use of org.apache.cxf.rs.security.oauth2.common.Client in project cxf by apache.
the class AbstractOAuthDataProviderTest method addClient.
protected Client addClient(String clientId, String userLogin) {
Client c = new Client();
c.setRedirectUris(Collections.singletonList("http://client/redirect"));
c.setClientId(clientId);
c.setClientSecret("123");
c.setResourceOwnerSubject(new UserSubject(userLogin));
getProvider().setClient(c);
return c;
}
use of org.apache.cxf.rs.security.oauth2.common.Client in project cxf by apache.
the class RedirectionBasedGrantService method startAuthorization.
protected Response startAuthorization(MultivaluedMap<String, String> params, UserSubject userSubject, Client client, String redirectUri) {
// Enforce the client confidentiality requirements
if (!OAuthUtils.isGrantSupportedForClient(client, canSupportPublicClient(client), supportedGrantType)) {
LOG.fine("The grant type is not supported");
return createErrorResponse(params, redirectUri, OAuthConstants.UNAUTHORIZED_CLIENT);
}
// Check response_type
String responseType = params.getFirst(OAuthConstants.RESPONSE_TYPE);
if (responseType == null || !getSupportedResponseTypes().contains(responseType)) {
LOG.fine("The response type is null or not supported");
return createErrorResponse(params, redirectUri, OAuthConstants.UNSUPPORTED_RESPONSE_TYPE);
}
// Get the requested scopes
String providedScope = params.getFirst(OAuthConstants.SCOPE);
final List<String> requestedScope;
final List<OAuthPermission> requestedPermissions;
try {
requestedScope = OAuthUtils.getRequestedScopes(client, providedScope, useAllClientScopes, partialMatchScopeValidation);
requestedPermissions = getDataProvider().convertScopeToPermissions(client, requestedScope);
} catch (OAuthServiceException ex) {
LOG.log(Level.FINE, "Error processing scopes", ex);
return createErrorResponse(params, redirectUri, OAuthConstants.INVALID_SCOPE);
}
// Validate the audience
String clientAudience = params.getFirst(OAuthConstants.CLIENT_AUDIENCE);
// in the list of Client audiences set at the Client registration time.
if (!OAuthUtils.validateAudience(clientAudience, client.getRegisteredAudiences())) {
LOG.fine("Error validating audience parameter");
return createErrorResponse(params, redirectUri, OAuthConstants.INVALID_REQUEST);
}
// Request a new grant only if no pre-authorized token is available
ServerAccessToken preAuthorizedToken = null;
if (canAccessTokenBeReturned(responseType)) {
preAuthorizedToken = getDataProvider().getPreauthorizedToken(client, requestedScope, userSubject, supportedGrantType);
}
List<OAuthPermission> alreadyAuthorizedPerms = null;
boolean preAuthorizationComplete = false;
if (preAuthorizedToken != null) {
alreadyAuthorizedPerms = preAuthorizedToken.getScopes();
preAuthorizationComplete = OAuthUtils.convertPermissionsToScopeList(alreadyAuthorizedPerms).containsAll(requestedScope);
}
Response finalResponse;
try {
final boolean authorizationCanBeSkipped = preAuthorizationComplete || canAuthorizationBeSkipped(params, client, userSubject, requestedScope, requestedPermissions);
// Populate the authorization challenge data
OAuthAuthorizationData data = createAuthorizationData(client, params, redirectUri, userSubject, requestedPermissions, alreadyAuthorizedPerms, authorizationCanBeSkipped);
if (authorizationCanBeSkipped) {
getMessageContext().put(AUTHORIZATION_REQUEST_PARAMETERS, params);
List<OAuthPermission> approvedScopes = preAuthorizationComplete ? preAuthorizedToken.getScopes() : requestedPermissions;
finalResponse = createGrant(data, client, requestedScope, OAuthUtils.convertPermissionsToScopeList(approvedScopes), userSubject, preAuthorizedToken);
} else {
if (preAuthorizedToken != null) {
data.setPreauthorizedTokenKey(preAuthorizedToken.getTokenKey());
}
finalResponse = Response.ok(data).build();
}
} catch (OAuthServiceException ex) {
finalResponse = createErrorResponse(params, redirectUri, ex.getError().getError());
}
return finalResponse;
}
use of org.apache.cxf.rs.security.oauth2.common.Client in project cxf by apache.
the class RedirectionBasedGrantService method startAuthorization.
