diff --git a/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/pom.xml b/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/pom.xml
index e40c8515c6..d8d1f32dad 100644
--- a/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/pom.xml
+++ b/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/pom.xml
@@ -34,6 +34,10 @@
http://wso2.org
+
+ org.wso2.carbon.devicemgt
+ org.wso2.carbon.identity.authenticator.backend.oauth
+
commons-codec.wso2
commons-codec
@@ -87,13 +91,17 @@
org.wso2.carbon.device.mgt.oauth.extensions.*
+ org.wso2.carbon.identity.authenticator.backend.oauth.*,
org.wso2.carbon.identity.oauth2.grant.jwt;version="${carbon.identity.jwt.grant.version.range}",
+ org.apache.commons.lang.StringUtils,
org.apache.commons.logging,
org.osgi.service.component,
org.wso2.carbon.identity.application.common.model;version="${carbon.identity.framework.version.range}",
+ org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;version="${carbon.identity.framework.version.range}",
org.wso2.carbon.user.api,
org.wso2.carbon.user.core.service,
org.wso2.carbon.user.core.tenant,
+ org.wso2.carbon.user.core.util,
org.json.simple,
javax.cache,
org.wso2.carbon.identity.core.util;version="${carbon.identity.framework.version.range}",
diff --git a/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/handlers/grant/AccessTokenGrantHandler.java b/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/handlers/grant/AccessTokenGrantHandler.java
new file mode 100644
index 0000000000..d1a718c24d
--- /dev/null
+++ b/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/handlers/grant/AccessTokenGrantHandler.java
@@ -0,0 +1,134 @@
+/*
+ * Copyright (c) 2017, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ * WSO2 Inc. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.device.mgt.oauth.extensions.handlers.grant;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
+import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
+import org.wso2.carbon.identity.application.common.model.ServiceProvider;
+import org.wso2.carbon.identity.authenticator.backend.oauth.validator.OAuth2TokenValidator;
+import org.wso2.carbon.identity.authenticator.backend.oauth.validator.OAuthValidationResponse;
+import org.wso2.carbon.identity.authenticator.backend.oauth.validator.OAuthValidatorFactory;
+import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
+import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenReqDTO;
+import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
+import org.wso2.carbon.identity.oauth2.model.RequestParameter;
+import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
+import org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler;
+import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
+import org.wso2.carbon.user.core.util.UserCoreUtil;
+import org.wso2.carbon.utils.multitenancy.MultitenantUtils;
+import java.rmi.RemoteException;
+
+/**
+ * This allows user to generate a new access token using an existing access token.
+ */
+@SuppressWarnings("unused")
+public class AccessTokenGrantHandler extends AbstractAuthorizationGrantHandler {
+ private static Log log = LogFactory.getLog(AccessTokenGrantHandler.class);
+ private static final String TENANT_DOMAIN_KEY = "tenantDomain";
+
+ private OAuth2TokenValidator tokenValidator;
+ public static final String TOKEN_GRANT_PARAM = "admin_access_token";
+
+ public AccessTokenGrantHandler() {
+ try {
+ tokenValidator = OAuthValidatorFactory.getValidator();
+ } catch (IllegalArgumentException e) {
+ log.error("Failed to initialise Authenticator", e);
+ }
+ }
+
+ @Override
+ public boolean validateGrant(OAuthTokenReqMessageContext tokReqMsgCtx) throws IdentityOAuth2Exception {
+ if (!super.validateGrant(tokReqMsgCtx)) {
+ return false;
+ } else {
+ OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO = tokReqMsgCtx.getOauth2AccessTokenReqDTO();
