private Object[] getFieldsForUpdate(ClientDetails clientDetails) {
   String json = null;
   try {
     json = mapper.write(clientDetails.getAdditionalInformation());
   } catch (Exception e) {
     logger.warn("Could not serialize additional information: " + clientDetails, e);
   }
   return new Object[] {
     clientDetails.getResourceIds() != null
         ? StringUtils.collectionToCommaDelimitedString(clientDetails.getResourceIds())
         : null,
     clientDetails.getScope() != null
         ? StringUtils.collectionToCommaDelimitedString(clientDetails.getScope())
         : null,
     clientDetails.getAuthorizedGrantTypes() != null
         ? StringUtils.collectionToCommaDelimitedString(clientDetails.getAuthorizedGrantTypes())
         : null,
     clientDetails.getRegisteredRedirectUri() != null
         ? StringUtils.collectionToCommaDelimitedString(clientDetails.getRegisteredRedirectUri())
         : null,
     clientDetails.getAuthorities() != null
         ? StringUtils.collectionToCommaDelimitedString(clientDetails.getAuthorities())
         : null,
     clientDetails.getAccessTokenValiditySeconds(),
     clientDetails.getRefreshTokenValiditySeconds(),
     json,
     getAutoApproveScopes(clientDetails),
     clientDetails.getClientId()
   };
 }
  @Override
  public AuthorizationRequest createAuthorizationRequest(Map<String, String> parameters) {

    String clientId = parameters.get("client_id");
    if (clientId == null) {
      throw new InvalidClientException("A client id must be provided");
    }
    ClientDetails client = clientDetailsService.loadClientByClientId(clientId);

    String requestNonce = parameters.get("nonce");

    // Only process if the user is authenticated. If the user is not authenticated yet, this
    // code will be called a second time once the user is redirected from the login page back
    // to the auth endpoint.
    Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();

    if (requestNonce != null && principal != null && principal instanceof User) {

      // Check request nonce for reuse
      Collection<Nonce> clientNonces = nonceService.getByClientId(client.getClientId());
      for (Nonce nonce : clientNonces) {
        String nonceVal = nonce.getValue();
        if (nonceVal.equals(requestNonce)) {
          throw new NonceReuseException(client.getClientId(), nonce);
        }
      }

      // Store nonce
      Nonce nonce = new Nonce();
      nonce.setClientId(client.getClientId());
      nonce.setValue(requestNonce);
      DateTime now = new DateTime(new Date());
      nonce.setUseDate(now.toDate());
      DateTime expDate = now.plus(nonceStorageDuration);
      Date expirationJdkDate = expDate.toDate();
      nonce.setExpireDate(expirationJdkDate);

      nonceService.save(nonce);
    }

    Set<String> scopes = OAuth2Utils.parseParameterList(parameters.get("scope"));
    if ((scopes == null || scopes.isEmpty())) {
      // TODO: do we want to allow default scoping at all?
      // If no scopes are specified in the incoming data, it is possible to default to the client's
      // registered scopes, but minus the "openid" scope. OpenID Connect requests MUST have the
      // "openid" scope.
      Set<String> clientScopes = client.getScope();
      if (clientScopes.contains("openid")) {
        clientScopes.remove("openid");
      }
      scopes = clientScopes;
    }
    DefaultAuthorizationRequest request =
        new DefaultAuthorizationRequest(
            parameters, Collections.<String, String>emptyMap(), clientId, scopes);
    request.addClientDetails(client);
    return request;
  }
Ejemplo n.º 3
0
 private ClientDetails removeSecret(ClientDetails client) {
   BaseClientDetails details = new BaseClientDetails();
   details.setClientId(client.getClientId());
   details.setScope(client.getScope());
   details.setResourceIds(client.getResourceIds());
   details.setAuthorizedGrantTypes(client.getAuthorizedGrantTypes());
   details.setRegisteredRedirectUri(client.getRegisteredRedirectUri());
   details.setAuthorities(client.getAuthorities());
   details.setAccessTokenValiditySeconds(client.getAccessTokenValiditySeconds());
   return details;
 }
 private String getAutoApproveScopes(ClientDetails clientDetails) {
   if (clientDetails.isAutoApprove("true")) {
     return "true"; // all scopes autoapproved
   }
   Set<String> scopes = new HashSet<String>();
   for (String scope : clientDetails.getScope()) {
     if (clientDetails.isAutoApprove(scope)) {
       scopes.add(scope);
     }
   }
   return StringUtils.collectionToCommaDelimitedString(scopes);
 }
  /**
   * Add or remove scopes derived from the current authenticated user's authorities (if any)
   *
   * @param scopes the initial set of scopes from the client registration
   * @param clientDetails
   * @param collection the users authorities
   * @return modified scopes adapted according to the rules specified
   */
  private Set<String> checkUserScopes(
      Set<String> scopes,
      Collection<? extends GrantedAuthority> authorities,
      ClientDetails clientDetails) {

    Set<String> result = new LinkedHashSet<String>(scopes);
    Set<String> allowed = new LinkedHashSet<String>(AuthorityUtils.authorityListToSet(authorities));

    // Add in all default scopes
    allowed.addAll(defaultScopes);
    // Find intersection of user authorities, default scopes and client
    // scopes:
    for (Iterator<String> iter = allowed.iterator(); iter.hasNext(); ) {
      String scope = iter.next();
      if (!clientDetails.getScope().contains(scope)) {
        iter.remove();
      }
    }

    // Weed out disallowed scopes:
    for (Iterator<String> iter = result.iterator(); iter.hasNext(); ) {
      String scope = iter.next();
      if (!allowed.contains(scope)) {
        iter.remove();
      }
    }

    // Check that a token with empty scope is not going to be granted
    if (result.isEmpty() && !clientDetails.getScope().isEmpty()) {
      throw new InvalidScopeException(
          "Invalid scope (empty) - this user is not allowed any of the requested scopes: "
              + scopes
              + " (either you requested a scope that was not allowed or client '"
              + clientDetails.getClientId()
              + "' is not allowed to act on behalf of this user)",
          allowed);
    }

    return result;
  }
 @Override
 public void validateParameters(Map<String, String> parameters, ClientDetails clientDetails) {
   if (parameters.containsKey("scope")) {
     if (clientDetails.isScoped()) {
       Set<String> validScope = clientDetails.getScope();
       for (String scope : OAuth2Utils.parseParameterList(parameters.get("scope"))) {
         if (!validScope.contains(scope)) {
           throw new InvalidScopeException("Invalid scope: " + scope, validScope);
         }
       }
     }
   }
 }
 /**
  * Apply UAA rules to validate the requested scope. For client credentials grants the valid scopes
  * are actually in the authorities of the client.
  *
  * @see
  *     org.springframework.security.oauth2.provider.endpoint.ParametersValidator#validateParameters(java.util.Map,
  *     org.springframework.security.oauth2.provider.ClientDetails)
  */
 @Override
 public void validateParameters(Map<String, String> parameters, ClientDetails clientDetails) {
   if (parameters.containsKey("scope")) {
     Set<String> validScope = clientDetails.getScope();
     if ("client_credentials".equals(parameters.get("grant_type"))) {
       validScope = AuthorityUtils.authorityListToSet(clientDetails.getAuthorities());
     }
     for (String scope : OAuth2Utils.parseParameterList(parameters.get("scope"))) {
       if (!validScope.contains(scope)) {
         throw new InvalidScopeException(
             "Invalid scope: "
                 + scope
                 + ". Did you know that you can get default scopes by simply sending no value?",
             validScope);
       }
     }
   }
 }