Merge pull request #1261 from stormpath/1247_oauth_revoke

Oauth revoke endpoint

Author: mrioan

extensions/servlet/src/main/java/com/stormpath/sdk/servlet/config/Config.java

@@ -109,6 +109,8 @@ public interface Config extends Map<String, String> {
 
     String getAccessTokenUrl();
 
+    String getRevokeTokenUrl();
+
     String getUnauthorizedUrl();
 
     boolean isMeEnabled();

extensions/servlet/src/main/java/com/stormpath/sdk/servlet/config/filter/DefaultFilterChainManagerConfigurer.java

@@ -107,6 +107,10 @@ public FilterChainManager configure() throws ServletException {
         boolean accessTokenChainSpecified = false;
         boolean oauthEnabled = config.isOAuthEnabled();
 
+        String revokeTokenUrl = config.getRevokeTokenUrl();
+        String revokeTokenUrlPattern = cleanUri(revokeTokenUrl);
+        boolean revokeTokenChainSpecified = false;
+
         String unauthorizedUrl = config.getUnauthorizedUrl();
         String unauthorizedUrlPattern = cleanUri(unauthorizedUrl);
         boolean unauthorizedChainSpecified = false;
@@ -240,6 +244,14 @@ public FilterChainManager configure() throws ServletException {
                         chainDefinition += Strings.DEFAULT_DELIMITER_CHAR + filterName;
                     }
 
+                } else if (uriPattern.startsWith(revokeTokenUrlPattern)) {
+                    revokeTokenChainSpecified = true;
+
+                    String filterName = DefaultFilter.revokeToken.name();
+                    if (!chainDefinition.contains(filterName)) {
+                        chainDefinition += Strings.DEFAULT_DELIMITER_CHAR + filterName;
+                    }
+
                 } else if (uriPattern.startsWith(unauthorizedUrlPattern)) {
                     unauthorizedChainSpecified = true;
 
@@ -321,6 +333,9 @@ public FilterChainManager configure() throws ServletException {
         if (!accessTokenChainSpecified && oauthEnabled) {
             mgr.createChain(accessTokenUrlPattern, DefaultFilter.accessToken.name());
         }
+        if (!revokeTokenChainSpecified && oauthEnabled) {
+            mgr.createChain(revokeTokenUrlPattern, DefaultFilter.revokeToken.name());
+        }
         if (!samlChainSpecified && callbackEnabled) {
             mgr.createChain(samlUrlPattern, DefaultFilter.saml.name());
             mgr.createChain(samlCallbackPattern, DefaultFilter.samlResult.name());

extensions/servlet/src/main/java/com/stormpath/sdk/servlet/config/filter/RevokeTokenFilterFactory.java

@@ -0,0 +1,37 @@
+/*
+ * Copyright 2017 Stormpath, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.stormpath.sdk.servlet.config.filter;
+
+import com.stormpath.sdk.servlet.config.Config;
+import com.stormpath.sdk.servlet.mvc.RevokeTokenController;
+
+/**
+ * https://github.com/stormpath/stormpath-sdk-java/issues/1247
+ *
+ * @since 1.5.0
+ */
+public class RevokeTokenFilterFactory extends ControllerFilterFactory<RevokeTokenController> {
+
+    @Override
+    protected RevokeTokenController newController() {
+        return new RevokeTokenController();
+    }
+
+    @Override
+    protected void configure(RevokeTokenController controller, Config config) throws Exception {
+        controller.setApplicationResolver(config.getApplicationResolver());
+    }
+}

extensions/servlet/src/main/java/com/stormpath/sdk/servlet/config/impl/DefaultConfig.java

@@ -80,6 +80,7 @@ public class DefaultConfig implements Config {
     public static final String UNAUTHORIZED_URL = "stormpath.web.unauthorized.uri";
     public static final String LOGOUT_INVALIDATE_HTTP_SESSION = "stormpath.web.logout.invalidateHttpSession";
     public static final String ACCESS_TOKEN_URL = "stormpath.web.oauth2.uri";
+    public static final String REVOKE_TOKEN_URL = "stormpath.web.oauth2.revoke.uri";
     public static final String ACCESS_TOKEN_VALIDATION_STRATEGY = "stormpath.web.oauth2.password.validationStrategy";
 
     protected static final String SERVER_URI_RESOLVER = "stormpath.web.oauth2.origin.authorizer.serverUriResolver";
@@ -274,6 +275,11 @@ public String getAccessTokenUrl() {
         return CFG.getString(ACCESS_TOKEN_URL);
     }
 
