Package org.springframework.security.oauth2.provider

Examples of org.springframework.security.oauth2.provider.AuthorizationRequest


        // set the scope of the new access token if requested
        token.setScope(scope);
      } else {
        String errorMsg = "Up-scoping is not allowed.";
        logger.error(errorMsg);
        throw new InvalidScopeException(errorMsg);
      }
    } else {
      // otherwise inherit the scope of the refresh token (if it's there -- this can return a null scope set)
      token.setScope(refreshScopes);
    }


  public OAuth2AccessTokenEntity refreshAccessToken(String refreshTokenValue, TokenRequest authRequest) throws AuthenticationException {

    OAuth2RefreshTokenEntity refreshToken = tokenRepository.getRefreshTokenByValue(refreshTokenValue);

    if (refreshToken == null) {
      throw new InvalidTokenException("Invalid refresh token: " + refreshTokenValue);
    }

    ClientDetailsEntity client = refreshToken.getClient();

    AuthenticationHolderEntity authHolder = refreshToken.getAuthenticationHolder();

    //Make sure this client allows access token refreshing
    if (!client.isAllowRefresh()) {
      throw new InvalidClientException("Client does not allow refreshing access token!");
    }

    // clear out any access tokens
    // TODO: make this a configurable option
    tokenRepository.clearAccessTokensForRefreshToken(refreshToken);

    if (refreshToken.isExpired()) {
      tokenRepository.removeRefreshToken(refreshToken);
      throw new InvalidTokenException("Expired refresh token: " + refreshTokenValue);
    }

    // TODO: have the option to recycle the refresh token here, too
    // for now, we just reuse it as long as it's valid, which is the original intent

  @Override
  public AuthorizationRequest createAuthorizationRequest(Map<String, String> inputParams) {

    // The core OAuth2 fields are lifted straight out of the raw parameter map. The map
    // itself is stored on the request unchanged; values the base request type does not
    // model (prompt, nonce, claims, max_age, request) are carried in the extensions map
    // so that downstream filters and endpoints can read them back.
    AuthorizationRequest request = new AuthorizationRequest(inputParams, Collections.<String, String> emptyMap(),
        inputParams.get(OAuth2Utils.CLIENT_ID),
        OAuth2Utils.parseParameterList(inputParams.get(OAuth2Utils.SCOPE)),
        null, null, false,
        inputParams.get(OAuth2Utils.STATE),
        inputParams.get(OAuth2Utils.REDIRECT_URI),
        OAuth2Utils.parseParameterList(inputParams.get(OAuth2Utils.RESPONSE_TYPE)));

    // Pass-through extensions are copied verbatim, so they are still untrusted strings
    // at this point (in particular, max_age is not checked to be numeric here; whoever
    // parses it later has to cope with a malformed value).
    copyParamToExtensions(inputParams, request, "prompt");
    copyParamToExtensions(inputParams, request, "nonce");

    if (inputParams.containsKey("claims")) {
      JsonObject parsedClaims = parseClaimRequest(inputParams.get("claims"));
      // parseClaimRequest is defined elsewhere; a null result (presumably unparseable
      // input) drops the claims parameter instead of failing the whole request.
      if (parsedClaims != null) {
        request.getExtensions().put("claims", parsedClaims.toString());
      }
    }

    copyParamToExtensions(inputParams, request, "max_age");

    if (inputParams.containsKey("request")) {
      String requestObject = inputParams.get("request");
      request.getExtensions().put("request", requestObject);
      // processRequestObject is defined elsewhere and receives the partially built
      // request; NOTE(review): what it may overwrite on the request is not visible here.
      processRequestObject(requestObject, request);
    }

    applyClientDefaults(request);

    // Fresh per-request CSRF token, attached on first parse. UUID.randomUUID() is
    // specified by the JDK to use a cryptographically strong random number generator.
    request.getExtensions().put("csrf", UUID.randomUUID().toString());

    return request;
  }

  /**
   * Copies {@code key} from the raw parameter map into the request's extensions map
   * when the map contains that key (a present-but-null value is copied as null).
   *
   * @param inputParams raw request parameters
   * @param request the request whose extensions map receives the value
   * @param key the parameter name to copy
   */
  private static void copyParamToExtensions(Map<String, String> inputParams, AuthorizationRequest request,
      String key) {
    if (inputParams.containsKey(key)) {
      request.getExtensions().put(key, inputParams.get(key));
    }
  }

  /**
   * Fills in scope and max_age from the registered client when the request did not
   * supply them. A failed client lookup is logged and otherwise ignored: the request is
   * left with whatever it already carries, so the client id still has to be validated
   * by whoever consumes the request. Does nothing when the request has no client id.
   *
   * @param request the request to complete in place
   */
  private void applyClientDefaults(AuthorizationRequest request) {
    if (request.getClientId() == null) {
      return;
    }
    try {
      ClientDetailsEntity client = clientDetailsService.loadClientByClientId(request.getClientId());

