@Override
 public ClientDetails loadClientByClientId(String clientId) {
   BaseClientDetails clientDetails = new BaseClientDetails();
   clientDetails.setClientId(CLIENT_ID);
   clientDetails.setClientSecret(CLIENT_SECRET);
   clientDetails.setAuthorizedGrantTypes(Arrays.asList(GRANT_TYPES));
   return clientDetails;
 }
  /**
   * Create an authorization request applying various UAA rules to the authorizationParameters and
   * the registered client details.
   *
   * <ul>
   *   <li>For client_credentials grants, the default scopes are the client's granted authorities
   *   <li>For other grant types the default scopes are the registered scopes in the client details
   *   <li>Only scopes in those lists are valid, otherwise there is an exception
   *   <li>If the scopes contain separators then resource ids are extracted as the scope value up to
   *       the last index of the separator
   *   <li>Some scopes can be hard-wired to resource ids (like the open id connect values), in which
   *       case the separator is ignored
   * </ul>
   *
   * @see
   *     org.springframework.security.oauth2.provider.AuthorizationRequestFactory#createAuthorizationRequest(java.util.Map,
   *     java.lang.String, java.lang.String, java.util.Set)
   */
  @Override
  public AuthorizationRequest createAuthorizationRequest(
      Map<String, String> authorizationParameters) {

    String clientId = authorizationParameters.get("client_id");
    BaseClientDetails clientDetails =
        new BaseClientDetails(clientDetailsService.loadClientByClientId(clientId));

    Set<String> scopes = OAuth2Utils.parseParameterList(authorizationParameters.get("scope"));
    String grantType = authorizationParameters.get("grant_type");
    if ((scopes == null || scopes.isEmpty())) {
      if ("client_credentials".equals(grantType)) {
        // The client authorities should be a list of scopes
        scopes = AuthorityUtils.authorityListToSet(clientDetails.getAuthorities());
      } else {
        // The default for a user token is the scopes registered with
        // the client
        scopes = clientDetails.getScope();
      }
    }

    Set<String> scopesFromExternalAuthorities = null;
    if (!"client_credentials".equals(grantType) && securityContextAccessor.isUser()) {
      scopes = checkUserScopes(scopes, securityContextAccessor.getAuthorities(), clientDetails);

      // TODO: will the grantType ever contain client_credentials or
      // authorization_code
      // External Authorities are things like LDAP groups that will be
      // mapped to Oauth scopes
      // Add those scopes to the request. These scopes will not be
      // validated against the scopes
      // registered to a client.
      // These scopes also do not need approval. The fact that they are
      // already in an external
      // group communicates user approval. Denying approval does not mean
      // much
      scopesFromExternalAuthorities =
          findScopesFromAuthorities(authorizationParameters.get("authorities"));
    }

    Set<String> resourceIds = getResourceIds(clientDetails, scopes);
    clientDetails.setResourceIds(resourceIds);
    DefaultAuthorizationRequest request = new DefaultAuthorizationRequest(authorizationParameters);
    if (!scopes.isEmpty()) {
      request.setScope(scopes);
    }
    if (scopesFromExternalAuthorities != null) {
      Map<String, String> existingAuthorizationParameters = new LinkedHashMap<String, String>();
      existingAuthorizationParameters.putAll(request.getAuthorizationParameters());
      existingAuthorizationParameters.put(
          "external_scopes", OAuth2Utils.formatParameterList(scopesFromExternalAuthorities));
      request.setAuthorizationParameters(existingAuthorizationParameters);
    }

    request.addClientDetails(clientDetails);

