/**
 * Builds the {@link OAuth2Authentication} for this granter straight from the
 * request parameters.
 *
 * <p>The user name is the {@code username} parameter, or {@code "guest"} when
 * it is absent. The authorities are whatever the {@code authorities} parameter
 * lists (split by {@link OAuth2Utils#parseParameterList}), or
 * {@link AuthorityUtils#NO_AUTHORITIES} when it is absent. The user token is
 * created with the placeholder credential {@code "N/A"}.
 *
 * <p>NOTE(review): both the identity and the authorities are caller-supplied,
 * so anyone who can reach this granter picks their own authorities. Confirm it
 * is only wired into test or otherwise trusted configurations.
 *
 * @param client the client the token is being issued for
 * @param tokenRequest the incoming token request
 * @return the combined client / user authentication
 */
protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest) {
    Map<String, String> params = tokenRequest.getRequestParameters();

    String username = "guest";
    if (params.containsKey("username")) {
        username = params.get("username");
    }

    List<GrantedAuthority> authorities = AuthorityUtils.NO_AUTHORITIES;
    if (params.containsKey("authorities")) {
        String[] names = OAuth2Utils.parseParameterList(params.get("authorities")).toArray(new String[0]);
        authorities = AuthorityUtils.createAuthorityList(names);
    }

    Authentication user = new UsernamePasswordAuthenticationToken(username, "N/A", authorities);
    OAuth2Request oauth2Request = tokenRequest.createOAuth2Request(client);
    return new OAuth2Authentication(oauth2Request, user);
}
}
/**
 * Grants a token through the superclass, but on a freshly constructed
 * {@link TokenRequest} rather than the instance the caller handed in.
 *
 * <p>The copy carries the same request parameters, client id, scope and grant
 * type; presumably the point is that {@code super.grant} only ever sees a plain
 * {@code TokenRequest} (and not some subclass) — confirm against the callers.
 *
 * @param grantType the grant type being exercised
 * @param tokenRequest the incoming request; it is read, never modified
 * @return the result of {@code super.grant} for the copied request
 */
@Override
public OAuth2AccessToken grant(String grantType, TokenRequest tokenRequest) {
    TokenRequest plainCopy = new TokenRequest(
            tokenRequest.getRequestParameters(),
            tokenRequest.getClientId(),
            tokenRequest.getScope(),
            tokenRequest.getGrantType());
    return super.grant(grantType, plainCopy);
}
/**
 * Creates an implicit-flow token request that pairs an ordinary
 * {@link TokenRequest} with the {@link OAuth2Request} already built for it.
 *
 * <p>The request parameters, client id, scope and grant type are copied into
 * the superclass; the authorization request is kept in {@code oauth2Request}.
 *
 * @param tokenRequest the request whose fields are copied
 * @param oauth2Request the previously built authorization request to carry along
 */
public ImplicitTokenRequest(TokenRequest tokenRequest, OAuth2Request oauth2Request) {
    super(tokenRequest.getRequestParameters(), tokenRequest.getClientId(), tokenRequest.getScope(), tokenRequest.getGrantType());
    this.oauth2Request = oauth2Request;
}
/**
 * Converts this token request into an approved {@link OAuth2Request} for the
 * given client.
 *
 * <p>The request parameters are copied before anything is touched, so this
 * request itself is left unchanged. The copy has {@code password} and
 * {@code client_secret} removed — the credentials must not be carried on the
 * resulting request — and {@code grant_type} added from this request's grant
 * type so it can be read back from the {@code OAuth2Request}. The client id,
 * authorities and resource ids come from {@code client}; the scope from this
 * request. Redirect URI, response types and extension properties are not set.
 *
 * @param client the client the request is being created for
 * @return a new {@code OAuth2Request} flagged as approved
 */
public OAuth2Request createOAuth2Request(ClientDetails client) {
    Map<String, String> sanitized = new HashMap<String, String>(getRequestParameters());
    // Credentials never travel on the OAuth2Request.
    sanitized.remove("password");
    sanitized.remove("client_secret");
    // The grant type is otherwise not recoverable from the OAuth2Request.
    sanitized.put("grant_type", grantType);
    return new OAuth2Request(
            sanitized,
            client.getClientId(),
            client.getAuthorities(),
            true,
            getScope(),
            client.getResourceIds(),
            null,
            null,
            null);
}
/**
 * Test fixture: clears {@code oauth_code}, builds the stores under test and
 * prepares three {@link OAuth2Authentication}s for one client registered for
 * the {@code client_credentials} and {@code password} grants:
 * <ul>
 *   <li>{@code clientAuthentication} — client_credentials, no user;</li>
 *   <li>{@code usernamePasswordAuthentication} — password grant with a plain
 *       {@link UsernamePasswordAuthenticationToken};</li>
 *   <li>{@code uaaAuthentication} — password grant with a
 *       {@link UaaAuthentication} whose details come from a mock request sent
 *       from 127.0.0.1.</li>
 * </ul>
 * The user authentications both carry the single {@code openid} authority.
 *
 * @throws Exception propagated from the setup steps
 */
@Before
public void createTokenStore() throws Exception {
    jdbcTemplate.update("delete from oauth_code");

