
Example 6 with OAuth2AuthorizationConsent

use of org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsent in project spring-authorization-server by spring-projects.

the class OAuth2AuthorizationCodeRequestAuthenticationProvider method authenticateAuthorizationConsent.

/**
 * Handles the submission of the consent form for an authorization code request.
 *
 * <p>The method resolves the 'in-flight' authorization from the submitted {@code state},
 * checks that it belongs to the current principal and to the submitting client, checks
 * that the approved scopes are a subset of the originally requested scopes, updates the
 * stored consent and finally issues an authorization code.
 *
 * <p>NOTE(review): every validation step relies on {@code throwError(...)} not returning
 * normally; the lines after each check dereference the value that was just tested.
 * Confirm that {@code throwError} always throws.
 *
 * @param authentication the consent submission; cast to
 *        {@link OAuth2AuthorizationCodeRequestAuthenticationToken}
 * @return an authenticated token carrying the authorization code, redirect URI,
 *         authorized scopes and the original request's {@code state}
 * @throws AuthenticationException if validation fails, consent is denied, or no
 *         authorization code could be generated
 */
private Authentication authenticateAuthorizationConsent(Authentication authentication) throws AuthenticationException {
    OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication = (OAuth2AuthorizationCodeRequestAuthenticationToken) authentication;
    // The submitted 'state' is the lookup key for the authorization saved when consent was requested.
    OAuth2Authorization authorization = this.authorizationService.findByToken(authorizationCodeRequestAuthentication.getState(), STATE_TOKEN_TYPE);
    if (authorization == null) {
        throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.STATE, authorizationCodeRequestAuthentication, null, null);
    }
    // The 'in-flight' authorization must be associated to the current principal
    // (a state value obtained by one user cannot be completed by a different, or unauthenticated, user).
    Authentication principal = (Authentication) authorizationCodeRequestAuthentication.getPrincipal();
    if (!isPrincipalAuthenticated(principal) || !principal.getName().equals(authorization.getPrincipalName())) {
        throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.STATE, authorizationCodeRequestAuthentication, null, null);
    }
    // The submitted client_id must resolve to the same registered client the authorization was created for.
    RegisteredClient registeredClient = this.registeredClientRepository.findByClientId(authorizationCodeRequestAuthentication.getClientId());
    if (registeredClient == null || !registeredClient.getId().equals(authorization.getRegisteredClientId())) {
        throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.CLIENT_ID, authorizationCodeRequestAuthentication, registeredClient);
    }
    // NOTE(review): no null check on the stored request; assumes every authorization found by
    // state carries this attribute - confirm against the code that saves it.
    OAuth2AuthorizationRequest authorizationRequest = authorization.getAttribute(OAuth2AuthorizationRequest.class.getName());
    Set<String> requestedScopes = authorizationRequest.getScopes();
    Set<String> authorizedScopes = new HashSet<>(authorizationCodeRequestAuthentication.getScopes());
    // Scopes approved on the consent form may narrow the original request but never widen it.
    if (!requestedScopes.containsAll(authorizedScopes)) {
        throwError(OAuth2ErrorCodes.INVALID_SCOPE, OAuth2ParameterNames.SCOPE, authorizationCodeRequestAuthentication, registeredClient, authorizationRequest);
    }
    OAuth2AuthorizationConsent currentAuthorizationConsent = this.authorizationConsentService.findById(authorization.getRegisteredClientId(), authorization.getPrincipalName());
    Set<String> currentAuthorizedScopes = currentAuthorizationConsent != null ? currentAuthorizationConsent.getScopes() : Collections.emptySet();
    // Scopes consented to earlier are carried over, but only those that this request asked for.
    if (!currentAuthorizedScopes.isEmpty()) {
        for (String requestedScope : requestedScopes) {
            if (currentAuthorizedScopes.contains(requestedScope)) {
                authorizedScopes.add(requestedScope);
            }
        }
    }
    // 'openid' is only added when at least one other scope ended up authorized.
    if (!authorizedScopes.isEmpty() && requestedScopes.contains(OidcScopes.OPENID)) {
        // 'openid' scope is auto-approved as it does not require consent
        authorizedScopes.add(OidcScopes.OPENID);
    }
    // Start from the stored consent when there is one, so that it is updated rather than replaced.
    OAuth2AuthorizationConsent.Builder authorizationConsentBuilder;
