private Collection<GrantedAuthority> getClientPermissions(ClientDetails client) { Collection<GrantedAuthority> clientScopes; clientScopes = new ArrayList<>(); for(String scope : client.getScope()) { clientScopes.add(new XOAuthUserAuthority(scope)); } return clientScopes; }
private String getAutoApproveScopes(ClientDetails clientDetails) { if (clientDetails.isAutoApprove("true")) { return "true"; // all scopes autoapproved } Set<String> scopes = new HashSet<String>(); for (String scope : clientDetails.getScope()) { if (clientDetails.isAutoApprove(scope)) { scopes.add(scope); } } return StringUtils.collectionToCommaDelimitedString(scopes); }
public void validateScope(TokenRequest tokenRequest, ClientDetails client) throws InvalidScopeException { validateScope(tokenRequest.getScope(), client.getScope()); }
public void validateScope(AuthorizationRequest authorizationRequest, ClientDetails client) throws InvalidScopeException { validateScope(authorizationRequest.getScope(), client.getScope()); }
private Set<String> extractScopes(Map<String, String> requestParameters, String clientId) { Set<String> scopes = OAuth2Utils.parseParameterList(requestParameters.get(OAuth2Utils.SCOPE)); ClientDetails clientDetails = clientDetailsService.loadClientByClientId(clientId); if ((scopes == null || scopes.isEmpty())) { // If no scopes are specified in the incoming data, use the default values registered with the client // (the spec allows us to choose between this option and rejecting the request completely, so we'll take the // least obnoxious choice as a default). scopes = clientDetails.getScope(); } if (checkUserScopes) { scopes = checkUserScopes(scopes, clientDetails); } return scopes; }
private String getAutoApproveScopes(ClientDetails clientDetails) { if (clientDetails.isAutoApprove("true")) { return "true"; // all scopes autoapproved } Set<String> scopes = new HashSet<String>(); for (String scope : clientDetails.getScope()) { if (clientDetails.isAutoApprove(scope)) { scopes.add(scope); } } return collectionToCommaDelimitedString(scopes); }
@Override public void validateScope(AuthorizationRequest authorizationRequest, ClientDetails client) throws InvalidScopeException { validateScope(authorizationRequest.getScope(), client.getScope()); }
@Override public void validateScope(TokenRequest tokenRequest, ClientDetails client) throws InvalidScopeException { validateScope(tokenRequest.getScope(), client.getScope()); }
protected Set<String> extractScopes(Map<String, String> requestParameters, ClientDetails clientDetails) { boolean clientCredentials = GRANT_TYPE_CLIENT_CREDENTIALS.equals(requestParameters.get(GRANT_TYPE)); Set<String> scopes = OAuth2Utils.parseParameterList(requestParameters.get(OAuth2Utils.SCOPE)); if ((scopes == null || scopes.isEmpty())) { // If no scopes are specified in the incoming data, use the default values registered with the client // (the spec allows us to choose between this option and rejecting the request completely, so we'll take the // least obnoxious choice as a default). if (clientCredentials) { Set<String> authorities = new HashSet<>(); for (GrantedAuthority a : clientDetails.getAuthorities()) { authorities.add(a.getAuthority()); } scopes = authorities; } else { scopes = clientDetails.getScope(); } } if (!clientCredentials) { Set<String> userScopes = getUserScopes(); scopes = intersectScopes(scopes, clientDetails.getScope(), userScopes); } return scopes; }
@Override public AuditEvent getAuditEvent() { ClientDetails clientDetails = Optional.ofNullable(getClient()).orElse(nonExistent); Map<String, Object> auditData = new HashMap(); auditData.put("scopes", clientDetails.getScope()); List<String> authorities = clientDetails .getAuthorities() .stream() .map(a -> a.getAuthority()) .collect(Collectors.toList()); auditData.put("authorities", authorities); return createAuditRecord( clientDetails.getClientId(), getAuditEventType(), getOrigin(getPrincipal()), JsonUtils.writeValueAsString(auditData) ); }
/** * Apply UAA rules to validate the requested scopes scope. For client credentials * grants the valid requested scopes are actually in * the authorities of the client. * */ public void validateParameters(Map<String, String> parameters, ClientDetails clientDetails) { if (parameters.containsKey("scope")) { Set<String> validScope = clientDetails.getScope(); if (GRANT_TYPE_CLIENT_CREDENTIALS.equals(parameters.get("grant_type"))) { validScope = AuthorityUtils.authorityListToSet(clientDetails.getAuthorities()); } Set<Pattern> validWildcards = constructWildcards(validScope); Set<String> scopes = OAuth2Utils.parseParameterList(parameters.get("scope")); for (String scope : scopes) { if (!matches(validWildcards, scope)) { throw new InvalidScopeException(scope + " is invalid. Please use a valid scope name in the request"); } } } }
public void validateScope(AuthorizationRequest authorizationRequest, ClientDetails client) throws InvalidScopeException { if (GRANT_TYPE_CLIENT_CREDENTIALS.equalsIgnoreCase(authorizationRequest.getRequestParameters().get(OAuth2Utils.GRANT_TYPE))) { validateScope(authorizationRequest.getScope(), getAuthorities(client.getAuthorities()), false); } else { validateScope(authorizationRequest.getScope(), client.getScope(), true); } }
