
Example 1 with AuthenticationHolderEntity

use of org.mitre.oauth2.model.AuthenticationHolderEntity in project OpenID-Connect-Java-Spring-Server by mitreid-connect.

the class MITREidDataService_1_3 method fixObjectReferences.

/**
 * Second pass of the import: every entity has already been saved under a
 * fresh repository id, so the relationships the export expressed in terms of
 * the <em>old</em> ids are now re-established against the new ones.
 * <p>
 * All lookups go through {@code maps}: the {@code *Refs} maps hold the
 * relationships as exported, the {@code *OldToNewIdMap} maps hold the id
 * translation. A reference whose target was not imported yields a
 * {@code null} new id, which is passed straight to the repository; nothing
 * here guards against that, so a dangling reference in the export surfaces as
 * a {@link NullPointerException} on the {@code set*} call rather than as a
 * clean error. The reference maps are left populated when this returns.
 * <p>
 * NOTE(review): whether a failure part-way through is rolled back depends on
 * the transaction boundary of the calling import method -- confirm.
 */
private void fixObjectReferences() {
    logger.info("Fixing object references...");
    relinkRefreshTokenClients();
    relinkRefreshTokenAuthHolders();
    relinkAccessTokenClients();
    relinkAccessTokenAuthHolders();
    relinkAccessTokenRefreshTokens();
    relinkApprovedSiteTokens();
    logger.info("Done fixing object references.");
}

/** Points each imported refresh token at its owning client; clients are referenced by client id, which survives the export unchanged. */
private void relinkRefreshTokenClients() {
    for (Long exportedId : maps.getRefreshTokenToClientRefs().keySet()) {
        String ownerClientId = maps.getRefreshTokenToClientRefs().get(exportedId);
        ClientDetailsEntity owner = clientRepository.getClientByClientId(ownerClientId);
        Long importedId = maps.getRefreshTokenOldToNewIdMap().get(exportedId);
        OAuth2RefreshTokenEntity refresh = tokenRepository.getRefreshTokenById(importedId);
        refresh.setClient(owner);
        tokenRepository.saveRefreshToken(refresh);
    }
}

/** Points each imported refresh token at its (re-numbered) authentication holder. */
private void relinkRefreshTokenAuthHolders() {
    for (Long exportedId : maps.getRefreshTokenToAuthHolderRefs().keySet()) {
        Long exportedHolderId = maps.getRefreshTokenToAuthHolderRefs().get(exportedId);
        Long importedHolderId = maps.getAuthHolderOldToNewIdMap().get(exportedHolderId);
        AuthenticationHolderEntity holder = authHolderRepository.getById(importedHolderId);
        Long importedId = maps.getRefreshTokenOldToNewIdMap().get(exportedId);
        OAuth2RefreshTokenEntity refresh = tokenRepository.getRefreshTokenById(importedId);
        refresh.setAuthenticationHolder(holder);
        tokenRepository.saveRefreshToken(refresh);
    }
}

/** Points each imported access token at its owning client (looked up by client id). */
private void relinkAccessTokenClients() {
    for (Long exportedId : maps.getAccessTokenToClientRefs().keySet()) {
        String ownerClientId = maps.getAccessTokenToClientRefs().get(exportedId);
        ClientDetailsEntity owner = clientRepository.getClientByClientId(ownerClientId);
        Long importedId = maps.getAccessTokenOldToNewIdMap().get(exportedId);
        OAuth2AccessTokenEntity access = tokenRepository.getAccessTokenById(importedId);
        access.setClient(owner);
        tokenRepository.saveAccessToken(access);
    }
}

/** Points each imported access token at its (re-numbered) authentication holder. */
private void relinkAccessTokenAuthHolders() {
    for (Long exportedId : maps.getAccessTokenToAuthHolderRefs().keySet()) {
        Long exportedHolderId = maps.getAccessTokenToAuthHolderRefs().get(exportedId);
        Long importedHolderId = maps.getAuthHolderOldToNewIdMap().get(exportedHolderId);
        AuthenticationHolderEntity holder = authHolderRepository.getById(importedHolderId);
        Long importedId = maps.getAccessTokenOldToNewIdMap().get(exportedId);
        OAuth2AccessTokenEntity access = tokenRepository.getAccessTokenById(importedId);
        access.setAuthenticationHolder(holder);
        tokenRepository.saveAccessToken(access);
    }
}

