Updated OAuth2 refresh token request to create a new refresh token.

Change-Id: Ia08d037193c796d549a4434c3ac5bdf66f362cd8
diff --git a/core/pom.xml b/core/pom.xml
index 253b616..f5cfa3e 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -60,9 +60,20 @@
 
 			<!-- build tests jar, so extensions can use fastjerseytest class to build 
 				rest tests -->
-			<!-- <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-source-plugin</artifactId> 
-				<version>3.0.1</version> <executions> <execution> <id>attach-sources</id> 
-				<goals> <goal>jar</goal> </goals> </execution> </executions> </plugin> -->
+			<!-- <plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-jar-plugin</artifactId>
+				<version>3.0.2</version>
+				<executions>
+					<execution>
+						<phase>package</phase>
+						<goals>
+							<goal>test-jar</goal>
+						</goals>
+					</execution>
+				</executions>
+			</plugin> -->
+			
 			<!-- Generate source jar -->
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
diff --git a/full/Changes b/full/Changes
index 647f863..b8d1645 100644
--- a/full/Changes
+++ b/full/Changes
@@ -1,6 +1,9 @@
 # version 0.61.4
 14/11/2018
    - Integrated lite and full services and controllers in core (margaretha)
+21/11/2018
+   - Updated OAuth2 refresh token request to create a new refresh token and 
+     revoke the old one per request (margaretha)   
    
 # version 0.61.3
 17/10/2018
diff --git a/full/src/main/java/de/ids_mannheim/korap/oauth2/oltu/service/OltuTokenService.java b/full/src/main/java/de/ids_mannheim/korap/oauth2/oltu/service/OltuTokenService.java
index e73421b..6bf3b39 100644
--- a/full/src/main/java/de/ids_mannheim/korap/oauth2/oltu/service/OltuTokenService.java
+++ b/full/src/main/java/de/ids_mannheim/korap/oauth2/oltu/service/OltuTokenService.java
@@ -25,7 +25,6 @@
 import de.ids_mannheim.korap.oauth2.dao.AccessTokenDao;
 import de.ids_mannheim.korap.oauth2.dao.RefreshTokenDao;
 import de.ids_mannheim.korap.oauth2.entity.AccessScope;
-import de.ids_mannheim.korap.oauth2.entity.AccessScope;
 import de.ids_mannheim.korap.oauth2.entity.AccessToken;
 import de.ids_mannheim.korap.oauth2.entity.Authorization;
 import de.ids_mannheim.korap.oauth2.entity.OAuth2Client;
@@ -80,14 +79,16 @@
 
     /**
      * Revokes all access token associated with the given refresh
-     * token, and creates a new access token with the given refresh
-     * token and scopes. Thus, at one point of time, there is only one
-     * active access token associated with a refresh token.
+     * token, and creates a new access token and a new refresh
+     * token with the same scopes. Thus, at one point of time,
+     * there is only one active access token associated with
+     * a refresh token.
      * 
      * Client authentication is done using the given client
      * credentials.
      * 
-     * TODO: should create a new refresh token when the old refresh token is used
+     * TODO: should create a new refresh token when the old refresh
+     * token is used
      * 
      * @param refreshTokenStr
      * @param scopes
@@ -139,11 +140,23 @@
         if (scopes != null && !scopes.isEmpty()) {
             requestedScopes =
                     scopeService.verifyRefreshScope(scopes, requestedScopes);
+            scopes = scopeService
+                    .convertAccessScopesToStringSet(requestedScopes);
         }
 
+        // revoke the refresh token and all access tokens associated
+        // to it
+        revokeRefreshToken(refreshTokenStr);
+
         return createsAccessTokenResponse(scopes, requestedScopes, clientId,
                 refreshToken.getUserId(),
-                refreshToken.getUserAuthenticationTime(), refreshToken);
+                refreshToken.getUserAuthenticationTime());
+
+        // without new refresh token
+        // return createsAccessTokenResponse(scopes, requestedScopes,
+        // clientId,
+        // refreshToken.getUserId(),
+        // refreshToken.getUserAuthenticationTime(), refreshToken);
     }
 
     /**
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AccessTokenTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AccessTokenTest.java
index 07d5e5d..674a5e6 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AccessTokenTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AccessTokenTest.java
@@ -222,9 +222,9 @@
 
         node = JsonUtils.readTree(entity);
         assertNotNull(node.at("/access_token").asText());
-        assertEquals(refreshToken, node.at("/refresh_token").asText());
+        assertTrue(!refreshToken.equals(node.at("/refresh_token").asText()));
 
-        testSearchWithOAuth2Token(accessToken);
+        testSearchWithRevokedAccessToken(accessToken);
     }
 
     @Test
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ControllerTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ControllerTest.java
index f16ec74..945e9d0 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ControllerTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ControllerTest.java
@@ -2,6 +2,7 @@
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
 
 import java.net.URI;
 
@@ -175,17 +176,16 @@
                 node.at("/token_type").asText());
         assertNotNull(node.at("/expires_in").asText());
 
-        testRevokeTokenPublicClient(accessToken, publicClientId,
+        testRevokeToken(accessToken, publicClientId,null,
                 "access_token");
 
         testRequestRefreshTokenInvalidScope(publicClientId, refreshToken);
-        testRequestRefreshTokenPublicClient(publicClientId, refreshToken);
         testRequestRefreshTokenInvalidClient(refreshToken);
         testRequestRefreshTokenInvalidRefreshToken(publicClientId);
+        testRequestRefreshTokenPublicClient(publicClientId, refreshToken);
 
-        testRevokeTokenPublicClient(refreshToken, publicClientId,
-                "refresh_token");
-        testRequestRefreshWithRevokedRefreshToken(publicClientId, refreshToken);
+        testRequestRefreshWithRevokedRefreshToken(publicClientId, null,
+                refreshToken);
     }
 
     @Test
@@ -218,6 +218,11 @@
         assertNotNull(node.at("/expires_in").asText());
 
         testRequestTokenWithUsedAuthorization(code);
+        
+        String refreshToken = node.at("/refresh_token").asText();
+        testRevokeToken(refreshToken, confidentialClientId,clientSecret,
+                "refresh_token");
+        testRequestRefreshWithRevokedRefreshToken(confidentialClientId, clientSecret, refreshToken);
     }
 
     private void testRequestTokenWithUsedAuthorization (String code)
@@ -585,6 +590,8 @@
         assertEquals(TokenType.BEARER.toString(),
                 node.at("/token_type").asText());
         assertNotNull(node.at("/expires_in").asText());
+
+        assertTrue(!node.at("/refresh_token").asText().equals(refreshToken));
     }
 
     private void testRequestRefreshTokenInvalidClient (String refreshToken)
@@ -624,11 +631,14 @@
     }
 
     private void testRequestRefreshWithRevokedRefreshToken (String clientId,
-            String refreshToken) throws KustvaktException {
+            String clientSecret, String refreshToken) throws KustvaktException {
         MultivaluedMap<String, String> form = new MultivaluedMapImpl();
         form.add("grant_type", GrantType.REFRESH_TOKEN.toString());
         form.add("client_id", clientId);
         form.add("refresh_token", refreshToken);
+        if (clientSecret!=null){
+            form.add("client_secret", clientSecret);
+        }
 
         ClientResponse response = resource().path(API_VERSION).path("oauth2").path("token")
                 .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
@@ -641,13 +651,16 @@
         assertEquals(OAuth2Error.INVALID_GRANT, node.at("/error").asText());
     }
 
-    private void testRevokeTokenPublicClient (String token, String clientId,
-            String tokenType) {
+    private void testRevokeToken (String token, String clientId,
+            String clientSecret, String tokenType) {
         MultivaluedMap<String, String> form = new MultivaluedMapImpl();
         form.add("token_type", tokenType);
         form.add("token", token);
         form.add("client_id", clientId);
-
+        if (clientSecret!=null){
+            form.add("client_secret", clientSecret);
+        }
+        
         ClientResponse response = resource().path(API_VERSION).path("oauth2").path("revoke")
                 .header(HttpHeaders.CONTENT_TYPE,
                         ContentType.APPLICATION_FORM_URLENCODED)
@@ -655,5 +668,5 @@
 
         assertEquals(Status.OK.getStatusCode(), response.getStatus());
     }
-
+    
 }