Add support to revoke access token when bound session is expired/invalid.

Author: AfraHussaindeen

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/bindings/impl/AbstractTokenBinder.java

@@ -18,25 +18,19 @@
 
 package org.wso2.carbon.identity.oauth2.token.bindings.impl;
 
-import org.apache.commons.codec.digest.DigestUtils;
-import org.apache.commons.lang.ArrayUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
 import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCache;
 import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheEntry;
 import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheKey;
 import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenReqDTO;
-import org.wso2.carbon.identity.oauth2.model.HttpRequestHeader;
 import org.wso2.carbon.identity.oauth2.token.bindings.TokenBinder;
 import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
 
-import java.net.HttpCookie;
 import java.util.Optional;
 
 import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.core.HttpHeaders;
 
-import static org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants.COMMONAUTH_COOKIE;
 import static org.wso2.carbon.identity.oauth.common.OAuthConstants.GrantTypes.AUTHORIZATION_CODE;
 import static org.wso2.carbon.identity.oauth.common.OAuthConstants.GrantTypes.REFRESH_TOKEN;
 
@@ -92,38 +86,12 @@ private boolean isValidTokenBinding(OAuth2AccessTokenReqDTO oAuth2AccessTokenReq
 
         if (REFRESH_TOKEN.equals(oAuth2AccessTokenReqDTO.getGrantType())) {
 
-            HttpRequestHeader[] httpRequestHeaders = oAuth2AccessTokenReqDTO.getHttpRequestHeaders();
-            if (ArrayUtils.isEmpty(httpRequestHeaders)) {
-                return false;
-            }
-
-            for (HttpRequestHeader httpRequestHeader : httpRequestHeaders) {
-                if (HttpHeaders.COOKIE.equalsIgnoreCase(httpRequestHeader.getName())) {
-                    if (ArrayUtils.isEmpty(httpRequestHeader.getValue())) {
-                        return false;
-                    }
-
-                    String[] cookies = httpRequestHeader.getValue()[0].split(";");
-                    String cookiePrefix = cookieName + "=";
-                    for (String cookie : cookies) {
-                        if (StringUtils.isNotBlank(cookie) && cookie.trim().startsWith(cookiePrefix) &&
-                                HttpCookie.parse(cookie).get(0) != null) {
-                            String cookieValue = HttpCookie.parse(cookie).get(0).getValue();
-                            if (StringUtils.isNotBlank(cookieValue)) {
-                                String tokenBindingValue;
-                                if (COMMONAUTH_COOKIE.equals(cookieName)) {
-                                    // For sso-session binding,token binding value will be the session context id.
-                                    tokenBindingValue = DigestUtils.sha256Hex(cookieValue);
-                                } else {
-                                    tokenBindingValue = cookieValue;
-                                }
-                                String receivedBindingReference =
-                                        OAuth2Util.getTokenBindingReference(tokenBindingValue);
-                                return bindingReference.equals(receivedBindingReference);
-                            }
-                        }
-                    }
-                }
+            Optional<String> tokenBindingValueOptional = OAuth2Util.getTokenBindingValue(oAuth2AccessTokenReqDTO,
+                    cookieName);
+            if (tokenBindingValueOptional.isPresent()) {
+                String tokenBindingValue = tokenBindingValueOptional.get();
+                String receivedBindingReference = OAuth2Util.getTokenBindingReference(tokenBindingValue);
+                return bindingReference.equals(receivedBindingReference);
             }
 
             return false;

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/bindings/impl/SSOSessionBasedTokenBinder.java

@@ -1,7 +1,7 @@
 /*
- * Copyright (c) 2019, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ * Copyright (c) 2019-2025, WSO2 LLC. (http://www.wso2.com).
  *
- * WSO2 Inc. licenses this file to you under the Apache License,
+ * WSO2 LLC. licenses this file to you under the Apache License,
  * Version 2.0 (the "License"); you may not use this file except
  * in compliance with the License.
  * You may obtain a copy of the License at
@@ -30,6 +30,7 @@
 import org.wso2.carbon.identity.oauth.common.OAuthConstants;
 import org.wso2.carbon.identity.oauth2.OAuth2Constants;
 import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenReqDTO;
+import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
 
 import java.util.Arrays;
 import java.util.Collections;
@@ -128,20 +129,7 @@ public boolean isValidTokenBinding(Object request, String bindingReference) {
 
         try {
             String sessionIdentifier = getTokenBindingValue((HttpServletRequest) request);
-            if (StringUtils.isBlank(sessionIdentifier)) {
-                if (log.isDebugEnabled()) {
-                    log.debug("CommonAuthId cookie is not found in the request.");
-                }
-                return false;
-            }
-            /* Retrieve session context information using sessionIdentifier in order to check the validity of
-            commonAuthId cookie.*/
-            SessionContext sessionContext = FrameworkUtils.getSessionContextFromCache(sessionIdentifier);
-            if (sessionContext == null) {
-                if (log.isDebugEnabled()) {
-                    log.debug("Session context is not found corresponding to the session identifier: " +
-                            sessionIdentifier);
-                }
+            if (!isSSOSessionValid(sessionIdentifier)) {
                 return false;
             }
         } catch (OAuthSystemException e) {
@@ -154,6 +142,36 @@ public boolean isValidTokenBinding(Object request, String bindingReference) {
     @Override
     public boolean isValidTokenBinding(OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO, String bindingReference) {
 
