throw new BadRequestException();
}
//TODO: additionally we can check that the Principal that got authenticated
// in startAuthorization is the same that got authenticated in completeAuthorization
Client client = getClient(params);
String redirectUri = validateRedirectUri(client, params.getFirst(OAuthConstants.REDIRECT_URI));
// Get the end user decision value
String decision = params.getFirst(OAuthConstants.AUTHORIZATION_DECISION_KEY);
boolean allow = OAuthConstants.AUTHORIZATION_DECISION_ALLOW.equals(decision);
// Return the error if denied
if (!allow) {
return createErrorResponse(params, redirectUri, OAuthConstants.ACCESS_DENIED);
}
// Check if the end user may have had a chance to down-scope the requested scopes
List<String> requestedScope = OAuthUtils.parseScope(params.getFirst(OAuthConstants.SCOPE));
List<String> approvedScope = new LinkedList<String>();
for (String rScope : requestedScope) {
String param = params.getFirst(rScope + "_status");
if (param != null && OAuthConstants.AUTHORIZATION_DECISION_ALLOW.equals(param)) {
approvedScope.add(rScope);
}
}
if (!requestedScope.containsAll(approvedScope)
|| !OAuthUtils.validateScopes(requestedScope, client.getRegisteredScopes(),
partialMatchScopeValidation)) {
return createErrorResponse(params, redirectUri, OAuthConstants.INVALID_SCOPE);
}
UserSubject userSubject = createUserSubject(securityContext);