    if (currentAuthorizationConsent != null) {
        authorizationConsentBuilder = OAuth2AuthorizationConsent.from(currentAuthorizationConsent);
    } else {
        authorizationConsentBuilder = OAuth2AuthorizationConsent.withId(authorization.getRegisteredClientId(), authorization.getPrincipalName());
    }
    authorizedScopes.forEach(authorizationConsentBuilder::scope);
    // Optional extension point: the customizer receives the builder and may change what is persisted.
    if (this.authorizationConsentCustomizer != null) {
        // @formatter:off
        OAuth2AuthorizationConsentAuthenticationContext authorizationConsentAuthenticationContext = OAuth2AuthorizationConsentAuthenticationContext.with(authorizationCodeRequestAuthentication).authorizationConsent(authorizationConsentBuilder).registeredClient(registeredClient).authorization(authorization).authorizationRequest(authorizationRequest).build();
        // @formatter:on
        this.authorizationConsentCustomizer.accept(authorizationConsentAuthenticationContext);
    }
    // Collect the authorities held by the builder after scopes and customizer were applied
    // (presumably the consumer is handed the builder's authority set - confirm in the Builder).
    Set<GrantedAuthority> authorities = new HashSet<>();
    authorizationConsentBuilder.authorities(authorities::addAll);
    if (authorities.isEmpty()) {
        // Authorization consent denied (or revoked)
        // Both the stored consent and the in-flight authorization are removed before the error is
        // raised, so the same state cannot be submitted again.
        if (currentAuthorizationConsent != null) {
            this.authorizationConsentService.remove(currentAuthorizationConsent);
        }
        this.authorizationService.remove(authorization);
        throwError(OAuth2ErrorCodes.ACCESS_DENIED, OAuth2ParameterNames.CLIENT_ID, authorizationCodeRequestAuthentication, registeredClient, authorizationRequest);
    }
    OAuth2AuthorizationConsent authorizationConsent = authorizationConsentBuilder.build();
    // Skip the write when the consent is unchanged.
    if (!authorizationConsent.equals(currentAuthorizationConsent)) {
        this.authorizationConsentService.save(authorizationConsent);
    }
    OAuth2AuthorizationCode authorizationCode;
    if (this.authorizationCodeSupplier != null) {
        // Supplier path: the code value comes from the supplier and expires 5 minutes after issue.
        Instant issuedAt = Instant.now();
        // TODO Allow configuration for authorization code time-to-live
        Instant expiresAt = issuedAt.plus(5, ChronoUnit.MINUTES);
        authorizationCode = new OAuth2AuthorizationCode(this.authorizationCodeSupplier.get(), issuedAt, expiresAt);
    } else {
        // Generator path: a null result is reported as SERVER_ERROR rather than passed on.
        OAuth2TokenContext tokenContext = createAuthorizationCodeTokenContext(authorizationCodeRequestAuthentication, registeredClient, authorization, authorizedScopes);
        authorizationCode = this.authorizationCodeGenerator.generate(tokenContext);
        if (authorizationCode == null) {
            OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.SERVER_ERROR, "The token generator failed to generate the authorization code.", ERROR_URI);
            throw new OAuth2AuthorizationCodeRequestAuthenticationException(error, null);
        }
    }
    // The consent 'state' attribute is dropped and replaced by the authorization code; the
    // authorized scopes are recorded on the authorization.
    OAuth2Authorization updatedAuthorization = OAuth2Authorization.from(authorization).token(authorizationCode).attributes(attrs -> {
        attrs.remove(OAuth2ParameterNames.STATE);
        attrs.put(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME, authorizedScopes);
    }).build();
    this.authorizationService.save(updatedAuthorization);
    // The redirect target comes from the stored request, not from the consent submission;
    // when the request carried none, the client's first registered redirect URI is used.
    String redirectUri = authorizationRequest.getRedirectUri();
    if (!StringUtils.hasText(redirectUri)) {
        redirectUri = registeredClient.getRedirectUris().iterator().next();
    }
    return OAuth2AuthorizationCodeRequestAuthenticationToken.with(registeredClient.getClientId(), principal).authorizationUri(authorizationRequest.getAuthorizationUri()).redirectUri(redirectUri).scopes(authorizedScopes).state(authorizationRequest.getState()).authorizationCode(authorizationCode).build();
}
