@Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException { HttpServletRequest request = (HttpServletRequest) req; HttpServletResponse response = (HttpServletResponse) res; AuthorizationRequest authorizationRequest = findAuthorizationRequest(request); if (authorizationRequest == null) { response.sendError( HttpServletResponse.SC_BAD_REQUEST, "No valid AbstractAuthenticator.AUTH_STATE on the Request"); } if (initialRequest(request)) { storePrincipal(request, response, authorizationRequest); request.setAttribute(AbstractAuthenticator.RETURN_URI, RETURN_URI); request.setAttribute(AbstractUserConsentHandler.CLIENT, authorizationRequest.getClient()); if (!authorizationRequest.getClient().isSkipConsent()) { userConsentHandler.doFilter(request, response, chain); } else { chain.doFilter(request, response); } } else { /* * Ok, the consentHandler wants to have control again (because he stepped * out) */ userConsentHandler.doFilter(request, response, chain); } }
private AuthorizationRequest clientCredentialToken(AccessTokenRequest accessTokenRequest) { AuthorizationRequest request = new AuthorizationRequest(); request.setClient(accessTokenRequest.getClient()); // We have to construct a AuthenticatedPrincipal on-the-fly as there is only key-secret // authentication request.setPrincipal(new AuthenticatedPrincipal(request.getClient().getClientId())); // Get scopes (either from request or the client's default set) request.setGrantedScopes(accessTokenRequest.getScopeList()); return request; }
private Response sendAuthorizationCodeResponse(AuthorizationRequest authReq) { String uri = authReq.getRedirectUri(); String authorizationCode = getAuthorizationCodeValue(); authReq.setAuthorizationCode(authorizationCode); authorizationRequestRepository.save(authReq); uri = uri + appendQueryMark(uri) + "code=" + authorizationCode + appendStateParameter(authReq); return Response.seeOther(UriBuilder.fromUri(uri).build()) .cacheControl(cacheControlNoStore()) .header("Pragma", "no-cache") .build(); }
private AuthorizationRequest refreshTokenToken(AccessTokenRequest accessTokenRequest) { AccessToken accessToken = accessTokenRepository.findByRefreshToken(accessTokenRequest.getRefreshToken()); if (accessToken == null) { throw new ValidationResponseException(ValidationResponse.INVALID_GRANT_REFRESH_TOKEN); } AuthorizationRequest request = new AuthorizationRequest(); request.setClient(accessToken.getClient()); request.setPrincipal(accessToken.getPrincipal()); request.setGrantedScopes(accessToken.getScopes()); accessTokenRepository.delete(accessToken); return request; }
private AuthorizationRequest authorizationCodeToken(AccessTokenRequest accessTokenRequest) { AuthorizationRequest authReq = authorizationRequestRepository.findByAuthorizationCode(accessTokenRequest.getCode()); if (authReq == null) { throw new ValidationResponseException(ValidationResponse.INVALID_GRANT_AUTHORIZATION_CODE); } String uri = accessTokenRequest.getRedirectUri(); if (!authReq.getRedirectUri().equalsIgnoreCase(uri)) { throw new ValidationResponseException(ValidationResponse.REDIRECT_URI_DIFFERENT); } authorizationRequestRepository.delete(authReq); return authReq; }
private Response doProcess(HttpServletRequest request) { AuthorizationRequest authReq = findAuthorizationRequest(request); if (authReq == null) { return serverError("Not a valid AbstractAuthenticator.AUTH_STATE on the Request"); } processScopes(authReq, request); if (authReq.getResponseType().equals(OAuth2Validator.IMPLICIT_GRANT_RESPONSE_TYPE)) { AccessToken token = createAccessToken(authReq, true); return sendImplicitGrantResponse(authReq, token); } else { return sendAuthorizationCodeResponse(authReq); } }
private AuthorizationRequest passwordToken(AccessTokenRequest accessTokenRequest) { // Authenticate the resource owner AuthenticatedPrincipal principal = resourceOwnerAuthenticator.authenticate( accessTokenRequest.getUsername(), accessTokenRequest.getPassword()); if (principal == null) { throw new ValidationResponseException(ValidationResponse.INVALID_GRANT_PASSWORD); } AuthorizationRequest request = new AuthorizationRequest(); request.setClient(accessTokenRequest.getClient()); request.setPrincipal(principal); request.setGrantedScopes(accessTokenRequest.getScopeList()); return request; }
/* * In the user consent filter the scopes are (possible) set on the Request */ private void processScopes(AuthorizationRequest authReq, HttpServletRequest request) { if (authReq.getClient().isSkipConsent()) { // return the scopes in the authentication request since the requested scopes are stored in // the // authorizationRequest. authReq.setGrantedScopes(authReq.getRequestedScopes()); } else { String[] scopes = (String[]) request.getAttribute(AbstractUserConsentHandler.GRANTED_SCOPES); if (!ArrayUtils.isEmpty(scopes)) { authReq.setGrantedScopes(Arrays.asList(scopes)); } else { authReq.setGrantedScopes(null); } } }
private String appendStateParameter(AuthorizationRequest authReq) { String state = authReq.getState(); try { return StringUtils.isBlank(state) ? "" : "&state=".concat(URLEncoder.encode(state, "UTF-8")); } catch (UnsupportedEncodingException e) { throw new RuntimeException(e); } }
private Response sendImplicitGrantResponse( AuthorizationRequest authReq, AccessToken accessToken) { String uri = authReq.getRedirectUri(); String fragment = String.format( "access_token=%s&token_type=bearer&expires_in=%s&scope=%s", accessToken.getToken(), accessToken.getExpiresIn(), StringUtils.join(authReq.getGrantedScopes(), ',')) + appendStateParameter(authReq); if (authReq.getClient().isIncludePrincipal()) { fragment += String.format("&principal=%s", authReq.getPrincipal().getDisplayName()); } return Response.seeOther(UriBuilder.fromUri(uri).fragment(fragment).build()) .cacheControl(cacheControlNoStore()) .header("Pragma", "no-cache") .build(); }
private AccessToken createAccessToken(AuthorizationRequest request, boolean isImplicitGrant) { Client client = request.getClient(); long expireDuration = client.getExpireDuration(); long expires = (expireDuration == 0L ? 0L : (System.currentTimeMillis() + (1000 * expireDuration))); String refreshToken = (client.isUseRefreshTokens() && !isImplicitGrant) ? getTokenValue(true) : null; AuthenticatedPrincipal principal = request.getPrincipal(); AccessToken token = new AccessToken( getTokenValue(false), principal, client, expires, request.getGrantedScopes(), refreshToken); return accessTokenRepository.save(token); }
private void storePrincipal( HttpServletRequest request, HttpServletResponse response, AuthorizationRequest authorizationRequest) throws IOException { AuthenticatedPrincipal principal = (AuthenticatedPrincipal) request.getAttribute(AbstractAuthenticator.PRINCIPAL); if (principal == null) { response.sendError( HttpServletResponse.SC_BAD_REQUEST, "No valid AbstractAuthenticator.PRINCIPAL on the Request"); } authorizationRequest.setPrincipal(principal); authorizationRequestRepository.save(authorizationRequest); }