use of org.springframework.security.oauth2.common.exceptions.RedirectMismatchException in project spring-security-oauth by spring-projects.
the class AuthorizationCodeTokenGranterTests method testAuthorizationRedirectMismatch.
@Test
public void testAuthorizationRedirectMismatch() {
Map<String, String> initialParameters = new HashMap<String, String>();
initialParameters.put(OAuth2Utils.REDIRECT_URI, "https://redirectMe");
//AuthorizationRequest initialRequest = createFromParameters(initialParameters);
// we fake a valid resolvedRedirectUri because without the client would never come this far
//initialRequest.setRedirectUri(initialParameters.get(REDIRECT_URI));
parameters.clear();
parameters.put(OAuth2Utils.REDIRECT_URI, "https://redirectMe");
parameters.put(OAuth2Utils.CLIENT_ID, "foo");
OAuth2Request storedOAuth2Request = RequestTokenFactory.createOAuth2Request(parameters, "foo", null, true, null, null, "https://redirectMe", null, null);
Authentication userAuthentication = new UsernamePasswordAuthenticationToken("marissa", "koala", AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_USER"));
String code = authorizationCodeServices.createAuthorizationCode(new OAuth2Authentication(storedOAuth2Request, userAuthentication));
Map<String, String> authorizationParameters = new HashMap<String, String>();
authorizationParameters.put("code", code);
//AuthorizationRequest oAuth2Request = createFromParameters(initialParameters);
//oAuth2Request.setRequestParameters(authorizationParameters);
TokenRequest tokenRequest = requestFactory.createTokenRequest(parameters, client);
tokenRequest.setRequestParameters(authorizationParameters);
AuthorizationCodeTokenGranter granter = new AuthorizationCodeTokenGranter(providerTokenServices, authorizationCodeServices, clientDetailsService, requestFactory);
try {
granter.getOAuth2Authentication(client, tokenRequest);
fail("RedirectMismatchException because of null redirect_uri in authorizationRequest");
} catch (RedirectMismatchException e) {
}
}
use of org.springframework.security.oauth2.common.exceptions.RedirectMismatchException in project ORCID-Source by ORCID.
the class OrcidAuthorizationCodeTokenGranter method getOAuth2Authentication.
@Override
protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest) {
Map<String, String> parameters = tokenRequest.getRequestParameters();
String authorizationCode = parameters.get("code");
String redirectUri = parameters.get(OAuth2Utils.REDIRECT_URI);
LOGGER.info("Getting OAuth2 authentication: code={}, redirectUri={}, clientId={}, scope={}", new Object[] { authorizationCode, redirectUri, tokenRequest.getClientId(), tokenRequest.getScope() });
if (authorizationCode == null) {
throw new OAuth2Exception("An authorization code must be supplied.");
}
//Validate the client is active
ClientDetailsEntity clientDetails = clientDetailsEntityCacheManager.retrieve(tokenRequest.getClientId());
orcidOAuth2RequestValidator.validateClientIsEnabled(clientDetails);
//Validate scopes
OrcidOauth2AuthoriziationCodeDetail codeDetails = orcidOauth2AuthoriziationCodeDetailDao.find(authorizationCode);
if (codeDetails == null) {
throw new InvalidGrantException("Invalid authorization code: " + authorizationCode);
} else {
// Check auth code expiration
Date tokenCreationDate = codeDetails.getDateCreated();
Calendar calendar = Calendar.getInstance();
calendar.setTime(tokenCreationDate);
calendar.add(Calendar.MINUTE, authorizationCodeExpiration);
Date tokenExpirationDate = calendar.getTime();
if (tokenExpirationDate.before(new Date())) {
throw new IllegalArgumentException("Authorization code has expired");
}
// Check granted scopes
Set<String> grantedScopes = codeDetails.getScopes();
Set<String> requestScopes = tokenRequest.getScope();
for (String requestScope : requestScopes) {
if (!grantedScopes.contains(requestScope)) {
throw new InvalidScopeException("Invalid scopes: " + requestScope + " available scopes for this code are: " + grantedScopes);
}
}
}
//Consume code
OAuth2Authentication storedAuth = authorizationCodeServices.consumeAuthorizationCode(authorizationCode);
if (storedAuth == null) {
throw new InvalidGrantException("Invalid authorization code: " + authorizationCode);
}
OAuth2Request pendingAuthorizationRequest = storedAuth.getOAuth2Request();
//Regenerate the authorization request but now with the request parameters
pendingAuthorizationRequest = pendingAuthorizationRequest.createOAuth2Request(parameters);
LOGGER.info("Found pending authorization request: redirectUri={}, clientId={}, scope={}, is_approved={}", new Object[] { pendingAuthorizationRequest.getRedirectUri(), pendingAuthorizationRequest.getClientId(), pendingAuthorizationRequest.getScope(), pendingAuthorizationRequest.isApproved() });
// https://jira.springsource.org/browse/SECOAUTH-333
// This might be null, if the authorization was done without the
// redirect_uri parameter
String redirectUriApprovalParameter = pendingAuthorizationRequest.getRequestParameters().get(OAuth2Utils.REDIRECT_URI);
if ((redirectUri != null || redirectUriApprovalParameter != null) && !pendingAuthorizationRequest.getRedirectUri().equals(redirectUri)) {
throw new RedirectMismatchException("Redirect URI mismatch.");
}
String pendingClientId = pendingAuthorizationRequest.getClientId();
String clientId = client.getClientId();
LOGGER.info("Comparing client ids: pendingClientId={}, authorizationRequest.clientId={}", pendingClientId, clientId);
if (clientId != null && !clientId.equals(pendingClientId)) {
// just a sanity check.
