/**
 * Builds a read-only snapshot of an {@link AuthorizationRequest}, keyed by the OAuth2
 * parameter names where one exists ({@code client_id}, {@code state}, {@code redirect_uri},
 * {@code response_type}, {@code scope}) and by plain names otherwise ({@code approved},
 * {@code resourceIds}, {@code authorities}).
 *
 * <p>Scalar fields are stored even when {@code null}. Collection-valued fields are copied
 * into unmodifiable sets and are omitted entirely when the request holds {@code null}, so
 * the returned map can never be used to mutate the request and vice versa.
 *
 * @param authorizationRequest the request to snapshot
 * @return an unmodifiable map of the request's fields
 */
Map<String, Object> unmodifiableMap(AuthorizationRequest authorizationRequest) {
    Map<String, Object> snapshot = new HashMap<String, Object>();

    snapshot.put(OAuth2Utils.CLIENT_ID, authorizationRequest.getClientId());
    snapshot.put(OAuth2Utils.STATE, authorizationRequest.getState());
    snapshot.put(OAuth2Utils.REDIRECT_URI, authorizationRequest.getRedirectUri());

    // Every collection is copied before being frozen: later changes to the request
    // (e.g. setScope after approval) must not show through the returned view.
    Set<String> responseTypes = authorizationRequest.getResponseTypes();
    if (responseTypes != null) {
        snapshot.put(OAuth2Utils.RESPONSE_TYPE,
                Collections.unmodifiableSet(new HashSet<String>(responseTypes)));
    }

    Set<String> scope = authorizationRequest.getScope();
    if (scope != null) {
        snapshot.put(OAuth2Utils.SCOPE, Collections.unmodifiableSet(new HashSet<String>(scope)));
    }

    snapshot.put("approved", authorizationRequest.isApproved());

    Set<String> resourceIds = authorizationRequest.getResourceIds();
    if (resourceIds != null) {
        snapshot.put("resourceIds", Collections.unmodifiableSet(new HashSet<String>(resourceIds)));
    }

    if (authorizationRequest.getAuthorities() != null) {
        snapshot.put("authorities", Collections.unmodifiableSet(
                new HashSet<GrantedAuthority>(authorizationRequest.getAuthorities())));
    }

    return Collections.unmodifiableMap(snapshot);
}
Authentication userAuthentication) { Set<String> requestedScopes = authorizationRequest.getScope(); Set<String> approvedScopes = new HashSet<String>(); Set<Approval> approvals = new HashSet<Approval>(); Map<String, String> approvalParameters = authorizationRequest.getApprovalParameters(); for (String requestedScope : requestedScopes) { String approvalParameter = scopePrefix + requestedScope; if ("true".equals(value) || value.startsWith("approve")) { approvedScopes.add(requestedScope); approvals.add(new Approval(userAuthentication.getName(), authorizationRequest.getClientId(), requestedScope, expiry, ApprovalStatus.APPROVED)); approvals.add(new Approval(userAuthentication.getName(), authorizationRequest.getClientId(), requestedScope, expiry, ApprovalStatus.DENIED)); authorizationRequest.setScope(approvedScopes); if (approvedScopes.isEmpty() && !requestedScopes.isEmpty()) { approved = false; approved = true; authorizationRequest.setApproved(approved); return authorizationRequest;
/**
 * Builds a {@code refresh_token} {@link TokenRequest} for {@code CLIENT_ID}, using the
 * scopes and resource ids held by {@code tokenSupport}.
 *
 * <p>The supplied parameters are installed on a fresh {@link AuthorizationRequest}, then
 * re-read and copied so that {@code grant_type} can be forced to
 * {@code GRANT_TYPE_REFRESH_TOKEN} without touching the caller's map.
 *
 * @param requestParameters base request parameters; not modified
 * @return the token request produced by {@code tokenSupport.requestFactory}
 */
private TokenRequest getRefreshTokenRequest(Map<String, String> requestParameters) {
    AuthorizationRequest refreshRequest =
            new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes);
    refreshRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds));
    refreshRequest.setRequestParameters(requestParameters);

    // Copy what the request now exposes and override only the grant type.
    Map<String, String> withRefreshGrant = new HashMap<>(refreshRequest.getRequestParameters());
    withRefreshGrant.put(GRANT_TYPE, GRANT_TYPE_REFRESH_TOKEN);
    refreshRequest.setRequestParameters(withRefreshGrant);

    return tokenSupport.requestFactory.createTokenRequest(refreshRequest, "refresh_token");
}
/**
 * Converts this authorization request into an immutable {@link OAuth2Request}.
 *
 * <p>Every field is passed straight through to the {@code OAuth2Request} constructor;
 * nothing is filtered or defaulted here, so callers are expected to have finished
 * validation and approval (in particular {@code isApproved()} and the approved
 * {@code scope}) before calling this.
 *
 * @return a new {@code OAuth2Request} carrying this request's current state
 */
public OAuth2Request createOAuth2Request() {
    return new OAuth2Request(
            getRequestParameters(), // raw incoming parameters
            getClientId(),
            getAuthorities(),
            isApproved(),
            getScope(),             // the scope as it stands now, i.e. after any narrowing
            getResourceIds(),
            getRedirectUri(),
            getResponseTypes(),
            getExtensions());
}
/**
 * Derives a {@link TokenRequest} from an {@link AuthorizationRequest}.
 *
 * <p>Only the request parameters, client id and scope are carried over; the grant type
 * comes from the caller rather than from the request parameters.
 *
 * @param authorizationRequest source of parameters, client id and scope
 * @param grantType the grant type to record on the token request
 * @return a new token request
 */
public TokenRequest createTokenRequest(AuthorizationRequest authorizationRequest, String grantType) {
    return new TokenRequest(
            authorizationRequest.getRequestParameters(),
            authorizationRequest.getClientId(),
            authorizationRequest.getScope(),
            grantType);
}
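/**
 * Records the user's approval decision on the request.
 *
 * <p>The request is marked approved only when the approval parameter named by the
 * {@code approvalParameter} field is present and equals {@code "true"} ignoring case.
 * Any other value, including an absent parameter, leaves the request denied, so the
 * default outcome is "not approved".
 *
 * @param authorizationRequest the request whose approval flag is updated in place
 * @param userAuthentication the approving user; not consulted by this implementation
 * @return the same {@code authorizationRequest} instance, with its approved flag set
 */
@Override
public AuthorizationRequest updateAfterApproval(AuthorizationRequest authorizationRequest,
        Authentication userAuthentication) {
    Map<String, String> approvalParameters = authorizationRequest.getApprovalParameters();
    String flag = approvalParameters.get(approvalParameter);
    // Boolean.parseBoolean is null-safe and compares case-insensitively without going
    // through the default locale, unlike toLowerCase().equals("true").
    boolean approved = Boolean.parseBoolean(flag);
    authorizationRequest.setApproved(approved);
    return authorizationRequest;
}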
if (request.getClientId() == null) { request.setClientId(signedJwt.getJWTClaimsSet().getStringClaim(CLIENT_ID)); ClientDetailsEntity client = clientDetailsService.loadClientByClientId(request.getClientId()); throw new InvalidClientException("Client not found: " + request.getClientId()); if (request.getClientId() == null) { request.setClientId(plainJwt.getJWTClaimsSet().getStringClaim(CLIENT_ID)); ClientDetailsEntity client = clientDetailsService.loadClientByClientId(request.getClientId()); throw new InvalidClientException("Client not found: " + request.getClientId()); if (request.getClientId() == null) { request.setClientId(encryptedJWT.getJWTClaimsSet().getStringClaim(CLIENT_ID)); ClientDetailsEntity client = clientDetailsService.loadClientByClientId(request.getClientId()); throw new InvalidClientException("Client not found: " + request.getClientId()); if (!responseTypes.equals(request.getResponseTypes())) { logger.info("Mismatch between request object and regular parameter for response_type, using request object"); request.setResponseTypes(responseTypes); if (!redirectUri.equals(request.getRedirectUri())) { logger.info("Mismatch between request object and regular parameter for redirect_uri, using request object");
Set<String> responseTypes = authorizationRequest.getResponseTypes(); if (authorizationRequest.getClientId() == null) { throw new InvalidClientException("A client id must be provided"); ClientDetails client = getClientDetailsService().loadClientByClientId(authorizationRequest.getClientId()); String redirectUriParameter = authorizationRequest.getRequestParameters().get(OAuth2Utils.REDIRECT_URI); String resolvedRedirect = redirectResolver.resolveRedirect(redirectUriParameter, client); if (!StringUtils.hasText(resolvedRedirect)) { "A redirectUri must be either supplied or preconfigured in the ClientDetails"); authorizationRequest.setRedirectUri(resolvedRedirect); authorizationRequest.setApproved(approved); if (authorizationRequest.isApproved()) { if (responseTypes.contains("token")) { return getImplicitGrantResponse(authorizationRequest);
if (!Strings.isNullOrEmpty(authRequest.getClientId())) { client = clientService.loadClientByClientId(authRequest.getClientId()); String loginHint = loginHintExtracter.extractHint((String) authRequest.getExtensions().get(LOGIN_HINT)); if (!Strings.isNullOrEmpty(loginHint)) { session.setAttribute(LOGIN_HINT, loginHint); if (authRequest.getExtensions().get(PROMPT) != null) { String prompt = (String)authRequest.getExtensions().get(PROMPT); List<String> prompts = Splitter.on(PROMPT_SEPARATOR).splitToList(Strings.nullToEmpty(prompt)); logger.info("Client requested no prompt"); if (client != null && authRequest.getRedirectUri() != null) { String url = redirectResolver.resolveRedirect(authRequest.getRedirectUri(), client); if (!Strings.isNullOrEmpty(authRequest.getState())) { uriBuilder.addParameter(STATE, authRequest.getState()); // copy the state parameter if one was given } else if (authRequest.getExtensions().get(MAX_AGE) != null || (client != null && client.getDefaultMaxAge() != null)) { String maxAge = (String) authRequest.getExtensions().get(MAX_AGE); if (maxAge != null) { max = Integer.parseInt(maxAge);
/**
 * Describes the wrapped {@code authorizationRequest} for logging.
 *
 * <p>Only selected fields are included: client id, redirect URI, raw request parameters,
 * the extension values (not keys), scope, state and response types. Note that the request
 * parameters are printed verbatim, so anything sensitive they carry ends up in the log.
 *
 * @return a Guava-style {@code ClassName{key=value, ...}} rendering
 */
@Override
public String toString() {
    MoreObjects.ToStringHelper helper = MoreObjects.toStringHelper(this);
    helper.add("authorizationRequestClientId", authorizationRequest.getClientId());
    helper.add("authorizationRequestRedirectUri", authorizationRequest.getRedirectUri());
    helper.add("authorizationRequestRequestParameters", authorizationRequest.getRequestParameters());
    helper.add("authorizationRequestExtensions", authorizationRequest.getExtensions().values());
    helper.add("authorizationRequestScope", authorizationRequest.getScope());
    helper.add("authorizationRequestState", authorizationRequest.getState());
    helper.add("authorizationRequestResponseTypes", authorizationRequest.getResponseTypes());
    return helper.toString();
}
String clientId = authorizationRequest.getClientId(); Set<String> scopes = authorizationRequest.getScope(); if (clientDetailsService!=null) { try { authorizationRequest.setApproved(true); return authorizationRequest; authorizationRequest.setApproved(approved);
String clientId = authorizationRequest.getClientId(); ClientDetails client = clientDetailsService.loadClientByClientId(clientId); if (Boolean.parseBoolean(authorizationRequest.getApprovalParameters().get("user_oauth_approval"))) { authorizationRequest.setApproved(true); Map<String,String> approvalParams = authorizationRequest.getApprovalParameters(); authorizationRequest.setScope(allowedScopes); String remember = authorizationRequest.getApprovalParameters().get("remember"); if (!Strings.isNullOrEmpty(remember) && !remember.equals("none")) { authorizationRequest.getExtensions().put(APPROVED_SITE, newSiteId);
Set<String> responseTypes = authorizationRequest.getResponseTypes(); authorizationRequest.setApprovalParameters(approvalParameters); authorizationRequest = userApprovalHandler.updateAfterApproval(authorizationRequest, (Authentication) principal); boolean approved = userApprovalHandler.isApproved(authorizationRequest, (Authentication) principal); authorizationRequest.setApproved(approved); if (authorizationRequest.getRedirectUri() == null) { sessionStatus.setComplete(); throw new InvalidRequestException("Cannot approve request when no redirect URI is provided."); if (!authorizationRequest.isApproved()) { return new RedirectView(getUnsuccessfulRedirect(authorizationRequest, new UserDeniedAuthorizationException("User denied access"), responseTypes.contains("token")),
ArrayList<String> scopes = (ArrayList<String>) claims.get(SCOPE); AuthorizationRequest authorizationRequest = new AuthorizationRequest((String) claims.get(CLIENT_ID), scopes); authorizationRequest.setResourceIds(resourceIds); authorizationRequest.setApproved(true); userAuthentication = new UaaAuthentication(principal, UaaAuthority.USER_AUTHORITIES, null); } else { authorizationRequest.setAuthorities(authorities); authorizationRequest.createOAuth2Request(), userAuthentication); authentication.setAuthenticated(true);
Authentication authUser) { String requestedRedirect = authorizationRequest.getRedirectUri(); if (accessToken == null) { throw new InvalidRequestException("An implicit grant could not be made"); if (authorizationRequest.getResponseTypes().contains("token")) { url.append("&access_token=").append(encode(accessToken.getValue())); authorizationRequest.getResponseTypes().contains(CompositeToken.ID_TOKEN)) { url.append("&").append(CompositeToken.ID_TOKEN).append("=").append(encode(((CompositeToken) accessToken).getIdTokenValue())); if (authorizationRequest.getResponseTypes().contains("code")) { String code = generateCode(authorizationRequest, authUser); url.append("&code=").append(encode(code)); String state = authorizationRequest.getState(); if (state != null) { url.append("&state=").append(encode(state)); String originalScope = authorizationRequest.getRequestParameters().get(OAuth2Utils.SCOPE); if (originalScope == null || !OAuth2Utils.parseParameterList(originalScope).equals(accessToken.getScope())) { url.append("&" + OAuth2Utils.SCOPE + "=").append(encode(OAuth2Utils.formatParameterList(accessToken.getScope()))); if ("none".equals(authorizationRequest.getRequestParameters().get("prompt"))) { HttpHost httpHost = URIUtils.extractHost(URI.create(requestedRedirect)); String sessionState = openIdSessionStateCalculator.calculate(((UaaPrincipal) authUser.getPrincipal()).getId(), authorizationRequest.getClientId(), httpHost.toURI());
/**
 * Reports an authorization-endpoint failure either on the local error page or as an
 * error redirect back to the client.
 *
 * <p>The exception is translated to an {@link OAuth2Exception} and its HTTP status written
 * to the response first. Client-authentication and redirect-mismatch failures always land
 * on {@code errorPage}: the client or its redirect URI could not be validated, so no
 * redirect is attempted. For anything else the request is rebuilt from {@code webRequest},
 * its redirect URI is resolved against the registered client, and the error is sent there.
 *
 * @param e the failure to report
 * @param webRequest the current request; its response status is set here
 * @return the view to render
 * @throws Exception any failure while rebuilding the request that is not an
 *     {@link OAuth2Exception}; such failures are left to become a standard 500
 */
private ModelAndView handleException(Exception e, ServletWebRequest webRequest) throws Exception {
    ResponseEntity<OAuth2Exception> translated = getExceptionTranslator().translate(e);
    webRequest.getResponse().setStatus(translated.getStatusCode().value());

    ModelAndView errorPageView =
            new ModelAndView(errorPage, Collections.singletonMap("error", translated.getBody()));

    boolean untrustedClientOrRedirect =
            e instanceof ClientAuthenticationException || e instanceof RedirectMismatchException;
    if (untrustedClientOrRedirect) {
        return errorPageView;
    }

    try {
        AuthorizationRequest authorizationRequest = getAuthorizationRequestForError(webRequest);
        String requestedRedirectParam =
                authorizationRequest.getRequestParameters().get(OAuth2Utils.REDIRECT_URI);
        // Resolve against the registered client instead of trusting the raw parameter, so the
        // error can only be redirected to a URI the client is allowed to receive.
        String requestedRedirect = redirectResolver.resolveRedirect(requestedRedirectParam,
                getClientDetailsService().loadClientByClientId(authorizationRequest.getClientId()));
        authorizationRequest.setRedirectUri(requestedRedirect);

        boolean tokenResponseType = authorizationRequest.getResponseTypes().contains("token");
        String redirect = getUnsuccessfulRedirect(authorizationRequest, translated.getBody(), tokenResponseType);
        return new ModelAndView(new RedirectView(redirect, false, true, false));
    } catch (OAuth2Exception ex) {
        // No AuthorizationRequest could be built from the incoming parameters, which is itself
        // an OAuth2 error: fall back to the local error page. Any other exception type
        // propagates and produces a standard 500 response.
        return errorPageView;
    }
}
/**
 * A request that asks for no scopes is approved regardless of which scopes the user has
 * previously approved or denied, and its scope stays empty.
 */
@Test
public void testNoRequestedScopesButSomeApprovedScopes() {
    AuthorizationRequest request = new AuthorizationRequest("foo", new HashSet<String>());
    request.setApproved(false);

    // Both stored approvals expire a week from now, so they are live for this test.
    long oneWeekMillis = 7L * 24 * 60 * 60 * 1000;
    Date nextWeek = new Date(System.currentTimeMillis() + oneWeekMillis);

    Approval readApproved = new Approval()
            .setUserId(userAuthentication.getId())
            .setClientId("foo")
            .setScope("cloud_controller.read")
            .setExpiresAt(nextWeek)
            .setStatus(APPROVED);
    approvalStore.addApproval(readApproved, IdentityZoneHolder.get().getId());

    Approval writeDenied = new Approval()
            .setUserId(userAuthentication.getId())
            .setClientId("foo")
            .setScope("cloud_controller.write")
            .setExpiresAt(nextWeek)
            .setStatus(DENIED);
    approvalStore.addApproval(writeDenied, IdentityZoneHolder.get().getId());

    // Approved because nothing was requested; the stored decisions do not widen the scope.
    assertTrue(handler.isApproved(request, userAuthentication));
    assertEquals(0, request.getScope().size());
}
/**
 * A request already flagged as approved that asks for no scopes stays approved even
 * though the user has approved nothing.
 */
@Test
public void testNoScopeApproval() {
    AuthorizationRequest emptyScopeRequest =
            new AuthorizationRequest("testclient", Collections.<String>emptySet());
    emptyScopeRequest.setApproved(true);

    // Nothing requested and nothing previously approved: the handler must still report approval.
    assertTrue(handler.isApproved(emptyScopeRequest, userAuthentication));
}
return false; if (authorizationRequest.isApproved()) { return true; String clientId = authorizationRequest.getClientId(); boolean approved = false; if (clientDetailsService != null) { ClientDetails client = clientDetailsService.loadClientByClientId(clientId, IdentityZoneHolder.get().getId()); Collection<String> requestedScopes = authorizationRequest.getScope(); if (isAutoApprove(client, requestedScopes)) { approved = true;
/**
 * Installs an OAuth2 authentication for {@code userId} (client {@code "client"}, scope
 * {@code "read"}, user name {@code "joe"}) in the security context and hands back whatever
 * was there before, so the caller can restore it afterwards.
 *
 * @param userId id of the user to authenticate as
 * @return the authentication that was in the context before this call, possibly {@code null}
 */
private Authentication authenticateAsUserAndReturnOldAuth(String userId) {
    Authentication asUser = new OAuth2Authentication(
            new AuthorizationRequest("client", Arrays.asList("read")).createOAuth2Request(),
            UaaAuthenticationTestFactory.getAuthentication(userId, "joe", "joe@test.org"));

    // Capture the previous principal before overwriting it.
    Authentication previous = SecurityContextHolder.getContext().getAuthentication();
    SecurityContextHolder.getContext().setAuthentication(asUser);
    return previous;
}