/** * Convenience method to set resourceIds and authorities on this request by * inheriting from a ClientDetails object. * * @param clientDetails */ public void setResourceIdsAndAuthoritiesFromClientDetails(ClientDetails clientDetails) { setResourceIds(clientDetails.getResourceIds()); setAuthorities(clientDetails.getAuthorities()); }
@Test(expected = InvalidRequestException.class) public void testApproveWithModifiedResourceIds() { AuthorizationRequest authorizationRequest = getAuthorizationRequest( "foo", "http://anywhere.com", "state-1234", "read", Collections.singleton("code")); model.put("authorizationRequest", authorizationRequest); model.put("org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.ORIGINAL_AUTHORIZATION_REQUEST", uaaAuthorizationEndpoint.unmodifiableMap(authorizationRequest)); authorizationRequest.setResourceIds(Collections.singleton("resource-other")); // Modify authorization request Map<String, String> approvalParameters = new HashMap<>(); approvalParameters.put("user_oauth_approval", "true"); uaaAuthorizationEndpoint.approveOrDeny(approvalParameters, model, sessionStatus, principal); }
private TokenRequest getRefreshTokenRequest(Map<String, String> requestParameters) { AuthorizationRequest refreshAuthorizationRequest = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes); refreshAuthorizationRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds)); refreshAuthorizationRequest.setRequestParameters(requestParameters); Map<String, String> refreshAzParameters = new HashMap<>(refreshAuthorizationRequest.getRequestParameters()); refreshAzParameters.put(GRANT_TYPE, GRANT_TYPE_REFRESH_TOKEN); refreshAuthorizationRequest.setRequestParameters(refreshAzParameters); return tokenSupport.requestFactory.createTokenRequest(refreshAuthorizationRequest, "refresh_token"); }
private OAuth2AccessToken performPasswordGrant(String tokenFormat) { AuthorizationRequest authorizationRequest = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes); authorizationRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds)); Map<String, String> azParameters = new HashMap<>(authorizationRequest.getRequestParameters()); azParameters.put(GRANT_TYPE, GRANT_TYPE_PASSWORD); azParameters.put(REQUEST_TOKEN_FORMAT, tokenFormat); authorizationRequest.setRequestParameters(azParameters); Authentication userAuthentication = tokenSupport.defaultUserAuthentication; OAuth2Authentication authentication = new OAuth2Authentication(authorizationRequest.createOAuth2Request(), userAuthentication); return tokenServices.createAccessToken(authentication); }
@Test public void testCreateOpaqueAccessTokenForAClient() { AuthorizationRequest authorizationRequest = new AuthorizationRequest(CLIENT_ID, tokenSupport.clientScopes); authorizationRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds)); Map<String, String> azParameters = new HashMap<>(authorizationRequest.getRequestParameters()); azParameters.put(REQUEST_TOKEN_FORMAT, OPAQUE.getStringValue()); azParameters.put(GRANT_TYPE, GRANT_TYPE_CLIENT_CREDENTIALS); authorizationRequest.setRequestParameters(azParameters); OAuth2Authentication authentication = new OAuth2Authentication(authorizationRequest.createOAuth2Request(), null); OAuth2AccessToken accessToken = tokenServices.createAccessToken(authentication); assertTrue("Token is not a composite token", accessToken instanceof CompositeToken); assertThat("Token value should be equal to or lesser than 36 characters", accessToken.getValue().length(), lessThanOrEqualTo(36)); assertThat(accessToken.getRefreshToken(), is(nullValue())); }
@Test public void testCreateAccessWithNonExistingScopes() { List<String> scopesThatDontExist = Arrays.asList("scope1", "scope2"); AuthorizationRequest authorizationRequest = new AuthorizationRequest(CLIENT_ID, scopesThatDontExist); authorizationRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds)); Map<String, String> azParameters = new HashMap<>(authorizationRequest.getRequestParameters()); azParameters.put(GRANT_TYPE, GRANT_TYPE_IMPLICIT); authorizationRequest.setRequestParameters(azParameters); Authentication userAuthentication = tokenSupport.defaultUserAuthentication; OAuth2Authentication authentication = new OAuth2Authentication(authorizationRequest.createOAuth2Request(), userAuthentication); OAuth2AccessToken accessToken = tokenServices.createAccessToken(authentication); this.assertCommonUserAccessTokenProperties(accessToken, CLIENT_ID); assertThat(accessToken, issuerUri(is(ISSUER_URI))); assertThat(accessToken, scope(is(scopesThatDontExist))); assertThat(accessToken, validFor(is(60 * 60 * 12))); assertThat(accessToken.getRefreshToken(), is(nullValue())); this.assertCommonEventProperties(accessToken, tokenSupport.userId, buildJsonString(scopesThatDontExist)); }
