@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;
AuthorizationRequest authorizationRequest = findAuthorizationRequest(request);
if (authorizationRequest == null) {
response.sendError(
HttpServletResponse.SC_BAD_REQUEST,
"No valid AbstractAuthenticator.AUTH_STATE on the Request");
}
if (initialRequest(request)) {
storePrincipal(request, response, authorizationRequest);
request.setAttribute(AbstractAuthenticator.RETURN_URI, RETURN_URI);
request.setAttribute(AbstractUserConsentHandler.CLIENT, authorizationRequest.getClient());
if (!authorizationRequest.getClient().isSkipConsent()) {
userConsentHandler.doFilter(request, response, chain);
} else {
chain.doFilter(request, response);
}
} else {
/*
* Ok, the consentHandler wants to have control again (because he stepped
* out)
*/
userConsentHandler.doFilter(request, response, chain);
}
}
private AuthorizationRequest clientCredentialToken(AccessTokenRequest accessTokenRequest) {
AuthorizationRequest request = new AuthorizationRequest();
request.setClient(accessTokenRequest.getClient());
// We have to construct a AuthenticatedPrincipal on-the-fly as there is only key-secret
// authentication
request.setPrincipal(new AuthenticatedPrincipal(request.getClient().getClientId()));
// Get scopes (either from request or the client's default set)
request.setGrantedScopes(accessTokenRequest.getScopeList());
return request;
}
private Response sendAuthorizationCodeResponse(AuthorizationRequest authReq) {
String uri = authReq.getRedirectUri();
String authorizationCode = getAuthorizationCodeValue();
authReq.setAuthorizationCode(authorizationCode);
authorizationRequestRepository.save(authReq);
uri = uri + appendQueryMark(uri) + "code=" + authorizationCode + appendStateParameter(authReq);
return Response.seeOther(UriBuilder.fromUri(uri).build())
.cacheControl(cacheControlNoStore())
.header("Pragma", "no-cache")
.build();
}
private AuthorizationRequest refreshTokenToken(AccessTokenRequest accessTokenRequest) {
AccessToken accessToken =
accessTokenRepository.findByRefreshToken(accessTokenRequest.getRefreshToken());
if (accessToken == null) {
throw new ValidationResponseException(ValidationResponse.INVALID_GRANT_REFRESH_TOKEN);
}
AuthorizationRequest request = new AuthorizationRequest();
request.setClient(accessToken.getClient());
request.setPrincipal(accessToken.getPrincipal());
request.setGrantedScopes(accessToken.getScopes());
accessTokenRepository.delete(accessToken);
return request;
}
private AuthorizationRequest authorizationCodeToken(AccessTokenRequest accessTokenRequest) {
AuthorizationRequest authReq =
authorizationRequestRepository.findByAuthorizationCode(accessTokenRequest.getCode());
if (authReq == null) {
throw new ValidationResponseException(ValidationResponse.INVALID_GRANT_AUTHORIZATION_CODE);
}
String uri = accessTokenRequest.getRedirectUri();
if (!authReq.getRedirectUri().equalsIgnoreCase(uri)) {
throw new ValidationResponseException(ValidationResponse.REDIRECT_URI_DIFFERENT);
}
authorizationRequestRepository.delete(authReq);
return authReq;
}
private Response doProcess(HttpServletRequest request) {
AuthorizationRequest authReq = findAuthorizationRequest(request);
if (authReq == null) {
return serverError("Not a valid AbstractAuthenticator.AUTH_STATE on the Request");
}
processScopes(authReq, request);
if (authReq.getResponseType().equals(OAuth2Validator.IMPLICIT_GRANT_RESPONSE_TYPE)) {
AccessToken token = createAccessToken(authReq, true);
return sendImplicitGrantResponse(authReq, token);
} else {
return sendAuthorizationCodeResponse(authReq);
}
}
private AuthorizationRequest passwordToken(AccessTokenRequest accessTokenRequest) {
// Authenticate the resource owner
AuthenticatedPrincipal principal =
resourceOwnerAuthenticator.authenticate(
accessTokenRequest.getUsername(), accessTokenRequest.getPassword());
if (principal == null) {
throw new ValidationResponseException(ValidationResponse.INVALID_GRANT_PASSWORD);
}
AuthorizationRequest request = new AuthorizationRequest();
request.setClient(accessTokenRequest.getClient());
request.setPrincipal(principal);
request.setGrantedScopes(accessTokenRequest.getScopeList());
return request;
}
/*
* In the user consent filter the scopes are (possible) set on the Request
*/
private void processScopes(AuthorizationRequest authReq, HttpServletRequest request) {
if (authReq.getClient().isSkipConsent()) {
// return the scopes in the authentication request since the requested scopes are stored in
// the
// authorizationRequest.
authReq.setGrantedScopes(authReq.getRequestedScopes());
} else {
String[] scopes = (String[]) request.getAttribute(AbstractUserConsentHandler.GRANTED_SCOPES);
if (!ArrayUtils.isEmpty(scopes)) {
authReq.setGrantedScopes(Arrays.asList(scopes));
} else {
authReq.setGrantedScopes(null);
}
}
}
private String appendStateParameter(AuthorizationRequest authReq) {
String state = authReq.getState();
try {
return StringUtils.isBlank(state) ? "" : "&state=".concat(URLEncoder.encode(state, "UTF-8"));
} catch (UnsupportedEncodingException e) {
throw new RuntimeException(e);
}
}
private Response sendImplicitGrantResponse(
AuthorizationRequest authReq, AccessToken accessToken) {
String uri = authReq.getRedirectUri();
String fragment =
String.format(
"access_token=%s&token_type=bearer&expires_in=%s&scope=%s",
accessToken.getToken(),
accessToken.getExpiresIn(),
StringUtils.join(authReq.getGrantedScopes(), ','))
+ appendStateParameter(authReq);
if (authReq.getClient().isIncludePrincipal()) {
fragment += String.format("&principal=%s", authReq.getPrincipal().getDisplayName());
}
return Response.seeOther(UriBuilder.fromUri(uri).fragment(fragment).build())
.cacheControl(cacheControlNoStore())
.header("Pragma", "no-cache")
.build();
}
private AccessToken createAccessToken(AuthorizationRequest request, boolean isImplicitGrant) {
Client client = request.getClient();
long expireDuration = client.getExpireDuration();
long expires =
(expireDuration == 0L ? 0L : (System.currentTimeMillis() + (1000 * expireDuration)));
String refreshToken =
(client.isUseRefreshTokens() && !isImplicitGrant) ? getTokenValue(true) : null;
AuthenticatedPrincipal principal = request.getPrincipal();
AccessToken token =
new AccessToken(
getTokenValue(false),
principal,
client,
expires,
request.getGrantedScopes(),
refreshToken);
return accessTokenRepository.save(token);
}
private void storePrincipal(
HttpServletRequest request,
HttpServletResponse response,
AuthorizationRequest authorizationRequest)
throws IOException {
AuthenticatedPrincipal principal =
(AuthenticatedPrincipal) request.getAttribute(AbstractAuthenticator.PRINCIPAL);
if (principal == null) {
response.sendError(
HttpServletResponse.SC_BAD_REQUEST,
"No valid AbstractAuthenticator.PRINCIPAL on the Request");
}
authorizationRequest.setPrincipal(principal);
authorizationRequestRepository.save(authorizationRequest);
}