Description:
Hi there,
I'm trying to follow https://docs.wso2.com/display/AM210/Securing+OAuth+Token+with+HMAC+Validation and am encountering an error when trying to use https://github.com/lahirus/oauth-hmac-extension/blob/master/src/main/java/com/sample/lahiru/wso2/hmac/oauth/OAuthHMACTokenIssuer.java as an alternative token generator.
When the sample OAuthHMACTokenIssuer calls
the validity period in the tokReqMsgCtx is always -1. I believe this is due to the code https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/AbstractAuthorizationGrantHandler.java#L272
Here createNewTokenBean has a tokReqMsgCtx with default values (e.g. validityPeriod has not been set yet). Since the validity period is -1, the enhanced token (with expiry timestamp and HMAC field) always fails validation.
I think the solution is to change the order of the calls above so that tokReqMsgCtx has all the details needed to create the access token (with the correct timestamp field).
P.S. The OAuthHMACTokenIssuer sample works fine in the 'implicit grant' case (since it doesn't use the AbstractAuthorizationGrantHandler class) - only the 'authorization code grant' case seems broken.
Suggested Labels:
Suggested Assignees:
Affected Product Version:
OS, DB, other environment details and versions:
Steps to reproduce:
Related Issues:
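A standalone model of the failure described in the report, added here as an illustration; it is not code from WSO2 or from the OAuthHMACTokenIssuer sample. The issuer embeds an expiry derived from the validity period and protects it with an HMAC, so issuing while the request context still holds the -1 default produces a token that is already expired, while setting the validity first produces a token that validates. The token layout, the key, and the `TokenReqContext` class are constructed assumptions.

```python
import hmac
import hashlib

# Constructed demo key, not a real deployment secret.
HMAC_KEY = b"constructed-demo-key"
UNSET_VALIDITY = -1  # the default the issue reports in tokReqMsgCtx


def issue_token(token_id, issued_at_ms, validity_period_s):
    """Build '<id>:<expiry_ms>:<hmac>' with expiry = issued_at + validity."""
    expiry_ms = issued_at_ms + validity_period_s * 1000
    payload = f"{token_id}:{expiry_ms}".encode()
    mac = hmac.new(HMAC_KEY, payload, hashlib.sha256).hexdigest()
    return f"{token_id}:{expiry_ms}:{mac}"


def validate_token(token, now_ms):
    """Return (ok, reason); check the HMAC first, then the expiry."""
    try:
        token_id, expiry_str, mac = token.split(":")
        expiry_ms = int(expiry_str)
    except ValueError:
        return False, "malformed"
    payload = f"{token_id}:{expiry_ms}".encode()
    expected = hmac.new(HMAC_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad hmac"
    if expiry_ms <= now_ms:
        return False, "expired"
    return True, "ok"


class TokenReqContext:
    """Hypothetical stand-in for the request context; validity starts unset."""
    def __init__(self):
        self.validity_period = UNSET_VALIDITY


def buggy_flow(ctx, now_ms, validity_s=3600):
    # Order from the report: the token is issued before validity is set,
    # so expiry = now - 1000 ms and the token is dead on arrival.
    token = issue_token("tok1", now_ms, ctx.validity_period)
    ctx.validity_period = validity_s
    return token


def fixed_flow(ctx, now_ms, validity_s=3600):
    # Proposed order: populate the context first, then issue the token.
    ctx.validity_period = validity_s
    return issue_token("tok1", now_ms, ctx.validity_period)
```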