Merge pull request #740 from morten-nielsen/feature/refresh-token-sup…

…port

Refresh token management on the identity-facade reference

references/identity-facade/README.md

@@ -116,5 +116,5 @@ Available endpoints are the following ones:
 
 1. GET /authorize: to deal with the initiation of the authentication sequence
 2. GET /callback: to deal with access token issuance
-3. POST /token: to deal with access token issuance
+3. POST /token: to deal with access token and refresh token issuance
 4. GET /protected: to simulate access to a protected resource

references/identity-facade/apiproxy/policies/AM-BuildIdpRefreshTokenRequest.xml

@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<!--
+ Copyright 2020 Google LLC
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<AssignMessage name="AM-BuildIdpRefreshTokenRequest">
+ <AssignTo createNew="true" type="request">idpPostTokenRequest</AssignTo>
+ <Set>
+ <Headers>
+ <Header name="content-type">application/x-www-form-urlencoded</Header>
+ <Header name="accept">application/json</Header>
+ <Header name="Authorization">{private.flow.idp.Authorization}</Header>
+ </Headers>
+ <FormParams>
+ <FormParam name="refresh_token">{oauthv2refreshtoken.OA2-GetRefreshTokenAttributes.accesstoken.idp.refresh_token}</FormParam>
+ <FormParam name="grant_type">refresh_token</FormParam>
+ </FormParams>
+ <Verb>POST</Verb>
+ </Set>
+ <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
+</AssignMessage>

references/identity-facade/apiproxy/policies/EV-JwtFromIdpResponse.xml

@@ -22,7 +22,10 @@
  <Variable name="oidc.flow.access_token">
  <JSONPath>$.access_token</JSONPath>
  </Variable>
+ <Variable name="oidc.flow.refresh_token">
+ <JSONPath>$.refresh_token</JSONPath>
+ </Variable>
  </JSONPayload>
  <Source clearPayload="false">tokenResponse</Source>
- <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
+ <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
 </ExtractVariables>

references/identity-facade/apiproxy/policies/OA2-GenerateAccessToken.xml

@@ -19,9 +19,11 @@
  <GrantType>authorization_code</GrantType>
  </SupportedGrantTypes>
  <GrantType>request.formparam.grant_type</GrantType>
+ <RFCCompliantRequestResponse>true</RFCCompliantRequestResponse>
  <Attributes>
  <Attribute name="idp.jwt" ref="oidc.flow.jwt" display="false"/>
  <Attribute name="idp.access_token" ref="oidc.flow.access_token" display="false"/>
+ <Attribute name="idp.refresh_token" ref="oidc.flow.refresh_token" display="false"/>
  <Attribute name="idp.scope" ref="oidc.flow.scope" display="false"/>
  <Attribute name="idp.expires_in" ref="oidc.flow.expires_in" display="false"/>
  </Attributes>

references/identity-facade/apiproxy/policies/OA2-GenerateRefreshToken.xml

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<!--
+ Copyright 2020 Google LLC
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<OAuthV2 name="OA2-GenerateRefreshToken">
+ <Operation>RefreshAccessToken</Operation>
+ <ExpiresIn ref="private.flow.idp.expires_in">1800000</ExpiresIn>
+ <RefreshTokenExpiresIn ref="private.flow.idp.expires_in">1800000</RefreshTokenExpiresIn>
+ <RefreshToken>request.formparam.refresh_token</RefreshToken>
+ <GrantType>request.formparam.grant_type</GrantType>
+ <RFCCompliantRequestResponse>true</RFCCompliantRequestResponse>
+ <GenerateResponse enabled="true"/>
+</OAuthV2>

references/identity-facade/apiproxy/policies/OA2-GetRefreshTokenAttributes.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<!--
+ Copyright 2020 Google LLC
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<GetOAuthV2Info name="OA2-GetRefreshTokenAttributes">
+ <RefreshToken ref="request.formparam.refresh_token"/>
+ <IgnoreAccessTokenStatus>true</IgnoreAccessTokenStatus>
+</GetOAuthV2Info>

references/identity-facade/apiproxy/policies/OA2-SetUpdateTokenAttributes.xml

@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<!--
+ Copyright 2020 Google LLC
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<SetOAuthV2Info name="OA2-SetUpdateTokenAttributes">
+ <AccessToken ref="oauthv2accesstoken.OA2-GenerateRefreshToken.access_token"/>
+ <Attributes>
+ <Attribute name="idp.jwt" ref="oidc.flow.jwt" display="false"/>
+ <Attribute name="idp.access_token" ref="oidc.flow.access_token" display="false"/>
+ <Attribute name="idp.refresh_token" ref="oidc.flow.refresh_token" display="false"/>
+ <Attribute name="idp.scope" ref="oidc.flow.scope" display="false"/>
+ <Attribute name="idp.expires_in" ref="oidc.flow.expires_in" display="false"/>
+ </Attributes>
+</SetOAuthV2Info>

