// 要不要PreApproval?? @Override public AuthorizationRequest checkForPreApproval( AuthorizationRequest authorizationRequest, Authentication userAuthentication) { boolean approved = false; String clientId = authorizationRequest.getClientId(); Set<String> scopes = authorizationRequest.getScope(); OAuth2Request storedOAuth2Request = requestFactory.createOAuth2Request(authorizationRequest); OAuth2Authentication authentication = new OAuth2Authentication(storedOAuth2Request, userAuthentication); if (logger.isDebugEnabled()) { StringBuilder builder = new StringBuilder("Looking up existing token for "); builder.append("client_id=" + clientId); builder.append(", scope=" + scopes); builder.append(" and username="******"Existing access token=" + accessToken); if (accessToken != null && !accessToken.isExpired()) { logger.debug("User already approved with token=" + accessToken); approved = true; } else { logger.debug("Checking explicit approval"); approved = userAuthentication.isAuthenticated() && approved; } authorizationRequest.setApproved(approved); return authorizationRequest; }
/** * Basic implementation just requires the authorization request to be explicitly approved and the * user to be authenticated. * * @param authorizationRequest The authorization request. * @param userAuthentication the current user authentication * @return Whether the specified request has been approved by the current user. */ public boolean isApproved( AuthorizationRequest authorizationRequest, Authentication userAuthentication) { String flag = authorizationRequest.getApprovalParameters().get(approvalParameter); boolean approved = flag != null && flag.toLowerCase().equals("true"); OAuth2Authentication authentication = new OAuth2Authentication(authorizationRequest, userAuthentication); if (logger.isDebugEnabled()) { StringBuilder builder = new StringBuilder("Looking up existing token for "); builder.append("client_id=" + authorizationRequest.getClientId()); builder.append(", scope=" + authorizationRequest.getScope()); builder.append(" and username="******"Existing access token=" + accessToken); if (accessToken != null && !accessToken.isExpired()) { logger.debug("User already approved with token=" + accessToken); // A token was already granted and is still valid, so this is already approved approved = true; } else { logger.debug("Checking explicit approval"); approved = userAuthentication.isAuthenticated() && approved; } return approved; }
@Test public void testOauthClient() throws Exception { AuthorizationRequest request = new AuthorizationRequest("foo", Collections.singleton("read")); request.setResourceIdsAndAuthoritiesFromClientDetails( new BaseClientDetails("foo", "", "", "client_credentials", "ROLE_CLIENT")); Authentication userAuthentication = null; OAuth2Request clientAuthentication = RequestTokenFactory.createOAuth2Request( request.getRequestParameters(), request.getClientId(), request.getAuthorities(), request.isApproved(), request.getScope(), request.getResourceIds(), request.getRedirectUri(), request.getResponseTypes(), request.getExtensions()); OAuth2Authentication oAuth2Authentication = new OAuth2Authentication(clientAuthentication, userAuthentication); MethodInvocation invocation = new SimpleMethodInvocation(this, ReflectionUtils.findMethod(getClass(), "testOauthClient")); EvaluationContext context = handler.createEvaluationContext(oAuth2Authentication, invocation); Expression expression = handler.getExpressionParser().parseExpression("#oauth2.clientHasAnyRole('ROLE_CLIENT')"); assertTrue((Boolean) expression.getValue(context)); }
@RequestMapping("/oauth/confirm_access") public ModelAndView getAccessConfirmation(@ModelAttribute AuthorizationRequest clientAuth) throws Exception { ClientDetails client = clientDetailsService.loadClientByClientId(clientAuth.getClientId()); TreeMap<String, Object> model = new TreeMap<String, Object>(); model.put("auth_request", clientAuth); model.put("client", client); return new ModelAndView("access_confirmation", model); }
