
Example 11 with ServerAccessToken

use of org.apache.cxf.rs.security.oauth2.common.ServerAccessToken in project cxf by apache.

the class AbstractOAuthDataProviderTest method testAddGetDeleteAccessToken2.

@Test
public void testAddGetDeleteAccessToken2() {
    // Register a client and issue it one token whose subject is the client's own resource owner.
    Client client = addClient("102", "bob");
    AccessTokenRegistration registration = new AccessTokenRegistration();
    registration.setClient(client);
    registration.setApprovedScope(Collections.singletonList("a"));
    registration.setSubject(client.getResourceOwnerSubject());
    getProvider().createAccessToken(registration);

    // Looking the tokens up by client (null subject) must return exactly the one just issued.
    List<ServerAccessToken> issued = getProvider().getAccessTokens(client, null);
    assertNotNull(issued);
    assertEquals(1, issued.size());
    validateAccessToken(issued.get(0));

    // Removing the client must take its tokens with it: the same lookup now yields an empty list.
    getProvider().removeClient(client.getClientId());
    List<ServerAccessToken> afterRemoval = getProvider().getAccessTokens(client, null);
    assertNotNull(afterRemoval);
    assertEquals(0, afterRemoval.size());
}

Example 12 with ServerAccessToken

use of org.apache.cxf.rs.security.oauth2.common.ServerAccessToken in project cxf by apache.

the class AbstractOAuthDataProviderTest method testAddGetDeleteAccessTokenWithNullSubject.

@Test
public void testAddGetDeleteAccessTokenWithNullSubject() {
    // Register a client and issue it one token that carries no subject at all.
    Client client = addClient("102", "bob");
    AccessTokenRegistration registration = new AccessTokenRegistration();
    registration.setClient(client);
    registration.setApprovedScope(Collections.singletonList("a"));
    registration.setSubject(null);
    getProvider().createAccessToken(registration);

    // A subject-less token must still be found when looking up by client with a null subject.
    List<ServerAccessToken> issued = getProvider().getAccessTokens(client, null);
    assertNotNull(issued);
    assertEquals(1, issued.size());
    validateAccessToken(issued.get(0));

    // Client removal must also revoke subject-less tokens: the lookup now yields an empty list.
    getProvider().removeClient(client.getClientId());
    List<ServerAccessToken> afterRemoval = getProvider().getAccessTokens(client, null);
    assertNotNull(afterRemoval);
    assertEquals(0, afterRemoval.size());
}

Example 13 with ServerAccessToken

use of org.apache.cxf.rs.security.oauth2.common.ServerAccessToken in project cxf by apache.

the class RedirectionBasedGrantService method startAuthorization.

