Record access token scope in the grant response

Author: sberyozkin

extensions/oidc-db-token-state-manager/deployment/src/main/java/io/quarkus/oidc/db/token/state/manager/OidcDbTokenStateManagerProcessor.java

@@ -44,29 +44,31 @@ SyntheticBeanBuildItem produceDbTokenStateManagerBean(OidcDbTokenStateManagerRec
         final String[] queryParamPlaceholders;
         switch (sqlClientBuildItem.reactiveClient) {
             case REACTIVE_PG_CLIENT:
-                queryParamPlaceholders = new String[] { "$1", "$2", "$3", "$4", "$5", "$6" };
+                queryParamPlaceholders = new String[] { "$1", "$2", "$3", "$4", "$5", "$6", "$7" };
                 break;
             case REACTIVE_MSSQL_CLIENT:
-                queryParamPlaceholders = new String[] { "@p1", "@p2", "@p3", "@p4", "@p5", "@p6" };
+                queryParamPlaceholders = new String[] { "@p1", "@p2", "@p3", "@p4", "@p5", "@p6", "@p7" };
                 break;
             case REACTIVE_MYSQL_CLIENT:
             case REACTIVE_DB2_CLIENT:
             case REACTIVE_ORACLE_CLIENT:
-                queryParamPlaceholders = new String[] { "?", "?", "?", "?", "?", "?" };
+                queryParamPlaceholders = new String[] { "?", "?", "?", "?", "?", "?", "?" };
                 break;
             default:
                 throw new RuntimeException("Unknown Reactive Sql Client " + sqlClientBuildItem.reactiveClient);
         }
         String deleteStatement = format("DELETE FROM oidc_db_token_state_manager WHERE id = %s", queryParamPlaceholders[0]);
         String getQuery = format(
-                "SELECT id_token, access_token, refresh_token, access_token_expires_in FROM oidc_db_token_state_manager WHERE "
+                "SELECT id_token, access_token, refresh_token, access_token_expires_in, access_token_scope FROM oidc_db_token_state_manager WHERE "
                         +
                         "id = %s",
                 queryParamPlaceholders[0]);
         String insertStatement = format("INSERT INTO oidc_db_token_state_manager (id_token, access_token, refresh_token," +
-                " access_token_expires_in, expires_in, id) VALUES (%s, %s, %s, %s, %s, %s)", queryParamPlaceholders[0],
+                " access_token_expires_in, access_token_scope, expires_in, id) VALUES (%s, %s, %s, %s, %s, %s, %s)",
+                queryParamPlaceholders[0],
                 queryParamPlaceholders[1],
-                queryParamPlaceholders[2], queryParamPlaceholders[3], queryParamPlaceholders[4], queryParamPlaceholders[5]);
+                queryParamPlaceholders[2], queryParamPlaceholders[3], queryParamPlaceholders[4], queryParamPlaceholders[5],
+                queryParamPlaceholders[6]);
         return SyntheticBeanBuildItem
                 .configure(OidcDbTokenStateManager.class)
                 .alternative(true)
@@ -119,6 +121,7 @@ SyntheticBeanBuildItem createDbTokenStateInitializerProps(ReactiveSqlClientBuild
                         "access_token VARCHAR, " +
                         "refresh_token VARCHAR, " +
                         "access_token_expires_in BIGINT, " +
+                        "access_token_scope VARCHAR, " +
                         "expires_in BIGINT NOT NULL)";
                 supportsIfTableNotExists = true;
                 break;
@@ -129,6 +132,7 @@ SyntheticBeanBuildItem createDbTokenStateInitializerProps(ReactiveSqlClientBuild
                         + "access_token VARCHAR(5000) NULL, "
                         + "refresh_token VARCHAR(5000) NULL, "
                         + "access_token_expires_in BIGINT NULL, "
+                        + "access_token_scope VARCHAR(100) NULL, "
                         + "expires_in BIGINT NOT NULL, "
                         + "PRIMARY KEY (id))";
                 supportsIfTableNotExists = true;
@@ -140,6 +144,7 @@ SyntheticBeanBuildItem createDbTokenStateInitializerProps(ReactiveSqlClientBuild
                         + "access_token NVARCHAR(MAX), "
                         + "refresh_token NVARCHAR(MAX), "
                         + "access_token_expires_in BIGINT, "
+                        + "access_token_scope NVARCHAR(100), "
                         + "expires_in BIGINT NOT NULL)";
                 supportsIfTableNotExists = false;
                 break;
@@ -150,6 +155,7 @@ SyntheticBeanBuildItem createDbTokenStateInitializerProps(ReactiveSqlClientBuild
                         + "access_token VARCHAR(4000), "
                         + "refresh_token VARCHAR(4000), "
                         + "access_token_expires_in BIGINT, "
+                        + "access_token_scope VARCHAR(100), "
                         + "expires_in BIGINT NOT NULL)";
                 supportsIfTableNotExists = false;
                 break;
@@ -160,6 +166,7 @@ SyntheticBeanBuildItem createDbTokenStateInitializerProps(ReactiveSqlClientBuild
                         + "access_token VARCHAR2(4000), "
                         + "refresh_token VARCHAR2(4000), "
                         + "access_token_expires_in NUMBER, "
+                        + "access_token_scope VARCHAR2(100), "
                         + "expires_in NUMBER NOT NULL, "
                         + "PRIMARY KEY (id))";
                 supportsIfTableNotExists = true;

