/**
 * Creates a builder bound to one grant type.
 * <p>
 * The response type is derived from the grant: the authorization code grant
 * yields {@code OAuth2AuthorizationResponseType.CODE}, the implicit grant yields
 * {@code OAuth2AuthorizationResponseType.TOKEN}. For any other grant the
 * response type is left untouched by this constructor.
 *
 * @param authorizationGrantType the grant type the request is built for, never {@code null}
 * @throws IllegalArgumentException if {@code authorizationGrantType} is {@code null}
 */
private Builder(AuthorizationGrantType authorizationGrantType) {
	Assert.notNull(authorizationGrantType, "authorizationGrantType cannot be null");
	this.authorizationGrantType = authorizationGrantType;
	boolean authorizationCode = AuthorizationGrantType.AUTHORIZATION_CODE.equals(authorizationGrantType);
	boolean implicit = AuthorizationGrantType.IMPLICIT.equals(authorizationGrantType);
	if (authorizationCode) {
		this.responseType = OAuth2AuthorizationResponseType.CODE;
	}
	else if (implicit) {
		// the implicit grant returns the token itself on the front channel
		this.responseType = OAuth2AuthorizationResponseType.TOKEN;
	}
}
/**
 * Verifies the fields the authorization code grant needs before a registration is created.
 * <p>
 * The assertions run in order, so the first missing value decides the reported message.
 * This is also where a grant type that is neither client credentials nor implicit is
 * rejected, because it must equal {@code AUTHORIZATION_CODE} to pass the first check.
 *
 * @throws IllegalArgumentException if the grant type is not {@code AUTHORIZATION_CODE}, or
 * registrationId, clientId, redirectUriTemplate, authorizationUri or tokenUri is empty
 */
private void validateAuthorizationCodeGrantType() {
	AuthorizationGrantType expected = AuthorizationGrantType.AUTHORIZATION_CODE;
	Assert.isTrue(expected.equals(this.authorizationGrantType),
			() -> "authorizationGrantType must be " + expected.getValue());
	Assert.hasText(this.registrationId, "registrationId cannot be empty");
	Assert.hasText(this.clientId, "clientId cannot be empty");
	// both front-channel and back-channel endpoints are required for this grant
	Assert.hasText(this.redirectUriTemplate, "redirectUriTemplate cannot be empty");
	Assert.hasText(this.authorizationUri, "authorizationUri cannot be empty");
	Assert.hasText(this.tokenUri, "tokenUri cannot be empty");
}
/**
 * Creates a client credentials grant request for the given registration.
 * <p>
 * The registration itself must be configured for the client credentials grant;
 * a registration for any other grant is rejected rather than silently reused.
 *
 * @param clientRegistration the client registration, never {@code null}
 * @throws IllegalArgumentException if the registration is {@code null} or its grant type
 * is not {@code CLIENT_CREDENTIALS}
 */
public OAuth2ClientCredentialsGrantRequest(ClientRegistration clientRegistration) {
	super(AuthorizationGrantType.CLIENT_CREDENTIALS);
	Assert.notNull(clientRegistration, "clientRegistration cannot be null");
	boolean clientCredentials = AuthorizationGrantType.CLIENT_CREDENTIALS
			.equals(clientRegistration.getAuthorizationGrantType());
	Assert.isTrue(clientCredentials,
			"clientRegistration.authorizationGrantType must be AuthorizationGrantType.CLIENT_CREDENTIALS");
	this.clientRegistration = clientRegistration;
}
/**
 * Verifies the fields the implicit grant needs before a registration is created.
 * <p>
 * No token endpoint is required here: the implicit grant never calls one. The
 * assertions run in order, so the first missing value decides the reported message.
 *
 * @throws IllegalArgumentException if the grant type is not {@code IMPLICIT}, or
 * registrationId, clientId, redirectUriTemplate or authorizationUri is empty
 */
private void validateImplicitGrantType() {
	AuthorizationGrantType expected = AuthorizationGrantType.IMPLICIT;
	Assert.isTrue(expected.equals(this.authorizationGrantType),
			() -> "authorizationGrantType must be " + expected.getValue());
	Assert.hasText(this.registrationId, "registrationId cannot be empty");
	Assert.hasText(this.clientId, "clientId cannot be empty");
	Assert.hasText(this.redirectUriTemplate, "redirectUriTemplate cannot be empty");
	Assert.hasText(this.authorizationUri, "authorizationUri cannot be empty");
}
/**
 * Verifies the fields the client credentials grant needs before a registration is created.
