コード例 #1
ファイル: ClientAdminEndpoints.java プロジェクト: aiddren/uaa
  /**
   * Validates the grant types and the secret of a client submitted for registration or change.
   *
   * <p>Every authorized grant type must appear in the fixed allowlist below. When {@code create}
   * is true, a client whose only grant type is {@code implicit} must not carry a secret, and any
   * other client must carry one. No secret rule is applied when {@code create} is false.
   *
   * @param client the client details to validate
   * @param create true when the client is being created
   * @throws InvalidClientDetailsException if a grant type is not in the allowlist or the secret
   *     rule for creation is violated
   */
  private void validateClient(ClientDetails client, boolean create) {
    // Allowlist of grant types: anything not named here is rejected, so a new or misspelled
    // grant type fails closed instead of being stored.
    final Set<String> allowedGrants =
        new HashSet<String>(
            Arrays.asList(
                "implicit",
                "password",
                "client_credentials",
                "authorization_code",
                "refresh_token"));

    for (String requested : client.getAuthorizedGrantTypes()) {
      if (allowedGrants.contains(requested)) {
        continue;
      }
      throw new InvalidClientDetailsException(
          requested + " is not an allowed grant type. Must be one of: " + allowedGrants.toString());
    }

    // The secret rule below is enforced on creation only.
    if (!create) {
      return;
    }

    boolean implicitOnly =
        client.getAuthorizedGrantTypes().size() == 1
            && client.getAuthorizedGrantTypes().contains("implicit");
    boolean secretPresent = StringUtils.hasText(client.getClientSecret());

    if (implicitOnly && secretPresent) {
      // A purely implicit client has no use for a secret, so supplying one is treated as an error.
      throw new InvalidClientDetailsException("implicit grant does not require a client_secret");
    }
    if (!implicitOnly && !secretPresent) {
      // Any client that can use a non-implicit grant must authenticate with a secret.
      throw new InvalidClientDetailsException(
          "client_secret is required for non-implicit grant types");
    }
  }
コード例 #2
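 /**
  * Builds the array of field values used to update a stored client.
  *
  * <p>Collection-valued properties are flattened to comma-delimited strings (or {@code null}
  * when the property itself is null). The additional information map is serialized through
  * {@code mapper}; if that fails, a warning is logged and {@code null} is stored in its place.
  * The client secret is not part of this array.
  *
  * @param clientDetails the client whose updatable fields are collected
  * @return the field values, ending with the client id
  */
 private Object[] getFieldsForUpdate(ClientDetails clientDetails) {
   String json = null;
   try {
     json = mapper.write(clientDetails.getAdditionalInformation());
   } catch (Exception e) {
     // Best effort: a serialization failure must not block the update, so json stays null.
     // Only the client id is logged. The string form of a ClientDetails implementation may
     // include the client secret, which should not reach the log.
     logger.warn(
         "Could not serialize additional information for client: "
             + clientDetails.getClientId(),
         e);
   }
   // NOTE(review): the element order presumably matches the placeholders of the update
   // statement used by the caller. Confirm before reordering anything here.
   return new Object[] {
     clientDetails.getResourceIds() != null
         ? StringUtils.collectionToCommaDelimitedString(clientDetails.getResourceIds())
         : null,
     clientDetails.getScope() != null
         ? StringUtils.collectionToCommaDelimitedString(clientDetails.getScope())
         : null,
     clientDetails.getAuthorizedGrantTypes() != null
         ? StringUtils.collectionToCommaDelimitedString(clientDetails.getAuthorizedGrantTypes())
         : null,
     clientDetails.getRegisteredRedirectUri() != null
         ? StringUtils.collectionToCommaDelimitedString(clientDetails.getRegisteredRedirectUri())
         : null,
     clientDetails.getAuthorities() != null
         ? StringUtils.collectionToCommaDelimitedString(clientDetails.getAuthorities())
         : null,
     clientDetails.getAccessTokenValiditySeconds(),
     clientDetails.getRefreshTokenValiditySeconds(),
     json,
     getAutoApproveScopes(clientDetails),
     clientDetails.getClientId()
   };
 }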
コード例 #3
 /**
  * Reports whether a refresh token is supported for the client behind the given request.
  *
  * <p>When a {@link #setClientDetailsService(ClientDetailsService) clientDetailsService} is set,
  * the answer is whether that client's authorized grant types include {@code refresh_token}.
  * Otherwise the global {@code supportRefreshToken} setting is returned.
  *
  * @param authorizationRequest the current authorization request
  * @return boolean to indicate if refresh token is supported
  */
 protected boolean isSupportRefreshToken(OAuth2Request authorizationRequest) {
   if (clientDetailsService == null) {
     // No per-client data available: fall back to the global flag.
     return this.supportRefreshToken;
   }
   String clientId = authorizationRequest.getClientId();
   ClientDetails registered = clientDetailsService.loadClientByClientId(clientId);
   // The per-client grant list decides, so a client without the refresh_token grant gets no
   // refresh token on this path, whatever the global flag says.
   // NOTE(review): the loaded client is dereferenced without a null check. Confirm that
   // loadClientByClientId never returns null for an unknown id.
   return registered.getAuthorizedGrantTypes().contains("refresh_token");
 }
コード例 #4
ファイル: ClientAdminEndpoints.java プロジェクト: aiddren/uaa
 /**
  * Returns a copy of the given client that does not carry the client secret.
  *
  * <p>The copy is built field by field from an explicit list, so a property reaches the result
  * only if it is named here. The secret is never set on the copy.
  *
  * @param client the stored client, possibly holding a secret
  * @return a new {@code BaseClientDetails} with the copied, non-secret fields
  */
 private ClientDetails removeSecret(ClientDetails client) {
   BaseClientDetails sanitized = new BaseClientDetails();
   sanitized.setClientId(client.getClientId());
   sanitized.setResourceIds(client.getResourceIds());
   sanitized.setScope(client.getScope());
   sanitized.setAuthorities(client.getAuthorities());
   sanitized.setAuthorizedGrantTypes(client.getAuthorizedGrantTypes());
   sanitized.setRegisteredRedirectUri(client.getRegisteredRedirectUri());
   sanitized.setAccessTokenValiditySeconds(client.getAccessTokenValiditySeconds());
   // NOTE(review): refresh token validity and additional information are not copied.
   // Confirm that omission is intended.
   return sanitized;
 }
コード例 #5
  /**
   * Resolves the redirect URI to use for a client.
   *
   * <p>The client must have at least one authorized grant type, and {@code
   * containsRedirectGrantType} must accept its grant types. If the client has registered
   * redirect URIs, the requested value is passed to {@code obtainMatchingRedirect} together
   * with them. If it has none, a non-blank requested value is returned as given.
   *
   * @param requestedRedirect the redirect URI asked for, may be null or blank
   * @param client the client the redirect is resolved for
   * @return the redirect URI to use
   * @throws OAuth2Exception if the client's grant types do not allow a redirect, or if no
   *     redirect URI is registered and none was supplied
   */
  public String resolveRedirect(String requestedRedirect, ClientDetails client)
      throws OAuth2Exception {

    Set<String> grantTypes = client.getAuthorizedGrantTypes();
    if (grantTypes.isEmpty()) {
      throw new InvalidGrantException("A client must have at least one authorized grant type.");
    }
    if (!containsRedirectGrantType(grantTypes)) {
      throw new InvalidGrantException(
          "A redirect_uri can only be used by implicit or authorization_code grant types.");
    }

    Set<String> registered = client.getRegisteredRedirectUri();
    boolean hasRegistered = registered != null && !registered.isEmpty();
    if (hasRegistered) {
      // Registered URIs exist: the requested value is checked against them.
      return obtainMatchingRedirect(registered, requestedRedirect);
    }

    if (!StringUtils.hasText(requestedRedirect)) {
      throw new RedirectMismatchException("A redirect_uri must be supplied.");
    }
    // NOTE(review): with no registered redirect URI the requested value is returned unchanged.
    // It presumably comes from the authorization request, so nothing on this path vets it.
    // Requiring every client to register at least one redirect URI, or rejecting the request
    // here, would close that gap. Confirm which callers rely on the current behaviour first.
    return requestedRedirect;
  }