Search in sources :

Example 6 with RedirectMismatchException

use of org.springframework.security.oauth2.common.exceptions.RedirectMismatchException in project spring-security-oauth by spring-projects.

the class AuthorizationCodeTokenGranterTests method testAuthorizationRedirectMismatch.

@Test
public void testAuthorizationRedirectMismatch() {
    Map<String, String> initialParameters = new HashMap<String, String>();
    initialParameters.put(OAuth2Utils.REDIRECT_URI, "https://redirectMe");
    //AuthorizationRequest initialRequest = createFromParameters(initialParameters);
    // we fake a valid resolvedRedirectUri because without the client would never come this far
    //initialRequest.setRedirectUri(initialParameters.get(REDIRECT_URI));
    parameters.clear();
    parameters.put(OAuth2Utils.REDIRECT_URI, "https://redirectMe");
    parameters.put(OAuth2Utils.CLIENT_ID, "foo");
    OAuth2Request storedOAuth2Request = RequestTokenFactory.createOAuth2Request(parameters, "foo", null, true, null, null, "https://redirectMe", null, null);
    Authentication userAuthentication = new UsernamePasswordAuthenticationToken("marissa", "koala", AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_USER"));
    String code = authorizationCodeServices.createAuthorizationCode(new OAuth2Authentication(storedOAuth2Request, userAuthentication));
    Map<String, String> authorizationParameters = new HashMap<String, String>();
    authorizationParameters.put("code", code);
    //AuthorizationRequest oAuth2Request = createFromParameters(initialParameters);
    //oAuth2Request.setRequestParameters(authorizationParameters);
    TokenRequest tokenRequest = requestFactory.createTokenRequest(parameters, client);
    tokenRequest.setRequestParameters(authorizationParameters);
    AuthorizationCodeTokenGranter granter = new AuthorizationCodeTokenGranter(providerTokenServices, authorizationCodeServices, clientDetailsService, requestFactory);
    try {
        granter.getOAuth2Authentication(client, tokenRequest);
        fail("RedirectMismatchException because of null redirect_uri in authorizationRequest");
    } catch (RedirectMismatchException e) {
    }
}
Also used : OAuth2Request(org.springframework.security.oauth2.provider.OAuth2Request) HashMap(java.util.HashMap) OAuth2Authentication(org.springframework.security.oauth2.provider.OAuth2Authentication) Authentication(org.springframework.security.core.Authentication) OAuth2Authentication(org.springframework.security.oauth2.provider.OAuth2Authentication) TokenRequest(org.springframework.security.oauth2.provider.TokenRequest) RedirectMismatchException(org.springframework.security.oauth2.common.exceptions.RedirectMismatchException) UsernamePasswordAuthenticationToken(org.springframework.security.authentication.UsernamePasswordAuthenticationToken) Test(org.junit.Test)

Example 7 with RedirectMismatchException

use of org.springframework.security.oauth2.common.exceptions.RedirectMismatchException in project ORCID-Source by ORCID.

the class OrcidAuthorizationCodeTokenGranter method getOAuth2Authentication.

