Package org.springframework.security.oauth2.common.exceptions

Examples of org.springframework.security.oauth2.common.exceptions.InvalidScopeException


  /**
   * Checks the requested scopes against the scopes registered for the client.
   *
   * <p>When the client has a non-empty scope set, every requested scope must be a member of it.
   * Independently of that, an empty request is always rejected.
   *
   * <p>NOTE(review): when {@code clientScopes} is {@code null} or empty, no per-scope check is
   * performed, so any non-empty set of requested scopes is accepted. Confirm that a client
   * registered without scopes is meant to be unrestricted rather than denied.
   *
   * @param requestScopes scopes asked for in the request; must not be {@code null}
   * @param clientScopes scopes the client is allowed to use; may be {@code null} or empty
   * @throws InvalidScopeException if a requested scope is not allowed for the client, or if no
   *         scope was requested at all
   */
  private void validateScope(Set<String> requestScopes, Set<String> clientScopes) {

    boolean clientRestrictsScopes = clientScopes != null && !clientScopes.isEmpty();
    if (clientRestrictsScopes) {
      for (String requested : requestScopes) {
        if (clientScopes.contains(requested)) {
          continue;
        }
        // First scope outside the client's registration aborts the whole request.
        throw new InvalidScopeException("Invalid scope: " + requested, clientScopes);
      }
    }

    if (!requestScopes.isEmpty()) {
      return;
    }
    throw new InvalidScopeException("Empty scope (either the client or the user is not allowed the requested scopes)");
  }


    OAuth2Authentication narrowed = authentication;
    if (scope != null && !scope.isEmpty()) {
      OAuth2Request clientAuth = authentication.getOAuth2Request();
      Set<String> originalScope = clientAuth.getScope();
      if (originalScope == null || !originalScope.containsAll(scope)) {
        throw new InvalidScopeException("Unable to narrow the scope of the client authentication to " + scope
            + ".", originalScope);
      }
      else {
        narrowed = new OAuth2Authentication(clientAuth.narrowScope(scope),
            authentication.getUserAuthentication());

    assertEquals(expected, getOutput());
  }

  /**
   * Writes an {@link InvalidScopeException} through the converter and checks that the captured
   * output equals the string returned by {@code createResponse} for the exception's OAuth2
   * error code.
   */
  @Test
  public void writeInvalidScope() throws Exception {
    OAuth2Exception invalidScope = new InvalidScopeException(DETAILS);
    String expectedBody = createResponse(invalidScope.getOAuth2ErrorCode());
    converter.write(invalidScope, contentType, outputMessage);
    String actualBody = getOutput();
    assertEquals(expectedBody, actualBody);
  }

  /**
   * Feeds the converter an error body built for {@code OAuth2Exception.INVALID_SCOPE} and reads
   * it back as an {@link OAuth2Exception}.
   *
   * <p>There is no explicit assertion: the cast to {@link InvalidScopeException} is the check,
   * and the test fails with a {@link ClassCastException} if another type is returned.
   */
  @Test
  public void readInvalidScope() throws Exception {
    // The string is an error response body, not a token.
    String errorBody = createResponse(OAuth2Exception.INVALID_SCOPE);
    when(inputMessage.getBody()).thenReturn(createInputStream(errorBody));
    @SuppressWarnings("unused")
    InvalidScopeException invalidScope =
        (InvalidScopeException) converter.read(OAuth2Exception.class, inputMessage);
  }

  }

  /**
   * Deserializes an error body built for {@code OAuth2Exception.INVALID_SCOPE} and checks that
   * the result is an {@link InvalidScopeException} whose message is {@code DETAILS} and whose
   * additional information is {@code null}.
   */
  @Test
  public void readValueInvalidScope() throws Exception {
    // The string is an error response body, not a token.
    String errorJson = createResponse(OAuth2Exception.INVALID_SCOPE);
    // The cast fails the test if the mapper picks a different exception subtype.
    InvalidScopeException invalidScope =
        (InvalidScopeException) mapper.readValue(errorJson, OAuth2Exception.class);
    assertEquals(DETAILS, invalidScope.getMessage());
    assertEquals(null, invalidScope.getAdditionalInformation());
  }

