@Override public ServerAccessToken createAccessToken(final AccessTokenRegistration atr) throws OAuthServiceException { token = new BearerAccessToken(atr.getClient(), 3600L); final List<String> scope = atr.getApprovedScope().isEmpty() ? atr.getRequestedScope() : atr.getApprovedScope(); token.setScopes(convertScopeToPermissions(atr.getClient(), scope)); token.setSubject(atr.getSubject()); token.setGrantType(atr.getGrantType()); return token; }
private void setAtHashAndNonce(IdToken idToken, ServerAccessToken st) { if (idToken.getAccessTokenHash() == null) { Properties props = JwsUtils.loadSignatureOutProperties(false); SignatureAlgorithm sigAlgo = null; if (super.isSignWithClientSecret()) { sigAlgo = OAuthUtils.getClientSecretSignatureAlgorithm(props); } else { sigAlgo = JwsUtils.getSignatureAlgorithm(props, SignatureAlgorithm.RS256); } if (sigAlgo != SignatureAlgorithm.NONE) { String atHash = OidcUtils.calculateAccessTokenHash(st.getTokenKey(), sigAlgo); idToken.setAccessTokenHash(atHash); } } Message m = JAXRSUtils.getCurrentMessage(); if (m != null && m.getExchange().containsKey(OAuthConstants.NONCE)) { idToken.setNonce((String) m.getExchange().get(OAuthConstants.NONCE)); } else if (st.getNonce() != null) { idToken.setNonce(st.getNonce()); } }
protected void saveAccessToken(ServerAccessToken serverToken) { getEntityManager().getTransaction().begin(); List<OAuthPermission> perms = new LinkedList<OAuthPermission>(); for (OAuthPermission perm : serverToken.getScopes()) { OAuthPermission permSaved = getEntityManager().find(OAuthPermission.class, perm.getPermission()); if (permSaved != null) { perms.add(permSaved); } else { getEntityManager().persist(perm); perms.add(perm); } } serverToken.setScopes(perms); UserSubject sub = getEntityManager().find(UserSubject.class, serverToken.getSubject().getLogin()); if (sub == null) { getEntityManager().persist(serverToken.getSubject()); } else { sub = getEntityManager().merge(serverToken.getSubject()); serverToken.setSubject(sub); } getEntityManager().persist(serverToken); getEntityManager().getTransaction().commit(); }
/** * Processes an access token request * * @param params the form parameters representing the access token grant * @return Access Token or the error */ @POST @Consumes("application/x-www-form-urlencoded") @Produces("application/json") public Response handleTokenRequest(MultivaluedMap<String, String> params) { // Make sure the client is authenticated Client client = authenticateClientIfNeeded(params); if (!OAuthUtils.isGrantSupportedForClient( client, isCanSupportPublicClients(), params.getFirst(OAuthConstants.GRANT_TYPE))) { return createErrorResponse(params, OAuthConstants.UNAUTHORIZED_CLIENT); } try { checkAudience(params); } catch (OAuthServiceException ex) { return super.createErrorResponseFromBean(ex.getError()); } // Find the grant handler AccessTokenGrantHandler handler = findGrantHandler(params); if (handler == null) { return createErrorResponse(params, OAuthConstants.UNSUPPORTED_GRANT_TYPE); } // Create the access token ServerAccessToken serverToken = null; try { serverToken = handler.createAccessToken(client, params); } catch (OAuthServiceException ex) { return handleException(ex, OAuthConstants.INVALID_GRANT); } if (serverToken == null) { return createErrorResponse(params, OAuthConstants.INVALID_GRANT); } // Extract the information to be of use for the client ClientAccessToken clientToken = new ClientAccessToken(serverToken.getTokenType(), serverToken.getTokenKey()); clientToken.setRefreshToken(serverToken.getRefreshToken()); if (isWriteOptionalParameters()) { clientToken.setExpiresIn(serverToken.getExpiresIn()); List<OAuthPermission> perms = serverToken.getScopes(); if (!perms.isEmpty()) { clientToken.setApprovedScope(OAuthUtils.convertPermissionsToScope(perms)); } clientToken.setParameters(serverToken.getParameters()); } // Return it to the client return Response.ok(clientToken) .header(HttpHeaders.CACHE_CONTROL, "no-store") .header("Pragma", "no-cache") .build(); }