@Override
protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest) {
    Map<String, String> parameters = tokenRequest.getRequestParameters();
    String authorizationCode = parameters.get("code");
    String redirectUri = parameters.get(OAuth2Utils.REDIRECT_URI);
    LOGGER.info("Getting OAuth2 authentication: code={}, redirectUri={}, clientId={}, scope={}", new Object[] { authorizationCode, redirectUri, tokenRequest.getClientId(), tokenRequest.getScope() });
    if (authorizationCode == null) {
        throw new OAuth2Exception("An authorization code must be supplied.");
    }
    //Validate the client is active
    ClientDetailsEntity clientDetails = clientDetailsEntityCacheManager.retrieve(tokenRequest.getClientId());
    orcidOAuth2RequestValidator.validateClientIsEnabled(clientDetails);
    //Validate scopes
    OrcidOauth2AuthoriziationCodeDetail codeDetails = orcidOauth2AuthoriziationCodeDetailDao.find(authorizationCode);
    if (codeDetails == null) {
        throw new InvalidGrantException("Invalid authorization code: " + authorizationCode);
    } else {
        // Check auth code expiration
        Date tokenCreationDate = codeDetails.getDateCreated();
        Calendar calendar = Calendar.getInstance();
        calendar.setTime(tokenCreationDate);
        calendar.add(Calendar.MINUTE, authorizationCodeExpiration);
        Date tokenExpirationDate = calendar.getTime();
        if (tokenExpirationDate.before(new Date())) {
            throw new IllegalArgumentException("Authorization code has expired");
        }
        // Check granted scopes
        Set<String> grantedScopes = codeDetails.getScopes();
        Set<String> requestScopes = tokenRequest.getScope();
        for (String requestScope : requestScopes) {
            if (!grantedScopes.contains(requestScope)) {
                throw new InvalidScopeException("Invalid scopes: " + requestScope + " available scopes for this code are: " + grantedScopes);
            }
        }
    }
    //Consume code        
    OAuth2Authentication storedAuth = authorizationCodeServices.consumeAuthorizationCode(authorizationCode);
    if (storedAuth == null) {
        throw new InvalidGrantException("Invalid authorization code: " + authorizationCode);
    }
    OAuth2Request pendingAuthorizationRequest = storedAuth.getOAuth2Request();
    //Regenerate the authorization request but now with the request parameters
    pendingAuthorizationRequest = pendingAuthorizationRequest.createOAuth2Request(parameters);
    LOGGER.info("Found pending authorization request: redirectUri={}, clientId={}, scope={}, is_approved={}", new Object[] { pendingAuthorizationRequest.getRedirectUri(), pendingAuthorizationRequest.getClientId(), pendingAuthorizationRequest.getScope(), pendingAuthorizationRequest.isApproved() });
    // https://jira.springsource.org/browse/SECOAUTH-333
    // This might be null, if the authorization was done without the
    // redirect_uri parameter
    String redirectUriApprovalParameter = pendingAuthorizationRequest.getRequestParameters().get(OAuth2Utils.REDIRECT_URI);
    if ((redirectUri != null || redirectUriApprovalParameter != null) && !pendingAuthorizationRequest.getRedirectUri().equals(redirectUri)) {
        throw new RedirectMismatchException("Redirect URI mismatch.");
    }
    String pendingClientId = pendingAuthorizationRequest.getClientId();
    String clientId = client.getClientId();
    LOGGER.info("Comparing client ids: pendingClientId={}, authorizationRequest.clientId={}", pendingClientId, clientId);
    if (clientId != null && !clientId.equals(pendingClientId)) {
        // just a sanity check.
        throw new InvalidClientException("Client ID mismatch");
    }
    Authentication userAuth = storedAuth.getUserAuthentication();
    return new OAuth2Authentication(pendingAuthorizationRequest, userAuth);
}
Also used : ClientDetailsEntity(org.orcid.persistence.jpa.entities.ClientDetailsEntity) OrcidOauth2AuthoriziationCodeDetail(org.orcid.persistence.jpa.entities.OrcidOauth2AuthoriziationCodeDetail) Calendar(java.util.Calendar) InvalidGrantException(org.springframework.security.oauth2.common.exceptions.InvalidGrantException) Date(java.util.Date) OAuth2Request(org.springframework.security.oauth2.provider.OAuth2Request) OAuth2Authentication(org.springframework.security.oauth2.provider.OAuth2Authentication) Authentication(org.springframework.security.core.Authentication) OAuth2Authentication(org.springframework.security.oauth2.provider.OAuth2Authentication) RedirectMismatchException(org.springframework.security.oauth2.common.exceptions.RedirectMismatchException) InvalidClientException(org.springframework.security.oauth2.common.exceptions.InvalidClientException) OAuth2Exception(org.springframework.security.oauth2.common.exceptions.OAuth2Exception) InvalidScopeException(org.springframework.security.oauth2.common.exceptions.InvalidScopeException)

Example 8 with RedirectMismatchException

use of org.springframework.security.oauth2.common.exceptions.RedirectMismatchException in project ORCID-Source by ORCID.

the class OauthRegistrationController method registerAndAuthorize.

