/** * Create an authorization request applying various UAA rules to the authorizationParameters and * the registered client details. * * <ul> * <li>For client_credentials grants, the default scopes are the client's granted authorities * <li>For other grant types the default scopes are the registered scopes in the client details * <li>Only scopes in those lists are valid, otherwise there is an exception * <li>If the scopes contain separators then resource ids are extracted as the scope value up to * the last index of the separator * <li>Some scopes can be hard-wired to resource ids (like the open id connect values), in which * case the separator is ignored * </ul> * * @see * org.springframework.security.oauth2.provider.AuthorizationRequestFactory#createAuthorizationRequest(java.util.Map, * java.lang.String, java.lang.String, java.util.Set) */ @Override public AuthorizationRequest createAuthorizationRequest( Map<String, String> authorizationParameters) { String clientId = authorizationParameters.get("client_id"); BaseClientDetails clientDetails = new BaseClientDetails(clientDetailsService.loadClientByClientId(clientId)); Set<String> scopes = OAuth2Utils.parseParameterList(authorizationParameters.get("scope")); String grantType = authorizationParameters.get("grant_type"); if ((scopes == null || scopes.isEmpty())) { if ("client_credentials".equals(grantType)) { // The client authorities should be a list of scopes scopes = AuthorityUtils.authorityListToSet(clientDetails.getAuthorities()); } else { // The default for a user token is the scopes registered with // the client scopes = clientDetails.getScope(); } } Set<String> scopesFromExternalAuthorities = null; if (!"client_credentials".equals(grantType) && securityContextAccessor.isUser()) { scopes = checkUserScopes(scopes, securityContextAccessor.getAuthorities(), clientDetails); // TODO: will the grantType ever contain client_credentials or // authorization_code // External Authorities are things like LDAP groups that will be // mapped to Oauth scopes // Add those scopes to the request. These scopes will not be // validated against the scopes // registered to a client. // These scopes also do not need approval. The fact that they are // already in an external // group communicates user approval. Denying approval does not mean // much scopesFromExternalAuthorities = findScopesFromAuthorities(authorizationParameters.get("authorities")); } Set<String> resourceIds = getResourceIds(clientDetails, scopes); clientDetails.setResourceIds(resourceIds); DefaultAuthorizationRequest request = new DefaultAuthorizationRequest(authorizationParameters); if (!scopes.isEmpty()) { request.setScope(scopes); } if (scopesFromExternalAuthorities != null) { Map<String, String> existingAuthorizationParameters = new LinkedHashMap<String, String>(); existingAuthorizationParameters.putAll(request.getAuthorizationParameters()); existingAuthorizationParameters.put( "external_scopes", OAuth2Utils.formatParameterList(scopesFromExternalAuthorities)); request.setAuthorizationParameters(existingAuthorizationParameters); } request.addClientDetails(clientDetails); return request; }
/** * @param formParams * @return */ @POST @Path(OAUTH_TOKEN) @Produces(value = {MediaType.APPLICATION_JSON}) @Consumes(MediaType.APPLICATION_FORM_URLENCODED) public Response obtainOauth2TokenPost( @FormParam("grant_type") String grantType, MultivaluedMap<String, String> formParams) { String clientId = formParams.getFirst("client_id"); String clientSecret = formParams.getFirst("client_secret"); String code = formParams.getFirst("code"); String state = formParams.getFirst("state"); String redirectUri = formParams.getFirst("redirect_uri"); String resourceId = formParams.getFirst("resource_id"); String refreshToken = formParams.getFirst("refresh_token"); String scopeList = formParams.getFirst("scope"); Set<String> scopes = new HashSet<String>(); if (StringUtils.isNotEmpty(scopeList)) { scopes = OAuth2Utils.parseParameterList(scopeList); } return orcidClientCredentialEndPointDelegator.obtainOauth2Token( clientId, clientSecret, refreshToken, grantType, code, scopes, state, redirectUri, resourceId); }
