state.append(ModelEncryptionSupport.tokenizeString(secData.getClientId())); state.append(ModelEncryptionSupport.SEP); state.append(ModelEncryptionSupport.tokenizeString(secData.getAudience())); state.append(ModelEncryptionSupport.SEP); state.append(ModelEncryptionSupport.tokenizeString(secData.getClientCodeChallenge())); state.append(ModelEncryptionSupport.SEP); state.append(ModelEncryptionSupport.tokenizeString(secData.getState())); state.append(ModelEncryptionSupport.SEP); state.append(ModelEncryptionSupport.tokenizeString(secData.getProposedScope())); state.append(ModelEncryptionSupport.SEP); state.append(ModelEncryptionSupport.tokenizeString(secData.getRedirectUri())); state.append(ModelEncryptionSupport.SEP); state.append(ModelEncryptionSupport.tokenizeString(secData.getNonce())); state.append(ModelEncryptionSupport.SEP); state.append(ModelEncryptionSupport.tokenizeString(secData.getResponseType())); state.append(ModelEncryptionSupport.SEP); state.append(secData.getExtraProperties().toString());
/**
 * Rebuilds the redirection state from the raw authorization request parameters.
 * <p>
 * Only the standard request parameters are copied: client id, redirect URI, audience,
 * scope, state, nonce and response type. The client code challenge and the extra
 * properties are not populated here; presumably a subclass or the caller fills them in
 * when they are needed.
 *
 * @param params the authorization request parameters
 * @return a new state object populated from {@code params}; a parameter that is absent from
 *         the request leaves the corresponding field {@code null}
 */
protected OAuthRedirectionState recreateRedirectionStateFromParams(MultivaluedMap<String, String> params) {
    final OAuthRedirectionState redirectionState = new OAuthRedirectionState();
    // Only the first occurrence of each parameter is considered.
    redirectionState.setClientId(params.getFirst(OAuthConstants.CLIENT_ID));
    redirectionState.setResponseType(params.getFirst(OAuthConstants.RESPONSE_TYPE));
    redirectionState.setRedirectUri(params.getFirst(OAuthConstants.REDIRECT_URI));
    redirectionState.setProposedScope(params.getFirst(OAuthConstants.SCOPE));
    redirectionState.setAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE));
    redirectionState.setState(params.getFirst(OAuthConstants.STATE));
    redirectionState.setNonce(params.getFirst(OAuthConstants.NONCE));
    return redirectionState;
}
protected void personalizeData(OAuthAuthorizationData data, UserSubject userSubject) {
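/**
 * Appends the trailing {@code state} and, when enabled, {@code client_id} parameters to the
 * redirect response being built.
 * <p>
 * Both values are URL-encoded before they are written, so that characters such as
 * {@code &}, {@code =} or {@code #} in them cannot spill into a neighbouring parameter.
 * The client id is encoded the same way as the state value for consistency.
 *
 * @param sb    the response buffer; every parameter written here is prefixed with {@code &},
 *              so the caller is expected to have written at least one parameter already
 * @param state the redirection state carrying the {@code state} and {@code client_id} values
 */
protected void finalizeResponse(StringBuilder sb, OAuthRedirectionState state) {
    final String stateParam = state.getState();
    if (stateParam != null) {
        sb.append("&").append(OAuthConstants.STATE).append("=").append(HttpUtils.urlEncode(stateParam));
    }
    final String clientId = state.getClientId();
    // client_id is only echoed when configured; a null id is skipped instead of being written as "null"
    if (reportClientId && clientId != null) {
        sb.append("&").append(OAuthConstants.CLIENT_ID).append("=").append(HttpUtils.urlEncode(clientId));
    }
}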
/**
 * Builds the registration record from which an authorization code grant is created.
 * <p>
 * The client, the subject and the scopes come from the arguments; redirect URI, response
 * type, audience, nonce, client code challenge and the extra properties are copied from the
 * redirection state.
 *
 * @param state              the redirection state of the current authorization request
 * @param client             the registered client the code is issued to
 * @param requestedScope     the scopes the client asked for
 * @param approvedScope      the scopes the end user approved
 * @param userSubject        the authenticated end user
 * @param preauthorizedToken an existing token for this client and user, or {@code null}
 * @return a populated, not yet persisted, code registration
 */
protected AuthorizationCodeRegistration createCodeRegistration(OAuthRedirectionState state, Client client, List<String> requestedScope, List<String> approvedScope, UserSubject userSubject, ServerAccessToken preauthorizedToken) {
    final AuthorizationCodeRegistration registration = new AuthorizationCodeRegistration();
    // parties and scopes
    registration.setClient(client);
    registration.setSubject(userSubject);
    registration.setRequestedScope(requestedScope);
    registration.setApprovedScope(getApprovedScope(requestedScope, approvedScope));
    // only the presence of a pre-authorized token is recorded, not the token itself
    registration.setPreauthorizedTokenAvailable(preauthorizedToken != null);
    // values carried over from the redirection state
    registration.setRedirectUri(state.getRedirectUri());
    registration.setResponseType(state.getResponseType());
    registration.setAudience(state.getAudience());
    registration.setNonce(state.getNonce());
    registration.setClientCodeChallenge(state.getClientCodeChallenge());
    registration.getExtraProperties().putAll(state.getExtraProperties());
    return registration;
}
protected String processCodeGrant(Client client, String code, UserSubject endUser) {
/**
 * Prepares the form-post response for the implicit flow.
 * <p>
 * Response types that return an access token are delegated to the superclass. Otherwise the
 * request is treated as an {@code id_token}-only request and a {@link FormIdTokenResponse}
 * is built. {@link #getProcessedIdToken} can return {@code null} (no stored id token, no
 * provider and a non-OIDC subject); in that case the response carries no id token.
 *
 * @param state              the redirection state of the current authorization request
 * @param client             the registered client
 * @param requestedScope     the scopes the client asked for
 * @param approvedScope      the scopes the end user approved
 * @param userSubject        the authenticated end user
 * @param preAuthorizedToken an existing token for this client and user, or {@code null}
 * @return the form response to render
 */
@Override
protected AbstractFormImplicitResponse prepareFormResponse(OAuthRedirectionState state, Client client, List<String> requestedScope, List<String> approvedScope, UserSubject userSubject, ServerAccessToken preAuthorizedToken) {
    if (!canAccessTokenBeReturned(state.getResponseType())) {
        // id_token-only response type
        final List<String> scopes = getApprovedScope(requestedScope, approvedScope);
        final String processedIdToken = getProcessedIdToken(state, userSubject, scopes);
        final FormIdTokenResponse idTokenResponse = new FormIdTokenResponse();
        idTokenResponse.setIdToken(processedIdToken);
        idTokenResponse.setResponseType(state.getResponseType());
        idTokenResponse.setRedirectUri(state.getRedirectUri());
        idTokenResponse.setState(state.getState());
        return idTokenResponse;
    }
    return super.prepareFormResponse(state, client, requestedScope, approvedScope, userSubject, preAuthorizedToken);
}
/**
 * Builds the registration record from which an access token is created.
 * <p>
 * The grant type is taken from the superclass implementation of
 * {@code getSupportedGrantType()} (called explicitly, so an override in this class is
 * bypassed). Response type, audience, nonce and extra properties are copied from the
 * redirection state.
 * NOTE(review): the audience list is built with {@code Collections.singletonList}, so a
 * {@code null} audience in the state produces a one-element list containing {@code null}
 * rather than an empty list — confirm that this is what the data provider expects.
 *
 * @param state          the redirection state of the current authorization request
 * @param client         the registered client the token is issued to
 * @param requestedScope the scopes the client asked for
 * @param approvedScope  the scopes the end user approved
 * @param userSubject    the authenticated end user
 * @return a populated, not yet persisted, token registration
 */
protected AccessTokenRegistration createTokenRegistration(OAuthRedirectionState state, Client client, List<String> requestedScope, List<String> approvedScope, UserSubject userSubject) {
    final AccessTokenRegistration registration = new AccessTokenRegistration();
    registration.setClient(client);
    registration.setSubject(userSubject);
    registration.setGrantType(super.getSupportedGrantType());
    registration.setRequestedScope(requestedScope);
    registration.setApprovedScope(getApprovedScope(requestedScope, approvedScope));
    // values carried over from the redirection state
    registration.setResponseType(state.getResponseType());
    registration.setAudiences(Collections.singletonList(state.getAudience()));
    registration.setNonce(state.getNonce());
    registration.getExtraProperties().putAll(state.getExtraProperties());
    return registration;
}
protected void finalizeResponse(StringBuilder sb, OAuthRedirectionState state) {
preauthorizedToken); } catch (OAuthServiceException ex) { return createErrorResponse(state.getState(), state.getRedirectUri(), OAuthConstants.ACCESS_DENIED); if (state.getRedirectUri() == null) { OOBAuthorizationResponse bean = new OOBAuthorizationResponse(); bean.setClientId(client.getClientId()); bean.setAuthorizationCode(grantCode); bean.setExpiresIn(grant.getExpiresIn()); bean.setState(state.getState()); bean.setRedirectUri(state.getRedirectUri()); return createHtmlResponse(bean); } else { UriBuilder ub = getRedirectUriBuilder(state.getState(), state.getRedirectUri()); ub.queryParam(OAuthConstants.AUTHORIZATION_CODE_VALUE, grantCode); return Response.seeOther(ub.build()).build();
Client client = getClient(state.getClientId(), params); String redirectUri = validateRedirectUri(client, state.getRedirectUri()); List<String> requestedScope = OAuthUtils.parseScope(state.getProposedScope()); List<String> approvedScope = new LinkedList<>(); for (String rScope : requestedScope) {
/**
 * Prepares the fragment-based redirect response for the implicit flow.
 * <p>
 * Response types that return an access token are delegated to the superclass. Otherwise the
 * request is treated as an {@code id_token}-only request: the id token is written as a
 * fragment parameter of the redirect URI and {@link #finalizeResponse} adds the trailing
 * parameters. When {@link #getProcessedIdToken} yields {@code null}, nothing but what
 * {@code finalizeResponse} appends ends up in the fragment.
 *
 * @param state              the redirection state of the current authorization request
 * @param client             the registered client
 * @param requestedScope     the scopes the client asked for
 * @param approvedScope      the scopes the end user approved
 * @param userSubject        the authenticated end user
 * @param preAuthorizedToken an existing token for this client and user, or {@code null}
 * @return the redirect URI, including its fragment, under construction
 */
@Override
protected StringBuilder prepareRedirectResponse(OAuthRedirectionState state, Client client, List<String> requestedScope, List<String> approvedScope, UserSubject userSubject, ServerAccessToken preAuthorizedToken) {
    if (!canAccessTokenBeReturned(state.getResponseType())) {
        // id_token-only response type
        final StringBuilder fragment = getUriWithFragment(state.getRedirectUri());
        final List<String> scopes = getApprovedScope(requestedScope, approvedScope);
        final String processedIdToken = getProcessedIdToken(state, userSubject, scopes);
        if (processedIdToken != null) {
            // the token is written as-is; presumably it is a compact JWT, which is URL-safe
            fragment.append(OidcUtils.ID_TOKEN).append("=").append(processedIdToken);
        }
        finalizeResponse(fragment, state);
        return fragment;
    }
    return super.prepareRedirectResponse(state, client, requestedScope, approvedScope, userSubject, preAuthorizedToken);
}
/**
 * Tells whether the client asked for the form-post response mode.
 *
 * @param state the redirection state; its extra properties are expected to carry the
 *              {@code response_mode} value when the client supplied one
 * @return {@code true} only when the stored response mode equals the form response mode;
 *         an absent mode yields {@code false}
 */
protected boolean isFormResponse(OAuthRedirectionState state) {
    final Object responseMode = state.getExtraProperties().get(OAuthConstants.RESPONSE_MODE);
    // constant-first equals so that a missing response_mode is handled without a null check
    return OAuthConstants.FORM_RESPONSE_MODE.equals(responseMode);
}
protected String getSupportedGrantType() {
/**
 * Obtains the access token to hand back to the client, either by reusing the
 * pre-authorized token or by creating a new one through the data provider.
 * <p>
 * When a pre-authorized token is reused and the request carried a nonce, the nonce is stored
 * on the current message exchange; the new-token path leaves that to
 * {@link #createTokenRegistration}, which copies the nonce into the registration.
 *
 * @param state              the redirection state of the current authorization request
 * @param client             the registered client
 * @param requestedScope     the scopes the client asked for
 * @param approvedScope      the scopes the end user approved
 * @param userSubject        the authenticated end user
 * @param preAuthorizedToken an existing token for this client and user, or {@code null}
 * @return the client-facing representation of the token, after
 *         {@link #processClientAccessToken} has been applied
 */
protected ClientAccessToken getClientAccessToken(OAuthRedirectionState state, Client client, List<String> requestedScope, List<String> approvedScope, UserSubject userSubject, ServerAccessToken preAuthorizedToken) {
    final ServerAccessToken serverToken;
    if (preAuthorizedToken != null) {
        serverToken = preAuthorizedToken;
        final String nonce = state.getNonce();
        if (nonce != null) {
            JAXRSUtils.getCurrentMessage().getExchange().put(OAuthConstants.NONCE, nonce);
        }
    } else {
        final AccessTokenRegistration registration =
            createTokenRegistration(state, client, requestedScope, approvedScope, userSubject);
        serverToken = getDataProvider().createAccessToken(registration);
    }
    final ClientAccessToken clientToken = OAuthUtils.toClientAccessToken(serverToken, isWriteOptionalParameters());
    processClientAccessToken(clientToken, serverToken);
    return clientToken;
}
/**
 * Creates the authorization code part of a hybrid-flow response.
 * <p>
 * A code is only issued when the response type starts with the code response type; the
 * issued code value is also stored on the current message exchange.
 *
 * @param state              the redirection state of the current authorization request
 * @param client             the registered client
 * @param requestedScope     the scopes the client asked for
 * @param approvedScope      the scopes the end user approved
 * @param userSubject        the authenticated end user
 * @param preAuthorizedToken an existing token for this client and user, or {@code null}
 * @return the code grant, or {@code null} when the response type does not ask for a code
 */
protected ServerAuthorizationCodeGrant prepareHybrideCode(OAuthRedirectionState state, Client client, List<String> requestedScope, List<String> approvedScope, UserSubject userSubject, ServerAccessToken preAuthorizedToken) {
    final String responseType = state.getResponseType();
    if (responseType == null || !responseType.startsWith(OAuthConstants.CODE_RESPONSE_TYPE)) {
        return null;
    }
    final ServerAuthorizationCodeGrant grant = codeService.getGrantRepresentation(
        state, client, requestedScope, approvedScope, userSubject, preAuthorizedToken);
    // make the code value available to later processing on the same exchange
    JAXRSUtils.getCurrentMessage().getExchange().put(OAuthConstants.AUTHORIZATION_CODE_VALUE, grant.getCode());
    return grant;
}
/**
 * Resolves the id token to return for the current request.
 * <p>
 * Three sources are tried in order: an id token already stored in the subject's properties
 * (returned verbatim, without going through {@link #processIdToken}), the configured
 * {@code idTokenProvider}, and finally the id token carried by an {@link OidcUserSubject},
 * whose audience and authorized party are set to the client id before processing.
 *
 * @param state   the redirection state; supplies the client id
 * @param subject the authenticated end user
 * @param scopes  the approved scopes passed to the id token provider
 * @return the processed id token, or {@code null} when none of the three sources applies
 */
private String getProcessedIdToken(OAuthRedirectionState state, UserSubject subject, List<String> scopes) {
    if (subject.getProperties().containsKey(OidcUtils.ID_TOKEN)) {
        // a stored token is handed back as-is: no audience/nonce processing is applied here
        return subject.getProperties().get(OidcUtils.ID_TOKEN);
    }
    if (idTokenProvider != null) {
        final IdToken providedToken = idTokenProvider.getIdToken(state.getClientId(), subject, scopes);
        return processIdToken(state, providedToken);
    }
    if (!(subject instanceof OidcUserSubject)) {
        return null;
    }
    final OidcUserSubject oidcSubject = (OidcUserSubject) subject;
    final IdToken subjectToken = new IdToken(oidcSubject.getIdToken());
    subjectToken.setAudience(state.getClientId());
    subjectToken.setAuthorizedParty(state.getClientId());
    return processIdToken(state, subjectToken);
}
/**
 * Prepares the fragment-based redirect response carrying the access token.
 * <p>
 * The token key and token type are always written; expiry, approved scope and any extra
 * token parameters only when optional parameters are enabled; a refresh token is delegated
 * to {@link #processRefreshToken}; {@link #finalizeResponse} adds the trailing parameters.
 * NOTE(review): scope and the extra parameters are query-encoded, while the token key, token
 * type and expiry are appended unencoded — presumably because they are URL-safe by
 * construction; verify this holds for custom token formats.
 *
 * @param state              the redirection state of the current authorization request
 * @param client             the registered client
 * @param requestedScope     the scopes the client asked for
 * @param approvedScope      the scopes the end user approved
 * @param userSubject        the authenticated end user
 * @param preAuthorizedToken an existing token for this client and user, or {@code null}
 * @return the redirect URI, including its fragment, under construction
 */
protected StringBuilder prepareRedirectResponse(OAuthRedirectionState state, Client client, List<String> requestedScope, List<String> approvedScope, UserSubject userSubject, ServerAccessToken preAuthorizedToken) {
    final ClientAccessToken clientToken =
        getClientAccessToken(state, client, requestedScope, approvedScope, userSubject, preAuthorizedToken);
    // the token travels in the URI fragment, never in the query part
    final StringBuilder fragment = getUriWithFragment(state.getRedirectUri());
    fragment.append(OAuthConstants.ACCESS_TOKEN).append("=").append(clientToken.getTokenKey());
    fragment.append("&").append(OAuthConstants.ACCESS_TOKEN_TYPE).append("=").append(clientToken.getTokenType());
    if (isWriteOptionalParameters()) {
        fragment.append("&").append(OAuthConstants.ACCESS_TOKEN_EXPIRES_IN)
            .append("=").append(clientToken.getExpiresIn());
        final String scope = clientToken.getApprovedScope();
        if (!StringUtils.isEmpty(scope)) {
            fragment.append("&").append(OAuthConstants.SCOPE).append("=").append(HttpUtils.queryEncode(scope));
        }
        for (Map.Entry<String, String> extra : clientToken.getParameters().entrySet()) {
            fragment.append("&").append(extra.getKey()).append("=").append(HttpUtils.queryEncode(extra.getValue()));
        }
    }
    final String refreshToken = clientToken.getRefreshToken();
    if (refreshToken != null) {
        processRefreshToken(fragment, refreshToken);
    }
    finalizeResponse(fragment, state);
    return fragment;
}
/**
 * Builds the registration record from which an authorization code grant is created.
 * <p>
 * The client, the subject and the scopes come from the arguments; redirect URI, response
 * type, audience, nonce, client code challenge and the extra properties are copied from the
 * redirection state.
 *
 * @param state              the redirection state of the current authorization request
 * @param client             the registered client the code is issued to
 * @param requestedScope     the scopes the client asked for
 * @param approvedScope      the scopes the end user approved
 * @param userSubject        the authenticated end user
 * @param preauthorizedToken an existing token for this client and user, or {@code null}
 * @return a populated, not yet persisted, code registration
 */
protected AuthorizationCodeRegistration createCodeRegistration(OAuthRedirectionState state, Client client, List<String> requestedScope, List<String> approvedScope, UserSubject userSubject, ServerAccessToken preauthorizedToken) {
    final AuthorizationCodeRegistration registration = new AuthorizationCodeRegistration();
    // parties and scopes
    registration.setClient(client);
    registration.setSubject(userSubject);
    registration.setRequestedScope(requestedScope);
    registration.setApprovedScope(getApprovedScope(requestedScope, approvedScope));
    // only the presence of a pre-authorized token is recorded, not the token itself
    registration.setPreauthorizedTokenAvailable(preauthorizedToken != null);
    // values carried over from the redirection state
    registration.setRedirectUri(state.getRedirectUri());
    registration.setResponseType(state.getResponseType());
    registration.setAudience(state.getAudience());
    registration.setNonce(state.getNonce());
    registration.setClientCodeChallenge(state.getClientCodeChallenge());
    registration.getExtraProperties().putAll(state.getExtraProperties());
    return registration;
}
protected String processCodeGrant(Client client, String code, UserSubject endUser) {
/**
 * Prepares the form-post response for the implicit flow.
 * <p>
 * Response types that return an access token are delegated to the superclass. Otherwise the
 * request is treated as an {@code id_token}-only request and a {@link FormIdTokenResponse}
 * is built. {@link #getProcessedIdToken} can return {@code null} (no stored id token, no
 * provider and a non-OIDC subject); in that case the response carries no id token.
 *
 * @param state              the redirection state of the current authorization request
 * @param client             the registered client
 * @param requestedScope     the scopes the client asked for
 * @param approvedScope      the scopes the end user approved
 * @param userSubject        the authenticated end user
 * @param preAuthorizedToken an existing token for this client and user, or {@code null}
 * @return the form response to render
 */
@Override
protected AbstractFormImplicitResponse prepareFormResponse(OAuthRedirectionState state, Client client, List<String> requestedScope, List<String> approvedScope, UserSubject userSubject, ServerAccessToken preAuthorizedToken) {
    if (!canAccessTokenBeReturned(state.getResponseType())) {
        // id_token-only response type
        final List<String> scopes = getApprovedScope(requestedScope, approvedScope);
        final String processedIdToken = getProcessedIdToken(state, userSubject, scopes);
        final FormIdTokenResponse idTokenResponse = new FormIdTokenResponse();
        idTokenResponse.setIdToken(processedIdToken);
        idTokenResponse.setResponseType(state.getResponseType());
        idTokenResponse.setRedirectUri(state.getRedirectUri());
        idTokenResponse.setState(state.getState());
        return idTokenResponse;
    }
    return super.prepareFormResponse(state, client, requestedScope, approvedScope, userSubject, preAuthorizedToken);
}
/**
 * Builds the registration record from which an access token is created.
 * <p>
 * The grant type is taken from the superclass implementation of
 * {@code getSupportedGrantType()} (called explicitly, so an override in this class is
 * bypassed). Response type, audience, nonce and extra properties are copied from the
 * redirection state.
 * NOTE(review): the audience list is built with {@code Collections.singletonList}, so a
 * {@code null} audience in the state produces a one-element list containing {@code null}
 * rather than an empty list — confirm that this is what the data provider expects.
 *
 * @param state          the redirection state of the current authorization request
 * @param client         the registered client the token is issued to
 * @param requestedScope the scopes the client asked for
 * @param approvedScope  the scopes the end user approved
 * @param userSubject    the authenticated end user
 * @return a populated, not yet persisted, token registration
 */
protected AccessTokenRegistration createTokenRegistration(OAuthRedirectionState state, Client client, List<String> requestedScope, List<String> approvedScope, UserSubject userSubject) {
    final AccessTokenRegistration registration = new AccessTokenRegistration();
    registration.setClient(client);
    registration.setSubject(userSubject);
    registration.setGrantType(super.getSupportedGrantType());
    registration.setRequestedScope(requestedScope);
    registration.setApprovedScope(getApprovedScope(requestedScope, approvedScope));
    // values carried over from the redirection state
    registration.setResponseType(state.getResponseType());
    registration.setAudiences(Collections.singletonList(state.getAudience()));
    registration.setNonce(state.getNonce());
    registration.getExtraProperties().putAll(state.getExtraProperties());
    return registration;
}
protected void finalizeResponse(StringBuilder sb, OAuthRedirectionState state) {
preauthorizedToken); } catch (OAuthServiceException ex) { return createErrorResponse(state.getState(), state.getRedirectUri(), OAuthConstants.ACCESS_DENIED); if (state.getRedirectUri() == null) { OOBAuthorizationResponse bean = new OOBAuthorizationResponse(); bean.setClientId(client.getClientId()); bean.setAuthorizationCode(grantCode); bean.setExpiresIn(grant.getExpiresIn()); bean.setState(state.getState()); bean.setRedirectUri(state.getRedirectUri()); return createHtmlResponse(bean); } else { UriBuilder ub = getRedirectUriBuilder(state.getState(), state.getRedirectUri()); ub.queryParam(OAuthConstants.AUTHORIZATION_CODE_VALUE, grantCode); return Response.seeOther(ub.build()).build();
Client client = getClient(state.getClientId(), params); String redirectUri = validateRedirectUri(client, state.getRedirectUri()); List<String> requestedScope = OAuthUtils.parseScope(state.getProposedScope()); List<String> approvedScope = new LinkedList<>(); for (String rScope : requestedScope) {
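/**
 * Appends the trailing {@code state} and, when enabled, {@code client_id} parameters to the
 * redirect response being built.
 * <p>
 * Both values are URL-encoded before they are written, so that characters such as
 * {@code &}, {@code =} or {@code #} in them cannot spill into a neighbouring parameter.
 * The client id is encoded the same way as the state value for consistency.
 *
 * @param sb    the response buffer; every parameter written here is prefixed with {@code &},
 *              so the caller is expected to have written at least one parameter already
 * @param state the redirection state carrying the {@code state} and {@code client_id} values
 */
protected void finalizeResponse(StringBuilder sb, OAuthRedirectionState state) {
    final String stateParam = state.getState();
    if (stateParam != null) {
        sb.append("&").append(OAuthConstants.STATE).append("=").append(HttpUtils.urlEncode(stateParam));
    }
    final String clientId = state.getClientId();
    // client_id is only echoed when configured; a null id is skipped instead of being written as "null"
    if (reportClientId && clientId != null) {
        sb.append("&").append(OAuthConstants.CLIENT_ID).append("=").append(HttpUtils.urlEncode(clientId));
    }
}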