/**
 * Issues an access token for the resource owner password credentials
 * grant.
 *
 * Third party apps must not be allowed to use password grant.
 * MH: password grant is only allowed for trusted clients (korap
 * frontend), so any authenticated client that is not a super client
 * is rejected with UNAUTHORIZED_CLIENT.
 *
 * According to RFC 6749, client authentication is only required
 * for confidential clients and whenever client credentials are
 * provided. Moreover, client_id is optional for password grant,
 * but without it, the authentication server cannot check the
 * client type. To make sure that confidential clients
 * authenticate, client_id is made required (similar to
 * authorization code grant).
 *
 * TODO: FORCE client secret. This method itself does not check that
 * client_secret is present; what happens with a missing secret is
 * decided by {@code clientService.authenticateClient}.
 *
 * @param clientId
 *            client_id, required
 * @param clientSecret
 *            client_secret, required if client_secret was issued
 *            for the client in client registration.
 * @param username
 *            username, required
 * @param password
 *            password, required
 * @param scopes
 *            authorization scopes, optional; when null or empty the
 *            single scope "all" is used (the caller's set is never
 *            modified)
 * @return an {@link OAuthResponse}
 * @throws KustvaktException
 *             if the authenticated client is not a super client, or
 *             as propagated from client/user authentication
 * @throws OAuthSystemException
 */
private OAuthResponse requestAccessTokenWithPassword(String clientId, String clientSecret, String username, String password, Set<String> scopes) throws KustvaktException, OAuthSystemException {
    OAuth2Client client = clientService.authenticateClient(clientId, clientSecret);
    if (!client.isSuper()) {
        throw new KustvaktException(StatusCodes.CLIENT_AUTHORIZATION_FAILED,
                "Password grant is not allowed for third party clients",
                OAuth2Error.UNAUTHORIZED_CLIENT);
    }

    // Default scope when the request names none; config.getDefaultAccessScopes()
    // is deliberately not consulted here.
    Set<String> requestedScopes = scopes;
    if (requestedScopes == null || requestedScopes.isEmpty()) {
        requestedScopes = new HashSet<>(1);
        requestedScopes.add("all");
    }

    // User authentication happens before the scopes are converted, so a bad
    // password never reaches the scope service.
    ZonedDateTime authenticationTime = authenticateUser(username, password, requestedScopes);
    Set<AccessScope> accessScopes = scopeService.convertToAccessScope(requestedScopes);
    return createsAccessTokenResponse(requestedScopes, accessScopes, clientId, username,
            authenticationTime, false);
}
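/**
 * Issues an access token for the client credentials grant.
 *
 * Clients must authenticate: a missing or empty client_secret is
 * rejected with INVALID_REQUEST before the client is looked up.
 *
 * Note: this implementation does NOT restrict the grant to native
 * clients (the former isNative check was removed). The client type is
 * instead passed along via {@code clientService.isPublicClient} when
 * the token response is created.
 *
 * @param clientId
 *            client_id parameter, required
 * @param clientSecret
 *            client_secret parameter, required
 * @param scopes
 *            authorization scopes, optional; they are passed through
 *            {@code scopeService.filterScopes} together with
 *            {@code config.getClientCredentialsScopes()} (the caller's
 *            set is not modified)
 * @return an {@link OAuthResponse}
 * @throws KustvaktException
 *             if client_secret is null or empty, or as propagated from
 *             client authentication
 * @throws OAuthSystemException
 */
protected OAuthResponse requestAccessTokenWithClientCredentials(String clientId, String clientSecret, Set<String> scopes) throws KustvaktException, OAuthSystemException {
    if (clientSecret == null || clientSecret.isEmpty()) {
        throw new KustvaktException(StatusCodes.CLIENT_AUTHENTICATION_FAILED,
                "Missing parameters: client_secret", OAuth2Error.INVALID_REQUEST);
    }
    OAuth2Client oAuth2Client = clientService.authenticateClient(clientId, clientSecret);

    // No resource owner takes part in this grant; the "authentication time"
    // is the current time, taken right after the client authenticated.
    ZonedDateTime authenticationTime = ZonedDateTime.now(ZoneId.of(Attributes.DEFAULT_TIME_ZONE));

    // Work on a local so the caller's parameter is not reassigned.
    Set<String> grantedScopes = scopeService.filterScopes(scopes, config.getClientCredentialsScopes());
    Set<AccessScope> accessScopes = scopeService.convertToAccessScope(grantedScopes);

    // username is null: a client-credentials token is not bound to a user.
    return createsAccessTokenResponse(grantedScopes, accessScopes, clientId, null,
            authenticationTime, clientService.isPublicClient(oAuth2Client));
}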
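/**
 * Lists the access tokens of a user as DTOs, on behalf of the super
 * client. Tokens issued to the super client itself are left out.
 *
 * Only a client that authenticates as super client may call this;
 * any other client is rejected with UNAUTHORIZED_CLIENT. Note that
 * each DTO carries the raw token value ({@code setToken}), so that
 * check is the only gate on this listing.
 *
 * @param username
 *            user whose tokens are listed
 * @param superClientId
 *            client_id of the calling super client
 * @param superClientSecret
 *            client_secret of the calling super client
 * @param clientId
 *            optional client filter, passed through to
 *            {@code tokenDao.retrieveAccessTokenByUser}
 * @return DTOs of the user's tokens excluding those of the super client
 *         (may be empty)
 * @throws KustvaktException
 *             if the caller is not a super client, or as propagated
 *             from client authentication or the DAO
 */
public List<OAuth2TokenDto> listUserAccessToken(String username, String superClientId, String superClientSecret, String clientId) throws KustvaktException {
    OAuth2Client superClient = clientService.authenticateClient(superClientId, superClientSecret);
    if (!superClient.isSuper()) {
        throw new KustvaktException(StatusCodes.CLIENT_AUTHORIZATION_FAILED,
                "Only super client is allowed.", OAuth2Error.UNAUTHORIZED_CLIENT);
    }

    List<AccessToken> tokens = tokenDao.retrieveAccessTokenByUser(username, clientId);

    // Loop invariants hoisted out of the loop: the formatter is a constant,
    // and one reference time keeps expires_in consistent across the list.
    // Seconds between two ZonedDateTimes are instant-based, so using the
    // configured default zone here does not change the computed value.
    DateTimeFormatter formatter = DateTimeFormatter.ISO_DATE_TIME;
    ZonedDateTime now = ZonedDateTime.now(ZoneId.of(Attributes.DEFAULT_TIME_ZONE));
    String superId = superClient.getId();

    List<OAuth2TokenDto> dtoList = new ArrayList<>(tokens.size());
    for (AccessToken t : tokens) {
        // The super client's own tokens are not reported.
        if (t.getClient().getId().equals(superId)) {
            continue;
        }
        dtoList.add(toTokenDto(t, formatter, now));
    }
    return dtoList;
}

/**
 * Builds the DTO for one stored access token.
 *
 * @param t
 *            the stored token
 * @param formatter
 *            formatter for created / user-authentication timestamps
 * @param now
 *            reference time for the expires_in computation
 * @return the populated DTO, including the raw token value
 */
private OAuth2TokenDto toTokenDto(AccessToken t, DateTimeFormatter formatter, ZonedDateTime now) {
    OAuth2Client tokenClient = t.getClient();
    OAuth2TokenDto dto = new OAuth2TokenDto();
    dto.setClientId(tokenClient.getId());
    dto.setClientName(tokenClient.getName());
    dto.setClientUrl(tokenClient.getUrl());
    dto.setClientDescription(tokenClient.getDescription());
    dto.setCreatedDate(t.getCreatedDate().format(formatter));
    // Remaining lifetime in seconds; negative if the token already expired.
    dto.setExpiresIn(ChronoUnit.SECONDS.between(now, t.getExpiryDate()));
    dto.setUserAuthenticationTime(t.getUserAuthenticationTime().format(formatter));
    dto.setToken(t.getToken());

    Set<AccessScope> accessScopes = t.getScopes();
    Set<String> scopes = new HashSet<>(accessScopes.size());
    for (AccessScope s : accessScopes) {
        scopes.add(s.getId().toString());
    }
    dto.setScope(scopes);
    return dto;
}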
/**
 * Retrieves the clients that currently hold a usable refresh token for
 * the given user: a refresh token owned by the user, not revoked, and
 * with an expiry date still in the future.
 *
 * @param username
 *            the user whose authorized clients are listed; validated by
 *            {@code ParameterChecker.checkStringValue}
 * @return the distinct matching clients (may be empty)
 * @throws KustvaktException
 *             as raised by the username check
 */
public List<OAuth2Client> retrieveUserAuthorizedClients(String username) throws KustvaktException {
    ParameterChecker.checkStringValue(username, "username");

    CriteriaBuilder cb = entityManager.getCriteriaBuilder();
    CriteriaQuery<OAuth2Client> criteria = cb.createQuery(OAuth2Client.class);
    Root<OAuth2Client> clientRoot = criteria.from(OAuth2Client.class);
    Join<OAuth2Client, RefreshToken> tokenJoin = clientRoot.join(OAuth2Client_.refreshTokens);

    // The three conditions on the joined refresh token, named for readability.
    ZonedDateTime now = ZonedDateTime.now(ZoneId.of(Attributes.DEFAULT_TIME_ZONE));
    Predicate ownedByUser = cb.equal(tokenJoin.get(RefreshToken_.userId), username);
    Predicate notRevoked = cb.equal(tokenJoin.get(RefreshToken_.isRevoked), false);
    Predicate notExpired = cb.greaterThan(tokenJoin.<ZonedDateTime>get(RefreshToken_.expiryDate), now);

    // distinct: a client with several live refresh tokens must appear only once.
    criteria.select(clientRoot)
            .where(cb.and(ownedByUser, notRevoked, notExpired))
            .distinct(true);

    TypedQuery<OAuth2Client> typedQuery = entityManager.createQuery(criteria);
    return typedQuery.getResultList();
}
/**
 * Retrieves the usable refresh tokens of a user: those owned by the
 * user, not revoked, and with an expiry date still in the future. The
 * token's client is fetched eagerly in the same query.
 *
 * @param username
 *            the token owner; validated by
 *            {@code ParameterChecker.checkStringValue}
 * @param clientId
 *            optional; when neither null nor empty, results are
 *            limited to tokens of the client resolved via
 *            {@code clientDao.retrieveClientById}
 * @return the matching refresh tokens (may be empty)
 * @throws KustvaktException
 *             as raised by the username check or by the client lookup
 */
public List<RefreshToken> retrieveRefreshTokenByUser(String username, String clientId) throws KustvaktException {
    ParameterChecker.checkStringValue(username, "username");

    CriteriaBuilder cb = entityManager.getCriteriaBuilder();
    CriteriaQuery<RefreshToken> criteria = cb.createQuery(RefreshToken.class);
    Root<RefreshToken> tokenRoot = criteria.from(RefreshToken.class);
    // Eager fetch so the client can be read without a further query.
    tokenRoot.fetch(RefreshToken_.client);

    ZonedDateTime now = ZonedDateTime.now(ZoneId.of(Attributes.DEFAULT_TIME_ZONE));
    Predicate ownedByUser = cb.equal(tokenRoot.get(RefreshToken_.userId), username);
    Predicate notRevoked = cb.equal(tokenRoot.get(RefreshToken_.isRevoked), false);
    Predicate notExpired = cb.greaterThan(tokenRoot.<ZonedDateTime>get(RefreshToken_.expiryDate), now);
    Predicate condition = cb.and(ownedByUser, notRevoked, notExpired);

    // Optional narrowing to a single client.
    boolean filterByClient = clientId != null && !clientId.isEmpty();
    if (filterByClient) {
        OAuth2Client client = clientDao.retrieveClientById(clientId);
        condition = cb.and(condition, cb.equal(tokenRoot.get(RefreshToken_.client), client));
    }

    criteria.select(tokenRoot).where(condition);
    TypedQuery<RefreshToken> typedQuery = entityManager.createQuery(criteria);
    return typedQuery.getResultList();
}