if (grant == null) {
return null;
}
// check it has not expired, the client ids are the same
if (OAuthUtils.isExpired(grant.getIssuedAt(), grant.getExpiresIn())) {
throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
}
if (!grant.getClient().getClientId().equals(client.getClientId())) {
throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
}
// redirect URIs must match too
String expectedRedirectUri = grant.getRedirectUri();
String providedRedirectUri = params.getFirst(OAuthConstants.REDIRECT_URI);
if (providedRedirectUri != null) {
if (expectedRedirectUri == null || !providedRedirectUri.equals(expectedRedirectUri)) {
throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
}
} else if (expectedRedirectUri == null && !isCanSupportPublicClients()
|| expectedRedirectUri != null
&& (client.getRedirectUris().size() != 1
|| !client.getRedirectUris().contains(expectedRedirectUri))) {
throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
}
String clientCodeVerifier = grant.getClientCodeVerifier();
if (clientCodeVerifier != null) {
String clientCodeChallenge = params.getFirst(OAuthConstants.AUTHORIZATION_CODE_VERIFIER);
if (!compareCodeVerifierWithChallenge(clientCodeVerifier, clientCodeChallenge)) {
throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
}
}
return doCreateAccessToken(client,
grant.getSubject(),