@RequestMapping("/oauth/confirm_access") public String confirm( @ModelAttribute AuthorizationRequest clientAuth, Map<String, Object> model, final HttpServletRequest request) throws Exception { if (clientAuth == null) { model.put( "error", "No authorizatioun request is present, so we cannot confirm access (we don't know what you are asking for)."); // response.sendError(HttpServletResponse.SC_BAD_REQUEST); } else { ClientDetails client = clientDetailsService.loadClientByClientId(clientAuth.getClientId()); model.put("auth_request", clientAuth); model.put("client", client); model.put( "message", "To confirm or deny access POST to the following locations with the parameters requested."); Map<String, Object> options = new HashMap<String, Object>() { { put( "confirm", new HashMap<String, String>() { { put("location", getLocation(request, "oauth/authorize")); put("path", getPath(request, "oauth/authorize")); put("key", "user_oauth_approval"); put("value", "true"); } }); put( "deny", new HashMap<String, String>() { { put("location", getLocation(request, "oauth/authorize")); put("path", getPath(request, "oauth/authorize")); put("key", "user_oauth_approval"); put("value", "false"); } }); } }; model.put("options", options); } return "access_confirmation"; }
/** * Basic access confirmation controller for OAuth2 * * @param model Model objects to be passed to the view * @param principal The principal user making the auth request * @return A ModelAndView for the access_confirmation page */ @RequestMapping("/api/oauth/confirm_access") public ModelAndView getAccessConfirmation(Map<String, Object> model, Principal principal) { // get the authorization request from the model AuthorizationRequest clientAuth = (AuthorizationRequest) model.remove("authorizationRequest"); logger.trace( "Token request recieved from " + clientAuth.getClientId() + " for " + principal.getName()); // get a list of the scopes from the request Set<String> scopes = clientAuth.getScope(); String join = Joiner.on(" & ").join(scopes); // add necessary information to the model model.put("auth_request", clientAuth); model.put("scopes", join); model.put("principal", principal); return new ModelAndView("oauth/access_confirmation", model); }
public OAuth2AccessToken refreshAccessToken( String refreshTokenValue, AuthorizationRequest request) throws AuthenticationException { if (!supportRefreshToken) { throw new InvalidGrantException("Invalid refresh token: " + refreshTokenValue); } OAuth2RefreshToken refreshToken = tokenStore.readRefreshToken(refreshTokenValue); if (refreshToken == null) { throw new InvalidGrantException("Invalid refresh token: " + refreshTokenValue); } OAuth2Authentication authentication = tokenStore.readAuthenticationForRefreshToken(refreshToken); String clientId = authentication.getOAuth2Request().getClientId(); if (clientId == null || !clientId.equals(request.getClientId())) { throw new InvalidGrantException("Wrong client for this refresh token: " + refreshTokenValue); } // clear out any access tokens already associated with the refresh // token. tokenStore.removeAccessTokenUsingRefreshToken(refreshToken); if (isExpired(refreshToken)) { tokenStore.removeRefreshToken(refreshToken); throw new InvalidTokenException("Invalid refresh token (expired): " + refreshToken); } authentication = createRefreshedAuthentication(authentication, request.getScope()); if (!reuseRefreshToken) { tokenStore.removeRefreshToken(refreshToken); refreshToken = createRefreshToken(authentication); } OAuth2AccessToken accessToken = createAccessToken(authentication, refreshToken); tokenStore.storeAccessToken(accessToken, authentication); if (!reuseRefreshToken) { tokenStore.storeRefreshToken(refreshToken, authentication); } return accessToken; }
@Override public String retrieveSourceOrcid() { Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); if (authentication == null) { return null; } // API if (OAuth2Authentication.class.isAssignableFrom(authentication.getClass())) { AuthorizationRequest authorizationRequest = ((OAuth2Authentication) authentication).getAuthorizationRequest(); return authorizationRequest.getClientId(); } // Delegation mode String realUserIfInDelegationMode = getRealUserIfInDelegationMode(authentication); if (realUserIfInDelegationMode != null) { return realUserIfInDelegationMode; } // Normal web user return retrieveEffectiveOrcid(authentication); }