 * <p>
 * Only the token endpoint is required: this grant has no browser redirect, so neither a
 * redirect URI template nor an authorization endpoint is checked. The assertions run in
 * order, so the first missing value decides the reported message.
 *
 * @throws IllegalArgumentException if the grant type is not {@code CLIENT_CREDENTIALS}, or
 * registrationId, clientId or tokenUri is empty
 */
private void validateClientCredentialsGrantType() {
	AuthorizationGrantType expected = AuthorizationGrantType.CLIENT_CREDENTIALS;
	Assert.isTrue(expected.equals(this.authorizationGrantType),
			() -> "authorizationGrantType must be " + expected.getValue());
	Assert.hasText(this.registrationId, "registrationId cannot be empty");
	Assert.hasText(this.clientId, "clientId cannot be empty");
	Assert.hasText(this.tokenUri, "tokenUri cannot be empty");
}
/**
 * Tells whether the registration is configured for the client credentials grant.
 *
 * @param clientRegistration the registration to inspect
 * @return {@code true} if its grant type equals {@code CLIENT_CREDENTIALS}
 */
private boolean isClientCredentialsGrantType(ClientRegistration clientRegistration) {
	AuthorizationGrantType grantType = clientRegistration.getAuthorizationGrantType();
	return AuthorizationGrantType.CLIENT_CREDENTIALS.equals(grantType);
}
/**
 * Tells whether the registration is configured for the client credentials grant.
 *
 * @param clientRegistration the registration to inspect
 * @return {@code true} if its grant type equals {@code CLIENT_CREDENTIALS}
 */
private boolean isClientCredentialsGrantType(ClientRegistration clientRegistration) {
	AuthorizationGrantType grantType = clientRegistration.getAuthorizationGrantType();
	return AuthorizationGrantType.CLIENT_CREDENTIALS.equals(grantType);
}
/**
 * Builds the {@link OAuth2AuthorizationRequest} from the values set on this builder.
 * <p>
 * Scopes and additional parameters are copied into unmodifiable, insertion-ordered
 * collections, so later changes to the builder do not leak into the built request. When no
 * explicit {@code authorizationRequestUri} was supplied, it is assembled by
 * {@code buildAuthorizationRequestUri()}. The {@code state} value is passed through exactly
 * as set; this builder does not generate one.
 *
 * @return the built request
 * @throws IllegalArgumentException if authorizationUri or clientId is empty, or if the
 * grant is implicit and no redirectUri was set
 */
public OAuth2AuthorizationRequest build() {
	Assert.hasText(this.authorizationUri, "authorizationUri cannot be empty");
	Assert.hasText(this.clientId, "clientId cannot be empty");
	boolean implicit = AuthorizationGrantType.IMPLICIT.equals(this.authorizationGrantType);
	if (implicit) {
		// the token is delivered on the front channel, so the target must be known up front
		Assert.hasText(this.redirectUri, "redirectUri cannot be empty");
	}
	OAuth2AuthorizationRequest request = new OAuth2AuthorizationRequest();
	request.authorizationUri = this.authorizationUri;
	request.authorizationGrantType = this.authorizationGrantType;
	request.responseType = this.responseType;
	request.clientId = this.clientId;
	request.redirectUri = this.redirectUri;
	request.state = this.state;
	if (CollectionUtils.isEmpty(this.scopes)) {
		request.scopes = Collections.unmodifiableSet(Collections.emptySet());
	}
	else {
		request.scopes = Collections.unmodifiableSet(new LinkedHashSet<>(this.scopes));
	}
	if (CollectionUtils.isEmpty(this.additionalParameters)) {
		request.additionalParameters = Collections.unmodifiableMap(Collections.emptyMap());
	}
	else {
		request.additionalParameters = Collections.unmodifiableMap(new LinkedHashMap<>(this.additionalParameters));
	}
	if (StringUtils.hasText(this.authorizationRequestUri)) {
		request.authorizationRequestUri = this.authorizationRequestUri;
	}
	else {
		request.authorizationRequestUri = this.buildAuthorizationRequestUri();
	}
	return request;
}
/**
 * Validates the accumulated state and creates the {@link ClientRegistration}.
 * <p>
 * The required fields depend on the grant type: client credentials and implicit grants
 * have their own checks, and every other grant type goes through the authorization code
 * validation (which in turn insists on {@code AUTHORIZATION_CODE}, so unrecognised grant
 * types are rejected there).
