Polish gh-1152

jgrandja · jgrandja · commit 64ddcfc3ec4a · 2023-05-09T09:42:28.000-04:00
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthenticationProviderUtils.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthenticationProviderUtils.java
@@ -17,7 +17,6 @@
 
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.oauth2.core.OAuth2AccessToken;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
 import org.springframework.security.oauth2.core.OAuth2RefreshToken;
@@ -56,25 +55,6 @@ static <T extends OAuth2Token> OAuth2Authorization invalidate(
 						(metadata) ->
 								metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true));
 
-		if (OAuth2AuthorizationCode.class.isAssignableFrom(token.getClass())) {
-			OAuth2Authorization.Token<OAuth2AccessToken> accessToken = authorization.getAccessToken();
-			if (accessToken != null && !accessToken.isInvalidated()) {
-				authorizationBuilder.token(
-						accessToken.getToken(),
-						(metadata) ->
-								metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true));
-			}
-
-			OAuth2Authorization.Token<OAuth2RefreshToken> refreshToken = authorization.getRefreshToken();
-			if (refreshToken != null && !refreshToken.isInvalidated()) {
-				authorizationBuilder.token(
-						refreshToken.getToken(),
-						(metadata) ->
-								metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true));
-			}
-
-		}
-
 		if (OAuth2RefreshToken.class.isAssignableFrom(token.getClass())) {
 			authorizationBuilder.token(
 					authorization.getAccessToken().getToken(),
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java
@@ -150,10 +150,16 @@ public Authentication authenticate(Authentication authentication) throws Authent
 
 		if (!authorizationCode.isActive()) {
 			if (authorizationCode.isInvalidated()) {
-				authorization = OAuth2AuthenticationProviderUtils.invalidate(authorization, authorizationCode.getToken());
-				this.authorizationService.save(authorization);
-				if (this.logger.isWarnEnabled()) {
-					this.logger.warn(LogMessage.format("Invalidated authorization tokens previously issued based on the authorization code"));
+				OAuth2Token token = authorization.getRefreshToken() != null ?
+						authorization.getRefreshToken().getToken() :
+						authorization.getAccessToken().getToken();
+				if (token != null) {
+					// Invalidate the access (and refresh) token as the client is attempting to use the authorization code more than once
+					authorization = OAuth2AuthenticationProviderUtils.invalidate(authorization, token);
+					this.authorizationService.save(authorization);
+					if (this.logger.isWarnEnabled()) {
+						this.logger.warn(LogMessage.format("Invalidated authorization token(s) previously issued to registered client '%s'", registeredClient.getId()));
+					}
 				}
 			}
 			throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT);
@@ -176,12 +182,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
 				.authorizationGrant(authorizationCodeAuthentication);
 		// @formatter:on
 
-		// @formatter:off
-		OAuth2Authorization.Builder authorizationBuilder = OAuth2Authorization.from(authorization)
-				// Invalidate the authorization code as it can only be used once
-				.token(authorizationCode.getToken(), metadata ->
-						metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true));
-		// @formatter:on
+		OAuth2Authorization.Builder authorizationBuilder = OAuth2Authorization.from(authorization);
 
 		// ----- Access token -----
 		OAuth2TokenContext tokenContext = tokenContextBuilder.tokenType(OAuth2TokenType.ACCESS_TOKEN).build();
@@ -262,6 +263,9 @@ public Authentication authenticate(Authentication authentication) throws Authent
 
 		authorization = authorizationBuilder.build();
 
+		// Invalidate the authorization code as it can only be used once
+		authorization = OAuth2AuthenticationProviderUtils.invalidate(authorization, authorizationCode.getToken());
+
 		this.authorizationService.save(authorization);
 
 		if (this.logger.isTraceEnabled()) {
@@ -314,4 +318,5 @@ private SessionInformation getSessionInformation(Authentication principal) {
 		}
 		return sessionInformation;
 	}
+
 }
