// 要不要PreApproval??
@Override
public AuthorizationRequest checkForPreApproval(
AuthorizationRequest authorizationRequest, Authentication userAuthentication) {
boolean approved = false;
String clientId = authorizationRequest.getClientId();
Set<String> scopes = authorizationRequest.getScope();
OAuth2Request storedOAuth2Request = requestFactory.createOAuth2Request(authorizationRequest);
OAuth2Authentication authentication =
new OAuth2Authentication(storedOAuth2Request, userAuthentication);
if (logger.isDebugEnabled()) {
StringBuilder builder = new StringBuilder("Looking up existing token for ");
builder.append("client_id=" + clientId);
builder.append(", scope=" + scopes);
builder.append(" and username="******"Existing access token=" + accessToken);
if (accessToken != null && !accessToken.isExpired()) {
logger.debug("User already approved with token=" + accessToken);
approved = true;
} else {
logger.debug("Checking explicit approval");
approved = userAuthentication.isAuthenticated() && approved;
}
authorizationRequest.setApproved(approved);
return authorizationRequest;
}
/**
* Basic implementation just requires the authorization request to be explicitly approved and the
* user to be authenticated.
*
* @param authorizationRequest The authorization request.
* @param userAuthentication the current user authentication
* @return Whether the specified request has been approved by the current user.
*/
public boolean isApproved(
AuthorizationRequest authorizationRequest, Authentication userAuthentication) {
String flag = authorizationRequest.getApprovalParameters().get(approvalParameter);
boolean approved = flag != null && flag.toLowerCase().equals("true");
OAuth2Authentication authentication =
new OAuth2Authentication(authorizationRequest, userAuthentication);
if (logger.isDebugEnabled()) {
StringBuilder builder = new StringBuilder("Looking up existing token for ");
builder.append("client_id=" + authorizationRequest.getClientId());
builder.append(", scope=" + authorizationRequest.getScope());
builder.append(" and username="******"Existing access token=" + accessToken);
if (accessToken != null && !accessToken.isExpired()) {
logger.debug("User already approved with token=" + accessToken);
// A token was already granted and is still valid, so this is already approved
approved = true;
} else {
logger.debug("Checking explicit approval");
approved = userAuthentication.isAuthenticated() && approved;
}
return approved;
}
@Test
public void testOauthClient() throws Exception {
AuthorizationRequest request = new AuthorizationRequest("foo", Collections.singleton("read"));
request.setResourceIdsAndAuthoritiesFromClientDetails(
new BaseClientDetails("foo", "", "", "client_credentials", "ROLE_CLIENT"));
Authentication userAuthentication = null;
OAuth2Request clientAuthentication =
RequestTokenFactory.createOAuth2Request(
request.getRequestParameters(),
request.getClientId(),
request.getAuthorities(),
request.isApproved(),
request.getScope(),
request.getResourceIds(),
request.getRedirectUri(),
request.getResponseTypes(),
request.getExtensions());
OAuth2Authentication oAuth2Authentication =
new OAuth2Authentication(clientAuthentication, userAuthentication);
MethodInvocation invocation =
new SimpleMethodInvocation(this, ReflectionUtils.findMethod(getClass(), "testOauthClient"));
EvaluationContext context = handler.createEvaluationContext(oAuth2Authentication, invocation);
Expression expression =
handler.getExpressionParser().parseExpression("#oauth2.clientHasAnyRole('ROLE_CLIENT')");
assertTrue((Boolean) expression.getValue(context));
}
@RequestMapping("/oauth/confirm_access")
public ModelAndView getAccessConfirmation(@ModelAttribute AuthorizationRequest clientAuth)
throws Exception {
ClientDetails client = clientDetailsService.loadClientByClientId(clientAuth.getClientId());
TreeMap<String, Object> model = new TreeMap<String, Object>();
model.put("auth_request", clientAuth);
model.put("client", client);
return new ModelAndView("access_confirmation", model);
}
@RequestMapping("/oauth/confirm_access")
public String confirm(
@ModelAttribute AuthorizationRequest clientAuth,
Map<String, Object> model,
final HttpServletRequest request)
throws Exception {
