Do not create refresh token for client credentials clients

openid-connect-client/pom.xml

@@ -22,7 +22,7 @@
 	<parent>
 		<artifactId>openid-connect-parent</artifactId>
 		<groupId>org.mitre</groupId>
-		<version>1.3.6.cnaf-20240725</version>
+		<version>1.3.6.cnaf-20240927</version>
 		<relativePath>..</relativePath>
 	</parent>
 	<artifactId>openid-connect-client</artifactId>

openid-connect-common/pom.xml

@@ -22,7 +22,7 @@
 	<parent>
 		<artifactId>openid-connect-parent</artifactId>
 		<groupId>org.mitre</groupId>
-		<version>1.3.6.cnaf-20240725</version>
+		<version>1.3.6.cnaf-20240927</version>
 		<relativePath>..</relativePath>
 	</parent>
 	<artifactId>openid-connect-common</artifactId>

openid-connect-server/pom.xml

@@ -23,7 +23,7 @@
 	<parent>
 		<groupId>org.mitre</groupId>
 		<artifactId>openid-connect-parent</artifactId>
-		<version>1.3.6.cnaf-20240725</version>
+		<version>1.3.6.cnaf-20240927</version>
 		<relativePath>..</relativePath>
 	</parent>
 	<build>

openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java

@@ -241,9 +241,10 @@ public OAuth2AccessTokenEntity createAccessToken(OAuth2Authentication authentica
 
       token.setAuthenticationHolder(authHolder);
 
-      // attach a refresh token, if this client is allowed to request them and the user gets the
-      // offline scope
-      if (client.isAllowRefresh() && token.getScope().contains(SystemScopeService.OFFLINE_ACCESS)) {
+      // attach a refresh token, if this client is allowed to request them, the user gets the
+      // offline scope and grant type differs from client credentials
+      if (client.isAllowRefresh() && token.getScope().contains(SystemScopeService.OFFLINE_ACCESS)
+          && !request.getGrantType().equals("client_credentials")) {
         OAuth2RefreshTokenEntity savedRefreshToken = createRefreshToken(client, authHolder);
 
         token.setRefreshToken(savedRefreshToken);

openid-connect-server/src/test/java/org/mitre/oauth2/service/impl/TestDefaultOAuth2ProviderTokenService.java

@@ -39,7 +39,9 @@
 import static org.mockito.Mockito.when;
 
 import java.util.Date;
+import java.util.HashMap;
 import java.util.HashSet;
+import java.util.Map;
 import java.util.Set;
 
 import org.junit.Before;
@@ -310,7 +312,9 @@ public void createAccessToken_noRefresh() {
    */
   @Test
   public void createAccessToken_yesRefresh() {
-    OAuth2Request clientAuth = new OAuth2Request(null, clientId, null, true,
+    Map<String, String> requestParameters = new HashMap<String, String>();
+    requestParameters.put("grant_type", "authorization_code");
+    OAuth2Request clientAuth = new OAuth2Request(requestParameters, clientId, null, true,
         newHashSet(SystemScopeService.OFFLINE_ACCESS), null, null, null, null);
     when(authentication.getOAuth2Request()).thenReturn(clientAuth);
     when(client.isAllowRefresh()).thenReturn(true);
@@ -338,6 +342,11 @@ public void createAccessToken_expiration() {
     when(client.getRefreshTokenValiditySeconds()).thenReturn(refreshTokenValiditySeconds);
 
     long start = System.currentTimeMillis();
+    Map<String, String> requestParameters = new HashMap<String, String>();
+    requestParameters.put("grant_type", "authorization_code");
+    OAuth2Request clientAuth =
+        new OAuth2Request(requestParameters, clientId, null, true, scope, null, null, null, null);
+    when(authentication.getOAuth2Request()).thenReturn(clientAuth);
     OAuth2AccessTokenEntity token = service.createAccessToken(authentication);
     long end = System.currentTimeMillis();
 
@@ -357,6 +366,11 @@ public void createAccessToken_expiration() {
 
   @Test
   public void createAccessToken_checkClient() {
+    Map<String, String> requestParameters = new HashMap<String, String>();
+    requestParameters.put("grant_type", "authorization_code");
+    OAuth2Request clientAuth =
+        new OAuth2Request(requestParameters, clientId, null, true, scope, null, null, null, null);
+    when(authentication.getOAuth2Request()).thenReturn(clientAuth);
     OAuth2AccessTokenEntity token = service.createAccessToken(authentication);
 
     verify(scopeService, atLeastOnce()).removeReservedScopes(anySetOf(SystemScope.class));
@@ -366,6 +380,11 @@ public void createAccessToken_checkClient() {
 
   @Test
   public void createAccessToken_checkScopes() {
+    Map<String, String> requestParameters = new HashMap<String, String>();
+    requestParameters.put("grant_type", "authorization_code");
+    OAuth2Request clientAuth =
+        new OAuth2Request(requestParameters, clientId, null, true, scope, null, null, null, null);
+    when(authentication.getOAuth2Request()).thenReturn(clientAuth);
     OAuth2AccessTokenEntity token = service.createAccessToken(authentication);
 
     verify(scopeService, atLeastOnce()).removeReservedScopes(anySetOf(SystemScope.class));
@@ -381,6 +400,11 @@ public void createAccessToken_checkAttachedAuthentication() {
     when(authenticationHolderRepository.save(any(AuthenticationHolderEntity.class)))
       .thenReturn(authHolder);
 
+    Map<String, String> requestParameters = new HashMap<String, String>();
+    requestParameters.put("grant_type", "authorization_code");
+    OAuth2Request clientAuth =
+        new OAuth2Request(requestParameters, clientId, null, true, scope, null, null, null, null);
+    when(authentication.getOAuth2Request()).thenReturn(clientAuth);
     OAuth2AccessTokenEntity token = service.createAccessToken(authentication);
 
     assertThat(token.getAuthenticationHolder().getAuthentication(), equalTo(authentication));

pom.xml

@@ -20,7 +20,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>org.mitre</groupId>
 	<artifactId>openid-connect-parent</artifactId>
-	<version>1.3.6.cnaf-20240725</version>
+	<version>1.3.6.cnaf-20240927</version>
 	<name>MITREid Connect</name>
 	<packaging>pom</packaging>
 	<parent>