/**
 * Returns the redirect URIs registered for the wrapped client.
 *
 * <p>NOTE(review): the set is handed back exactly as the wrapped client stores it,
 * with no defensive copy and no normalization; callers should treat it as read-only
 * and must not rely on it being canonicalized (scheme case, trailing slash, port).
 *
 * @return the wrapped client's registered redirect URIs, as stored
 * @see org.mitre.oauth2.model.ClientDetailsEntity#getRedirectUris()
 */
public Set<String> getRedirectUris() {
    final Set<String> registered = client.getRedirectUris();
    return registered;
}
/**
/**
 * Pass-through method to fulfill the ClientDetails interface with a bad name.
 *
 * <p>The ClientDetails interface spells this accessor {@code getRegisteredRedirectUri};
 * it yields the very same set as {@link #getRedirectUris()} (not a copy), so the
 * authorization-time redirect check sees exactly what was registered.
 *
 * @return the registered redirect URIs, identical to {@link #getRedirectUris()}
 */
@Override
@Transient
public Set<String> getRegisteredRedirectUri() {
    final Set<String> sameSet = getRedirectUris();
    return sameSet;
}
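/**
 * Validates the redirect URIs of a client being registered.
 *
 * <p>Only clients that use a redirect-based grant type ({@code authorization_code}
 * or {@code implicit}) are checked; any other client passes through untouched even
 * if it carries redirect URIs. A redirect-based client must register at least one
 * redirect URI, and every registered value must:
 * <ul>
 *   <li>not be rejected by the configured blacklist service (checked on the raw
 *       string, before any parsing),</li>
 *   <li>parse as an absolute URI, i.e. carry a scheme (RFC 6749 section 3.1.2
 *       requires an absolute redirection endpoint URI; a relative or unparseable
 *       value has no scheme/authority that could be matched at authorization
 *       time), and</li>
 *   <li>not contain a fragment component ({@code #}).</li>
 * </ul>
 * No scheme restriction (e.g. https-only) and no wildcard check is performed here.
 *
 * @param newClient the client being registered; not modified
 * @return {@code newClient} unchanged, for chaining
 * @throws ValidationException with error {@code invalid_redirect_uri} and HTTP 400
 *         when any rule above is violated
 */
private ClientDetailsEntity validateRedirectUris(ClientDetailsEntity newClient) throws ValidationException {
    final boolean redirectBased = newClient.getGrantTypes().contains("authorization_code")
            || newClient.getGrantTypes().contains("implicit");
    if (!redirectBased) {
        return newClient;
    }

    if (newClient.getRedirectUris() == null || newClient.getRedirectUris().isEmpty()) {
        throw new ValidationException("invalid_redirect_uri",
                "Clients using a redirect-based grant type must register at least one redirect URI.",
                HttpStatus.BAD_REQUEST);
    }

    for (String uri : newClient.getRedirectUris()) {
        if (blacklistService.isBlacklisted(uri)) {
            throw new ValidationException("invalid_redirect_uri",
                    "Redirect URI is not allowed: " + uri, HttpStatus.BAD_REQUEST);
        }
        // Reject relative or malformed values up front: a redirect URI without a
        // scheme cannot be matched safely when an authorization request arrives.
        if (!isAbsoluteUri(uri)) {
            throw new ValidationException("invalid_redirect_uri",
                    "Redirect URI must be an absolute URI: " + uri, HttpStatus.BAD_REQUEST);
        }
        // A '#' anywhere marks a fragment component, which redirect URIs may not carry.
        if (uri.contains("#")) {
            throw new ValidationException("invalid_redirect_uri",
                    "Redirect URI can not have a fragment", HttpStatus.BAD_REQUEST);
        }
    }
    return newClient;
}

/**
 * Returns {@code true} when {@code uri} parses (per {@link java.net.URI}) and is
 * absolute, i.e. has a scheme; unparseable input yields {@code false}.
 */
private static boolean isAbsoluteUri(String uri) {
    try {
        return new java.net.URI(uri).isAbsolute();
    } catch (java.net.URISyntaxException e) {
        return false;
    }
}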
if (client.getRedirectUris().isEmpty()) { throw new IllegalArgumentException("[HEART mode] Authorization code clients must register at least one redirect URI"); if (client.getRedirectUris().isEmpty()) { throw new IllegalArgumentException("[HEART mode] Implicit clients must register at least one redirect URI"); if (!client.getRedirectUris().isEmpty()) { throw new IllegalArgumentException("[HEART mode] Client credentials clients must not register a redirect URI"); if (client.getRedirectUris() != null && !client.getRedirectUris().isEmpty()) { boolean localhost = false; boolean remoteHttps = false; boolean customScheme = false; for (String uri : client.getRedirectUris()) { UriComponents components = UriComponentsBuilder.fromUriString(uri).build(); if (components.getScheme() == null) {
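/**
 * Returns the pairwise subject identifier for {@code userInfo} as seen by
 * {@code client}, creating and persisting one on first use.
 *
 * <p>The sector identifier is the host component of the client's
 * {@code sector_identifier_uri} when one is set; otherwise it is the host of the
 * client's single registered redirect URI. Only the host is used, so scheme and
 * port do not distinguish sectors, and two clients whose sector identifiers resolve
 * to the same host receive the same pairwise identifier for a user.
 * NOTE(review): this relies on the {@code sector_identifier_uri} having been
 * validated against the client's redirect URIs at registration time, which is not
 * done here — confirm in the registration path.
 *
 * <p>Identifiers are fresh random UUIDs, so nothing about the user's real
 * {@code sub} is derivable from the value handed to the client.
 *
 * @param userInfo the user whose identifier is requested; its {@code sub} keys the lookup
 * @param client the client requesting the identifier
 * @return the stored or newly minted pairwise identifier, or {@code null} when no
 *         host could be extracted from the sector identifier or redirect URI
 * @throws IllegalArgumentException when no {@code sector_identifier_uri} is set and
 *         the client does not have exactly one redirect URI (the sector would be
 *         ambiguous)
 */
@Override
public String getIdentifier(UserInfo userInfo, ClientDetailsEntity client) {
    final String sectorIdentifier = resolveSectorIdentifier(client);
    if (sectorIdentifier == null) {
        return null;
    }

    PairwiseIdentifier pairwise = pairwiseIdentifierRepository.getBySectorIdentifier(userInfo.getSub(), sectorIdentifier);
    if (pairwise == null) {
        // First request for this (user, sector) pair: mint a new opaque identifier.
        // NOTE(review): a concurrent first request for the same pair can race this
        // lookup-then-save and persist two identifiers — assumes the repository or a
        // unique constraint on (sub, sector) guards against that; confirm.
        pairwise = new PairwiseIdentifier();
        pairwise.setIdentifier(UUID.randomUUID().toString());
        pairwise.setUserSub(userInfo.getSub());
        pairwise.setSectorIdentifier(sectorIdentifier);
        pairwiseIdentifierRepository.save(pairwise);
    }
    return pairwise.getIdentifier();
}

/**
 * Derives the sector identifier (host only) for {@code client}.
 *
 * @param client the client whose sector is wanted
 * @return the host of the {@code sector_identifier_uri} if set, else the host of
 *         the client's only redirect URI; {@code null} when that URI has no host
 * @throws IllegalArgumentException when no {@code sector_identifier_uri} is set and
 *         the client has zero or more than one redirect URI
 */
private static String resolveSectorIdentifier(ClientDetailsEntity client) {
    final String sectorUri = client.getSectorIdentifierUri();
    if (sectorUri != null && !sectorUri.isEmpty()) {
        // Host component only, as the sector identifier is defined.
        return UriComponentsBuilder.fromUriString(sectorUri).build().getHost();
    }
    final Set<String> redirectUris = client.getRedirectUris();
    if (redirectUris == null || redirectUris.size() != 1) {
        throw new IllegalArgumentException(
                "Pairwise client without a sector_identifier_uri must register exactly one redirect URI, found: "
                        + (redirectUris == null ? 0 : redirectUris.size()));
    }
    return UriComponentsBuilder.fromUriString(redirectUris.iterator().next()).build().getHost();
}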
writer.name(DEVICE_CODE_VALIDITY_SECONDS).value(client.getDeviceCodeValiditySeconds()); writer.name(REDIRECT_URIS); writeNullSafeArray(writer, client.getRedirectUris()); writer.name(CLAIMS_REDIRECT_URIS); writeNullSafeArray(writer, client.getClaimsRedirectUris());
/**
 * Persists every client defined in the application context into the client
 * repository once this bean is constructed.
 *
 * <p>Each client is saved independently: a failure to save one is logged at WARN
 * (with the exception) and neither stops the remaining clients nor fails startup.
 * NOTE(review): a misconfigured client is therefore silently absent at runtime —
 * check the log when a client is unexpectedly unknown. The log lines carry the
 * client id and its redirect URIs only.
 */
@PostConstruct
public void bootstrap() {
    if (definedClients == null || definedClients.isEmpty()) {
        log.info("No OIDC clients are defined in the application context configuration.");
        return;
    }
    for (final ClientDetailsEntity definedClient : definedClients) {
        saveOrLog(definedClient);
    }
}

/** Saves one configured client, logging (rather than propagating) any failure. */
private void saveOrLog(final ClientDetailsEntity definedClient) {
    try {
        log.debug("Attempting to save/update client id [{}] in the repository with redirectUris [{}]",
                definedClient.getClientId(), definedClient.getRedirectUris());
        this.clientRepository.saveClient(definedClient);
        log.info("Updated client id [{}] in the repository successfully", definedClient.getClientId());
    } catch (final Exception e) {
        log.warn("Could not update client id [{}] in the repository", definedClient.getClientId(), e);
    }
}
}
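/**
 * Validates the redirect URIs of a client being registered.
 *
 * <p>Only clients that use a redirect-based grant type ({@code authorization_code}
 * or {@code implicit}) are checked; any other client passes through untouched even
 * if it carries redirect URIs. A redirect-based client must register at least one
 * redirect URI, and every registered value must:
 * <ul>
 *   <li>not be rejected by the configured blacklist service (checked on the raw
 *       string, before any parsing),</li>
 *   <li>parse as an absolute URI, i.e. carry a scheme (RFC 6749 section 3.1.2
 *       requires an absolute redirection endpoint URI; a relative or unparseable
 *       value has no scheme/authority that could be matched at authorization
 *       time), and</li>
 *   <li>not contain a fragment component ({@code #}).</li>
 * </ul>
 * No scheme restriction (e.g. https-only) and no wildcard check is performed here.
 *
 * @param newClient the client being registered; not modified
 * @return {@code newClient} unchanged, for chaining
 * @throws ValidationException with error {@code invalid_redirect_uri} and HTTP 400
 *         when any rule above is violated
 */
private ClientDetailsEntity validateRedirectUris(ClientDetailsEntity newClient) throws ValidationException {
    final boolean redirectBased = newClient.getGrantTypes().contains("authorization_code")
            || newClient.getGrantTypes().contains("implicit");
    if (!redirectBased) {
        return newClient;
    }

    if (newClient.getRedirectUris() == null || newClient.getRedirectUris().isEmpty()) {
        throw new ValidationException("invalid_redirect_uri",
                "Clients using a redirect-based grant type must register at least one redirect URI.",
                HttpStatus.BAD_REQUEST);
    }

    for (String uri : newClient.getRedirectUris()) {
        if (blacklistService.isBlacklisted(uri)) {
            throw new ValidationException("invalid_redirect_uri",
                    "Redirect URI is not allowed: " + uri, HttpStatus.BAD_REQUEST);
        }
        // Reject relative or malformed values up front: a redirect URI without a
        // scheme cannot be matched safely when an authorization request arrives.
        if (!isAbsoluteUri(uri)) {
            throw new ValidationException("invalid_redirect_uri",
                    "Redirect URI must be an absolute URI: " + uri, HttpStatus.BAD_REQUEST);
        }
        // A '#' anywhere marks a fragment component, which redirect URIs may not carry.
        if (uri.contains("#")) {
            throw new ValidationException("invalid_redirect_uri",
                    "Redirect URI can not have a fragment", HttpStatus.BAD_REQUEST);
        }
    }
    return newClient;
}

/**
 * Returns {@code true} when {@code uri} parses (per {@link java.net.URI}) and is
 * absolute, i.e. has a scheme; unparseable input yields {@code false}.
 */
private static boolean isAbsoluteUri(String uri) {
    try {
        return new java.net.URI(uri).isAbsolute();
    } catch (java.net.URISyntaxException e) {
        return false;
    }
}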
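/**
 * Ensures the {@code redirect_uri} in the authorization request, when present, is
 * one of the client's registered redirect URIs.
 *
 * <p>Matching is exact string equality: no normalization, no prefix or wildcard
 * match, no scheme/host/port comparison. That is the strictest form, so a
 * registered {@code https://app.example/cb} does not authorize
 * {@code https://app.example/cb/} or {@code https://app.example/cb?x=1}.
 *
 * <p>A request that carries no {@code redirect_uri} passes this check untouched.
 * NOTE(review): choosing a default URI in that case, and refusing when several are
 * registered, is assumed to happen elsewhere — confirm. A client with no registered
 * URIs (including a {@code null} set, which previously threw NPE) is treated as
 * authorizing nothing, so any supplied value is rejected.
 *
 * @param authorizationRequest the authorization request; its {@code redirect_uri}
 *        is untrusted client-supplied input
 * @param client the client the request is for
 * @throws OIDCException when a {@code redirect_uri} is supplied and is not
 *         registered; the message echoes the supplied value, so do not render it
 *         unescaped
 */
private static void ensureRedirectUriIsAuthorized(final AuthorizationRequest authorizationRequest, final ClientDetailsEntity client) {
    final String requested = authorizationRequest.getRedirectUri();
    if (Strings.isNullOrEmpty(requested)) {
        return;
    }

    boolean found = false;
    // Guard the registered set: a null set must reject, not NPE.
    if (client.getRedirectUris() != null) {
        for (final String candidate : client.getRedirectUris()) {
            // requested is non-null here, so compare from its side to tolerate null entries.
            if (requested.equals(candidate)) {
                found = true;
                break;
            }
        }
    }
    if (!found) {
        throw new OIDCException("Redirect uri in the authorization request " + requested
                + " is not registered for client " + client.getClientId());
    }
}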
if (client.getRedirectUris().isEmpty()) { throw new IllegalArgumentException("[HEART mode] Authorization code clients must register at least one redirect URI"); if (client.getRedirectUris().isEmpty()) { throw new IllegalArgumentException("[HEART mode] Implicit clients must register at least one redirect URI"); if (!client.getRedirectUris().isEmpty()) { throw new IllegalArgumentException("[HEART mode] Client credentials clients must not register a redirect URI"); if (client.getRedirectUris() != null && !client.getRedirectUris().isEmpty()) { boolean localhost = false; boolean remoteHttps = false; boolean customScheme = false; for (String uri : client.getRedirectUris()) { UriComponents components = UriComponentsBuilder.fromUriString(uri).build(); if (components.getScheme() == null) {
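/**
 * Returns the pairwise subject identifier for {@code userInfo} as seen by
 * {@code client}, creating and persisting one on first use.
 *
 * <p>The sector identifier is the host component of the client's
 * {@code sector_identifier_uri} when one is set; otherwise it is the host of the
 * client's single registered redirect URI. Only the host is used, so scheme and
 * port do not distinguish sectors, and two clients whose sector identifiers resolve
 * to the same host receive the same pairwise identifier for a user.
 * NOTE(review): this relies on the {@code sector_identifier_uri} having been
 * validated against the client's redirect URIs at registration time, which is not
 * done here — confirm in the registration path.
 *
 * <p>Identifiers are fresh random UUIDs, so nothing about the user's real
 * {@code sub} is derivable from the value handed to the client.
 *
 * @param userInfo the user whose identifier is requested; its {@code sub} keys the lookup
 * @param client the client requesting the identifier
 * @return the stored or newly minted pairwise identifier, or {@code null} when no
 *         host could be extracted from the sector identifier or redirect URI
 * @throws IllegalArgumentException when no {@code sector_identifier_uri} is set and
 *         the client does not have exactly one redirect URI (the sector would be
 *         ambiguous)
 */
@Override
public String getIdentifier(UserInfo userInfo, ClientDetailsEntity client) {
    final String sectorIdentifier = resolveSectorIdentifier(client);
    if (sectorIdentifier == null) {
        return null;
    }

    PairwiseIdentifier pairwise = pairwiseIdentifierRepository.getBySectorIdentifier(userInfo.getSub(), sectorIdentifier);
    if (pairwise == null) {
        // First request for this (user, sector) pair: mint a new opaque identifier.
        // NOTE(review): a concurrent first request for the same pair can race this
        // lookup-then-save and persist two identifiers — assumes the repository or a
        // unique constraint on (sub, sector) guards against that; confirm.
        pairwise = new PairwiseIdentifier();
        pairwise.setIdentifier(UUID.randomUUID().toString());
        pairwise.setUserSub(userInfo.getSub());
        pairwise.setSectorIdentifier(sectorIdentifier);
        pairwiseIdentifierRepository.save(pairwise);
    }
    return pairwise.getIdentifier();
}

/**
 * Derives the sector identifier (host only) for {@code client}.
 *
 * @param client the client whose sector is wanted
 * @return the host of the {@code sector_identifier_uri} if set, else the host of
 *         the client's only redirect URI; {@code null} when that URI has no host
 * @throws IllegalArgumentException when no {@code sector_identifier_uri} is set and
 *         the client has zero or more than one redirect URI
 */
private static String resolveSectorIdentifier(ClientDetailsEntity client) {
    final String sectorUri = client.getSectorIdentifierUri();
    if (sectorUri != null && !sectorUri.isEmpty()) {
        // Host component only, as the sector identifier is defined.
        return UriComponentsBuilder.fromUriString(sectorUri).build().getHost();
    }
    final Set<String> redirectUris = client.getRedirectUris();
    if (redirectUris == null || redirectUris.size() != 1) {
        throw new IllegalArgumentException(
                "Pairwise client without a sector_identifier_uri must register exactly one redirect URI, found: "
                        + (redirectUris == null ? 0 : redirectUris.size()));
    }
    return UriComponentsBuilder.fromUriString(redirectUris.iterator().next()).build().getHost();
}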
writer.name(DEVICE_CODE_VALIDITY_SECONDS).value(client.getDeviceCodeValiditySeconds()); writer.name(REDIRECT_URIS); writeNullSafeArray(writer, client.getRedirectUris()); writer.name(CLAIMS_REDIRECT_URIS); writeNullSafeArray(writer, client.getClaimsRedirectUris());