Use of org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState in the project cxf by apache: class AuthorizationCodeGrantService, method createCodeRegistration.
/**
 * Builds the {@link AuthorizationCodeRegistration} that is handed to the data provider
 * when a new authorization code is issued.
 *
 * @param state the saved redirection state of the original authorization request
 * @param client the registered client the code is issued to
 * @param requestedScope the scopes the client asked for
 * @param approvedScope the scopes the end user approved
 * @param userSubject the authenticated end user
 * @param preauthorizedToken a pre-authorized token if one exists, otherwise {@code null}
 * @return the populated registration
 */
protected AuthorizationCodeRegistration createCodeRegistration(OAuthRedirectionState state, Client client, List<String> requestedScope, List<String> approvedScope, UserSubject userSubject, ServerAccessToken preauthorizedToken) {
    final AuthorizationCodeRegistration registration = new AuthorizationCodeRegistration();
    // Who the code is for: client, end user, and whether a pre-authorized token was present
    registration.setClient(client);
    registration.setSubject(userSubject);
    registration.setPreauthorizedTokenAvailable(preauthorizedToken != null);
    // Scope: the request as received, and the approved set reconciled against it
    registration.setRequestedScope(requestedScope);
    registration.setApprovedScope(getApprovedScope(requestedScope, approvedScope));
    // Values carried over verbatim from the saved redirection state
    registration.setRedirectUri(state.getRedirectUri());
    registration.setResponseType(state.getResponseType());
    registration.setAudience(state.getAudience());
    registration.setNonce(state.getNonce());
    registration.setClientCodeChallenge(state.getClientCodeChallenge());
    registration.getExtraProperties().putAll(state.getExtraProperties());
    return registration;
}
Use of org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState in the project cxf by apache: class AuthorizationCodeGrantService, method getGrantRepresentation.
/**
 * Creates the server-side authorization code grant for an approved authorization request.
 *
 * @param state the saved redirection state of the original authorization request
 * @param client the registered client the code is issued to
 * @param requestedScope the scopes the client asked for
 * @param approvedScope the scopes the end user approved
 * @param userSubject the authenticated end user
 * @param preauthorizedToken a pre-authorized token if one exists, otherwise {@code null}
 * @return the grant produced by the {@link AuthorizationCodeDataProvider}
 */
public ServerAuthorizationCodeGrant getGrantRepresentation(OAuthRedirectionState state, Client client, List<String> requestedScope, List<String> approvedScope, UserSubject userSubject, ServerAccessToken preauthorizedToken) {
    final AuthorizationCodeRegistration registration =
        createCodeRegistration(state, client, requestedScope, approvedScope, userSubject, preauthorizedToken);
    final AuthorizationCodeDataProvider provider = (AuthorizationCodeDataProvider) getDataProvider();
    final ServerAuthorizationCodeGrant grant = provider.createCodeGrant(registration);
    // A long-lived code widens the window in which a leaked code can be redeemed,
    // so anything above the recommended lifetime is logged (but still returned).
    final boolean expiryTooLong = grant.getExpiresIn() > RECOMMENDED_CODE_EXPIRY_TIME_SECS;
    if (expiryTooLong) {
        LOG.warning("Code expiry time exceeds 10 minutes");
    }
    return grant;
}
Use of org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState in the project cxf by apache: class RedirectionBasedGrantService, method completeAuthorization.
/**
 * Completes the authorization process once the end user has submitted a decision.
 *
 * The order of the checks matters: the caller must be authenticated, the submitted
 * session authenticity token must match the one bound to the user's session, the
 * redirect URI must be validated against the client registration, and the approved
 * scopes must be a subset of the requested and registered scopes, before any grant
 * is created or any pre-authorized token is revoked.
 *
 * @param params the decision-form parameters submitted by the end user
 * @return a redirect carrying the new grant, or an error response
 * @throws javax.ws.rs.BadRequestException if the session authenticity token is missing or does not match
 */
protected Response completeAuthorization(MultivaluedMap<String, String> params) {
    // Make sure the end user has authenticated, check if HTTPS is used
    SecurityContext securityContext = getAndValidateSecurityContext(params);
    UserSubject userSubject = createUserSubject(securityContext, params);
    // Make sure the session is valid: the authenticity token submitted with the decision form
    // must match the one stored for this user's session (anti-forgery check for the consent step).
    // NOTE(review): the parameter *name* holding the token is itself taken from the request and
    // only falls back to the default when absent; the protection therefore relies entirely on
    // compareRequestAndSessionTokens binding the submitted value to the session -- confirm.
    String sessionTokenParamName = params.getFirst(OAuthConstants.SESSION_AUTHENTICITY_TOKEN_PARAM_NAME);
    if (sessionTokenParamName == null) {
        sessionTokenParamName = OAuthConstants.SESSION_AUTHENTICITY_TOKEN;
    }
    String sessionToken = params.getFirst(sessionTokenParamName);
    if (sessionToken == null || !compareRequestAndSessionTokens(sessionToken, params, userSubject)) {
        throw ExceptionUtils.toBadRequestException(null, null);
    }
    // Prefer the redirection state saved in the session; fall back to rebuilding it from the
    // submitted parameters only when no session-bound state exists.
