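/**
 * Full constructor.
 *
 * <p>The mutable collection arguments {@code resourceIds} and {@code authorities} are
 * defensively copied, so later changes made by the caller cannot alter what this request
 * claims once it has been built; passing {@code null} for either leaves the field at its
 * existing value. {@code responseTypes} is stored as given.
 *
 * @param authorizationParameters raw request parameters, stored through {@code setRequestParameters}
 * @param approvalParameters not read by this constructor
 * @param clientId client identifier, stored through {@code setClientId}
 * @param scope requested scopes, stored through {@code setScope}
 * @param resourceIds resource ids the request targets; copied, may be {@code null}
 * @param authorities granted authorities; copied, may be {@code null}
 * @param approved whether the request has already been approved
 * @param state the OAuth {@code state} value
 * @param redirectUri the redirect URI
 * @param responseTypes requested response types; may be {@code null}
 */
public AuthorizationRequest(Map<String, String> authorizationParameters,
        Map<String, String> approvalParameters, String clientId, Set<String> scope,
        Set<String> resourceIds, Collection<? extends GrantedAuthority> authorities,
        boolean approved, String state, String redirectUri, Set<String> responseTypes) {
    setClientId(clientId);
    setRequestParameters(authorizationParameters); // in case we need to wrap the collection
    setScope(scope); // in case we need to parse
    if (resourceIds != null) {
        // Keep our own copy: the caller's set must not be able to change the resource ids
        // this request is later checked against.
        this.resourceIds = new HashSet<String>(resourceIds);
    }
    if (authorities != null) {
        this.authorities = new HashSet<GrantedAuthority>(authorities);
    }
    this.approved = approved;
    // The previous version re-assigned this.resourceIds = resourceIds at this point, which
    // threw away the defensive copy made above (and nulled the field when the argument was
    // null). That assignment has been removed on purpose.
    this.redirectUri = redirectUri;
    if (responseTypes != null) {
        this.responseTypes = responseTypes;
    }
    this.state = state;
}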
/**
 * Builds an {@link AuthorizationRequest} for the given client and scopes whose request
 * parameters carry the supplied grant type under {@code GRANT_TYPE}.
 *
 * @param clientId client the request is made for
 * @param grantType value stored as the {@code GRANT_TYPE} request parameter
 * @param scopes requested scopes
 * @return the populated request
 */
private AuthorizationRequest constructAuthorizationRequest(String clientId, String grantType, String... scopes) {
    AuthorizationRequest request = new AuthorizationRequest(clientId, Arrays.asList(scopes));
    // Work on a fresh copy of the parameters: the getter presumably returns a view that
    // should not be modified in place, so the map is rebuilt and set back as a whole.
    Map<String, String> parameters = new HashMap<>(request.getRequestParameters());
    parameters.put(GRANT_TYPE, grantType);
    request.setRequestParameters(parameters);
    return request;
}
}
/**
 * Builds a refresh-token {@link TokenRequest} for {@code CLIENT_ID} using the test's
 * requested scopes and resource ids. The supplied parameters form the base of the request
 * parameters; {@code GRANT_TYPE} is then forced to {@code GRANT_TYPE_REFRESH_TOKEN}.
 *
 * @param requestParameters base request parameters to start from
 * @return the token request produced by the test's request factory
 */
private TokenRequest getRefreshTokenRequest(Map<String, String> requestParameters) {
    AuthorizationRequest refreshRequest = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes);
    refreshRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds));
    refreshRequest.setRequestParameters(requestParameters);
    // Re-read the stored parameters, copy them, and override only the grant type.
    Map<String, String> parameters = new HashMap<>(refreshRequest.getRequestParameters());
    parameters.put(GRANT_TYPE, GRANT_TYPE_REFRESH_TOKEN);
    refreshRequest.setRequestParameters(parameters);
    return tokenSupport.requestFactory.createTokenRequest(refreshRequest, "refresh_token");
}
/**
 * Runs a password grant for {@code CLIENT_ID} with the test's default user authentication.
 *
 * @param tokenFormat value placed in the {@code REQUEST_TOKEN_FORMAT} parameter
 * @return the access token issued by {@code tokenServices}
 */
private OAuth2AccessToken performPasswordGrant(String tokenFormat) {
    AuthorizationRequest request = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes);
    request.setResourceIds(new HashSet<>(tokenSupport.resourceIds));
    Map<String, String> parameters = new HashMap<>(request.getRequestParameters());
    parameters.put(GRANT_TYPE, GRANT_TYPE_PASSWORD);
    parameters.put(REQUEST_TOKEN_FORMAT, tokenFormat);
    request.setRequestParameters(parameters);
    OAuth2Authentication authentication = new OAuth2Authentication(
            request.createOAuth2Request(), tokenSupport.defaultUserAuthentication);
    return tokenServices.createAccessToken(authentication);
}
/**
 * A client-credentials grant that asks for the opaque format yields a {@code CompositeToken}
 * whose value is at most 36 characters and which carries no refresh token.
 */
@Test
public void testCreateOpaqueAccessTokenForAClient() {
    AuthorizationRequest request = new AuthorizationRequest(CLIENT_ID, tokenSupport.clientScopes);
    request.setResourceIds(new HashSet<>(tokenSupport.resourceIds));
    Map<String, String> parameters = new HashMap<>(request.getRequestParameters());
    parameters.put(REQUEST_TOKEN_FORMAT, OPAQUE.getStringValue());
    parameters.put(GRANT_TYPE, GRANT_TYPE_CLIENT_CREDENTIALS);
    request.setRequestParameters(parameters);
    // Pure client grant: no user authentication is attached.
    OAuth2Authentication clientAuthentication = new OAuth2Authentication(request.createOAuth2Request(), null);
    OAuth2AccessToken token = tokenServices.createAccessToken(clientAuthentication);
    assertTrue("Token is not a composite token", token instanceof CompositeToken);
    assertThat("Token value should be equal to or lesser than 36 characters",
            token.getValue().length(), lessThanOrEqualTo(36));
    assertThat(token.getRefreshToken(), is(nullValue()));
}
/**
 * An {@code authorities} request parameter whose JSON carries an {@code az_attr} entry is
 * reported back by the check-token endpoint as the token's {@code az_attr} claim.
 */
@Test
public void testValidAuthorities() throws Exception {
    Map<String, String> attributes = new HashMap<>();
    attributes.put("external_group", "domain\\group1");
    attributes.put("external_id", "abcd1234");
    Map<String, Object> authoritiesPayload = new HashMap<>();
    authoritiesPayload.put("az_attr", attributes);
    Map<String, String> parameters = new HashMap<>();
    parameters.put("authorities", JsonUtils.writeValueAsString(authoritiesPayload));
    authorizationRequest.setRequestParameters(parameters);
    authentication = new OAuth2Authentication(authorizationRequest.createOAuth2Request(),
            UaaAuthenticationTestFactory.getAuthentication(userId, userName, "olds@vmware.com"));
    OAuth2AccessToken token = tokenServices.createAccessToken(authentication);
    Claims claims = endpoint.checkToken(token.getValue(), Collections.emptyList(), request);
    assertEquals(attributes, claims.getAzAttr());
}
/**
 * An {@code authorities} request parameter whose JSON has no {@code az_attr} entry (only an
 * unrelated key) leaves the token's {@code az_attr} claim unset.
 */
@Test
public void testEmptyAuthorities() throws Exception {
    Map<String, String> attributes = new HashMap<>();
    attributes.put("external_group", "domain\\group1");
    attributes.put("external_id", "abcd1234");
    Map<String, Object> authoritiesPayload = new HashMap<>();
    authoritiesPayload.put("any_attr", attributes);
    Map<String, String> parameters = new HashMap<>();
    parameters.put("authorities", JsonUtils.writeValueAsString(authoritiesPayload));
    authorizationRequest.setRequestParameters(parameters);
    authentication = new OAuth2Authentication(authorizationRequest.createOAuth2Request(),
            UaaAuthenticationTestFactory.getAuthentication(userId, userName, "olds@vmware.com"));
    OAuth2AccessToken token = tokenServices.createAccessToken(authentication);
    Claims claims = endpoint.checkToken(token.getValue(), Collections.emptyList(), request);
    assertNull(claims.getAzAttr());
}
}
/**
 * Scopes that are not known to the system are still carried on an implicit-grant token and
 * recorded in the emitted event; no refresh token is issued.
 */
@Test
public void testCreateAccessWithNonExistingScopes() {
    List<String> unknownScopes = Arrays.asList("scope1", "scope2");
    AuthorizationRequest request = new AuthorizationRequest(CLIENT_ID, unknownScopes);
    request.setResourceIds(new HashSet<>(tokenSupport.resourceIds));
    Map<String, String> parameters = new HashMap<>(request.getRequestParameters());
    parameters.put(GRANT_TYPE, GRANT_TYPE_IMPLICIT);
    request.setRequestParameters(parameters);
    OAuth2Authentication authentication = new OAuth2Authentication(
            request.createOAuth2Request(), tokenSupport.defaultUserAuthentication);
    OAuth2AccessToken token = tokenServices.createAccessToken(authentication);
    assertCommonUserAccessTokenProperties(token, CLIENT_ID);
    assertThat(token, issuerUri(is(ISSUER_URI)));
    assertThat(token, scope(is(unknownScopes)));
    assertThat(token, validFor(is(12 * 60 * 60)));
    assertThat(token.getRefreshToken(), is(nullValue()));
    assertCommonEventProperties(token, tokenSupport.userId, buildJsonString(unknownScopes));
}
/**
 * An implicit grant issues a 12-hour user access token with the common properties and no
 * refresh token, and records the requested scopes in the event.
 */
@Test
public void testCreateAccessTokenImplicitGrant() {
    AuthorizationRequest request = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes);
    request.setResourceIds(new HashSet<>(tokenSupport.resourceIds));
    Map<String, String> parameters = new HashMap<>(request.getRequestParameters());
    parameters.put(GRANT_TYPE, GRANT_TYPE_IMPLICIT);
    request.setRequestParameters(parameters);
    OAuth2Authentication authentication = new OAuth2Authentication(
            request.createOAuth2Request(), tokenSupport.defaultUserAuthentication);
    OAuth2AccessToken token = tokenServices.createAccessToken(authentication);
    assertCommonUserAccessTokenProperties(token, CLIENT_ID);
    assertThat(token, issuerUri(is(ISSUER_URI)));
    assertThat(token, validFor(is(12 * 60 * 60)));
    assertThat(token.getRefreshToken(), is(nullValue()));
    assertCommonEventProperties(token, tokenSupport.userId, buildJsonString(tokenSupport.requestedAuthScopes));
}
/** A user-token grant must be issued as an opaque token. */
@Test
public void isOpaqueTokenRequired() {
    AuthorizationRequest request = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes);
    Map<String, String> parameters = new HashMap<>(request.getRequestParameters());
    parameters.put(GRANT_TYPE, TokenConstants.GRANT_TYPE_USER_TOKEN);
    request.setRequestParameters(parameters);
    OAuth2Authentication authentication = new OAuth2Authentication(
            request.createOAuth2Request(), tokenSupport.defaultUserAuthentication);
    assertTrue(tokenServices.isOpaqueTokenRequired(authentication));
}
/**
 * A client-credentials grant issues a client token with the configured validity, issuer and
 * zone, external attributes, the expected event payload, and no refresh token.
 */
@Test
public void testCreateAccessTokenForAClient() {
    AuthorizationRequest request = new AuthorizationRequest(CLIENT_ID, tokenSupport.clientScopes);
    request.setResourceIds(new HashSet<>(tokenSupport.resourceIds));
    Map<String, String> parameters = new HashMap<>(request.getRequestParameters());
    parameters.put(GRANT_TYPE, GRANT_TYPE_CLIENT_CREDENTIALS);
    request.setRequestParameters(parameters);
    // Client grant: no user authentication.
    OAuth2Authentication clientAuthentication = new OAuth2Authentication(request.createOAuth2Request(), null);
    OAuth2AccessToken token = tokenServices.createAccessToken(clientAuthentication);
    assertCommonClientAccessTokenProperties(token);
    assertThat(token, validFor(is(tokenSupport.accessTokenValidity)));
    assertThat(token, issuerUri(is(ISSUER_URI)));
    assertThat(token, zoneId(is(IdentityZoneHolder.get().getId())));
    assertThat(token.getRefreshToken(), is(nullValue()));
    validateExternalAttributes(token);
    assertCommonEventProperties(token, CLIENT_ID, tokenSupport.expectedJson);
}
/**
 * Refreshing an authorization-code token when the required approvals are absent is rejected
 * with {@link InvalidTokenException}.
 */
@Test(expected = InvalidTokenException.class)
public void testRefreshTokenAfterApprovalsMissing2() {
    AuthorizationRequest codeRequest = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes);
    codeRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds));
    Map<String, String> codeParameters = new HashMap<>(codeRequest.getRequestParameters());
    codeParameters.put(GRANT_TYPE, GRANT_TYPE_AUTHORIZATION_CODE);
    codeRequest.setRequestParameters(codeParameters);
    OAuth2Authentication authentication = new OAuth2Authentication(
            codeRequest.createOAuth2Request(), tokenSupport.defaultUserAuthentication);
    OAuth2AccessToken token = tokenServices.createAccessToken(authentication);

    // Second request: same client and scopes, but as a refresh_token grant.
    AuthorizationRequest refreshRequest = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes);
    refreshRequest.setResourceIds(new HashSet<>(tokenSupport.resourceIds));
    Map<String, String> refreshParameters = new HashMap<>(refreshRequest.getRequestParameters());
    refreshParameters.put(GRANT_TYPE, GRANT_TYPE_REFRESH_TOKEN);
    refreshRequest.setRequestParameters(refreshParameters);
    TokenRequest tokenRequest = tokenSupport.requestFactory.createTokenRequest(refreshRequest, "refresh_token");
    tokenServices.refreshAccessToken(token.getRefreshToken().getValue(), tokenRequest);
}
/**
 * When the client declares a required user group the user does not hold, token creation is
 * refused with {@link InvalidTokenException} and the group-criteria message.
 */
@Test
public void test_missing_required_user_groups() {
    tokenSupport.defaultClient.addAdditionalInformation(REQUIRED_USER_GROUPS, Arrays.asList("uaa.admin"));
    AuthorizationRequest request = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes);
    request.setResourceIds(new HashSet<>(tokenSupport.resourceIds));
    Map<String, String> parameters = new HashMap<>(request.getRequestParameters());
    parameters.put(GRANT_TYPE, GRANT_TYPE_PASSWORD);
    request.setRequestParameters(parameters);
    OAuth2Authentication authentication = new OAuth2Authentication(
            request.createOAuth2Request(), tokenSupport.defaultUserAuthentication);
    // The expectation must be registered before the call that is supposed to throw.
    expectedException.expect(InvalidTokenException.class);
    expectedException.expectMessage("User does not meet the client's required group criteria.");
    tokenServices.createAccessToken(authentication);
}
/**
 * With {@code prompt=none} in the request parameters, the redirect URI built by the
 * authorization endpoint contains a {@code session_state} parameter.
 */
@Test
public void buildRedirectURI_includesSessionStateForPromptEqualsNone() {
    AuthorizationRequest request = new AuthorizationRequest();
    request.setRedirectUri("http://example.com/somepath");
    Map<String, String> parameters = new HashMap<>();
    parameters.put("prompt", "none");
    request.setRequestParameters(parameters);

    CompositeToken token = new CompositeToken("TOKEN_VALUE+=");
    UaaPrincipal principal = new UaaPrincipal("userid", "username", "email", "origin", "extid", "zoneid");
    UaaAuthenticationDetails details = new UaaAuthenticationDetails(true, "clientid", "origin", "SOMESESSIONID");
    Authentication user = new UaaAuthentication(principal, Collections.emptyList(), details);
    when(authorizationCodeServices.createAuthorizationCode(any())).thenReturn("ABCD");

    String redirect = uaaAuthorizationEndpoint.buildRedirectURI(request, token, user);
    assertThat(redirect, containsString("session_state=opbshash"));
}
/**
 * A client that lacks the refresh_token grant gets an access token only; no refresh token
 * is attached even for an authorization-code grant.
 */
@Test
public void testCreateAccessTokenOnlyForClientWithoutRefreshToken() {
    AuthorizationRequest request =
            new AuthorizationRequest(CLIENT_ID_NO_REFRESH_TOKEN_GRANT, tokenSupport.requestedAuthScopes);
    request.setResourceIds(new HashSet<>(tokenSupport.resourceIds));
    Map<String, String> parameters = new HashMap<>(request.getRequestParameters());
    parameters.put(GRANT_TYPE, GRANT_TYPE_AUTHORIZATION_CODE);
    request.setRequestParameters(parameters);
    OAuth2Authentication authentication = new OAuth2Authentication(
            request.createOAuth2Request(), tokenSupport.defaultUserAuthentication);
    OAuth2AccessToken token = tokenServices.createAccessToken(authentication);
    validateAccessTokenOnly(token, CLIENT_ID_NO_REFRESH_TOKEN_GRANT);
    assertNull(token.getRefreshToken());
}
/**
 * A JWT refresh token issued for a password grant carries no {@code scope} claim; the scopes
 * it was granted for appear under {@code granted_scopes} instead and match the access token's.
 */
@Test
public void createRefreshToken_JwtDoesNotContainScopeClaim() {
    AuthorizationRequest request = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes);
    Map<String, String> parameters = new HashMap<>(request.getRequestParameters());
    parameters.put(GRANT_TYPE, GRANT_TYPE_PASSWORD);
    parameters.put(REQUEST_TOKEN_FORMAT, JWT.toString());
    request.setRequestParameters(parameters);
    OAuth2Authentication authentication = new OAuth2Authentication(
            request.createOAuth2Request(), tokenSupport.defaultUserAuthentication);
    OAuth2AccessToken token = tokenServices.createAccessToken(authentication);

    String refreshTokenValue = token.getRefreshToken().getValue();
    assertNotNull(refreshTokenValue);
    Claims refreshClaims = getClaimsFromTokenString(refreshTokenValue);
    assertNotNull(refreshClaims);
    assertNull(refreshClaims.getScope());
    // containsInAnyOrder cannot compare a list against a set directly, hence the toArray().
    assertThat(refreshClaims.getGrantedScopes(), containsInAnyOrder(token.getScope().toArray()));
}
/**
 * A password grant issues both an access and a refresh token, and the access token can be
 * loaded back into an authentication even when the authorities, user_name and email claims
 * are excluded from it.
 */
@Test
public void testCreateAccessTokenPasswordGrant() {
    AuthorizationRequest request = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes);
    request.setResourceIds(new HashSet<>(tokenSupport.resourceIds));
    Map<String, String> parameters = new HashMap<>(request.getRequestParameters());
    parameters.put(GRANT_TYPE, GRANT_TYPE_PASSWORD);
    request.setRequestParameters(parameters);
    OAuth2Authentication authentication = new OAuth2Authentication(
            request.createOAuth2Request(), tokenSupport.defaultUserAuthentication);
    OAuth2AccessToken token = tokenServices.createAccessToken(authentication);
    validateAccessAndRefreshToken(token);
    tokenServices.loadAuthentication(token.getValue());

    // Ensure that loading still works without the user_name claim (and the other excluded ones).
    Set<String> excludedClaims = new HashSet<>(
            Arrays.asList(ClaimConstants.AUTHORITIES, ClaimConstants.USER_NAME, ClaimConstants.EMAIL));
    tokenServices.setExcludedClaims(excludedClaims);
    OAuth2AccessToken reducedToken = tokenServices.createAccessToken(authentication);
    assertNotNull(tokenServices.loadAuthentication(reducedToken.getValue()).getUserAuthentication());
}
/**
 * An authorization-code grant still yields a valid access/refresh token pair after the
 * token policy's active signing key has been switched to {@code otherKey}; the original key
 * id is restored afterwards regardless of outcome.
 */
@Test
public void testCreateAccessTokenAuthcodeGrantSwitchedPrimaryKey() {
    String previousKeyId = tokenSupport.tokenPolicy.getActiveKeyId();
    tokenSupport.tokenPolicy.setActiveKeyId("otherKey");
    try {
        AuthorizationRequest request = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes);
        request.setResourceIds(new HashSet<>(tokenSupport.resourceIds));
        Map<String, String> parameters = new HashMap<>(request.getRequestParameters());
        parameters.put(GRANT_TYPE, GRANT_TYPE_AUTHORIZATION_CODE);
        request.setRequestParameters(parameters);
        OAuth2Authentication authentication = new OAuth2Authentication(
                request.createOAuth2Request(), tokenSupport.defaultUserAuthentication);
        validateAccessAndRefreshToken(tokenServices.createAccessToken(authentication));
    } finally {
        // Never leave the shared token policy pointing at the test key.
        tokenSupport.tokenPolicy.setActiveKeyId(previousKeyId);
    }
}
/**
 * Loading the authentication back from a client-credentials token restores the client's
 * authorities, uses the client id as name and principal, and carries no details and no
 * user authentication.
 */
@Test
public void testLoadAuthenticationForAClient() {
    AuthorizationRequest request = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes);
    request.setResourceIds(new HashSet<>(tokenSupport.resourceIds));
    Map<String, String> parameters = new HashMap<>(request.getRequestParameters());
    parameters.put(GRANT_TYPE, GRANT_TYPE_CLIENT_CREDENTIALS);
    request.setRequestParameters(parameters);
    OAuth2Authentication clientAuthentication = new OAuth2Authentication(request.createOAuth2Request(), null);
    OAuth2AccessToken token = tokenServices.createAccessToken(clientAuthentication);

    OAuth2Authentication loaded = tokenServices.loadAuthentication(token.getValue());
    Object[] expectedAuthorities =
            AuthorityUtils.commaSeparatedStringToAuthorityList(CLIENT_AUTHORITIES).toArray();
    assertThat("Client authorities match.", loaded.getAuthorities(), containsInAnyOrder(expectedAuthorities));
    assertEquals(CLIENT_ID, loaded.getName());
    assertEquals(CLIENT_ID, loaded.getPrincipal());
    assertNull(loaded.getDetails());
    assertNull(loaded.getUserAuthentication());
}
/**
 * The stored value behind an opaque refresh token must not be accepted as an access token:
 * loading it is rejected with {@link InvalidTokenException} because it bears no
 * {@code scope} claim.
 */
@Test
public void loadAuthentication_when_given_an_opaque_refreshToken_should_throw_exception() {
    tokenSupport.defaultClient.setAutoApproveScopes(singleton("true"));
    AuthorizationRequest request = new AuthorizationRequest(CLIENT_ID, tokenSupport.requestedAuthScopes);
    request.setResourceIds(new HashSet<>(tokenSupport.resourceIds));
    Map<String, String> parameters = new HashMap<>(request.getRequestParameters());
    parameters.put(GRANT_TYPE, GRANT_TYPE_AUTHORIZATION_CODE);
    parameters.put(REQUEST_TOKEN_FORMAT, OPAQUE.getStringValue());
    request.setRequestParameters(parameters);
    OAuth2Authentication authentication = new OAuth2Authentication(
            request.createOAuth2Request(), tokenSupport.defaultUserAuthentication);
    OAuth2AccessToken compositeToken = tokenServices.createAccessToken(authentication);

    // Resolve the opaque refresh token to the value persisted for it in the current zone.
    String storedRefreshToken = tokenProvisioning
            .retrieve(compositeToken.getRefreshToken().getValue(), IdentityZoneHolder.get().getId())
            .getValue();
    expectedException.expect(InvalidTokenException.class);
    expectedException.expectMessage("The token does not bear a \"scope\" claim.");
    tokenServices.loadAuthentication(storedRefreshToken);
}