@Test public void testCreateAccessTokenImplicitGrant() { AuthorizationRequest authorizationRequest = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes); authorizationRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds)); Map<String, String> azParameters = new HashMap<>(authorizationRequest.getRequestParameters()); azParameters.put(GRANT_TYPE, GRANT_TYPE_IMPLICIT); authorizationRequest.setRequestParameters(azParameters); Authentication userAuthentication = tokenSupport.defaultUserAuthentication; OAuth2Authentication authentication = new OAuth2Authentication(authorizationRequest.createOAuth2Request(), userAuthentication); OAuth2AccessToken accessToken = tokenServices.createAccessToken(authentication); this.assertCommonUserAccessTokenProperties(accessToken, CLIENT_ID); assertThat(accessToken, issuerUri(is(ISSUER_URI))); assertThat(accessToken, validFor(is(60 * 60 * 12))); assertThat(accessToken.getRefreshToken(), is(nullValue())); this.assertCommonEventProperties(accessToken, tokenSupport.userId, buildJsonString(tokenSupport.requestedAuthScopes)); }
@Test public void testCreateAccessTokenForAClient() { AuthorizationRequest authorizationRequest = new AuthorizationRequest(CLIENT_ID, tokenSupport.clientScopes); authorizationRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds)); Map<String, String> azParameters = new HashMap<>(authorizationRequest.getRequestParameters()); azParameters.put(GRANT_TYPE, GRANT_TYPE_CLIENT_CREDENTIALS); authorizationRequest.setRequestParameters(azParameters); OAuth2Authentication authentication = new OAuth2Authentication(authorizationRequest.createOAuth2Request(), null); OAuth2AccessToken accessToken = tokenServices.createAccessToken(authentication); assertCommonClientAccessTokenProperties(accessToken); assertThat(accessToken, validFor(is(tokenSupport.accessTokenValidity))); assertThat(accessToken, issuerUri(is(ISSUER_URI))); assertThat(accessToken, zoneId(is(IdentityZoneHolder.get().getId()))); assertThat(accessToken.getRefreshToken(), is(nullValue())); validateExternalAttributes(accessToken); assertCommonEventProperties(accessToken, CLIENT_ID, tokenSupport.expectedJson); }
@Test(expected = InvalidTokenException.class) public void testRefreshTokenAfterApprovalsMissing2() { AuthorizationRequest authorizationRequest = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes); authorizationRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds)); Map<String, String> azParameters = new HashMap<>(authorizationRequest.getRequestParameters()); azParameters.put(GRANT_TYPE, GRANT_TYPE_AUTHORIZATION_CODE); authorizationRequest.setRequestParameters(azParameters); Authentication userAuthentication = tokenSupport.defaultUserAuthentication; OAuth2Authentication authentication = new OAuth2Authentication(authorizationRequest.createOAuth2Request(), userAuthentication); OAuth2AccessToken accessToken = tokenServices.createAccessToken(authentication); AuthorizationRequest refreshAuthorizationRequest = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes); refreshAuthorizationRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds)); Map<String, String> refreshAzParameters = new HashMap<>(refreshAuthorizationRequest.getRequestParameters()); refreshAzParameters.put(GRANT_TYPE, GRANT_TYPE_REFRESH_TOKEN); refreshAuthorizationRequest.setRequestParameters(refreshAzParameters); tokenServices.refreshAccessToken(accessToken.getRefreshToken().getValue(), tokenSupport.requestFactory.createTokenRequest(refreshAuthorizationRequest, "refresh_token")); }