+ String username = null;
+ String userTenantDomain = null;
+ String clientId = oAuth2AccessTokenReqDTO.getClientId();
+ String spTenantDomain = null;
+ OAuthValidationResponse response;
+ ServiceProvider serviceProvider;
+ boolean authStatus = false;
+
+ String accessToken = null;
+ RequestParameter[] parameters = tokReqMsgCtx.getOauth2AccessTokenReqDTO().getRequestParameters();
+
+ for (RequestParameter parameter : parameters) {
+ if (TOKEN_GRANT_PARAM.equals(parameter.getKey())) {
+ if (parameter.getValue() != null && parameter.getValue().length > 0) {
+ accessToken = parameter.getValue()[0];
+ }
+ }
+ }
+
+ if (accessToken != null && !accessToken.isEmpty()) {
+ try {
+ response = tokenValidator.validateToken(accessToken);
+ } catch (RemoteException e) {
+ log.error("Failed to validate the OAuth token provided.", e);
+ return false;
+ }
+ if (response != null && response.isValid()) {
+ authStatus = true;
+ username = response.getUserName();
+ userTenantDomain = MultitenantUtils.getTenantDomain(username);
+ spTenantDomain = response.getTenantDomain();
+ }
+ }
+
+ try {
+ serviceProvider = OAuth2ServiceComponentHolder.getApplicationMgtService()
+ .getServiceProviderByClientId(clientId, "oauth2", spTenantDomain);
+ } catch (IdentityApplicationManagementException var15) {
+ throw new IdentityOAuth2Exception("Error occurred while retrieving OAuth2 application data for client id "
+ + clientId, var15);
+ }
+
+ if (!serviceProvider.isSaasApp() && !userTenantDomain.equals(spTenantDomain)) {
+ if (log.isDebugEnabled()) {
+ log.debug("Non-SaaS service provider tenant domain is not same as user tenant domain; "
+ + spTenantDomain + " != " + userTenantDomain);
+ }
+
+ return false;
+ } else {
+ String tenantAwareUserName = MultitenantUtils.getTenantAwareUsername(username);
+ username = tenantAwareUserName + "@" + userTenantDomain;
+ if (authStatus) {
+ if (!username.contains("/") && StringUtils.isNotBlank(UserCoreUtil.getDomainFromThreadLocal())) {
+ username = UserCoreUtil.getDomainFromThreadLocal() + "/" + username;
+ }
+
+ AuthenticatedUser user = OAuth2Util.getUserFromUserName(username);
+ user.setAuthenticatedSubjectIdentifier(user.toString());
+ tokReqMsgCtx.setAuthorizedUser(user);
+ tokReqMsgCtx.setScope(oAuth2AccessTokenReqDTO.getScope());
+ return authStatus;
+ } else {
+ throw new IdentityOAuth2Exception("Authentication failed for " + username);
+ }
+ }
+ }
+ }
+}
diff --git a/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/validators/AccessTokenGrantValidator.java b/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/validators/AccessTokenGrantValidator.java
new file mode 100644
index 0000000000..c3f323df4d
--- /dev/null
+++ b/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/validators/AccessTokenGrantValidator.java
@@ -0,0 +1,33 @@
+/*
+ * Copyright (c) 2017, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ * WSO2 Inc. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.device.mgt.oauth.extensions.validators;
+
+import org.apache.oltu.oauth2.common.validators.AbstractValidator;
+import org.wso2.carbon.device.mgt.oauth.extensions.handlers.grant.AccessTokenGrantHandler;
+
+import javax.servlet.http.HttpServletRequest;
+
+@SuppressWarnings("unused")
+public class AccessTokenGrantValidator extends AbstractValidator {
+
+ public AccessTokenGrantValidator() {
+ requiredParams.add(AccessTokenGrantHandler.TOKEN_GRANT_PARAM);
+ }
+
+}
diff --git a/components/identity-extensions/pom.xml b/components/identity-extensions/pom.xml
index eb21ecb2ea..ce9eee400b 100644
--- a/components/identity-extensions/pom.xml
+++ b/components/identity-extensions/pom.xml
@@ -34,10 +34,10 @@
http://wso2.org
+ org.wso2.carbon.identity.authenticator.backend.oauth
org.wso2.carbon.device.mgt.oauth.extensions
org.wso2.carbon.identity.jwt.client.extension
dynamic-client-registration
- org.wso2.carbon.identity.authenticator.backend.oauth