      // An absent or empty requested scope falls back to the client's registered scope.
      Set<String> requestedScopes = request.getScope();
      if (requestedScopes == null || requestedScopes.isEmpty()) {
        request.setScope(client.getScope());
      }

      // The client's default max_age only applies when the request did not send one
      // (and nothing earlier filled it in).
      if (request.getExtensions().get("max_age") == null) {
        Integer defaultMaxAge = client.getDefaultMaxAge();
        if (defaultMaxAge != null) {
          request.getExtensions().put("max_age", defaultMaxAge.toString());
        }
      }
    } catch (OAuth2Exception e) {
      logger.error("Caught OAuth2 exception trying to test client scopes and max age:", e);
    }
  }

      chain.doFilter(req, res);
      return;
    }

    // we have to create our own auth request in order to get at all the parmeters appropriately
    AuthorizationRequest authRequest = authRequestFactory.createAuthorizationRequest(createRequestMap(request.getParameterMap()));

    ClientDetailsEntity client = null;

    try {
      client = clientService.loadClientByClientId(authRequest.getClientId());
    } catch (InvalidClientException e) {
      // no need to worry about this here, it would be caught elsewhere
    } catch (IllegalArgumentException e) {
      // no need to worry about this here, it would be caught elsewhere
    }

    if (authRequest.getExtensions().get("prompt") != null) {
      // we have a "prompt" parameter
      String prompt = (String)authRequest.getExtensions().get("prompt");
      List<String> prompts = Splitter.on(" ").splitToList(Strings.nullToEmpty(prompt));

      if (prompts.contains("none")) {
        logger.info("Client requested no prompt");
        // see if the user's logged in
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();

        if (auth != null) {
          // user's been logged in already (by session management)
          // we're OK, continue without prompting
          chain.doFilter(req, res);
        } else {
          // user hasn't been logged in, we need to "return an error"
          logger.info("User not logged in, no prompt requested, returning 403 from filter");
          response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access Denied");
          return;
        }
      } else if (prompts.contains("login")) {

        // first see if the user's already been prompted in this session
        HttpSession session = request.getSession();
        if (session.getAttribute(PROMPTED) == null) {
          // user hasn't been PROMPTED yet, we need to check

          session.setAttribute(PROMPT_REQUESTED, Boolean.TRUE);

          // see if the user's logged in
          Authentication auth = SecurityContextHolder.getContext().getAuthentication();
          if (auth != null) {
            // user's been logged in already (by session management)
            // log them out and continue
            SecurityContextHolder.getContext().setAuthentication(null);
            chain.doFilter(req, res);
          } else {
            // user hasn't been logged in yet, we can keep going since we'll get there
            chain.doFilter(req, res);
          }
        } else {
          // user has been PROMPTED, we're fine

          // but first, undo the prompt tag
          session.removeAttribute(PROMPTED);
          chain.doFilter(req, res);
        }
      } else {
        // prompt parameter is a value we don't care about, not our business
        chain.doFilter(req, res);
      }

    } else if (authRequest.getExtensions().get("max_age") != null ||
        (client != null && client.getDefaultMaxAge() != null)) {

      // default to the client's stored value, check the string parameter
      Integer max = (client != null ? client.getDefaultMaxAge() : null);
      String maxAge = (String) authRequest.getExtensions().get("max_age");
      if (maxAge != null) {
        max = Integer.parseInt(maxAge);
      }

      if (max != null) {

              "No client authentication found. Remember to put a filter upstream of the TokenEndpointAuthenticationFilter.");
        }
       
        Map<String, String> map = getSingleValueMap(request);
        map.put(OAuth2Utils.CLIENT_ID, clientAuth.getName());
        AuthorizationRequest authorizationRequest = oAuth2RequestFactory.createAuthorizationRequest(map);

        authorizationRequest.setScope(getScope(request));
        if (clientAuth.isAuthenticated()) {
          // Ensure the OAuth2Authentication is authenticated
          authorizationRequest.setApproved(true);
        }

        OAuth2Request storedOAuth2Request = oAuth2RequestFactory.createOAuth2Request(authorizationRequest);
       
        SecurityContextHolder.getContext().setAuthentication(

    Set<String> responseTypes = OAuth2Utils.parseParameterList(authorizationParameters
        .get(OAuth2Utils.RESPONSE_TYPE));

    Set<String> scopes = extractScopes(authorizationParameters, clientId);
   
    AuthorizationRequest request = new AuthorizationRequest(authorizationParameters,
        Collections.<String, String> emptyMap(), clientId, scopes, null, null, false, state, redirectUri,
        responseTypes);

    ClientDetails clientDetails = clientDetailsService.loadClientByClientId(clientId);   
    request.setResourceIdsAndAuthoritiesFromClientDetails(clientDetails);

    return request;

  }

      SessionStatus sessionStatus, Principal principal) {

    // Pull out the authorization request first, using the OAuth2RequestFactory. All further logic should
    // query off of the authorization request instead of referring back to the parameters map. The contents of the
    // parameters map will be stored without change in the AuthorizationRequest object once it is created.
    AuthorizationRequest authorizationRequest = getOAuth2RequestFactory().createAuthorizationRequest(parameters);