references/identity-facade/apiproxy/proxies/default.xml

@@ -149,30 +149,35 @@
  <Name>RF-InvalidClient</Name>
  </Step>
  <Step>
- <Condition>( verifyapikey.VAK-VerifyAPIKey-ClientId.redirection_uris != request.formparam.redirect_uri )</Condition>
+ <Condition>( verifyapikey.VAK-VerifyAPIKey-ClientId.redirection_uris != request.formparam.redirect_uri ) and ( request.formparam.grant_type == "authorization_code")</Condition>
  <Name>RF-InvalidRequest</Name>
  </Step>
  <Step>
- <Condition>( request.formparam.grant_type != "authorization_code" )</Condition>
+ <Condition>( request.formparam.grant_type != "authorization_code") and (request.formparam.grant_type != "refresh_token" )</Condition>
  <Name>RF-UnsupportedGrantType</Name>
  </Step>
  <Step>
- <Condition>( request.formparam.code Is null ) or ( request.formparam.code = "" )</Condition>
+ <Condition>((( request.formparam.code Is null ) or ( request.formparam.code = "" )) and (request.formparam.grant_type == "authorization_code"))</Condition>
  <Name>RF-InvalidGrant</Name>
  </Step>
  <Step>
- <Condition>(( request.formparam.code_verifier Is null ) or ( request.formparam.code_verifier = "" )) and ( flow.pkce.enabled = "true" )</Condition>
+ <Condition>(( request.formparam.code_verifier Is null ) or ( request.formparam.code_verifier = "" )) and ( flow.pkce.enabled = "true" ) and (request.formparam.grant_type == "authorization_code")</Condition>
  <Name>RF-InvalidGrant</Name>
  </Step>
  <Step>
+ <Condition>(request.formparam.grant_type == "authorization_code")</Condition>
  <Name>OA2-GetOriginalStateAttributes</Name>
  </Step>
  <Step>
- <Condition>( flow.pkce.enabled = "true" )</Condition>
+ <Condition>(request.formparam.grant_type == "refresh_token")</Condition>
+ <Name>OA2-GetRefreshTokenAttributes</Name>
+ </Step>
+ <Step>
+ <Condition>( flow.pkce.enabled = "true" ) and (request.formparam.grant_type == "authorization_code")</Condition>
  <Name>JS-PKCECodeVerification</Name>
  </Step>
  <Step>
- <Condition>( oidc.flow.isPKCECodeVerified == false ) and ( flow.pkce.enabled = "true" )</Condition>
+ <Condition>( oidc.flow.isPKCECodeVerified == false ) and ( flow.pkce.enabled = "true" ) and (request.formparam.grant_type == "authorization_code")</Condition>
  <Name>RF-InvalidGrant</Name>
  </Step>
  <Step>
@@ -185,8 +190,13 @@
  <Name>BA-AddClientID-ClientSecret-AzHeader</Name>
  </Step>
  <Step>
+ <Condition>(request.formparam.grant_type == "authorization_code")</Condition>
  <Name>AM-BuildIdpRequest</Name>
  </Step>
+ <Step>
+ <Condition>(request.formparam.grant_type == "refresh_token")</Condition>
+ <Name>AM-BuildIdpRefreshTokenRequest</Name>
+ </Step>
  <Step>
  <Name>SC-IdpTokenIssuance</Name>
  </Step>
@@ -220,10 +230,20 @@
  <Name>AM-SetClientIdAsFormParam</Name>
  </Step>
  <Step>
+ <Condition>(request.formparam.grant_type == "authorization_code")</Condition>
  <Name>OA2-GenerateAccessToken</Name>
  </Step>
+ <Step>
+ <Condition>(request.formparam.grant_type == "refresh_token")</Condition>
+ <Name>OA2-GenerateRefreshToken</Name>
+ </Step>
  </Request>
- <Response/>
+ <Response>
+ <Step>
+ <Condition>(request.formparam.grant_type == "refresh_token")</Condition>
+ <Name>OA2-SetUpdateTokenAttributes</Name>
+ </Step>
+ </Response>
  </Flow>
  <Flow name="GET /protected">
  <Condition>(proxy.pathsuffix MatchesPath "/protected") and (request.verb = "GET")</Condition>

references/identity-facade/diagram/sequence-identity-facade-v1.txt

@@ -137,4 +137,51 @@ deactivate nerp
 nerp -> b: 200 OK
 deactivate nerp
 
+note over u,backend: refresh token use
+opt Refresh Token
+ u -> b: User interaction
+ b -> b: App activity
+ b -> nerp: GET /protected\n(Authorization: Bearer <access_token>)
+ activate nerp
+ nerp -> nerp: verify access token
+ activate nerp
+ deactivate nerp
+ nerp -> b: status code: 401\n("error": "access_token_expired")
+ deactivate nerp
+ b ->> id: POST /token\n(refresh_token,\nclient credentials,\ngrant_type [refresh_token],\nredirect_uri)
+ activate id
+ id -> id: validate client credentials, redirect_uri, grant_type
+ activate id
+ deactivate id
+ id -> id: control presence and value of refresh token
+ activate id
+ deactivate id
+ id -> id: retrieve IdP client\ncredentials + IdP connection parameters from KVM (or PropertySet or Secret)
+ activate id
+ deactivate id
+ id -> idp: POST /token\n(w/ IdP client credentials, refresh_token)
+ activate id
+ idp -> id: access_token, refresh_token,\nid_token, expires_in
+ deactivate id
+ id -> idp: GET /certs\n(JWKS keys)
+ activate id
+ idp -> id: return latest JWKS keys
+ deactivate id
+ id -> id: cache JWKS keys
+ activate id
+ deactivate id
+ id -> id: validate id_token (JWT validation + JWKS)
+ activate id
+ deactivate id
+ id -> id: generate new access and refresh token using expires_in\n(attach IdP tokens as custom attributes)
+ activate id
+ deactivate id
+ opt
+ id -> id: generate new id_token,\nsign using Apigee private key,\nput Apigee access token in JWT
+ activate id
+ deactivate id
+ end
+ id -> b: 200 OK \n(apigee_tokens, state(1))
+ deactivate id
+end
 @enduml