    store = new UaaTokenStore(dataSource);
    legacyCodeServices = new JdbcAuthorizationCodeServices(dataSource);

    List<GrantedAuthority> openidAuthority = Arrays.<GrantedAuthority>asList(new SimpleGrantedAuthority("openid"));
    BaseClientDetails client = new BaseClientDetails("clientid", null, "openid", "client_credentials,password", "oauth.login", null);

    Map<String, String> params = new HashMap<>();
    params.put(OAuth2Utils.CLIENT_ID, client.getClientId());

    // 1. client_credentials: the user side of the authentication is null.
    TokenRequest clientCredentialsRequest = new TokenRequest(
            new HashMap<>(params),
            client.getClientId(),
            UaaStringUtils.getStringsFromAuthorities(client.getAuthorities()),
            "client_credentials");
    clientAuthentication = new OAuth2Authentication(clientCredentialsRequest.createOAuth2Request(client), null);

    // 2. password grant with a plain Spring user token.
    params.put("scope", "openid");
    params.put("grant_type", "password");
    TokenRequest passwordRequest = new TokenRequest(new HashMap<>(params), client.getClientId(), client.getScope(), "password");
    UsernamePasswordAuthenticationToken springUser = new UsernamePasswordAuthenticationToken(principal, null, openidAuthority);
    usernamePasswordAuthentication = new OAuth2Authentication(passwordRequest.createOAuth2Request(client), springUser);

