Examples of org.springframework.security.oauth2.provider.approval.TokenApprovalStore

• org.springframework.security.oauth2.common.exceptions.InvalidClientException
  An {@link ApprovalStore} that works with an existing {@link TokenStore}, extracting implicit {@link Approval Approvals} from the content of tokens already in the store. Useful interface so that users can list and revokeapprovals even if they are not really represented in such a way internally. For full fine-grained control of user approvals don't use a TokenStore at all, and don't use this ApprovalStore with Approval-based {@link AuthorizationServerTokenServices} implementations. @author Dave Syer

        return false;
      }
      // create an OAuth2Authentication
      OAuth2Authentication auth = new OAuth2Authentication(createStoredRequest(tokenResponse), createAuthentication(tokenResponse));
      // create an OAuth2AccessToken
      OAuth2AccessToken token = createAccessToken(tokenResponse, accessToken);

      if (token.getExpiration().after(new Date())) {
        // Store them in the cache
        authCache.put(accessToken, new TokenCacheObject(token, auth));

        return true;
      }

//    String userJson = getRestTemplate().getForObject(getUrl("/v2/users/{guid}"), String.class, user);
//    Map<String, Object> userInfo = (Map<String, Object>) JsonUtil.convertJsonToMap(userJson);
//    return userInfo();
    //TODO: remove this temporary hack once the /v2/users/ uri can be accessed by mere mortals
    String userJson = "{}";
    OAuth2AccessToken accessToken = oauthClient.getToken();
    if (accessToken != null) {
      String tokenString = accessToken.getValue();
      int x = tokenString.indexOf('.');
      int y = tokenString.indexOf('.', x + 1);
      String encodedString = tokenString.substring(x + 1, y);
      try {
        byte[] decodedBytes = new sun.misc.BASE64Decoder().decodeBuffer(encodedString);

   * Retrieve Token from ~/.cf/tokens.yml
   *
   * @return token (String)
   */
  protected OAuth2AccessToken retrieveToken() throws MojoExecutionException {
    final OAuth2AccessToken token = tokensFile.retrieveToken(getTarget());

    if (token == null) {
      throw new MojoExecutionException(String.format("Can not authenticate to target '%s'. " +
          "Configure a username and password, or use the login goal.", getTarget().toString()));
    }

    super.execute();
  }

  @Override
  protected void doExecute() throws MojoExecutionException {
    final OAuth2AccessToken token = getClient().login();
    final CloudInfo cloudInfo = getClient().getCloudInfo();
    final CloudSpace space = getCurrentSpace();

    tokensFile.saveToken(getTarget(), token, cloudInfo, space);

    return token;
  }

  public String getAuthorizationHeader() {
    OAuth2AccessToken accessToken = getToken();
    if (accessToken != null) {
      return accessToken.getTokenType() + " " + accessToken.getValue();
    }
    return null;
  }

    this.allowRefresh = allowRefresh;
  }

  @Override
  public OAuth2AccessToken grant(String grantType, TokenRequest tokenRequest) {
    OAuth2AccessToken token = super.grant(grantType, tokenRequest);
    if (token != null) {
      DefaultOAuth2AccessToken norefresh = new DefaultOAuth2AccessToken(token);
      // The spec says that client credentials should not be allowed to get a refresh token
      if (!allowRefresh) {
        norefresh.setRefreshToken(null);

      builder.append(", scope=" + scopes);
      builder.append(" and username=" + userAuthentication.getName());
      logger.debug(builder.toString());
    }

    OAuth2AccessToken accessToken = tokenStore.getAccessToken(authentication);
    logger.debug("Existing access token=" + accessToken);
    if (accessToken != null && !accessToken.isExpired()) {
      logger.debug("User already approved with token=" + accessToken);
      // A token was already granted and is still valid, so this is already approved
      approved = true;
    }
    else {

        }

        ClientDetailsEntity client = clientDetailsService.loadClientByClientId(request.getClientId());

        if (client == null) {
          throw new InvalidClientException("Client not found: " + request.getClientId());
        }


        JWSAlgorithm alg = signedJwt.getHeader().getAlgorithm();

        if (client.getRequestObjectSigningAlg() == null ||
            !client.getRequestObjectSigningAlg().equals(alg)) {
          throw new InvalidClientException("Client's registered request object signing algorithm (" + client.getRequestObjectSigningAlg() + ") does not match request object's actual algorithm (" + alg.getName() + ")");
        }

        if (alg.equals(JWSAlgorithm.RS256)
            || alg.equals(JWSAlgorithm.RS384)
            || alg.equals(JWSAlgorithm.RS512)) {

