fix(jans-auth-server): when obtain new token using refresh token, check whether scope is null (#3382)

Milton-Ch · web-flow · commit 22743d9fce0c · 2022-12-22T14:22:31.000+02:00
diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/token/ws/rs/TokenExchangeService.java b/jans-auth-server/server/src/main/java/io/jans/as/server/token/ws/rs/TokenExchangeService.java
@@ -66,7 +66,8 @@ public class TokenExchangeService {
     private AttributeService attributeService;
 
     public void rotateDeviceSecretOnRefreshToken(HttpServletRequest httpRequest, AuthorizationGrant refreshGrant, String scope) {
-        if (!scope.contains(ScopeConstants.DEVICE_SSO)) {
+        if (StringUtils.isBlank(scope) || !scope.contains(ScopeConstants.DEVICE_SSO)) {
+            log.debug("Skip rotate device secret on refresh token. No device_sso scope.");
             return;
         }
         if (StringUtils.isBlank(refreshGrant.getSessionDn())) {

Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,8 @@ public class TokenExchangeService {`
`66`	`66`	`private AttributeService attributeService;`
`67`	`67`
`68`	`68`	`public void rotateDeviceSecretOnRefreshToken(HttpServletRequest httpRequest, AuthorizationGrant refreshGrant, String scope) {`
`69`		`- if (!scope.contains(ScopeConstants.DEVICE_SSO)) {`
	`69`	`+ if (StringUtils.isBlank(scope) \|\| !scope.contains(ScopeConstants.DEVICE_SSO)) {`
	`70`	`+ log.debug("Skip rotate device secret on refresh token. No device_sso scope.");`
`70`	`71`	`return;`
`71`	`72`	`}`
`72`	`73`	`if (StringUtils.isBlank(refreshGrant.getSessionDn())) {`