/** Points each imported access token at the (re-numbered) refresh token it was issued with. */
private void relinkAccessTokenRefreshTokens() {
    for (Long exportedId : maps.getAccessTokenToRefreshTokenRefs().keySet()) {
        Long exportedRefreshId = maps.getAccessTokenToRefreshTokenRefs().get(exportedId);
        Long importedRefreshId = maps.getRefreshTokenOldToNewIdMap().get(exportedRefreshId);
        OAuth2RefreshTokenEntity refresh = tokenRepository.getRefreshTokenById(importedRefreshId);
        Long importedId = maps.getAccessTokenOldToNewIdMap().get(exportedId);
        OAuth2AccessTokenEntity access = tokenRepository.getAccessTokenById(importedId);
        access.setRefreshToken(refresh);
        tokenRepository.saveAccessToken(access);
    }
}

/**
 * Attaches each imported approved site (grant) to the access tokens it
 * covers. Each token is saved individually, then the site itself is saved
 * once more after all its tokens have been attached.
 */
private void relinkApprovedSiteTokens() {
    for (Long exportedGrantId : maps.getGrantToAccessTokensRefs().keySet()) {
        Set<Long> exportedTokenIds = maps.getGrantToAccessTokensRefs().get(exportedGrantId);
        Long importedGrantId = maps.getGrantOldToNewIdMap().get(exportedGrantId);
        ApprovedSite grant = approvedSiteRepository.getById(importedGrantId);
        for (Long exportedTokenId : exportedTokenIds) {
            Long importedTokenId = maps.getAccessTokenOldToNewIdMap().get(exportedTokenId);
            OAuth2AccessTokenEntity access = tokenRepository.getAccessTokenById(importedTokenId);
            access.setApprovedSite(grant);
            tokenRepository.saveAccessToken(access);
        }
        approvedSiteRepository.save(grant);
    }
}

Example 2 with AuthenticationHolderEntity

use of org.mitre.oauth2.model.AuthenticationHolderEntity in project OpenID-Connect-Java-Spring-Server by mitreid-connect.

the class MITREidDataService_1_0 method fixObjectReferences.

/**
 * Second pass of the import: every entity has already been saved under a
 * fresh repository id, so the relationships the export expressed in terms of
 * the <em>old</em> ids are now re-established against the new ones.
 * <p>
 * Each {@code *Refs} map in {@code maps} holds one relationship as exported;
 * each {@code *OldToNewIdMap} holds the id translation filled in while
 * reading. A reference whose target was not imported translates to a
 * {@code null} new id, which is handed straight to the repository -- there is
 * no guard, so a dangling reference in the export ends in a
 * {@link NullPointerException} on the {@code set*} call. Of the reference
 * maps, only the access-token-to-auth-holder one is cleared afterwards.
 * <p>
 * NOTE(review): whether a failure part-way through is rolled back depends on
 * the transaction boundary of the calling import method -- confirm.
 */
private void fixObjectReferences() {
    // refresh token -> client; clients are addressed by client id, which the export keeps as-is
    for (Long exportedRefreshId : maps.getRefreshTokenToClientRefs().keySet()) {
        ClientDetailsEntity owner = clientRepository.getClientByClientId(
                maps.getRefreshTokenToClientRefs().get(exportedRefreshId));
        OAuth2RefreshTokenEntity refresh = tokenRepository.getRefreshTokenById(
                maps.getRefreshTokenOldToNewIdMap().get(exportedRefreshId));
        refresh.setClient(owner);
        tokenRepository.saveRefreshToken(refresh);
    }

