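/**
 * Builds the positional bind values for the client UPDATE statement.
 *
 * <p>The order must match the placeholders of the update SQL (not visible here): resource
 * ids, scope, authorized grant types, registered redirect uris, authorities, access token
 * validity, refresh token validity, additional information (JSON), auto-approve scopes and,
 * last, the client id for the WHERE clause. The client secret is deliberately not part of
 * this array, so an update never touches it.
 *
 * @param clientDetails the registration being persisted
 * @return the bind values in statement order; absent collections are bound as {@code null}
 */
private Object[] getFieldsForUpdate(ClientDetails clientDetails) {
  String json = null;
  try {
    json = mapper.write(clientDetails.getAdditionalInformation());
  } catch (Exception e) {
    // Best effort, as before: a serialization failure leaves json null, which clears the
    // stored additional information instead of failing the update. Only the client id is
    // logged -- the full ClientDetails object may carry the client secret, and a secret
    // must never end up in the log.
    logger.warn(
        "Could not serialize additional information for client '"
            + clientDetails.getClientId()
            + "'",
        e);
  }
  return new Object[] {
    joinOrNull(clientDetails.getResourceIds()),
    joinOrNull(clientDetails.getScope()),
    joinOrNull(clientDetails.getAuthorizedGrantTypes()),
    joinOrNull(clientDetails.getRegisteredRedirectUri()),
    joinOrNull(clientDetails.getAuthorities()),
    clientDetails.getAccessTokenValiditySeconds(),
    clientDetails.getRefreshTokenValiditySeconds(),
    json,
    getAutoApproveScopes(clientDetails),
    clientDetails.getClientId()
  };
}

/** Comma-joins a collection column, keeping {@code null} as {@code null} (NULL in the row). */
private static String joinOrNull(java.util.Collection<?> values) {
  return values == null ? null : StringUtils.collectionToCommaDelimitedString(values);
}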
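/**
 * Builds an {@link AuthorizationRequest} from the raw request parameters, enforcing
 * single use of the {@code nonce} for authenticated users and applying default scoping.
 *
 * <p>Nonce handling only runs once a {@link User} principal is present; before login the
 * endpoint is expected to call back into this method after the redirect from the login
 * page. A nonce already recorded for this client is rejected, otherwise it is stored with
 * an expiry of {@code nonceStorageDuration} from now. The reuse check and the save are two
 * separate calls, so two concurrent requests carrying the same nonce can both pass unless
 * {@code nonceService.save} enforces uniqueness itself -- NOTE(review): confirm.
 *
 * <p>Default scoping: without a {@code scope} parameter the client's registered scopes are
 * used minus {@code openid}, so that an OpenID Connect request can never be entered
 * implicitly (OIDC requires {@code openid} to be asked for explicitly).
 *
 * @param parameters the raw authorization request parameters; {@code client_id} is required
 * @return the populated request with the client details attached
 * @throws InvalidClientException if {@code client_id} is missing
 * @throws NonceReuseException if the nonce was already used for this client
 */
@Override
public AuthorizationRequest createAuthorizationRequest(Map<String, String> parameters) {
  String clientId = parameters.get("client_id");
  if (clientId == null) {
    throw new InvalidClientException("A client id must be provided");
  }
  ClientDetails client = clientDetailsService.loadClientByClientId(clientId);

  String requestNonce = parameters.get("nonce");
  if (requestNonce != null && currentPrincipalIsUser()) {
    rejectOrRecordNonce(client.getClientId(), requestNonce);
  }

  Set<String> scopes = OAuth2Utils.parseParameterList(parameters.get("scope"));
  if (scopes == null || scopes.isEmpty()) {
    // TODO: do we want to allow default scoping at all?
    scopes = defaultScopesFor(client);
  }

  DefaultAuthorizationRequest request =
      new DefaultAuthorizationRequest(
          parameters, Collections.<String, String>emptyMap(), clientId, scopes);
  request.addClientDetails(client);
  return request;
}

/**
 * True when the security context holds an authenticated {@link User} principal. A missing
 * Authentication (no login yet) is treated as "not a user" instead of throwing NPE.
 */
private boolean currentPrincipalIsUser() {
  if (SecurityContextHolder.getContext().getAuthentication() == null) {
    return false;
  }
  Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
  return principal instanceof User;
}

/**
 * Throws {@link NonceReuseException} if {@code requestNonce} was already recorded for the
 * client, otherwise stores it with use and expiry dates.
 */
private void rejectOrRecordNonce(String clientId, String requestNonce) {
  for (Nonce seen : nonceService.getByClientId(clientId)) {
    if (requestNonce.equals(seen.getValue())) {
      throw new NonceReuseException(clientId, seen);
    }
  }
  Nonce nonce = new Nonce();
  nonce.setClientId(clientId);
  nonce.setValue(requestNonce);
  DateTime now = new DateTime(new Date());
  nonce.setUseDate(now.toDate());
  nonce.setExpireDate(now.plus(nonceStorageDuration).toDate());
  nonceService.save(nonce);
}

/**
 * The client's registered scopes without {@code openid}, as a fresh set. The copy matters:
 * removing {@code openid} from the set returned by {@link ClientDetails#getScope()} in place
 * would strip it from the (possibly cached) registration itself for every later request.
 */
private Set<String> defaultScopesFor(ClientDetails client) {
  Set<String> registered = client.getScope();
  Set<String> defaults =
      registered == null
          ? new java.util.LinkedHashSet<String>()
          : new java.util.LinkedHashSet<String>(registered);
  defaults.remove("openid");
  return defaults;
}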
/**
 * Returns a copy of {@code client} with the client secret left out, for handing the
 * registration outside the server.
 *
 * <p>Only the fields set below are carried over: refresh token validity and additional
 * information are not copied, and nothing that {@code isAutoApprove} reports is either.
 * NOTE(review): whether those omissions are intentional is not visible here; confirm
 * against the callers that expose the result.
 *
 * @param client the stored registration, secret included
 * @return a new {@link BaseClientDetails} without the secret
 */
private ClientDetails removeSecret(ClientDetails client) {
  BaseClientDetails scrubbed = new BaseClientDetails();
  scrubbed.setClientId(client.getClientId());
  scrubbed.setResourceIds(client.getResourceIds());
  scrubbed.setAuthorizedGrantTypes(client.getAuthorizedGrantTypes());
  scrubbed.setRegisteredRedirectUri(client.getRegisteredRedirectUri());
  scrubbed.setScope(client.getScope());
  scrubbed.setAuthorities(client.getAuthorities());
  scrubbed.setAccessTokenValiditySeconds(client.getAccessTokenValiditySeconds());
  return scrubbed;
}
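/**
 * Serializes the client's auto-approve configuration for storage.
 *
 * @param clientDetails the client registration
 * @return the literal {@code "true"} when {@code isAutoApprove("true")} holds (all scopes
 *     auto-approved), otherwise the comma-delimited subset of the registered scopes that are
 *     individually auto-approved; empty when none are or no scopes are registered
 */
private String getAutoApproveScopes(ClientDetails clientDetails) {
  if (clientDetails.isAutoApprove("true")) {
    return "true"; // marker value: every scope is auto-approved
  }
  Set<String> registered = clientDetails.getScope();
  Set<String> autoApproved = new HashSet<String>();
  // getFieldsForUpdate already tolerates a client without registered scopes (it binds
  // NULL); do the same here instead of throwing NullPointerException -- such a client
  // simply has nothing to auto-approve.
  if (registered != null) {
    for (String scope : registered) {
      if (clientDetails.isAutoApprove(scope)) {
        autoApproved.add(scope);
      }
    }
  }
  return StringUtils.collectionToCommaDelimitedString(autoApproved);
}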
/**
 * Restricts the requested scopes to what both the authenticated user and the client are
 * allowed. The result is the requested scopes intersected with ((user authorities plus
 * {@code defaultScopes}) intersected with the client's registered scopes); the surviving
 * scopes keep the order of {@code scopes}.
 *
 * <p>The computed allowed set is attached to the {@link InvalidScopeException}. If that
 * exception is rendered back to the caller it reveals which of the client's scopes this
 * user holds -- NOTE(review): confirm that is acceptable for the error channel in use.
 *
 * @param scopes the scopes requested (or defaulted) for this authorization
 * @param authorities the user's granted authorities, interpreted as scope names
 * @param clientDetails the client registration whose scopes bound the result
 * @return the requested scopes that survive the filtering
 * @throws InvalidScopeException if nothing survives while the client does have registered scopes
 */
private Set<String> checkUserScopes(
    Set<String> scopes,
    Collection<? extends GrantedAuthority> authorities,
    ClientDetails clientDetails) {
  // Everything the user may hold: their authorities plus the global defaults ...
  Set<String> allowed =
      new LinkedHashSet<String>(AuthorityUtils.authorityListToSet(authorities));
  allowed.addAll(defaultScopes);
  // ... bounded by what the client is registered for.
  allowed.retainAll(clientDetails.getScope());

  // Of the requested scopes keep only the allowed ones.
  Set<String> granted = new LinkedHashSet<String>(scopes);
  granted.retainAll(allowed);

  // Never hand out a token with an empty scope for a scoped client.
  if (granted.isEmpty() && !clientDetails.getScope().isEmpty()) {
    throw new InvalidScopeException(
        "Invalid scope (empty) - this user is not allowed any of the requested scopes: "
            + scopes
            + " (either you requested a scope that was not allowed or client '"
            + clientDetails.getClientId()
            + "' is not allowed to act on behalf of this user)",
        allowed);
  }
  return granted;
}
/**
 * Rejects a {@code scope} parameter that names any scope the client is not registered for.
 * A client that is not scoped ({@link ClientDetails#isScoped()}) may request anything, and
 * a request without a {@code scope} parameter is not checked here at all.
 *
 * @param parameters the raw request parameters
 * @param clientDetails the client making the request
 * @throws InvalidScopeException for the first requested scope outside the client's registration
 */
@Override
public void validateParameters(Map<String, String> parameters, ClientDetails clientDetails) {
  if (!parameters.containsKey("scope") || !clientDetails.isScoped()) {
    return;
  }
  Set<String> registered = clientDetails.getScope();
  Set<String> requested = OAuth2Utils.parseParameterList(parameters.get("scope"));
  for (String requestedScope : requested) {
    if (!registered.contains(requestedScope)) {
      throw new InvalidScopeException("Invalid scope: " + requestedScope, registered);
    }
  }
}
/**
 * Applies the UAA rules for a requested {@code scope}: normally every requested scope must
 * be among the client's registered scopes, but for a {@code client_credentials} grant the
 * client acts for itself and its authorities bound the request instead.
 *
 * <p>{@code grant_type} is read straight from the request parameters; this is sound only
 * because the token endpoint dispatches the grant on the same parameter, so the set checked
 * here is the set that applies to the grant actually performed -- NOTE(review): confirm.
 * A request without a {@code scope} parameter is not checked here (defaults apply later).
 *
 * @param parameters the raw request parameters
 * @param clientDetails the client making the request
 * @throws InvalidScopeException for the first requested scope outside the permitted set
 * @see org.springframework.security.oauth2.provider.endpoint.ParametersValidator#validateParameters(java.util.Map,
 *     org.springframework.security.oauth2.provider.ClientDetails)
 */
@Override
public void validateParameters(Map<String, String> parameters, ClientDetails clientDetails) {
  if (!parameters.containsKey("scope")) {
    return;
  }
  Set<String> permitted = clientDetails.getScope();
  if ("client_credentials".equals(parameters.get("grant_type"))) {
    // No user involved: the client's own authorities are what it may ask for.
    permitted = AuthorityUtils.authorityListToSet(clientDetails.getAuthorities());
  }
  Set<String> requested = OAuth2Utils.parseParameterList(parameters.get("scope"));
  for (String requestedScope : requested) {
    if (!permitted.contains(requestedScope)) {
      throw new InvalidScopeException(
          "Invalid scope: "
              + requestedScope
              + ". Did you know that you can get default scopes by simply sending no value?",
          permitted);
    }
  }
}