    return request;
  }
Beispiel #3
0
 private void createAppClient(RestOperations client) {
   BaseClientDetails clientDetails =
       new BaseClientDetails(
           "app",
           "none",
           "cloud_controller.read,openid,password.write",
           "password,authorization_code,refresh_token",
           "uaa.resource");
   clientDetails.setClientSecret("appclientsecret");
   createClient(client, testAccounts.getClientDetails("oauth.clients.app", clientDetails));
 }
Beispiel #4
0
 private void createScimClient(RestOperations client) {
   BaseClientDetails clientDetails =
       new BaseClientDetails(
           "scim",
           "none",
           "uaa.none",
           "client_credentials",
           "scim.read,scim.write,password.write");
   clientDetails.setClientSecret("scimsecret");
   createClient(client, testAccounts.getClientDetails("oauth.clients.scim", clientDetails));
 }
Beispiel #5
0
 @RequestMapping(value = "/oauth/clients/{client}", method = RequestMethod.PUT)
 public ResponseEntity<Void> updateClientDetails(
     @RequestBody BaseClientDetails details, @PathVariable String client) throws Exception {
   validateClient(details, false);
   Assert.state(
       client.equals(details.getClientId()),
       String.format(
           "The client id (%s) does not match the URL (%s)", details.getClientId(), client));
   clientRegistrationService.updateClientDetails(details);
   return new ResponseEntity<Void>(HttpStatus.NO_CONTENT);
 }
  @Test
  public void adminClientIsAdmin() throws Exception {

    BaseClientDetails client = new BaseClientDetails();
    client.setAuthorities(UaaAuthority.ADMIN_AUTHORITIES);

    DefaultAuthorizationRequest authorizationRequest =
        new DefaultAuthorizationRequest("admin", null);
    authorizationRequest.addClientDetails(client);
    SecurityContextHolder.getContext()
        .setAuthentication(new OAuth2Authentication(authorizationRequest, null));

    assertTrue(new DefaultSecurityContextAccessor().isAdmin());
  }
Beispiel #7
0
 private ClientDetails removeSecret(ClientDetails client) {
   BaseClientDetails details = new BaseClientDetails();
   details.setClientId(client.getClientId());
   details.setScope(client.getScope());
   details.setResourceIds(client.getResourceIds());
   details.setAuthorizedGrantTypes(client.getAuthorizedGrantTypes());
   details.setRegisteredRedirectUri(client.getRegisteredRedirectUri());
   details.setAuthorities(client.getAuthorities());
   details.setAccessTokenValiditySeconds(client.getAccessTokenValiditySeconds());
   return details;
 }
  @Before
  public void createDatasource() {

    template = new JdbcTemplate(dataSource);
    marissa = userDao.retrieveUserByName("marissa");

    dao = new JdbcApprovalStore(template, new SimpleSearchQueryConverter());
    endpoints = new ApprovalsAdminEndpoints();
    endpoints.setApprovalStore(dao);
    endpoints.setUaaUserDatabase(userDao);
    InMemoryClientDetailsService clientDetailsService = new InMemoryClientDetailsService();
    BaseClientDetails details =
        new BaseClientDetails(
            "c1",
            "scim,clients",
            "read,write",
            "authorization_code, password, implicit, client_credentials",
            "update");
    details.addAdditionalInformation("autoapprove", "true");
    clientDetailsService.setClientDetailsStore(Collections.singletonMap("c1", details));
    endpoints.setClientDetailsService(clientDetailsService);

    endpoints.setSecurityContextAccessor(mockSecurityContextAccessor(marissa.getUsername()));
  }
 public ClientDetails mapRow(ResultSet rs, int rowNum) throws SQLException {
   BaseClientDetails details =
       new BaseClientDetails(
           rs.getString(1),
           rs.getString(3),
           rs.getString(4),
           rs.getString(5),
           rs.getString(7),
           rs.getString(6));
   details.setClientSecret(rs.getString(2));
   details.setAccessTokenValiditySeconds(rs.getInt(8));
   details.setRefreshTokenValiditySeconds(rs.getInt(9));
   String json = rs.getString(10);
   if (json != null) {
     try {
       @SuppressWarnings("unchecked")
       Map<String, Object> additionalInformation = mapper.readValue(json, Map.class);
       details.setAdditionalInformation(additionalInformation);
     } catch (Exception e) {
       logger.warn("Could not decode JSON for additional information: " + details, e);
     }
   }
   return details;
 }