private static ServerAccessToken recreateAccessToken( OAuthDataProvider provider, String newTokenKey, String[] parts) { @SuppressWarnings("serial") final ServerAccessToken newToken = new ServerAccessToken( provider.getClient(parts[4]), parts[1], newTokenKey == null ? parts[0] : newTokenKey, Long.valueOf(parts[2]), Long.valueOf(parts[3])) { // }; newToken.setRefreshToken(getStringPart(parts[5])); newToken.setGrantType(getStringPart(parts[6])); newToken.setAudience(getStringPart(parts[7])); newToken.setParameters(parseSimpleMap(parts[8])); // Permissions if (!parts[9].trim().isEmpty()) { List<OAuthPermission> perms = new LinkedList<OAuthPermission>(); String[] allPermParts = parts[9].split("&"); for (int i = 0; i + 4 < allPermParts.length; i = i + 5) { OAuthPermission perm = new OAuthPermission(allPermParts[i], allPermParts[i + 1]); perm.setDefault(Boolean.valueOf(allPermParts[i + 2])); perm.setHttpVerbs(parseSimpleList(allPermParts[i + 3])); perm.setUris(parseSimpleList(allPermParts[i + 4])); perms.add(perm); } newToken.setScopes(perms); } // UserSubject: newToken.setSubject(recreateUserSubject(parts[10])); return newToken; }
@Override public void removeAccessToken(final ServerAccessToken sat) throws OAuthServiceException { if (token != null && token.getTokenKey().equals(sat.getTokenKey())) { token = null; } }
@Override public ServerAccessToken getAccessToken(final String tokenId) throws OAuthServiceException { return token == null || token.getTokenKey().equals(tokenId) ? token : null; }
private static String tokenizeServerToken(ServerAccessToken token) { StringBuilder state = new StringBuilder(); // 0: key state.append(tokenizeString(token.getTokenKey())); // 1: type state.append(SEP); state.append(tokenizeString(token.getTokenType())); // 2: expiresIn state.append(SEP); state.append(token.getExpiresIn()); // 3: issuedAt state.append(SEP); state.append(token.getIssuedAt()); // 4: client id state.append(SEP); state.append(tokenizeString(token.getClient().getClientId())); // 5: refresh token state.append(SEP); state.append(tokenizeString(token.getRefreshToken())); // 6: grant type state.append(SEP); state.append(tokenizeString(token.getGrantType())); // 7: audience state.append(SEP); state.append(tokenizeString(token.getAudience())); // 8: other parameters state.append(SEP); // {key=value, key=value} state.append(token.getParameters().toString()); // 9: permissions state.append(SEP); if (token.getScopes().isEmpty()) { state.append(" "); } else { for (OAuthPermission p : token.getScopes()) { // 9.1 state.append(tokenizeString(p.getPermission())); state.append("."); // 9.2 state.append(tokenizeString(p.getDescription())); state.append("."); // 9.3 state.append(p.isDefault()); state.append("."); // 9.4 state.append(p.getHttpVerbs().toString()); state.append("."); // 9.5 state.append(p.getUris().toString()); } } state.append(SEP); // 10: user subject tokenizeUserSubject(state, token.getSubject()); return state.toString(); }
private String getProcessedIdToken(ServerAccessToken st) { if (userInfoProvider != null) { IdToken idToken = userInfoProvider.getIdToken( st.getClient().getClientId(), st.getSubject(), st.getScopes()); setAtHashAndNonce(idToken, st); return super.processJwt(new JwtToken(idToken), st.getClient()); } else if (st.getSubject().getProperties().containsKey(OidcUtils.ID_TOKEN)) { return st.getSubject().getProperties().get(OidcUtils.ID_TOKEN); } else if (st.getSubject() instanceof OidcUserSubject) { OidcUserSubject sub = (OidcUserSubject) st.getSubject(); IdToken idToken = new IdToken(sub.getIdToken()); idToken.setAudience(st.getClient().getClientId()); idToken.setAuthorizedParty(st.getClient().getClientId()); // if this token was refreshed then the cloned IDToken might need to have its // issuedAt and expiry time properties adjusted if it proves to be necessary setAtHashAndNonce(idToken, st); return super.processJwt(new JwtToken(idToken), st.getClient()); } else { return null; } }