/**
 * Stub lookup (looks like a test fixture): the requested {@code clientId} is ignored and the
 * same fixed client is returned for every call, built from the {@code CLIENT_ID},
 * {@code CLIENT_SECRET} and {@code GRANT_TYPES} constants. No scopes, authorities, resource ids
 * or redirect URIs are set on it.
 *
 * @param clientId unused; every lookup resolves to the one fixed client
 * @return a freshly built {@link BaseClientDetails} for the fixed client
 */
@Override
public ClientDetails loadClientByClientId(String clientId) {
    // Deliberately does not consult clientId: callers always get the single configured client.
    BaseClientDetails fixedClient = new BaseClientDetails();
    fixedClient.setClientId(CLIENT_ID);
    fixedClient.setClientSecret(CLIENT_SECRET);
    // GRANT_TYPES is expected to be a String[]; Arrays.asList gives the fixed-size view the setter accepts.
    fixedClient.setAuthorizedGrantTypes(Arrays.asList(GRANT_TYPES));
    return fixedClient;
}
/**
 * Create an authorization request applying various UAA rules to the authorizationParameters and
 * the registered client details.
 *
 * <ul>
 * <li>For client_credentials grants, the default scopes are the client's granted authorities
 * <li>For other grant types the default scopes are the registered scopes in the client details
 * <li>Only scopes in those lists are valid, otherwise there is an exception
 * <li>If the scopes contain separators then resource ids are extracted as the scope value up to
 * the last index of the separator
 * <li>Some scopes can be hard-wired to resource ids (like the open id connect values), in which
 * case the separator is ignored
 * </ul>
 *
 * NOTE(review), points to confirm against the callers and helpers not visible here:
 * <ul>
 * <li>{@code client_id} is read straight from the map; if absent, {@code loadClientByClientId(null)}
 * is still called and the outcome depends on the client details service.
 * <li>Scope validation ({@code checkUserScopes}) only runs for non-client_credentials grants when
 * the security context holds a user. Explicitly requested scopes on a client_credentials grant
 * are not checked against the client's authorities in this method; verify a later stage does.
 * <li>The {@code authorities} parameter drives scopes that bypass client-scope validation and
 * approval (see inline comment). That is only safe if this map entry is populated by a trusted
 * component and never copied from the end user's HTTP request.
 * <li>{@code clientDetails.getScope()} is used as a default without a null check; a client with
 * no registered scopes would make the later {@code scopes.isEmpty()} call fail.
 * </ul>
 *
 * @param authorizationParameters raw request parameters; {@code client_id}, {@code scope},
 *     {@code grant_type} and {@code authorities} are consulted
 * @return the populated {@link DefaultAuthorizationRequest}, with the (possibly defaulted)
 *     scopes, derived resource ids and the client details attached
 * @see
 * org.springframework.security.oauth2.provider.AuthorizationRequestFactory#createAuthorizationRequest(java.util.Map,
 * java.lang.String, java.lang.String, java.util.Set)
 */
@Override
public AuthorizationRequest createAuthorizationRequest(Map<String, String> authorizationParameters) {
    String clientId = authorizationParameters.get("client_id");
    // Copy so that the resource ids set below do not mutate the stored registration.
    BaseClientDetails clientDetails = new BaseClientDetails(clientDetailsService.loadClientByClientId(clientId));
    Set<String> scopes = OAuth2Utils.parseParameterList(authorizationParameters.get("scope"));
    String grantType = authorizationParameters.get("grant_type");
    if ((scopes == null || scopes.isEmpty())) {
        if ("client_credentials".equals(grantType)) {
            // The client authorities should be a list of scopes
            scopes = AuthorityUtils.authorityListToSet(clientDetails.getAuthorities());
        } else {
            // The default for a user token is the scopes registered with
            // the client
            scopes = clientDetails.getScope();
        }
    }
    Set<String> scopesFromExternalAuthorities = null;
    if (!"client_credentials".equals(grantType) && securityContextAccessor.isUser()) {
        // Restrict the requested scopes to what this user may obtain for this client.
        scopes = checkUserScopes(scopes, securityContextAccessor.getAuthorities(), clientDetails);
        // TODO: will the grantType ever contain client_credentials or
        // authorization_code
        // External Authorities are things like LDAP groups that will be
        // mapped to Oauth scopes
        // Add those scopes to the request. These scopes will not be
        // validated against the scopes
        // registered to a client.
        // These scopes also do not need approval. The fact that they are
        // already in an external
        // group communicates user approval. Denying approval does not mean
        // much
        // NOTE(review): because these scopes skip validation and approval, the "authorities"
        // entry must originate from a trusted source, not from the client's own request.
        scopesFromExternalAuthorities = findScopesFromAuthorities(authorizationParameters.get("authorities"));
    }
    // Resource ids are derived from the final scope set, then attached to the copied client.
    Set<String> resourceIds = getResourceIds(clientDetails, scopes);
    clientDetails.setResourceIds(resourceIds);
    DefaultAuthorizationRequest request = new DefaultAuthorizationRequest(authorizationParameters);
    if (!scopes.isEmpty()) {
        request.setScope(scopes);
    }
    if (scopesFromExternalAuthorities != null) {
        // The request's parameter map is replaced rather than mutated; the external scopes are
        // carried as an extra "external_scopes" parameter for downstream consumers.
        Map<String, String> existingAuthorizationParameters = new LinkedHashMap<String, String>();
        existingAuthorizationParameters.putAll(request.getAuthorizationParameters());
        existingAuthorizationParameters.put(
                "external_scopes", OAuth2Utils.formatParameterList(scopesFromExternalAuthorities));
        request.setAuthorizationParameters(existingAuthorizationParameters);
    }
    request.addClientDetails(clientDetails);
    return request;
}
/**
 * Registers the "app" client used by these tests. The defaults below (presumably resource ids,
 * scopes, grant types and authorities, in constructor order) may be overridden by the
 * {@code oauth.clients.app} entry of {@code testAccounts} before the client is created.
 *
 * The client secret is a fixed, well-known test value and is only acceptable against a
 * disposable UAA instance.
 *
 * @param client REST client authenticated to perform client registration
 */
private void createAppClient(RestOperations client) {
    BaseClientDetails appClient = new BaseClientDetails(
            "app",
            "none",
            "cloud_controller.read,openid,password.write",
            "password,authorization_code,refresh_token",
            "uaa.resource");
    // Hard-coded test credential.
    appClient.setClientSecret("appclientsecret");
    createClient(client, testAccounts.getClientDetails("oauth.clients.app", appClient));
}
/**
 * Registers the "scim" client used by these tests: a client_credentials-only client whose
 * authorities grant SCIM read/write and password changes. The defaults may be overridden by the
 * {@code oauth.clients.scim} entry of {@code testAccounts} before creation.
 *
 * The client secret is a fixed, well-known test value and is only acceptable against a
 * disposable UAA instance.
 *
 * @param client REST client authenticated to perform client registration
 */
private void createScimClient(RestOperations client) {
    BaseClientDetails scimClient = new BaseClientDetails(
            "scim",
            "none",
            "uaa.none",
            "client_credentials",
            "scim.read,scim.write,password.write");
    // Hard-coded test credential.
    scimClient.setClientSecret("scimsecret");
    createClient(client, testAccounts.getClientDetails("oauth.clients.scim", scimClient));
}
/**
 * PUT /oauth/clients/{client}: replaces the registration of an existing client with the
 * supplied details.
 *
 * The body is validated first ({@code validateClient(details, false)}), then the client id in
 * the body must equal the one in the URL so a caller cannot address one client while submitting
 * another's registration.
 *
 * NOTE(review): access control for this endpoint is not enforced in this method and is assumed
 * to come from the surrounding security configuration. Whether a {@code clientSecret} present in
 * the body is applied by {@code clientRegistrationService.updateClientDetails} is not visible
 * here; confirm secret changes are handled deliberately.
 *
 * @param details the new registration, deserialized from the request body
 * @param client  the client id from the URL path
 * @return 204 No Content on success
 * @throws IllegalStateException if the body's client id does not match the URL
 * @throws Exception             whatever validation or the registration service raises
 */
@RequestMapping(value = "/oauth/clients/{client}", method = RequestMethod.PUT)
public ResponseEntity<Void> updateClientDetails(@RequestBody BaseClientDetails details, @PathVariable String client)
        throws Exception {
    validateClient(details, false);
    String bodyClientId = details.getClientId();
    if (!client.equals(bodyClientId)) {
        // Equivalent to Assert.state(...): path and body disagree about which client is meant.
        throw new IllegalStateException(
                String.format("The client id (%s) does not match the URL (%s)", bodyClientId, client));
    }
    clientRegistrationService.updateClientDetails(details);
    return new ResponseEntity<Void>(HttpStatus.NO_CONTENT);
}
/**
 * A client-only authentication (no user authentication attached) whose client carries the UAA
 * admin authorities must be reported as admin by {@link DefaultSecurityContextAccessor}.
 */
@Test
public void adminClientIsAdmin() throws Exception {
    BaseClientDetails adminClient = new BaseClientDetails();
    adminClient.setAuthorities(UaaAuthority.ADMIN_AUTHORITIES);

    DefaultAuthorizationRequest adminRequest = new DefaultAuthorizationRequest("admin", null);
    adminRequest.addClientDetails(adminClient);

    // The null second argument is presumably the user authentication: this models a pure
    // client_credentials caller, so isAdmin() must be decided from the client's authorities.
    OAuth2Authentication clientOnlyAuth = new OAuth2Authentication(adminRequest, null);
    SecurityContextHolder.getContext().setAuthentication(clientOnlyAuth);

    assertTrue(new DefaultSecurityContextAccessor().isAdmin());
}
/**
 * Builds a copy of {@code client} without its secret (judging by the name, for returning client
 * registrations to API callers).
 *
 * Copied: client id, scopes, resource ids, grant types, registered redirect URIs, authorities and
 * access-token validity. Not copied: the client secret, and also refresh-token validity and
 * additionalInformation. NOTE(review): the latter two omissions may be intentional (the name only
 * promises to drop the secret) — confirm callers do not rely on them.
 *
 * @param client the stored registration, including its secret
 * @return a new {@link BaseClientDetails} with the secret left unset
 */
private ClientDetails removeSecret(ClientDetails client) {
    BaseClientDetails sanitized = new BaseClientDetails();
    sanitized.setClientId(client.getClientId());
    sanitized.setAuthorizedGrantTypes(client.getAuthorizedGrantTypes());
    sanitized.setScope(client.getScope());
    sanitized.setResourceIds(client.getResourceIds());
    sanitized.setAuthorities(client.getAuthorities());
    sanitized.setRegisteredRedirectUri(client.getRegisteredRedirectUri());
    sanitized.setAccessTokenValiditySeconds(client.getAccessTokenValiditySeconds());
    // clientSecret is deliberately never set on the copy.
    return sanitized;
}
/**
 * Wires the approvals endpoint under test against the real JDBC approval store.
 *
 * A single in-memory client "c1" is registered (several grant types, including implicit and
 * client_credentials, with an "autoapprove" marker — presumably so the tests are not blocked on
 * approval prompts), and the security context is mocked as the "marissa" user loaded from the
 * user database.
 */
@Before
public void createDatasource() {
    template = new JdbcTemplate(dataSource);
    marissa = userDao.retrieveUserByName("marissa");
    dao = new JdbcApprovalStore(template, new SimpleSearchQueryConverter());

    BaseClientDetails testClient = new BaseClientDetails(
            "c1",
            "scim,clients",
            "read,write",
            "authorization_code, password, implicit, client_credentials",
            "update");
    testClient.addAdditionalInformation("autoapprove", "true");
    InMemoryClientDetailsService clients = new InMemoryClientDetailsService();
    clients.setClientDetailsStore(Collections.singletonMap("c1", testClient));

    endpoints = new ApprovalsAdminEndpoints();
    endpoints.setApprovalStore(dao);
    endpoints.setUaaUserDatabase(userDao);
    endpoints.setClientDetailsService(clients);
    endpoints.setSecurityContextAccessor(mockSecurityContextAccessor(marissa.getUsername()));
}
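/**
 * Maps one row of the client registration query to a {@link ClientDetails}.
 *
 * Columns are read positionally and must line up with the SELECT feeding this mapper
 * (presumably: 1 client id, 2 client secret, 3 resource ids, 4 scope, 5 grant types,
 * 6 redirect URIs, 7 authorities, 8 access-token validity, 9 refresh-token validity,
 * 10 additional information as JSON — confirm against the query; the six-argument constructor
 * is assumed to take clientId, resourceIds, scopes, grantTypes, authorities, redirectUris in
 * that order). NOTE(review): {@code rs.getInt} yields 0 for SQL NULL, so a NULL validity column
 * becomes an explicit 0 rather than "unset" — check that is what the token services expect.
 *
 * Malformed additional-information JSON is not fatal: the client is returned without it and a
 * warning is logged. The warning names only the client id — at that point the details object
 * already holds the client secret read from column 2, so it must never be logged wholesale.
 *
 * @param rs     cursor positioned on the row to map
 * @param rowNum row index supplied by JdbcTemplate (unused)
 * @return the mapped client, never null
 * @throws SQLException if reading any column fails
 */
public ClientDetails mapRow(ResultSet rs, int rowNum) throws SQLException {
    BaseClientDetails details = new BaseClientDetails(
            rs.getString(1), rs.getString(3), rs.getString(4), rs.getString(5), rs.getString(7), rs.getString(6));
    details.setClientSecret(rs.getString(2));
    details.setAccessTokenValiditySeconds(rs.getInt(8));
    details.setRefreshTokenValiditySeconds(rs.getInt(9));
    String json = rs.getString(10);
    if (json != null) {
        try {
            @SuppressWarnings("unchecked")
            Map<String, Object> additionalInformation = mapper.readValue(json, Map.class);
            details.setAdditionalInformation(additionalInformation);
        } catch (Exception e) {
            // Best effort: keep the client usable without its additional information. Log the
            // id only — stringifying the whole object would put the client secret into the log.
            logger.warn("Could not decode JSON for additional information of client " + details.getClientId(), e);
        }
    }
    return details;
}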