 *
 * @return the new registration
 * @throws IllegalArgumentException if the grant type is {@code null} or a grant-specific or
 * scope check fails
 */
public ClientRegistration build() {
	Assert.notNull(this.authorizationGrantType, "authorizationGrantType cannot be null");
	AuthorizationGrantType grantType = this.authorizationGrantType;
	if (AuthorizationGrantType.CLIENT_CREDENTIALS.equals(grantType)) {
		this.validateClientCredentialsGrantType();
	}
	else if (AuthorizationGrantType.IMPLICIT.equals(grantType)) {
		this.validateImplicitGrantType();
	}
	else {
		// anything that is neither client credentials nor implicit is treated as authorization code
		this.validateAuthorizationCodeGrantType();
	}
	this.validateScopes();
	return this.create();
}
/**
 * Resolves an authorized client when none is stored for the given registration id.
 * <p>
 * Only the client credentials grant can be satisfied here without user interaction. For
 * any other grant the pipeline errors with {@link ClientAuthorizationRequiredException},
 * which signals that the user must be sent through authorization first.
 *
 * @param clientRegistrationId the id of the registration to look up
 * @param authentication the current authentication, forwarded to the client credentials flow
 * @param exchange the current exchange, forwarded to the client credentials flow
 * @return the authorized client, or an error if the registration is unknown or the grant
 * cannot be performed without the user
 */
private Mono<OAuth2AuthorizedClient> authorizedClientNotLoaded(String clientRegistrationId,
		Authentication authentication, ServerWebExchange exchange) {
	return this.clientRegistrationRepository.findByRegistrationId(clientRegistrationId)
			.switchIfEmpty(Mono.error(() -> new IllegalArgumentException(
					"Client Registration with id " + clientRegistrationId + " was not found")))
			.flatMap((clientRegistration) -> {
				AuthorizationGrantType grantType = clientRegistration.getAuthorizationGrantType();
				if (!AuthorizationGrantType.CLIENT_CREDENTIALS.equals(grantType)) {
					// no way to obtain a token without the user: ask the caller to start authorization
					return Mono.error(() -> new ClientAuthorizationRequiredException(clientRegistrationId));
				}
				return clientCredentials(clientRegistration, authentication, exchange);
			});
}
/**
 * Redirects the user agent to the authorization endpoint.
 * <p>
 * For the authorization code grant the request is first persisted through the
 * {@code authorizationRequestRepository}, presumably so the callback can look it up
 * again (the matching happens elsewhere). Other grants are redirected without persisting.
 * Everything runs inside {@link Mono#defer}, so nothing happens until subscription.
 *
 * @param exchange the current exchange
 * @param authorizationRequest the request to redirect with
 * @return completes once the redirect has been sent
 */
private Mono<Void> sendRedirectForAuthorization(ServerWebExchange exchange,
		OAuth2AuthorizationRequest authorizationRequest) {
	return Mono.defer(() -> {
		boolean authorizationCode = AuthorizationGrantType.AUTHORIZATION_CODE
				.equals(authorizationRequest.getGrantType());
		Mono<Void> persist = authorizationCode
				? this.authorizationRequestRepository.saveAuthorizationRequest(authorizationRequest, exchange)
				: Mono.empty();
		// build(true) treats the request URI as already encoded
		URI target = UriComponentsBuilder.fromUriString(authorizationRequest.getAuthorizationRequestUri())
				.build(true)
				.toUri();
		return persist.then(this.authorizationRedirectStrategy.sendRedirect(exchange, target));
	});
}
}
/**
 * Redirects the user agent to the authorization endpoint.
 * <p>
 * For the authorization code grant the request is first persisted through the
 * {@code authorizationRequestRepository}, presumably so the callback can look it up
 * again (the matching happens elsewhere). Other grants are redirected without persisting.
 *
 * @param request the current request
 * @param response the current response
 * @param authorizationRequest the request to redirect with
 * @throws IOException if the redirect cannot be written
 * @throws ServletException if the redirect strategy fails
 */
private void sendRedirectForAuthorization(HttpServletRequest request, HttpServletResponse response,
		OAuth2AuthorizationRequest authorizationRequest) throws IOException, ServletException {
	boolean authorizationCode = AuthorizationGrantType.AUTHORIZATION_CODE
			.equals(authorizationRequest.getGrantType());
	if (authorizationCode) {
		this.authorizationRequestRepository.saveAuthorizationRequest(authorizationRequest, request, response);
	}
	String redirectUri = authorizationRequest.getAuthorizationRequestUri();
	this.authorizationRedirectStrategy.sendRedirect(request, response, redirectUri);
}
/**
 * Resolves an authorized client when none is stored for the given registration id.