-        return isValidTokenBinding(oAuth2AccessTokenReqDTO, bindingReference, COMMONAUTH_COOKIE);
+        Optional<String> sessionIdentifier =
+                OAuth2Util.getTokenBindingValue(oAuth2AccessTokenReqDTO, COMMONAUTH_COOKIE);
+        if (isSSOSessionValid(sessionIdentifier.orElse(null))) {
+            return isValidTokenBinding(oAuth2AccessTokenReqDTO, bindingReference, COMMONAUTH_COOKIE);
+        }
+        return false;
+    }
+
+    /**
+     * Check whether the session identified by the session identifier is valid.
+     *
+     * @param sessionIdentifier Session identifier.
+     * @return True if the session is valid.
+     */
+    private boolean isSSOSessionValid(String sessionIdentifier) {
+
+        if (StringUtils.isBlank(sessionIdentifier)) {
+            if (log.isDebugEnabled()) {
+                log.debug("Invalid session identifier. CommonAuthId cookie is not found in the request.");
+            }
+            return false;
+        }
+        SessionContext sessionContext = FrameworkUtils.getSessionContextFromCache(sessionIdentifier);
+        if (sessionContext == null) {
+            if (log.isDebugEnabled()) {
+                log.debug("Session context is not found corresponding to the session identifier: " +
+                        sessionIdentifier);
+            }
+            return false;
+        }
+        return true;
     }
 }

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/RefreshGrantHandler.java

@@ -56,6 +56,7 @@
 import org.wso2.carbon.identity.oauth2.IdentityOAuth2ClientException;
 import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
 import org.wso2.carbon.identity.oauth2.IdentityOAuth2ServerException;
+import org.wso2.carbon.identity.oauth2.OAuth2Constants;
 import org.wso2.carbon.identity.oauth2.ResponseHeader;
 import org.wso2.carbon.identity.oauth2.dao.OAuthTokenPersistenceFactory;
 import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenReqDTO;
@@ -118,7 +119,20 @@ public boolean validateGrant(OAuthTokenReqMessageContext tokReqMsgCtx)
                 .validateRefreshToken(tokReqMsgCtx);
 
         validateRefreshTokenInRequest(tokenReq, validationBean);
-        validateTokenBindingReference(tokenReq, validationBean);
+
+        TokenBinding tokenBinding = null;
+        if (StringUtils.isNotBlank(validationBean.getTokenBindingReference()) && !NONE
+                .equals(validationBean.getTokenBindingReference())) {
+            Optional<TokenBinding> tokenBindingOptional = OAuthTokenPersistenceFactory.getInstance()
+                    .getTokenBindingMgtDAO()
+                    .getTokenBindingByBindingRef(validationBean.getTokenId(),
+                            validationBean.getTokenBindingReference());
+            if (tokenBindingOptional.isPresent()) {
+                tokenBinding = tokenBindingOptional.get();
+                tokReqMsgCtx.setTokenBinding(tokenBinding);
+            }
+        }
+        validateTokenBindingReference(tokenReq, validationBean, tokenBinding);
         validateAuthenticatedUser(validationBean, tokReqMsgCtx);
 
         if (log.isDebugEnabled()) {
@@ -276,14 +290,6 @@ private void setPropertiesForTokenGeneration(OAuthTokenReqMessageContext tokReqM
         tokReqMsgCtx.setScope(validationBean.getScope());
         tokReqMsgCtx.getOauth2AccessTokenReqDTO().setAccessTokenExtendedAttributes(
                 validationBean.getAccessTokenExtendedAttributes());
-        if (StringUtils.isNotBlank(validationBean.getTokenBindingReference()) && !NONE
-                .equals(validationBean.getTokenBindingReference())) {
-            Optional<TokenBinding> tokenBindingOptional = OAuthTokenPersistenceFactory.getInstance()
-                    .getTokenBindingMgtDAO()
-                    .getTokenBindingByBindingRef(validationBean.getTokenId(),
-                            validationBean.getTokenBindingReference());
-            tokenBindingOptional.ifPresent(tokReqMsgCtx::setTokenBinding);
-        }
         // Store the old access token as a OAuthTokenReqMessageContext property, this is already
         // a preprocessed token.
         tokReqMsgCtx.addProperty(PREV_ACCESS_TOKEN, validationBean);
@@ -959,11 +965,11 @@ private boolean isRenewRefreshToken(String renewRefreshToken) {
     }
 
     private void validateTokenBindingReference(OAuth2AccessTokenReqDTO tokenReqDTO,
-                                               RefreshTokenValidationDataDO validationDataDO)
+                                               RefreshTokenValidationDataDO validationDataDO,
+                                               TokenBinding tokenBinding)
             throws IdentityOAuth2Exception {
 
-        if (StringUtils.isBlank(validationDataDO.getTokenBindingReference()) || NONE
-                .equals(validationDataDO.getTokenBindingReference())) {
+        if (tokenBinding == null) {
             return;
         }
 
@@ -979,6 +985,18 @@ private void validateTokenBindingReference(OAuth2AccessTokenReqDTO tokenReqDTO,
             return;
         }
 
+        // Validate SSO session bound token.
+        if (OAuth2Constants.TokenBinderType.SSO_SESSION_BASED_TOKEN_BINDER.equals(oAuthAppDO.getTokenBindingType())) {
+            if (!OAuth2Util.isTokenBoundToActiveSSOSession(tokenBinding, validationDataDO.getAccessToken(), oAuthAppDO,
+                    validationDataDO.getAuthorizedUser())) {
+                if (log.isDebugEnabled()) {
+                    log.debug("Token is not bound to an active SSO session.");
+                }                
+                throw new IdentityOAuth2Exception("Token binding validation failed. Token is not bound to an" +
+                        "active SSO session.");
+            }
+        }
+
         Optional<TokenBinder> tokenBinderOptional = OAuth2ServiceComponentHolder.getInstance()
                 .getTokenBinder(oAuthAppDO.getTokenBindingType());
         if (!tokenBinderOptional.isPresent()) {