@Override public AuthorizationRequest createAuthorizationRequest(Map<String, String> parameters) { String clientId = parameters.get("client_id"); if (clientId == null) { throw new InvalidClientException("A client id must be provided"); } ClientDetails client = clientDetailsService.loadClientByClientId(clientId); String requestNonce = parameters.get("nonce"); // Only process if the user is authenticated. If the user is not authenticated yet, this // code will be called a second time once the user is redirected from the login page back // to the auth endpoint. Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal(); if (requestNonce != null && principal != null && principal instanceof User) { // Check request nonce for reuse Collection<Nonce> clientNonces = nonceService.getByClientId(client.getClientId()); for (Nonce nonce : clientNonces) { String nonceVal = nonce.getValue(); if (nonceVal.equals(requestNonce)) { throw new NonceReuseException(client.getClientId(), nonce); } } // Store nonce Nonce nonce = new Nonce(); nonce.setClientId(client.getClientId()); nonce.setValue(requestNonce); DateTime now = new DateTime(new Date()); nonce.setUseDate(now.toDate()); DateTime expDate = now.plus(nonceStorageDuration); Date expirationJdkDate = expDate.toDate(); nonce.setExpireDate(expirationJdkDate); nonceService.save(nonce); } Set<String> scopes = OAuth2Utils.parseParameterList(parameters.get("scope")); if ((scopes == null || scopes.isEmpty())) { // TODO: do we want to allow default scoping at all? // If no scopes are specified in the incoming data, it is possible to default to the client's // registered scopes, but minus the "openid" scope. OpenID Connect requests MUST have the // "openid" scope. Set<String> clientScopes = client.getScope(); if (clientScopes.contains("openid")) { clientScopes.remove("openid"); } scopes = clientScopes; } DefaultAuthorizationRequest request = new DefaultAuthorizationRequest( parameters, Collections.<String, String>emptyMap(), clientId, scopes); request.addClientDetails(client); return request; }
@Override public void validateParameters(Map<String, String> parameters, ClientDetails clientDetails) { if (parameters.containsKey("scope")) { if (clientDetails.isScoped()) { Set<String> validScope = clientDetails.getScope(); for (String scope : OAuth2Utils.parseParameterList(parameters.get("scope"))) { if (!validScope.contains(scope)) { throw new InvalidScopeException("Invalid scope: " + scope, validScope); } } } } }
private String appendAccessToken( AuthorizationRequest authorizationRequest, OAuth2AccessToken accessToken) { Map<String, Object> vars = new LinkedHashMap<String, Object>(); Map<String, String> keys = new HashMap<String, String>(); if (accessToken == null) { throw new InvalidRequestException("An implicit grant could not be made"); } vars.put("access_token", accessToken.getValue()); vars.put("token_type", accessToken.getTokenType()); String state = authorizationRequest.getState(); if (state != null) { vars.put("state", state); } Date expiration = accessToken.getExpiration(); if (expiration != null) { long expires_in = (expiration.getTime() - System.currentTimeMillis()) / 1000; vars.put("expires_in", expires_in); } String originalScope = authorizationRequest.getRequestParameters().get(OAuth2Utils.SCOPE); if (originalScope == null || !OAuth2Utils.parseParameterList(originalScope).equals(accessToken.getScope())) { vars.put("scope", OAuth2Utils.formatParameterList(accessToken.getScope())); } Map<String, Object> additionalInformation = accessToken.getAdditionalInformation(); for (String key : additionalInformation.keySet()) { Object value = additionalInformation.get(key); if (value != null) { keys.put("extra_" + key, key); vars.put("extra_" + key, value); } } // Do not include the refresh token (even if there is one) return append(authorizationRequest.getRedirectUri(), vars, keys, true); }
/* (non-Javadoc) * @see org.mitre.oauth2.introspectingfilter.IntrospectionAuthorityGranter#getAuthorities(net.minidev.json.JSONObject) */ @Override public List<GrantedAuthority> getAuthorities(JsonObject introspectionResponse) { List<GrantedAuthority> auth = new ArrayList<>(getAuthorities()); if (introspectionResponse.has("scope") && introspectionResponse.get("scope").isJsonPrimitive()) { String scopeString = introspectionResponse.get("scope").getAsString(); Set<String> scopes = OAuth2Utils.parseParameterList(scopeString); for (String scope : scopes) { auth.add(new SimpleGrantedAuthority("OAUTH_SCOPE_" + scope)); } } return auth; }
/** * Apply UAA rules to validate the requested scope. For client credentials grants the valid scopes * are actually in the authorities of the client. * * @see * org.springframework.security.oauth2.provider.endpoint.ParametersValidator#validateParameters(java.util.Map, * org.springframework.security.oauth2.provider.ClientDetails) */ @Override public void validateParameters(Map<String, String> parameters, ClientDetails clientDetails) { if (parameters.containsKey("scope")) { Set<String> validScope = clientDetails.getScope(); if ("client_credentials".equals(parameters.get("grant_type"))) { validScope = AuthorityUtils.authorityListToSet(clientDetails.getAuthorities()); } for (String scope : OAuth2Utils.parseParameterList(parameters.get("scope"))) { if (!validScope.contains(scope)) { throw new InvalidScopeException( "Invalid scope: " + scope + ". Did you know that you can get default scopes by simply sending no value?", validScope); } } } }
private Collection<String> getScope(HttpServletRequest request) { return OAuth2Utils.parseParameterList(request.getParameter("scope")); }