fix(jans-auth-server): disabled issuing AT by refresh token if user s…

…tatus=inactive

#1093

jans-auth-server/common/src/main/java/io/jans/as/common/model/common/User.java

@@ -78,4 +78,8 @@ public void removeAttribute(String attributeName) {
         }
     }
 
+    public String getStatus() {
+        return getAttribute("gluuStatus");
+    }
+
 }

jans-auth-server/model/src/main/java/io/jans/as/model/configuration/AppConfiguration.java

@@ -263,6 +263,7 @@ public class AppConfiguration implements Configuration {
     private Boolean removeRefreshTokensForClientOnLogout = true;
     private Boolean skipRefreshTokenDuringRefreshing = false;
     private Boolean refreshTokenExtendLifetimeOnRotation = false;
+    private Boolean checkUserPresenceOnRefreshToken = false;
     private Boolean consentGatheringScriptBackwardCompatibility = false; // means ignore client configuration (as defined in 4.2) and determine it globally (as in 4.1 and earlier)
     private Boolean introspectionScriptBackwardCompatibility = false; // means ignore client configuration (as defined in 4.2) and determine it globally (as in 4.1 and earlier)
     private Boolean introspectionResponseScopesBackwardCompatibility = false;
@@ -358,6 +359,15 @@ public void setDiscoveryAllowedKeys(List<String> discoveryAllowedKeys) {
         this.discoveryAllowedKeys = discoveryAllowedKeys;
     }
 
+    public Boolean getCheckUserPresenceOnRefreshToken() {
+        if (checkUserPresenceOnRefreshToken == null) checkUserPresenceOnRefreshToken = true;
+        return checkUserPresenceOnRefreshToken;
+    }
+
+    public void setCheckUserPresenceOnRefreshToken(Boolean checkUserPresenceOnRefreshToken) {
+        this.checkUserPresenceOnRefreshToken = checkUserPresenceOnRefreshToken;
+    }
+
     public Set<ComponentType> getEnabledComponentTypes() {
         return ComponentType.fromValues(getEnabledComponents());
     }

jans-auth-server/server/src/main/java/io/jans/as/server/token/ws/rs/TokenRestWebServiceImpl.java

@@ -593,12 +593,26 @@ public Response requestAccessToken(String grantType, String code,
         return response(builder, oAuth2AuditLog);
     }
 
+    private void checkUser(AuthorizationGrant authorizationGrant) {
+        if (!appConfiguration.getCheckUserPresenceOnRefreshToken()) {
+            return;
+        }
+
+        final User user = authorizationGrant.getUser();
+        if (user == null || "inactive".equalsIgnoreCase(user.getStatus())) {
+            log.trace("The user associated with this grant is not found or otherwise with status=inactive.");
+            throw new WebApplicationException(error(400, TokenErrorResponseType.INVALID_GRANT, "The user associated with this grant is not found or otherwise with status=inactive.").build());
+        }
+    }
+
     @Nullable
     private RefreshToken createRefreshToken(@NotNull HttpServletRequest request, @NotNull Client client, @NotNull String scope, @NotNull AuthorizationGrant grant, String dpop) {
         if (!isRefreshTokenAllowed(client, scope, grant)) {
             return null;
         }
 
+        checkUser(grant);
+
         ExecutionContext executionContext = new ExecutionContext(request, null);
         executionContext.setGrant(grant);
         executionContext.setClient(client);

jans-config-api/docs/jans-config-api-swagger.yaml

@@ -4675,6 +4675,10 @@ components:
             - OLDER
             - NEWER
             - FIRST
+        checkUserPresenceOnRefreshToken:
+          type: string
+          description: Check whether user exists and is active before creating RefreshToken. Set it to true if check is needed(Default value is false - don't check.)
+          example: false
         oxElevenTestModeToken:
           type: string
           description: oxEleven Test Mode Token.