
Examples of


        ClientDetailsEntity client = clientDetailsService.loadClientByClientId(request.getClientId());

        if (client == null) {
          throw new InvalidClientException("Client not found: " + request.getClientId());

        JWSAlgorithm alg = signedJwt.getHeader().getAlgorithm();

        if (client.getRequestObjectSigningAlg() == null ||
            !client.getRequestObjectSigningAlg().equals(alg)) {
          throw new InvalidClientException("Client's registered request object signing algorithm (" + client.getRequestObjectSigningAlg() + ") does not match request object's actual algorithm (" + alg.getName() + ")");

        if (alg.equals(JWSAlgorithm.RS256)
            || alg.equals(JWSAlgorithm.RS384)
            || alg.equals(JWSAlgorithm.RS512)) {

          // it's RSA, need to find the JWK URI and fetch the key

          if (client.getJwksUri() == null) {
            throw new InvalidClientException("Client must have a JWKS URI registered to use signed request objects.");

          // check JWT signature
          JwtSigningAndValidationService validator = validators.getValidator(client.getJwksUri());

          if (validator == null) {
            throw new InvalidClientException("Unable to create signature validator for client's JWKS URI: " + client.getJwksUri());

          if (!validator.validateSignature(signedJwt)) {
            throw new InvalidClientException("Signature did not validate for presented JWT request object.");
        } else if (alg.equals(JWSAlgorithm.HS256)
            || alg.equals(JWSAlgorithm.HS384)
            || alg.equals(JWSAlgorithm.HS512)) {

          // it's HMAC, we need to make a validator based on the client secret

          JwtSigningAndValidationService validator = symmetricCacheService.getSymmetricValidtor(client);

          if (validator == null) {
            throw new InvalidClientException("Unable to create signature validator for client's secret: " + client.getClientSecret());

          if (!validator.validateSignature(signedJwt)) {
            throw new InvalidClientException("Signature did not validate for presented JWT request object.");


      } else if (jwt instanceof PlainJWT) {
        PlainJWT plainJwt = (PlainJWT)jwt;

        // need to check clientId first so that we can load the client to check other fields
        if (request.getClientId() == null) {

        ClientDetailsEntity client = clientDetailsService.loadClientByClientId(request.getClientId());

        if (client == null) {
          throw new InvalidClientException("Client not found: " + request.getClientId());

        if (client.getRequestObjectSigningAlg() == null) {
          throw new InvalidClientException("Client is not registered for unsigned request objects (no request_object_signing_alg registered)");
        } else if (!client.getRequestObjectSigningAlg().equals(Algorithm.NONE)) {
          throw new InvalidClientException("Client is not registered for unsigned request objects (request_object_signing_alg is " + client.getRequestObjectSigningAlg() +")");

        // if we got here, we're OK, keep processing

      } else if (jwt instanceof EncryptedJWT) {

        EncryptedJWT encryptedJWT = (EncryptedJWT)jwt;

        // decrypt the jwt if we can


        // TODO: what if the content is a signed JWT? (#525)

        if (!encryptedJWT.getState().equals(State.DECRYPTED)) {
          throw new InvalidClientException("Unable to decrypt the request object");

        // need to check clientId first so that we can load the client to check other fields
        if (request.getClientId() == null) {

        ClientDetailsEntity client = clientDetailsService.loadClientByClientId(request.getClientId());

        if (client == null) {
          throw new InvalidClientException("Client not found: " + request.getClientId());


    OAuth2AccessTokenEntity incomingToken = tokenServices.readAccessToken(incomingTokenValue);

    if (incomingToken.getScope().contains(SystemScopeService.ID_TOKEN_SCOPE)) {

      if (!client.getClientId().equals(tokenRequest.getClientId())) {
        throw new InvalidClientException("Not the right client for this token");

      // it's an ID token, process it accordingly

      try {

        JWSAlgorithm alg = jws.getHeader().getAlgorithm();

        if (client.getTokenEndpointAuthSigningAlg() != null &&
            !client.getTokenEndpointAuthSigningAlg().equals(alg)) {
          throw new InvalidClientException("Client's registered request object signing algorithm (" + client.getRequestObjectSigningAlg() + ") does not match request object's actual algorithm (" + alg.getName() + ")");

        if (client.getTokenEndpointAuthMethod() == null ||
            client.getTokenEndpointAuthMethod().equals(AuthMethod.NONE) ||
            client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_BASIC) ||

      OAuth2Request clientAuth = authentication.getOAuth2Request();

      ClientDetailsEntity client = clientDetailsService.loadClientByClientId(clientAuth.getClientId());

      if (client == null) {
        throw new InvalidClientException("Client not found: " + clientAuth.getClientId());

      OAuth2AccessTokenEntity token = new OAuth2AccessTokenEntity();//accessTokenFactory.createNewAccessToken();

      // attach the client

    AuthenticationHolderEntity authHolder = refreshToken.getAuthenticationHolder();

    //Make sure this client allows access token refreshing
    if (!client.isAllowRefresh()) {
      throw new InvalidClientException("Client does not allow refreshing access token!");

    // clear out any access tokens
    // TODO: make this a configurable option

  public ClientDetailsEntity loadClientByClientId(String clientId) throws OAuth2Exception, InvalidClientException, IllegalArgumentException {
    if (!Strings.isNullOrEmpty(clientId)) {
      ClientDetailsEntity client = clientRepository.getClientByClientId(clientId);
      if (client == null) {
        throw new InvalidClientException("Client with id " + clientId + " was not found");
      else {
        return client;

  public void deleteClient(ClientDetailsEntity client) throws InvalidClientException {

    if (clientRepository.getById(client.getId()) == null) {
      throw new InvalidClientException("Client with id " + client.getClientId() + " was not found");

    // clean out any tokens that this client had issued

    query.setParameter("code", code);

    AuthorizationCodeEntity result = JpaUtil.getSingleResult(query.getResultList());

    if (result == null) {
      throw new InvalidGrantException("JpaAuthorizationCodeRepository: no authorization code found for value " + code);

    OAuth2Authentication authRequest = result.getAuthentication();


  public String resolveRedirect(String requestedRedirect, ClientDetails client) throws OAuth2Exception {

    Set<String> authorizedGrantTypes = client.getAuthorizedGrantTypes();
    if (authorizedGrantTypes.isEmpty()) {
      throw new InvalidGrantException("A client must have at least one authorized grant type.");
    if (!containsRedirectGrantType(authorizedGrantTypes)) {
      throw new InvalidGrantException(
          "A redirect_uri can only be used by implicit or authorization_code grant types.");

    Set<String> redirectUris = client.getRegisteredRedirectUri();

  public String resolveRedirect(String requestedRedirect, ClientDetails client) throws OAuth2Exception {
    String redirect = super.resolveRedirect(requestedRedirect, client);
    if (blacklistService.isBlacklisted(redirect)) {
      // don't let it go through
      throw new InvalidRequestException("The supplied redirect_uri is not allowed on this server.");
    } else {
      // not blacklisted, passed the parent test, we're fine
      return redirect;


Related Classes of

Copyright © 2018 www.massapicom. All rights reserved.
All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact