/**
 * Validates the scopes carried by an authorization request against the scopes registered for
 * the client, by delegating to the set-based {@code validateScope} overload.
 *
 * @param authorizationRequest the request whose requested scope set is checked
 * @param client the client whose registered scope set bounds what may be requested
 * @throws InvalidScopeException propagated from the overload when a requested scope is not allowed
 */
public void validateScope(AuthorizationRequest authorizationRequest, ClientDetails client) throws InvalidScopeException {
    // The request supplies the requested scopes, the client registration the permitted ones;
    // all the actual checking lives in the two-set overload.
    this.validateScope(authorizationRequest.getScope(), client.getScope());
}
/**
 * Builds the model presented on the user-approval page: every request parameter of the
 * authorization request, plus a {@code "scopes"} entry mapping each requested scope (prefixed
 * with {@code scopePrefix}) to {@code "true"} or {@code "false"} according to the approvals
 * already stored for this user and client.
 *
 * @param authorizationRequest the pending authorization request
 * @param userAuthentication the authenticated resource owner whose stored approvals are consulted
 * @return a mutable model map; the {@code "scopes"} value keeps the request's scope order
 */
@Override
public Map<String, Object> getUserApprovalRequest(AuthorizationRequest authorizationRequest, Authentication userAuthentication) {
    Map<String, Object> model = new HashMap<String, Object>();
    model.putAll(authorizationRequest.getRequestParameters());

    // Insertion-ordered so the approval page lists scopes in the order they were requested.
    Map<String, String> scopeFlags = new LinkedHashMap<String, String>();

    // Default every requested scope to "not approved"; stored approvals may flip it below.
    for (String requested : authorizationRequest.getScope()) {
        scopeFlags.put(scopePrefix + requested, "false");
    }

    // NOTE(review): no expiry check is done here for stored approvals; presumably
    // approvalStore.getApprovals already filters expired entries — confirm.
    String userName = userAuthentication.getName();
    String clientId = authorizationRequest.getClientId();
    for (Approval stored : approvalStore.getApprovals(userName, clientId)) {
        String approvedScope = stored.getScope();
        if (!authorizationRequest.getScope().contains(approvedScope)) {
            continue; // an approval for a scope not in this request is irrelevant here
        }
        String flag = (stored.getStatus() == ApprovalStatus.APPROVED) ? "true" : "false";
        scopeFlags.put(scopePrefix + approvedScope, flag);
    }

    model.put("scopes", scopeFlags);
    return model;
}
}
/**
 * Copies the identifying fields of an authorization request into a read-only map, so the
 * request can be compared or stored without keeping a reference to the mutable object.
 * Nested collections are defensively copied and wrapped as unmodifiable; {@code null}
 * collections are simply left out of the map.
 *
 * @param authorizationRequest the request to snapshot
 * @return an unmodifiable map keyed by the {@code OAuth2Utils} constants plus
 *         {@code "approved"}, {@code "resourceIds"} and {@code "authorities"}
 */
Map<String, Object> unmodifiableMap(AuthorizationRequest authorizationRequest) {
    Map<String, Object> snapshot = new HashMap<String, Object>();
    snapshot.put(OAuth2Utils.CLIENT_ID, authorizationRequest.getClientId());
    snapshot.put(OAuth2Utils.STATE, authorizationRequest.getState());
    snapshot.put(OAuth2Utils.REDIRECT_URI, authorizationRequest.getRedirectUri());

    if (authorizationRequest.getResponseTypes() != null) {
        HashSet<String> responseTypes = new HashSet<String>(authorizationRequest.getResponseTypes());
        snapshot.put(OAuth2Utils.RESPONSE_TYPE, Collections.unmodifiableSet(responseTypes));
    }
    if (authorizationRequest.getScope() != null) {
        HashSet<String> scopes = new HashSet<String>(authorizationRequest.getScope());
        snapshot.put(OAuth2Utils.SCOPE, Collections.unmodifiableSet(scopes));
    }