    assertEquals(expected,mapper.writeValueAsString(oauthException));
  }

  /**
   * Serializes an {@link InvalidScopeException} with the mapper and checks that the result equals
   * the string returned by {@code createResponse} for the exception's OAuth2 error code.
   */
  @Test
  public void writeValueAsStringInvalidScope() throws Exception {
    // oauthException is declared outside this method; it is assigned here, not declared.
    oauthException = new InvalidScopeException(DETAILS);
    String expectedJson = createResponse(oauthException.getOAuth2ErrorCode());
    String actualJson = mapper.writeValueAsString(oauthException);
    assertEquals(expectedJson, actualJson);
  }

  }

  /**
   * Reads an {@code OAuth2Exception.INVALID_SCOPE} error body through the mapper and verifies
   * the concrete type, the message ({@code DETAILS}) and the absence of additional information.
   */
  @Test
  public void readValueInvalidScope() throws Exception {
    String serializedError = createResponse(OAuth2Exception.INVALID_SCOPE);
    // A wrong subtype surfaces as a ClassCastException on this line.
    InvalidScopeException parsed =
        (InvalidScopeException) mapper.readValue(serializedError, OAuth2Exception.class);
    assertEquals(DETAILS, parsed.getMessage());
    assertEquals(null, parsed.getAdditionalInformation());
  }

      }
    });
    endpoint.setAuthorizationCodeServices(new StubAuthorizationCodeServices() {
      @Override
      public String createAuthorizationCode(OAuth2Authentication authentication) {
        throw new InvalidScopeException("FOO");
      }
    });
    ModelAndView result = endpoint.authorize(
        model,
        getAuthorizationRequest("foo", "http://anywhere.com", "mystate", "myscope",

  public OAuth2AccessTokenEntity refreshAccessToken(String refreshTokenValue, TokenRequest authRequest) throws AuthenticationException {

    OAuth2RefreshTokenEntity refreshToken = tokenRepository.getRefreshTokenByValue(refreshTokenValue);

    if (refreshToken == null) {
      throw new InvalidTokenException("Invalid refresh token: " + refreshTokenValue);
    }

    ClientDetailsEntity client = refreshToken.getClient();

    AuthenticationHolderEntity authHolder = refreshToken.getAuthenticationHolder();

    //Make sure this client allows access token refreshing
    if (!client.isAllowRefresh()) {
      throw new InvalidClientException("Client does not allow refreshing access token!");
    }

    // clear out any access tokens
    // TODO: make this a configurable option
    tokenRepository.clearAccessTokensForRefreshToken(refreshToken);

    if (refreshToken.isExpired()) {
      tokenRepository.removeRefreshToken(refreshToken);
      throw new InvalidTokenException("Expired refresh token: " + refreshTokenValue);
    }

    // TODO: have the option to recycle the refresh token here, too
    // for now, we just reuse it as long as it's valid, which is the original intent

  /**
   * Resolves the authentication associated with an access token value.
   *
   * <p>The token is looked up in {@code tokenRepository}. An unknown value is rejected. An expired
   * token is revoked through {@code revokeAccessToken} and then rejected.
   *
   * <p>NOTE(review): both exception messages embed the presented token value. If these messages
   * are logged or returned to the caller, bearer-token material ends up in logs or responses.
   * Confirm how {@link InvalidTokenException} messages are surfaced and consider omitting the value.
   *
   * @param accessTokenValue the token value presented by the caller
   * @return the authentication stored in the token's authentication holder
   * @throws InvalidTokenException if no token with this value exists or the token has expired
   */
  public OAuth2Authentication loadAuthentication(String accessTokenValue) throws AuthenticationException {

    final OAuth2AccessTokenEntity storedToken = tokenRepository.getAccessTokenByValue(accessTokenValue);

    if (storedToken == null) {
      throw new InvalidTokenException("Invalid access token: " + accessTokenValue);
    } else if (storedToken.isExpired()) {
      // Expired tokens are revoked before the caller is told about the expiry.
      revokeAccessToken(storedToken);
      throw new InvalidTokenException("Expired access token: " + accessTokenValue);
    }

    return storedToken.getAuthenticationHolder().getAuthentication();
  }