@Test public void test_missing_required_user_groups() { tokenSupport.defaultClient.addAdditionalInformation(REQUIRED_USER_GROUPS, Arrays.asList("uaa.admin")); AuthorizationRequest authorizationRequest = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes); authorizationRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds)); Map<String, String> azParameters = new HashMap<>(authorizationRequest.getRequestParameters()); azParameters.put(GRANT_TYPE, GRANT_TYPE_PASSWORD); authorizationRequest.setRequestParameters(azParameters); Authentication userAuthentication = tokenSupport.defaultUserAuthentication; OAuth2Authentication authentication = new OAuth2Authentication(authorizationRequest.createOAuth2Request(), userAuthentication); expectedException.expect(InvalidTokenException.class); expectedException.expectMessage("User does not meet the client's required group criteria."); tokenServices.createAccessToken(authentication); }
@Test public void testChangedExpiryForTokens() { BaseClientDetails clientDetails = cloneClient(tokenSupport.defaultClient); clientDetails.setAccessTokenValiditySeconds(3600); clientDetails.setRefreshTokenValiditySeconds(36000); tokenSupport.clientDetailsService.setClientDetailsStore( IdentityZoneHolder.get().getId(), Collections.singletonMap(CLIENT_ID, clientDetails) ); AuthorizationRequest authorizationRequest = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes); authorizationRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds)); Map<String, String> azParameters = new HashMap<>(authorizationRequest.getRequestParameters()); azParameters.put(GRANT_TYPE, GRANT_TYPE_AUTHORIZATION_CODE); authorizationRequest.setRequestParameters(azParameters); Authentication userAuthentication = tokenSupport.defaultUserAuthentication; OAuth2Authentication authentication = new OAuth2Authentication(authorizationRequest.createOAuth2Request(), userAuthentication); OAuth2AccessToken accessToken = tokenServices.createAccessToken(authentication); assertThat(accessToken, validFor(is(3600))); assertThat(accessToken.getRefreshToken(), is(not(nullValue()))); assertThat(accessToken.getRefreshToken(), OAuth2RefreshTokenMatchers.validFor(is(36000))); }
@Test public void testClientWildcard() throws Exception { BaseClientDetails client = new BaseClientDetails("client", "zones", "zones.*.admin", "authorization_code, password", "scim.read, scim.write", "http://localhost:8080/uaa"); client.setAutoApproveScopes(Arrays.asList("zones.*.admin")); Map<String, BaseClientDetails> clientDetailsStore = Collections.singletonMap("client", client); clientDetailsService.setClientDetailsStore(IdentityZoneHolder.get().getId(), clientDetailsStore); tokenServices.setClientDetailsService(clientDetailsService); authorizationRequest = new AuthorizationRequest("client", Collections.singleton("zones.myzone.admin")); authorizationRequest.setResourceIds(new HashSet<>(Arrays.asList("client", "zones"))); authentication = new OAuth2Authentication(authorizationRequest.createOAuth2Request(), UaaAuthenticationTestFactory.getAuthentication(userId, userName, "olds@vmware.com")); endpoint.checkToken(tokenServices.createAccessToken(authentication).getValue(), Collections.emptyList(), request); }
@Test public void testCreateAccessTokenOnlyForClientWithoutRefreshToken() { AuthorizationRequest authorizationRequest = new AuthorizationRequest(CLIENT_ID_NO_REFRESH_TOKEN_GRANT, tokenSupport.requestedAuthScopes); authorizationRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds)); Map<String, String> azParameters = new HashMap<>(authorizationRequest.getRequestParameters()); azParameters.put(GRANT_TYPE, GRANT_TYPE_AUTHORIZATION_CODE); authorizationRequest.setRequestParameters(azParameters); Authentication userAuthentication = tokenSupport.defaultUserAuthentication; OAuth2Authentication authentication = new OAuth2Authentication(authorizationRequest.createOAuth2Request(), userAuthentication); OAuth2AccessToken accessToken = tokenServices.createAccessToken(authentication); validateAccessTokenOnly(accessToken, CLIENT_ID_NO_REFRESH_TOKEN_GRANT); assertNull(accessToken.getRefreshToken()); }