    snapshot.put("approved", authorizationRequest.isApproved());

    if (authorizationRequest.getResourceIds() != null) {
        HashSet<String> resourceIds = new HashSet<String>(authorizationRequest.getResourceIds());
        snapshot.put("resourceIds", Collections.unmodifiableSet(resourceIds));
    }
    if (authorizationRequest.getAuthorities() != null) {
        HashSet<GrantedAuthority> authorities = new HashSet<GrantedAuthority>(authorizationRequest.getAuthorities());
        snapshot.put("authorities", Collections.unmodifiableSet(authorities));
    }

    // The outer map is wrapped too, so callers cannot alter the snapshot after the fact.
    return Collections.unmodifiableMap(snapshot);
}
/**
 * Validates the scopes of an authorization request against the client's registered scopes.
 * The comparison itself is done by the set-based {@code validateScope} overload.
 *
 * @param authorizationRequest the request whose requested scope set is checked
 * @param client the client whose registered scope set bounds what may be requested
 * @throws InvalidScopeException propagated from the overload when a requested scope is not allowed
 */
@Override
public void validateScope(AuthorizationRequest authorizationRequest, ClientDetails client) throws InvalidScopeException {
    // Requested scopes come from the request, permitted scopes from the client registration.
    this.validateScope(authorizationRequest.getScope(), client.getScope());
}
/**
 * Derives a token request from an authorization request for the given grant type.
 * The request parameters, client id and scope set are handed over as-is; only the grant
 * type is supplied by the caller.
 *
 * NOTE(review): no scope validation happens here — presumably the caller has already run
 * {@code validateScope} on the authorization request; confirm at the call sites.
 *
 * @param authorizationRequest the source authorization request
 * @param grantType the grant type to record on the token request
 * @return a new {@link TokenRequest} built from the authorization request
 */
public TokenRequest createTokenRequest(AuthorizationRequest authorizationRequest, String grantType) {
    return new TokenRequest(
            authorizationRequest.getRequestParameters(),
            authorizationRequest.getClientId(),
            authorizationRequest.getScope(),
            grantType);
}
/**
 * Validates the scopes of an authorization request, choosing the reference set by grant type:
 * for {@code client_credentials} there is no resource owner, so the client's own authorities
 * (converted through {@code getAuthorities}) bound the scope; for every other grant the
 * client's registered scopes do. The boolean passed to the three-argument overload differs
 * between the two paths; its meaning is defined by that overload, which is outside this block.
 *
 * @param authorizationRequest the request whose scope set is checked
 * @param client the client registration supplying the reference scopes or authorities
 * @throws InvalidScopeException propagated from the overload when a requested scope is not allowed
 */
public void validateScope(AuthorizationRequest authorizationRequest, ClientDetails client) throws InvalidScopeException {
    // The constant is the receiver, so a missing grant_type parameter (null) is handled safely.
    String grantType = authorizationRequest.getRequestParameters().get(OAuth2Utils.GRANT_TYPE);
    boolean clientCredentialsGrant = GRANT_TYPE_CLIENT_CREDENTIALS.equalsIgnoreCase(grantType);

    if (clientCredentialsGrant) {
        validateScope(authorizationRequest.getScope(), getAuthorities(client.getAuthorities()), false);
        return;
    }
    validateScope(authorizationRequest.getScope(), client.getScope(), true);
}
authorizationRequest.getScope(), originalAuthorizationRequest.get(OAuth2Utils.SCOPE))) { return true;
/**
 * Copies the identifying fields of an authorization request into a plain map, so the request
 * can be compared or stored without keeping a reference to the object itself. Nested
 * collections are defensively copied and wrapped as unmodifiable; {@code null} collections
 * are left out of the map.
 *
 * NOTE(review): despite the name, the map returned here is a mutable {@link HashMap}; only the
 * nested sets are unmodifiable. Confirm whether any caller relies on adding entries to it.
 *
 * @param authorizationRequest the request to snapshot
 * @return a map keyed by the {@code OAuth2Utils} constants plus {@code "approved"},
 *         {@code "resourceIds"} and {@code "authorities"}
 */
Map<String, Object> unmodifiableMap(AuthorizationRequest authorizationRequest) {
    Map<String, Object> snapshot = new HashMap<>();
    snapshot.put(OAuth2Utils.CLIENT_ID, authorizationRequest.getClientId());
    snapshot.put(OAuth2Utils.STATE, authorizationRequest.getState());
    snapshot.put(OAuth2Utils.REDIRECT_URI, authorizationRequest.getRedirectUri());

