/**
 * Exchanges the refresh token carried by an existing access token for a new access token.
 *
 * @param accessTokenService client pointing at the access token endpoint
 * @param consumer client credentials used to authenticate the refresh request
 * @param at the current token; its refresh token and token type are reused
 * @param scope scope requested for the new token, handed to the grant unchanged
 * @param setAuthorizationHeader forwarded to {@code getAccessToken}
 * @return the token returned by the access token service
 * @throws OAuthServiceException propagated from {@code getAccessToken}
 */
public static ClientAccessToken refreshAccessToken(WebClient accessTokenService,
                                                   Consumer consumer,
                                                   ClientAccessToken at,
                                                   String scope,
                                                   boolean setAuthorizationHeader)
    throws OAuthServiceException {
    // NOTE(review): a null refresh token is not rejected here; at.getRefreshToken() is handed
    // to the grant as-is - confirm callers check it before calling.
    final RefreshTokenGrant refreshGrant = new RefreshTokenGrant(at.getRefreshToken(), scope);
    // the fourth argument is passed as null, as the original did; the current token type is
    // forwarded so the new token is requested with the same type
    return getAccessToken(accessTokenService, consumer, refreshGrant, null,
                          at.getTokenType(), setAuthorizationHeader);
}
/**
 * Builds the implicit-grant redirect: the client access token is written into the fragment
 * part of the client's redirect URI, so the browser keeps it out of the request sent to the
 * redirect target.
 *
 * @param state the pending authorization request (holds the redirect URI)
 * @param client the registered client
 * @param requestedScope scopes the client asked for
 * @param approvedScope scopes the user approved
 * @param userSubject the authenticated resource owner
 * @param preAuthorizedToken an already issued token to reuse, if any
 * @return builder holding the redirect URI with the token fragment appended
 */
protected StringBuilder prepareRedirectResponse(OAuthRedirectionState state,
                                                Client client,
                                                List<String> requestedScope,
                                                List<String> approvedScope,
                                                UserSubject userSubject,
                                                ServerAccessToken preAuthorizedToken) {
    final ClientAccessToken token = getClientAccessToken(state, client, requestedScope,
                                                         approvedScope, userSubject,
                                                         preAuthorizedToken);
    // return the token by appending it as a fragment parameter to the redirect URI
    final StringBuilder uri = getUriWithFragment(state.getRedirectUri());
    // NOTE(review): token key and type are appended without query-encoding, unlike scope and
    // the extra parameters below - confirm the issued token keys are always URL-safe.
    uri.append(OAuthConstants.ACCESS_TOKEN).append('=').append(token.getTokenKey())
       .append('&')
       .append(OAuthConstants.ACCESS_TOKEN_TYPE).append('=').append(token.getTokenType());

    if (isWriteOptionalParameters()) {
        uri.append('&').append(OAuthConstants.ACCESS_TOKEN_EXPIRES_IN)
           .append('=').append(token.getExpiresIn());
        final String grantedScope = token.getApprovedScope();
        if (!StringUtils.isEmpty(grantedScope)) {
            uri.append('&').append(OAuthConstants.SCOPE)
               .append('=').append(HttpUtils.queryEncode(grantedScope));
        }
        // extra parameters: values are query-encoded, keys are written as they are
        for (Map.Entry<String, String> extra : token.getParameters().entrySet()) {
            uri.append('&').append(extra.getKey())
               .append('=').append(HttpUtils.queryEncode(extra.getValue()));
        }
    }

    final String refreshToken = token.getRefreshToken();
    if (refreshToken != null) {
        processRefreshToken(uri, refreshToken);
    }
    finalizeResponse(uri, state);
    return uri;
}
/**
 * Exchanges the refresh token carried by an existing access token for a new access token.
 *
 * @param accessTokenService client pointing at the access token endpoint
 * @param consumer client credentials used to authenticate the refresh request
 * @param at the current token; its refresh token and token type are reused
 * @param scope scope requested for the new token, handed to the grant unchanged
 * @param setAuthorizationHeader forwarded to {@code getAccessToken}
 * @return the token returned by the access token service
 * @throws OAuthServiceException propagated from {@code getAccessToken}
 */
public static ClientAccessToken refreshAccessToken(WebClient accessTokenService,
                                                   Consumer consumer,
                                                   ClientAccessToken at,
                                                   String scope,
                                                   boolean setAuthorizationHeader)
    throws OAuthServiceException {
    // NOTE(review): a null refresh token is not rejected here; at.getRefreshToken() is handed
    // to the grant as-is - confirm callers check it before calling.
    final RefreshTokenGrant refreshGrant = new RefreshTokenGrant(at.getRefreshToken(), scope);
    // the fourth argument is passed as null, as the original did; the current token type is
    // forwarded so the new token is requested with the same type
    return getAccessToken(accessTokenService, consumer, refreshGrant, null,
                          at.getTokenType(), setAuthorizationHeader);
}
/**
 * Serializes a client access token as a JSON object and writes it to the stream as UTF-8.
 * Optional members (expires_in, scope, refresh_token, extra parameters) are emitted only when
 * the token carries them.
 *
 * @param obj the token to serialize
 * @param os destination stream; flushed but not closed
 * @throws IOException if writing to {@code os} fails
 */
private void writeAccessToken(ClientAccessToken obj, OutputStream os) throws IOException {
    final StringBuilder json = new StringBuilder("{");
    appendJsonPair(json, OAuthConstants.ACCESS_TOKEN, obj.getTokenKey());
    json.append(',');
    appendJsonPair(json, OAuthConstants.ACCESS_TOKEN_TYPE, obj.getTokenType());

    // -1 stands for "no expiry information": the member is omitted rather than written as -1
    if (obj.getExpiresIn() != -1) {
        json.append(',');
        // the trailing false is forwarded unchanged (presumably: do not quote the numeric value)
        appendJsonPair(json, OAuthConstants.ACCESS_TOKEN_EXPIRES_IN, obj.getExpiresIn(), false);
    }

    final String grantedScope = obj.getApprovedScope();
    if (grantedScope != null) {
        json.append(',');
        appendJsonPair(json, OAuthConstants.SCOPE, grantedScope);
    }

    final String refreshToken = obj.getRefreshToken();
    if (refreshToken != null) {
        json.append(',');
        appendJsonPair(json, OAuthConstants.REFRESH_TOKEN, refreshToken);
    }

    // extra parameters are written after the standard members, in map iteration order
    for (Map.Entry<String, String> extra : obj.getParameters().entrySet()) {
        json.append(',');
        appendJsonPair(json, extra.getKey(), extra.getValue());
    }
    json.append('}');

    os.write(json.toString().getBytes(StandardCharsets.UTF_8));
    os.flush();
}
/**
 * Builds the implicit-grant redirect: the client access token is written into the fragment
 * part of the client's redirect URI, so the browser keeps it out of the request sent to the
 * redirect target.
 *
 * @param state the pending authorization request (holds the redirect URI)
 * @param client the registered client
 * @param requestedScope scopes the client asked for
 * @param approvedScope scopes the user approved
 * @param userSubject the authenticated resource owner
 * @param preAuthorizedToken an already issued token to reuse, if any
 * @return builder holding the redirect URI with the token fragment appended
 */
protected StringBuilder prepareRedirectResponse(OAuthRedirectionState state,
                                                Client client,
                                                List<String> requestedScope,
                                                List<String> approvedScope,
                                                UserSubject userSubject,
                                                ServerAccessToken preAuthorizedToken) {
    final ClientAccessToken token = getClientAccessToken(state, client, requestedScope,
                                                         approvedScope, userSubject,
                                                         preAuthorizedToken);
    // return the token by appending it as a fragment parameter to the redirect URI
    final StringBuilder uri = getUriWithFragment(state.getRedirectUri());
    // NOTE(review): token key and type are appended without query-encoding, unlike scope and
    // the extra parameters below - confirm the issued token keys are always URL-safe.
    uri.append(OAuthConstants.ACCESS_TOKEN).append('=').append(token.getTokenKey())
       .append('&')
       .append(OAuthConstants.ACCESS_TOKEN_TYPE).append('=').append(token.getTokenType());

    if (isWriteOptionalParameters()) {
        uri.append('&').append(OAuthConstants.ACCESS_TOKEN_EXPIRES_IN)
           .append('=').append(token.getExpiresIn());
        final String grantedScope = token.getApprovedScope();
        if (!StringUtils.isEmpty(grantedScope)) {
            uri.append('&').append(OAuthConstants.SCOPE)
               .append('=').append(HttpUtils.queryEncode(grantedScope));
        }
        // extra parameters: values are query-encoded, keys are written as they are
        for (Map.Entry<String, String> extra : token.getParameters().entrySet()) {
            uri.append('&').append(extra.getKey())
               .append('=').append(HttpUtils.queryEncode(extra.getValue()));
        }
    }

    final String refreshToken = token.getRefreshToken();
    if (refreshToken != null) {
        processRefreshToken(uri, refreshToken);
    }
    finalizeResponse(uri, state);
    return uri;
}
/**
 * Serializes a client access token as a JSON object and writes it to the stream as UTF-8.
 * Optional members (expires_in, scope, refresh_token, extra parameters) are emitted only when
 * the token carries them.
 *
 * @param obj the token to serialize
 * @param os destination stream; flushed but not closed
 * @throws IOException if writing to {@code os} fails
 */
private void writeAccessToken(ClientAccessToken obj, OutputStream os) throws IOException {
    final StringBuilder json = new StringBuilder("{");
    appendJsonPair(json, OAuthConstants.ACCESS_TOKEN, obj.getTokenKey());
    json.append(',');
    appendJsonPair(json, OAuthConstants.ACCESS_TOKEN_TYPE, obj.getTokenType());

    // -1 stands for "no expiry information": the member is omitted rather than written as -1
    if (obj.getExpiresIn() != -1) {
        json.append(',');
        // the trailing false is forwarded unchanged (presumably: do not quote the numeric value)
        appendJsonPair(json, OAuthConstants.ACCESS_TOKEN_EXPIRES_IN, obj.getExpiresIn(), false);
    }

    final String grantedScope = obj.getApprovedScope();
    if (grantedScope != null) {
        json.append(',');
        appendJsonPair(json, OAuthConstants.SCOPE, grantedScope);
    }

    final String refreshToken = obj.getRefreshToken();
    if (refreshToken != null) {
        json.append(',');
        appendJsonPair(json, OAuthConstants.REFRESH_TOKEN, refreshToken);
    }

    // extra parameters are written after the standard members, in map iteration order
    for (Map.Entry<String, String> extra : obj.getParameters().entrySet()) {
        json.append(',');
        appendJsonPair(json, extra.getKey(), extra.getValue());
    }
    json.append('}');

    os.write(json.toString().getBytes(StandardCharsets.UTF_8));
    os.flush();
}
System.out.println("Refresh Token="+clientToken.getRefreshToken()); System.out.println(""); System.out.println(MessageFormat.format(OAUTH2_0_DOMAIN, clientID, clientSecret, clientToken.getRefreshToken(), accessTokenURL));
/**
 * Refreshes {@code at} when it has expired, or is about to expire within {@code expiryThreshold}.
 *
 * @param at the token to check; must not be {@code null}
 * @return a newly obtained token, or {@code null} when {@code at} has no refresh token or is
 *         still considered valid
 */
private ClientAccessToken refreshAccessTokenIfExpired(ClientAccessToken at) {
    // without a refresh token there is nothing to do, whatever the expiry state
    if (at.getRefreshToken() == null) {
        return null;
    }
    // a positive threshold treats the token as expired that much (presumably seconds) before
    // its real expiry; the plain expiry check still applies when the threshold is disabled
    final boolean expiringSoon = expiryThreshold > 0
        && OAuthUtils.isExpired(at.getIssuedAt(), at.getExpiresIn() - expiryThreshold);
    if (expiringSoon || OAuthUtils.isExpired(at.getIssuedAt(), at.getExpiresIn())) {
        return OAuthClientUtils.refreshAccessToken(accessTokenServiceClient, consumer, at);
    }
    return null;
}
/**
 * Refreshes {@code at} when it has expired, or is about to expire within {@code expiryThreshold}.
 *
 * @param at the token to check; must not be {@code null}
 * @return a newly obtained token, or {@code null} when {@code at} has no refresh token or is
 *         still considered valid
 */
private ClientAccessToken refreshAccessTokenIfExpired(ClientAccessToken at) {
    // without a refresh token there is nothing to do, whatever the expiry state
    if (at.getRefreshToken() == null) {
        return null;
    }
    // a positive threshold treats the token as expired that much (presumably seconds) before
    // its real expiry; the plain expiry check still applies when the threshold is disabled
    final boolean expiringSoon = expiryThreshold > 0
        && OAuthUtils.isExpired(at.getIssuedAt(), at.getExpiresIn() - expiryThreshold);
    if (expiringSoon || OAuthUtils.isExpired(at.getIssuedAt(), at.getExpiresIn())) {
        return OAuthClientUtils.refreshAccessToken(accessTokenServiceClient, consumer, at);
    }
    return null;
}
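/**
 * Refreshes the stored client access token using its refresh token.
 * <p>
 * The client credentials for the refresh call come from the injected {@code consumer}; when
 * none is injected, the user name and password of the conduit's {@link AuthorizationPolicy}
 * are used as client id and secret instead.
 *
 * @param authPolicy the conduit's authorization policy, may be {@code null}
 * @return {@code true} if a new token was obtained and stored, {@code false} when the current
 *         token has no refresh token or no client credentials are available
 */
private boolean refreshAccessToken(AuthorizationPolicy authPolicy) {
    ClientAccessToken at = getClientAccessToken();
    if (at.getRefreshToken() == null) {
        return false;
    }
    // Client id and secret are needed to refresh the tokens
    // AuthorizationPolicy can hold them by default, Consumer can also be injected into this supplier
    // and checked if the policy is null.
    // Client TLS authentication is also fine as an alternative authentication mechanism,
    // how can we check here that a 2-way TLS has been set up ?
    Consumer theConsumer = consumer;
    if (theConsumer == null
        && authPolicy != null && authPolicy.getUserName() != null && authPolicy.getPassword() != null) {
        // Previously this branch returned false right after building the Consumer, so the
        // policy-derived credentials were a dead store and the refresh never ran without an
        // injected consumer. The policy password is used as the client secret: never log it.
        theConsumer = new Consumer(authPolicy.getUserName(), authPolicy.getPassword());
    }
    if (theConsumer == null) {
        return false;
    }
    // Can WebClient be safely constructed at HttpConduit initialization time ?
    // If yes then createAccessTokenServiceClient() can be called inside
    // setAccessTokenServiceUri, though given that the token refreshment would
    // not be done on every request the current approach is quite reasonable
    WebClient accessTokenService = createAccessTokenServiceClient();
    setClientAccessToken(OAuthClientUtils.refreshAccessToken(accessTokenService, theConsumer, at));
    return true;
}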
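/**
 * Client credentials grant: the client authenticates with its id and secret and receives a
 * token that has no resource-owner subject. When tokens are JWTs, the signature is verified
 * against alice's certificate from the test keystore.
 *
 * @throws Exception on any setup or request failure
 */
@org.junit.Test
public void testClientCredentialsGrant() throws Exception {
    URL busFile = AuthorizationGrantTest.class.getResource("client.xml");

    String address = "https://localhost:" + port + "/services/";
    WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
                                        "consumer-id", "this-is-a-secret", busFile.toString());

    // Get Access Token
    client.type("application/x-www-form-urlencoded").accept("application/json");
    client.path("token");

    Form form = new Form();
    form.param("grant_type", "client_credentials");
    Response response = client.post(form);

    ClientAccessToken accessToken = response.readEntity(ClientAccessToken.class);
    assertNotNull(accessToken.getTokenKey());
    assertNotNull(accessToken.getRefreshToken());

    if (isAccessTokenInJWTFormat()) {
        // We don't have a Subject for the client credential grant,
        // so validate manually here as opposed to calling validateAccessToken
        JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(accessToken.getTokenKey());

        KeyStore keystore = KeyStore.getInstance("JKS");
        // The caller owns the classpath stream: close it once the store is loaded instead of
        // leaking it for the rest of the test run.
        try (java.io.InputStream keystoreStream =
                 ClassLoaderUtils.getResourceAsStream("keys/alice.jks", this.getClass())) {
            keystore.load(keystoreStream, "password".toCharArray());
        }
        Certificate cert = keystore.getCertificate("alice");
        assertNotNull(cert);

        assertTrue(jwtConsumer.verifySignatureWith((X509Certificate)cert, SignatureAlgorithm.RS256));
    }
}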
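/**
 * Refreshes the stored client access token using its refresh token.
 * <p>
 * The client credentials for the refresh call come from the injected {@code consumer}; when
 * none is injected, the user name and password of the conduit's {@link AuthorizationPolicy}
 * are used as client id and secret instead.
 *
 * @param authPolicy the conduit's authorization policy, may be {@code null}
 * @return {@code true} if a new token was obtained and stored, {@code false} when the current
 *         token has no refresh token or no client credentials are available
 */
private boolean refreshAccessToken(AuthorizationPolicy authPolicy) {
    ClientAccessToken at = getClientAccessToken();
    if (at.getRefreshToken() == null) {
        return false;
    }
    // Client id and secret are needed to refresh the tokens
    // AuthorizationPolicy can hold them by default, Consumer can also be injected into this supplier
    // and checked if the policy is null.
    // Client TLS authentication is also fine as an alternative authentication mechanism,
    // how can we check here that a 2-way TLS has been set up ?
    Consumer theConsumer = consumer;
    if (theConsumer == null
        && authPolicy != null && authPolicy.getUserName() != null && authPolicy.getPassword() != null) {
        // Previously this branch returned false right after building the Consumer, so the
        // policy-derived credentials were a dead store and the refresh never ran without an
        // injected consumer. The policy password is used as the client secret: never log it.
        theConsumer = new Consumer(authPolicy.getUserName(), authPolicy.getPassword());
    }
    if (theConsumer == null) {
        return false;
    }
    // Can WebClient be safely constructed at HttpConduit initialization time ?
    // If yes then createAccessTokenServiceClient() can be called inside
    // setAccessTokenServiceUri, though given that the token refreshment would
    // not be done on every request the current approach is quite reasonable
    WebClient accessTokenService = createAccessTokenServiceClient();
    setClientAccessToken(OAuthClientUtils.refreshAccessToken(accessTokenService, theConsumer, at));
    return true;
}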
&& !inMessage.containsKey(OAUTH2_CALL_RETRIED)) { ClientAccessToken accessToken = tokenContext.getToken(); String refreshToken = accessToken.getRefreshToken(); if (refreshToken != null) { accessToken = OAuthClientUtils.refreshAccessToken(accessTokenServiceClient,
&& !inMessage.containsKey(OAUTH2_CALL_RETRIED)) { ClientAccessToken accessToken = tokenContext.getToken(); String refreshToken = accessToken.getRefreshToken(); if (refreshToken != null) { accessToken = OAuthClientUtils.refreshAccessToken(accessTokenServiceClient,
OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code); assertNotNull(accessToken.getTokenKey()); assertNotNull(accessToken.getRefreshToken()); form.param("refresh_token", accessToken.getRefreshToken()); form.param("client_id", "consumer-id"); Response response = client.post(form); assertNotNull(accessToken.getRefreshToken());
OAuth2TestUtils.getAccessTokenWithAuthorizationCode(client, code); assertNotNull(accessToken.getTokenKey()); assertNotNull(accessToken.getRefreshToken()); form.param("refresh_token", accessToken.getRefreshToken()); form.param("client_id", "consumer-id"); form.param("scope", "read_balance"); assertNotNull(accessToken.getRefreshToken());
assertNotNull(accessToken.getTokenKey()); assertTrue(accessToken.getApprovedScope().contains("openid")); assertNotNull(accessToken.getRefreshToken()); form.param("refresh_token", accessToken.getRefreshToken()); form.param("client_id", "consumer-id"); form.param("scope", "openid"); assertNotNull(accessToken.getRefreshToken()); accessToken.getParameters().get("id_token"); assertNotNull(idToken);
/**
 * SAML 2.0 bearer grant: a freshly created assertion, base64url-encoded, is exchanged for an
 * access token at the token endpoint.
 *
 * @throws Exception on any setup or request failure
 */
@org.junit.Test
public void testSAMLAuthorizationGrant() throws Exception {
    final URL busFile = AuthorizationGrantTest.class.getResource("client.xml");
    final String address = "https://localhost:" + port + "/services/";
    final WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
                                              "alice", "security", busFile.toString());

    // Create the SAML Assertion; the token endpoint address is handed to createToken
    final String assertion = OAuth2TestUtils.createToken(address + "token");

    // Assemble the grant request, then point the client at the token endpoint and post it
    final Form grantRequest = new Form()
        .param("grant_type", "urn:ietf:params:oauth:grant-type:saml2-bearer")
        .param("assertion", Base64UrlUtility.encode(assertion))
        .param("client_id", "consumer-id");
    client.type("application/x-www-form-urlencoded").accept("application/json").path("token");
    final Response response = client.post(grantRequest);

    final ClientAccessToken accessToken = response.readEntity(ClientAccessToken.class);
    assertNotNull(accessToken.getTokenKey());
    assertNotNull(accessToken.getRefreshToken());
    if (isAccessTokenInJWTFormat()) {
        validateAccessToken(accessToken.getTokenKey());
    }
}
/**
 * Resource owner password credentials grant: the client authenticates with its id and secret
 * and sends alice's user name and password in the form body to obtain a token.
 *
 * @throws Exception on any setup or request failure
 */
@org.junit.Test
public void testPasswordsCredentialsGrant() throws Exception {
    final URL busFile = AuthorizationGrantTest.class.getResource("client.xml");
    final String address = "https://localhost:" + port + "/services/";
    final WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
                                              "consumer-id", "this-is-a-secret", busFile.toString());

    // Assemble the grant request, then point the client at the token endpoint and post it
    final Form grantRequest = new Form()
        .param("grant_type", "password")
        .param("username", "alice")
        .param("password", "security");
    client.type("application/x-www-form-urlencoded").accept("application/json").path("token");
    final Response response = client.post(grantRequest);

    final ClientAccessToken accessToken = response.readEntity(ClientAccessToken.class);
    assertNotNull(accessToken.getTokenKey());
    assertNotNull(accessToken.getRefreshToken());
    if (isAccessTokenInJWTFormat()) {
        validateAccessToken(accessToken.getTokenKey());
    }
}
/**
 * JWT bearer grant: a JWT created for the token endpoint is exchanged for an access token.
 *
 * @throws Exception on any setup or request failure
 */
@org.junit.Test
public void testJWTAuthorizationGrant() throws Exception {
    final URL busFile = AuthorizationGrantTest.class.getResource("client.xml");
    final String address = "https://localhost:" + port + "/services/";
    final WebClient client = WebClient.create(address, OAuth2TestUtils.setupProviders(),
                                              "alice", "security", busFile.toString());

    // Create the JWT Token; issuer, subject and audience are given explicitly, the two flags
    // are forwarded unchanged (their meaning is defined by createToken)
    final String token = OAuth2TestUtils.createToken("DoubleItSTSIssuer", "consumer-id",
                                                     "https://localhost:" + port + "/services/token",
                                                     true, true);

    // Assemble the grant request, then point the client at the token endpoint and post it
    final Form grantRequest = new Form()
        .param("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer")
        .param("assertion", token)
        .param("client_id", "consumer-id");
    client.type("application/x-www-form-urlencoded").accept("application/json").path("token");
    final Response response = client.post(grantRequest);

    final ClientAccessToken accessToken = response.readEntity(ClientAccessToken.class);
    assertNotNull(accessToken.getTokenKey());
    assertNotNull(accessToken.getRefreshToken());
    if (isAccessTokenInJWTFormat()) {
        validateAccessToken(accessToken.getTokenKey());
    }
}