/**
* Create an authorization request applying various UAA rules to the authorizationParameters and
* the registered client details.
*
* <ul>
* <li>For client_credentials grants, the default scopes are the client's granted authorities
* <li>For other grant types the default scopes are the registered scopes in the client details
* <li>Only scopes in those lists are valid, otherwise there is an exception
* <li>If the scopes contain separators then resource ids are extracted as the scope value up to
* the last index of the separator
* <li>Some scopes can be hard-wired to resource ids (like the open id connect values), in which
* case the separator is ignored
* </ul>
*
* @see
* org.springframework.security.oauth2.provider.AuthorizationRequestFactory#createAuthorizationRequest(java.util.Map,
* java.lang.String, java.lang.String, java.util.Set)
*/
@Override
public AuthorizationRequest createAuthorizationRequest(
Map<String, String> authorizationParameters) {
String clientId = authorizationParameters.get("client_id");
BaseClientDetails clientDetails =
new BaseClientDetails(clientDetailsService.loadClientByClientId(clientId));
Set<String> scopes = OAuth2Utils.parseParameterList(authorizationParameters.get("scope"));
String grantType = authorizationParameters.get("grant_type");
if ((scopes == null || scopes.isEmpty())) {
if ("client_credentials".equals(grantType)) {
// The client authorities should be a list of scopes
scopes = AuthorityUtils.authorityListToSet(clientDetails.getAuthorities());
} else {
// The default for a user token is the scopes registered with
// the client
scopes = clientDetails.getScope();
}
}
Set<String> scopesFromExternalAuthorities = null;
if (!"client_credentials".equals(grantType) && securityContextAccessor.isUser()) {
scopes = checkUserScopes(scopes, securityContextAccessor.getAuthorities(), clientDetails);
// TODO: will the grantType ever contain client_credentials or
// authorization_code
// External Authorities are things like LDAP groups that will be
// mapped to Oauth scopes
// Add those scopes to the request. These scopes will not be
// validated against the scopes
// registered to a client.
// These scopes also do not need approval. The fact that they are
// already in an external
// group communicates user approval. Denying approval does not mean
// much
scopesFromExternalAuthorities =
findScopesFromAuthorities(authorizationParameters.get("authorities"));
}
Set<String> resourceIds = getResourceIds(clientDetails, scopes);
clientDetails.setResourceIds(resourceIds);
DefaultAuthorizationRequest request = new DefaultAuthorizationRequest(authorizationParameters);
if (!scopes.isEmpty()) {
request.setScope(scopes);
}
if (scopesFromExternalAuthorities != null) {
Map<String, String> existingAuthorizationParameters = new LinkedHashMap<String, String>();
existingAuthorizationParameters.putAll(request.getAuthorizationParameters());
existingAuthorizationParameters.put(
"external_scopes", OAuth2Utils.formatParameterList(scopesFromExternalAuthorities));
request.setAuthorizationParameters(existingAuthorizationParameters);
}
request.addClientDetails(clientDetails);
return request;
}
private String appendAccessToken(
AuthorizationRequest authorizationRequest, OAuth2AccessToken accessToken) {
Map<String, Object> vars = new LinkedHashMap<String, Object>();
Map<String, String> keys = new HashMap<String, String>();
if (accessToken == null) {
throw new InvalidRequestException("An implicit grant could not be made");
}
vars.put("access_token", accessToken.getValue());
vars.put("token_type", accessToken.getTokenType());
String state = authorizationRequest.getState();
if (state != null) {
vars.put("state", state);
}
Date expiration = accessToken.getExpiration();
if (expiration != null) {
long expires_in = (expiration.getTime() - System.currentTimeMillis()) / 1000;
vars.put("expires_in", expires_in);
}
String originalScope = authorizationRequest.getRequestParameters().get(OAuth2Utils.SCOPE);
if (originalScope == null
|| !OAuth2Utils.parseParameterList(originalScope).equals(accessToken.getScope())) {
vars.put("scope", OAuth2Utils.formatParameterList(accessToken.getScope()));
}
Map<String, Object> additionalInformation = accessToken.getAdditionalInformation();
for (String key : additionalInformation.keySet()) {
Object value = additionalInformation.get(key);
if (value != null) {
keys.put("extra_" + key, key);
vars.put("extra_" + key, value);
}
}
// Do not include the refresh token (even if there is one)
return append(authorizationRequest.getRedirectUri(), vars, keys, true);
}