throw new InvalidClientException("Client ID mismatch");
}
Authentication userAuth = storedAuth.getUserAuthentication();
return new OAuth2Authentication(pendingAuthorizationRequest, userAuth);
}
use of org.springframework.security.oauth2.common.exceptions.RedirectMismatchException in project ORCID-Source by ORCID.
the class OauthRegistrationController method registerAndAuthorize.
@RequestMapping(value = "/oauth/custom/registerConfirm.json", method = RequestMethod.POST)
@ResponseBody
public RequestInfoForm registerAndAuthorize(HttpServletRequest request, HttpServletResponse response, @RequestBody OauthRegistrationForm form) {
RequestInfoForm requestInfoForm = (RequestInfoForm) request.getSession().getAttribute(REQUEST_INFO_FORM);
if (form.getApproved()) {
boolean usedCaptcha = false;
// block google.
if (form.getGrecaptchaWidgetId().getValue() != null) {
// to the login page
if (request.getSession().getAttribute(RegistrationController.GRECAPTCHA_SESSION_ATTRIBUTE_NAME) == null || PojoUtil.isEmpty(form.getGrecaptcha()) || !form.getGrecaptcha().getValue().equals(request.getSession().getAttribute(RegistrationController.GRECAPTCHA_SESSION_ATTRIBUTE_NAME))) {
String redirectUri = this.getBaseUri() + REDIRECT_URI_ERROR;
// Set the client id
redirectUri = redirectUri.replace("{0}", requestInfoForm.getClientId());
// Set the response type if needed
if (!PojoUtil.isEmpty(requestInfoForm.getResponseType()))
redirectUri += "&response_type=" + requestInfoForm.getResponseType();
// Set the redirect uri
if (!PojoUtil.isEmpty(requestInfoForm.getRedirectUrl()))
redirectUri += "&redirect_uri=" + requestInfoForm.getRedirectUrl();
// remove email access scope if present but not granted
if (requestInfoForm.containsEmailReadPrivateScope() && !form.isEmailAccessAllowed()) {
requestInfoForm.removeEmailReadPrivateScope();
}
// Set the scope param
if (!PojoUtil.isEmpty(requestInfoForm.getScopesAsString()))
redirectUri += "&scope=" + requestInfoForm.getScopesAsString();
// Copy the state param if present
if (!PojoUtil.isEmpty(requestInfoForm.getStateParam()))
redirectUri += "&state=" + requestInfoForm.getStateParam();
requestInfoForm.setRedirectUrl(redirectUri);
SavedRequest savedRequest = new HttpSessionRequestCache().getRequest(request, response);
if (savedRequest != null)
LOGGER.info("OauthConfirmAccessController original request: " + savedRequest.getRedirectUrl());
LOGGER.info("OauthConfirmAccessController form.getRedirectUri being sent to client browser: " + requestInfoForm.getRedirectUrl());
return requestInfoForm;
}
usedCaptcha = true;
}
// Remove the session hash if needed
if (request.getSession().getAttribute(RegistrationController.GRECAPTCHA_SESSION_ATTRIBUTE_NAME) != null) {
request.getSession().removeAttribute(RegistrationController.GRECAPTCHA_SESSION_ATTRIBUTE_NAME);
}
//Strip any html code from names before validating them
if (!PojoUtil.isEmpty(form.getFamilyNames())) {
form.getFamilyNames().setValue(OrcidStringUtils.stripHtml(form.getFamilyNames().getValue()));
}
if (!PojoUtil.isEmpty(form.getGivenNames())) {
form.getGivenNames().setValue(OrcidStringUtils.stripHtml(form.getGivenNames().getValue()));
}
// Check there are no errors
registrationController.validateRegistrationFields(request, form);
if (form.getErrors().isEmpty()) {
// Register user
try {
// Locale
Locale locale = RequestContextUtils.getLocale(request);
// Ip