    // refresh token -> authentication holder (both sides re-numbered)
    for (Long exportedRefreshId : maps.getRefreshTokenToAuthHolderRefs().keySet()) {
        Long exportedHolderId = maps.getRefreshTokenToAuthHolderRefs().get(exportedRefreshId);
        AuthenticationHolderEntity holder = authHolderRepository.getById(
                maps.getAuthHolderOldToNewIdMap().get(exportedHolderId));
        OAuth2RefreshTokenEntity refresh = tokenRepository.getRefreshTokenById(
                maps.getRefreshTokenOldToNewIdMap().get(exportedRefreshId));
        refresh.setAuthenticationHolder(holder);
        tokenRepository.saveRefreshToken(refresh);
    }

    // access token -> client
    for (Long exportedAccessId : maps.getAccessTokenToClientRefs().keySet()) {
        ClientDetailsEntity owner = clientRepository.getClientByClientId(
                maps.getAccessTokenToClientRefs().get(exportedAccessId));
        OAuth2AccessTokenEntity access = tokenRepository.getAccessTokenById(
                maps.getAccessTokenOldToNewIdMap().get(exportedAccessId));
        access.setClient(owner);
        tokenRepository.saveAccessToken(access);
    }

    // access token -> authentication holder
    for (Long exportedAccessId : maps.getAccessTokenToAuthHolderRefs().keySet()) {
        Long exportedHolderId = maps.getAccessTokenToAuthHolderRefs().get(exportedAccessId);
        AuthenticationHolderEntity holder = authHolderRepository.getById(
                maps.getAuthHolderOldToNewIdMap().get(exportedHolderId));
        OAuth2AccessTokenEntity access = tokenRepository.getAccessTokenById(
                maps.getAccessTokenOldToNewIdMap().get(exportedAccessId));
        access.setAuthenticationHolder(holder);
        tokenRepository.saveAccessToken(access);
    }
    // this is the only reference map released here; the rest stay populated
    maps.getAccessTokenToAuthHolderRefs().clear();

    // access token -> refresh token it was issued alongside
    for (Long exportedAccessId : maps.getAccessTokenToRefreshTokenRefs().keySet()) {
        Long exportedRefreshId = maps.getAccessTokenToRefreshTokenRefs().get(exportedAccessId);
        OAuth2RefreshTokenEntity refresh = tokenRepository.getRefreshTokenById(
                maps.getRefreshTokenOldToNewIdMap().get(exportedRefreshId));
        OAuth2AccessTokenEntity access = tokenRepository.getAccessTokenById(
                maps.getAccessTokenOldToNewIdMap().get(exportedAccessId));
        access.setRefreshToken(refresh);
        tokenRepository.saveAccessToken(access);
    }

    // approved site (grant) -> the access tokens it covers; each token is saved,
    // then the site once more after all of them are attached
    for (Long exportedGrantId : maps.getGrantToAccessTokensRefs().keySet()) {
        Set<Long> exportedTokenIds = maps.getGrantToAccessTokensRefs().get(exportedGrantId);
        ApprovedSite grant = approvedSiteRepository.getById(
                maps.getGrantOldToNewIdMap().get(exportedGrantId));
        for (Long exportedTokenId : exportedTokenIds) {
            OAuth2AccessTokenEntity access = tokenRepository.getAccessTokenById(
                    maps.getAccessTokenOldToNewIdMap().get(exportedTokenId));
            access.setApprovedSite(grant);
            tokenRepository.saveAccessToken(access);
        }
        approvedSiteRepository.save(grant);
    }
}

Example 3 with AuthenticationHolderEntity

use of org.mitre.oauth2.model.AuthenticationHolderEntity in project OpenID-Connect-Java-Spring-Server by mitreid-connect.

the class MITREidDataService_1_2 method readAuthenticationHolders.