/**
 * Runs the first leg of a redirection-based grant. The request is validated check by check and
 * the first failure is turned into an OAuth error response directed at {@code redirectUri}; only
 * a request that passes every check reaches the grant decision.
 *
 * <p>Grant decision: if a pre-authorized token already covers every requested scope, or
 * {@link #canAuthorizationBeSkipped} says consent is not required, the grant is created
 * immediately; otherwise an {@link OAuthAuthorizationData} challenge is returned for the
 * consent step.
 *
 * @param params      the raw authorization request parameters
 * @param userSubject the resource owner the authorization is being requested for
 * @param client      the registered client the request resolved to
 * @param redirectUri the URI error responses are directed to; assumed to have been matched
 *                    against the client's registered redirect URIs before this call — confirm in the caller
 * @return a grant response, the consent challenge, or an OAuth error response
 */
protected Response startAuthorization(MultivaluedMap<String, String> params, UserSubject userSubject, Client client, String redirectUri) {
    // Enforce the client confidentiality requirements: the grant type must be allowed for this
    // client, taking into account whether public (non-confidential) clients may use it here.
    if (!OAuthUtils.isGrantSupportedForClient(client, canSupportPublicClient(client), supportedGrantType)) {
        LOG.fine("The grant type is not supported");
        return createErrorResponse(params, redirectUri, OAuthConstants.UNAUTHORIZED_CLIENT);
    }
    // Check response_type: it must be present and one of the supported response types
    String responseType = params.getFirst(OAuthConstants.RESPONSE_TYPE);
    if (responseType == null || !getSupportedResponseTypes().contains(responseType)) {
        LOG.fine("The response type is null or not supported");
        return createErrorResponse(params, redirectUri, OAuthConstants.UNSUPPORTED_RESPONSE_TYPE);
    }
    // Get the requested scopes and resolve them to permissions; any failure raised as an
    // OAuthServiceException is reported to the client as INVALID_SCOPE
    String providedScope = params.getFirst(OAuthConstants.SCOPE);
    final List<String> requestedScope;
    final List<OAuthPermission> requestedPermissions;
    try {
        requestedScope = OAuthUtils.getRequestedScopes(client, providedScope, useAllClientScopes, partialMatchScopeValidation);
        requestedPermissions = getDataProvider().convertScopeToPermissions(client, requestedScope);
    } catch (OAuthServiceException ex) {
        LOG.log(Level.FINE, "Error processing scopes", ex);
        return createErrorResponse(params, redirectUri, OAuthConstants.INVALID_SCOPE);
    }
    // Validate the audience: client_audience is checked against the list of Client audiences
    // set at the Client registration time.
    String clientAudience = params.getFirst(OAuthConstants.CLIENT_AUDIENCE);
    if (!OAuthUtils.validateAudience(clientAudience, client.getRegisteredAudiences())) {
        LOG.fine("Error validating audience parameter");
        return createErrorResponse(params, redirectUri, OAuthConstants.INVALID_REQUEST);
    }
    // Request a new grant only if no pre-authorized token is available; reuse is only
    // considered when the response type allows a token to be returned directly
    ServerAccessToken preAuthorizedToken = null;
    if (canAccessTokenBeReturned(responseType)) {
        preAuthorizedToken = getDataProvider().getPreauthorizedToken(client, requestedScope, userSubject, supportedGrantType);
    }
    // Consent can be skipped outright only if the pre-authorized token's scopes cover every
    // requested scope
    List<OAuthPermission> alreadyAuthorizedPerms = null;
    boolean preAuthorizationComplete = false;
    if (preAuthorizedToken != null) {
        alreadyAuthorizedPerms = preAuthorizedToken.getScopes();
        preAuthorizationComplete = OAuthUtils.convertPermissionsToScopeList(alreadyAuthorizedPerms).containsAll(requestedScope);
    }
    Response finalResponse;
    try {
        final boolean authorizationCanBeSkipped = preAuthorizationComplete || canAuthorizationBeSkipped(params, client, userSubject, requestedScope, requestedPermissions);
        // Populate the authorization challenge data
        OAuthAuthorizationData data = createAuthorizationData(client, params, redirectUri, userSubject, requestedPermissions, alreadyAuthorizedPerms, authorizationCanBeSkipped);
        if (authorizationCanBeSkipped) {
            // Issue the grant immediately. Stash the original request parameters in the message
            // context; the approved scopes come from the pre-authorized token when it covers the
            // request, otherwise from the freshly resolved permissions.
            getMessageContext().put(AUTHORIZATION_REQUEST_PARAMETERS, params);
            List<OAuthPermission> approvedScopes = preAuthorizationComplete ? preAuthorizedToken.getScopes() : requestedPermissions;
            finalResponse = createGrant(data, client, requestedScope, OAuthUtils.convertPermissionsToScopeList(approvedScopes), userSubject, preAuthorizedToken);
        } else {
            // Consent is required: return the challenge data. When a pre-authorized token exists
            // its key is attached — NOTE(review): presumably so the consent step can reference the
            // existing token instead of issuing a fresh one; confirm in the consent handler.
            if (preAuthorizedToken != null) {
                data.setPreauthorizedTokenKey(preAuthorizedToken.getTokenKey());
            }
            finalResponse = Response.ok(data).build();
        }
    } catch (OAuthServiceException ex) {
        // NOTE(review): ex.getError() is dereferenced without a null check; an
        // OAuthServiceException carrying only a message would NPE here — confirm its constructors.
        finalResponse = createErrorResponse(params, redirectUri, ex.getError().getError());
    }
    return finalResponse;
}

Example 14 with ServerAccessToken

use of org.apache.cxf.rs.security.oauth2.common.ServerAccessToken in project cxf by apache.

the class TokenIntrospectionService method getTokenIntrospection.

/**
 * Token introspection endpoint: reports whether the presented token is active and, if so,
 * the token's client, scope, subject, audience, issuer, timing and type details.
 *
 * <p>{@code checkSecurityContext()} runs before any token lookup. Unknown tokens, expired
 * tokens and (when JWT encoding is not persisted) values that do not parse as a JWT are all
 * reported the same way, as {@code active=false}, so a caller cannot distinguish between them.
 *
 * @param params the form parameters of the introspection request; the token is read from
 *               {@code OAuthConstants.TOKEN_ID}
 * @return the introspection result, inactive whenever the token cannot be resolved
 */
@POST
@Produces({ MediaType.APPLICATION_JSON })
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
public TokenIntrospection getTokenIntrospection(@Encoded MultivaluedMap<String, String> params) {
    checkSecurityContext();
    String tokenId = params.getFirst(OAuthConstants.TOKEN_ID);
    if (!persistJwtEncoding) {
        // The presented value is a JWT; the identifier stored by the provider is its token-id claim.
        try {
            JoseJwtConsumer consumer;
            if (jwtTokenConsumer == null) {
                consumer = new JoseJwtConsumer();
            } else {
                consumer = jwtTokenConsumer;
            }
            JwtToken jwt = consumer.getJwtToken(tokenId);
            tokenId = jwt.getClaims().getTokenId();
        } catch (JwtException ex) {
            return new TokenIntrospection(false);
        }
    }
    ServerAccessToken accessToken = dataProvider.getAccessToken(tokenId);
    boolean unknownOrExpired = accessToken == null
        || OAuthUtils.isExpired(accessToken.getIssuedAt(), accessToken.getExpiresIn());
    if (unknownOrExpired) {
        return new TokenIntrospection(false);
    }