String ip = OrcidRequestUtil.getIpAddress(request);
registrationController.createMinimalRegistration(request, form, usedCaptcha, locale, ip);
} catch (Exception e) {
requestInfoForm.getErrors().add(getMessage("register.error.generalError"));
return requestInfoForm;
}
// Authenticate user
String email = form.getEmail().getValue();
String password = form.getPassword().getValue();
Authentication auth = authenticateUser(request, email, password);
// Create authorization params
SimpleSessionStatus status = new SimpleSessionStatus();
Map<String, Object> model = new HashMap<String, Object>();
Map<String, String> params = new HashMap<String, String>();
Map<String, String> approvalParams = new HashMap<String, String>();
fillOauthParams(requestInfoForm, params, approvalParams, form.getPersistentTokenEnabled(), form.isEmailAccessAllowed());
// Authorize
try {
authorizationEndpoint.authorize(model, params, status, auth);
} catch (RedirectMismatchException rUriError) {
String redirectUri = this.getBaseUri() + REDIRECT_URI_ERROR;
// Set the client id
redirectUri = redirectUri.replace("{0}", requestInfoForm.getClientId());
// Set the response type if needed
if (!PojoUtil.isEmpty(requestInfoForm.getResponseType()))
redirectUri += "&response_type=" + requestInfoForm.getResponseType();
// Set the redirect uri
if (!PojoUtil.isEmpty(requestInfoForm.getRedirectUrl()))
redirectUri += "&redirect_uri=" + requestInfoForm.getRedirectUrl();
// Set the scope param
if (!PojoUtil.isEmpty(requestInfoForm.getScopesAsString()))
redirectUri += "&scope=" + requestInfoForm.getScopesAsString();
// Copy the state param if present
if (!PojoUtil.isEmpty(requestInfoForm.getStateParam()))
redirectUri += "&state=" + requestInfoForm.getStateParam();
requestInfoForm.setRedirectUrl(redirectUri);
LOGGER.info("OauthRegisterController being sent to client browser: " + requestInfoForm.getRedirectUrl());
return requestInfoForm;
}
// Approve
RedirectView view = (RedirectView) authorizationEndpoint.approveOrDeny(approvalParams, model, status, auth);
requestInfoForm.setRedirectUrl(view.getUrl());
}
} else {
requestInfoForm.setRedirectUrl(buildDenyRedirectUri(requestInfoForm.getRedirectUrl(), requestInfoForm.getStateParam()));
}
if (new HttpSessionRequestCache().getRequest(request, response) != null)
new HttpSessionRequestCache().removeRequest(request, response);
LOGGER.info("OauthConfirmAccessController form.getRedirectUri being sent to client browser: " + requestInfoForm.getRedirectUrl());
return requestInfoForm;
}
use of org.springframework.security.oauth2.common.exceptions.RedirectMismatchException in project spring-security-oauth by spring-projects.
the class AbstractAuthorizationCodeProviderTests method testWrongRedirectUri.
@Test
@OAuth2ContextConfiguration(resource = MyTrustedClient.class, initialize = false)
public void testWrongRedirectUri() throws Exception {
approveAccessTokenGrant("http://anywhere", true);
AccessTokenRequest request = context.getAccessTokenRequest();
// The redirect is stored in the preserved state...
context.getOAuth2ClientContext().setPreservedState(request.getStateKey(), "http://nowhere");
// Finally everything is in place for the grant to happen...
try {
assertNotNull(context.getAccessToken());
fail("Expected RedirectMismatchException");
} catch (RedirectMismatchException e) {
// expected
}
assertEquals(HttpStatus.BAD_REQUEST, tokenEndpointResponse.getStatusCode());
}
Aggregations