@Test public void testCreateAccessTokenAuthcodeGrant() { AuthorizationRequest authorizationRequest = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes); authorizationRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds)); Map<String, String> azParameters = new HashMap<>(authorizationRequest.getRequestParameters()); azParameters.put(GRANT_TYPE, GRANT_TYPE_AUTHORIZATION_CODE); authorizationRequest.setRequestParameters(azParameters); authorizationRequest.setResponseTypes(Sets.newHashSet("id_token")); Authentication userAuthentication = tokenSupport.defaultUserAuthentication; OAuth2Authentication authentication = new OAuth2Authentication(authorizationRequest.createOAuth2Request(), userAuthentication); Approval approval = new Approval() .setUserId(tokenSupport.userId) .setClientId(CLIENT_ID) .setScope(OPENID) .setExpiresAt(new Date()) .setStatus(ApprovalStatus.APPROVED); tokenSupport.approvalStore.addApproval(approval, IdentityZone.getUaa().getId()); OAuth2AccessToken accessToken = tokenServices.createAccessToken(authentication); CompositeToken castAccessToken = (CompositeToken) accessToken; assertThat(castAccessToken.getIdTokenValue(), is(notNullValue())); validateAccessAndRefreshToken(accessToken); }
@Test public void testCreateAccessTokenPasswordGrant() { AuthorizationRequest authorizationRequest = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes); authorizationRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds)); Map<String, String> azParameters = new HashMap<>(authorizationRequest.getRequestParameters()); azParameters.put(GRANT_TYPE, GRANT_TYPE_PASSWORD); authorizationRequest.setRequestParameters(azParameters); Authentication userAuthentication = tokenSupport.defaultUserAuthentication; OAuth2Authentication authentication = new OAuth2Authentication(authorizationRequest.createOAuth2Request(), userAuthentication); OAuth2AccessToken accessToken = tokenServices.createAccessToken(authentication); validateAccessAndRefreshToken(accessToken); tokenServices.loadAuthentication(accessToken.getValue()); //ensure that we can load without user_name claim tokenServices.setExcludedClaims(new HashSet(Arrays.asList(ClaimConstants.AUTHORITIES, ClaimConstants.USER_NAME, ClaimConstants.EMAIL))); accessToken = tokenServices.createAccessToken(authentication); assertNotNull(tokenServices.loadAuthentication(accessToken.getValue()).getUserAuthentication()); }
@Test public void testCreateAccessTokenAuthcodeGrantSwitchedPrimaryKey() { String originalPrimaryKeyId = tokenSupport.tokenPolicy.getActiveKeyId(); try { tokenSupport.tokenPolicy.setActiveKeyId("otherKey"); AuthorizationRequest authorizationRequest = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes); authorizationRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds)); Map<String, String> azParameters = new HashMap<>(authorizationRequest.getRequestParameters()); azParameters.put(GRANT_TYPE, GRANT_TYPE_AUTHORIZATION_CODE); authorizationRequest.setRequestParameters(azParameters); Authentication userAuthentication = tokenSupport.defaultUserAuthentication; OAuth2Authentication authentication = new OAuth2Authentication(authorizationRequest.createOAuth2Request(), userAuthentication); OAuth2AccessToken accessToken = tokenServices.createAccessToken(authentication); validateAccessAndRefreshToken(accessToken); } finally { tokenSupport.tokenPolicy.setActiveKeyId(originalPrimaryKeyId); } }
@Test public void testLoadAuthenticationForAClient() { AuthorizationRequest authorizationRequest = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes); authorizationRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds)); Map<String, String> azParameters = new HashMap<>(authorizationRequest.getRequestParameters()); azParameters.put(GRANT_TYPE, GRANT_TYPE_CLIENT_CREDENTIALS); authorizationRequest.setRequestParameters(azParameters); OAuth2Authentication authentication = new OAuth2Authentication(authorizationRequest.createOAuth2Request(), null); OAuth2AccessToken accessToken = tokenServices.createAccessToken(authentication); OAuth2Authentication loadedAuthentication = tokenServices.loadAuthentication(accessToken.getValue()); assertThat("Client authorities match.", loadedAuthentication.getAuthorities(), containsInAnyOrder(AuthorityUtils.commaSeparatedStringToAuthorityList(CLIENT_AUTHORITIES).toArray()) ); assertEquals(CLIENT_ID, loadedAuthentication.getName()); assertEquals(CLIENT_ID, loadedAuthentication.getPrincipal()); assertNull(loadedAuthentication.getDetails()); assertNull(loadedAuthentication.getUserAuthentication()); }