/**
* Starts the authorization process
*/
protected Response startAuthorization(MultivaluedMap<String, String> params) {
UserSubject userSubject = null;
SecurityContext securityContext = (SecurityContext) getMessageContext().get(SecurityContext.class.getName());
if (securityContext != null && securityContext.getUserPrincipal() != null) {
// Create a UserSubject representing the end user, if we have already authenticated
userSubject = createUserSubject(securityContext, params);
}
checkTransportSecurity();
Client client = getClient(params.getFirst(OAuthConstants.CLIENT_ID), params);
if (authorizationFilter != null) {
params = authorizationFilter.process(params, userSubject, client);
}
// Validate the provided request URI, if any, against the ones Client provided
// during the registration
String redirectUri = validateRedirectUri(client, params.getFirst(OAuthConstants.REDIRECT_URI));
return startAuthorization(params, userSubject, client, redirectUri);
}
use of org.apache.cxf.rs.security.oauth2.common.Client in project cxf by apache.
the class RedirectionBasedGrantService method completeAuthorization.
/**
* Completes the authorization process
*/
protected Response completeAuthorization(MultivaluedMap<String, String> params) {
// Make sure the end user has authenticated, check if HTTPS is used
SecurityContext securityContext = getAndValidateSecurityContext(params);
UserSubject userSubject = createUserSubject(securityContext, params);
// Make sure the session is valid
String sessionTokenParamName = params.getFirst(OAuthConstants.SESSION_AUTHENTICITY_TOKEN_PARAM_NAME);
if (sessionTokenParamName == null) {
sessionTokenParamName = OAuthConstants.SESSION_AUTHENTICITY_TOKEN;
}
String sessionToken = params.getFirst(sessionTokenParamName);
if (sessionToken == null || !compareRequestAndSessionTokens(sessionToken, params, userSubject)) {
throw ExceptionUtils.toBadRequestException(null, null);
}
OAuthRedirectionState state = recreateRedirectionStateFromSession(userSubject, sessionToken);
if (state == null) {
state = recreateRedirectionStateFromParams(params);
}
Client client = getClient(state.getClientId(), params);
String redirectUri = validateRedirectUri(client, state.getRedirectUri());
// Get the end user decision value
String decision = params.getFirst(OAuthConstants.AUTHORIZATION_DECISION_KEY);
boolean allow = OAuthConstants.AUTHORIZATION_DECISION_ALLOW.equals(decision);
// Return the error if denied
if (!allow) {
return createErrorResponse(params, redirectUri, OAuthConstants.ACCESS_DENIED);
}
// Check if the end user may have had a chance to down-scope the requested scopes
List<String> requestedScope = OAuthUtils.parseScope(state.getProposedScope());
List<String> approvedScope = new LinkedList<>();
for (String rScope : requestedScope) {
String param = params.getFirst(rScope + "_status");
if (OAuthConstants.AUTHORIZATION_DECISION_ALLOW.equals(param)) {
approvedScope.add(rScope);
}
}
if (!OAuthUtils.validateScopes(requestedScope, client.getRegisteredScopes(), partialMatchScopeValidation)) {
return createErrorResponse(params, redirectUri, OAuthConstants.INVALID_SCOPE);
}
getMessageContext().put(AUTHORIZATION_REQUEST_PARAMETERS, params);
String preAuthorizedTokenKey = params.getFirst(PREAUTHORIZED_TOKEN_KEY);
if (preAuthorizedTokenKey != null && isRevokePreauthorizedTokenOnApproval()) {
getDataProvider().revokeToken(client, preAuthorizedTokenKey, OAuthConstants.ACCESS_TOKEN);
}
// Request a new grant
return createGrant(state, client, requestedScope, approvedScope, userSubject, null);
}
use of org.apache.cxf.rs.security.oauth2.common.Client in project cxf by apache.
the class JCacheCodeDataProviderTest method testAddGetDeleteCodeGrants2.
@Ignore
@Test
public void testAddGetDeleteCodeGrants2() {
Client c = addClient("111", "bob");
AuthorizationCodeRegistration atr = new AuthorizationCodeRegistration();
atr.setClient(c);
atr.setApprovedScope(Collections.singletonList("a"));
atr.setSubject(c.getResourceOwnerSubject());
provider.createCodeGrant(atr);
List<ServerAuthorizationCodeGrant> grants = provider.getCodeGrants(c, c.getResourceOwnerSubject());
assertNotNull(grants);
assertEquals(1, grants.size());
provider.removeClient(c.getClientId());
grants = provider.getCodeGrants(c, c.getResourceOwnerSubject());
assertNotNull(grants);
assertEquals(0, grants.size());
}
Aggregations