public OAuth2Authentication consumeAuthorizationCode(String code) throws InvalidGrantException { OAuth2Authentication auth = this.remove(code); if (auth == null) { throw new InvalidGrantException("Invalid authorization code: " + code); } return auth; }
@SuppressWarnings("unchecked") protected Authentication validateRequest(TokenRequest request) { // things to validate if(request == null || request.getRequestParameters() == null) { throw new InvalidGrantException("Missing token request object"); } if(request.getRequestParameters().get("grant_type") == null) { throw new InvalidGrantException("Missing grant type"); } if(!GRANT_TYPE_SAML2_BEARER.equals(request.getRequestParameters().get("grant_type"))) { throw new InvalidGrantException("Invalid grant type"); } // parse the XML to Assertion if (new DefaultSecurityContextAccessor().isUser()) { return SecurityContextHolder.getContext().getAuthentication(); } throw new InvalidGrantException("User authentication not found"); }
protected Authentication validateRequest(TokenRequest request) { if (new DefaultSecurityContextAccessor().isUser()) { if( request == null || request.getRequestParameters() == null || request.getRequestParameters().isEmpty()) { throw new InvalidGrantException("Missing token request object"); } if(request.getRequestParameters().get("grant_type") == null) { throw new InvalidGrantException("Missing grant type"); } if(!GRANT_TYPE_JWT_BEARER.equals(request.getRequestParameters().get("grant_type"))) { throw new InvalidGrantException("Invalid grant type"); } } else { throw new InvalidGrantException("User authentication not found"); } return SecurityContextHolder.getContext().getAuthentication(); }
public String resolveRedirect(String requestedRedirect, ClientDetails client) throws OAuth2Exception { Set<String> authorizedGrantTypes = client.getAuthorizedGrantTypes(); if (authorizedGrantTypes.isEmpty()) { throw new InvalidGrantException("A client must have at least one authorized grant type."); } if (!containsRedirectGrantType(authorizedGrantTypes)) { throw new InvalidGrantException( "A redirect_uri can only be used by implicit or authorization_code grant types."); } Set<String> registeredRedirectUris = client.getRegisteredRedirectUri(); if (registeredRedirectUris == null || registeredRedirectUris.isEmpty()) { throw new InvalidRequestException("At least one redirect_uri must be registered with the client."); } return obtainMatchingRedirect(registeredRedirectUris, requestedRedirect); }
@Override protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest) { Map<String, String> parameters = new LinkedHashMap<String, String>(tokenRequest.getRequestParameters()); String username = parameters.get("username"); String password = parameters.get("password"); // Protect from downstream leaks of password parameters.remove("password"); Authentication userAuth = new UsernamePasswordAuthenticationToken(username, password); ((AbstractAuthenticationToken) userAuth).setDetails(parameters); try { userAuth = authenticationManager.authenticate(userAuth); } catch (AccountStatusException ase) { //covers expired, locked, disabled cases (mentioned in section 5.2, draft 31) throw new InvalidGrantException(ase.getMessage()); } catch (BadCredentialsException e) { // If the username/password are wrong the spec says we should send 400/invalid grant throw new InvalidGrantException(e.getMessage()); } if (userAuth == null || !userAuth.isAuthenticated()) { throw new InvalidGrantException("Could not authenticate user: " + username); } OAuth2Request storedOAuth2Request = getRequestFactory().createOAuth2Request(client, tokenRequest); return new OAuth2Authentication(storedOAuth2Request, userAuth); } }
ex = new InvalidGrantException(errorMessage);
@Override public OAuth2Authentication consumeAuthorizationCode(String code) throws InvalidGrantException { performExpirationClean(); JdbcTemplate template = new JdbcTemplate(dataSource); try { TokenCode tokenCode = (TokenCode) template.queryForObject(SQL_SELECT_STATEMENT, rowMapper, code); if (tokenCode != null) { try { if (tokenCode.isExpired()) { logger.debug("[oauth_code] Found code, but it expired:"+tokenCode); throw new InvalidGrantException("Authorization code expired: " + code); } else if (tokenCode.getExpiresAt() == 0) { return SerializationUtils.deserialize(tokenCode.getAuthentication()); } else { return deserializeOauth2Authentication(tokenCode.getAuthentication()); } } finally { template.update(SQL_DELETE_STATEMENT, code); } } }catch (EmptyResultDataAccessException x) { } throw new InvalidGrantException("Invalid authorization code: " + code); }
return new InvalidGrantException(errorMessage);
ex = new InvalidGrantException(errorMessage);
/** * Consume a given authorization code. * Match the provided string to an AuthorizationCodeEntity. If one is found, return * the authentication associated with the code. If one is not found, throw an * InvalidGrantException. * * @param code the authorization code * @return the authentication that made the original request * @throws InvalidGrantException, if an AuthorizationCodeEntity is not found with the given value */ @Override public OAuth2Authentication consumeAuthorizationCode(String code) throws InvalidGrantException { AuthorizationCodeEntity result = repository.getByCode(code); if (result == null) { throw new InvalidGrantException("JpaAuthorizationCodeRepository: no authorization code found for value " + code); } OAuth2Authentication auth = result.getAuthenticationHolder().getAuthentication(); repository.remove(result); return auth; }