@RequestMapping(value = "/oauth/custom/registerConfirm.json", method = RequestMethod.POST)
@ResponseBody
public RequestInfoForm registerAndAuthorize(HttpServletRequest request, HttpServletResponse response, @RequestBody OauthRegistrationForm form) {
    RequestInfoForm requestInfoForm = (RequestInfoForm) request.getSession().getAttribute(REQUEST_INFO_FORM);
    if (form.getApproved()) {
        boolean usedCaptcha = false;
        // block google.
        if (form.getGrecaptchaWidgetId().getValue() != null) {
            // to the login page
            if (request.getSession().getAttribute(RegistrationController.GRECAPTCHA_SESSION_ATTRIBUTE_NAME) == null || PojoUtil.isEmpty(form.getGrecaptcha()) || !form.getGrecaptcha().getValue().equals(request.getSession().getAttribute(RegistrationController.GRECAPTCHA_SESSION_ATTRIBUTE_NAME))) {
                String redirectUri = this.getBaseUri() + REDIRECT_URI_ERROR;
                // Set the client id
                redirectUri = redirectUri.replace("{0}", requestInfoForm.getClientId());
                // Set the response type if needed
                if (!PojoUtil.isEmpty(requestInfoForm.getResponseType()))
                    redirectUri += "&response_type=" + requestInfoForm.getResponseType();
                // Set the redirect uri
                if (!PojoUtil.isEmpty(requestInfoForm.getRedirectUrl()))
                    redirectUri += "&redirect_uri=" + requestInfoForm.getRedirectUrl();
                // remove email access scope if present but not granted
                if (requestInfoForm.containsEmailReadPrivateScope() && !form.isEmailAccessAllowed()) {
                    requestInfoForm.removeEmailReadPrivateScope();
                }
                // Set the scope param
                if (!PojoUtil.isEmpty(requestInfoForm.getScopesAsString()))
                    redirectUri += "&scope=" + requestInfoForm.getScopesAsString();
                // Copy the state param if present
                if (!PojoUtil.isEmpty(requestInfoForm.getStateParam()))
                    redirectUri += "&state=" + requestInfoForm.getStateParam();
                requestInfoForm.setRedirectUrl(redirectUri);
                SavedRequest savedRequest = new HttpSessionRequestCache().getRequest(request, response);
                if (savedRequest != null)
                    LOGGER.info("OauthConfirmAccessController original request: " + savedRequest.getRedirectUrl());
                LOGGER.info("OauthConfirmAccessController form.getRedirectUri being sent to client browser: " + requestInfoForm.getRedirectUrl());
                return requestInfoForm;
            }
            usedCaptcha = true;
        }
        // Remove the session hash if needed
        if (request.getSession().getAttribute(RegistrationController.GRECAPTCHA_SESSION_ATTRIBUTE_NAME) != null) {
            request.getSession().removeAttribute(RegistrationController.GRECAPTCHA_SESSION_ATTRIBUTE_NAME);
        }
        //Strip any html code from names before validating them
        if (!PojoUtil.isEmpty(form.getFamilyNames())) {
            form.getFamilyNames().setValue(OrcidStringUtils.stripHtml(form.getFamilyNames().getValue()));
        }
        if (!PojoUtil.isEmpty(form.getGivenNames())) {
            form.getGivenNames().setValue(OrcidStringUtils.stripHtml(form.getGivenNames().getValue()));
        }
        // Check there are no errors
        registrationController.validateRegistrationFields(request, form);
        if (form.getErrors().isEmpty()) {
            // Register user
            try {
                // Locale
                Locale locale = RequestContextUtils.getLocale(request);
                // Ip
                String ip = OrcidRequestUtil.getIpAddress(request);
                registrationController.createMinimalRegistration(request, form, usedCaptcha, locale, ip);
            } catch (Exception e) {
                requestInfoForm.getErrors().add(getMessage("register.error.generalError"));
                return requestInfoForm;
            }
            // Authenticate user
            String email = form.getEmail().getValue();
            String password = form.getPassword().getValue();
            Authentication auth = authenticateUser(request, email, password);
            // Create authorization params
            SimpleSessionStatus status = new SimpleSessionStatus();
            Map<String, Object> model = new HashMap<String, Object>();
            Map<String, String> params = new HashMap<String, String>();
            Map<String, String> approvalParams = new HashMap<String, String>();
            fillOauthParams(requestInfoForm, params, approvalParams, form.getPersistentTokenEnabled(), form.isEmailAccessAllowed());
            // Authorize
            try {
                authorizationEndpoint.authorize(model, params, status, auth);
            } catch (RedirectMismatchException rUriError) {
                String redirectUri = this.getBaseUri() + REDIRECT_URI_ERROR;
                // Set the client id
                redirectUri = redirectUri.replace("{0}", requestInfoForm.getClientId());
                // Set the response type if needed
                if (!PojoUtil.isEmpty(requestInfoForm.getResponseType()))
                    redirectUri += "&response_type=" + requestInfoForm.getResponseType();
                // Set the redirect uri
                if (!PojoUtil.isEmpty(requestInfoForm.getRedirectUrl()))
                    redirectUri += "&redirect_uri=" + requestInfoForm.getRedirectUrl();
                // Set the scope param
                if (!PojoUtil.isEmpty(requestInfoForm.getScopesAsString()))
                    redirectUri += "&scope=" + requestInfoForm.getScopesAsString();
                // Copy the state param if present
                if (!PojoUtil.isEmpty(requestInfoForm.getStateParam()))
                    redirectUri += "&state=" + requestInfoForm.getStateParam();
                requestInfoForm.setRedirectUrl(redirectUri);
                LOGGER.info("OauthRegisterController being sent to client browser: " + requestInfoForm.getRedirectUrl());
                return requestInfoForm;
            }
            // Approve
            RedirectView view = (RedirectView) authorizationEndpoint.approveOrDeny(approvalParams, model, status, auth);
            requestInfoForm.setRedirectUrl(view.getUrl());
        }
    } else {
        requestInfoForm.setRedirectUrl(buildDenyRedirectUri(requestInfoForm.getRedirectUrl(), requestInfoForm.getStateParam()));
    }
    if (new HttpSessionRequestCache().getRequest(request, response) != null)
        new HttpSessionRequestCache().removeRequest(request, response);
    LOGGER.info("OauthConfirmAccessController form.getRedirectUri being sent to client browser: " + requestInfoForm.getRedirectUrl());
    return requestInfoForm;
}
Also used : Locale(java.util.Locale) HashMap(java.util.HashMap) HttpSessionRequestCache(org.springframework.security.web.savedrequest.HttpSessionRequestCache) RedirectMismatchException(org.springframework.security.oauth2.common.exceptions.RedirectMismatchException) Authentication(org.springframework.security.core.Authentication) RedirectMismatchException(org.springframework.security.oauth2.common.exceptions.RedirectMismatchException) RedirectView(org.springframework.web.servlet.view.RedirectView) RequestInfoForm(org.orcid.pojo.ajaxForm.RequestInfoForm) SavedRequest(org.springframework.security.web.savedrequest.SavedRequest) SimpleSessionStatus(org.springframework.web.bind.support.SimpleSessionStatus) RequestMapping(org.springframework.web.bind.annotation.RequestMapping) ResponseBody(org.springframework.web.bind.annotation.ResponseBody)