+    @Override
+    public String getRevokeTokenUrl() {
+        return CFG.getString(REVOKE_TOKEN_URL);
+    }
+
     @Override
     public String getUnauthorizedUrl() {
         return CFG.getString(UNAUTHORIZED_URL);

extensions/servlet/src/main/java/com/stormpath/sdk/servlet/event/TokenRevocationRequestEventListener.java

@@ -15,17 +15,28 @@
  */
 package com.stormpath.sdk.servlet.event;
 
+import com.stormpath.sdk.application.Application;
 import com.stormpath.sdk.client.Client;
 import com.stormpath.sdk.impl.ds.InternalDataStore;
+import com.stormpath.sdk.impl.error.DefaultError;
+import com.stormpath.sdk.lang.Strings;
 import com.stormpath.sdk.oauth.AccessToken;
+import com.stormpath.sdk.oauth.OAuthRequests;
+import com.stormpath.sdk.oauth.OAuthRevocationRequest;
+import com.stormpath.sdk.oauth.OAuthRevocationRequestBuilder;
+import com.stormpath.sdk.oauth.OAuthTokenRevocators;
 import com.stormpath.sdk.oauth.RefreshToken;
+import com.stormpath.sdk.oauth.TokenTypeHint;
 import com.stormpath.sdk.resource.ResourceException;
 import com.stormpath.sdk.servlet.account.event.RegisteredAccountRequestEvent;
 import com.stormpath.sdk.servlet.account.event.VerifiedAccountRequestEvent;
+import com.stormpath.sdk.servlet.application.ApplicationResolver;
 import com.stormpath.sdk.servlet.authc.FailedAuthenticationRequestEvent;
 import com.stormpath.sdk.servlet.authc.LogoutRequestEvent;
 import com.stormpath.sdk.servlet.authc.SuccessfulAuthenticationRequestEvent;
 import com.stormpath.sdk.servlet.client.ClientResolver;
+import com.stormpath.sdk.servlet.filter.oauth.OAuthErrorCode;
+import com.stormpath.sdk.servlet.filter.oauth.OAuthException;
 import com.stormpath.sdk.servlet.http.CookieResolver;
 import com.stormpath.sdk.servlet.oauth.impl.JwtTokenSigningKeyResolver;
 import io.jsonwebtoken.Claims;
@@ -37,6 +48,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import javax.servlet.http.HttpServletRequest;
 import java.security.Key;
 import java.util.LinkedHashMap;
 import java.util.Map;
@@ -51,9 +63,7 @@ public class TokenRevocationRequestEventListener implements RequestEventListener
     private final TokenExtractor tokenExtractor = new BearerHeaderTokenExtractor();
     private final CookieResolver accessTokenCookieResolver = new CookieResolver("access_token");
 
-    private final JwtTokenSigningKeyResolver jwtTokenSigningKeyResolver = new JwtTokenSigningKeyResolver();
-
-    private Client client = null;
+    protected ApplicationResolver applicationResolver = ApplicationResolver.INSTANCE;
 
     @Override
     public void on(SuccessfulAuthenticationRequestEvent event) {
@@ -78,30 +88,17 @@ public void on(VerifiedAccountRequestEvent event) {
     @Override
     public void on(LogoutRequestEvent event) {
         String jwt = getJwtFromLogoutRequestEvent(event);
-        if (jwt != null) {
-            if (this.client == null) {
-                this.client = ClientResolver.INSTANCE.getClient(event.getRequest()); //will throw if not found
-            }
-
-            Key signingKey = jwtTokenSigningKeyResolver.getSigningKey(event.getRequest(), event.getResponse(), null, SignatureAlgorithm.HS256);
-            JwsHeader header = Jwts.parser().setSigningKey(signingKey.getEncoded()).parseClaimsJws(jwt).getHeader();
-            Claims claims = Jwts.parser().setSigningKey(signingKey.getEncoded()).parseClaimsJws(jwt).getBody();
-
-            //Let's be sure this jwt is actually an access token otherwise we will have an error when trying to retrieve
-            //a resource (in order to delete it) that actually is not what we expect
-            if (isAccessToken(header)) {
-                gracefullyDeleteRefreshToken((String) claims.get("rti"));
-                gracefullyDeleteAccessToken(claims.getId());
+        HttpServletRequest request = event.getRequest();
+        Application application = applicationResolver.getApplication(request);
+        if (application != null && jwt != null) {
+            try {
+                OAuthRevocationRequest revocationRequest = OAuthRequests.OAUTH_TOKEN_REVOCATION_REQUEST.builder().setToken(jwt).build();
+                OAuthTokenRevocators.OAUTH_TOKEN_REVOCATOR.forApplication(application).revoke(revocationRequest);
+            } catch (ResourceException e) {
+                com.stormpath.sdk.error.Error error = e.getStormpathError();
+                String message = error.getMessage();
+                log.warn("There was an error trying to revoke a token", message);
             }
-            //There should never be a refresh token here. Therefore we will not even try to identify if the received JWT is
-            //a refresh token. That would be a bug in the filter chain as a refresh token should never be used to anything other than
-            //obtaining a new access token
-
-            //Fix for https://github.com/stormpath/stormpath-sdk-java/issues/611
-            log.debug(
-                "The current access and refresh tokens for '{}' have been revoked.",
-                (event.getAccount() != null) ? event.getAccount().getEmail() : "unknown user"
-            );
         }
     }
 