    // 3. password grant with a UAA user token carrying request details.
    MockHttpServletRequest servletRequest = new MockHttpServletRequest();
    servletRequest.setRemoteAddr("127.0.0.1");
    UaaAuthentication uaaUser = new UaaAuthentication(principal, openidAuthority, new UaaAuthenticationDetails(servletRequest));
    uaaAuthentication = new OAuth2Authentication(passwordRequest.createOAuth2Request(client), uaaUser);
}
@Override protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest) { Map<String, String> parameters = tokenRequest.getRequestParameters(); String authorizationCode = parameters.get("code"); String redirectUri = parameters.get(OAuth2Utils.REDIRECT_URI); String clientId = tokenRequest.getClientId(); if (clientId != null && !clientId.equals(pendingClientId)) {
/**
 * Exchanges a refresh token for a new access token.
 *
 * <p>The {@code refresh_token} value is read from the request parameters and
 * passed, together with the full token request, to the token services; no
 * validation happens in this method.
 *
 * @param client the authenticated client (not consulted here)
 * @param tokenRequest the request carrying the {@code refresh_token} parameter
 * @return the refreshed access token as returned by the token services
 */
@Override
protected OAuth2AccessToken getAccessToken(ClientDetails client, TokenRequest tokenRequest) {
    String refreshTokenValue = tokenRequest.getRequestParameters().get("refresh_token");
    return getTokenServices().refreshAccessToken(refreshTokenValue, tokenRequest);
}
/**
 * Assembles a {@link TokenRequest} from raw token-endpoint parameters on behalf
 * of the client that authenticated at the endpoint.
 *
 * <p>{@code client_id} is optional in the parameters: when absent the
 * authenticated client's id is used; when present it must equal the
 * authenticated client's id, otherwise the request is rejected so that one
 * client cannot ask for tokens under another client's id. Scopes are resolved
 * by {@code extractScopes} for that client id and the grant type is taken
 * verbatim from {@code grant_type}.
 *
 * @param requestParameters the raw parameters sent to the token endpoint
 * @param authenticatedClient the client that authenticated at the endpoint
 * @return the assembled token request
 * @throws InvalidClientException if {@code client_id} is present but differs
 *         from the authenticated client's id
 */
public TokenRequest createTokenRequest(Map<String, String> requestParameters, ClientDetails authenticatedClient) {
    String authenticatedClientId = authenticatedClient.getClientId();
    String clientId = requestParameters.get(OAuth2Utils.CLIENT_ID);
    if (clientId == null) {
        // Not supplied explicitly: the caller is the client that authenticated.
        clientId = authenticatedClientId;
    } else if (!clientId.equals(authenticatedClientId)) {
        // Supplied explicitly: it must be the authenticated client's own id.
        throw new InvalidClientException("Given client ID does not match authenticated client");
    }
    String grantType = requestParameters.get(OAuth2Utils.GRANT_TYPE);
    Set<String> scopes = extractScopes(requestParameters, clientId);
    return new TokenRequest(requestParameters, clientId, scopes, grantType);
}
Set<String> requestedScopes = request.getScope().isEmpty() ? Sets.newHashSet(tokenScopes) : request.getScope(); Map<String, String> requestParams = request.getRequestParameters(); String requestedTokenFormat = requestParams.get(REQUEST_TOKEN_FORMAT); String requestedClientId = request.getClientId();
/**
 * Creates the {@link OAuth2Request} for a token request by delegating to
 * {@link TokenRequest#createOAuth2Request(ClientDetails)}; nothing is added or
 * altered on the way through.
 *
 * @param client the client the request is being created for
 * @param tokenRequest the token request to convert
 * @return the request produced by {@code tokenRequest}
 */
public OAuth2Request createOAuth2Request(ClientDetails client, TokenRequest tokenRequest) {
    OAuth2Request converted = tokenRequest.createOAuth2Request(client);
    return converted;
}
if (!clientId.equals(tokenRequest.getClientId())) { oAuth2RequestValidator.validateScope(tokenRequest, authenticatedClient); if (!StringUtils.hasText(tokenRequest.getGrantType())) { throw new InvalidRequestException("Missing grant type"); if (tokenRequest.getGrantType().equals("implicit")) { throw new InvalidGrantException("Implicit grant type not supported from token endpoint"); if (!tokenRequest.getScope().isEmpty()) { logger.debug("Clearing scope of incoming token request"); tokenRequest.setScope(Collections.<String> emptySet()); tokenRequest.setScope(OAuth2Utils.parseParameterList(parameters.get(OAuth2Utils.SCOPE))); OAuth2AccessToken token = getTokenGranter().grant(tokenRequest.getGrantType(), tokenRequest); if (token == null) { throw new UnsupportedGrantTypeException("Unsupported grant type: " + tokenRequest.getGrantType());
@Override protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest) throws AuthenticationException, InvalidTokenException { String incomingTokenValue = tokenRequest.getRequestParameters().get("token"); OAuth2AccessTokenEntity incomingToken = tokenServices.readAccessToken(incomingTokenValue); Set<String> requestedScopes = tokenRequest.getScope(); tokenRequest.setScope(approvedScopes); } else { tokenRequest.setScope(Sets.intersection(requestedScopes, approvedScopes));
/**
 * Validates the scopes on a token request against the client they must be
