
Example 1 with AccessToken

use of info.xiancloud.core.support.authen.AccessToken in project xian by happyyangyuan.

Class ValidateAccessToken, method fetchAccessTokenAndReturnScope.

/**
 * Resolves the scope the current request is allowed to use.
 * <p>
 * A request coming from a white-listed client ip is granted {@code Scope.api_all}
 * without any token being inspected. Any other request must carry an access token in
 * the {@code Constant.XIAN_REQUEST_TOKEN_HEADER} header; that token is resolved through
 * {@code forToken}, attached to the request context and its scope is returned.
 *
 * @param request the unit request whose context carries the client ip and headers.
 * @return the scope of the request.
 * @throws AccessTokenFailure       if no token string is provided in the header.
 * @throws IllegalArgumentException if the client ip is missing from the context.
 */
private static String fetchAccessTokenAndReturnScope(UnitRequest request) throws AccessTokenFailure /*, UnknownScopeException*/
{
    final String clientIp = request.getContext().getIp();
    if (StringUtil.isEmpty(clientIp)) {
        throw new IllegalArgumentException("Client's ip is empty, please check!");
    }
    // A white-listed ip bypasses token validation entirely and receives the widest scope,
    // so the ip must come from a trustworthy source (not a client-controlled header) — confirm upstream.
    if (isWhiteIp(clientIp)) {
        return Scope.api_all;
    }
    String tokenString = null;
    if (request.getContext().getHeader() != null) {
        tokenString = request.getContext().getHeader().getOrDefault(Constant.XIAN_REQUEST_TOKEN_HEADER, null);
    }
    if (StringUtil.isEmpty(tokenString)) {
        throw new AccessTokenFailure(null);
    }
    AccessToken resolvedToken = forToken(tokenString);
    request.getContext().setAccessToken(resolvedToken);
    return resolvedToken.getScope();
}

Example 2 with AccessToken

use of info.xiancloud.core.support.authen.AccessToken in project xian by happyyangyuan.

Class RedisDBManager, method updateAccessTokenValidStatus.

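/**
 * Flips the {@code valid} flag of the cached access token identified by {@code accessToken}
 * and writes the updated object back under the same cache key.
 *
 * @param accessToken the raw token string; the cache key is {@code "at:" + accessToken}.
 * @param valid       the new validity flag.
 * @throws IllegalStateException if no token object is cached under that key, so the
 *                               status change cannot be applied.
 */
@Override
public void updateAccessTokenValidStatus(String accessToken, boolean valid) {
    final String cacheKey = "at:" + accessToken;
    AccessToken cachedToken = CacheObjectUtil.get(cacheKey, AccessToken.class);
    if (cachedToken == null) {
        // NOTE(review): assumes CacheObjectUtil.get returns null on a cache miss — confirm.
        // Fail loudly rather than with a bare NullPointerException; the token string is a
        // credential, so it is deliberately left out of the message.
        throw new IllegalStateException("No cached access token found for the given token string; cannot update valid status.");
    }
    CacheObjectUtil.set(cacheKey, cachedToken.setValid(valid));
}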

Example 3 with AccessToken

use of info.xiancloud.core.support.authen.AccessToken in project xian by happyyangyuan.

Class Authenticator, method isValidToken.

/**
 * Looks up {@code token} in the backing store and returns it only when it is still usable.
 * <p>
 * A token that is present and flagged valid but whose lifetime has elapsed is marked
 * invalid in the store and treated as absent. Unknown or already-invalid tokens yield
 * {@code null} without touching the store.
 *
 * @param token the raw access token string to check.
 * @return the matching {@code AccessToken}, or {@code null} if it is unknown, invalid or expired.
 */
public AccessToken isValidToken(String token) {
    AccessToken stored = db.findAccessToken(token);
    // NOTE(review): the whole token object is logged at INFO; if its toString() includes the
    // token string, the credential ends up in the log — confirm and consider redacting.
    LOG.info("token详情:" + stored);
    if (stored == null || !stored.isValid()) {
        return null;
    }
    if (!stored.tokenExpired()) {
        return stored;
    }
    LOG.info("accessToken 已过期,client_id= " + stored.getClientId());
    // Persist the expiry, presumably so later lookups fail on isValid() without re-checking the time.
    db.updateAccessTokenValidStatus(stored.getToken(), false);
    return null;
}

Example 4 with AccessToken

use of info.xiancloud.core.support.authen.AccessToken in project xian by happyyangyuan.

Class Authenticator, method issueAccessToken.

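/**
 * Issues an access token for the grant type carried by {@code req}; both json and form
 * encoded bodies are supported.
 * <p>
 * Every branch first validates the client credentials, then the grant-specific artefact
 * (auth code, refresh token, user password or custom handler result) and finally persists
 * the new token through {@code db.storeAccessToken}.
 *
 * @param req the incoming token request.
 * @return the newly issued token, or {@code null} if the grant type matches none of the
 *         handled branches (presumably already rejected by {@code tokenRequest.validate()} — confirm).
 * @throws OAuthException on invalid client credentials, auth code, client id, redirect uri,
 *                        refresh token, scope or user credentials.
 */
public AccessToken issueAccessToken(FullHttpRequest req) throws OAuthException {
    TokenRequest tokenRequest = TokenRequest.create(req);
    tokenRequest.validate();
    // check valid client_id, client_secret and status of the client app should be active
    if (!isActiveClient(tokenRequest.getClientId(), tokenRequest.getClientSecret())) {
        throw new OAuthException(ResponseBuilder.INVALID_CLIENT_CREDENTIALS, HttpResponseStatus.BAD_REQUEST);
    }
    AccessToken accessToken = null;
    if (TokenRequest.AUTHORIZATION_CODE.equals(tokenRequest.getGrantType())) {
        AuthCode authCode = findAuthCode(tokenRequest);
        // TODO: REVISIT: Move client_id check to db query
        if (authCode != null) {
            // The code may only be redeemed by the client it was issued to.
            if (!tokenRequest.getClientId().equals(authCode.getClientId())) {
                throw new OAuthException(ResponseBuilder.INVALID_CLIENT_ID, HttpResponseStatus.BAD_REQUEST);
            }
            // Compare from the stored side, which is known non-null here, so a missing redirect_uri
            // in the request is reported as INVALID_REDIRECT_URI instead of a NullPointerException.
            if (authCode.getRedirectUri() != null && !authCode.getRedirectUri().equals(tokenRequest.getRedirectUri())) {
                throw new OAuthException(ResponseBuilder.INVALID_REDIRECT_URI, HttpResponseStatus.BAD_REQUEST);
            } else {
                // invalidate the auth code: it is single use
                db.updateAuthCodeValidStatus(authCode.getCode(), false);
                // NOTE(review): the token lifetime is looked up with TokenRequest.PASSWORD rather than
                // AUTHORIZATION_CODE — confirm this is intended.
                accessToken = new AccessToken(TOKEN_TYPE_BEARER, getExpiresIn(TokenRequest.PASSWORD, authCode.getScope()), authCode.getScope(), getExpiresIn(TokenRequest.REFRESH_TOKEN, authCode.getScope()));
                accessToken.setUserId(authCode.getUserId());
                accessToken.setClientId(authCode.getClientId());
                accessToken.setCodeId(authCode.getId());
                db.storeAccessToken(accessToken);
            }
        } else {
            throw new OAuthException(ResponseBuilder.INVALID_AUTH_CODE, HttpResponseStatus.BAD_REQUEST);
        }
    } else if (TokenRequest.REFRESH_TOKEN.equals(tokenRequest.getGrantType())) {
        // The lookup is scoped by client id, so a refresh token cannot be used by another client.
        accessToken = db.findAccessTokenByRefreshToken(tokenRequest.getRefreshToken(), tokenRequest.getClientId());
        if (accessToken != null) {
            if (!accessToken.refreshTokenExpired()) {
                // A requested scope may only narrow (or equal) the scope of the original token.
                String validScope;
                if (tokenRequest.getScope() != null) {
                    if (scopeService.scopeAllowed(tokenRequest.getScope(), accessToken.getScope())) {
                        validScope = tokenRequest.getScope();
                    } else {
                        throw new OAuthException(ResponseBuilder.SCOPE_NOK_MESSAGE, HttpResponseStatus.BAD_REQUEST);
                    }
                } else {
                    validScope = accessToken.getScope();
                }
                // Retire the old access token and carry its refresh token and user details over to the new one.
                db.updateAccessTokenValidStatus(accessToken.getToken(), false);
                AccessToken newAccessToken = new AccessToken(TOKEN_TYPE_BEARER, getExpiresIn(TokenRequest.PASSWORD, validScope), validScope, accessToken.getRefreshToken(), accessToken.getRefreshExpiresIn());
                newAccessToken.setUserId(accessToken.getUserId());
                newAccessToken.setDetails(accessToken.getDetails());
                newAccessToken.setClientId(accessToken.getClientId());
                db.storeAccessToken(newAccessToken);
                db.removeAccessToken(accessToken.getToken());
                return newAccessToken;
            } else {
                // An expired refresh token is removed so it cannot be presented again.
                db.removeAccessToken(accessToken.getToken());
                throw new OAuthException(ResponseBuilder.INVALID_REFRESH_TOKEN, HttpResponseStatus.BAD_REQUEST);
            }
        } else {
            throw new OAuthException(ResponseBuilder.INVALID_REFRESH_TOKEN, HttpResponseStatus.BAD_REQUEST);
        }
    } else if (TokenRequest.CLIENT_CREDENTIALS.equals(tokenRequest.getGrantType())) {
        // NOTE(review): clientCredentials is dereferenced without a null check; isActiveClient above
        // presumably guarantees the record exists — confirm.
        ClientCredentials clientCredentials = db.findClientCredentials(tokenRequest.getClientId());
        String scope = scopeService.getValidScopeByScope(tokenRequest.getScope(), clientCredentials.getScope());
        if (scope == null) {
            throw new OAuthException(ResponseBuilder.SCOPE_NOK_MESSAGE, HttpResponseStatus.BAD_REQUEST);
        }
        // Client-credential tokens are bound to the application only: no user id and no refresh token.
        accessToken = new AccessToken(TOKEN_TYPE_BEARER, getExpiresIn(TokenRequest.CLIENT_CREDENTIALS, scope), scope, false, null);
        accessToken.setClientId(tokenRequest.getClientId());
        Map<String, String> applicationDetails = clientCredentials.getApplicationDetails();
        if ((applicationDetails != null) && !applicationDetails.isEmpty()) {
            // For backward compatibility
            accessToken.setDetails(applicationDetails);
            accessToken.setApplicationDetails(applicationDetails);
        }
        db.storeAccessToken(accessToken);
    } else if (TokenRequest.PASSWORD.equals(tokenRequest.getGrantType())) {
        ClientCredentials clientCredentials = db.findClientCredentials(tokenRequest.getClientId());
        String scope = scopeService.getValidScopeByScope(tokenRequest.getScope(), clientCredentials.getScope());
        if (scope == null) {
            throw new OAuthException(ResponseBuilder.SCOPE_NOK_MESSAGE, HttpResponseStatus.BAD_REQUEST);
        }
        try {
            UserDetails userDetails = authenticateUser(tokenRequest.getUsername(), tokenRequest.getPassword(), req);
            if (userDetails != null && userDetails.getUserId() != null) {
                accessToken = new AccessToken(TOKEN_TYPE_BEARER, getExpiresIn(TokenRequest.PASSWORD, scope), scope, getExpiresIn(TokenRequest.REFRESH_TOKEN, scope));
                accessToken.setUserId(userDetails.getUserId());
                accessToken.setDetails(userDetails.getDetails());
                accessToken.setClientId(tokenRequest.getClientId());
                accessToken.setApplicationDetails(clientCredentials.getApplicationDetails());
                db.storeAccessToken(accessToken);
            } else {
                throw new OAuthException(ResponseBuilder.INVALID_USERNAME_PASSWORD, HttpResponseStatus.UNAUTHORIZED);
            }
        } catch (AuthenticationException e) {
            // for instance, if the user authentication requires more user details as a subsequent step
            if (e.getResponse() != null) {
                // Relay the authenticator's own response body and status to the caller.
                String responseContent = ((FullHttpResponse) (e.getResponse())).content().toString(CharsetUtil.UTF_8);
                throw new OAuthException(e, responseContent, e.getResponse().getStatus());
            } else {
                LOG.error("Cannot authenticate user", e);
                // NOSONAR
                throw new OAuthException(e, ResponseBuilder.CANNOT_AUTHENTICATE_USER, HttpResponseStatus.UNAUTHORIZED);
            }
        }
    } else if (tokenRequest.getGrantType().equals(OAuthConfig.getCustomGrantType())) {
        String scope = scopeService.getValidScope(tokenRequest.getScope(), tokenRequest.getClientId());
        if (scope == null) {
            throw new OAuthException(ResponseBuilder.SCOPE_NOK_MESSAGE, HttpResponseStatus.BAD_REQUEST);
        }
        try {
            accessToken = new AccessToken(TOKEN_TYPE_BEARER, getExpiresIn(TokenRequest.PASSWORD, scope), scope, getExpiresIn(TokenRequest.REFRESH_TOKEN, scope));
            accessToken.setClientId(tokenRequest.getClientId());
            // NOTE(review): a token is stored even when the custom handler yields no user id — confirm
            // that an anonymous token is intended for the custom grant type.
            UserDetails userDetails = callCustomGrantTypeHandler(req);
            if (userDetails != null && userDetails.getUserId() != null) {
                accessToken.setUserId(userDetails.getUserId());
                accessToken.setDetails(userDetails.getDetails());
            }
            db.storeAccessToken(accessToken);
        } catch (AuthenticationException e) {
            LOG.error("Cannot authenticate user", e);
            throw new OAuthException(e, ResponseBuilder.CANNOT_AUTHENTICATE_USER, HttpResponseStatus.UNAUTHORIZED);
        }
    }
    // Falls through with null for an unrecognised grant type.
    return accessToken;
}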

Example 5 with AccessToken

use of info.xiancloud.core.support.authen.AccessToken in project xian by happyyangyuan.

Class OAuth20Handler, method handleTokenValidate.

/**
 * Handles {@code GET /oauth2.0/tokens/validate}: checks whether the {@code access_token}
 * query parameter names a token that {@code auth.isValidToken} still accepts.
 *
 * @param req the incoming http request; the token is read from its query string.
 * @return a bad-request response when the parameter is absent or empty, an unauthorized
 *         response when the token is rejected, otherwise an ok response carrying the
 *         token serialised as json.
 */
@DocOAuth20Sub(name = "handleTokenValidate", dec = "验证access_token是否有效", method = "GET", url = "/oauth2.0/tokens/validate", args = { @DocOAuth20SubIn(name = "access_token", dec = "access_token", require = true, type = String.class) })
FullHttpResponse handleTokenValidate(FullHttpRequest req) {
    Map<String, List<String>> queryParams = new QueryStringDecoder(req.uri()).parameters();
    String suppliedToken = QueryParameter.getFirstElement(queryParams, QueryParameter.TOKEN);
    if (suppliedToken == null || suppliedToken.isEmpty()) {
        return ResponseBuilder.createBadRequestResponse();
    }
    AccessToken validToken = auth.isValidToken(suppliedToken);
    if (validToken == null) {
        return ResponseBuilder.createUnauthorizedResponse();
    }
    String tokenJson = JSON.toJSONString(validToken);
    // NOTE(review): the serialised token is written to the debug log; if the token string itself
    // is part of the serialisation, the credential ends up in the log — confirm or redact.
    LOG.debug(tokenJson);
    return ResponseBuilder.createOkResponse(tokenJson);
}