@@ -117,34 +114,4 @@ protected String getJwtFromLogoutRequestEvent(LogoutRequestEvent event) {
         return jwt;
     }
 
-    private boolean isAccessToken(JwsHeader header) {
-        return header.get("stt").equals("access");
-    }
-
-    private void gracefullyDeleteAccessToken(String accessTokenId) {
-        try {
-            String href = "/accessTokens/" + accessTokenId;
-            Map<String, Object> map = new LinkedHashMap<String, Object>();
-            map.put("href", href);
-            AccessToken accessToken = ((InternalDataStore)client.getDataStore()).instantiate(AccessToken.class, map, true);
-            accessToken.delete();
-        } catch (ResourceException e) {
-            //Let's prevent an error to allow the flow to continue
-            log.warn("There was an error trying to delete access token with ID {}", accessTokenId, e);
-        }
-    }
-
-    private void gracefullyDeleteRefreshToken(String refreshTokenId) {
-        try{
-            String href =  "/refreshTokens/" + refreshTokenId;
-            Map<String, Object> map = new LinkedHashMap<String, Object>();
-            map.put("href", href);
-            RefreshToken refreshToken = ((InternalDataStore)client.getDataStore()).instantiate(RefreshToken.class, map, true);
-            refreshToken.delete();
-        } catch (ResourceException e) {
-            //Let's prevent an error to allow the flow to continue, this component is basically a listener that tries to delete
-            //the current access and refresh tokens on logout, we will only post this error in the log
-            log.warn("There was an error trying to delete refresh token with ID {}", refreshTokenId, e);
-        }
-    }
 }

extensions/servlet/src/main/java/com/stormpath/sdk/servlet/filter/DefaultFilter.java

@@ -34,6 +34,7 @@
 import com.stormpath.sdk.servlet.config.filter.LogoutFilterFactory;
 import com.stormpath.sdk.servlet.config.filter.MeFilterFactory;
 import com.stormpath.sdk.servlet.config.filter.RegisterFilterFactory;
+import com.stormpath.sdk.servlet.config.filter.RevokeTokenFilterFactory;
 import com.stormpath.sdk.servlet.config.filter.SamlFilterFactory;
 import com.stormpath.sdk.servlet.config.filter.SamlResultFilterFactory;
 import com.stormpath.sdk.servlet.config.filter.StaticResourceFilterFactory;
@@ -51,6 +52,7 @@
 public enum DefaultFilter {
 
     accessToken(ControllerFilter.class, AccessTokenFilterFactory.class),
+    revokeToken(ControllerFilter.class, RevokeTokenFilterFactory.class),
     account(AccountAuthorizationFilter.class, AccountAuthorizationFilterFactory.class),
     anon(AnonymousFilter.class, null),
     authc(AuthenticationFilter.class, AuthenticationFilterFactory.class),

extensions/servlet/src/main/java/com/stormpath/sdk/servlet/mvc/RevokeTokenController.java

