/**
 * Reject any requested scope the client is not registered for.
 *
 * @param requestScopes the scopes asked for in the request; iterated directly, so must not be null
 * @param clientScopes  the client's registered scopes; may be null or empty
 * @throws InvalidScopeException if a requested scope is not among {@code clientScopes},
 *         or if no scopes were requested at all
 */
private void validateScope(Set<String> requestScopes, Set<String> clientScopes) {
    // NOTE(review): when the client has no registered scopes (null or empty) the per-scope
    // membership check is skipped entirely, i.e. this path fails open for such clients.
    // A wildcard-aware variant in this codebase rejects that case instead; confirm which
    // behaviour is intended here.
    boolean clientHasScopes = clientScopes != null && !clientScopes.isEmpty();
    if (clientHasScopes) {
        for (String requested : requestScopes) {
            if (clientScopes.contains(requested)) {
                continue;
            }
            // The client's registered scopes travel with the exception as the "scope" hint.
            throw new InvalidScopeException("Invalid scope: " + requested, clientScopes);
        }
    }
    // The empty-request check deliberately comes after the membership scan.
    if (requestScopes.isEmpty()) {
        throw new InvalidScopeException("Empty scope (either the client or the user is not allowed the requested scopes)");
    }
}
/**
 * Build an invalid-scope error that also carries the set of scopes that would have been accepted.
 *
 * @param msg        human-readable error description
 * @param validScope the scopes the caller is actually allowed; formatted and attached via
 *                   {@code addAdditionalInformation} under the key {@code "scope"}
 */
public InvalidScopeException(String msg, Set<String> validScope) {
    this(msg);
    // Security note: this discloses the complete set of permitted scopes to whoever
    // receives the error, which is fine for the client itself but worth knowing.
    String formatted = OAuth2Utils.formatParameterList(validScope);
    addAdditionalInformation("scope", formatted);
}
/**
 * A token carrying scim.read and scim.write must be rejected when the check asks for a scope
 * (ponies.ride) the token does not have; the error message must name exactly that scope.
 */
@Test(expected = InvalidScopeException.class)
public void testValidateScopesSomeNotPresent() throws Exception {
    try {
        AuthorizationRequest granted = new AuthorizationRequest("client", Arrays.asList("scim.read", "scim.write"));
        authentication = new OAuth2Authentication(granted.createOAuth2Request(), null);
        OAuth2AccessToken token = tokenServices.createAccessToken(authentication);
        endpoint.checkToken(token.getValue(), Arrays.asList("scim.read", "ponies.ride"), request);
    } catch (InvalidScopeException ex) {
        // Check the message, then re-throw so @Test(expected=...) still observes the exception.
        assertEquals(missingScopeMessage("ponies.ride"), ex.getMessage());
        throw ex;
    }
}
/**
 * A token holding only scim.read must be rejected when scim.write is required; the error
 * message must name scim.write as the missing scope.
 */
@Test(expected = InvalidScopeException.class)
public void testValidateScopesNotPresent() throws Exception {
    try {
        AuthorizationRequest granted = new AuthorizationRequest("client", Collections.singleton("scim.read"));
        authentication = new OAuth2Authentication(granted.createOAuth2Request(), null);
        OAuth2AccessToken token = tokenServices.createAccessToken(authentication);
        endpoint.checkToken(token.getValue(), Collections.singletonList("scim.write"), request);
    } catch (InvalidScopeException ex) {
        // Check the message, then re-throw so @Test(expected=...) still observes the exception.
        assertEquals(missingScopeMessage("scim.write"), ex.getMessage());
        throw ex;
    }
}
/**
 * Verify the requested scopes against the client's registered scopes via the scope service.
 *
 * @param requestedScopes scopes asked for; null or empty means nothing is validated
 * @param clientScopes    the client's registered scopes; null or empty means nothing is validated
 * @throws InvalidScopeException when the scope service reports that the request is not covered
 */
private void validateScope(Set<String> requestedScopes, Set<String> clientScopes) throws InvalidScopeException {
    // NOTE(review): both "nothing requested" and "client has no registered scopes" pass
    // silently here (fail-open); confirm callers handle those cases before relying on this.
    boolean somethingRequested = requestedScopes != null && !requestedScopes.isEmpty();
    boolean clientHasScopes = clientScopes != null && !clientScopes.isEmpty();
    if (!somethingRequested || !clientHasScopes) {
        return;
    }
    if (!scopeService.scopesMatch(clientScopes, requestedScopes)) {
        // The client's registered scopes accompany the error as the "scope" hint.
        throw new InvalidScopeException("Invalid scope; requested:" + requestedScopes, clientScopes);
    }
}
/**
 * A token holding only cat.pet must be rejected when both scim.write and scim.read are
 * required; the error message must list both missing scopes.
 */
@Test(expected = InvalidScopeException.class)
public void testValidateScopesMultipleNotPresent() throws Exception {
    try {
        AuthorizationRequest granted = new AuthorizationRequest("client", Collections.singletonList("cat.pet"));
        authentication = new OAuth2Authentication(granted.createOAuth2Request(), null);
        OAuth2AccessToken token = tokenServices.createAccessToken(authentication);
        endpoint.checkToken(token.getValue(), Arrays.asList("scim.write", "scim.read"), request);
    } catch (InvalidScopeException ex) {
        // Check the message, then re-throw so @Test(expected=...) still observes the exception.
        assertEquals(missingScopeMessage("scim.write", "scim.read"), ex.getMessage());
        throw ex;
    }
}
/**
 * Create an invalid-scope error annotated with the scopes that would have been accepted.
 *
 * @param msg        human-readable error description
 * @param validScope the permitted scopes; serialized with {@code OAuth2Utils.formatParameterList}
 *                   and stored as additional information under {@code "scope"}
 */
public InvalidScopeException(String msg, Set<String> validScope) {
    this(msg);
    // The full permitted-scope list is exposed to the recipient of this error.
    addAdditionalInformation("scope", OAuth2Utils.formatParameterList(validScope));
}
/**
 * Reject requested scopes the client is not registered for, optionally treating the client's
 * registered scopes as wildcard patterns.
 *
 * @param requestScopes    scopes asked for in the request; iterated directly, so must not be null
 * @param clientScopes     the client's registered scopes (literal names, or patterns when
 *                         {@code wildCardsAllowed} is true)
 * @param wildCardsAllowed whether {@code clientScopes} may contain wildcards
 * @throws InvalidScopeException if the client has no registered scopes (this variant fails
 *         closed), or if any requested scope is not covered by the client's scopes
 */
private void validateScope(Set<String> requestScopes, Set<String> clientScopes, boolean wildCardsAllowed) {
    // A client with no registered scopes is rejected outright rather than waved through.
    if (clientScopes == null || clientScopes.isEmpty()) {
        throw new InvalidScopeException("Empty scope (client has no registered scopes)");
    }
    // Compile the patterns once, before the loop; only needed in wildcard mode.
    Set<Pattern> wildcards = wildCardsAllowed ? UaaStringUtils.constructWildcards(clientScopes) : null;
    for (String requested : requestScopes) {
        boolean permitted = wildCardsAllowed
                ? UaaStringUtils.matches(wildcards, requested)
                : clientScopes.contains(requested);
        if (!permitted) {
            // The client's registered scopes accompany the error as the "scope" hint.
            throw new InvalidScopeException("Invalid scope: " + requested, clientScopes);
        }
    }
    // Note: an empty request set is not rejected here; it simply passes the loop.
}
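/**
 * Authorization endpoint entry point. Request parameters are first normalised by
 * {@code modifyRequestParameters}; if that rejects the requested scopes, the user agent is sent
 * back to the supplied redirect_uri with an OAuth2 {@code invalid_scope} error instead of
 * continuing into the superclass flow.
 *
 * @param model             view model passed through to the superclass
 * @param requestParameters raw request parameters (mutated in place by modifyRequestParameters)
 * @param sessionStatus     session status passed through to the superclass
 * @param principal         the authenticated user, passed through to the superclass
 * @return the error redirect, or whatever the superclass {@code authorize} returns
 */
@Override
@RequestMapping
public ModelAndView authorize(Map<String, Object> model, @RequestParam Map<String, String> requestParameters,
        SessionStatus sessionStatus, Principal principal) {
    try {
        modifyRequestParameters(requestParameters);
    } catch (InvalidScopeException ise) {
        // NOTE(review): redirect_uri is taken straight from the request and is not checked here
        // against the client's registered redirect URIs. super.authorize() (not visible here) is
        // bypassed on this path, so whatever validation it performs does not apply. RFC 6749
        // §4.1.2.1 forbids redirecting to an unvalidated redirect_uri; confirm the target is
        // validated before this point or reject unregistered URIs outright.
        String redirectUri = requestParameters.get("redirect_uri");
        String base = redirectUri == null ? "" : redirectUri;
        // Fix: use '&' when the URI already has a query string (the old code always used '?'),
        // and percent-encode the description so the exception text cannot add or corrupt
        // query parameters in the redirect target.
        String separator = base.indexOf('?') >= 0 ? "&" : "?";
        String target = base + separator + "error=invalid_scope&error_description="
                + encodeQueryValue(ise.getMessage());
        ModelAndView error = new ModelAndView();
        error.setView(new RedirectView(target));
        return error;
    }
    return super.authorize(model, requestParameters, sessionStatus, principal);
}

/**
 * Percent-encode one query-string value as UTF-8 (application/x-www-form-urlencoded).
 *
 * @param value the raw value; null yields an empty string
 * @return the encoded value, safe to append after {@code name=}
 */
private static String encodeQueryValue(String value) {
    if (value == null) {
        return "";
    }
    try {
        return java.net.URLEncoder.encode(value, "UTF-8");
    } catch (java.io.UnsupportedEncodingException e) {
        // Every JVM is required to support UTF-8, so this cannot happen in practice.
        throw new IllegalStateException(e);
    }
}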
ex = new InvalidScopeException(errorMessage);
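/**
 * Narrow the requested scopes to those the authenticated user may actually be granted.
 *
 * The result is the intersection of three sets: the scopes requested, the client's registered
 * scopes, and the user's authorities plus the identity zone's default groups. Afterwards the
 * client's required-user-groups constraint (from its additional information) is enforced
 * against the user's authorities.
 *
 * @param requestedScopes the scopes requested for this grant
 * @param authorities     the authenticated user's granted authorities
 * @param clientDetails   the client registration whose scopes and required groups apply
 * @return the requested scopes that survive the intersection
 * @throws InvalidScopeException if the intersection is empty while the client does register
 *         scopes, or if the user does not satisfy the client's required-groups criteria
 */
private Set<String> checkUserScopes(Set<String> requestedScopes, Collection<? extends GrantedAuthority> authorities, ClientDetails clientDetails) {
    // What the user is allowed: their own authorities plus the zone-wide default groups.
    Set<String> allowed = new LinkedHashSet<>(AuthorityUtils.authorityListToSet(authorities));
    Collection<String> defaultScopes = IdentityZoneHolder.get().getConfig().getUserConfig().getDefaultGroups();
    allowed.addAll(defaultScopes);

    // Intersection of requested, client-registered and user-allowed scopes.
    Set<String> result = intersectScopes(new LinkedHashSet<>(requestedScopes), clientDetails.getScope(), allowed);

    // Refuse to mint a token with no scopes at all.
    // NOTE(review): when the client itself has no registered scopes an empty result is
    // returned rather than rejected; confirm that is intended.
    if (result.isEmpty() && !clientDetails.getScope().isEmpty()) {
        logger.warn("The requested scopes are invalid");
        throw new InvalidScopeException(requestedScopes + " is invalid. This user is not allowed any of the requested scopes");
    }

    // Client-level gate on the user's group membership, independent of the scope intersection.
    @SuppressWarnings("unchecked") // additional information is an untyped map; assumed to hold a collection of strings here
    Collection<String> requiredUserGroups = ofNullable((Collection<String>) clientDetails.getAdditionalInformation().get(REQUIRED_USER_GROUPS)).orElse(emptySet());
    if (!UaaTokenUtils.hasRequiredUserAuthorities(requiredUserGroups, authorities)) {
        logger.warn("The requested scopes are invalid");
        throw new InvalidScopeException("User does not meet the client's required group criteria.");
    }
    return result;
}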
return new InvalidScopeException(errorMessage);
/**
 * Apply UAA rules to the "scope" request parameter: every requested scope must match one of
 * the client's permitted scope patterns (wildcards honoured). For the client_credentials grant
 * the permitted set is the client's authorities rather than its registered scopes.
 *
 * @param parameters    the token request parameters; only consulted when they contain "scope"
 * @param clientDetails the client whose scopes or authorities define what is permitted
 * @throws InvalidScopeException if any requested scope matches none of the permitted patterns
 */
public void validateParameters(Map<String, String> parameters, ClientDetails clientDetails) {
    if (!parameters.containsKey("scope")) {
        return;
    }
    boolean clientCredentials = GRANT_TYPE_CLIENT_CREDENTIALS.equals(parameters.get("grant_type"));
    Set<String> permitted = clientCredentials
            ? AuthorityUtils.authorityListToSet(clientDetails.getAuthorities())
            : clientDetails.getScope();
    Set<Pattern> patterns = constructWildcards(permitted);
    for (String requested : OAuth2Utils.parseParameterList(parameters.get("scope"))) {
        if (matches(patterns, requested)) {
            continue;
        }
        throw new InvalidScopeException(requested + " is invalid. Please use a valid scope name in the request");
    }
}
throw new InvalidScopeException("Some requested scopes are missing: " + String.join(",", missingScopes));
ex = new InvalidScopeException(errorMessage);
/**
 * Build the authentication for a refreshed token, narrowing its scope to what the refresh
 * request asks for. A refresh may only narrow: any requested scope outside the original grant
 * is rejected, so a refresh token cannot be used to up-scope.
 *
 * @param authentication the authentication behind the original token
 * @param request        the refresh request carrying the (optional) narrower scope
 * @return a new authentication wrapping the refreshed, possibly narrowed, client request
 * @throws InvalidScopeException if the requested scope is not a subset of the original scope
 */
private OAuth2Authentication createRefreshedAuthentication(OAuth2Authentication authentication, TokenRequest request) {
    Set<String> wanted = request.getScope();
    OAuth2Request clientAuth = authentication.getOAuth2Request().refresh(request);
    boolean narrowingRequested = wanted != null && !wanted.isEmpty();
    if (narrowingRequested) {
        Set<String> originalScope = clientAuth.getScope();
        // Every requested scope must already be present in the original grant.
        boolean isSubset = originalScope != null && originalScope.containsAll(wanted);
        if (!isSubset) {
            throw new InvalidScopeException("Unable to narrow the scope of the client authentication to " + wanted + ".", originalScope);
        }
        clientAuth = clientAuth.narrowScope(wanted);
    }
    return new OAuth2Authentication(clientAuth, authentication.getUserAuthentication());
}
throw new InvalidScopeException("Invalid scope requested in chained request", approvedScopes);
throw new InvalidScopeException( "Unable to narrow the scope of the client authentication to " + requestedScopes + ".", new HashSet<>(tokenScopes)
new InvalidScopeException("The requested scopes are invalid. Please use valid scope names in the request."), false), false, true, false);
String errorMsg = "Up-scoping is not allowed."; logger.error(errorMsg); throw new InvalidScopeException(errorMsg);