if (client == null || client.getFlow() != Flow.AUTHORIZATION_CODE) {
OAuth2NormalizedResponse resp = new OAuth2NormalizedResponse();
resp.setError(ErrorType.INVALID_CLIENT.toString());
resp.setErrorDescription("Invalid client");
resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
throw new OAuth2Exception(resp);
}
OAuth2Code authCode = service.getAuthorizationCode(
servletRequest.getClientId(), servletRequest.getAuthorizationCode());
if (authCode == null) {
OAuth2NormalizedResponse response = new OAuth2NormalizedResponse();
response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
response.setError(ErrorType.INVALID_GRANT.toString());
response.setErrorDescription("Bad authorization code");
response.setBodyReturned(true);
throw new OAuth2Exception(response);
}
if (servletRequest.getRedirectURI() != null
&& !servletRequest.getRedirectURI().equals(authCode.getRedirectURI())) {
OAuth2NormalizedResponse response = new OAuth2NormalizedResponse();
response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
response.setError(ErrorType.INVALID_GRANT.toString());
response
.setErrorDescription("The redirect URI does not match the one used in the authorization request");
response.setBodyReturned(true);
throw new OAuth2Exception(response);
}
// ensure authorization code has not already been used
if (authCode.getRelatedAccessToken() != null) {
service.unregisterAccessToken(client.getId(), authCode
.getRelatedAccessToken().getValue());
OAuth2NormalizedResponse response = new OAuth2NormalizedResponse();
response.setStatus(HttpServletResponse.SC_FORBIDDEN);
response.setError(ErrorType.INVALID_GRANT.toString());
response
.setErrorDescription("The authorization code has already been used to generate an access token");
response.setBodyReturned(true);
throw new OAuth2Exception(response);
}
}