try {
OAuthMessage oAuthMessage =
OAuthUtils.getOAuthMessage(mc, request, REQUIRED_PARAMETERS);
new DefaultOAuthValidator().checkSingleParameter(oAuthMessage);
RequestToken token = dataProvider.getRequestToken(oAuthMessage.getToken());
if (token == null) {
throw new OAuthProblemException(OAuth.Problems.TOKEN_REJECTED);
}
String decision = oAuthMessage.getParameter(OAuthConstants.AUTHORIZATION_DECISION_KEY);
OAuthAuthorizationData secData = new OAuthAuthorizationData();
if (!compareRequestSessionTokens(request, oAuthMessage)) {
if (decision != null) {
// this is a user decision request, the session has expired or been possibly hijacked
LOG.warning("Session authenticity token is missing or invalid");
throw new BadRequestException();
}
// assume it is an initial authorization request
addAuthenticityTokenToSession(secData, request);
return Response.ok(
addAdditionalParams(secData, dataProvider, token)).build();
}
boolean allow = OAuthConstants.AUTHORIZATION_DECISION_ALLOW.equals(decision);
Map<String, String> queryParams = new HashMap<String, String>();
if (allow) {
SecurityContext sc = (SecurityContext)mc.get(SecurityContext.class.getName());
List<String> roleNames = Collections.emptyList();
if (sc instanceof LoginSecurityContext) {
roleNames = new ArrayList<String>();
Set<Principal> roles = ((LoginSecurityContext)sc).getUserRoles();
for (Principal p : roles) {
roleNames.add(p.getName());
}
}
token.setSubject(new UserSubject(sc.getUserPrincipal() == null
? null : sc.getUserPrincipal().getName(), roleNames));
AuthorizationInput input = new AuthorizationInput();
input.setToken(token);
Set<OAuthPermission> approvedScopesSet = new HashSet<OAuthPermission>();
List<OAuthPermission> originalScopes = token.getScopes();
for (OAuthPermission perm : originalScopes) {
String param = oAuthMessage.getParameter(perm.getPermission() + "_status");
if (param != null && OAuthConstants.AUTHORIZATION_DECISION_ALLOW.equals(param)) {
approvedScopesSet.add(perm);
}
}
List<OAuthPermission> approvedScopes = new LinkedList<OAuthPermission>(approvedScopesSet);
if (approvedScopes.isEmpty()) {
approvedScopes = originalScopes;
} else if (approvedScopes.size() < originalScopes.size()) {
for (OAuthPermission perm : originalScopes) {
if (perm.isDefault() && !approvedScopes.contains(perm)) {
approvedScopes.add(perm);
}
}
}
input.setApprovedScopes(approvedScopes);
String verifier = dataProvider.finalizeAuthorization(input);
queryParams.put(OAuth.OAUTH_VERIFIER, verifier);
} else {
dataProvider.removeToken(token);
}
queryParams.put(OAuth.OAUTH_TOKEN, token.getTokenKey());
if (token.getState() != null) {
queryParams.put(OAuthConstants.X_OAUTH_STATE, token.getState());
}
String callbackValue = getCallbackValue(token);
if (OAuthConstants.OAUTH_CALLBACK_OOB.equals(callbackValue)) {
OOBAuthorizationResponse bean = convertQueryParamsToOOB(queryParams);
return Response.ok().entity(bean).build();