    if (authorizationRequest.getResponseTypes() != null) {
        HashSet<String> responseTypes = new HashSet<>(authorizationRequest.getResponseTypes());
        snapshot.put(OAuth2Utils.RESPONSE_TYPE, Collections.unmodifiableSet(responseTypes));
    }
    if (authorizationRequest.getScope() != null) {
        HashSet<String> scopes = new HashSet<>(authorizationRequest.getScope());
        snapshot.put(OAuth2Utils.SCOPE, Collections.unmodifiableSet(scopes));
    }

    snapshot.put("approved", authorizationRequest.isApproved());

    if (authorizationRequest.getResourceIds() != null) {
        HashSet<String> resourceIds = new HashSet<>(authorizationRequest.getResourceIds());
        snapshot.put("resourceIds", Collections.unmodifiableSet(resourceIds));
    }
    if (authorizationRequest.getAuthorities() != null) {
        // Explicit type argument kept: the source is a wildcard collection of authorities.
        HashSet<GrantedAuthority> authorities = new HashSet<GrantedAuthority>(authorizationRequest.getAuthorities());
        snapshot.put("authorities", Collections.unmodifiableSet(authorities));
    }

    return snapshot;
}
Authentication userAuthentication) { Set<String> requestedScopes = authorizationRequest.getScope(); Set<String> approvedScopes = new HashSet<String>(); Set<Approval> approvals = new HashSet<Approval>();
Set<String> scopes = authorizationRequest.getScope(); if (clientDetailsService!=null) { try {
Collection<String> requestedScopes = authorizationRequest.getScope(); Set<String> approvedScopes = new HashSet<String>(); Set<String> validUserApprovedScopes = new HashSet<String>();
/**
 * Snapshots the identifying fields of an authorization request into a plain map. Nested
 * collections are defensively copied and wrapped as unmodifiable; {@code null} collections
 * produce no entry.
 *
 * NOTE(review): the returned map itself is a mutable {@link HashMap} even though the method
 * is named {@code unmodifiableMap}; confirm whether callers depend on mutating it before
 * tightening this.
 *
 * @param authorizationRequest the request to snapshot
 * @return a map keyed by the {@code OAuth2Utils} constants plus {@code "approved"},
 *         {@code "resourceIds"} and {@code "authorities"}
 */
Map<String, Object> unmodifiableMap(AuthorizationRequest authorizationRequest) {
    Map<String, Object> fields = new HashMap<>();

    // Scalar fields are stored directly (a null value is stored as null).
    fields.put(OAuth2Utils.CLIENT_ID, authorizationRequest.getClientId());
    fields.put(OAuth2Utils.STATE, authorizationRequest.getState());
    fields.put(OAuth2Utils.REDIRECT_URI, authorizationRequest.getRedirectUri());

