
Example 1 with OrcidInvalidScopeException

use of org.orcid.core.exception.OrcidInvalidScopeException in project ORCID-Source by ORCID.

the class InternalClientCredentialEndPointDelegatorImpl method obtainOauth2Token.

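/**
 * Token endpoint for the internal client-credentials delegator.
 *
 * Only the client_credentials grant is accepted, the client must already be authenticated,
 * and the request must name at least one internal scope. The issued token carries only the
 * internal scopes that survived the filter: a non-internal scope sent alongside an internal
 * one must not be issued through this endpoint, which is what passing the raw request set would do.
 *
 * @param authorization the Authorization header value (unused by this grant; kept for the shared signature)
 * @param formParams    the posted token-request form (client_id, scope, grant_type)
 * @return the token response
 * @throws UnsupportedGrantTypeException     if grant_type is not client_credentials
 * @throws InsufficientAuthenticationException if the client is not authenticated
 * @throws OrcidInvalidScopeException       if no internal scope was requested or a scope name is unknown
 */
@Override
@Transactional
public Response obtainOauth2Token(String authorization, MultivaluedMap<String, String> formParams) {
    String clientId = formParams.getFirst("client_id");
    String scopeList = formParams.getFirst("scope");
    String grantType = formParams.getFirst("grant_type");
    // This delegator serves client_credentials only; reject anything else before touching the client.
    if (!OrcidOauth2Constants.GRANT_TYPE_CLIENT_CREDENTIALS.equals(grantType)) {
        Object[] params = { grantType };
        throw new UnsupportedGrantTypeException(localeManager.resolveMessage("apiError.unsupported_client_type.exception", params));
    }
    Authentication client = getClientAuthentication();
    if (!client.isAuthenticated()) {
        LOGGER.info("Not authenticated for OAuth2: clientId={}, grantType={}, scope={}", new Object[] { clientId, grantType, scopeList });
        throw new InsufficientAuthenticationException(localeManager.resolveMessage("apiError.client_not_authenticated.exception"));
    }
    Set<String> requestedScopes = new HashSet<String>();
    if (StringUtils.isNotEmpty(scopeList)) {
        requestedScopes = OAuth2Utils.parseParameterList(scopeList);
    }
    // Keep only the internal scopes. ScopePathType.fromValue rejects an unknown scope name with
    // IllegalArgumentException (the public delegator catches it the same way); translate that into
    // the invalid_scope error rather than letting it surface as an unexpected server error.
    Set<String> internalScopes = new HashSet<String>();
    try {
        for (String scope : requestedScopes) {
            ScopePathType scopeType = ScopePathType.fromValue(scope);
            if (scopeType.isInternalScope()) {
                internalScopes.add(scope);
            }
        }
    } catch (IllegalArgumentException iae) {
        String message = localeManager.resolveMessage("apiError.9015.developerMessage", new Object[] {});
        throw new OrcidInvalidScopeException(message);
    }
    if (internalScopes.isEmpty()) {
        String message = localeManager.resolveMessage("apiError.9015.developerMessage", new Object[] {});
        throw new OrcidInvalidScopeException(message);
    }
    // Issue the filtered set, not the raw request set, so nothing outside the internal scopes
    // can ride along on an internal client-credentials token.
    OAuth2AccessToken token = generateToken(client, internalScopes, null, null, grantType, null, null, null, false, 0L);
    return getResponse(token);
}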

Example 2 with OrcidInvalidScopeException

use of org.orcid.core.exception.OrcidInvalidScopeException in project ORCID-Source by ORCID.

the class OrcidClientCredentialEndPointDelegatorImpl method obtainOauth2Token.

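/**
 * Token endpoint for the public client-credentials delegator (authorization_code,
 * refresh_token and client_credentials grants).
 *
 * Internal scopes are never allowed here. For client_credentials only client-credential
 * scopes are kept; for every other grant client-credential scopes are dropped. Legacy
 * "orcid-grants" scopes are rewritten to their "funding" equivalents before filtering.
 *
 * The authorization code and refresh token are bearer credentials, so their values are
 * never written to the log; only their presence is recorded.
 *
 * @param authorization the Authorization header; for refresh_token requests it may carry
 *                      the bearer token that authorizes the refresh
 * @param formParams    the posted token-request form
 * @return the token response
 * @throws InsufficientAuthenticationException if the client is not authenticated
 * @throws OrcidInvalidScopeException       if an internal or unknown scope was requested
 * @throws IllegalArgumentException         if a refresh_token request carries an empty Bearer header
 */
@Transactional
public Response obtainOauth2Token(String authorization, MultivaluedMap<String, String> formParams) {
    String code = formParams.getFirst("code");
    String clientId = formParams.getFirst(OrcidOauth2Constants.CLIENT_ID_PARAM);
    String state = formParams.getFirst(OrcidOauth2Constants.STATE_PARAM);
    String redirectUri = formParams.getFirst(OrcidOauth2Constants.REDIRECT_URI_PARAM);
    String refreshToken = formParams.getFirst(OrcidOauth2Constants.REFRESH_TOKEN);
    String scopeList = formParams.getFirst(OrcidOauth2Constants.SCOPE_PARAM);
    String grantType = formParams.getFirst(OrcidOauth2Constants.GRANT_TYPE);
    // revoke_old defaults to true when the client does not send it.
    Boolean revokeOld = formParams.containsKey(OrcidOauth2Constants.REVOKE_OLD) ? Boolean.valueOf(formParams.getFirst(OrcidOauth2Constants.REVOKE_OLD)) : true;
    Long expiresIn = calculateExpiresIn(formParams);
    Set<String> scopes = new HashSet<String>();
    if (StringUtils.isNotEmpty(scopeList)) {
        scopes = OAuth2Utils.parseParameterList(scopeList);
    }
    // Only a refresh_token request reads the bearer token out of the Authorization header.
    String bearerToken = null;
    if (OrcidOauth2Constants.REFRESH_TOKEN.equals(grantType)) {
        bearerToken = extractBearerToken(authorization);
    }
    LOGGER.info("OAuth2 authorization requested: clientId={}, grantType={}, refreshToken={}, code={}, scopes={}, state={}, redirectUri={}",
            new Object[] { clientId, grantType, describeCredential(refreshToken), describeCredential(code), scopes, state, redirectUri });
    Authentication client = getClientAuthentication();
    if (!client.isAuthenticated()) {
        LOGGER.info("Not authenticated for OAuth2: clientId={}, grantType={}, refreshToken={}, code={}, scopes={}, state={}, redirectUri={}",
                new Object[] { clientId, grantType, describeCredential(refreshToken), describeCredential(code), scopes, state, redirectUri });
        throw new InsufficientAuthenticationException(localeManager.resolveMessage("apiError.client_not_authenticated.exception"));
    }
    // Patch: rewrite any legacy orcid-grants scope to the funding scope. The renames are collected
    // first and applied after the loop; removing from and adding to the set while iterating it
    // throws ConcurrentModificationException (or silently skips the element just added).
    Set<String> legacyGrantScopes = new HashSet<String>();
    Set<String> fundingScopes = new HashSet<String>();
    for (String scope : scopes) {
        if (scope.contains("orcid-grants")) {
            String newScope = scope.replace("orcid-grants", "funding");
            LOGGER.info("Client {} provided a grants scope {} which will be updated to {}", new Object[] { clientId, scope, newScope });
            legacyGrantScopes.add(scope);
            fundingScopes.add(newScope);
        }
    }
    scopes.removeAll(legacyGrantScopes);
    scopes.addAll(fundingScopes);
    // Reject internal scopes outright; otherwise keep only the scopes valid for this grant type.
    // ScopePathType.fromValue throws IllegalArgumentException for an unknown scope name, which is
    // reported to the client as invalid_scope rather than as a server error.
    try {
        List<String> toRemove = new ArrayList<String>();
        boolean clientCredentialsGrant = OrcidOauth2Constants.GRANT_TYPE_CLIENT_CREDENTIALS.equals(grantType);
        for (String scope : scopes) {
            ScopePathType scopeType = ScopePathType.fromValue(scope);
            if (scopeType.isInternalScope()) {
                // Internal scopes must never be issued from this endpoint.
                String message = localeManager.resolveMessage("apiError.9015.developerMessage", new Object[] {});
                throw new OrcidInvalidScopeException(message);
            }
            if (scopeType.isClientCreditalScope() != clientCredentialsGrant) {
                toRemove.add(scope);
            }
        }
        scopes.removeAll(toRemove);
    } catch (IllegalArgumentException iae) {
        String message = localeManager.resolveMessage("apiError.9015.developerMessage", new Object[] {});
        throw new OrcidInvalidScopeException(message);
    }
    OAuth2AccessToken token = generateToken(client, scopes, code, redirectUri, grantType, refreshToken, state, bearerToken, revokeOld, expiresIn);
    return getResponse(token);
}

/**
 * Pulls the bearer token out of an Authorization header for a refresh_token request.
 *
 * Returns null when the header is absent or does not use the Bearer scheme. When the
 * scheme is Bearer, anything after the first comma is discarded, and an empty value is an error.
 *
 * @throws IllegalArgumentException if the header uses the Bearer scheme but carries no token
 */
private static String extractBearerToken(String authorization) {
    if (PojoUtil.isEmpty(authorization)) {
        return null;
    }
    if (!authorization.toLowerCase().startsWith(OAuth2AccessToken.BEARER_TYPE.toLowerCase())) {
        return null;
    }
    String headerValue = authorization.substring(OAuth2AccessToken.BEARER_TYPE.length()).trim();
    int commaIndex = headerValue.indexOf(',');
    if (commaIndex > 0) {
        headerValue = headerValue.substring(0, commaIndex);
    }
    if (PojoUtil.isEmpty(headerValue)) {
        throw new IllegalArgumentException("Refresh token request doesnt include the authorization");
    }
    return headerValue;
}

/**
 * Log-safe stand-in for a credential value: records whether it was supplied without
 * exposing the value itself.
 */
private static String describeCredential(String credential) {
    return PojoUtil.isEmpty(credential) ? "[absent]" : "[present]";
}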

Example 3 with OrcidInvalidScopeException

use of org.orcid.core.exception.OrcidInvalidScopeException in project ORCID-Source by ORCID.

the class OAuthErrorUtilsTest method testGetOAuthErrorForOrcidInvalidScopeException.

/**
 * An OrcidInvalidScopeException must be rendered as the OAuth2 invalid_scope error,
 * with HTTP 400 and the exception message passed through as the error description.
 */
@Test
public void testGetOAuthErrorForOrcidInvalidScopeException() {
    String description = "message here";
    OrcidInvalidScopeException invalidScope = new OrcidInvalidScopeException(description);
    OAuthError error = OAuthErrorUtils.getOAuthError(invalidScope);
    assertEquals(OAuthError.INVALID_SCOPE, error.getError());
    assertEquals(Status.BAD_REQUEST, error.getResponseStatus());
    assertEquals(description, error.getErrorDescription());
}
