diff --git a/jans-auth-server/common/src/main/java/io/jans/as/common/model/common/User.java b/jans-auth-server/common/src/main/java/io/jans/as/common/model/common/User.java index a2bc834abf1..596f99de553 100644 --- a/jans-auth-server/common/src/main/java/io/jans/as/common/model/common/User.java +++ b/jans-auth-server/common/src/main/java/io/jans/as/common/model/common/User.java @@ -78,4 +78,8 @@ public void removeAttribute(String attributeName) { } } + public String getStatus() { + return getAttribute("gluuStatus"); + } + } \ No newline at end of file diff --git a/jans-auth-server/model/src/main/java/io/jans/as/model/configuration/AppConfiguration.java b/jans-auth-server/model/src/main/java/io/jans/as/model/configuration/AppConfiguration.java index 2559853bfc2..0266e148ea9 100644 --- a/jans-auth-server/model/src/main/java/io/jans/as/model/configuration/AppConfiguration.java +++ b/jans-auth-server/model/src/main/java/io/jans/as/model/configuration/AppConfiguration.java @@ -263,6 +263,7 @@ public class AppConfiguration implements Configuration { private Boolean removeRefreshTokensForClientOnLogout = true; private Boolean skipRefreshTokenDuringRefreshing = false; private Boolean refreshTokenExtendLifetimeOnRotation = false; + private Boolean checkUserPresenceOnRefreshToken = false; private Boolean consentGatheringScriptBackwardCompatibility = false; // means ignore client configuration (as defined in 4.2) and determine it globally (as in 4.1 and earlier) private Boolean introspectionScriptBackwardCompatibility = false; // means ignore client configuration (as defined in 4.2) and determine it globally (as in 4.1 and earlier) private Boolean introspectionResponseScopesBackwardCompatibility = false; 
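Review bot: `getStatus()` has no Javadoc and hard-codes the attribute name `"gluuStatus"`, while the status value it is compared against (`"inactive"`, in `checkUser` in TokenRestWebServiceImpl in this same commit) is hard-coded there, so the two halves of the status contract live in different files with nothing tying them together. Hoisting both into named constants on User (e.g. `public static final String STATUS_ATTRIBUTE = "gluuStatus";` and `public static final String STATUS_INACTIVE = "inactive";`) would let the token path reference them instead of repeating literals. Suggested Javadoc for the accessor: `/** Returns the raw {@code gluuStatus} attribute value; callers compare it case-insensitively. Presumably null when the attribute is absent — confirm against getAttribute(). */`.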
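Review bot: The field is initialised to `false` here, but the getter added in the next hunk of this file (`getCheckUserPresenceOnRefreshToken`) substitutes `true` when the field is null, so the effective default depends on whether the configuration loader keeps the initialiser or writes null, and the swagger description in this commit states the default is `false`. Pick one default and make all three sites agree: if the check is opt-in as documented, the getter should fall back to `false`, e.g. `return checkUserPresenceOnRefreshToken != null && checkUserPresenceOnRefreshToken;`; if the safer fail-closed behaviour is intended, change this initialiser and the swagger text to `true` instead. A comment on the field naming the chosen default, e.g. `// opt-in: when true, refresh-token creation requires the grant's user to exist and not be inactive`, would keep the next change from drifting again.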
@@ -358,6 +359,15 @@ public void setDiscoveryAllowedKeys(List discoveryAllowedKeys) { this.discoveryAllowedKeys = discoveryAllowedKeys; } + public Boolean getCheckUserPresenceOnRefreshToken() { + if (checkUserPresenceOnRefreshToken == null) checkUserPresenceOnRefreshToken = true; + return checkUserPresenceOnRefreshToken; + } + + public void setCheckUserPresenceOnRefreshToken(Boolean checkUserPresenceOnRefreshToken) { + this.checkUserPresenceOnRefreshToken = checkUserPresenceOnRefreshToken; + } + public Set getEnabledComponentTypes() { return ComponentType.fromValues(getEnabledComponents()); } diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/token/ws/rs/TokenRestWebServiceImpl.java b/jans-auth-server/server/src/main/java/io/jans/as/server/token/ws/rs/TokenRestWebServiceImpl.java index 0ede25eaeb8..4d39d5bf919 100644 --- a/jans-auth-server/server/src/main/java/io/jans/as/server/token/ws/rs/TokenRestWebServiceImpl.java +++ b/jans-auth-server/server/src/main/java/io/jans/as/server/token/ws/rs/TokenRestWebServiceImpl.java 
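Review bot: `getCheckUserPresenceOnRefreshToken` writes to the field it reads, so a getter mutates configuration state and an explicit null is silently replaced on first access; none of the neighbouring accessors in this class that are visible here do that. Prefer a pure read with the agreed default inlined, e.g. `return checkUserPresenceOnRefreshToken != null ? checkUserPresenceOnRefreshToken : Boolean.FALSE;` (or `Boolean.TRUE` if fail-closed is the decision), leaving the field untouched. Both new accessors also lack Javadoc; suggest on the getter `/** Whether refresh-token creation verifies that the grant's user exists and is not inactive; never returns null. */` and on the setter `/** Sets the flag; null is treated as the default on read. */`.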
@@ -593,12 +593,26 @@ public Response requestAccessToken(String grantType, String code, return response(builder, oAuth2AuditLog); } + private void checkUser(AuthorizationGrant authorizationGrant) { + if (!appConfiguration.getCheckUserPresenceOnRefreshToken()) { + return; + } + + final User user = authorizationGrant.getUser(); + if (user == null || "inactive".equalsIgnoreCase(user.getStatus())) { + log.trace("The user associated with this grant is not found or otherwise with status=inactive."); + throw new WebApplicationException(error(400, TokenErrorResponseType.INVALID_GRANT, "The user associated with this grant is not found or otherwise with status=inactive.").build()); + } + } + @Nullable private RefreshToken createRefreshToken(@NotNull HttpServletRequest request, @NotNull Client client, @NotNull String scope, @NotNull AuthorizationGrant grant, String dpop) { if (!isRefreshTokenAllowed(client, scope, grant)) { return null; } + checkUser(grant); + ExecutionContext executionContext = new ExecutionContext(request, null); executionContext.setGrant(grant); executionContext.setClient(client); diff --git a/jans-config-api/docs/jans-config-api-swagger.yaml b/jans-config-api/docs/jans-config-api-swagger.yaml index 7f91f3a5c71..b3b4502c043 100644 --- a/jans-config-api/docs/jans-config-api-swagger.yaml +++ b/jans-config-api/docs/jans-config-api-swagger.yaml @@ -4675,6 +4675,10 @@ components: - OLDER - NEWER - FIRST + checkUserPresenceOnRefreshToken: + type: string + description: Check whether user exists and is active before creating RefreshToken. Set it to true if check is needed(Default value is false - don't check.) + example: false oxElevenTestModeToken: type: string description: oxEleven Test Mode Token.
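Review bot: `checkUser(grant)` runs only inside `createRefreshToken`, after `isRefreshTokenAllowed` has already passed, so any token request that does not end up issuing a new refresh token never reaches the user check; if the option is meant to gate the use of an existing refresh token (as its name suggests) rather than only the issuance of a new one, the call also belongs on the refresh-grant path, which is not visible in this hunk. The rejection in `checkUser` is logged at trace level, yet a grant refused because its user is missing or inactive is an event operators will want to see by default, so `log.warn(...)` (or the audit log used elsewhere in this class, if reachable here) fits better than `log.trace(...)`. `checkUser` has no Javadoc; suggest `/** Rejects the grant with invalid_grant when checkUserPresenceOnRefreshToken is enabled and the grant's user is missing or has gluuStatus "inactive" (case-insensitive). */`. `createRefreshToken` continues past the end of the hunk.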