extensions/oidc-db-token-state-manager/deployment/src/test/java/io/quarkus/oidc/db/token/state/manager/AbstractDbTokenStateManagerTest.java

@@ -70,7 +70,8 @@ public void testCodeFlow() throws IOException {
 
             textPage = loginForm.getButtonByName("login").click();
 
-            assertEquals("alice, access token: true, access_token_expires_in: true, refresh_token: true",
+            assertEquals(
+                    "alice, access token: true, access_token_expires_in: true, access_token_scope: true, refresh_token: true",
                     textPage.getContent());
 
             assertTokenStateCount(1);

extensions/oidc-db-token-state-manager/deployment/src/test/java/io/quarkus/oidc/db/token/state/manager/OidcDbTokenStateManagerEntity.java

@@ -24,6 +24,9 @@ public class OidcDbTokenStateManagerEntity {
     @Column(name = "access_token_expires_in")
     Long accessTokenExpiresIn;
 
+    @Column(name = "access_token_scope", length = 100)
+    String accessTokenScope;
+
     @Column(name = "expires_in")
     Long expiresIn;
 }

extensions/oidc-db-token-state-manager/deployment/src/test/java/io/quarkus/oidc/db/token/state/manager/ProtectedResource.java

@@ -28,6 +28,7 @@ public String getName() {
         return idToken.getName()
                 + ", access token: " + (tokens.getAccessToken() != null)
                 + ", access_token_expires_in: " + (tokens.getAccessTokenExpiresIn() != null)
+                + ", access_token_scope: " + (tokens.getAccessTokenScope() != null)
                 + ", refresh_token: " + (tokens.getRefreshToken() != null);
 
     }

extensions/oidc-db-token-state-manager/runtime/src/main/java/io/quarkus/oidc/db/token/state/manager/runtime/OidcDbTokenStateManager.java

@@ -31,6 +31,7 @@ public class OidcDbTokenStateManager implements TokenStateManager {
     private static final String ID_TOKEN_COLUMN = "id_token";
     private static final String ACCESS_TOKEN_COLUMN = "access_token";
     private static final String ACCESS_TOKEN_EXPIRES_IN_COLUMN = "access_token_expires_in";
+    private static final String ACCESS_TOKEN_SCOPE_COLUMN = "access_token_scope";
     private static final String REFRESH_TOKEN_COLUMN = "refresh_token";
 
     private final String insertStatement;
@@ -61,6 +62,7 @@ public Uni<String> createTokenState(RoutingContext event, OidcTenantConfig oidcC
                                         .execute(
                                                 Tuple.of(tokens.getIdToken(), tokens.getAccessToken(),
                                                         tokens.getRefreshToken(), tokens.getAccessTokenExpiresIn(),
+                                                        tokens.getAccessTokenScope(),
                                                         expiresIn(event), id)))
                                 .toCompletionStage())
                 .onFailure().transform(new Function<Throwable, Throwable>() {
@@ -110,7 +112,8 @@ public Uni<? extends AuthorizationCodeTokens> apply(RowSet<Row> rows) {
                                                 firstRow.getString(ID_TOKEN_COLUMN),
                                                 firstRow.getString(ACCESS_TOKEN_COLUMN),
                                                 firstRow.getString(REFRESH_TOKEN_COLUMN),
-                                                firstRow.getLong(ACCESS_TOKEN_EXPIRES_IN_COLUMN)));
+                                                firstRow.getLong(ACCESS_TOKEN_EXPIRES_IN_COLUMN),
+                                                firstRow.getString(ACCESS_TOKEN_SCOPE_COLUMN)));
                             }
                         }
                         return Uni.createFrom().failure(new AuthenticationCompletionException(FAILED_TO_ACQUIRE_TOKEN));