@@ -0,0 +1,137 @@
+/*
+ * Copyright 2017 Stormpath, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.stormpath.sdk.servlet.mvc;
+
+import com.stormpath.sdk.application.Application;
+import com.stormpath.sdk.http.HttpMethod;
+import com.stormpath.sdk.impl.error.DefaultError;
+import com.stormpath.sdk.lang.Strings;
+import com.stormpath.sdk.oauth.OAuthRequests;
+import com.stormpath.sdk.oauth.OAuthRevocationRequest;
+import com.stormpath.sdk.oauth.OAuthRevocationRequestBuilder;
+import com.stormpath.sdk.oauth.OAuthTokenRevocators;
+import com.stormpath.sdk.oauth.TokenTypeHint;
+import com.stormpath.sdk.resource.ResourceException;
+import com.stormpath.sdk.servlet.filter.oauth.OAuthErrorCode;
+import com.stormpath.sdk.servlet.filter.oauth.OAuthException;
+import com.stormpath.sdk.servlet.http.MediaType;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * https://github.com/stormpath/stormpath-sdk-java/issues/1247
+ *
+ * @since 1.5.0
+ */
+public class RevokeTokenController extends AbstractController {
+
+    private static final Logger log = LoggerFactory.getLogger(RevokeTokenController.class);
+
+    private final static String TOKEN = "token";
+    private final static String TOKEN_TYPE_HINT = "token_type_hint";
+
+    public void init() {
+    }
+
+    @Override
+    public boolean isNotAllowedIfAuthenticated() {
+        return false;
+    }
+
+    @Override
+    public ViewModel handleRequest(HttpServletRequest request, HttpServletResponse response) throws Exception {
+        String method = request.getMethod();
+
+        if (HttpMethod.POST.name().equalsIgnoreCase(method)) {
+            return doPost(request, response);
+        }
+
+        return super.handleRequest(request, response);
+    }
+
+    @Override
+    protected ViewModel doPost(HttpServletRequest request, HttpServletResponse response) throws Exception {
+
+        OAuthRevocationRequestBuilder builder = OAuthRequests.OAUTH_TOKEN_REVOCATION_REQUEST.builder();
+
+        response.setHeader("Cache-Control", "no-store, no-cache");
+        response.setHeader("Pragma", "no-cache");
+
+        try {
+
+            //Form media type is required: https://tools.ietf.org/html/rfc6749#section-4.3.2
+            String contentType = Strings.clean(request.getContentType());
+            if (contentType == null || !contentType.startsWith(MediaType.APPLICATION_FORM_URLENCODED_VALUE)) {
+                String msg = "Content-Type must be " + MediaType.APPLICATION_FORM_URLENCODED_VALUE;
+                throw new OAuthException(OAuthErrorCode.INVALID_REQUEST, msg, null);
+            }
+
+            String tokenTypeHint = request.getParameter(TOKEN_TYPE_HINT);
+
+            if (Strings.hasText(tokenTypeHint)) {
+                builder.setTokenTypeHint(TokenTypeHint.fromValue(tokenTypeHint));
+            }
+
+            String token = request.getParameter(TOKEN);
+
+            if (!Strings.hasText(token)) {
+                throw new OAuthException(OAuthErrorCode.INVALID_REQUEST);
+            }
+
+            this.revoke(getApplication(request), builder.setToken(token).build());
+
+            response.setStatus(HttpServletResponse.SC_OK);
+            response.setHeader("Content-Length", "0");
+
+        } catch (OAuthException e) {
+
+            log.debug("Error occurred revoking token: {}", e.getMessage());
+
+            response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
+
+            String json = e.toJson();
+
+            response.setHeader("Content-Length", String.valueOf(json.length()));
+            response.setContentType(MediaType.APPLICATION_JSON_VALUE);
+            response.getWriter().print(json);
+            response.getWriter().flush();
+        }
+
+        //we rendered the response directly - no need for a view to be resolved, so return null:
+        return null;
+    }
+
+    private void revoke(Application application, OAuthRevocationRequest request) throws OAuthException {
+        try {
+            OAuthTokenRevocators.OAUTH_TOKEN_REVOCATOR.forApplication(application).revoke(request);
+        } catch (ResourceException e) {
+            com.stormpath.sdk.error.Error error = e.getStormpathError();
+            String message = error.getMessage();
+
+            OAuthErrorCode oauthError = OAuthErrorCode.INVALID_REQUEST;
+            if (error instanceof DefaultError) {
+                Object errorObject = ((DefaultError) error).getProperty("error");
+                oauthError = errorObject == null ? oauthError : new OAuthErrorCode(errorObject.toString());
+            }
+
+            throw new OAuthException(oauthError, message);
+        }
+    }
+
+}

extensions/servlet/src/main/resources/com/stormpath/sdk/servlet/config/web.stormpath.properties

@@ -25,6 +25,7 @@ stormpath.web.oauth2.uri = /oauth/token
 stormpath.web.oauth2.client_credentials.enabled = true
 stormpath.web.oauth2.password.enabled = true
 stormpath.web.oauth2.password.validationStrategy = local
+stormpath.web.oauth2.revoke.uri = /oauth/revoke
 stormpath.web.accessTokenCookie.name = access_token
 stormpath.web.accessTokenCookie.httpOnly = true
 stormpath.web.accessTokenCookie.secure =

extensions/servlet/src/test/groovy/com/stormpath/sdk/servlet/config/SpecConfigVersusWebPropertiesTest.groovy

@@ -85,7 +85,7 @@ class SpecConfigVersusWebPropertiesTest {
             specProperties.containsKey(k) ? null : k
         }
 
-        def expected_diff_size = 83
+        def expected_diff_size = 84
 
         if (diff.size != expected_diff_size) {
             println "It looks like a property was added or removed from the Framework Spec or web.stormpath.properties."