/**
 * Checks that every requested scope is one the client is registered for, then
 * rejects a request that names no scope at all.
 *
 * When {@code clientScopes} is null or empty the membership check is skipped
 * entirely, so a client with no registered scopes imposes no restriction here;
 * only the emptiness check still applies in that case.
 *
 * @param requestScopes scopes asked for in the request (must not be null)
 * @param clientScopes  scopes registered for the client; may be null or empty
 * @throws InvalidScopeException if a requested scope is not registered for the
 *                               client, or if no scope was requested at all
 */
private void validateScope(Set<String> requestScopes, Set<String> clientScopes) {
    boolean clientIsScoped = clientScopes != null && !clientScopes.isEmpty();
    if (clientIsScoped) {
        // Fail on the first scope outside the client's registration, in request order.
        requestScopes.stream()
                .filter(requested -> !clientScopes.contains(requested))
                .findFirst()
                .ifPresent(unknown -> {
                    throw new InvalidScopeException("Invalid scope: " + unknown, clientScopes);
                });
    }
    if (requestScopes.isEmpty()) {
        throw new InvalidScopeException("Empty scope (either the client or the user is not allowed the requested scopes)");
    }
}
/**
 * Delegates scope matching to {@code scopeService} when both sides are non-empty.
 *
 * No exception is raised when the request carries no scopes or when the client
 * has no registered scopes; both cases pass through this method silently.
 *
 * @param requestedScopes scopes asked for in the request; may be null or empty
 * @param clientScopes    scopes registered for the client; may be null or empty
 * @throws InvalidScopeException if both sets are non-empty and {@code scopeService}
 *                               reports that the requested scopes do not match the client's
 */
private void validateScope(Set<String> requestedScopes, Set<String> clientScopes) throws InvalidScopeException {
    boolean hasRequested = requestedScopes != null && !requestedScopes.isEmpty();
    boolean hasClient = clientScopes != null && !clientScopes.isEmpty();
    if (!hasRequested || !hasClient) {
        return;
    }
    if (!scopeService.scopesMatch(clientScopes, requestedScopes)) {
        throw new InvalidScopeException("Invalid scope; requested:" + requestedScopes, clientScopes);
    }
}
/**
 * Checks each requested scope against the client's registered scopes, either by
 * exact membership or, when {@code wildCardsAllowed} is set, by matching the
 * registered scopes expanded as wildcard patterns.
 *
 * Unlike a plain membership check, a client with no registered scopes is rejected
 * outright rather than treated as unrestricted.
 *
 * @param requestScopes    scopes asked for in the request (must not be null)
 * @param clientScopes     scopes registered for the client
 * @param wildCardsAllowed whether registered scopes are interpreted as wildcard patterns
 * @throws InvalidScopeException if the client has no registered scopes, or if a
 *                               requested scope is not covered by them
 */
private void validateScope(Set<String> requestScopes, Set<String> clientScopes, boolean wildCardsAllowed) {
    if (clientScopes == null || clientScopes.isEmpty()) {
        throw new InvalidScopeException("Empty scope (client has no registered scopes)");
    }
    // Patterns are built once, up front, only when wildcard matching is in effect.
    Set<Pattern> wildcards = wildCardsAllowed ? UaaStringUtils.constructWildcards(clientScopes) : null;
    for (String requested : requestScopes) {
        boolean permitted = wildCardsAllowed
                ? UaaStringUtils.matches(wildcards, requested)
                : clientScopes.contains(requested);
        if (!permitted) {
            throw new InvalidScopeException("Invalid scope: " + requested, clientScopes);
        }
    }
}
ex = new InvalidScopeException(errorMessage);
/**
 * Narrows the requested scopes to those the authenticated user may actually hold.
 *
 * The user's allowed set is their granted authorities plus the current zone's
 * default groups; the result is the intersection of the requested scopes, the
 * client's registered scopes and that allowed set. The method then refuses to
 * grant an empty scope (unless the client itself has no registered scopes) and
 * enforces the client's required user groups, which are read from the client's
 * additional information under {@code REQUIRED_USER_GROUPS}.
 *
 * @param requestedScopes the scopes requested for the token
 * @param authorities     the authenticated user's authorities
 * @param clientDetails   the client the token is being issued to
 * @return the requested scopes reduced to those the user and client both allow
 * @throws InvalidScopeException if nothing remains after intersection while the
 *                               client has registered scopes, or if the user lacks
 *                               the client's required groups
 */
private Set<String> checkUserScopes(Set<String> requestedScopes, Collection<? extends GrantedAuthority> authorities, ClientDetails clientDetails) {
    Set<String> userAllowed = new LinkedHashSet<>(AuthorityUtils.authorityListToSet(authorities));
    // Everyone in the zone implicitly holds the zone's default groups.
    Collection<String> zoneDefaults = IdentityZoneHolder.get().getConfig().getUserConfig().getDefaultGroups();
    userAllowed.addAll(zoneDefaults);

    Set<String> clientScopes = clientDetails.getScope();
    Set<String> granted = intersectScopes(new LinkedHashSet<>(requestedScopes), clientScopes, userAllowed);

    // Never mint a scopeless token for a client that does have registered scopes.
    if (granted.isEmpty() && !clientScopes.isEmpty()) {
        logger.warn("The requested scopes are invalid");
        throw new InvalidScopeException(requestedScopes + " is invalid. This user is not allowed any of the requested scopes");
    }

    // Additional information is an untyped map; the same unchecked cast as before is
    // kept here and assumes the stored value is a collection of strings.
    @SuppressWarnings("unchecked")
    Collection<String> requiredGroups = ofNullable((Collection<String>) clientDetails.getAdditionalInformation().get(REQUIRED_USER_GROUPS)).orElse(emptySet());
    if (!UaaTokenUtils.hasRequiredUserAuthorities(requiredGroups, authorities)) {
        logger.warn("The requested scopes are invalid");
        throw new InvalidScopeException("User does not meet the client's required group criteria.");
    }
    return granted;
}
return new InvalidScopeException(errorMessage);
/**
 * Applies UAA rules to the {@code scope} request parameter, when one is present.
 *
 * The allowed set is the client's registered scopes, except for the client
 * credentials grant, where the client's authorities are used instead. Allowed
 * entries are expanded as wildcard patterns, so a requested scope is accepted
 * when it matches any of them. A request without a {@code scope} parameter is
 * not checked by this method.
 *
 * @param parameters    the raw token request parameters
 * @param clientDetails the requesting client
 * @throws InvalidScopeException if any requested scope matches none of the allowed patterns
 */
public void validateParameters(Map<String, String> parameters, ClientDetails clientDetails) {
    if (!parameters.containsKey("scope")) {
        return;
    }
    boolean clientCredentials = GRANT_TYPE_CLIENT_CREDENTIALS.equals(parameters.get("grant_type"));
    Set<String> allowed = clientCredentials
            ? AuthorityUtils.authorityListToSet(clientDetails.getAuthorities())
            : clientDetails.getScope();
    Set<Pattern> allowedPatterns = constructWildcards(allowed);
    for (String requested : OAuth2Utils.parseParameterList(parameters.get("scope"))) {
        if (!matches(allowedPatterns, requested)) {
            throw new InvalidScopeException(requested + " is invalid. Please use a valid scope name in the request");
        }
    }
}
throw new InvalidScopeException("Some requested scopes are missing: " + String.join(",", missingScopes));
ex = new InvalidScopeException(errorMessage);
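/**
 * Create a refreshed authentication.
 *
 * A refresh may only narrow the original grant: when the refresh request names
 * scopes, each of them must already be present in the scope of the refreshed
 * client request, otherwise the refresh is rejected. A request without scopes
 * keeps the original scope unchanged.
 *
 * @param authentication The authentication to refresh.
 * @param request The token request carrying the (optional) scope for the refreshed token.
 * @return The refreshed authentication: the same user authentication paired with
 *         the refreshed client request, narrowed to the requested scope if one was given.
 * @throws InvalidScopeException If the requested scope contains a scope not present
 *         in the original scope (i.e. it would widen the grant), or if the original
 *         scope is absent.
 */
private OAuth2Authentication createRefreshedAuthentication(OAuth2Authentication authentication, TokenRequest request) {
    Set<String> scope = request.getScope();
    OAuth2Request clientAuth = authentication.getOAuth2Request().refresh(request);
    if (scope != null && !scope.isEmpty()) {
        Set<String> originalScope = clientAuth.getScope();
        // An absent original scope cannot contain anything, so it is treated as a widening attempt.
        if (originalScope == null || !originalScope.containsAll(scope)) {
            throw new InvalidScopeException("Unable to narrow the scope of the client authentication to " + scope + ".", originalScope);
        }
        clientAuth = clientAuth.narrowScope(scope);
    }
    // The result is always rebuilt from the (possibly narrowed) client request;
    // the previous pre-assignment of the input authentication was a dead store.
    return new OAuth2Authentication(clientAuth, authentication.getUserAuthentication());
}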
throw new InvalidScopeException("Invalid scope requested in chained request", approvedScopes);
throw new InvalidScopeException( "Unable to narrow the scope of the client authentication to " + requestedScopes + ".", new HashSet<>(tokenScopes)
new InvalidScopeException("The requested scopes are invalid. Please use valid scope names in the request."), false), false, true, false);
String errorMsg = "Up-scoping is not allowed."; logger.error(errorMsg); throw new InvalidScopeException(errorMsg);
/**
 * Rejects a request that names no scope, and otherwise checks that every
 * requested scope is registered for the client.
 *
 * The membership check only runs when the client has registered scopes; a
 * client with a null or empty registration is not restricted by this method.
 *
 * @param requestScopes scopes asked for in the request (must not be null)
 * @param clientScopes  scopes registered for the client; may be null or empty
 * @throws InvalidScopeException if no scope was requested, or if a requested
 *                               scope is not registered for the client
 */
private void validateScope(Set<String> requestScopes, Set<String> clientScopes) {
    // With no requested scopes the membership loop has nothing to do, so the
    // emptiness failure can be raised first without changing the outcome.
    if (requestScopes.isEmpty()) {
        throw new InvalidScopeException("Empty scope (either the client or the user is not allowed the requested scopes)");
    }
    if (clientScopes == null || clientScopes.isEmpty()) {
        return;
    }
    for (String requested : requestScopes) {
        if (clientScopes.contains(requested)) {
            continue;
        }
        throw new InvalidScopeException("Invalid scope: " + requested, clientScopes);
    }
}
/**
 * Asks {@code scopeService} whether the requested scopes match the client's,
 * but only when both sets are present and non-empty.
 *
 * An empty or null request, or an empty or null client registration, is not
 * an error here and simply passes through.
 *
 * @param requestedScopes scopes asked for in the request; may be null or empty
 * @param clientScopes    scopes registered for the client; may be null or empty
 * @throws InvalidScopeException if both sets are non-empty and they do not match
 *                               according to {@code scopeService}
 */
private void validateScope(Set<String> requestedScopes, Set<String> clientScopes) throws InvalidScopeException {
    if (requestedScopes == null || requestedScopes.isEmpty()) {
        return;
    }
    if (clientScopes == null || clientScopes.isEmpty()) {
        return;
    }
    boolean matched = scopeService.scopesMatch(clientScopes, requestedScopes);
    if (!matched) {
        throw new InvalidScopeException("Invalid scope; requested:" + requestedScopes, clientScopes);
    }
}
/**
 * Builds the authorization request, requiring a non-empty {@code scope}
 * parameter before delegating to the superclass.
 *
 * @param authorizationParameters the raw authorization request parameters
 * @return the authorization request built by the superclass
 * @throws InvalidScopeException if the scope parameter is absent or parses to no scopes
 */
@Override
public AuthorizationRequest createAuthorizationRequest(Map<String, String> authorizationParameters) {
    String rawScope = authorizationParameters.get(OAuth2Utils.SCOPE);
    Set<String> requested = OAuth2Utils.parseParameterList(rawScope);
    if (requested.isEmpty()) {
        throw new InvalidScopeException("scope parameter is required");
    }
    return super.createAuthorizationRequest(authorizationParameters);
}
/**
 * Runs the standard scope validation, then fails if the request carries an
 * {@code invalid_launch} extension; the extension's value becomes the error message.
 *
 * @param authorizationRequest the request under validation
 * @param client               the requesting client
 * @throws InvalidScopeException if the superclass rejects the scopes, or if the
 *                               {@code invalid_launch} extension is present
 */
@Override
public void validateScope(AuthorizationRequest authorizationRequest, ClientDetails client) throws InvalidScopeException {
    super.validateScope(authorizationRequest, client);
    Object invalidLaunch = authorizationRequest.getExtensions().get("invalid_launch");
    if (invalidLaunch == null) {
        return;
    }
    // The extension value is expected to be a String; the cast mirrors that expectation.
    throw new InvalidScopeException((String) invalidLaunch);
}
/**
 * Validates the requested scopes against a scoped client's registration.
 *
 * Unscoped clients are not checked at all. For a scoped client: an empty request
 * is rejected; a request for exactly one scope is rejected when the client holds
 * none of ORCID_PROFILE_CREATE, WEBHOOK, PREMIUM_NOTIFICATION, GROUP_ID_RECORD_READ
 * or GROUP_ID_RECORD_UPDATE and that single scope is not READ_PUBLIC; a single
 * READ_PUBLIC scope is then accepted without consulting the registration, since
 * read-public is the implied read level; every other requested scope must appear
 * in the client's registered scopes.
 *
 * NOTE(review): the single-scope rejection fires regardless of whether that scope
 * is itself registered for the client — confirm this is the intended behaviour.
 *
 * @param clientDetails the requesting client
 * @param scopes        the requested scopes (must not be null)
 * @throws InvalidScopeException on an empty request, on the single-scope rule above,
 *                               or on any requested scope missing from the registration
 */
private void validateScope(ClientDetails clientDetails, Set<String> scopes) {
    if (!clientDetails.isScoped()) {
        return;
    }
    Set<String> registered = clientDetails.getScope();
    if (scopes.isEmpty()) {
        throw new InvalidScopeException("Invalid scope (none)");
    }
    boolean singleScope = scopes.size() == 1;
    boolean holdsSpecialScope = containsAny(registered,
            ScopePathType.ORCID_PROFILE_CREATE,
            ScopePathType.WEBHOOK,
            ScopePathType.PREMIUM_NOTIFICATION,
            ScopePathType.GROUP_ID_RECORD_READ,
            ScopePathType.GROUP_ID_RECORD_UPDATE);
    boolean asksReadPublic = scopes.contains(ScopePathType.READ_PUBLIC.value());
    if (singleScope && !holdsSpecialScope && !asksReadPublic) {
        // Exactly one scope is requested on this path, so the message is always singular.
        throw new InvalidScopeException("Invalid scope: " + OAuth2Utils.formatParameterList(scopes), registered);
    }
    // A lone READ_PUBLIC request is let through regardless of the registration.
    if (singleScope && scopes.iterator().next().equals(ScopePathType.READ_PUBLIC.value())) {
        return;
    }
    for (String requested : scopes) {
        if (!registered.contains(requested)) {
            throw new InvalidScopeException("Invalid scope: " + requested, registered);
        }
    }
}
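/**
 * Create a refreshed authentication.
 *
 * A refresh may only narrow the original grant: when the refresh request names
 * scopes, each of them must already be present in the scope of the refreshed
 * client request, otherwise the refresh is rejected. A request without scopes
 * keeps the original scope unchanged.
 *
 * @param authentication The authentication to refresh.
 * @param request The token request carrying the (optional) scope for the refreshed token.
 * @return The refreshed authentication: the same user authentication paired with
 *         the refreshed client request, narrowed to the requested scope if one was given.
 * @throws InvalidScopeException If the requested scope contains a scope not present
 *         in the original scope (i.e. it would widen the grant), or if the original
 *         scope is absent.
 */
private OAuth2Authentication createRefreshedAuthentication(OAuth2Authentication authentication, TokenRequest request) {
    Set<String> scope = request.getScope();
    OAuth2Request clientAuth = authentication.getOAuth2Request().refresh(request);
    if (scope != null && !scope.isEmpty()) {
        Set<String> originalScope = clientAuth.getScope();
        // An absent original scope cannot contain anything, so it is treated as a widening attempt.
        if (originalScope == null || !originalScope.containsAll(scope)) {
            throw new InvalidScopeException("Unable to narrow the scope of the client authentication to " + scope + ".", originalScope);
        }
        clientAuth = clientAuth.narrowScope(scope);
    }
    // The result is always rebuilt from the (possibly narrowed) client request;
    // the previous pre-assignment of the input authentication was a dead store.
    return new OAuth2Authentication(clientAuth, authentication.getUserAuthentication());
}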