: https://tools.ietf.org/html/rfc6749#section-5.1 > The authorization server MUST include the HTTP "Cache-Control" > response header field [RFC2616] with a value of "no-store" in any > response containing tokens, credentials, or other sensitive > information, as well as the "Pragma" response header field [RFC2616] > with a value of "no-cache".
diff --git a/oauth2-server-core/src/main/java/nl/myndocs/oauth2/grant/CallRouterDefault.kt b/oauth2-server-core/src/main/java/nl/myndocs/oauth2/grant/CallRouterDefault.kt
@@ -21,6 +21,8 @@ fun GrantingCall.grantPassword() = granter("password") {
             )
     )
 
+    callContext.respondHeader("Cache-Control", "no-store")
+    callContext.respondHeader("Pragma", "no-cache")
     callContext.respondJson(accessTokenResponder.createResponse(accessToken))
 }
 
@@ -31,6 +33,8 @@ fun GrantingCall.grantClientCredentials() = granter("client_credentials") {
             callContext.formParameters["scope"]
     ))
 
+    callContext.respondHeader("Cache-Control", "no-store")
+    callContext.respondHeader("Pragma", "no-cache")
     callContext.respondJson(accessTokenResponder.createResponse(accessToken))
 }
 
@@ -43,6 +47,8 @@ fun GrantingCall.grantRefreshToken() = granter("refresh_token") {
             )
     )
 
+    callContext.respondHeader("Cache-Control", "no-store")
+    callContext.respondHeader("Pragma", "no-cache")
     callContext.respondJson(accessTokenResponder.createResponse(accessToken))
 }
 
@@ -56,6 +62,8 @@ fun GrantingCall.grantAuthorizationCode() = granter("authorization_code") {
             )
     )
 
+    callContext.respondHeader("Cache-Control", "no-store")
+    callContext.respondHeader("Pragma", "no-cache")
     callContext.respondJson(accessTokenResponder.createResponse(accessToken))
 }
 
@@ -106,4 +114,4 @@ fun GrantingCall.throwExceptionIfUnverifiedClient(clientRequest: ClientRequest)
 
 fun GrantingCall.scopesAllowed(clientScopes: Set<String>, requestedScopes: Set<String>): Boolean {
     return clientScopes.containsAll(requestedScopes)
-}
+}

Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,8 @@ fun GrantingCall.grantPassword() = granter("password") {`
`21`	`21`	`)`
`22`	`22`	`)`
`23`	`23`
	`24`	`+ callContext.respondHeader("Cache-Control", "no-store")`
	`25`	`+ callContext.respondHeader("Pragma", "no-cache")`
`24`	`26`	`callContext.respondJson(accessTokenResponder.createResponse(accessToken))`
`25`	`27`	`}`
`26`	`28`
`@@ -31,6 +33,8 @@ fun GrantingCall.grantClientCredentials() = granter("client_credentials") {`
`31`	`33`	`callContext.formParameters["scope"]`
`32`	`34`	`))`
`33`	`35`
	`36`	`+ callContext.respondHeader("Cache-Control", "no-store")`
	`37`	`+ callContext.respondHeader("Pragma", "no-cache")`
`34`	`38`	`callContext.respondJson(accessTokenResponder.createResponse(accessToken))`
`35`	`39`	`}`
`36`	`40`
`@@ -43,6 +47,8 @@ fun GrantingCall.grantRefreshToken() = granter("refresh_token") {`
`43`	`47`	`)`
`44`	`48`	`)`
`45`	`49`
	`50`	`+ callContext.respondHeader("Cache-Control", "no-store")`
	`51`	`+ callContext.respondHeader("Pragma", "no-cache")`
`46`	`52`	`callContext.respondJson(accessTokenResponder.createResponse(accessToken))`
`47`	`53`	`}`
`48`	`54`
`@@ -56,6 +62,8 @@ fun GrantingCall.grantAuthorizationCode() = granter("authorization_code") {`
`56`	`62`	`)`
`57`	`63`	`)`
`58`	`64`
	`65`	`+ callContext.respondHeader("Cache-Control", "no-store")`
	`66`	`+ callContext.respondHeader("Pragma", "no-cache")`
`59`	`67`	`callContext.respondJson(accessTokenResponder.createResponse(accessToken))`
`60`	`68`	`}`
`61`	`69`
`@@ -106,4 +114,4 @@ fun GrantingCall.throwExceptionIfUnverifiedClient(clientRequest: ClientRequest)`
`106`	`114`
`107`	`115`	`fun GrantingCall.scopesAllowed(clientScopes: Set<String>, requestedScopes: Set<String>): Boolean {`
`108`	`116`	`return clientScopes.containsAll(requestedScopes)`
`109`		`-}`
	`117`	`+}`