extensions/oidc-redis-token-state-manager/deployment/src/test/java/io/quarkus/oidc/redis/token/state/manager/deployment/AbstractRedisTokenStateManagerTest.java

@@ -59,7 +59,8 @@ public void testCodeFlow() throws IOException {
 
             textPage = loginForm.getButtonByName("login").click();
 
-            assertEquals("alice, access token: true, access_token_expires_in: true, refresh_token: true",
+            assertEquals(
+                    "alice, access token: true, access_token_expires_in: true, access_token_scope: true, refresh_token: true",
                     textPage.getContent());
 
             assertTokenStateCount(1);

extensions/oidc-redis-token-state-manager/deployment/src/test/java/io/quarkus/oidc/redis/token/state/manager/deployment/ProtectedResource.java

@@ -28,6 +28,7 @@ public String getName() {
         return idToken.getName()
                 + ", access token: " + (tokens.getAccessToken() != null)
                 + ", access_token_expires_in: " + (tokens.getAccessTokenExpiresIn() != null)
+                + ", access_token_scope: " + (tokens.getAccessTokenScope() != null)
                 + ", refresh_token: " + (tokens.getRefreshToken() != null);
     }
 

extensions/oidc-redis-token-state-manager/runtime/src/main/java/io/quarkus/oidc/redis/token/state/manager/runtime/OidcRedisTokenStateManager.java

@@ -81,15 +81,16 @@ private static Instant expiresAt(RoutingContext event) {
         return Instant.now().plusSeconds(event.<Long> get(SESSION_MAX_AGE_PARAM));
     }
 
-    record AuthorizationCodeTokensRecord(String idToken, String accessToken, String refreshToken, Long accessTokenExpiresIn) {
+    record AuthorizationCodeTokensRecord(String idToken, String accessToken, String refreshToken, Long accessTokenExpiresIn,
+            String accessTokenScope) {
 
         private static AuthorizationCodeTokensRecord of(AuthorizationCodeTokens tokens) {
             return new AuthorizationCodeTokensRecord(tokens.getIdToken(), tokens.getAccessToken(), tokens.getRefreshToken(),
-                    tokens.getAccessTokenExpiresIn());
+                    tokens.getAccessTokenExpiresIn(), tokens.getAccessTokenScope());
         }
 
         private AuthorizationCodeTokens toTokens() {
-            return new AuthorizationCodeTokens(idToken, accessToken, refreshToken, accessTokenExpiresIn);
+            return new AuthorizationCodeTokens(idToken, accessToken, refreshToken, accessTokenExpiresIn, accessTokenScope);
         }
     }
 }

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/AuthorizationCodeTokens.java

@@ -9,6 +9,7 @@ public class AuthorizationCodeTokens {
     private String accessToken;
     private String refreshToken;
     private Long accessTokenExpiresIn;
+    private String accessTokenScope;
 
     public AuthorizationCodeTokens() {
     }
@@ -18,10 +19,16 @@ public AuthorizationCodeTokens(String idToken, String accessToken, String refres
     }
 
     public AuthorizationCodeTokens(String idToken, String accessToken, String refreshToken, Long accessTokenExpiresIn) {
+        this(idToken, accessToken, refreshToken, accessTokenExpiresIn, null);
+    }
+
+    public AuthorizationCodeTokens(String idToken, String accessToken, String refreshToken, Long accessTokenExpiresIn,
+            String accessTokenScope) {
         this.idToken = idToken;
         this.accessToken = accessToken;
         this.refreshToken = refreshToken;
         this.accessTokenExpiresIn = accessTokenExpiresIn;
+        this.accessTokenScope = accessTokenScope;
     }
 