 * drawn from, choosing that client by grant type (compared case-insensitively).
 *
 * <ul>
 *   <li>{@code client_credentials}: the requested scopes are checked against
 *       {@code client}'s authorities (converted by {@code getAuthorities}), with
 *       the third-argument flag of the three-argument overload set to
 *       {@code false}.</li>
 *   <li>{@code user_token}: the client checked against is NOT the {@code client}
 *       argument but the one named by the {@code client_id} request parameter,
 *       loaded in the current identity zone; its registered scopes are used
 *       with the flag set to {@code true}.</li>
 *   <li>any other grant type: {@code client}'s registered scopes, flag
 *       {@code true}.</li>
 * </ul>
 * The meaning of the boolean flag is defined by the three-argument overload,
 * which is not visible here.
 *
 * @param tokenRequest the request whose scopes are validated
 * @param client the authenticated client
 * @throws InvalidScopeException if the requested scopes are not permitted
 */
public void validateScope(TokenRequest tokenRequest, ClientDetails client) throws InvalidScopeException {
    String grantType = tokenRequest.getGrantType();
    if (GRANT_TYPE_CLIENT_CREDENTIALS.equalsIgnoreCase(grantType)) {
        validateScope(tokenRequest.getScope(), getAuthorities(client.getAuthorities()), false);
        return;
    }
    ClientDetails scopeSource = client;
    if (GRANT_TYPE_USER_TOKEN.equalsIgnoreCase(grantType)) {
        // For user_token the receiving client is the one named in the request, not the caller.
        String receivingClientId = tokenRequest.getRequestParameters().get(CLIENT_ID);
        scopeSource = clientDetailsService.loadClientByClientId(receivingClientId, IdentityZoneHolder.get().getId());
    }
    validateScope(tokenRequest.getScope(), scopeSource.getScope(), true);
}
ClientDetailsEntity requestingClient = clientDetailsService.loadClientByClientId(authRequest.getClientId()); if (!client.getClientId().equals(requestingClient.getClientId())) { tokenRepository.removeRefreshToken(refreshToken); Set<String> scopeRequested = authRequest.getScope() == null ? new HashSet<String>() : new HashSet<>(authRequest.getScope()); Set<SystemScope> scope = scopeService.fromStrings(scopeRequested);
/**
 * Issues an access token for a request of this granter's grant type.
 *
 * <p>Requests for any other grant type yield {@code null} (presumably so a
 * composite granter can move on to the next one — confirm against the caller).
 * Otherwise the client is loaded by the request's client id, checked with
 * {@code validateGrantType} before any token is created, and the actual token
 * is produced by {@code getAccessToken}.
 *
 * @param grantType the grant type being exercised
 * @param tokenRequest the incoming request
 * @return the access token, or {@code null} if {@code grantType} is not this granter's
 */
public OAuth2AccessToken grant(String grantType, TokenRequest tokenRequest) {
    boolean mine = this.grantType.equals(grantType);
    if (!mine) {
        return null;
    }
    String clientId = tokenRequest.getClientId();
    ClientDetails client = clientDetailsService.loadClientByClientId(clientId);
    // Grant-type check happens before anything is issued.
    validateGrantType(grantType, client);
    if (logger.isDebugEnabled()) {
        logger.debug("Getting access token for: " + clientId);
    }
    return getAccessToken(client, tokenRequest);
}
/**
 * Validates the requested scopes against the client's registered scopes by
 * delegating to the two-argument {@code validateScope(Set, Set)} overload.
 * The grant type on the request is not consulted.
 *
 * @param tokenRequest the request whose scopes are validated
 * @param client the client whose registered scopes are the allowed set
 * @throws InvalidScopeException if the requested scopes are not permitted
 */
public void validateScope(TokenRequest tokenRequest, ClientDetails client) throws InvalidScopeException {
    validateScope(tokenRequest.getScope(), client.getScope());
}
/**
 * Redeems a device code for an {@link OAuth2Authentication}.
 *
 * <p>The {@code device_code} parameter is looked up for the client. Unknown
 * codes are rejected; expired codes (expiration set and before now) are cleared
 * and rejected; codes the user has not yet approved are rejected but kept so
 * the caller can poll again. An approved code makes the token request inherit
 * the scope approved on the code, yields an authentication built from the
 * request factory and the user authentication stored on the code, and is then
 * cleared — a code can be redeemed once.
 *
 * <p>Note that all three error messages echo the submitted device code value.
 *
 * @param client the client redeeming the code
 * @param tokenRequest the request carrying {@code device_code}; its scope is overwritten on success
 * @return the authentication for the approved code
 * @throws InvalidGrantException if no code is found for this client
 * @throws DeviceCodeExpiredException if the code has passed its expiration
 * @throws AuthorizationPendingException if the user has not approved the code yet
 */
@Override
protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest) {
    String deviceCode = tokenRequest.getRequestParameters().get("device_code");
    DeviceCode dc = deviceCodeService.findDeviceCode(deviceCode, client);
    if (dc == null) {
        throw new InvalidGrantException("Invalid device code: " + deviceCode);
    }