 * <p>
 * Only the client credentials grant can be satisfied here without user interaction. For
 * any other grant the pipeline errors with {@link ClientAuthorizationRequiredException},
 * which signals that the user must be sent through authorization first.
 *
 * @param clientRegistrationId the id of the registration to look up
 * @param authentication the current authentication, forwarded to the client credentials flow
 * @param exchange the current exchange, forwarded to the client credentials flow
 * @return the authorized client, or an error if the registration is unknown or the grant
 * cannot be performed without the user
 */
private Mono<OAuth2AuthorizedClient> authorizedClientNotLoaded(String clientRegistrationId,
		Authentication authentication, ServerWebExchange exchange) {
	return this.clientRegistrationRepository.findByRegistrationId(clientRegistrationId)
			.switchIfEmpty(Mono.error(() -> new IllegalArgumentException(
					"Client Registration with id " + clientRegistrationId + " was not found")))
			.flatMap((clientRegistration) -> {
				AuthorizationGrantType grantType = clientRegistration.getAuthorizationGrantType();
				if (!AuthorizationGrantType.CLIENT_CREDENTIALS.equals(grantType)) {
					// no way to obtain a token without the user: ask the caller to start authorization
					return Mono.error(() -> new ClientAuthorizationRequiredException(clientRegistrationId));
				}
				return clientCredentials(clientRegistration, authentication, exchange);
			});
}
if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(clientRegistration.getAuthorizationGrantType())) { throw new ClientAuthorizationRequiredException(clientRegistrationId); if (AuthorizationGrantType.CLIENT_CREDENTIALS.equals(clientRegistration.getAuthorizationGrantType())) { HttpServletResponse servletResponse = webRequest.getNativeResponse(HttpServletResponse.class); authorizedClient = this.authorizeClientCredentialsClient(clientRegistration, servletRequest, servletResponse);
/**
 * Expands the registration's redirect URI template against the current request.
 * <p>
 * Supported URI variables: {@code baseUrl}, {@code action}, {@code registrationId}
 * (used by {@code CommonOAuth2Provider.DEFAULT_REDIRECT_URL =
 * "{baseUrl}/{action}/oauth2/code/{registrationId}"}). {@code action} is only supplied for
 * the authorization code grant.
 * <p>
 * NOTE(review): {@code baseUrl} is derived from the incoming request (scheme, host, port,
 * context path), not from configuration. Behind a reverse proxy, make sure forwarded
 * headers are only honoured from trusted proxies, otherwise the expanded redirect URI
 * reflects whatever host the request claims to be for; the authorization server's exact
 * redirect URI matching is the backstop — confirm the deployment's forwarded-header setup.
 *
 * @param request the current request
 * @param clientRegistration the registration whose template is expanded
 * @return the expanded redirect URI
 */
private String expandRedirectUri(ServerHttpRequest request, ClientRegistration clientRegistration) {
	String baseUrl = UriComponentsBuilder.fromHttpRequest(new ServerHttpRequestDecorator(request))
			.replacePath(request.getPath().contextPath().value())
			.replaceQuery(null)
			.build()
			.toUriString();
	Map<String, String> uriVariables = new HashMap<>();
	uriVariables.put("baseUrl", baseUrl);
	uriVariables.put("registrationId", clientRegistration.getRegistrationId());
	boolean authorizationCode = AuthorizationGrantType.AUTHORIZATION_CODE
			.equals(clientRegistration.getAuthorizationGrantType());
	if (authorizationCode) {
		uriVariables.put("action", "login");
	}
	return UriComponentsBuilder.fromUriString(clientRegistration.getRedirectUriTemplate())
			.buildAndExpand(uriVariables)
			.toUriString();
}
}
/**
 * Decides whether the UserInfo endpoint should be called for this request.
 * <p>
 * The call is skipped when no UserInfo endpoint URI is configured, and for every grant
 * other than authorization code. The claims requested by the profile, email, address and
 * phone scopes are returned from the UserInfo endpoint (OIDC Core section 5.3.2) when the
 * response type results in an access token; with {@code response_type=id_token} no access
 * token is issued and the claims arrive in the ID token instead. The authorization code
 * grant ({@code response_type=code}) does issue an access token, so only then is the
 * endpoint consulted, and only if at least one authorized scope is a UserInfo scope.
