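/**
 * Loads an OAuth client as a Spring Security {@link UserDetails} so that it can be
 * authenticated at the token endpoint with its client secret.
 *
 * <p>The returned {@code User} carries the stored client secret (empty string if the
 * client has none) as its password, and the client's own authorities plus
 * {@code ROLE_CLIENT}. When secret-based authentication must not succeed -- for
 * every client while HEART mode is on, and for any client registered with the
 * {@code private_key} or {@code secret_jwt} token-endpoint auth method -- the
 * password is replaced with a fresh random value on every call, so no presented
 * secret can ever match (see #715).
 *
 * @param clientId the client identifier presented as the "username"
 * @return the client wrapped as user details; never {@code null}
 * @throws UsernameNotFoundException if no client exists for {@code clientId}, or the
 *         client service rejects it with {@link InvalidClientException} (kept as the
 *         cause; the message is deliberately the same in both cases)
 */
@Override
public UserDetails loadUserByUsername(String clientId) throws UsernameNotFoundException {
    final ClientDetailsEntity client;
    try {
        client = clientDetailsService.loadClientByClientId(clientId);
    } catch (InvalidClientException e) {
        // Preserve the cause for diagnostics without widening the user-facing message.
        throw new UsernameNotFoundException("Client not found: " + clientId, e);
    }
    if (client == null) {
        throw new UsernameNotFoundException("Client not found: " + clientId);
    }

    String password = Strings.nullToEmpty(client.getClientSecret());

    // Constant-first equals() is null-safe, so an unset auth method simply counts as "not key based".
    AuthMethod authMethod = client.getTokenEndpointAuthMethod();
    boolean keyBasedClient = AuthMethod.PRIVATE_KEY.equals(authMethod)
            || AuthMethod.SECRET_JWT.equals(authMethod);

    // In HEART mode all client secrets are turned off.
    if (config.isHeartMode() || keyBasedClient) {
        // Issue a random password each time to prevent password auth from being used (or skipped)
        // for private key or shared key clients, see #715
        password = new BigInteger(512, new SecureRandom()).toString(16);
    }

    boolean enabled = true;
    boolean accountNonExpired = true;
    boolean credentialsNonExpired = true;
    boolean accountNonLocked = true;

    // Copy first so ROLE_CLIENT is added to the returned set, not to the entity's own collection.
    Collection<GrantedAuthority> authorities = new HashSet<>(client.getAuthorities());
    authorities.add(ROLE_CLIENT);

    return new User(clientId, password, enabled, accountNonExpired, credentialsNonExpired,
            accountNonLocked, authorities);
}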
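/**
 * Loads an OAuth client as a Spring Security {@link UserDetails}, for deployments
 * where the client id and secret are presented in URL-encoded form.
 *
 * <p>The presented {@code clientId} is URL-decoded before the lookup, and the stored
 * client secret is URL-encoded (as a path segment) before being handed back as the
 * password, so that the credential comparison done by the authentication provider
 * operates on the same encoded form the client sent. The returned {@code User} is
 * named with the decoded id and carries the client's authorities plus
 * {@code ROLE_CLIENT}. When secret-based authentication must not succeed -- for
 * every client while HEART mode is on, and for any client registered with the
 * {@code private_key} or {@code secret_jwt} token-endpoint auth method -- the
 * password is replaced with a fresh random value on every call, so no presented
 * secret can ever match (see #715).
 *
 * @param clientId the URL-encoded client identifier presented as the "username"
 * @return the client wrapped as user details; never {@code null}
 * @throws UsernameNotFoundException if no client exists for the decoded id, the
 *         client service rejects it with {@link InvalidClientException}, or UTF-8
 *         is unavailable for decoding/encoding (both kept as the cause; the message
 *         is deliberately the same in every case)
 */
@Override
public UserDetails loadUserByUsername(String clientId) throws UsernameNotFoundException {
    try {
        String decodedClientId = UriUtils.decode(clientId, "UTF-8");
        ClientDetailsEntity client = clientDetailsService.loadClientByClientId(decodedClientId);
        if (client == null) {
            // Not in the multi-catch below, so this propagates as-is.
            throw new UsernameNotFoundException("Client not found: " + clientId);
        }

        // Encode the stored secret the same way the client is expected to present it.
        String encodedPassword = UriUtils.encodePathSegment(
                Strings.nullToEmpty(client.getClientSecret()), "UTF-8");

        // Constant-first equals() is null-safe, so an unset auth method simply counts as "not key based".
        AuthMethod authMethod = client.getTokenEndpointAuthMethod();
        boolean keyBasedClient = AuthMethod.PRIVATE_KEY.equals(authMethod)
                || AuthMethod.SECRET_JWT.equals(authMethod);

        // In HEART mode all client secrets are turned off.
        if (config.isHeartMode() || keyBasedClient) {
            // Issue a random password each time to prevent password auth from being used (or skipped)
            // for private key or shared key clients, see #715
            encodedPassword = new BigInteger(512, new SecureRandom()).toString(16);
        }

        boolean enabled = true;
        boolean accountNonExpired = true;
        boolean credentialsNonExpired = true;
        boolean accountNonLocked = true;

        // Copy first so ROLE_CLIENT is added to the returned set, not to the entity's own collection.
        Collection<GrantedAuthority> authorities = new HashSet<>(client.getAuthorities());
        authorities.add(ROLE_CLIENT);

        return new User(decodedClientId, encodedPassword, enabled, accountNonExpired,
                credentialsNonExpired, accountNonLocked, authorities);
    } catch (UnsupportedEncodingException | InvalidClientException e) {
        // Preserve the cause for diagnostics without widening the user-facing message.
        throw new UsernameNotFoundException("Client not found: " + clientId, e);
    }
}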
final String clientSecret = client.getClientSecret(); if (SECRET_BASIC.equals(client.getTokenEndpointAuthMethod())){
if (SECRET_BASIC.equals(clientConfig.getTokenEndpointAuthMethod())){ if (SECRET_JWT.equals(clientConfig.getTokenEndpointAuthMethod()) || PRIVATE_KEY.equals(clientConfig.getTokenEndpointAuthMethod())) { JWSAlgorithm alg = clientConfig.getTokenEndpointAuthSigningAlg(); if (SECRET_JWT.equals(clientConfig.getTokenEndpointAuthMethod()) && (JWSAlgorithm.HS256.equals(alg) || JWSAlgorithm.HS384.equals(alg) } else if (PRIVATE_KEY.equals(clientConfig.getTokenEndpointAuthMethod())) {
if (SECRET_BASIC.equals(clientConfig.getTokenEndpointAuthMethod())){ if (SECRET_JWT.equals(clientConfig.getTokenEndpointAuthMethod()) || PRIVATE_KEY.equals(clientConfig.getTokenEndpointAuthMethod())) { JWSAlgorithm alg = clientConfig.getTokenEndpointAuthSigningAlg(); if (SECRET_JWT.equals(clientConfig.getTokenEndpointAuthMethod()) && (alg.equals(JWSAlgorithm.HS256) || alg.equals(JWSAlgorithm.HS384) } else if (PRIVATE_KEY.equals(clientConfig.getTokenEndpointAuthMethod())) {
client.getTokenEndpointAuthMethod().equals(AuthMethod.NONE) || client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_BASIC) || client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_POST)) { } else if ((client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY) && (alg.equals(JWSAlgorithm.RS256) || alg.equals(JWSAlgorithm.RS384) || alg.equals(JWSAlgorithm.PS384) || alg.equals(JWSAlgorithm.PS512))) || (client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT) && (alg.equals(JWSAlgorithm.HS256) || alg.equals(JWSAlgorithm.HS384) if (config.isHeartMode() && !client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY)) { throw new AuthenticationServiceException("[HEART mode] Invalid authentication method");
client.getTokenEndpointAuthMethod().equals(AuthMethod.NONE)) { } else if (client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_BASIC) || client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_POST) || client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT)) { } else if (client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY)) {
if (client.getTokenEndpointAuthMethod() == null || !client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY)) { throw new IllegalArgumentException("[HEART mode] Authorization code clients must use the private_key authentication method"); if (client.getTokenEndpointAuthMethod() == null || !client.getTokenEndpointAuthMethod().equals(AuthMethod.NONE)) { throw new IllegalArgumentException("[HEART mode] Implicit clients must use the none authentication method"); if (client.getTokenEndpointAuthMethod() == null || !client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY)) { throw new IllegalArgumentException("[HEART mode] Client credentials clients must use the private_key authentication method");
client.getTokenEndpointAuthMethod().equals(AuthMethod.NONE)) { } else if (client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_BASIC) || client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_POST) || client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT)) { } else if (client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY)) {
final String clientSecret = client.getClientSecret(); if (SECRET_BASIC.equals(client.getTokenEndpointAuthMethod())){
if (SECRET_BASIC.equals(clientConfig.getTokenEndpointAuthMethod())){ if (SECRET_JWT.equals(clientConfig.getTokenEndpointAuthMethod()) || PRIVATE_KEY.equals(clientConfig.getTokenEndpointAuthMethod())) { JWSAlgorithm alg = clientConfig.getTokenEndpointAuthSigningAlg(); if (SECRET_JWT.equals(clientConfig.getTokenEndpointAuthMethod()) && (JWSAlgorithm.HS256.equals(alg) || JWSAlgorithm.HS384.equals(alg) } else if (PRIVATE_KEY.equals(clientConfig.getTokenEndpointAuthMethod())) {
client.getTokenEndpointAuthMethod().equals(AuthMethod.NONE) || client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_BASIC) || client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_POST)) { } else if ((client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY) && (alg.equals(JWSAlgorithm.RS256) || alg.equals(JWSAlgorithm.RS384) || alg.equals(JWSAlgorithm.PS384) || alg.equals(JWSAlgorithm.PS512))) || (client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT) && (alg.equals(JWSAlgorithm.HS256) || alg.equals(JWSAlgorithm.HS384) if (config.isHeartMode() && !client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY)) { throw new AuthenticationServiceException("[HEART mode] Invalid authentication method");
client.getTokenEndpointAuthMethod().equals(AuthMethod.NONE)) { } else if (client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_BASIC) || client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_POST) || client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT)) { } else if (client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY)) {
client.getTokenEndpointAuthMethod().equals(AuthMethod.NONE)) { } else if (client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_BASIC) || client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_POST) || client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_JWT)) { } else if (client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY)) {
if (client.getTokenEndpointAuthMethod() == null || !client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY)) { throw new IllegalArgumentException("[HEART mode] Authorization code clients must use the private_key authentication method"); if (client.getTokenEndpointAuthMethod() == null || !client.getTokenEndpointAuthMethod().equals(AuthMethod.NONE)) { throw new IllegalArgumentException("[HEART mode] Implicit clients must use the none authentication method"); if (client.getTokenEndpointAuthMethod() == null || !client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY)) { throw new IllegalArgumentException("[HEART mode] Client credentials clients must use the private_key authentication method");
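/**
 * Reports whether this client authenticates at the token endpoint with a shared
 * client secret.
 *
 * <p>Returns {@code true} for the {@code secret_basic}, {@code secret_post} and
 * {@code secret_jwt} auth methods, and {@code false} for {@code none},
 * {@code private_key}, or when no method is set. Marked {@code @Transient} because
 * the value is derived from the auth method rather than stored on its own.
 *
 * @return {@code true} if a client secret must be present for this client
 */
@Override
@Transient
public boolean isSecretRequired() {
    AuthMethod method = getTokenEndpointAuthMethod();
    // Constant-first equals() is null-safe, so an unset method yields false without a separate check.
    return AuthMethod.SECRET_BASIC.equals(method)
            || AuthMethod.SECRET_POST.equals(method)
            || AuthMethod.SECRET_JWT.equals(method);
}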