/**
 * Rejects a request whose grant type is not among the client's authorized grant types.
 *
 * <p>The check is enforced only when the client declares a non-empty set of
 * authorized grant types. A client with a {@code null} or empty set passes
 * through unchecked, so this method alone does not fail closed for such clients.
 *
 * @param grantType     the grant type requested by the caller
 * @param clientDetails the client on whose behalf the request is made
 * @throws InvalidClientException if the client restricts grant types and
 *                                {@code grantType} is not one of them
 */
protected void validateGrantType(String grantType, ClientDetails clientDetails) {
    Collection<String> allowed = clientDetails.getAuthorizedGrantTypes();
    boolean clientRestrictsGrantTypes = allowed != null && !allowed.isEmpty();
    if (!clientRestrictsGrantTypes) {
        return;
    }
    if (!allowed.contains(grantType)) {
        throw new InvalidClientException("Unauthorized grant type: " + grantType);
    }
}
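/**
 * Reports whether a refresh token may be issued for the given client.
 *
 * <p>When a {@link ClientDetailsService} is configured via
 * {@link #setClientDetailsService(ClientDetailsService)}, the decision is made per
 * client: a refresh token is supported only if the client's authorized grant types
 * include {@code refresh_token}. Without a service, the global
 * {@code supportRefreshToken} setting decides.
 *
 * @param clientAuth the current authorization request; its client id is used to
 *                   look up the client
 * @return {@code true} if a refresh token is supported for this request
 */
protected boolean isSupportRefreshToken(OAuth2Request clientAuth) {
    if (clientDetailsService == null) {
        return this.supportRefreshToken;
    }
    ClientDetails client = clientDetailsService.loadClientByClientId(clientAuth.getClientId());
    Set<String> grantTypes = client.getAuthorizedGrantTypes();
    // A client that reports no grant-type set at all is answered with "not
    // supported" rather than a NullPointerException.
    return grantTypes != null && grantTypes.contains("refresh_token");
}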
/** Shared fixture: a mocked client whose only authorized grant type is authorization_code. */
@BeforeEach
void setUp() {
    BaseClientDetails client = mock(BaseClientDetails.class);
    when(client.getAuthorizedGrantTypes())
            .thenReturn(Collections.singleton(GRANT_TYPE_AUTHORIZATION_CODE));
    mockClientDetails = client;
}
/**
 * Ensures a client using a redirect-based grant has at least one registered,
 * well-formed redirect URI.
 *
 * <p>Only the {@code authorization_code} and {@code implicit} grant types are
 * checked; a client authorized for neither is accepted regardless of its
 * registered redirect URIs.
 *
 * @param client the client to validate
 * @throws InvalidClientDetailsException if a redirect-based grant type is
 *         authorized but no redirect URI is registered, or if one of the
 *         registered URIs is rejected by
 *         {@link UaaUrlUtils#isValidRegisteredRedirectUrl(String)}
 */
public void validateClientRedirectUri(ClientDetails client) {
    Set<String> registeredUris = client.getRegisteredRedirectUri();
    for (String redirectGrantType : Arrays.asList(GRANT_TYPE_AUTHORIZATION_CODE, GRANT_TYPE_IMPLICIT)) {
        if (!client.getAuthorizedGrantTypes().contains(redirectGrantType)) {
            continue;
        }
        if (isMissingRedirectUris(registeredUris)) {
            throw new InvalidClientDetailsException(redirectGrantType + " grant type requires at least one redirect URL.");
        }
        for (String uri : registeredUris) {
            if (UaaUrlUtils.isValidRegisteredRedirectUrl(uri)) {
                continue;
            }
            throw new InvalidClientDetailsException(
                    String.format("One of the redirect_uri is invalid: %s", uri));
        }
    }
}
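/**
 * Resolves the redirect URI to use for an authorization request.
 *
 * <p>The client must have at least one authorized grant type, at least one of
 * which permits a redirect (see {@code containsRedirectGrantType}), and at least
 * one registered redirect URI. The requested URI is then matched against the
 * registered ones by {@code obtainMatchingRedirect}.
 *
 * @param requestedRedirect the redirect_uri supplied in the request
 * @param client            the client making the request
 * @return the redirect URI to send the user agent to
 * @throws InvalidGrantException   if the client has no authorized grant types, or
 *                                 none of them permits a redirect
 * @throws InvalidRequestException if the client has no registered redirect URIs
 * @throws OAuth2Exception         as propagated from {@code obtainMatchingRedirect}
 */
public String resolveRedirect(String requestedRedirect, ClientDetails client) throws OAuth2Exception {
    Set<String> authorizedGrantTypes = client.getAuthorizedGrantTypes();
    // A missing grant-type set is treated like an empty one so the request is
    // refused with the OAuth error instead of a NullPointerException, matching
    // the null handling applied to the registered redirect URIs below.
    if (authorizedGrantTypes == null || authorizedGrantTypes.isEmpty()) {
        throw new InvalidGrantException("A client must have at least one authorized grant type.");
    }
    if (!containsRedirectGrantType(authorizedGrantTypes)) {
        throw new InvalidGrantException(
                "A redirect_uri can only be used by implicit or authorization_code grant types.");
    }
    Set<String> registeredRedirectUris = client.getRegisteredRedirectUri();
    if (registeredRedirectUris == null || registeredRedirectUris.isEmpty()) {
        throw new InvalidRequestException("At least one redirect_uri must be registered with the client.");
    }
    return obtainMatchingRedirect(registeredRedirectUris, requestedRedirect);
}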
throw new InvalidClientDetailsException("client_id cannot be blank"); checkRequestedGrantTypes(clientDetails.getAuthorizedGrantTypes()); if (clientDetails.getAuthorizedGrantTypes().contains(GRANT_TYPE_CLIENT_CREDENTIALS) || clientDetails.getAuthorizedGrantTypes().contains(GRANT_TYPE_AUTHORIZATION_CODE) || clientDetails.getAuthorizedGrantTypes().contains(GRANT_TYPE_USER_TOKEN) || clientDetails.getAuthorizedGrantTypes().contains(GRANT_TYPE_REFRESH_TOKEN) || clientDetails.getAuthorizedGrantTypes().contains(GRANT_TYPE_SAML2_BEARER) || clientDetails.getAuthorizedGrantTypes().contains(GRANT_TYPE_JWT_BEARER) || clientDetails.getAuthorizedGrantTypes().contains(GRANT_TYPE_PASSWORD)) { if (StringUtils.isBlank(clientDetails.getClientSecret())) { throw new InvalidClientDetailsException("client_secret cannot be blank");
/**
 * When the client already exists and its bootstrap entry sets {@code override: true},
 * the bootstrap must take the update path after {@link ClientAlreadyExistsException}
 * and push both the narrowed grant types and the new secret.
 */
@Test
public void testOverrideClient() throws Exception {
    ClientMetadataProvisioning metadataProvisioning = mock(ClientMetadataProvisioning.class);
    bootstrap.setClientMetadataProvisioning(metadataProvisioning);

    // Pre-existing client with two grant types; the override below narrows it to one.
    BaseClientDetails existing = new BaseClientDetails("foo", "", "openid", "client_credentials,password", "uaa.none");
    existing.setClientSecret("secret");
    clientRegistrationService.addClientDetails(existing);
    reset(clientRegistrationService);

    Map<String, Object> overrideEntry = new HashMap<>();
    overrideEntry.put("secret", "bar");
    overrideEntry.put("override", true);
    overrideEntry.put("authorized-grant-types", "client_credentials");
    bootstrap.setClients(Collections.singletonMap("foo", overrideEntry));

    when(metadataProvisioning.update(any(ClientMetadata.class), anyString())).thenReturn(new ClientMetadata());
    // Force the "already exists" path so the bootstrap falls back to updating.
    doThrow(new ClientAlreadyExistsException("Planned"))
            .when(clientRegistrationService).addClientDetails(any(ClientDetails.class), anyString());

    bootstrap.afterPropertiesSet();

    verify(clientRegistrationService, times(1)).addClientDetails(any(ClientDetails.class), anyString());
    ArgumentCaptor<ClientDetails> updatedClient = ArgumentCaptor.forClass(ClientDetails.class);
    verify(clientRegistrationService, times(1)).updateClientDetails(updatedClient.capture(), anyString());
    verify(clientRegistrationService, times(1)).updateClientSecret("foo", "bar", IdentityZoneHolder.get().getId());
    assertEquals(Collections.singleton("client_credentials"), updatedClient.getValue().getAuthorizedGrantTypes());
}
/**
 * Same override scenario as {@code testOverrideClient}, but with a {@code null}
 * secret in the bootstrap entry: the update is still performed and the secret
 * is expected to be written as the empty string.
 */
@Test
public void testOverrideClientWithEmptySecret() throws Exception {
    ClientMetadataProvisioning metadataProvisioning = mock(ClientMetadataProvisioning.class);
    bootstrap.setClientMetadataProvisioning(metadataProvisioning);

    BaseClientDetails existing = new BaseClientDetails("foo", "", "openid", "client_credentials,password", "uaa.none");
    existing.setClientSecret("secret");
    clientRegistrationService.addClientDetails(existing);
    reset(clientRegistrationService);

    Map<String, Object> overrideEntry = new HashMap<>();
    overrideEntry.put("secret", null);
    overrideEntry.put("override", true);
    overrideEntry.put("authorized-grant-types", "client_credentials");
    bootstrap.setClients(Collections.singletonMap("foo", overrideEntry));

    when(metadataProvisioning.update(any(ClientMetadata.class), anyString())).thenReturn(new ClientMetadata());
    // Force the "already exists" path so the bootstrap falls back to updating.
    doThrow(new ClientAlreadyExistsException("Planned"))
            .when(clientRegistrationService).addClientDetails(any(ClientDetails.class), anyString());

    bootstrap.afterPropertiesSet();

    verify(clientRegistrationService, times(1)).addClientDetails(any(ClientDetails.class), anyString());
    ArgumentCaptor<ClientDetails> updatedClient = ArgumentCaptor.forClass(ClientDetails.class);
    verify(clientRegistrationService, times(1)).updateClientDetails(updatedClient.capture(), anyString());
    verify(clientRegistrationService, times(1)).updateClientSecret("foo", "", IdentityZoneHolder.get().getId());
    assertEquals(Collections.singleton("client_credentials"), updatedClient.getValue().getAuthorizedGrantTypes());
}
/**
 * Builds the positional bind values for the client-details UPDATE statement.
 *
 * <p>Collections are flattened to comma-delimited strings; a {@code null}
 * collection is bound as {@code null}. The additional-information map is
 * serialized to JSON; if serialization fails, the failure is logged and
 * {@code null} is bound in its place rather than aborting the update.
 *
 * @param clientDetails the client whose fields are being written
 * @return the bind values in statement order, ending with the client id
 */
private Object[] getFieldsForUpdate(ClientDetails clientDetails) {
    String additionalInformationJson;
    try {
        additionalInformationJson = mapper.write(clientDetails.getAdditionalInformation());
    } catch (Exception e) {
        // NOTE(review): this logs the whole clientDetails object via toString();
        // confirm that representation does not include the client secret.
        logger.warn("Could not serialize additional information: " + clientDetails, e);
        additionalInformationJson = null;
    }
    return new Object[] {
            joinOrNull(clientDetails.getResourceIds()),
            joinOrNull(clientDetails.getScope()),
            joinOrNull(clientDetails.getAuthorizedGrantTypes()),
            joinOrNull(clientDetails.getRegisteredRedirectUri()),
            joinOrNull(clientDetails.getAuthorities()),
            clientDetails.getAccessTokenValiditySeconds(),
            clientDetails.getRefreshTokenValiditySeconds(),
            additionalInformationJson,
            getAutoApproveScopes(clientDetails),
            clientDetails.getClientId()
    };
}

/** Comma-joins a collection for storage, passing {@code null} through unchanged. */
private static String joinOrNull(Collection<?> values) {
    return values == null ? null : StringUtils.collectionToCommaDelimitedString(values);
}
/**
 * Builds the positional bind values for the zone-scoped client-details UPDATE.
 *
 * <p>The required user groups are pulled out of the additional-information map
 * and stored in their own column; the remainder of the map is serialized to
 * JSON. A serialization failure is logged and rethrown as
 * {@link InvalidDataAccessResourceUsageException} so the update does not proceed
 * with partial data.
 *
 * @param clientDetails the client whose fields are being written
 * @param zoneId        the identity zone the client belongs to
 * @return the bind values in statement order, ending with the client id and zone id
 * @throws InvalidDataAccessResourceUsageException if the additional information
 *                                                 cannot be serialized
 */
private Object[] getFieldsForUpdate(ClientDetails clientDetails, String zoneId) {
    Map<String, Object> additionalInformation = new HashMap<>(clientDetails.getAdditionalInformation());
    // The map is untyped, so the stored value's element type cannot be checked here.
    @SuppressWarnings("unchecked")
    Collection<String> requiredGroups = (Collection<String>) additionalInformation.remove(REQUIRED_USER_GROUPS);

    String additionalInformationJson;
    try {
        additionalInformationJson = JsonUtils.writeValueAsString(additionalInformation);
    } catch (Exception e) {
        // NOTE(review): this logs the whole clientDetails object via toString();
        // confirm that representation does not include the client secret.
        logger.warn("Could not serialize additional information: " + clientDetails, e);
        throw new InvalidDataAccessResourceUsageException("Could not serialize additional information:"+clientDetails.getClientId(), e);
    }

    Timestamp lastModified = new Timestamp(System.currentTimeMillis());
    return new Object[] {
            collectionToString(clientDetails.getResourceIds()),
            collectionToString(clientDetails.getScope()),
            collectionToString(clientDetails.getAuthorizedGrantTypes()),
            collectionToString(clientDetails.getRegisteredRedirectUri()),
            collectionToString(clientDetails.getAuthorities()),
            clientDetails.getAccessTokenValiditySeconds(),
            clientDetails.getRefreshTokenValiditySeconds(),
            additionalInformationJson,
            getAutoApproveScopes(clientDetails),
            lastModified,
            collectionToString(requiredGroups),
            clientDetails.getClientId(),
            zoneId
    };
}
authTypes+=",refresh_token"; assertSet(authTypes, Collections.emptySet(), created.getAuthorizedGrantTypes(), String.class);
/** An implicit-only client passes CREATE validation without a client secret. */
@Test
public void testCreateClientNoSecretForImplicitIsValid() {
    BaseClientDetails implicitClient = new BaseClientDetails("client", null, "openid", "implicit", "uaa.resource");
    implicitClient.addAdditionalInformation(ALLOWED_PROVIDERS, Collections.singletonList(OriginKeys.UAA));

    ClientDetails validated = zoneEndpointsClientDetailsValidator.validate(implicitClient, Mode.CREATE);

    assertEquals(implicitClient.getAuthorizedGrantTypes(), validated.getAuthorizedGrantTypes());
}
details.setAuthorizedGrantTypes(existing.getAuthorizedGrantTypes());
assertEquals("myResource", clientDetails.getResourceIds().iterator() .next()); assertEquals(1, clientDetails.getAuthorizedGrantTypes().size()); assertEquals("myAuthorizedGrantType", clientDetails .getAuthorizedGrantTypes().iterator().next()); assertEquals("myRedirectUri", clientDetails.getRegisteredRedirectUri() .iterator().next());
/**
 * Copy constructor: initializes this instance with every field of {@code prototype}.
 *
 * <p>Each value is passed through the corresponding setter, so whatever copying
 * or normalization the setters perform applies here as well.
 *
 * @param prototype the client whose fields are copied
 */
public BaseClientDetails(ClientDetails prototype) {
    this();
    // Token lifetimes first, then the security-relevant collections, then identity.
    setAccessTokenValiditySeconds(prototype.getAccessTokenValiditySeconds());
    setRefreshTokenValiditySeconds(prototype.getRefreshTokenValiditySeconds());
    setAuthorities(prototype.getAuthorities());
    setAuthorizedGrantTypes(prototype.getAuthorizedGrantTypes());
    setClientId(prototype.getClientId());
    setClientSecret(prototype.getClientSecret());
    setRegisteredRedirectUri(prototype.getRegisteredRedirectUri());
    setScope(prototype.getScope());
    setResourceIds(prototype.getResourceIds());
}
assertEquals("myScope1", scope.next()); assertEquals("myScope2", scope.next()); assertEquals(2, clientDetails.getAuthorizedGrantTypes().size()); Iterator<String> grantTypes = clientDetails.getAuthorizedGrantTypes() .iterator(); assertEquals("myAuthorizedGrantType1", grantTypes.next());
/**
 * A client with a secret, two grant types and an allowed-providers entry is
 * accepted in CREATE mode with its identity, scopes, grant types, authorities
 * and allowed providers intact, while its resource ids are replaced by
 * {@code "none"}.
 */
@Test
public void testCreateLimitedClient() {
    BaseClientDetails requested = new BaseClientDetails("valid-client", null, "openid", "authorization_code,password", "uaa.resource");
    requested.setClientSecret("secret");
    requested.addAdditionalInformation(ALLOWED_PROVIDERS, Collections.singletonList(OriginKeys.UAA));

    ClientDetails validated = zoneEndpointsClientDetailsValidator.validate(requested, Mode.CREATE);

    assertEquals(requested.getClientId(), validated.getClientId());
    assertEquals(requested.getScope(), validated.getScope());
    assertEquals(requested.getAuthorizedGrantTypes(), validated.getAuthorizedGrantTypes());
    assertEquals(requested.getAuthorities(), validated.getAuthorities());
    // Resource ids are not carried over from the request.
    assertEquals(Collections.singleton("none"), validated.getResourceIds());
    assertEquals(Collections.singletonList(OriginKeys.UAA), validated.getAdditionalInformation().get(ALLOWED_PROVIDERS));
}
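/**
 * A row whose optional columns are all {@code null} must load as a client with
 * empty (not {@code null}) scope and authorities, no secret, no redirect URIs and
 * no token-validity overrides. Two grant types are still expected although the
 * column is {@code null}, so a default is applied on load.
 *
 * <p>The last assertion previously checked the access-token validity twice; it
 * now covers the refresh-token validity, which the inserted row also leaves null.
 */
@Test
public void testLoadingClientIdWithNoDetails() {
    int rowsInserted = jdbcTemplate.update(INSERT_SQL, "clientIdWithNoDetails", null, null, null, null, null, null, null, null, null,
            IdentityZoneHolder.get().getId(), new Timestamp(System.currentTimeMillis()), dbRequestedUserGroups);
    assertEquals(1, rowsInserted);

    ClientDetails clientDetails = service.loadClientByClientId("clientIdWithNoDetails");

    assertEquals("clientIdWithNoDetails", clientDetails.getClientId());
    assertFalse(clientDetails.isSecretRequired());
    assertNull(clientDetails.getClientSecret());
    assertFalse(clientDetails.isScoped());
    assertEquals(0, clientDetails.getScope().size());
    assertEquals(2, clientDetails.getAuthorizedGrantTypes().size());
    assertNull(clientDetails.getRegisteredRedirectUri());
    assertEquals(0, clientDetails.getAuthorities().size());
    assertNull(clientDetails.getAccessTokenValiditySeconds());
    assertNull(clientDetails.getRefreshTokenValiditySeconds());
}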
updatedClientDetails.setScope(Arrays.asList("clients.new", "clients.autoapprove")); updatedClientDetails.setAutoApproveScopes(Arrays.asList("clients.autoapprove")); updatedClientDetails.setAuthorizedGrantTypes(createdClientDetails.getAuthorizedGrantTypes()); updatedClientDetails.setRegisteredRedirectUri(Collections.singleton("http://redirect.url"));
/**
 * Throws if the requested grant type is outside the client's authorized set.
 *
 * <p>Enforcement is conditional: a client whose authorized grant types are
 * {@code null} or empty is not restricted by this method, so any grant type is
 * accepted for it here.
 *
 * @param grantType     the grant type requested by the caller
 * @param clientDetails the client on whose behalf the request is made
 * @throws InvalidClientException if the client restricts grant types and
 *                                {@code grantType} is not one of them
 */
protected void validateGrantType(String grantType, ClientDetails clientDetails) {
    Collection<String> permitted = clientDetails.getAuthorizedGrantTypes();
    if (permitted == null || permitted.isEmpty()) {
        // Nothing declared: no restriction to enforce.
        return;
    }
    if (permitted.contains(grantType)) {
        return;
    }
    throw new InvalidClientException("Unauthorized grant type: " + grantType);
}