@Override
public ServerAccessToken createAccessToken(final AccessTokenRegistration atr)
throws OAuthServiceException {
token = new BearerAccessToken(atr.getClient(), 3600L);
final List<String> scope =
atr.getApprovedScope().isEmpty() ? atr.getRequestedScope() : atr.getApprovedScope();
token.setScopes(convertScopeToPermissions(atr.getClient(), scope));
token.setSubject(atr.getSubject());
token.setGrantType(atr.getGrantType());
return token;
}
private void setAtHashAndNonce(IdToken idToken, ServerAccessToken st) {
if (idToken.getAccessTokenHash() == null) {
Properties props = JwsUtils.loadSignatureOutProperties(false);
SignatureAlgorithm sigAlgo = null;
if (super.isSignWithClientSecret()) {
sigAlgo = OAuthUtils.getClientSecretSignatureAlgorithm(props);
} else {
sigAlgo = JwsUtils.getSignatureAlgorithm(props, SignatureAlgorithm.RS256);
}
if (sigAlgo != SignatureAlgorithm.NONE) {
String atHash = OidcUtils.calculateAccessTokenHash(st.getTokenKey(), sigAlgo);
idToken.setAccessTokenHash(atHash);
}
}
Message m = JAXRSUtils.getCurrentMessage();
if (m != null && m.getExchange().containsKey(OAuthConstants.NONCE)) {
idToken.setNonce((String) m.getExchange().get(OAuthConstants.NONCE));
} else if (st.getNonce() != null) {
idToken.setNonce(st.getNonce());
}
}
protected void saveAccessToken(ServerAccessToken serverToken) {
getEntityManager().getTransaction().begin();
List<OAuthPermission> perms = new LinkedList<OAuthPermission>();
for (OAuthPermission perm : serverToken.getScopes()) {
OAuthPermission permSaved =
getEntityManager().find(OAuthPermission.class, perm.getPermission());
if (permSaved != null) {
perms.add(permSaved);
} else {
getEntityManager().persist(perm);
perms.add(perm);
}
}
serverToken.setScopes(perms);
UserSubject sub =
getEntityManager().find(UserSubject.class, serverToken.getSubject().getLogin());
if (sub == null) {
getEntityManager().persist(serverToken.getSubject());
} else {
sub = getEntityManager().merge(serverToken.getSubject());
serverToken.setSubject(sub);
}
getEntityManager().persist(serverToken);
getEntityManager().getTransaction().commit();
}
/**
* Processes an access token request
*
* @param params the form parameters representing the access token grant
* @return Access Token or the error
*/
@POST
@Consumes("application/x-www-form-urlencoded")
@Produces("application/json")
public Response handleTokenRequest(MultivaluedMap<String, String> params) {
// Make sure the client is authenticated
Client client = authenticateClientIfNeeded(params);
if (!OAuthUtils.isGrantSupportedForClient(
client, isCanSupportPublicClients(), params.getFirst(OAuthConstants.GRANT_TYPE))) {
return createErrorResponse(params, OAuthConstants.UNAUTHORIZED_CLIENT);
}
try {
checkAudience(params);
} catch (OAuthServiceException ex) {
return super.createErrorResponseFromBean(ex.getError());
}
// Find the grant handler
AccessTokenGrantHandler handler = findGrantHandler(params);
if (handler == null) {
return createErrorResponse(params, OAuthConstants.UNSUPPORTED_GRANT_TYPE);
}
// Create the access token
ServerAccessToken serverToken = null;
try {
serverToken = handler.createAccessToken(client, params);
} catch (OAuthServiceException ex) {
return handleException(ex, OAuthConstants.INVALID_GRANT);
}
if (serverToken == null) {
return createErrorResponse(params, OAuthConstants.INVALID_GRANT);
}
// Extract the information to be of use for the client
ClientAccessToken clientToken =
new ClientAccessToken(serverToken.getTokenType(), serverToken.getTokenKey());
clientToken.setRefreshToken(serverToken.getRefreshToken());
if (isWriteOptionalParameters()) {
clientToken.setExpiresIn(serverToken.getExpiresIn());
List<OAuthPermission> perms = serverToken.getScopes();
if (!perms.isEmpty()) {
clientToken.setApprovedScope(OAuthUtils.convertPermissionsToScope(perms));
}
clientToken.setParameters(serverToken.getParameters());
}
// Return it to the client
return Response.ok(clientToken)
.header(HttpHeaders.CACHE_CONTROL, "no-store")
.header("Pragma", "no-cache")
