

the class OltuTokenService method requestAccessTokenWithPassword.

/**
 * Issues an access token for the resource owner password credentials
 * grant. Third party apps must not be allowed to use this grant;
 * MH: password grant is only allowed for trusted clients (korap
 * frontend), i.e. clients flagged as super clients.
 *
 * According to RFC 6749, client authentication is only required
 * for confidential clients and whenever client credentials are
 * provided. Moreover, client_id is optional for password grant,
 * but without it, the authentication server cannot check the
 * client type. To make sure that confidential clients
 * authenticate, client_id is made required (similar to
 * authorization code grant).
 *
 * TODO: FORCE client secret
 *
 * @param clientId
 *            client_id, required
 * @param clientSecret
 *            client_secret, required if client_secret was issued
 *            for the client in client registration.
 * @param username
 *            username, required
 * @param password
 *            password, required
 * @param scopes
 *            authorization scopes, optional; when absent or empty
 *            the single scope "all" is used
 * @return an {@link OAuthResponse}
 * @throws KustvaktException
 *             if the authenticated client is not a super client
 *             (and presumably when client or user authentication
 *             fails inside the invoked services)
 * @throws OAuthSystemException
 */
private OAuthResponse requestAccessTokenWithPassword(String clientId, String clientSecret, String username, String password, Set<String> scopes) throws KustvaktException, OAuthSystemException {
    // The client is authenticated before any user credential is
    // touched; only super clients may proceed with this grant.
    OAuth2Client authenticatedClient = clientService.authenticateClient(clientId, clientSecret);
    if (!authenticatedClient.isSuper()) {
        throw new KustvaktException(StatusCodes.CLIENT_AUTHORIZATION_FAILED, "Password grant is not allowed for third party clients", OAuth2Error.UNAUTHORIZED_CLIENT);
    }
    // Default to the "all" scope when the request names none
    // (an alternative would be config.getDefaultAccessScopes()).
    Set<String> requestedScopes = scopes;
    if (requestedScopes == null || requestedScopes.isEmpty()) {
        requestedScopes = new HashSet<>(1);
        requestedScopes.add("all");
    }
    ZonedDateTime authenticationTime = authenticateUser(username, password, requestedScopes);
    Set<AccessScope> accessScopes = scopeService.convertToAccessScope(requestedScopes);
    // The trailing flag mirrors the isPublicClient value passed by the
    // client credentials grant; super clients are treated as
    // confidential here — confirm against createsAccessTokenResponse.
    return createsAccessTokenResponse(requestedScopes, accessScopes, clientId, username, authenticationTime, false);
}

the class OltuTokenService method requestAccessTokenWithClientCredentials.

/**
 * Issues an access token for the client credentials grant.
 * Clients must authenticate with client_id and client_secret.
 *
 * NOTE: an earlier version additionally restricted this grant to
 * native clients; that check is currently disabled, so any client
 * that authenticates successfully may use the grant. The granted
 * scopes are limited to those configured for client credentials.
 *
 * @param clientId
 *            client_id parameter, required
 * @param clientSecret
 *            client_secret parameter, required
 * @param scopes
 *            authorization scopes, optional
 * @return an {@link OAuthResponse}
 * @throws KustvaktException
 *             if client_secret is missing (and presumably when the
 *             client service rejects the credentials)
 * @throws OAuthSystemException
 */
protected OAuthResponse requestAccessTokenWithClientCredentials(String clientId, String clientSecret, Set<String> scopes) throws KustvaktException, OAuthSystemException {
    boolean secretMissing = clientSecret == null || clientSecret.isEmpty();
    if (secretMissing) {
        throw new KustvaktException(StatusCodes.CLIENT_AUTHENTICATION_FAILED, "Missing parameters: client_secret", OAuth2Error.INVALID_REQUEST);
    }
    OAuth2Client authenticatedClient = clientService.authenticateClient(clientId, clientSecret);
    // Disabled: a former isNative() check rejected non-native clients
    // with CLIENT_AUTHENTICATION_FAILED / UNAUTHORIZED_CLIENT.
    // No resource owner is involved, so the authentication time is the
    // moment of client authentication.
    ZonedDateTime authenticationTime = ZonedDateTime.now(ZoneId.of(Attributes.DEFAULT_TIME_ZONE));
    // Only scopes permitted for client credentials survive the filter.
    Set<String> grantedScopes = scopeService.filterScopes(scopes, config.getClientCredentialsScopes());
    Set<AccessScope> accessScopes = scopeService.convertToAccessScope(grantedScopes);
    // username is null: the token belongs to the client, not to a user.
    return createsAccessTokenResponse(grantedScopes, accessScopes, clientId, null, authenticationTime, clientService.isPublicClient(authenticatedClient));
}

the class OltuTokenService method listUserAccessToken.

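/**
 * Lists the access tokens issued to {@code username}, as seen by the
 * calling super client. Tokens held by the super client itself are
 * omitted from the result.
 *
 * The returned DTOs carry the raw token values ({@code setToken}), so
 * the response is credential material and must be handled by the
 * caller with the same care as the tokens themselves.
 *
 * @param username
 *            owner of the tokens, required
 * @param superClientId
 *            client_id of the calling super client, required
 * @param superClientSecret
 *            client_secret of the calling super client
 * @param clientId
 *            passed through to the DAO to narrow the listing to one
 *            client; its null/empty semantics are defined there
 * @return the matching tokens, possibly empty
 * @throws KustvaktException
 *             if the calling client is not a super client (and
 *             presumably when client authentication fails)
 */
public List<OAuth2TokenDto> listUserAccessToken(String username, String superClientId, String superClientSecret, String clientId) throws KustvaktException {
    OAuth2Client superClient = clientService.authenticateClient(superClientId, superClientSecret);
    if (!superClient.isSuper()) {
        throw new KustvaktException(StatusCodes.CLIENT_AUTHORIZATION_FAILED, "Only super client is allowed.", OAuth2Error.UNAUTHORIZED_CLIENT);
    }
    List<AccessToken> tokens = tokenDao.retrieveAccessTokenByUser(username, clientId);
    // Loop invariants hoisted: the formatter is immutable, and a single
    // "now" gives every token's expires_in a consistent reference point.
    DateTimeFormatter formatter = DateTimeFormatter.ISO_DATE_TIME;
    ZonedDateTime now = ZonedDateTime.now();
    List<OAuth2TokenDto> dtoList = new ArrayList<>(tokens.size());
    for (AccessToken token : tokens) {
        OAuth2Client tokenClient = token.getClient();
        // Tokens the super client holds for itself are not listed.
        if (tokenClient.getId().equals(superClient.getId())) {
            continue;
        }
        OAuth2TokenDto dto = new OAuth2TokenDto();
        dto.setClientId(tokenClient.getId());
        dto.setClientName(tokenClient.getName());
        dto.setClientUrl(tokenClient.getUrl());
        dto.setClientDescription(tokenClient.getDescription());
        dto.setCreatedDate(token.getCreatedDate().format(formatter));
        // Instant-based difference, so the zone of "now" is irrelevant;
        // negative if the DAO ever returns an already-expired token.
        long expiresIn = ChronoUnit.SECONDS.between(now, token.getExpiryDate());
        dto.setExpiresIn(expiresIn);
        dto.setUserAuthenticationTime(token.getUserAuthenticationTime().format(formatter));
        dto.setToken(token.getToken());
        Set<AccessScope> accessScopes = token.getScopes();
        Set<String> scopeIds = new HashSet<>(accessScopes.size());
        for (AccessScope scope : accessScopes) {
            scopeIds.add(scope.getId().toString());
        }
        dto.setScope(scopeIds);
        dtoList.add(dto);
    }
    return dtoList;
}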

the class OAuth2ClientDao method retrieveUserAuthorizedClients.

/**
 * Retrieves the clients that {@code username} has authorized, defined
 * as those holding at least one refresh token for the user that is
 * neither revoked nor expired.
 *
 * @param username
 *            the user, validated by ParameterChecker
 * @return the distinct matching clients, possibly empty
 * @throws KustvaktException
 *             if {@code username} fails the parameter check
 */
public List<OAuth2Client> retrieveUserAuthorizedClients(String username) throws KustvaktException {
    ParameterChecker.checkStringValue(username, "username");
    CriteriaBuilder cb = entityManager.getCriteriaBuilder();
    CriteriaQuery<OAuth2Client> cq = cb.createQuery(OAuth2Client.class);
    Root<OAuth2Client> clientRoot = cq.from(OAuth2Client.class);
    Join<OAuth2Client, RefreshToken> tokenJoin = clientRoot.join(OAuth2Client_.refreshTokens);
    ZonedDateTime now = ZonedDateTime.now(ZoneId.of(Attributes.DEFAULT_TIME_ZONE));
    Predicate ownedByUser = cb.equal(tokenJoin.get(RefreshToken_.userId), username);
    Predicate notRevoked = cb.equal(tokenJoin.get(RefreshToken_.isRevoked), false);
    Predicate notExpired = cb.greaterThan(tokenJoin.<ZonedDateTime>get(RefreshToken_.expiryDate), now);
    // distinct: one client may hold several live tokens for the user.
    cq.select(clientRoot).where(cb.and(ownedByUser, notRevoked, notExpired)).distinct(true);
    return entityManager.createQuery(cq).getResultList();
}

the class RefreshTokenDao method retrieveRefreshTokenByUser.

/**
 * Retrieves the live (not revoked, not expired) refresh tokens of
 * {@code username}, optionally restricted to a single client. The
 * owning client is fetched together with each token.
 *
 * @param username
 *            the user, validated by ParameterChecker
 * @param clientId
 *            if non-null and non-empty, only tokens issued to this
 *            client are returned; the client is resolved via clientDao
 * @return the matching tokens, possibly empty
 * @throws KustvaktException
 *             if {@code username} fails the parameter check (and
 *             presumably if the client lookup fails)
 */
public List<RefreshToken> retrieveRefreshTokenByUser(String username, String clientId) throws KustvaktException {
    ParameterChecker.checkStringValue(username, "username");
    CriteriaBuilder cb = entityManager.getCriteriaBuilder();
    CriteriaQuery<RefreshToken> cq = cb.createQuery(RefreshToken.class);
    Root<RefreshToken> tokenRoot = cq.from(RefreshToken.class);
    // Eagerly load the owning client alongside each token.
    tokenRoot.fetch(RefreshToken_.client);
    ZonedDateTime now = ZonedDateTime.now(ZoneId.of(Attributes.DEFAULT_TIME_ZONE));
    Predicate condition = cb.and(
            cb.equal(tokenRoot.get(RefreshToken_.userId), username),
            cb.equal(tokenRoot.get(RefreshToken_.isRevoked), false),
            cb.greaterThan(tokenRoot.<ZonedDateTime>get(RefreshToken_.expiryDate), now));
    boolean filterByClient = clientId != null && !clientId.isEmpty();
    if (filterByClient) {
        OAuth2Client client = clientDao.retrieveClientById(clientId);
        condition = cb.and(condition, cb.equal(tokenRoot.get(RefreshToken_.client), client));
    }
    cq.select(tokenRoot).where(condition);
    return entityManager.createQuery(cq).getResultList();
}