public Response validateAccessToken(@QueryParam("access_token") String tokenString) {
if (!checkSsl()) {
return createError("https_required", "HTTPS required", Response.Status.FORBIDDEN);
}
event.event(EventType.VALIDATE_ACCESS_TOKEN);
AccessToken token = null;
try {
token = RSATokenVerifier.verifyToken(tokenString, realm.getPublicKey(), realm.getName());
} catch (Exception e) {
Map<String, String> err = new HashMap<String, String>();
err.put(OAuth2Constants.ERROR, OAuthErrorException.INVALID_GRANT);
err.put(OAuth2Constants.ERROR_DESCRIPTION, "Token invalid");
event.error(Errors.INVALID_TOKEN);
return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(err)
.build();
}
event.user(token.getSubject()).session(token.getSessionState()).detail(Details.VALIDATE_ACCESS_TOKEN, token.getId());
if (token.isExpired()
|| token.getIssuedAt() < realm.getNotBefore()
) {
Map<String, String> err = new HashMap<String, String>();
err.put(OAuth2Constants.ERROR, OAuthErrorException.INVALID_GRANT);
err.put(OAuth2Constants.ERROR_DESCRIPTION, "Token expired");
event.error(Errors.INVALID_TOKEN);
return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(err)
.build();
}
UserModel user = session.users().getUserById(token.getSubject(), realm);
if (user == null) {
Map<String, String> err = new HashMap<String, String>();
err.put(OAuth2Constants.ERROR, OAuthErrorException.INVALID_GRANT);
err.put(OAuth2Constants.ERROR_DESCRIPTION, "User does not exist");
event.error(Errors.USER_NOT_FOUND);
return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(err)
.build();
}
if (!user.isEnabled()) {
Map<String, String> err = new HashMap<String, String>();
err.put(OAuth2Constants.ERROR, OAuthErrorException.INVALID_GRANT);
err.put(OAuth2Constants.ERROR_DESCRIPTION, "User disabled");
event.error(Errors.USER_DISABLED);
return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(err)
.build();
}
UserSessionModel userSession = session.sessions().getUserSession(realm, token.getSessionState());
if (!AuthenticationManager.isSessionValid(realm, userSession)) {
Map<String, String> err = new HashMap<String, String>();
err.put(OAuth2Constants.ERROR, OAuthErrorException.INVALID_GRANT);
err.put(OAuth2Constants.ERROR_DESCRIPTION, "Expired session");
event.error(Errors.USER_SESSION_NOT_FOUND);
return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(err)
.build();
}
ClientModel client = realm.findClient(token.getIssuedFor());
if (client == null) {
Map<String, String> err = new HashMap<String, String>();
err.put(OAuth2Constants.ERROR, OAuthErrorException.INVALID_CLIENT);
err.put(OAuth2Constants.ERROR_DESCRIPTION, "Issued for client no longer exists");
event.error(Errors.CLIENT_NOT_FOUND);
return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(err)
.build();
}
if (token.getIssuedAt() < client.getNotBefore()) {
Map<String, String> err = new HashMap<String, String>();
err.put(OAuth2Constants.ERROR, OAuthErrorException.INVALID_CLIENT);
err.put(OAuth2Constants.ERROR_DESCRIPTION, "Issued for client no longer exists");
event.error(Errors.INVALID_TOKEN);
return Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(err)