     /**
@@ -97,4 +104,22 @@ public Long getAccessTokenExpiresIn() {
     public void setAccessTokenExpiresIn(Long accessTokenExpiresIn) {
         this.accessTokenExpiresIn = accessTokenExpiresIn;
     }
+
+    /**
+     * Get the access token scope.
+     *
+     * @return access token scope.
+     */
+    public String getAccessTokenScope() {
+        return accessTokenScope;
+    }
+
+    /**
+     * Set the access token scope.
+     *
+     * @param accessTokenScope access token scope.
+     */
+    public void setAccessTokenScope(String accessTokenScope) {
+        this.accessTokenScope = accessTokenScope;
+    }
 }

extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/DefaultTokenStateManager.java

@@ -1,5 +1,7 @@
 package io.quarkus.oidc.runtime;
 
+import java.nio.charset.StandardCharsets;
+
 import jakarta.enterprise.context.ApplicationScoped;
 
 import org.jboss.logging.Logger;
@@ -8,6 +10,7 @@
 import io.quarkus.oidc.OidcRequestContext;
 import io.quarkus.oidc.OidcTenantConfig;
 import io.quarkus.oidc.TokenStateManager;
+import io.quarkus.oidc.common.runtime.OidcCommonUtils;
 import io.quarkus.oidc.runtime.OidcTenantConfig.TokenStateManager.Strategy;
 import io.quarkus.security.AuthenticationFailedException;
 import io.smallrye.jwt.algorithm.KeyEncryptionAlgorithm;
@@ -41,16 +44,21 @@ public Uni<String> createTokenState(RoutingContext routingContext, OidcTenantCon
                         .append(CodeAuthenticationMechanism.COOKIE_DELIM)
                         .append(tokens.getAccessTokenExpiresIn() != null ? tokens.getAccessTokenExpiresIn() : "")
                         .append(CodeAuthenticationMechanism.COOKIE_DELIM)
+                        .append(tokens.getAccessTokenScope() != null ? encodeScopes(oidcConfig, tokens.getAccessTokenScope())
+                                : "")
+                        .append(CodeAuthenticationMechanism.COOKIE_DELIM)
                         .append(tokens.getRefreshToken());
             } else if (oidcConfig.tokenStateManager().strategy() == Strategy.ID_REFRESH_TOKENS) {
                 // But sometimes the access token is not required.
                 // For example, when the Quarkus endpoint does not need to use it to access another service.
-                // Skip access token and access token expiry, add refresh token
+                // Skip access token, access token expiry, access token scope, add refresh token
                 sb.append(CodeAuthenticationMechanism.COOKIE_DELIM)
                         .append("")
                         .append(CodeAuthenticationMechanism.COOKIE_DELIM)
                         .append("")
                         .append(CodeAuthenticationMechanism.COOKIE_DELIM)
+                        .append("")
+                        .append(CodeAuthenticationMechanism.COOKIE_DELIM)
                         .append(tokens.getRefreshToken());
             }
 
@@ -71,7 +79,9 @@ public Uni<String> createTokenState(RoutingContext routingContext, OidcTenantCon
                 // Add access token and its expires_in property
                 sb.append(tokens.getAccessToken())
                         .append(CodeAuthenticationMechanism.COOKIE_DELIM)
-                        .append(tokens.getAccessTokenExpiresIn() != null ? tokens.getAccessTokenExpiresIn() : "");
+                        .append(tokens.getAccessTokenExpiresIn() != null ? tokens.getAccessTokenExpiresIn() : "")
+                        .append(CodeAuthenticationMechanism.COOKIE_DELIM)
+                        .append(tokens.getAccessTokenScope() != null ? tokens.getAccessTokenScope() : "");
 
                 // Encrypt access token and create a `q_session_at` cookie.
                 CodeAuthenticationMechanism.createCookie(routingContext,
@@ -111,6 +121,7 @@ public Uni<AuthorizationCodeTokens> getTokens(RoutingContext routingContext, Oid
         String idToken = null;
         String accessToken = null;
         Long accessTokenExpiresIn = null;
+        String accessTokenScope = null;
         String refreshToken = null;
 
         if (!oidcConfig.tokenStateManager().splitTokens()) {
@@ -122,15 +133,14 @@ public Uni<AuthorizationCodeTokens> getTokens(RoutingContext routingContext, Oid
 
             try {
                 idToken = tokens[0];
-                accessToken = null;
-                refreshToken = null;
 