          // it's RSA, need to find the JWK URI and fetch the key

          if (client.getJwksUri() == null) {
            throw new InvalidClientException("Client must have a JWKS URI registered to use signed request objects.");
          }

          // check JWT signature
          JwtSigningAndValidationService validator = validators.getValidator(client.getJwksUri());

          if (validator == null) {
            throw new InvalidClientException("Unable to create signature validator for client's JWKS URI: " + client.getJwksUri());
          }

          if (!validator.validateSignature(signedJwt)) {
            throw new InvalidClientException("Signature did not validate for presented JWT request object.");
          }
        } else if (alg.equals(JWSAlgorithm.HS256)
            || alg.equals(JWSAlgorithm.HS384)
            || alg.equals(JWSAlgorithm.HS512)) {

          // it's HMAC, we need to make a validator based on the client secret

          JwtSigningAndValidationService validator = symmetricCacheService.getSymmetricValidtor(client);

          if (validator == null) {
            throw new InvalidClientException("Unable to create signature validator for client's secret: " + client.getClientSecret());
          }

          if (!validator.validateSignature(signedJwt)) {
            throw new InvalidClientException("Signature did not validate for presented JWT request object.");
          }


        }


      } else if (jwt instanceof PlainJWT) {
        PlainJWT plainJwt = (PlainJWT)jwt;

        // need to check clientId first so that we can load the client to check other fields
        if (request.getClientId() == null) {
          request.setClientId(plainJwt.getJWTClaimsSet().getStringClaim("client_id"));
        }

        ClientDetailsEntity client = clientDetailsService.loadClientByClientId(request.getClientId());

        if (client == null) {
          throw new InvalidClientException("Client not found: " + request.getClientId());
        }

        if (client.getRequestObjectSigningAlg() == null) {
          throw new InvalidClientException("Client is not registered for unsigned request objects (no request_object_signing_alg registered)");
        } else if (!client.getRequestObjectSigningAlg().equals(Algorithm.NONE)) {
          throw new InvalidClientException("Client is not registered for unsigned request objects (request_object_signing_alg is " + client.getRequestObjectSigningAlg() +")");
        }

        // if we got here, we're OK, keep processing

      } else if (jwt instanceof EncryptedJWT) {

        EncryptedJWT encryptedJWT = (EncryptedJWT)jwt;

        // decrypt the jwt if we can

        encryptionService.decryptJwt(encryptedJWT);

        // TODO: what if the content is a signed JWT? (#525)

        if (!encryptedJWT.getState().equals(State.DECRYPTED)) {
          throw new InvalidClientException("Unable to decrypt the request object");
        }

        // need to check clientId first so that we can load the client to check other fields
        if (request.getClientId() == null) {
          request.setClientId(encryptedJWT.getJWTClaimsSet().getStringClaim("client_id"));
        }

        ClientDetailsEntity client = clientDetailsService.loadClientByClientId(request.getClientId());

        if (client == null) {
          throw new InvalidClientException("Client not found: " + request.getClientId());
        }


      }

    OAuth2AccessTokenEntity incomingToken = tokenServices.readAccessToken(incomingTokenValue);

    if (incomingToken.getScope().contains(SystemScopeService.ID_TOKEN_SCOPE)) {

      if (!client.getClientId().equals(tokenRequest.getClientId())) {
        throw new InvalidClientException("Not the right client for this token");
      }

      // it's an ID token, process it accordingly

      try {

        JWSAlgorithm alg = jws.getHeader().getAlgorithm();

        if (client.getTokenEndpointAuthSigningAlg() != null &&
            !client.getTokenEndpointAuthSigningAlg().equals(alg)) {
          throw new InvalidClientException("Client's registered request object signing algorithm (" + client.getRequestObjectSigningAlg() + ") does not match request object's actual algorithm (" + alg.getName() + ")");
        }

        if (client.getTokenEndpointAuthMethod() == null ||
            client.getTokenEndpointAuthMethod().equals(AuthMethod.NONE) ||
            client.getTokenEndpointAuthMethod().equals(AuthMethod.SECRET_BASIC) ||