if (clientAuth == null) {
model.put(
"error",
"No authorizatioun request is present, so we cannot confirm access (we don't know what you are asking for).");
// response.sendError(HttpServletResponse.SC_BAD_REQUEST);
} else {
ClientDetails client = clientDetailsService.loadClientByClientId(clientAuth.getClientId());
model.put("auth_request", clientAuth);
model.put("client", client);
model.put(
"message",
"To confirm or deny access POST to the following locations with the parameters requested.");
Map<String, Object> options =
new HashMap<String, Object>() {
{
put(
"confirm",
new HashMap<String, String>() {
{
put("location", getLocation(request, "oauth/authorize"));
put("path", getPath(request, "oauth/authorize"));
put("key", "user_oauth_approval");
put("value", "true");
}
});
put(
"deny",
new HashMap<String, String>() {
{
put("location", getLocation(request, "oauth/authorize"));
put("path", getPath(request, "oauth/authorize"));
put("key", "user_oauth_approval");
put("value", "false");
}
});
}
};
model.put("options", options);
}
return "access_confirmation";
}
/**
* Basic access confirmation controller for OAuth2
*
* @param model Model objects to be passed to the view
* @param principal The principal user making the auth request
* @return A ModelAndView for the access_confirmation page
*/
@RequestMapping("/api/oauth/confirm_access")
public ModelAndView getAccessConfirmation(Map<String, Object> model, Principal principal) {
// get the authorization request from the model
AuthorizationRequest clientAuth = (AuthorizationRequest) model.remove("authorizationRequest");
logger.trace(
"Token request recieved from " + clientAuth.getClientId() + " for " + principal.getName());
// get a list of the scopes from the request
Set<String> scopes = clientAuth.getScope();
String join = Joiner.on(" & ").join(scopes);
// add necessary information to the model
model.put("auth_request", clientAuth);
model.put("scopes", join);
model.put("principal", principal);
return new ModelAndView("oauth/access_confirmation", model);
}
public OAuth2AccessToken refreshAccessToken(
String refreshTokenValue, AuthorizationRequest request) throws AuthenticationException {
if (!supportRefreshToken) {
throw new InvalidGrantException("Invalid refresh token: " + refreshTokenValue);
}
OAuth2RefreshToken refreshToken = tokenStore.readRefreshToken(refreshTokenValue);
if (refreshToken == null) {
throw new InvalidGrantException("Invalid refresh token: " + refreshTokenValue);
}
OAuth2Authentication authentication =
tokenStore.readAuthenticationForRefreshToken(refreshToken);
String clientId = authentication.getOAuth2Request().getClientId();
if (clientId == null || !clientId.equals(request.getClientId())) {
throw new InvalidGrantException("Wrong client for this refresh token: " + refreshTokenValue);
}
// clear out any access tokens already associated with the refresh
// token.
tokenStore.removeAccessTokenUsingRefreshToken(refreshToken);
if (isExpired(refreshToken)) {
tokenStore.removeRefreshToken(refreshToken);
throw new InvalidTokenException("Invalid refresh token (expired): " + refreshToken);
}
authentication = createRefreshedAuthentication(authentication, request.getScope());
if (!reuseRefreshToken) {
tokenStore.removeRefreshToken(refreshToken);
refreshToken = createRefreshToken(authentication);
}
OAuth2AccessToken accessToken = createAccessToken(authentication, refreshToken);
tokenStore.storeAccessToken(accessToken, authentication);
if (!reuseRefreshToken) {
tokenStore.storeRefreshToken(refreshToken, authentication);
}
return accessToken;
}
@Override
public String retrieveSourceOrcid() {
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
if (authentication == null) {
return null;
}
// API
if (OAuth2Authentication.class.isAssignableFrom(authentication.getClass())) {
AuthorizationRequest authorizationRequest =
((OAuth2Authentication) authentication).getAuthorizationRequest();
return authorizationRequest.getClientId();
}
// Delegation mode
String realUserIfInDelegationMode = getRealUserIfInDelegationMode(authentication);
if (realUserIfInDelegationMode != null) {
return realUserIfInDelegationMode;
}
// Normal web user
return retrieveEffectiveOrcid(authentication);
}