From 023cf8a1a1cf5ece4e0780fccd62b3acbefa768c Mon Sep 17 00:00:00 2001
From: YuriyZ
Date: Tue, 12 Jul 2022 13:23:26 +0300
Subject: [PATCH] feat(jans-auth-server): jwt "exp" must consider "keyRegenerationInterval" #1233
---
 .../common/AbstractAuthorizationGrant.java | 32 +++++++++++++------
 .../as/server/service/KeyGeneratorTimer.java | 4 +++
 2 files changed, 26 insertions(+), 10 deletions(-)
diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/model/common/AbstractAuthorizationGrant.java b/jans-auth-server/server/src/main/java/io/jans/as/server/model/common/AbstractAuthorizationGrant.java
index e445c56f697..13dbcb704e0 100644
--- a/jans-auth-server/server/src/main/java/io/jans/as/server/model/common/AbstractAuthorizationGrant.java
+++ b/jans-auth-server/server/src/main/java/io/jans/as/server/model/common/AbstractAuthorizationGrant.java
@@ -14,20 +14,16 @@
 import io.jans.as.server.model.authorize.JwtAuthorizationRequest;
 import io.jans.as.server.model.authorize.ScopeChecker;
 import io.jans.as.server.model.ldap.TokenEntity;
+import io.jans.as.server.service.KeyGeneratorTimer;
 import io.jans.as.server.service.external.ExternalUpdateTokenService;
 import io.jans.as.server.service.external.context.ExternalUpdateTokenContext;
 import io.jans.as.server.util.TokenHashUtil;
+import jakarta.inject.Inject;
 import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import jakarta.inject.Inject;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Date;
-import java.util.List;
-import java.util.Set;
-import java.util.UUID;
+import java.util.*;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
 import java.util.concurrent.CopyOnWriteArraySet;
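Review bot: Replacing the six explicit `java.util` imports with `import java.util.*;` is a style regression in this import hunk: the wildcard hides which types the class actually depends on and can introduce ambiguity if a same-named type is later added to another imported package. I would keep the explicit list (`ArrayList`, `Collection`, `Date`, `List`, `Set`, `UUID`) and add only whatever new `java.util` type the rest of the change needs; the remainder of the file is outside this hunk, so whether any such type is newly required is not visible here. Moving `jakarta.inject.Inject` up next to the other third-party imports is fine.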
@@ -52,6 +48,9 @@ public abstract class AbstractAuthorizationGrant implements IAuthorizationGrant
 @Inject
 protected ScopeChecker scopeChecker;
+ @Inject
+ private KeyGeneratorTimer keyGeneratorTimer;
+
 private User user;
 private AuthorizationGrantType authorizationGrantType;
 private Client client;
@@ -290,8 +289,7 @@ public String checkScopesPolicy(String requestedScopes) {
 return grantedScopesSb.toString().trim();
 }
- @Override
- public AccessToken createAccessToken(ExecutionContext executionContext) {
+ public int getAccessTokenLifetimeInSeconds(ExecutionContext executionContext) {
 int lifetime = appConfiguration.getAccessTokenLifetime();
 // Jans Auth #830 Client-specific access token expiration
 if (client != null && client.getAccessTokenLifetime() != null && client.getAccessTokenLifetime() > 0) {
@@ -304,7 +302,21 @@ public AccessToken createAccessToken(ExecutionContext executionContext) {
 log.trace("Override access token lifetime with value from script: {}", lifetimeFromScript);
 }
- AccessToken accessToken = new AccessToken(lifetime);
+ if (client.isAccessTokenAsJwt() && appConfiguration.getKeyRegenerationEnabled()) {
+ int intervalInSeconds = appConfiguration.getKeyRegenerationInterval() * 3600;
+ int timePassedInSeconds = (int) ((System.currentTimeMillis() - keyGeneratorTimer.getLastFinishedTime()) / 1000);
+ final int recalculcatedLifetime = intervalInSeconds - timePassedInSeconds;
+ if (recalculcatedLifetime > 0) {
+ log.trace("Override access token lifetime based on key lifetime: {}", recalculcatedLifetime);
+ lifetime = recalculcatedLifetime;
+ }
+ }
+ return lifetime;
+ }
+
+ @Override
+ public AccessToken createAccessToken(ExecutionContext executionContext) {
+ AccessToken accessToken = new AccessToken(getAccessTokenLifetimeInSeconds(executionContext));
 accessToken.setSessionDn(getSessionDn());
 accessToken.setX5ts256(CertUtils.confirmationMethodHashS256(executionContext.getCertAsPem()));
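Review bot: In the `@@ -304,7 +302,21 @@` hunk the override `lifetime = recalculcatedLifetime;` can lengthen the token rather than only shorten it: right after a key regeneration `intervalInSeconds - timePassedInSeconds` is close to the whole regeneration interval (apparently hours, given the `* 3600`), so an access token configured for a few minutes would be issued with an `exp` hours away, which is the opposite of what the commit title asks for. Replace the assignment with `lifetime = Math.min(lifetime, recalculcatedLifetime);` so the remaining key lifetime only caps the configured or script-provided value. The new condition `if (client.isAccessTokenAsJwt() && ...)` also dereferences `client` without a null check, although the context line in the preceding hunk (`if (client != null && client.getAccessTokenLifetime() != null ...`) treats `client` as possibly null; guard it with `client != null &&`. The typo `recalculcatedLifetime` should be `recalculatedLifetime`, and the new public method `getAccessTokenLifetimeInSeconds` deserves a Javadoc stating that it returns the configured (or script-overridden) access token lifetime in seconds, capped by the time left until the next signing-key regeneration when the token is a JWT and key regeneration is enabled. `getAccessTokenLifetimeInSeconds` begins in the previous hunk and the body of `createAccessToken` continues past the end of this one.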
diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/service/KeyGeneratorTimer.java b/jans-auth-server/server/src/main/java/io/jans/as/server/service/KeyGeneratorTimer.java
index 665557e9d6b..49366468546 100644
--- a/jans-auth-server/server/src/main/java/io/jans/as/server/service/KeyGeneratorTimer.java
+++ b/jans-auth-server/server/src/main/java/io/jans/as/server/service/KeyGeneratorTimer.java
@@ -69,6 +69,10 @@ public class KeyGeneratorTimer {
 private AtomicBoolean isActive;
 private long lastFinishedTime;
+ public long getLastFinishedTime() {
+ return lastFinishedTime;
+ }
+
 public void initTimer() {
 log.debug("Initializing Key Generator Timer");
 this.isActive = new AtomicBoolean(false);
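Review bot: `getLastFinishedTime()` returns `lastFinishedTime`, which the context line above declares as a plain `private long`; the new getter exposes it to other threads (the grant code in the other file reads it on the request path), and if the field is written by the timer's own thread — the writer is outside this hunk — a non-volatile `long` gives neither visibility nor an atomicity guarantee for that read. Declare it `private volatile long lastFinishedTime;`, or mirror the `AtomicBoolean` used for `isActive` with an `AtomicLong`. The getter also needs a Javadoc such as `/** Epoch milliseconds at which the last key regeneration run finished, 0 if no run has completed yet. */`, since the caller subtracts it from `System.currentTimeMillis()`; confirm the unit and the initial value against the writer before committing to that wording.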