throw new InvalidGrantException("Invalid authorization code: " + authorizationCode);
throw new InvalidGrantException("Wrong client for this refresh token: " + clientId);
protected Authentication validateRequest(TokenRequest request) { //things to validate //1. Authentication must exist and be authenticated Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); if (authentication == null || !authentication.isAuthenticated() || !(authentication instanceof UaaOauth2Authentication)) { throw new InsufficientAuthenticationException("Invalid authentication object:"+authentication); } UaaOauth2Authentication oauth2Authentication = (UaaOauth2Authentication)authentication; //2. authentication must be a user, and authenticated if (oauth2Authentication.getUserAuthentication() == null || !oauth2Authentication.getUserAuthentication().isAuthenticated()) { throw new InsufficientAuthenticationException("Authentication containing a user is required"); } //3. parameter requesting_client_id must be present if (request.getRequestParameters()==null || request.getRequestParameters().get(USER_TOKEN_REQUESTING_CLIENT_ID)==null) { throw new InvalidGrantException("Parameter "+USER_TOKEN_REQUESTING_CLIENT_ID+" is required."); } //4. grant_type must be user_token if (!TokenConstants.GRANT_TYPE_USER_TOKEN.equals(request.getGrantType())) { throw new InvalidGrantException("Invalid grant type"); } //5. requesting client must have user_token grant type ClientDetails requesting = clientDetailsService.loadClientByClientId(request.getRequestParameters().get(USER_TOKEN_REQUESTING_CLIENT_ID), IdentityZoneHolder.get().getId()); super.validateGrantType(GRANT_TYPE_USER_TOKEN, requesting); //6. receiving client must have refresh_token grant type ClientDetails receiving = clientDetailsService.loadClientByClientId(request.getRequestParameters().get(CLIENT_ID), IdentityZoneHolder.get().getId()); super.validateGrantType(GRANT_TYPE_REFRESH_TOKEN, receiving); return oauth2Authentication.getUserAuthentication(); }
throw new InvalidGrantException("Implicit grant type not supported from token endpoint");
throw new InvalidGrantException("Invalid refresh token: " + refreshTokenValue); throw new InvalidGrantException("Invalid refresh token: " + refreshTokenValue); throw new InvalidGrantException("Wrong client for this refresh token: " + refreshTokenValue);
@Override protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest) { String deviceCode = tokenRequest.getRequestParameters().get("device_code"); // look up the device code and consume it DeviceCode dc = deviceCodeService.findDeviceCode(deviceCode, client); if (dc != null) { // make sure the code hasn't expired yet if (dc.getExpiration() != null && dc.getExpiration().before(new Date())) { deviceCodeService.clearDeviceCode(deviceCode, client); throw new DeviceCodeExpiredException("Device code has expired " + deviceCode); } else if (!dc.isApproved()) { // still waiting for approval throw new AuthorizationPendingException("Authorization pending for code " + deviceCode); } else { // inherit the (approved) scopes from the original request tokenRequest.setScope(dc.getScope()); OAuth2Authentication auth = new OAuth2Authentication(getRequestFactory().createOAuth2Request(client, tokenRequest), dc.getAuthenticationHolder().getUserAuth()); deviceCodeService.clearDeviceCode(deviceCode, client); return auth; } } else { throw new InvalidGrantException("Invalid device code: " + deviceCode); } }
public OAuth2Authentication consumeAuthorizationCode(String code) throws InvalidGrantException { OAuth2Authentication auth = this.remove(code); if (auth == null) { throw new InvalidGrantException("Invalid authorization code: " + code); } return auth; }
private void validateGrantType(String grantType, ClientDetails clientDetails) { Collection<String> authorizedGrantTypes = clientDetails.getAuthorizedGrantTypes(); if (authorizedGrantTypes != null && !authorizedGrantTypes.isEmpty() && !authorizedGrantTypes.contains(grantType)) { throw new InvalidGrantException("Unauthorized grant type: " + grantType); } } }
protected void checkIfTokenIsIssuedToClient(Authentication clientAuth, OAuth2Authentication authToRevoke) { String requestingClientId = clientAuth.getName(); String tokenClientId = authToRevoke.getOAuth2Request().getClientId(); if (!requestingClientId.equals(tokenClientId)) { log.debug("Revoke FAILED: requesting client = {}, token's client = {}", requestingClientId, tokenClientId); throw new InvalidGrantException("Cannot revoke tokens issued to other clients"); } } }
private AuthorizationRequestHolder getAuthorizationRequestHolder(Map<String, String> parameters) { String authorizationCode = parameters.get("code"); if (authorizationCode == null) { throw new OAuth2Exception("An authorization code must be supplied."); } AuthorizationRequestHolder storedAuth = authorizationCodeServices.consumeAuthorizationCode(authorizationCode); if (storedAuth == null) { throw new InvalidGrantException("Invalid authorization code: " + authorizationCode); } return storedAuth; } }