/**
 * Reads the {@code authenticationHolders} array of a 1.2 export and saves one
 * {@link AuthenticationHolderEntity} per element, recording the
 * old-id-to-new-id translation in {@code maps} for the later reference-fixing
 * pass.
 * <p>
 * Each object is consumed field by field from the stream: known names are
 * mapped onto the entity, a {@code null} value or an unknown name is skipped
 * with a debug log. Field values -- including the {@code authorities}
 * strings, which become {@link SimpleGrantedAuthority} instances verbatim --
 * are taken from the file without validation, so the export is trusted input
 * to this importer. An element without an {@code id} field is saved with a
 * {@code null} key in the old-to-new map.
 *
 * @param reader positioned at the start of the authentication holders array
 * @throws IOException on a malformed stream or an underlying read failure
 */
private void readAuthenticationHolders(JsonReader reader) throws IOException {
    reader.beginArray();
    while (reader.hasNext()) {
        AuthenticationHolderEntity ahe = new AuthenticationHolderEntity();
        reader.beginObject();
        // id as it appears in the export; stays null if the element has no ID field
        Long currentId = null;
        while (reader.hasNext()) {
            switch(reader.peek()) {
                case END_OBJECT:
                    // Gson's hasNext() is already false at the closing brace, so this
                    // branch is a guard rather than the normal exit; it re-tests the loop
                    continue;
                case NAME:
                    String name = reader.nextName();
                    if (reader.peek() == JsonToken.NULL) {
                        // explicit null: leave the entity's default in place
                        reader.skipValue();
                    } else if (name.equals(ID)) {
                        currentId = reader.nextLong();
                    } else if (name.equals(REQUEST_PARAMETERS)) {
                        ahe.setRequestParameters(readMap(reader));
                    } else if (name.equals(CLIENT_ID)) {
                        ahe.setClientId(reader.nextString());
                    } else if (name.equals(SCOPE)) {
                        ahe.setScope(readSet(reader));
                    } else if (name.equals(RESOURCE_IDS)) {
                        ahe.setResourceIds(readSet(reader));
                    } else if (name.equals(AUTHORITIES)) {
                        // every exported string is accepted as an authority as-is (no allow-list here)
                        Set<String> authorityStrs = readSet(reader);
                        Set<GrantedAuthority> authorities = new HashSet<GrantedAuthority>();
                        for (String s : authorityStrs) {
                            GrantedAuthority ga = new SimpleGrantedAuthority(s);
                            authorities.add(ga);
                        }
                        ahe.setAuthorities(authorities);
                    } else if (name.equals(APPROVED)) {
                        ahe.setApproved(reader.nextBoolean());
                    } else if (name.equals(REDIRECT_URI)) {
                        ahe.setRedirectUri(reader.nextString());
                    } else if (name.equals(RESPONSE_TYPES)) {
                        ahe.setResponseTypes(readSet(reader));
                    } else if (name.equals(EXTENSIONS)) {
                        ahe.setExtensions(readMap(reader));
                    } else if (name.equals(SAVED_USER_AUTHENTICATION)) {
                        ahe.setUserAuth(readSavedUserAuthentication(reader));
                    } else {
                        // unknown field name: consume its value so the stream stays aligned
                        logger.debug("Found unexpected entry");
                        reader.skipValue();
                    }
                    break;
                default:
                    // anything other than a name inside an object is malformed; skip it
                    logger.debug("Found unexpected entry");
                    reader.skipValue();
                    continue;
            }
        }
        reader.endObject();
        // the repository assigns the new id; remember the mapping for fixObjectReferences
        Long newId = authHolderRepository.save(ahe).getId();
        maps.getAuthHolderOldToNewIdMap().put(currentId, newId);
        logger.debug("Read authentication holder {}", currentId);
    }
    reader.endArray();
    logger.info("Done reading authentication holders");
}

Example 4 with AuthenticationHolderEntity

use of org.mitre.oauth2.model.AuthenticationHolderEntity in project OpenID-Connect-Java-Spring-Server by mitreid-connect.

the class DefaultOIDCTokenService method createAssociatedToken.

/**
 * Mints an access token bound to {@code client} with the given {@code scope},
 * first revoking any registration access token the client already holds so
 * that at most one is live at a time.
 * <p>
 * The token is authenticated as the client itself -- a pre-approved
 * {@link OAuth2Request} carrying the single authority {@code ROLE_CLIENT} and
 * no user authentication -- and that authentication is persisted in a new
 * {@link AuthenticationHolderEntity}. The token value is a JWT signed with the
 * server's default key; its {@code jti} is a fresh random UUID so each issued
 * token is individually identifiable. Nothing in this method sets an
 * expiration on the entity, so the {@code exp} claim follows whatever
 * {@code getExpiration()} reports on a freshly constructed entity.
 *
 * @param client the client the token is issued to
 * @param scope  the scope set written to both the entity and the JWT request
 * @return the new, signed token; this method does not save it (the caller is
 *         presumably responsible for that)
 */
private OAuth2AccessTokenEntity createAssociatedToken(ClientDetailsEntity client, Set<String> scope) {
    // one such token per client: retire the previous one before issuing another
    OAuth2AccessTokenEntity previous = tokenService.getRegistrationAccessTokenForClient(client);
    if (previous != null) {
        tokenService.revokeAccessToken(previous);
    }