 *
 * @param userRequest the request being processed
 * @return {@code true} if the UserInfo endpoint should be queried
 */
private boolean shouldRetrieveUserInfo(OidcUserRequest userRequest) {
	// Auto-disabled if UserInfo Endpoint URI is not provided
	boolean userInfoUriMissing = StringUtils.isEmpty(
			userRequest.getClientRegistration().getProviderDetails().getUserInfoEndpoint().getUri());
	if (userInfoUriMissing) {
		return false;
	}
	boolean authorizationCode = AuthorizationGrantType.AUTHORIZATION_CODE
			.equals(userRequest.getClientRegistration().getAuthorizationGrantType());
	if (!authorizationCode) {
		// no access token is issued for other response types; the claims come in the ID Token
		return false;
	}
	// true if there is at least one match between the authorized scope(s) and the UserInfo scope(s)
	return CollectionUtils.containsAny(userRequest.getAccessToken().getScopes(), this.userInfoScopes);
}
/**
 * Builds the authorization request that the user agent will be redirected with.
 * <p>
 * The builder flavour is chosen by the registration's grant type; only authorization code
 * and implicit are supported here, anything else is rejected. A fresh {@code state} value
 * is produced by {@code stateGenerator} for each request, and the registration id is
 * carried as an additional parameter.
 *
 * @param exchange the current exchange, used to expand the redirect URI
 * @param clientRegistration the registration the request is built for
 * @return the authorization request
 * @throws IllegalArgumentException if the registration's grant type is neither
 * authorization code nor implicit
 */
private OAuth2AuthorizationRequest authorizationRequest(ServerWebExchange exchange,
		ClientRegistration clientRegistration) {
	String redirectUriStr = this.expandRedirectUri(exchange.getRequest(), clientRegistration);
	Map<String, Object> additionalParameters = new HashMap<>();
	additionalParameters.put(OAuth2ParameterNames.REGISTRATION_ID, clientRegistration.getRegistrationId());
	AuthorizationGrantType grantType = clientRegistration.getAuthorizationGrantType();
	OAuth2AuthorizationRequest.Builder builder;
	if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(grantType)) {
		builder = OAuth2AuthorizationRequest.authorizationCode();
	}
	else if (AuthorizationGrantType.IMPLICIT.equals(grantType)) {
		builder = OAuth2AuthorizationRequest.implicit();
	}
	else {
		throw new IllegalArgumentException("Invalid Authorization Grant Type (" + grantType.getValue()
				+ ") for Client Registration with Id: " + clientRegistration.getRegistrationId());
	}
	return builder
			.clientId(clientRegistration.getClientId())
			.authorizationUri(clientRegistration.getProviderDetails().getAuthorizationUri())
			.redirectUri(redirectUriStr)
			.scopes(clientRegistration.getScopes())
			.state(this.stateGenerator.generateKey())
			.additionalParameters(additionalParameters)
			.build();
}
if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(clientRegistration.getAuthorizationGrantType())) { builder = OAuth2AuthorizationRequest.authorizationCode(); } else if (AuthorizationGrantType.IMPLICIT.equals(clientRegistration.getAuthorizationGrantType())) { builder = OAuth2AuthorizationRequest.implicit(); } else {
if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(clientRegistration.getAuthorizationGrantType())) {
/**
 * Verifies the fields the client credentials grant needs before a registration is created.
 * <p>
 * Only the token endpoint is required: this grant has no browser redirect, so neither a
 * redirect URI template nor an authorization endpoint is checked. The assertions run in
 * order, so the first missing value decides the reported message.
 *
 * @throws IllegalArgumentException if the grant type is not {@code CLIENT_CREDENTIALS}, or
 * registrationId, clientId or tokenUri is empty
 */
private void validateClientCredentialsGrantType() {
	AuthorizationGrantType expected = AuthorizationGrantType.CLIENT_CREDENTIALS;
	Assert.isTrue(expected.equals(this.authorizationGrantType),
			() -> "authorizationGrantType must be " + expected.getValue());
	Assert.hasText(this.registrationId, "registrationId cannot be empty");
	Assert.hasText(this.clientId, "clientId cannot be empty");
	Assert.hasText(this.tokenUri, "tokenUri cannot be empty");
}
}