    Date expiration = dc.getExpiration();
    if (expiration != null && expiration.before(new Date())) {
        // An expired code is removed before the rejection is reported.
        deviceCodeService.clearDeviceCode(deviceCode, client);
        throw new DeviceCodeExpiredException("Device code has expired " + deviceCode);
    }
    if (!dc.isApproved()) {
        // Not cleared: the user may still approve it.
        throw new AuthorizationPendingException("Authorization pending for code " + deviceCode);
    }

    // Approved: the token request takes over the scope the user approved.
    tokenRequest.setScope(dc.getScope());
    OAuth2Request oauth2Request = getRequestFactory().createOAuth2Request(client, tokenRequest);
    OAuth2Authentication auth = new OAuth2Authentication(oauth2Request, dc.getAuthenticationHolder().getUserAuth());
    // Consume the code so it cannot be redeemed again.
    deviceCodeService.clearDeviceCode(deviceCode, client);
    return auth;
}
requestFactory = mock(OAuth2RequestFactory.class); granter = spy(new JwtTokenGranter(tokenServices, clientDetailsService, requestFactory)); tokenRequest = new TokenRequest(Collections.emptyMap(), "client_ID", Collections.emptySet(), GRANT_TYPE_JWT_BEARER); requestParameters.put(OAuth2Utils.CLIENT_ID, client.getClientId()); requestParameters.put(GRANT_TYPE, GRANT_TYPE_JWT_BEARER); tokenRequest.setRequestParameters(requestParameters);
/**
 * Checks that a {@code user_token} request is allowed in the current security
 * context and returns the user authentication it will be issued for.
 *
 * <p>Six checks run in order and each failure throws:
 * <ol>
 *   <li>the security context holds an authenticated {@link UaaOauth2Authentication};</li>
 *   <li>that authentication wraps an authenticated user (not only a client);</li>
 *   <li>the {@code requesting_client_id} parameter is present;</li>
 *   <li>the grant type is {@code user_token};</li>
 *   <li>the requesting client (loaded from {@code requesting_client_id} in the
 *       current identity zone) is allowed the {@code user_token} grant;</li>
 *   <li>the receiving client (loaded from {@code client_id} in the same zone)
 *       is allowed the {@code refresh_token} grant.</li>
 * </ol>
 *
 * @param request the incoming token request
 * @return the authenticated user from the security context
 * @throws InsufficientAuthenticationException for checks 1 and 2
 * @throws InvalidGrantException for checks 3 and 4; checks 5 and 6 throw
 *         whatever {@code validateGrantType} throws
 */
protected Authentication validateRequest(TokenRequest request) {
    // 1. A UAA OAuth2 authentication must be present and authenticated.
    Authentication current = SecurityContextHolder.getContext().getAuthentication();
    boolean usable = current != null
            && current.isAuthenticated()
            && current instanceof UaaOauth2Authentication;
    if (!usable) {
        throw new InsufficientAuthenticationException("Invalid authentication object:" + current);
    }
    UaaOauth2Authentication oauth2Authentication = (UaaOauth2Authentication) current;

    // 2. It must carry an authenticated user, not just a client.
    Authentication userAuthentication = oauth2Authentication.getUserAuthentication();
    if (userAuthentication == null || !userAuthentication.isAuthenticated()) {
        throw new InsufficientAuthenticationException("Authentication containing a user is required");
    }

    // 3. requesting_client_id is mandatory.
    if (request.getRequestParameters() == null
            || request.getRequestParameters().get(USER_TOKEN_REQUESTING_CLIENT_ID) == null) {
        throw new InvalidGrantException("Parameter " + USER_TOKEN_REQUESTING_CLIENT_ID + " is required.");
    }

    // 4. Only the user_token grant is handled here.
    if (!TokenConstants.GRANT_TYPE_USER_TOKEN.equals(request.getGrantType())) {
        throw new InvalidGrantException("Invalid grant type");
    }

    String zoneId = IdentityZoneHolder.get().getId();

    // 5. The client asking must itself be registered for user_token.
    String requestingClientId = request.getRequestParameters().get(USER_TOKEN_REQUESTING_CLIENT_ID);
    ClientDetails requesting = clientDetailsService.loadClientByClientId(requestingClientId, zoneId);
    super.validateGrantType(GRANT_TYPE_USER_TOKEN, requesting);

    // 6. The client receiving the token must be registered for refresh_token.
    String receivingClientId = request.getRequestParameters().get(CLIENT_ID);
    ClientDetails receiving = clientDetailsService.loadClientByClientId(receivingClientId, zoneId);
    super.validateGrantType(GRANT_TYPE_REFRESH_TOKEN, receiving);

    return userAuthentication;
}
TokenRequest tokenRequest = new TokenRequest(MapUtil.newHashMap(), clientId, clientDetails.getScope(), "mobile"); OAuth2Request oAuth2Request = tokenRequest.createOAuth2Request(clientDetails); OAuth2Authentication oAuth2Authentication = new OAuth2Authentication(oAuth2Request, authentication); OAuth2AccessToken oAuth2AccessToken = authorizationServerTokenServices.createAccessToken(oAuth2Authentication);