    // client-credentials style request: no parameters, no user, already approved
    Map<String, String> noParameters = Maps.newHashMap();
    Set<SimpleGrantedAuthority> clientAuthorities = Sets.newHashSet(new SimpleGrantedAuthority("ROLE_CLIENT"));
    OAuth2Request clientRequest = new OAuth2Request(noParameters, client.getClientId(), clientAuthorities, true, scope, null, null, null, null);
    OAuth2Authentication clientAuthentication = new OAuth2Authentication(clientRequest, null);

    OAuth2AccessTokenEntity token = new OAuth2AccessTokenEntity();
    token.setClient(client);
    token.setScope(scope);

    AuthenticationHolderEntity holder = new AuthenticationHolderEntity();
    holder.setAuthentication(clientAuthentication);
    token.setAuthenticationHolder(authenticationHolderRepository.save(holder));

    JWTClaimsSet.Builder claimsBuilder = new JWTClaimsSet.Builder();
    claimsBuilder.audience(Lists.newArrayList(client.getClientId()));
    claimsBuilder.issuer(configBean.getIssuer());
    claimsBuilder.issueTime(new Date());
    claimsBuilder.expirationTime(token.getExpiration());
    // random jti: makes every issued token distinct even for identical claims
    claimsBuilder.jwtID(UUID.randomUUID().toString());
    JWTClaimsSet claims = claimsBuilder.build();

    // of the positional header arguments only the algorithm and the key id (11th) are populated
    JWSAlgorithm signingAlg = jwtService.getDefaultSigningAlgorithm();
    String signerKeyId = jwtService.getDefaultSignerKeyId();
    JWSHeader header = new JWSHeader(signingAlg, null, null, null, null, null, null, null, null, null, signerKeyId, null, null);

    SignedJWT signed = new SignedJWT(header, claims);
    jwtService.signJwt(signed);
    token.setJwt(signed);
    return token;
}

Example 5 with AuthenticationHolderEntity

use of org.mitre.oauth2.model.AuthenticationHolderEntity in project OpenID-Connect-Java-Spring-Server by mitreid-connect.

the class DefaultOAuth2ProviderTokenService method refreshAccessToken.

/**
 * Exchanges a refresh token for a new access token.
 * <p>
 * Checks, in order: the value is present; a refresh token with that value
 * exists (expired ones are cleared first); the requesting client is the one
 * the refresh token was issued to -- a mismatch deletes the refresh token
 * before rejecting; the client is allowed to refresh at all; then, if the
 * client is configured for it, its existing access tokens are cleared; and
 * only then is the refresh token's own expiry tested (so an expired token
 * from such a client still triggers the clearing). The new token's scope must
 * be a subset of the refresh token's (down-scoping only); with no scope
 * requested, the refresh token's scope is inherited. Depending on the client,
 * the refresh token is reused or replaced by a new one, with the old one
 * removed.
 * <p>
 * Note that the presented {@code refreshTokenValue} is echoed into the
 * message of every {@link InvalidTokenException} thrown here, so those
 * messages carry the credential wherever they are logged or returned.
 *
 * @param refreshTokenValue the refresh token presented by the client
 * @param authRequest       the token request, supplying the client id and the optional requested scope
 * @return the saved, enhanced access token
 * @throws InvalidTokenException  if the value is empty, unknown or expired
 * @throws InvalidClientException if another client presents the token or the owner may not refresh
 * @throws InvalidScopeException  if the request asks for scope the refresh token does not carry
 */
@Override
@Transactional(value = "defaultTransactionManager")
public OAuth2AccessTokenEntity refreshAccessToken(String refreshTokenValue, TokenRequest authRequest) throws AuthenticationException {
    if (Strings.isNullOrEmpty(refreshTokenValue)) {
        throw new InvalidTokenException("Invalid refresh token: " + refreshTokenValue);
    }

