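/**
 * Builds an {@link AuthorizationRequest} from the raw authorization-endpoint parameters.
 *
 * Responsibilities, in order:
 * <ol>
 *   <li>resolve the client named by {@code client_id};</li>
 *   <li>for an authenticated user, reject a {@code nonce} already recorded for that client
 *       and record the new one (replay protection for the ID token);</li>
 *   <li>when the request names no scopes, fall back to the client's registered scopes
 *       minus {@code openid}.</li>
 * </ol>
 *
 * @param parameters raw request parameters; reads {@code client_id}, {@code nonce} and {@code scope}
 * @return the populated request with the resolved {@link ClientDetails} attached
 * @throws InvalidClientException if {@code client_id} is absent
 * @throws NonceReuseException   if the nonce was already stored for this client
 */
@Override
public AuthorizationRequest createAuthorizationRequest(Map<String, String> parameters) {
    String clientId = parameters.get("client_id");
    if (clientId == null) {
        throw new InvalidClientException("A client id must be provided");
    }
    ClientDetails client = clientDetailsService.loadClientByClientId(clientId);

    // Nonce handling only runs once the user is authenticated. Before login this method is
    // entered with NO Authentication in the security context, so the Authentication itself
    // must be null-checked (the original dereferenced it unconditionally and would NPE);
    // the method is called again after the login page redirects back to the auth endpoint,
    // and the nonce is checked and consumed on that second pass.
    String requestNonce = parameters.get("nonce");
    Object principal = null;
    if (SecurityContextHolder.getContext().getAuthentication() != null) {
        principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
    }
    if (requestNonce != null && principal instanceof User) {
        rejectReusedNonceAndRecord(client, requestNonce);
    }

    Set<String> scopes = OAuth2Utils.parseParameterList(parameters.get("scope"));
    if (scopes == null || scopes.isEmpty()) {
        scopes = defaultScopesFor(client);
    }

    DefaultAuthorizationRequest request = new DefaultAuthorizationRequest(
            parameters, Collections.<String, String>emptyMap(), clientId, scopes);
    request.addClientDetails(client);
    return request;
}

/**
 * Throws if {@code requestNonce} is already stored for {@code client}; otherwise records it
 * with a use date of now and an expiry of now + {@code nonceStorageDuration}.
 *
 * NOTE(review): the lookup and the save are not atomic. Two concurrent requests carrying
 * the same nonce for the same client can both pass the scan and both be saved; a unique
 * constraint on (client_id, value) in the nonce store is the robust fix — confirm whether
 * the store enforces one. Nothing here purges expired entries; that is presumably done
 * by the nonce service.
 *
 * @param client       the resolved client the nonce is scoped to
 * @param requestNonce the non-null nonce from the request
 * @throws NonceReuseException if a stored nonce for this client has the same value
 */
private void rejectReusedNonceAndRecord(ClientDetails client, String requestNonce) {
    String clientId = client.getClientId();
    Collection<Nonce> clientNonces = nonceService.getByClientId(clientId);
    if (clientNonces != null) {
        for (Nonce stored : clientNonces) {
            // Compare from the request side: requestNonce is known non-null, a stored
            // value might not be.
            if (requestNonce.equals(stored.getValue())) {
                throw new NonceReuseException(clientId, stored);
            }
        }
    }

    Nonce nonce = new Nonce();
    nonce.setClientId(clientId);
    nonce.setValue(requestNonce);
    DateTime now = new DateTime(new Date());
    nonce.setUseDate(now.toDate());
    nonce.setExpireDate(now.plus(nonceStorageDuration).toDate());
    nonceService.save(nonce);
}

/**
 * Default scope set for a request that names no scopes: the client's registered scopes
 * minus {@code openid}. OpenID Connect requests MUST carry {@code openid} explicitly, so
 * defaulting must not silently promote a plain OAuth request into an OIDC one.
 *
 * Works on a copy: the original removed {@code openid} from the live set returned by
 * {@code client.getScope()}, which would corrupt the client's registration if that set is
 * shared or cached. A client with no registered scopes yields an empty set instead of an
 * NPE.
 *
 * @param client the resolved client whose registration supplies the defaults
 * @return a fresh, mutable scope set never containing {@code openid}
 */
private Set<String> defaultScopesFor(ClientDetails client) {
    // TODO: do we want to allow default scoping at all?
    Set<String> registered = client.getScope();
    // Fully qualified so no new import is needed in this file.
    Set<String> scopes = registered == null
            ? new java.util.HashSet<String>()
            : new java.util.HashSet<String>(registered);
    scopes.remove("openid");
    return scopes;
}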