    // Collection fields are copied and frozen only when present.
    if (authorizationRequest.getResponseTypes() != null) {
        fields.put(OAuth2Utils.RESPONSE_TYPE,
                Collections.unmodifiableSet(new HashSet<>(authorizationRequest.getResponseTypes())));
    }
    if (authorizationRequest.getScope() != null) {
        fields.put(OAuth2Utils.SCOPE,
                Collections.unmodifiableSet(new HashSet<>(authorizationRequest.getScope())));
    }

    fields.put("approved", authorizationRequest.isApproved());

    if (authorizationRequest.getResourceIds() != null) {
        fields.put("resourceIds",
                Collections.unmodifiableSet(new HashSet<String>(authorizationRequest.getResourceIds())));
    }
    if (authorizationRequest.getAuthorities() != null) {
        fields.put("authorities",
                Collections.unmodifiableSet(new HashSet<GrantedAuthority>(authorizationRequest.getAuthorities())));
    }

    return fields;
}
}
/**
 * Converts this request into an {@link OAuth2Request}, passing every field through verbatim.
 * No filtering of scopes, authorities or resource ids takes place here.
 *
 * @return a new {@link OAuth2Request} carrying the same parameters, client id, authorities,
 *         approval flag, scopes, resource ids, redirect URI, response types and extensions
 */
public OAuth2Request createOAuth2Request() {
    return new OAuth2Request(
            this.getRequestParameters(),
            this.getClientId(),
            this.getAuthorities(),
            this.isApproved(),
            this.getScope(),
            this.getResourceIds(),
            this.getRedirectUri(),
            this.getResponseTypes(),
            this.getExtensions());
}
if (clientDetailsService != null) { ClientDetails client = clientDetailsService.loadClientByClientId(clientId, IdentityZoneHolder.get().getId()); Collection<String> requestedScopes = authorizationRequest.getScope(); if (isAutoApprove(client, requestedScopes)) { approved = true;
/**
 * A client registered with no scopes yields an authorization request with an empty scope
 * set, even though the authenticated user holds authorities of its own.
 */
@Test
public void testEmptyScopeOkForClientWithNoScopes() {
    // Authenticated user carrying two authorities; none of them are on the client.
    SecurityContextAccessor userContext = new StubSecurityContextAccessor() {
        @Override
        public boolean isUser() {
            return true;
        }

        @Override
        public Collection<? extends GrantedAuthority> getAuthorities() {
            return AuthorityUtils.commaSeparatedStringToAuthorityList("foo.bar,spam.baz");
        }
    };
    factory.setSecurityContextAccessor(userContext);

    // Empty client scope registration.
    client.setScope(StringUtils.commaDelimitedListToSet(""));

    AuthorizationRequest created = factory.createAuthorizationRequest(parameters);

    // Comparing sorted copies keeps the assertion independent of set iteration order.
    assertEquals(StringUtils.commaDelimitedListToSet(""), new TreeSet<String>(created.getScope()));
}
/**
 * Requesting {@code openid} alongside a dotted scope keeps both scopes and, as the final
 * assertion shows, lists {@code openid} itself among the resource ids next to the prefix
 * derived from {@code foo.bar}.
 */
@Test
public void testOpenidScopeIncludeIsAResourceId() {
    SecurityContextAccessor userContext = new StubSecurityContextAccessor() {
        @Override
        public boolean isUser() {
            return true;
        }

        @Override
        public Collection<? extends GrantedAuthority> getAuthorities() {
            return AuthorityUtils.commaSeparatedStringToAuthorityList("foo.bar,spam.baz");
        }
    };

    // Explicit scope request; "openid" is also made a default group of the current zone.
    parameters.put("scope", "openid foo.bar");
    IdentityZoneHolder.get().getConfig().getUserConfig().setDefaultGroups(Arrays.asList("openid"));

    factory.setSecurityContextAccessor(userContext);
    client.setScope(StringUtils.commaDelimitedListToSet("openid,foo.bar"));

    AuthorizationRequest created = factory.createAuthorizationRequest(parameters);

    TreeSet<String> grantedScopes = new TreeSet<String>(created.getScope());
    TreeSet<String> resourceIds = new TreeSet<String>(created.getResourceIds());
    assertEquals(StringUtils.commaDelimitedListToSet("openid,foo.bar"), grantedScopes);
    assertEquals(StringUtils.commaDelimitedListToSet("openid,foo"), resourceIds);
}
/**
 * With no explicit scope parameter, the request's scope is the intersection of the client's
 * registered scopes and the user's authorities: only {@code foo.bar} survives here, and the
 * resulting parameters pass {@code validateParameters} for the client.
 */
@Test
public void testScopeIncludesAuthoritiesForUser() {
    SecurityContextAccessor userContext = new StubSecurityContextAccessor() {
        @Override
        public boolean isUser() {
            return true;
        }