    OAuth2RefreshTokenEntity refreshToken = clearExpiredRefreshToken(tokenRepository.getRefreshTokenByValue(refreshTokenValue));
    if (refreshToken == null) {
        throw new InvalidTokenException("Invalid refresh token: " + refreshTokenValue);
    }

    ClientDetailsEntity client = refreshToken.getClient();
    AuthenticationHolderEntity authHolder = refreshToken.getAuthenticationHolder();

    // ownership: only the client the refresh token was issued to may redeem it
    ClientDetailsEntity requestingClient = clientDetailsService.loadClientByClientId(authRequest.getClientId());
    if (!client.getClientId().equals(requestingClient.getClientId())) {
        tokenRepository.removeRefreshToken(refreshToken);
        throw new InvalidClientException("Client does not own the presented refresh token");
    }

    if (!client.isAllowRefresh()) {
        throw new InvalidClientException("Client does not allow refreshing access token!");
    }

    // per-client policy: drop the access tokens issued against this refresh token
    if (client.isClearAccessTokensOnRefresh()) {
        tokenRepository.clearAccessTokensForRefreshToken(refreshToken);
    }

    if (refreshToken.isExpired()) {
        tokenRepository.removeRefreshToken(refreshToken);
        throw new InvalidTokenException("Expired refresh token: " + refreshTokenValue);
    }

    OAuth2AccessTokenEntity token = new OAuth2AccessTokenEntity();
    token.setScope(resolveRefreshedScope(authHolder, authRequest));
    token.setClient(client);

    if (client.getAccessTokenValiditySeconds() != null) {
        long validityMillis = client.getAccessTokenValiditySeconds() * 1000L;
        token.setExpiration(new Date(System.currentTimeMillis() + validityMillis));
    }

    if (client.isReuseRefreshToken()) {
        token.setRefreshToken(refreshToken);
    } else {
        // rotate: issue a fresh refresh token and retire the presented one
        OAuth2RefreshTokenEntity rotated = createRefreshToken(client, authHolder);
        token.setRefreshToken(rotated);
        tokenRepository.removeRefreshToken(refreshToken);
    }

    token.setAuthenticationHolder(authHolder);
    tokenEnhancer.enhance(token, authHolder.getAuthentication());
    tokenRepository.saveAccessToken(token);
    return token;
}

/**
 * Works out the scope of an access token minted from a refresh. Reserved
 * system scopes are stripped from both the stored and the requested set
 * before comparing. A non-empty request must be a subset of what the refresh
 * token's original authorization carried; an empty request inherits that
 * scope (which {@code toStrings} may render as a {@code null} set).
 *
 * @param authHolder  the refresh token's authentication holder, whose original request holds the granted scope
 * @param authRequest the current token request; its scope may be {@code null}
 * @return the scope strings to place on the new access token
 * @throws InvalidScopeException if the request asks for scope outside the refresh token's
 */
private Set<String> resolveRefreshedScope(AuthenticationHolderEntity authHolder, TokenRequest authRequest) {
    Set<String> grantedStrings = new HashSet<>(authHolder.getAuthentication().getOAuth2Request().getScope());
    Set<SystemScope> granted = scopeService.removeReservedScopes(scopeService.fromStrings(grantedStrings));

    Set<String> requestedStrings = authRequest.getScope() == null ? new HashSet<String>() : new HashSet<>(authRequest.getScope());
    Set<SystemScope> requested = scopeService.removeReservedScopes(scopeService.fromStrings(requestedStrings));

    if (requested == null || requested.isEmpty()) {
        return scopeService.toStrings(granted);
    }
    if (granted == null || !granted.containsAll(requested)) {
        String errorMsg = "Up-scoping is not allowed.";
        logger.error(errorMsg);
        throw new InvalidScopeException(errorMsg);
    }
    return scopeService.toStrings(requested);
}