Example 9 with RedirectMismatchException

use of org.springframework.security.oauth2.common.exceptions.RedirectMismatchException in project spring-security-oauth by spring-projects.

the class AbstractAuthorizationCodeProviderTests method testWrongRedirectUri.

@Test
@OAuth2ContextConfiguration(resource = MyTrustedClient.class, initialize = false)
public void testWrongRedirectUri() throws Exception {
    approveAccessTokenGrant("http://anywhere", true);
    AccessTokenRequest request = context.getAccessTokenRequest();
    // The redirect is stored in the preserved state...
    context.getOAuth2ClientContext().setPreservedState(request.getStateKey(), "http://nowhere");
    // Finally everything is in place for the grant to happen...
    try {
        assertNotNull(context.getAccessToken());
        fail("Expected RedirectMismatchException");
    } catch (RedirectMismatchException e) {
    // expected
    }
    assertEquals(HttpStatus.BAD_REQUEST, tokenEndpointResponse.getStatusCode());
}
Also used : RedirectMismatchException(org.springframework.security.oauth2.common.exceptions.RedirectMismatchException) AccessTokenRequest(org.springframework.security.oauth2.client.token.AccessTokenRequest) OAuth2ContextConfiguration(org.springframework.security.oauth2.client.test.OAuth2ContextConfiguration) Test(org.junit.Test)

Aggregations

RedirectMismatchException (org.springframework.security.oauth2.common.exceptions.RedirectMismatchException)9 Authentication (org.springframework.security.core.Authentication)6 HashMap (java.util.HashMap)4 OAuth2Authentication (org.springframework.security.oauth2.provider.OAuth2Authentication)4 Test (org.junit.Test)3 InvalidClientException (org.springframework.security.oauth2.common.exceptions.InvalidClientException)3 OAuth2Request (org.springframework.security.oauth2.provider.OAuth2Request)3 RequestMapping (org.springframework.web.bind.annotation.RequestMapping)3 RedirectView (org.springframework.web.servlet.view.RedirectView)3 RequestInfoForm (org.orcid.pojo.ajaxForm.RequestInfoForm)2 OAuth2ContextConfiguration (org.springframework.security.oauth2.client.test.OAuth2ContextConfiguration)2 AccessTokenRequest (org.springframework.security.oauth2.client.token.AccessTokenRequest)2 InvalidGrantException (org.springframework.security.oauth2.common.exceptions.InvalidGrantException)2 OAuth2Exception (org.springframework.security.oauth2.common.exceptions.OAuth2Exception)2 AuthorizationRequest (org.springframework.security.oauth2.provider.AuthorizationRequest)2 HttpSessionRequestCache (org.springframework.security.web.savedrequest.HttpSessionRequestCache)2 ResponseBody (org.springframework.web.bind.annotation.ResponseBody)2 SimpleSessionStatus (org.springframework.web.bind.support.SimpleSessionStatus)2 ModelAndView (org.springframework.web.servlet.ModelAndView)2 Calendar (java.util.Calendar)1