public void validateScope(TokenRequest tokenRequest, ClientDetails client) throws InvalidScopeException { if (GRANT_TYPE_CLIENT_CREDENTIALS.equalsIgnoreCase(tokenRequest.getGrantType())) { validateScope(tokenRequest.getScope(), getAuthorities(client.getAuthorities()), false); } else if (GRANT_TYPE_USER_TOKEN.equalsIgnoreCase(tokenRequest.getGrantType())) { client = clientDetailsService.loadClientByClientId(tokenRequest.getRequestParameters().get(CLIENT_ID), IdentityZoneHolder.get().getId()); validateScope(tokenRequest.getScope(), client.getScope(), true); } else { validateScope(tokenRequest.getScope(), client.getScope(), true); } }
private void checkClientDetails(OAuth2Authentication auth) { if (clientDetailsService != null) { ClientDetails client; try { client = clientDetailsService.loadClientByClientId(auth.getOAuth2Request().getClientId()); } catch (ClientRegistrationException e) { throw new OAuth2AccessDeniedException("Invalid token contains invalid client id"); } Set<String> allowed = client.getScope(); for (String scope : auth.getOAuth2Request().getScope()) { if (!allowed.contains(scope)) { throw new OAuth2AccessDeniedException( "Invalid token contains disallowed scope (" + scope + ") for this client"); } } } }
@Override protected void setUp() throws Exception { super.setUp(); authenticationManager = new ScopeAuthenticationManager(); authenticationManager.setThrowOnNotAuthenticated(true); authenticationManager.setRequiredScopes(Collections.singletonList("oauth.login")); clientCredentials = new HashMap<>(); clientCredentials.put("client_id","login"); clientCredentials.put("grant_type","client_credentials"); clientCredentials.put("scope","oauth.login oauth.approval"); ClientDetails loginClient = mock(ClientDetails.class); when(loginClient.getScope()).thenReturn(new HashSet<>(Arrays.asList("oauth.login","oauth.approval"))); ClientDetailsService service = mock(ClientDetailsService.class); when(service.loadClientByClientId("login")).thenReturn(loginClient); AuthorizationRequest authorizationRequest = new DefaultOAuth2RequestFactory(service).createAuthorizationRequest(clientCredentials); authorizationRequest.setApproved(true); request = authorizationRequest.createOAuth2Request(); }
@Override public ClientDetails validate(ClientDetails clientDetails, Mode mode) throws InvalidClientDetailsException { if (Mode.CREATE.equals(mode) || Mode.MODIFY.equals(mode)) { for (String scope : clientDetails.getScope()) { if (uaaScopes.isUaaScope(scope)) { throw new InvalidClientDetailsException(scope+" is a restricted scope."); } } for (GrantedAuthority authority : clientDetails.getAuthorities()) { if (uaaScopes.isUaaScope(authority)) { throw new InvalidClientDetailsException(authority.getAuthority()+" is a restricted authority."); } } } return clientDetails; } }
private Object[] getFieldsForUpdate(ClientDetails clientDetails) { String json = null; try { json = mapper.write(clientDetails.getAdditionalInformation()); } catch (Exception e) { logger.warn("Could not serialize additional information: " + clientDetails, e); } return new Object[] { clientDetails.getResourceIds() != null ? StringUtils.collectionToCommaDelimitedString(clientDetails .getResourceIds()) : null, clientDetails.getScope() != null ? StringUtils.collectionToCommaDelimitedString(clientDetails .getScope()) : null, clientDetails.getAuthorizedGrantTypes() != null ? StringUtils .collectionToCommaDelimitedString(clientDetails.getAuthorizedGrantTypes()) : null, clientDetails.getRegisteredRedirectUri() != null ? StringUtils .collectionToCommaDelimitedString(clientDetails.getRegisteredRedirectUri()) : null, clientDetails.getAuthorities() != null ? StringUtils.collectionToCommaDelimitedString(clientDetails .getAuthorities()) : null, clientDetails.getAccessTokenValiditySeconds(), clientDetails.getRefreshTokenValiditySeconds(), json, getAutoApproveScopes(clientDetails), clientDetails.getClientId() }; }
public BaseClientDetails(ClientDetails prototype) { this(); setAccessTokenValiditySeconds(prototype.getAccessTokenValiditySeconds()); setRefreshTokenValiditySeconds(prototype .getRefreshTokenValiditySeconds()); setAuthorities(prototype.getAuthorities()); setAuthorizedGrantTypes(prototype.getAuthorizedGrantTypes()); setClientId(prototype.getClientId()); setClientSecret(prototype.getClientSecret()); setRegisteredRedirectUri(prototype.getRegisteredRedirectUri()); setScope(prototype.getScope()); setResourceIds(prototype.getResourceIds()); }
@Test public void testCreateLimitedClient() { BaseClientDetails clientDetails = new BaseClientDetails("valid-client", null, "openid", "authorization_code,password", "uaa.resource"); clientDetails.setClientSecret("secret"); clientDetails.addAdditionalInformation(ALLOWED_PROVIDERS, Collections.singletonList(OriginKeys.UAA)); ClientDetails validatedClientDetails = zoneEndpointsClientDetailsValidator.validate(clientDetails, Mode.CREATE); assertEquals(clientDetails.getClientId(), validatedClientDetails.getClientId()); assertEquals(clientDetails.getScope(), validatedClientDetails.getScope()); assertEquals(clientDetails.getAuthorizedGrantTypes(), validatedClientDetails.getAuthorizedGrantTypes()); assertEquals(clientDetails.getAuthorities(), validatedClientDetails.getAuthorities()); assertEquals(Collections.singleton("none"), validatedClientDetails.getResourceIds()); assertEquals(Collections.singletonList(OriginKeys.UAA), validatedClientDetails.getAdditionalInformation().get(ALLOWED_PROVIDERS)); }