                 if (oidcConfig.tokenStateManager().strategy() == Strategy.KEEP_ALL_TOKENS) {
                     accessToken = tokens[1];
                     accessTokenExpiresIn = tokens[2].isEmpty() ? null : parseAccessTokenExpiresIn(tokens[2]);
-                    refreshToken = tokens[3];
+                    accessTokenScope = tokens[3].isEmpty() ? null : tokens[3];
+                    refreshToken = tokens[4];
                 } else if (oidcConfig.tokenStateManager().strategy() == Strategy.ID_REFRESH_TOKENS) {
-                    refreshToken = tokens[3];
+                    refreshToken = tokens[4];
                 }
             } catch (ArrayIndexOutOfBoundsException ex) {
                 final String error = "Session cookie is malformed";
@@ -142,8 +152,6 @@ public Uni<AuthorizationCodeTokens> getTokens(RoutingContext routingContext, Oid
         } else {
             // Decrypt ID token from the q_session cookie
             idToken = decryptToken(tokenState, routingContext, oidcConfig);
-            accessToken = null;
-            refreshToken = null;
 
             if (oidcConfig.tokenStateManager().strategy() == Strategy.KEEP_ALL_TOKENS) {
                 Cookie atCookie = getAccessTokenCookie(routingContext, oidcConfig);
@@ -155,6 +163,10 @@ public Uni<AuthorizationCodeTokens> getTokens(RoutingContext routingContext, Oid
                     try {
                         accessTokenExpiresIn = accessTokenData[1].isEmpty() ? null
                                 : parseAccessTokenExpiresIn(accessTokenData[1]);
+                        if (accessTokenData.length == 3) {
+                            accessTokenScope = accessTokenData[2].isEmpty() ? null
+                                    : decodeScopes(oidcConfig, accessTokenData[2]);
+                        }
                     } catch (ArrayIndexOutOfBoundsException ex) {
                         final String error = "Session cookie is malformed";
                         LOG.debug(ex);
@@ -176,7 +188,8 @@ public Uni<AuthorizationCodeTokens> getTokens(RoutingContext routingContext, Oid
                 }
             }
         }
-        return Uni.createFrom().item(new AuthorizationCodeTokens(idToken, accessToken, refreshToken, accessTokenExpiresIn));
+        return Uni.createFrom()
+                .item(new AuthorizationCodeTokens(idToken, accessToken, refreshToken, accessTokenExpiresIn, accessTokenScope));
     }
 
     @Override
@@ -222,7 +235,7 @@ private static String getRefreshTokenCookieName(OidcTenantConfig oidcConfig) {
         return OidcUtils.SESSION_RT_COOKIE_NAME + cookieSuffix;
     }
 
-    private String encryptToken(String token, RoutingContext context, OidcTenantConfig oidcConfig) {
+    private static String encryptToken(String token, RoutingContext context, OidcTenantConfig oidcConfig) {
         if (oidcConfig.tokenStateManager().encryptionRequired()) {
             TenantConfigContext configContext = context.get(TenantConfigContext.class.getName());
             try {
@@ -236,7 +249,7 @@ private String encryptToken(String token, RoutingContext context, OidcTenantConf
         return token;
     }
 
-    private String decryptToken(String token, RoutingContext context, OidcTenantConfig oidcConfig) {
+    private static String decryptToken(String token, RoutingContext context, OidcTenantConfig oidcConfig) {
         if (oidcConfig.tokenStateManager().encryptionRequired()) {
             TenantConfigContext configContext = context.get(TenantConfigContext.class.getName());
             try {
@@ -249,4 +262,18 @@ private String decryptToken(String token, RoutingContext context, OidcTenantConf
         }
         return token;
     }
+
+    private static String encodeScopes(OidcTenantConfig oidcConfig, String accessTokenScope) {
+        if (oidcConfig.tokenStateManager().encryptionRequired()) {
+            return accessTokenScope;
+        }
+        return OidcCommonUtils.base64UrlEncode(accessTokenScope.getBytes(StandardCharsets.UTF_8));
+    }
+
+    private static String decodeScopes(OidcTenantConfig oidcConfig, String accessTokenScope) {
+        if (oidcConfig.tokenStateManager().encryptionRequired()) {
+            return accessTokenScope;
+        }
+        return OidcCommonUtils.base64UrlDecode(accessTokenScope);
+    }
 }