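/**
 * Decides whether the grant behind {@code tokenGrantInfo} authorizes {@code request} and records
 * the outcome in {@code isAuthorized}.
 *
 * <p>The token is first rejected if expired or superseded, then the endpoint the request resolves
 * to is matched against the endpoints reachable through the grant's scopes. On a match, a grant
 * without a refresh token whose token is within the expiry threshold has its expiry pushed out via
 * the auth service, and the new {@code expires_in} value is handed to the client in the response
 * {@code Authorization} header.
 *
 * @param tokenGrantInfo the grant record looked up for the presented access token
 * @param request the incoming resource request
 * @param response the response being built; may be {@code null}, in which case no expiry
 *     extension is attempted
 * @throws OAuthProblemException {@code invalid_token} when the token is expired or no longer
 *     current, {@code insufficient_scope} when no grant scope covers the requested endpoint
 */
private void setAuthorization(
    TokenGrantInfo tokenGrantInfo, HttpServletRequest request, HttpServletResponse response)
    throws OAuthProblemException {
  isAuthorized = false;
  checkTokenCurrentAndNotExpired(tokenGrantInfo);
  OAuth2RSEndpoint requestEndpoint = findEndpointForRequest(request);

  if (!grantScopeMatchesRequest(tokenGrantInfo, requestEndpoint)) {
    log.info("Could not find grant scope matching request");
    throw OAuthProblemException.error(OAuthError.ResourceResponse.INSUFFICIENT_SCOPE);
  }

  // A bearer token is a credential; identify the grant in logs by its client, not by the token
  // value (the original logged the raw access token here).
  log.info("Verified token for client " + tokenGrantInfo.getGrantClientIdentifier());
  isAuthorized = true;

  // Without a refresh token the client cannot renew on its own, so push the expiry out when the
  // token is within the threshold time of expiring (threshold is tokenCloseToExpiring's concern).
  // Same short-circuit order as the original condition.
  if (tokenGrantInfo.getHasRefreshToken()
      || !tokenCloseToExpiring(tokenGrantInfo)
      || response == null) {
    return;
  }

  log.info("Requesting token expiry time be extended");
  Optional<AccessTokenExpiryInfo> newExpiryInfo =
      authService.extendAccessTokenExpirySeconds(tokenGrantInfo.getAccessToken());
  if (!newExpiryInfo.isPresent()) {
    return;
  }

  String accessTimeRemaining = newExpiryInfo.get().getAccessTokenTimeRemaining();
  Map<String, Object> entries = Maps.newHashMap();
  entries.put(OAuth.OAUTH_EXPIRES_IN, accessTimeRemaining);
  log.info("Token will now expire in " + accessTimeRemaining + " seconds");
  // NOTE(review): the extension is reported in the response Authorization header; confirm
  // clients read expires_in from there.
  response.setHeader(OAuth.HeaderType.AUTHORIZATION, OAuthUtils.encodeOAuthHeader(entries));
}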
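/**
 * Builds the authorization decision for one resource request that presented {@code token}.
 *
 * <p>The token is trimmed and looked up through the auth service. When a grant is found, the
 * client and principal are taken from the grant and {@link #setAuthorization} decides whether the
 * grant covers the request. When no grant is found, the default client and principal are
 * installed, the decision is marked unauthorized and {@code invalid_token} is raised.
 *
 * @param realm the protection realm; not referenced by this constructor
 * @param token the access token as presented by the client
 * @param request the incoming resource request
 * @param response the response being built (may be {@code null}; only used for expiry extension)
 * @throws OAuthProblemException {@code invalid_token} when no grant matches the token, or
 *     whatever {@link #setAuthorization} raises for a matched grant
 */
public OAuth2RSDecision(
    String realm, String token, HttpServletRequest request, HttpServletResponse response)
    throws OAuthProblemException {
  String accessToken = trimAccessToken(token);
  // Bearer tokens are credentials and must not be written to logs; the original logged the raw
  // token value on every branch below.
  log.info("Processing decision on presented access token");

  authService = getAuthService();
  Optional<TokenGrantInfo> tokenGrantInfoFound =
      authService.getTokenGrantInfoByAccessToken(accessToken);

  if (!tokenGrantInfoFound.isPresent()) {
    log.info("Invalid token presented");
    this.isAuthorized = false;
    this.oAuthClient = getDefaultClient();
    this.principal = getDefaultPrincipal(request);
    throw OAuthProblemException.error(OAuthError.ResourceResponse.INVALID_TOKEN);
  }

  TokenGrantInfo tokenGrantInfo = tokenGrantInfoFound.get();
  log.info("Found grant for token; client " + tokenGrantInfo.getGrantClientIdentifier());
  this.oAuthClient = new OAuth2RSClient(tokenGrantInfo.getGrantClientIdentifier());

  // Prefer the stable primary identifier; fall back to the username when it is not recorded.
  String primaryIdentifier = tokenGrantInfo.getGrantUserPrimaryIdentifier();
  String principalName =
      primaryIdentifier != null ? primaryIdentifier : tokenGrantInfo.getGrantUsername();
  this.principal = new OAuth2RSPrincipal(principalName);

  setAuthorization(tokenGrantInfo, request, response);
}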
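/**
 * Rejects a grant whose access token has expired or which is no longer the current grant.
 *
 * @param tokenGrantInfo the grant to check
 * @throws OAuthProblemException {@code invalid_token} when the token has an expiry date in the
 *     past or the grant is not current; also propagates whatever {@link #getTokenExpiryDate}
 *     raises for an unparsable or disallowed expiry
 */
private void checkTokenCurrentAndNotExpired(TokenGrantInfo tokenGrantInfo)
    throws OAuthProblemException {
  Optional<DateTime> expiryDate = getTokenExpiryDate(tokenGrantInfo);
  // A token with no expiry date (Optional.absent) is never "expired" here; only currency applies.
  boolean expired = expiryDate.isPresent() && expiryDate.get().isBeforeNow();
  if (expired || !tokenGrantInfo.getGrantCurrent()) {
    // Bearer tokens are credentials; log the owning client, not the token value the original
    // wrote here.
    log.warning(
        "Attempt to use expired or superseded token for client "
            + tokenGrantInfo.getGrantClientIdentifier());
    throw OAuthProblemException.error(OAuthError.ResourceResponse.INVALID_TOKEN);
  }
}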
/**
 * Computes the instant at which the grant's access token stops being valid.
 *
 * @param tokenGrantInfo the grant whose expiry is derived from its timestamp and expiry seconds
 * @return the expiry instant, or {@link Optional#absent()} for a token that does not expire
 * @throws OAuthProblemException {@code invalid_token} when the token does not expire but the
 *     client's tokens are required to, or when the recorded expiry is not a parsable integer
 */
private Optional<DateTime> getTokenExpiryDate(TokenGrantInfo tokenGrantInfo)
    throws OAuthProblemException {
  boolean expires = tokenGrantInfo.getAccessTokenExpires();
  if (!expires) {
    // Non-expiring tokens are only acceptable when the client is not forced to expire them.
    if (tokenGrantInfo.getGrantClientTokensMustExpire()) {
      throw OAuthProblemException.error(OAuthError.ResourceResponse.INVALID_TOKEN);
    }
    return Optional.absent();
  }

  final int seconds;
  try {
    seconds = Integer.parseInt(tokenGrantInfo.getAccessTokenExpiry());
  } catch (NumberFormatException e) {
    log.warning("NumberFormatException during token check: " + e);
    throw OAuthProblemException.error(OAuthError.ResourceResponse.INVALID_TOKEN);
  }

  // NOTE(review): Math.abs silently turns a negative stored expiry into a positive lifetime, and
  // Math.abs(Integer.MIN_VALUE) stays negative — confirm negative values are ever expected here.
  DateTime grantedAt = new DateTime(tokenGrantInfo.getGrantTimeStamp());
  return Optional.of(grantedAt.plusSeconds(Math.abs(seconds)));
}
/**
 * Reports whether any scope on the grant reaches {@code requestEndpoint}.
 *
 * <p>Each scope name on the grant is expanded to its endpoint set via the auth service and the
 * request's endpoint is compared by {@code equals} against every member; the first hit wins.
 *
 * @param tokenGrantInfo the grant whose scopes are consulted
 * @param requestEndpoint the endpoint resolved for the incoming request
 * @return {@code true} when an endpoint of some grant scope equals {@code requestEndpoint}
 * @throws OAuthProblemException {@code server_error} when the grant carries no scopes or a scope
 *     resolves to no endpoint set — both indicate broken server-side data, not a bad client
 */
private boolean grantScopeMatchesRequest(
    TokenGrantInfo tokenGrantInfo, OAuth2RSEndpoint requestEndpoint)
    throws OAuthProblemException {
  Set<String> scopeNames = tokenGrantInfo.getGrantScopeNames();
  if (scopeNames.isEmpty()) {
    log.severe("No scopes associated with token grant");
    throw OAuthProblemException.error(SERVER_ERROR);
  }

  for (String scopeName : scopeNames) {
    Set<OAuth2RSEndpoint> reachable = authService.getEndpointsForScopeName(scopeName);
    if (reachable == null) {
      log.severe("No endpoints associated with scope");
      throw OAuthProblemException.error(SERVER_ERROR);
    }
    if (scopeReaches(reachable, requestEndpoint)) {
      log.info(
          "Endpoint " + requestEndpoint.getEndpointUrl() + " matches grant scope " + scopeName);
      return true;
    }
  }
  return false;
}

/**
 * Linear {@code target.equals(candidate)} scan, kept instead of {@code Set#contains} because
 * equals/hashCode consistency of {@code OAuth2RSEndpoint} is not visible here.
 */
private static boolean scopeReaches(Set<OAuth2RSEndpoint> endpoints, OAuth2RSEndpoint target) {
  for (OAuth2RSEndpoint candidate : endpoints) {
    if (target.equals(candidate)) {
      return true;
    }
  }
  return false;
}