    Set<String> responseTypes = authorizationRequest.getResponseTypes();

    if (!responseTypes.contains("token") && !responseTypes.contains("code")) {
      throw new UnsupportedResponseTypeException("Unsupported response types: " + responseTypes);
    }

    if (authorizationRequest.getClientId() == null) {
      throw new InvalidClientException("A client id must be provided");
    }

    try {

      if (!(principal instanceof Authentication) || !((Authentication) principal).isAuthenticated()) {
        throw new InsufficientAuthenticationException(
            "User must be authenticated with Spring Security before authorization can be completed.");
      }

      ClientDetails client = getClientDetailsService().loadClientByClientId(authorizationRequest.getClientId());

      // The resolved redirect URI is either the redirect_uri from the parameters or the one from
      // clientDetails. Either way we need to store it on the AuthorizationRequest.
      String redirectUriParameter = authorizationRequest.getRequestParameters().get(OAuth2Utils.REDIRECT_URI);
      String resolvedRedirect = redirectResolver.resolveRedirect(redirectUriParameter, client);
      if (!StringUtils.hasText(resolvedRedirect)) {
        throw new RedirectMismatchException(
            "A redirectUri must be either supplied or preconfigured in the ClientDetails");
      }
      authorizationRequest.setRedirectUri(resolvedRedirect);

      // We intentionally only validate the parameters requested by the client (ignoring any data that may have
      // been added to the request by the manager).
      oauth2RequestValidator.validateScope(authorizationRequest, client);

      // Some systems may allow for approval decisions to be remembered or approved by default. Check for
      // such logic here, and set the approved flag on the authorization request accordingly.
      authorizationRequest = userApprovalHandler.checkForPreApproval(authorizationRequest,
          (Authentication) principal);
      // TODO: is this call necessary?
      boolean approved = userApprovalHandler.isApproved(authorizationRequest, (Authentication) principal);
      authorizationRequest.setApproved(approved);

      // Validation is all done, so we can check for auto approval...
      if (authorizationRequest.isApproved()) {
        if (responseTypes.contains("token")) {
          return getImplicitGrantResponse(authorizationRequest);
        }
        if (responseTypes.contains("code")) {
          return new ModelAndView(getAuthorizationCodeResponse(authorizationRequest,

      sessionStatus.setComplete();
      throw new InsufficientAuthenticationException(
          "User must be authenticated with Spring Security before authorizing an access token.");
    }

    AuthorizationRequest authorizationRequest = (AuthorizationRequest) model.get("authorizationRequest");

    if (authorizationRequest == null) {
      sessionStatus.setComplete();
      throw new InvalidRequestException("Cannot approve uninitialized authorization request.");
    }

    try {
      Set<String> responseTypes = authorizationRequest.getResponseTypes();

      authorizationRequest.setApprovalParameters(approvalParameters);
      authorizationRequest = userApprovalHandler.updateAfterApproval(authorizationRequest,
          (Authentication) principal);
      boolean approved = userApprovalHandler.isApproved(authorizationRequest, (Authentication) principal);
      authorizationRequest.setApproved(approved);

      if (authorizationRequest.getRedirectUri() == null) {
        sessionStatus.setComplete();
        throw new InvalidRequestException("Cannot approve request when no redirect URI is provided.");
      }

      if (!authorizationRequest.isApproved()) {
        return new RedirectView(getUnsuccessfulRedirect(authorizationRequest,
            new UserDeniedAuthorizationException("User denied access"), responseTypes.contains("token")),
            false, true, false);
      }

    if (e instanceof ClientAuthenticationException || e instanceof RedirectMismatchException) {
      return new ModelAndView(errorPage, Collections.singletonMap("error", translate.getBody()));
    }

    AuthorizationRequest authorizationRequest = null;
    try {
      authorizationRequest = getAuthorizationRequestForError(webRequest);
      String requestedRedirectParam = authorizationRequest.getRequestParameters().get(OAuth2Utils.REDIRECT_URI);
      String requestedRedirect = redirectResolver.resolveRedirect(requestedRedirectParam,
          getClientDetailsService().loadClientByClientId(authorizationRequest.getClientId()));
      authorizationRequest.setRedirectUri(requestedRedirect);
      String redirect = getUnsuccessfulRedirect(authorizationRequest, translate.getBody(), authorizationRequest
          .getResponseTypes().contains("token"));
      return new ModelAndView(new RedirectView(redirect, false, true, false));
    }
    catch (OAuth2Exception ex) {
      // If an AuthorizationRequest cannot be created from the incoming parameters it must be

  }

  private AuthorizationRequest getAuthorizationRequestForError(ServletWebRequest webRequest) {

    // If it's already there then we are in the approveOrDeny phase and we can use the saved request
    AuthorizationRequest authorizationRequest = (AuthorizationRequest) sessionAttributeStore.retrieveAttribute(
        webRequest, "authorizationRequest");
    if (authorizationRequest != null) {
      return authorizationRequest;
    }


