use of org.apache.cxf.rs.security.oauth2.common.Client in project cxf by apache.
the class AuthorizationCodeGrantHandler method doCreateAccessToken.
private ServerAccessToken doCreateAccessToken(Client client, ServerAuthorizationCodeGrant grant, String requestedGrant, String codeVerifier, List<String> audiences) {
if (grant.isPreauthorizedTokenAvailable()) {
ServerAccessToken token = getPreAuthorizedToken(client, grant.getSubject(), requestedGrant, grant.getRequestedScopes(), getAudiences(client, grant.getAudience()));
if (token != null) {
if (grant.getNonce() != null) {
JAXRSUtils.getCurrentMessage().getExchange().put(OAuthConstants.NONCE, grant.getNonce());
}
return token;
}
// creating a completely new token can be wrong - though this needs to be reviewed
throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
}
if (!client.getAllowedGrantTypes().isEmpty() && !client.getAllowedGrantTypes().contains(requestedGrant)) {
throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
}
// Delegate to the data provider to create the one
AccessTokenRegistration reg = new AccessTokenRegistration();
reg.setGrantCode(grant.getCode());
reg.setClient(client);
reg.setGrantType(requestedGrant);
reg.setSubject(grant.getSubject());
reg.setRequestedScope(grant.getRequestedScopes());
reg.setNonce(grant.getNonce());
if (grant.getApprovedScopes() != null) {
reg.setApprovedScope(grant.getApprovedScopes());
} else {
reg.setApprovedScope(Collections.emptyList());
}
reg.setAudiences(audiences);
reg.setResponseType(grant.getResponseType());
reg.setClientCodeVerifier(codeVerifier);
reg.getExtraProperties().putAll(grant.getExtraProperties());
return getDataProvider().createAccessToken(reg);
}
use of org.apache.cxf.rs.security.oauth2.common.Client in project cxf by apache.
the class AuthorizationCodeGrantHandler method createAccessToken.
public ServerAccessToken createAccessToken(Client client, MultivaluedMap<String, String> params) throws OAuthServiceException {
// Get the grant representation from the provider
String codeValue = params.getFirst(OAuthConstants.AUTHORIZATION_CODE_VALUE);
ServerAuthorizationCodeGrant grant = ((AuthorizationCodeDataProvider) getDataProvider()).removeCodeGrant(codeValue);
if (grant == null) {
return null;
}
// check it has not expired, the client ids are the same
if (OAuthUtils.isExpired(grant.getIssuedAt(), grant.getExpiresIn())) {
throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
}
if (!grant.getClient().getClientId().equals(client.getClientId())) {
throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
}
// redirect URIs must match too
String expectedRedirectUri = grant.getRedirectUri();
String providedRedirectUri = params.getFirst(OAuthConstants.REDIRECT_URI);
if (providedRedirectUri != null) {
if (!providedRedirectUri.equals(expectedRedirectUri)) {
throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
}
} else if (expectedRedirectUri == null && !isCanSupportPublicClients() || expectedRedirectUri != null && (client.getRedirectUris().size() != 1 || !client.getRedirectUris().contains(expectedRedirectUri))) {
throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
}
String clientCodeVerifier = params.getFirst(OAuthConstants.AUTHORIZATION_CODE_VERIFIER);
String clientCodeChallenge = grant.getClientCodeChallenge();
String clientCodeChallengeMethod = grant.getClientCodeChallengeMethod();
if (!compareCodeVerifierWithChallenge(client, clientCodeVerifier, clientCodeChallenge, clientCodeChallengeMethod)) {
throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
}
List<String> audiences = getAudiences(client, params, grant.getAudience());
return doCreateAccessToken(client, grant, getSingleGrantType(), clientCodeVerifier, audiences);
}
use of org.apache.cxf.rs.security.oauth2.common.Client in project cxf by apache.
the class AuthorizationCodeGrantService method getGrantRepresentation.
public ServerAuthorizationCodeGrant getGrantRepresentation(OAuthRedirectionState state, Client client, List<String> requestedScope, List<String> approvedScope, UserSubject userSubject, ServerAccessToken preauthorizedToken) {
AuthorizationCodeRegistration codeReg = createCodeRegistration(state, client, requestedScope, approvedScope, userSubject, preauthorizedToken);
ServerAuthorizationCodeGrant grant = ((AuthorizationCodeDataProvider) getDataProvider()).createCodeGrant(codeReg);
if (grant.getExpiresIn() > RECOMMENDED_CODE_EXPIRY_TIME_SECS) {
LOG.warning("Code expiry time exceeds 10 minutes");
}
return grant;
}
use of org.apache.cxf.rs.security.oauth2.common.Client in project cxf by apache.
the class AuthorizationCodeGrantService method createCodeRegistration.
protected AuthorizationCodeRegistration createCodeRegistration(OAuthRedirectionState state, Client client, List<String> requestedScope, List<String> approvedScope, UserSubject userSubject, ServerAccessToken preauthorizedToken) {
AuthorizationCodeRegistration codeReg = new AuthorizationCodeRegistration();
codeReg.setPreauthorizedTokenAvailable(preauthorizedToken != null);
codeReg.setClient(client);
codeReg.setRedirectUri(state.getRedirectUri());
codeReg.setRequestedScope(requestedScope);
codeReg.setResponseType(state.getResponseType());
codeReg.setApprovedScope(getApprovedScope(requestedScope, approvedScope));
codeReg.setSubject(userSubject);
codeReg.setAudience(state.getAudience());
codeReg.setNonce(state.getNonce());
codeReg.setClientCodeChallenge(state.getClientCodeChallenge());
codeReg.setClientCodeChallengeMethod(state.getClientCodeChallengeMethod());
codeReg.getExtraProperties().putAll(state.getExtraProperties());
return codeReg;
}
use of org.apache.cxf.rs.security.oauth2.common.Client in project cxf by apache.
the class DynamicRegistrationService method readClient.
protected Client readClient(String clientId) {
String accessToken = getRequestAccessToken();
Client c = clientProvider.getClient(clientId);
if (c == null) {
throw ExceptionUtils.toNotAuthorizedException(null, null);
}
checkRegistrationAccessToken(c, accessToken);
return c;
}
Aggregations