@Test public void loadAuthentication_when_given_an_opaque_refreshToken_should_throw_exception() { tokenSupport.defaultClient.setAutoApproveScopes(singleton("true")); AuthorizationRequest authorizationRequest = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes); authorizationRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds)); Map<String, String> azParameters = new HashMap<>(authorizationRequest.getRequestParameters()); azParameters.put(GRANT_TYPE, GRANT_TYPE_AUTHORIZATION_CODE); azParameters.put(REQUEST_TOKEN_FORMAT, OPAQUE.getStringValue()); authorizationRequest.setRequestParameters(azParameters); Authentication userAuthentication = tokenSupport.defaultUserAuthentication; OAuth2Authentication authentication = new OAuth2Authentication(authorizationRequest.createOAuth2Request(), userAuthentication); OAuth2AccessToken compositeToken = tokenServices.createAccessToken(authentication); String refreshTokenValue = tokenProvisioning.retrieve(compositeToken.getRefreshToken().getValue(), IdentityZoneHolder.get().getId()).getValue(); expectedException.expect(InvalidTokenException.class); expectedException.expectMessage("The token does not bear a \"scope\" claim."); tokenServices.loadAuthentication(refreshTokenValue); }
@Test public void loadAuthentication_when_given_an_refresh_jwt_should_throw_exception() { IdentityZoneHolder.get().getConfig().getTokenPolicy().setJwtRevocable(true); tokenSupport.defaultClient.setAutoApproveScopes(singleton("true")); AuthorizationRequest authorizationRequest = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes); authorizationRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds)); Map<String, String> azParameters = new HashMap<>(authorizationRequest.getRequestParameters()); azParameters.put(GRANT_TYPE, GRANT_TYPE_AUTHORIZATION_CODE); azParameters.put(REQUEST_TOKEN_FORMAT, JWT.getStringValue()); authorizationRequest.setRequestParameters(azParameters); Authentication userAuthentication = tokenSupport.defaultUserAuthentication; OAuth2Authentication authentication = new OAuth2Authentication(authorizationRequest.createOAuth2Request(), userAuthentication); OAuth2AccessToken compositeToken = tokenServices.createAccessToken(authentication); TokenValidation refreshToken = tokenSupport.tokenValidationService.validateToken(compositeToken.getRefreshToken().getValue(), false); String refreshTokenValue = tokenProvisioning.retrieve(refreshToken.getClaims().get("jti").toString(), IdentityZoneHolder.get().getId()).getValue(); expectedException.expect(InvalidTokenException.class); expectedException.expectMessage("The token does not bear a \"scope\" claim."); tokenServices.loadAuthentication(refreshTokenValue); }
@Test public void testLoadAuthenticationForAUser() { AuthorizationRequest authorizationRequest = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes); authorizationRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds)); Map<String, String> azParameters = new HashMap<>(authorizationRequest.getRequestParameters()); azParameters.put(GRANT_TYPE, GRANT_TYPE_AUTHORIZATION_CODE); authorizationRequest.setRequestParameters(azParameters); Authentication userAuthentication = tokenSupport.defaultUserAuthentication; OAuth2Authentication authentication = new OAuth2Authentication(authorizationRequest.createOAuth2Request(), userAuthentication); OAuth2AccessToken accessToken = tokenServices.createAccessToken(authentication); OAuth2Authentication loadedAuthentication = tokenServices.loadAuthentication(accessToken.getValue()); assertEquals(USER_AUTHORITIES, loadedAuthentication.getAuthorities()); assertEquals(tokenSupport.username, loadedAuthentication.getName()); UaaPrincipal uaaPrincipal = (UaaPrincipal) tokenSupport.defaultUserAuthentication.getPrincipal(); assertEquals(uaaPrincipal, loadedAuthentication.getPrincipal()); assertNull(loadedAuthentication.getDetails()); Authentication userAuth = loadedAuthentication.getUserAuthentication(); assertEquals(tokenSupport.username, userAuth.getName()); assertEquals(uaaPrincipal, userAuth.getPrincipal()); assertTrue(userAuth.isAuthenticated()); }