.build();
}
private static ServerAccessToken recreateAccessToken(
OAuthDataProvider provider, String newTokenKey, String[] parts) {
@SuppressWarnings("serial")
final ServerAccessToken newToken =
new ServerAccessToken(
provider.getClient(parts[4]),
parts[1],
newTokenKey == null ? parts[0] : newTokenKey,
Long.valueOf(parts[2]),
Long.valueOf(parts[3])) {
//
};
newToken.setRefreshToken(getStringPart(parts[5]));
newToken.setGrantType(getStringPart(parts[6]));
newToken.setAudience(getStringPart(parts[7]));
newToken.setParameters(parseSimpleMap(parts[8]));
// Permissions
if (!parts[9].trim().isEmpty()) {
List<OAuthPermission> perms = new LinkedList<OAuthPermission>();
String[] allPermParts = parts[9].split("&");
for (int i = 0; i + 4 < allPermParts.length; i = i + 5) {
OAuthPermission perm = new OAuthPermission(allPermParts[i], allPermParts[i + 1]);
perm.setDefault(Boolean.valueOf(allPermParts[i + 2]));
perm.setHttpVerbs(parseSimpleList(allPermParts[i + 3]));
perm.setUris(parseSimpleList(allPermParts[i + 4]));
perms.add(perm);
}
newToken.setScopes(perms);
}
// UserSubject:
newToken.setSubject(recreateUserSubject(parts[10]));
return newToken;
}
@Override
public void removeAccessToken(final ServerAccessToken sat) throws OAuthServiceException {
if (token != null && token.getTokenKey().equals(sat.getTokenKey())) {
token = null;
}
}
@Override
public ServerAccessToken getAccessToken(final String tokenId) throws OAuthServiceException {
return token == null || token.getTokenKey().equals(tokenId) ? token : null;
}
private static String tokenizeServerToken(ServerAccessToken token) {
StringBuilder state = new StringBuilder();
// 0: key
state.append(tokenizeString(token.getTokenKey()));
// 1: type
state.append(SEP);
state.append(tokenizeString(token.getTokenType()));
// 2: expiresIn
state.append(SEP);
state.append(token.getExpiresIn());
// 3: issuedAt
state.append(SEP);
state.append(token.getIssuedAt());
// 4: client id
state.append(SEP);
state.append(tokenizeString(token.getClient().getClientId()));
// 5: refresh token
state.append(SEP);
state.append(tokenizeString(token.getRefreshToken()));
// 6: grant type
state.append(SEP);
state.append(tokenizeString(token.getGrantType()));
// 7: audience
state.append(SEP);
state.append(tokenizeString(token.getAudience()));
// 8: other parameters
state.append(SEP);
// {key=value, key=value}
state.append(token.getParameters().toString());
// 9: permissions
state.append(SEP);
if (token.getScopes().isEmpty()) {
state.append(" ");
} else {
for (OAuthPermission p : token.getScopes()) {
// 9.1
state.append(tokenizeString(p.getPermission()));
state.append(".");
// 9.2
state.append(tokenizeString(p.getDescription()));
state.append(".");
// 9.3
state.append(p.isDefault());
state.append(".");
// 9.4
state.append(p.getHttpVerbs().toString());
state.append(".");
// 9.5
state.append(p.getUris().toString());
}
}
state.append(SEP);
// 10: user subject
tokenizeUserSubject(state, token.getSubject());
return state.toString();
}
private String getProcessedIdToken(ServerAccessToken st) {
if (userInfoProvider != null) {
IdToken idToken =
userInfoProvider.getIdToken(
st.getClient().getClientId(), st.getSubject(), st.getScopes());
setAtHashAndNonce(idToken, st);
return super.processJwt(new JwtToken(idToken), st.getClient());
} else if (st.getSubject().getProperties().containsKey(OidcUtils.ID_TOKEN)) {
return st.getSubject().getProperties().get(OidcUtils.ID_TOKEN);
} else if (st.getSubject() instanceof OidcUserSubject) {
OidcUserSubject sub = (OidcUserSubject) st.getSubject();
IdToken idToken = new IdToken(sub.getIdToken());
idToken.setAudience(st.getClient().getClientId());
idToken.setAuthorizedParty(st.getClient().getClientId());
// if this token was refreshed then the cloned IDToken might need to have its
// issuedAt and expiry time properties adjusted if it proves to be necessary
setAtHashAndNonce(idToken, st);
return super.processJwt(new JwtToken(idToken), st.getClient());
} else {
return null;
}
}