        @Override
        public Collection<? extends GrantedAuthority> getAuthorities() {
            return AuthorityUtils.commaSeparatedStringToAuthorityList("foo.bar,spam.baz");
        }
    };
    factory.setSecurityContextAccessor(userContext);

    // "one" and "two" are registered on the client but not held by the user.
    client.setScope(StringUtils.commaDelimitedListToSet("one,two,foo.bar"));

    AuthorizationRequest created = factory.createAuthorizationRequest(parameters);

    TreeSet<String> grantedScopes = new TreeSet<String>(created.getScope());
    assertEquals(StringUtils.commaDelimitedListToSet("foo.bar"), grantedScopes);

    // Must not throw: the derived parameters are valid for this client.
    factory.validateParameters(created.getRequestParameters(), client);
}
/**
 * A wildcard client scope ({@code space.*.developer}) expands to exactly those user
 * authorities it matches; the non-matching {@code space.1.admin} is dropped, and the
 * resulting parameters pass {@code validateParameters} for the client.
 */
@Test
public void testWildcardScopesIncludesAuthoritiesForUser() {
    SecurityContextAccessor userContext = new StubSecurityContextAccessor() {
        @Override
        public boolean isUser() {
            return true;
        }

        @Override
        public Collection<? extends GrantedAuthority> getAuthorities() {
            return AuthorityUtils.commaSeparatedStringToAuthorityList(
                    "space.1.developer,space.2.developer,space.1.admin"
            );
        }
    };
    factory.setSecurityContextAccessor(userContext);

    // Single wildcard scope on the client.
    client.setScope(StringUtils.commaDelimitedListToSet("space.*.developer"));

    AuthorizationRequest created = factory.createAuthorizationRequest(parameters);

    TreeSet<String> grantedScopes = new TreeSet<String>(created.getScope());
    assertEquals(StringUtils.commaDelimitedListToSet("space.1.developer,space.2.developer"), grantedScopes);

    // Must not throw: the derived parameters are valid for this client.
    factory.validateParameters(created.getRequestParameters(), client);
}
/**
 * A request with an empty scope set is treated as approved regardless of which approvals
 * (one APPROVED, one DENIED) are stored for the user and client, and its scope set stays empty.
 */
@Test
public void testNoRequestedScopesButSomeApprovedScopes() {
    AuthorizationRequest request = new AuthorizationRequest("foo", new HashSet<String>());
    request.setApproved(false);

    // Both stored approvals expire a week from now, so neither is stale during the test.
    long sevenDaysMillis = 86400 * 7 * 1000;
    Date expiresNextWeek = new Date(System.currentTimeMillis() + sevenDaysMillis);
    String zoneId = IdentityZoneHolder.get().getId();

    Approval readApproved = new Approval()
            .setUserId(userAuthentication.getId())
            .setClientId("foo")
            .setScope("cloud_controller.read")
            .setExpiresAt(expiresNextWeek)
            .setStatus(APPROVED);
    approvalStore.addApproval(readApproved, zoneId);

    Approval writeDenied = new Approval()
            .setUserId(userAuthentication.getId())
            .setClientId("foo")
            .setScope("cloud_controller.write")
            .setExpiresAt(expiresNextWeek)
            .setStatus(DENIED);
    approvalStore.addApproval(writeDenied, zoneId);

    // Nothing was requested, so there is nothing left to approve: the request is approved as-is.
    assertTrue(handler.isApproved(request, userAuthentication));
    assertEquals(0, request.getScope().size());
}
assertEquals(new HashSet<>(Arrays.asList(new String[]{"openid"})), request.getScope());