    OAuthRedirectionState state = recreateRedirectionStateFromSession(userSubject, sessionToken);
    if (state == null) {
        state = recreateRedirectionStateFromParams(params);
    }
    // Resolve the client and validate the redirect URI against that client's registration
    // before it is used for either the error or the success redirect.
    Client client = getClient(state.getClientId(), params);
    String redirectUri = validateRedirectUri(client, state.getRedirectUri());
    // Get the end user decision value
    String decision = params.getFirst(OAuthConstants.AUTHORIZATION_DECISION_KEY);
    boolean allow = OAuthConstants.AUTHORIZATION_DECISION_ALLOW.equals(decision);
    // Return the error if denied
    if (!allow) {
        return createErrorResponse(params, redirectUri, OAuthConstants.ACCESS_DENIED);
    }
    // Check if the end user may have had a chance to down-scope the requested scopes:
    // a scope is approved only if the form carried "<scope>_status" set to the allow value,
    // so approvedScope is built strictly from requestedScope and can never add to it.
    List<String> requestedScope = OAuthUtils.parseScope(state.getProposedScope());
    List<String> approvedScope = new LinkedList<String>();
    for (String rScope : requestedScope) {
        String param = params.getFirst(rScope + "_status");
        if (param != null && OAuthConstants.AUTHORIZATION_DECISION_ALLOW.equals(param)) {
            approvedScope.add(rScope);
        }
    }
    // Reject the request if the approved set is not a subset of the requested set, or if the
    // requested scopes are not valid against the client's registered scopes
    // (partialMatchScopeValidation controls whether prefix matches are accepted).
    if (!requestedScope.containsAll(approvedScope) || !OAuthUtils.validateScopes(requestedScope, client.getRegisteredScopes(), partialMatchScopeValidation)) {
        return createErrorResponse(params, redirectUri, OAuthConstants.INVALID_SCOPE);
    }
    // Expose the raw parameters to the rest of the grant pipeline via the message context
    getMessageContext().put(AUTHORIZATION_REQUEST_PARAMETERS, params);
    // Optionally revoke a previously issued access token now that the user has re-approved
    String preAuthorizedTokenKey = params.getFirst(PREAUTHORIZED_TOKEN_KEY);
    if (preAuthorizedTokenKey != null && isRevokePreauthorizedTokenOnApproval()) {
        getDataProvider().revokeToken(client, preAuthorizedTokenKey, OAuthConstants.ACCESS_TOKEN);
    }
    // Request a new grant
    return createGrant(state, client, requestedScope, approvedScope, userSubject, null);
}
Use of org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState in the project cxf by apache: class OidcAuthorizationCodeService, method recreateRedirectionStateFromParams.
/**
 * Rebuilds the redirection state from the request parameters as the parent does,
 * then records the OIDC claims property on the recreated state.
 *
 * @param params the submitted request parameters
 * @return the recreated state with the claims property set
 */
@Override
protected OAuthRedirectionState recreateRedirectionStateFromParams(MultivaluedMap<String, String> params) {
    final OAuthRedirectionState recreated = super.recreateRedirectionStateFromParams(params);
    // OIDC-specific addition on top of the OAuth2 base behaviour
    OidcUtils.setStateClaimsProperty(recreated, params);
    return recreated;
}
Use of org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState in the project cxf by apache: class OidcHybridService, method prepareRedirectResponse.
/**
 * Builds the redirect response for the hybrid flow: the parent's response is produced
 * first, and if a hybrid authorization code was prepared its value is appended as the
 * {@code code} parameter.
 *
 * @param state the saved redirection state of the original authorization request
 * @param client the registered client
 * @param requestedScope the scopes the client asked for
 * @param approvedScope the scopes the end user approved
 * @param userSubject the authenticated end user
 * @param preAuthorizedToken a pre-authorized token if one exists, otherwise {@code null}
 * @return the redirect response, with the code appended when one was issued
 */
@Override
protected StringBuilder prepareRedirectResponse(OAuthRedirectionState state, Client client, List<String> requestedScope, List<String> approvedScope, UserSubject userSubject, ServerAccessToken preAuthorizedToken) {
    // The code is prepared before the parent builds the rest of the response
    final ServerAuthorizationCodeGrant hybridCode =
        prepareHybrideCode(state, client, requestedScope, approvedScope, userSubject, preAuthorizedToken);
    final StringBuilder redirect =
        super.prepareRedirectResponse(state, client, requestedScope, approvedScope, userSubject, preAuthorizedToken);
    if (hybridCode == null) {
        return redirect;
    }
    return redirect.append("&")
        .append(OAuthConstants.AUTHORIZATION_CODE_VALUE)
        .append("=")
        .append(hybridCode.getCode());
}