@Test
public void constructorWhenAllParametersProvidedAndValidThenCreated() {
    // Given a full, valid set of constructor arguments, every accessor must hand back
    // exactly what was passed in (the additional parameters may be a superset-preserving copy).
    OidcUserRequest request = new OidcUserRequest(
            this.clientRegistration, this.accessToken, this.idToken, this.additionalParameters);

    assertThat(request.getClientRegistration()).isEqualTo(this.clientRegistration);
    assertThat(request.getAccessToken()).isEqualTo(this.accessToken);
    assertThat(request.getIdToken()).isEqualTo(this.idToken);
    assertThat(request.getAdditionalParameters()).containsAllEntriesOf(this.additionalParameters);
}
}
/**
 * Decides whether the UserInfo Endpoint should be called for this request.
 * <p>
 * Returns {@code true} only when a UserInfo Endpoint URI is configured, the flow is the
 * Authorization Code Grant, and the granted scopes overlap with the UserInfo scopes.
 *
 * @param userRequest the user request holding the client registration and access token
 * @return whether the UserInfo Endpoint should be queried
 */
private boolean shouldRetrieveUserInfo(OidcUserRequest userRequest) {
    // No UserInfo Endpoint configured for this provider: nothing to retrieve.
    String userInfoUri = userRequest.getClientRegistration().getProviderDetails()
            .getUserInfoEndpoint().getUri();
    if (StringUtils.isEmpty(userInfoUri)) {
        return false;
    }
    // OpenID Connect Core, Section 5.3.2: the claims behind the profile, email, address and
    // phone scopes come from the UserInfo Endpoint only when the flow issues an Access Token.
    // response_type=id_token issues none (those claims travel in the ID Token instead), whereas
    // the Authorization Code Grant (response_type=code) always does.
    boolean accessTokenIssued = AuthorizationGrantType.AUTHORIZATION_CODE.equals(
            userRequest.getClientRegistration().getAuthorizationGrantType());
    if (!accessTokenIssued) {
        return false;
    }
    // Worth a round trip only if at least one granted scope is served by the UserInfo Endpoint.
    return CollectionUtils.containsAny(userRequest.getAccessToken().getScopes(), this.userInfoScopes);
}
.containsAny(userRequest.getAccessToken().getScopes(), userRequest.getClientRegistration().getScopes());
Jwt token = parseJwt(userRequest.getAccessToken().getTokenValue());
/**
 * Loads the user through the parent service and, for the "Okta" client registration only,
 * enriches the granted authorities with scope-derived and group-claim-derived authorities.
 * <p>
 * Requests for any other client registration are returned exactly as the parent produced them.
 *
 * @param userRequest the OIDC user request (client registration, access token, ID token)
 * @return the loaded user, with merged authorities when the registration is "Okta"
 * @throws OAuth2AuthenticationException if the parent service fails to load the user
 */
@Override
public OidcUser loadUser(OidcUserRequest userRequest) throws OAuth2AuthenticationException {
    OidcUser delegateUser = super.loadUser(userRequest);

    // Post-processing is scoped to the "Okta" registration; everything else passes through.
    boolean oktaRegistration = "Okta".equals(userRequest.getClientRegistration().getClientName());
    if (!oktaRegistration) {
        return delegateUser;
    }

    // Merge three sources: authorities already granted by the parent, 'SCOPE_' authorities
    // derived from the access token, and authorities derived from the configured group claim.
    Set<GrantedAuthority> mergedAuthorities = new HashSet<>(delegateUser.getAuthorities());
    mergedAuthorities.addAll(TokenUtil.tokenScopesToAuthorities(userRequest.getAccessToken()));
    mergedAuthorities.addAll(TokenUtil.tokenClaimsToAuthorities(delegateUser.getAttributes(), groupClaim));

    // Honour the registration's configured user-name attribute when one is set; otherwise
    // fall back to the DefaultOidcUser default.
    String nameAttribute = userRequest.getClientRegistration().getProviderDetails()
            .getUserInfoEndpoint().getUserNameAttributeName();
    if (StringUtils.hasText(nameAttribute)) {
        return new DefaultOidcUser(mergedAuthorities, delegateUser.getIdToken(),
                delegateUser.getUserInfo(), nameAttribute);
    }
    return new DefaultOidcUser(mergedAuthorities, delegateUser.getIdToken(), delegateUser.getUserInfo());
}
}
/**
 * Decides whether the UserInfo Endpoint should be called for this request.
 * <p>
 * All three conditions must hold: a UserInfo Endpoint URI is configured, the grant type is the
 * Authorization Code Grant, and at least one granted scope is a UserInfo scope.
 *
 * @param userRequest the user request holding the client registration and access token
 * @return whether the UserInfo Endpoint should be queried
 */
private boolean shouldRetrieveUserInfo(OidcUserRequest userRequest) {
    // Retrieval is auto-disabled when the provider has no UserInfo Endpoint URI.
    String userInfoUri = userRequest.getClientRegistration().getProviderDetails()
            .getUserInfoEndpoint().getUri();
    if (StringUtils.isEmpty(userInfoUri)) {
        return false;
    }
    // OpenID Connect Core, Section 5.3.2: UserInfo serves the profile/email/address/phone claims
    // only for flows that issue an Access Token. response_type=id_token does not (claims are in
    // the ID Token); the Authorization Code Grant (response_type=code) does.
    if (!AuthorizationGrantType.AUTHORIZATION_CODE.equals(
            userRequest.getClientRegistration().getAuthorizationGrantType())) {
        return false;
    }
    // Only call the endpoint when the granted scopes and the UserInfo scopes overlap.
    return CollectionUtils.containsAny(userRequest.getAccessToken().getScopes(), this.userInfoScopes);
}
.containsAny(userRequest.getAccessToken().getScopes(), userRequest.getClientRegistration().getScopes());