    TokenIntrospection introspection = new TokenIntrospection(true);
    introspection.setClientId(accessToken.getClient().getClientId());
    if (!accessToken.getScopes().isEmpty()) {
        introspection.setScope(OAuthUtils.convertPermissionsToScope(accessToken.getScopes()));
    }
    UserSubject subject = accessToken.getSubject();
    if (subject != null) {
        introspection.setUsername(subject.getLogin());
        if (subject.getId() != null) {
            introspection.setSub(subject.getId());
        }
    }
    if (!StringUtils.isEmpty(accessToken.getAudiences())) {
        introspection.setAud(accessToken.getAudiences());
    }
    if (accessToken.getIssuer() != null) {
        introspection.setIss(accessToken.getIssuer());
    }
    introspection.setIat(accessToken.getIssuedAt());
    // Only tokens with a positive lifetime get an exp; likewise nbf only when one was set.
    if (accessToken.getExpiresIn() > 0) {
        introspection.setExp(accessToken.getIssuedAt() + accessToken.getExpiresIn());
    }
    if (accessToken.getNotBefore() > 0) {
        introspection.setNbf(accessToken.getNotBefore());
    }
    introspection.setTokenType(accessToken.getTokenType());
    if (reportExtraTokenProperties) {
        // Opt-in: the token's extra properties are exposed verbatim to the introspecting caller.
        introspection.getExtensions().putAll(accessToken.getExtraProperties());
    }
    return introspection;
}

Example 15 with ServerAccessToken

use of org.apache.cxf.rs.security.oauth2.common.ServerAccessToken in project cxf by apache.

the class ModelEncryptionSupport method tokenizeServerToken.

/**
 * Flattens a {@link ServerAccessToken} into the SEP-delimited string that the model encryption
 * support works on. The numbered positions in the comments are part of the format and must stay
 * in step with the matching recover routine; position 9 (permissions) is itself '.'-delimited
 * and holds a single blank when the token has no scopes.
 *
 * <p>String fields go through {@code tokenizeString}, but the audience, parameter, permission
 * and extra-property collections are emitted via their raw {@code toString()} —
 * NOTE(review): confirm the recover side tolerates SEP or '.' characters inside those values.
 * Every getter is dereferenced without a null check, so a token with a null client, audiences,
 * parameters, scopes or extra-properties collection fails here.
 *
 * @param token the server-side token to serialize
 * @return the delimited representation
 */
private static String tokenizeServerToken(ServerAccessToken token) {
    StringBuilder state = new StringBuilder();
    // 0: key, 1: type
    state.append(tokenizeString(token.getTokenKey()))
         .append(SEP).append(tokenizeString(token.getTokenType()))
         // 2: expiresIn, 3: issuedAt
         .append(SEP).append(token.getExpiresIn())
         .append(SEP).append(token.getIssuedAt())
         // 4: client id
         .append(SEP).append(tokenizeString(token.getClient().getClientId()))
         // 5: refresh token, 6: grant type
         .append(SEP).append(tokenizeString(token.getRefreshToken()))
         .append(SEP).append(tokenizeString(token.getGrantType()))
         // 7: audience
         .append(SEP).append(token.getAudiences().toString())
         // 8: other parameters, rendered as {key=value, key=value}
         .append(SEP).append(token.getParameters().toString())
         // 9: permissions
         .append(SEP);
    if (token.getScopes().isEmpty()) {
        state.append(' ');
    } else {
        // Permissions are concatenated back to back; each one is five '.'-separated fields.
        for (OAuthPermission perm : token.getScopes()) {
            state.append(tokenizeString(perm.getPermission())).append('.')   // 9.1
                 .append(tokenizeString(perm.getDescription())).append('.')  // 9.2
                 .append(perm.isDefaultPermission()).append('.')             // 9.3
                 .append(perm.getHttpVerbs().toString()).append('.')         // 9.4
                 .append(perm.getUris().toString());                          // 9.5
        }
    }
    // 10: code verifier
    state.append(SEP).append(tokenizeString(token.getClientCodeVerifier()));
    // 11: user subject — the helper appends its own fields. The original numbering jumps from
    // 11 to 13 here; presumably the subject occupies two positions — confirm against the recover routine.
    state.append(SEP);
    tokenizeUserSubject(state, token.getSubject());
    // 13: extra properties, rendered as {key=value, key=value}
    state.append(SEP).append(token.getExtraProperties().toString());
    return state.toString();
}
