state.append(tokenizeString(client.getClientId())); state.append(SEP); state.append(tokenizeString(client.getClientSecret())); state.append(SEP); state.append(client.isConfidential()); state.append(SEP); state.append(tokenizeString(client.getApplicationName())); state.append(SEP); state.append(tokenizeString(client.getApplicationWebUri())); state.append(SEP); state.append(tokenizeString(client.getApplicationDescription())); state.append(SEP); state.append(tokenizeString(client.getApplicationLogoUri())); state.append(SEP); state.append(client.getApplicationCertificates()); state.append(SEP); state.append(client.getAllowedGrantTypes().toString()); state.append(SEP); state.append(client.getRedirectUris().toString()); state.append(SEP);
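/**
 * Rebuilds a {@link Client} from its tokenized, {@code SEP}-separated form.
 *
 * <p>The part order mirrors the order in which {@code tokenizeClient} appends the
 * fields. Every text field that the tokenizer wrote through {@code tokenizeString}
 * is decoded here through {@code getStringPart}; this now also covers the client id
 * and the client secret (parts 0 and 1), which were previously taken verbatim even
 * though they are tokenized the same way as the other text fields. A public client
 * serialized without a secret therefore comes back with the same secret value it had
 * before serialization instead of the tokenizer's marker text.
 *
 * @param sequence the tokenized client state produced by {@code tokenizeClient}
 * @return the reconstructed client
 */
private static Client recreateClientInternal(String sequence) {
    String[] parts = getParts(sequence);
    // Parts 0..4 are the constructor arguments: id, secret, confidential flag,
    // application name and application web URI.
    Client c = new Client(getStringPart(parts[0]),
                          getStringPart(parts[1]),
                          Boolean.parseBoolean(parts[2]),
                          getStringPart(parts[3]),
                          getStringPart(parts[4]));
    c.setApplicationDescription(getStringPart(parts[5]));
    c.setApplicationLogoUri(getStringPart(parts[6]));
    // Collection-valued fields were appended with toString() and are parsed back
    // by the simple list/map parsers.
    c.setApplicationCertificates(parseSimpleList(parts[7]));
    c.setAllowedGrantTypes(parseSimpleList(parts[8]));
    c.setRedirectUris(parseSimpleList(parts[9]));
    c.setRegisteredScopes(parseSimpleList(parts[10]));
    c.setRegisteredAudiences(parseSimpleList(parts[11]));
    c.setProperties(parseSimpleMap(parts[12]));
    c.setSubject(recreateUserSubject(parts[13]));
    return c;
}
private static String tokenizeClient(Client client) {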
/**
 * Tells whether {@code grantType} may be used by {@code client}.
 *
 * <p>A {@code null} grant type is never supported. A public (non-confidential)
 * client is only accepted when {@code canSupportPublicClients} is set. For an
 * accepted client an empty allowed-grants list is treated as "no restriction";
 * otherwise the grant type must be listed explicitly.
 *
 * @param client the client requesting the grant
 * @param canSupportPublicClients whether public clients are allowed at all
 * @param grantType the requested grant type, may be {@code null}
 * @return {@code true} if the grant is supported for this client
 */
public static boolean isGrantSupportedForClient(Client client, boolean canSupportPublicClients, String grantType) {
    if (grantType == null) {
        return false;
    }
    boolean publicClientRejected = !client.isConfidential() && !canSupportPublicClients;
    if (publicClientRejected) {
        return false;
    }
    List<String> allowed = client.getAllowedGrantTypes();
    // An empty list means the client is not restricted to particular grant types.
    if (allowed.isEmpty()) {
        return true;
    }
    return allowed.contains(grantType);
}
/**
 * Builds an on-the-fly confidential client for the client-credentials grant.
 *
 * <p>The client is only created when {@code authenticateUnregisteredClient}
 * accepts the id/password pair; it is restricted to the client-credentials
 * grant type.
 *
 * @param clientId the client id presented by the caller
 * @param password the password (client secret) presented by the caller
 * @return the new client, or {@code null} if authentication failed
 */
protected Client createClientCredentialsClient(String clientId, String password) {
    if (!authenticateUnregisteredClient(clientId, password)) {
        return null;
    }
    Client client = new Client(clientId, password, true);
    client.setAllowedGrantTypes(Collections.singletonList(OAuthConstants.CLIENT_CREDENTIALS_GRANT));
    return client;
}
/**
 * Persists or updates the enclosing {@code client}.
 *
 * <p>If the client carries a resource-owner subject, an already-stored subject
 * with the same id is reused; otherwise the subject is persisted. The client
 * itself is merged when a row with its client id already exists and persisted
 * otherwise.
 *
 * @param em the entity manager for the current transaction
 * @return always {@code null}
 */
@Override
public Void execute(EntityManager em) {
    UserSubject owner = client.getResourceOwnerSubject();
    if (owner != null) {
        UserSubject stored = em.find(UserSubject.class, owner.getId());
        if (stored != null) {
            client.setResourceOwnerSubject(stored);
        } else {
            em.persist(owner);
        }
    }
    // Parameterized JPQL: the client id is bound, never concatenated into the query.
    Long matches = em.createQuery("SELECT count(client) from Client client where client.clientId = :id", Long.class)
        .setParameter("id", client.getClientId())
        .getSingleResult();
    if (matches > 0) {
        em.merge(client);
    } else {
        em.persist(client);
    }
    return null;
}
});
Client newClient = new Client(clientId, clientSecret, isConfidential, clientName); newClient.setAllowedGrantTypes(grantTypes); newClient.setTokenEndpointAuthMethod(tokenEndpointAuthMethod); if (OAuthConstants.TOKEN_ENDPOINT_AUTH_TLS.equals(tokenEndpointAuthMethod)) { String subjectDn = (String)request.getProperty(OAuthConstants.TLS_CLIENT_AUTH_SUBJECT_DN); if (subjectDn != null) { newClient.getProperties().put(OAuthConstants.TLS_CLIENT_AUTH_SUBJECT_DN, subjectDn); newClient.getProperties().put(OAuthConstants.TLS_CLIENT_AUTH_ISSUER_DN, issuerDn); newClient.setRegisteredAt(System.currentTimeMillis() / 1000); newClient.setRedirectUris(redirectUris); newClient.setRegisteredAudiences(resourceUris); newClient.setRegisteredScopes(OAuthUtils.parseScope(scope)); newClient.setApplicationWebUri(clientUri); newClient.setApplicationLogoUri(clientLogoUri); if (sc != null && sc.getUserPrincipal() != null && sc.getUserPrincipal().getName() != null) { UserSubject subject = new UserSubject(sc.getUserPrincipal().getName()); newClient.setResourceOwnerSubject(subject); newClient.setRegisteredDynamically(true);
/**
 * Removes the client from the in-memory map, keyed by its client id.
 *
 * @param c the client to remove
 */
@Override
public void doRemoveClient(Client c) {
    String id = c.getClientId();
    clientsMap.remove(id);
}
@Override
protected ClientRegistration fromClientToClientRegistration(Client c) { ClientRegistration reg = new ClientRegistration(); reg.setClientName(c.getApplicationName()); reg.setGrantTypes(c.getAllowedGrantTypes()); reg.setApplicationType(c.isConfidential() ? "web" : "native"); if (!c.getRedirectUris().isEmpty()) { reg.setRedirectUris(c.getRedirectUris()); if (!c.getRegisteredScopes().isEmpty()) { reg.setScope(OAuthUtils.convertListOfScopesToString(c.getRegisteredScopes())); if (c.getApplicationWebUri() != null) { reg.setClientUri(c.getApplicationWebUri()); if (c.getApplicationLogoUri() != null) { reg.setLogoUri(c.getApplicationLogoUri()); if (!c.getRegisteredAudiences().isEmpty()) { reg.setResourceUris(c.getRegisteredAudiences()); if (c.getTokenEndpointAuthMethod() != null) { reg.setTokenEndpointAuthMethod(c.getTokenEndpointAuthMethod()); if (OAuthConstants.TOKEN_ENDPOINT_AUTH_TLS.equals(c.getTokenEndpointAuthMethod())) { String subjectDn = c.getProperties().get(OAuthConstants.TLS_CLIENT_AUTH_SUBJECT_DN); if (subjectDn != null) { reg.setProperty(OAuthConstants.TLS_CLIENT_AUTH_SUBJECT_DN, subjectDn); String issuerDn = c.getProperties().get(OAuthConstants.TLS_CLIENT_AUTH_ISSUER_DN); if (issuerDn != null) { reg.setProperty(OAuthConstants.TLS_CLIENT_AUTH_ISSUER_DN, issuerDn);
Client client = new Client("consumer-id", "this-is-a-secret", true); List<String> redirectUris = new ArrayList<>(); redirectUris.add("http://www.blah.apache.org"); client.setRedirectUris(redirectUris); client.getAllowedGrantTypes().add("authorization_code"); client.getAllowedGrantTypes().add("refresh_token"); client.getAllowedGrantTypes().add("implicit"); client.getAllowedGrantTypes().add("hybrid"); client.getAllowedGrantTypes().add("password"); client.getAllowedGrantTypes().add("client_credentials"); client.getAllowedGrantTypes().add("urn:ietf:params:oauth:grant-type:saml2-bearer"); client.getAllowedGrantTypes().add("urn:ietf:params:oauth:grant-type:jwt-bearer"); client.getRegisteredScopes().add("read_balance"); client.getRegisteredScopes().add("create_balance"); client.getRegisteredScopes().add("read_data"); client.getRegisteredScopes().add("read_book"); client.getRegisteredScopes().add("create_book"); client.getRegisteredScopes().add("create_image"); client.getRegisteredScopes().add("openid"); client = new Client("consumer-id-oidc", "this-is-a-secret", true); client.setRedirectUris(Collections.singletonList("https://localhost:" + servicePort + "/secured/bookstore/books")); client.getAllowedGrantTypes().add("authorization_code"); client.getAllowedGrantTypes().add("refresh_token");
secData.setAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE)); secData.setNonce(params.getFirst(OAuthConstants.NONCE)); secData.setClientId(client.getClientId()); secData.setResponseType(params.getFirst(OAuthConstants.RESPONSE_TYPE)); if (requestedPerms != null && !requestedPerms.isEmpty()) { secData.setAlreadyAuthorizedPermissions(alreadyAuthorizedPerms); secData.setHidePreauthorizedScopesInForm(hidePreauthorizedScopesInForm); secData.setApplicationName(client.getApplicationName()); secData.setApplicationWebUri(client.getApplicationWebUri()); secData.setApplicationDescription(client.getApplicationDescription()); secData.setApplicationLogoUri(client.getApplicationLogoUri()); secData.setApplicationCertificates(client.getApplicationCertificates()); Map<String, String> extraProperties = client.getProperties(); secData.setExtraApplicationProperties(extraProperties); secData.setApplicationRegisteredDynamically(client.isRegisteredDynamically()); secData.setSupportSinglePageApplications(supportSinglePageApplications); String replyTo = getMessageContext().getUriInfo()
/**
 * Converts a registered {@link Client} into the registration response returned
 * to the caller.
 *
 * <p>The client secret is only included when the client has one; its expiry is
 * reported as {@code 0}. When registration access tokens are supported, the
 * registration client URI and the access token are included together.
 *
 * @param client the registered client
 * @return the response describing the registration
 */
protected ClientRegistrationResponse fromClientToRegistrationResponse(Client client) {
    ClientRegistrationResponse response = new ClientRegistrationResponse();
    String clientId = client.getClientId();
    response.setClientId(clientId);

    String secret = client.getClientSecret();
    if (secret != null) {
        response.setClientSecret(secret);
        // TODO: consider making Client secret time limited
        // (0 is reported as the expiry; per RFC 7591 that means "does not expire")
        response.setClientSecretExpiresAt(Long.valueOf(0));
    }
    response.setClientIdIssuedAt(client.getRegisteredAt());

    UriBuilder pathBuilder = getMessageContext().getUriInfo().getAbsolutePathBuilder();
    if (supportRegistrationAccessTokens) {
        // both registration access token and uri are either included or excluded
        String registrationUri = pathBuilder.path(clientId).build().toString();
        response.setRegistrationClientUri(registrationUri);
        String regToken = client.getProperties().get(ClientRegistrationResponse.REG_ACCESS_TOKEN);
        response.setRegistrationAccessToken(regToken);
    }
    return response;
}
String clientSecret = generateClientSecret(); Client newClient = new Client(clientId, clientSecret, true, appName, appURI); newClient.setApplicationDescription(appDesc); newClient.setApplicationLogoUri(logoURI.toString()); newClient.setRedirectUris(Collections.singletonList(appRedirectURI)); manager.registerClient(newClient); return new ConsumerRegistration(clientId, clientSecret);
/**
 * Registers three test clients exercising the TLS client-binding variants.
 *
 * <p>The first client is identified by a certificate subject DN and has its
 * certificate registered; the second is bound to the same subject DN through
 * the {@code TLS_CLIENT_AUTH_SUBJECT_DN} property; the third has no binding
 * configured here.
 *
 * @throws Exception if registering the certificate fails
 */
public OAuthDataProviderImpl() throws Exception {
    final String boundSubjectDn = "CN=whateverhost.com,OU=Morpit,O=ApacheTest,L=Syracuse,C=US";

    // Client whose id is the certificate subject DN; its certificate is registered too.
    Client certClient = new Client(boundSubjectDn, null, true, null, null);
    certClient.getAllowedGrantTypes().add("custom_grant");
    registerCert(certClient);
    setClient(certClient);

    // Client bound to the certificate through the subject-DN property instead of its id.
    Client boundClient = new Client("bound", null, true, null, null);
    boundClient.getProperties().put(OAuthConstants.TLS_CLIENT_AUTH_SUBJECT_DN, boundSubjectDn);
    boundClient.getAllowedGrantTypes().add("custom_grant");
    setClient(boundClient);

    // Client with no certificate binding configured.
    Client unboundClient = new Client("unbound", null, true, null, null);
    setClient(unboundClient);
}
/**
 * Verifies that the presented TLS client certificate matches the binding
 * registered for {@code client}.
 *
 * <p>A client must be bound either through a subject DN property or through
 * registered application certificates. When a subject and/or issuer DN property
 * is present it must equal the DN taken from the root TLS certificate; when
 * application certificates are registered they are compared against the TLS
 * session. Finally the certificate thumbprint confirmation is recorded on the
 * message context.
 *
 * @param client the authenticating client
 * @param tlsSessionInfo the TLS session of the current request
 */
protected void checkCertificateBinding(Client client, TLSSessionInfo tlsSessionInfo) {
    String expectedSubjectDn = client.getProperties().get(OAuthConstants.TLS_CLIENT_AUTH_SUBJECT_DN);
    boolean hasRegisteredCerts = !client.getApplicationCertificates().isEmpty();
    // Nothing to bind against: neither a subject DN nor registered certificates.
    if (expectedSubjectDn == null && !hasRegisteredCerts) {
        reportCertificateBindingFailure(client);
    }
    X509Certificate cert = OAuthUtils.getRootTLSCertificate(tlsSessionInfo);
    // NOTE(review): DNs are compared as exact strings, so attribute order or
    // formatting differences between the registered value and the presented
    // certificate's DN fail the check — confirm this strictness is intended.
    if (expectedSubjectDn != null) {
        String presentedSubjectDn = OAuthUtils.getSubjectDnFromTLSCertificates(cert);
        if (!expectedSubjectDn.equals(presentedSubjectDn)) {
            reportCertificateBindingFailure(client);
        }
    }
    String expectedIssuerDn = client.getProperties().get(OAuthConstants.TLS_CLIENT_AUTH_ISSUER_DN);
    if (expectedIssuerDn != null) {
        String presentedIssuerDn = OAuthUtils.getIssuerDnFromTLSCertificates(cert);
        if (!expectedIssuerDn.equals(presentedIssuerDn)) {
            reportCertificateBindingFailure(client);
        }
    }
    if (hasRegisteredCerts) {
        compareTlsCertificates(tlsSessionInfo, client.getApplicationCertificates());
    }
    OAuthUtils.setCertificateThumbprintConfirmation(getMessageContext(), cert);
}

/**
 * Logs a binding failure for {@code client} and reports it as an invalid client.
 *
 * @param client the client that could not be bound to the TLS certificate
 */
private void reportCertificateBindingFailure(Client client) {
    LOG.warning("Client \"" + client.getClientId() + "\" can not be bound to the TLS certificate");
    reportInvalidClient();
}
/**
 * Captures the validation-relevant attributes of a server access token.
 *
 * <p>Client-related values are read from the token's client; everything else is
 * copied from the token itself, including its extra properties.
 *
 * @param token the server-side access token being validated
 */
public AccessTokenValidation(ServerAccessToken token) {
    Client client = token.getClient();
    // Attributes of the client the token was issued to.
    this.clientId = client.getClientId();
    this.clientSubject = client.getSubject();
    this.isClientConfidential = client.isConfidential();
    this.clientIpAddress = client.getClientIpAddress();

    // Attributes of the token itself.
    this.tokenKey = token.getTokenKey();
    this.tokenType = token.getTokenType();
    this.tokenGrantType = token.getGrantType();
    this.tokenIssuedAt = token.getIssuedAt();
    this.tokenLifetime = token.getExpiresIn();
    this.tokenNotBefore = token.getNotBefore();
    this.tokenIssuer = token.getIssuer();
    this.tokenSubject = token.getSubject();
    this.tokenScopes = token.getScopes();
    this.audiences = token.getAudiences();
    this.clientCodeVerifier = token.getClientCodeVerifier();
    this.extraProps.putAll(token.getExtraProperties());
}
/**
 * Generates a registration access token for {@code client} and stores it on
 * the client.
 *
 * <p>The token is kept in the client's properties under
 * {@code ClientRegistrationResponse.REG_ACCESS_TOKEN} as-is, so whoever can
 * read the stored client record can read the token.
 *
 * @param client the client being registered
 * @return the generated token
 */
protected String createRegAccessToken(Client client) {
    String token = OAuthUtils.generateRandomTokenKey();
    client.getProperties().put(ClientRegistrationResponse.REG_ACCESS_TOKEN, token);
    return token;
}
protected void checkRegistrationAccessToken(Client c, String accessToken) {
/**
 * Registers a new confidential client from a submitted HTML form.
 *
 * <p>A client id is derived from the application name and URI and a fresh
 * secret is generated; the single redirect URI from the form is registered
 * for the client. No validation of the form values happens in this method
 * itself — presumably {@code manager.registerClient} performs it.
 *
 * @param appName the application name
 * @param appURI the application web URI
 * @param appRedirectURI the single redirect URI to register
 * @return the consumer registration holding the id and secret
 */
@POST
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@Path("/")
public ConsumerRegistration registerForm(@FormParam("appName") String appName,
                                         @FormParam("appURI") String appURI,
                                         @FormParam("appRedirectURI") String appRedirectURI) {
    String secret = generateClientSecret();
    String id = generateClientId(appName, appURI);

    Client registered = new Client(id, secret, true, appName, appURI);
    registered.setRedirectUris(Collections.singletonList(appRedirectURI));
    manager.registerClient(registered);

    return new ConsumerRegistration(id, secret);
}
/**
 * Looks up a client, falling back to the {@code externalClients} set when the
 * parent provider does not know the id.
 *
 * <p>The fallback key is the literal {@code clientId + ":" + currentClientSecret};
 * a match yields a confidential client using basic token-endpoint authentication.
 *
 * @param clientId the client id to resolve
 * @return the client, or {@code null} if neither source knows it
 */
@Override
public Client getClient(String clientId) {
    Client known = super.getClient(clientId);
    if (known != null) {
        return known;
    }
    String clientSecret = super.getCurrentClientSecret();
    // NOTE(review): plain concatenation — a client id containing ':' makes the
    // id/secret boundary ambiguous; confirm ids are constrained elsewhere.
    String lookupKey = clientId + ":" + clientSecret;
    if (!externalClients.contains(lookupKey)) {
        return null;
    }
    Client external = new Client(clientId, clientSecret, true);
    external.setTokenEndpointAuthMethod(OAuthConstants.TOKEN_ENDPOINT_AUTH_BASIC);
    return external;
}
/**
 * Resolves the client for {@code clientId} and checks the presented secret.
 *
 * <p>The resolved client's id must equal the requested one, the client must be
 * confidential, and the secret must pass
 * {@code isConfidenatialClientSecretValid}; each failure is reported through
 * {@code reportInvalidClient}.
 *
 * @param clientId the client id from the request
 * @param providedClientSecret the secret from the request
 * @param params the request parameters
 * @return the validated client
 */
protected Client getAndValidateClientFromIdAndSecret(String clientId, String providedClientSecret, MultivaluedMap<String, String> params) {
    Client client = getClient(clientId, providedClientSecret, params);
    boolean idMatches = client.getClientId().equals(clientId);
    if (!idMatches) {
        reportInvalidClient();
    }
    // Only a confidential client may authenticate with a secret, and it has to verify.
    boolean secretAccepted = client.isConfidential()
        && isConfidenatialClientSecretValid(client, providedClientSecret);
    if (!secretAccepted) {
        reportInvalidClient();
    }
    return client;
}
protected boolean isConfidenatialClientSecretValid(Client client, String providedClientSecret) {
throw new OAuthServiceException(OAuthConstants.INVALID_GRANT); if (!grant.getClient().getClientId().equals(client.getClientId())) { throw new OAuthServiceException(OAuthConstants.INVALID_GRANT); && (client.getRedirectUris().size() != 1 || !client.getRedirectUris().contains(expectedRedirectUri))) { throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);