Also used : OAuth2ParameterNames(org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames) UriComponentsBuilder(org.springframework.web.util.UriComponentsBuilder) PkceParameterNames(org.springframework.security.oauth2.core.endpoint.PkceParameterNames) OAuth2TokenGenerator(org.springframework.security.oauth2.server.authorization.OAuth2TokenGenerator) RegisteredClientRepository(org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository) AuthenticationProvider(org.springframework.security.authentication.AuthenticationProvider) HashMap(java.util.HashMap) Function(java.util.function.Function) Supplier(java.util.function.Supplier) OAuth2AuthorizationConsentService(org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService) HashSet(java.util.HashSet) OAuth2AuthenticationContext(org.springframework.security.oauth2.core.authentication.OAuth2AuthenticationContext) Map(java.util.Map) OidcScopes(org.springframework.security.oauth2.core.oidc.OidcScopes) Nullable(org.springframework.lang.Nullable) AuthenticationException(org.springframework.security.core.AuthenticationException) OAuth2AuthenticationValidator(org.springframework.security.oauth2.core.authentication.OAuth2AuthenticationValidator) StringKeyGenerator(org.springframework.security.crypto.keygen.StringKeyGenerator) OAuth2Authorization(org.springframework.security.oauth2.server.authorization.OAuth2Authorization) RegisteredClient(org.springframework.security.oauth2.server.authorization.client.RegisteredClient) OAuth2AuthorizationConsent(org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsent) OAuth2AuthorizationRequest(org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest) Set(java.util.Set) Instant(java.time.Instant) OAuth2ErrorCodes(org.springframework.security.oauth2.core.OAuth2ErrorCodes) 
DefaultOAuth2TokenContext(org.springframework.security.oauth2.server.authorization.DefaultOAuth2TokenContext) GrantedAuthority(org.springframework.security.core.GrantedAuthority) OAuth2AuthorizationService(org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService) Consumer(java.util.function.Consumer) ProviderContextHolder(org.springframework.security.oauth2.server.authorization.context.ProviderContextHolder) Base64(java.util.Base64) Principal(java.security.Principal) ChronoUnit(java.time.temporal.ChronoUnit) OAuth2AuthorizationCode(org.springframework.security.oauth2.core.OAuth2AuthorizationCode) Base64StringKeyGenerator(org.springframework.security.crypto.keygen.Base64StringKeyGenerator) OAuth2TokenType(org.springframework.security.oauth2.core.OAuth2TokenType) OAuth2TokenContext(org.springframework.security.oauth2.server.authorization.OAuth2TokenContext) OAuth2Error(org.springframework.security.oauth2.core.OAuth2Error) AnonymousAuthenticationToken(org.springframework.security.authentication.AnonymousAuthenticationToken) Authentication(org.springframework.security.core.Authentication) Collections(java.util.Collections) AuthorizationGrantType(org.springframework.security.oauth2.core.AuthorizationGrantType) Assert(org.springframework.util.Assert) StringUtils(org.springframework.util.StringUtils) UriComponents(org.springframework.web.util.UriComponents) GrantedAuthority(org.springframework.security.core.GrantedAuthority) Instant(java.time.Instant) OAuth2AuthorizationConsent(org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsent) OAuth2Authorization(org.springframework.security.oauth2.server.authorization.OAuth2Authorization) OAuth2Error(org.springframework.security.oauth2.core.OAuth2Error) RegisteredClient(org.springframework.security.oauth2.server.authorization.client.RegisteredClient) DefaultOAuth2TokenContext(org.springframework.security.oauth2.server.authorization.DefaultOAuth2TokenContext) 
OAuth2TokenContext(org.springframework.security.oauth2.server.authorization.OAuth2TokenContext) Authentication(org.springframework.security.core.Authentication) OAuth2AuthorizationCode(org.springframework.security.oauth2.core.OAuth2AuthorizationCode) OAuth2AuthorizationRequest(org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest) HashSet(java.util.HashSet)

Example 7 with OAuth2AuthorizationConsent

use of org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsent in project oauth2-server by gw2auth.

the class ClientConsentServiceImpl method save.

// region OAuth2AuthorizationConsentService
/**
 * Persists the given consent by merging its scopes into the stored consent entity for
 * the account / client registration pair.
 *
 * <p>The consent is rejected with {@code ACCESS_DENIED} unless it covers every scope
 * returned by {@code authorizationCodeParamAccessor.getRequestedScopes()}, i.e. a partial
 * approval is treated as a denial.
 *
 * <p>The principal name and registered client id are parsed as {@code long} values;
 * {@link Long#parseLong(String)} throws {@link NumberFormatException} for non-numeric input.
 *
 * @param authorizationConsent the consent to store
 */
@Override
@Transactional
public void save(OAuth2AuthorizationConsent authorizationConsent) {
    final boolean coversRequestedScopes = authorizationConsent.getScopes().containsAll(this.authorizationCodeParamAccessor.getRequestedScopes());
    if (!coversRequestedScopes) {
        throw this.authorizationCodeParamAccessor.error(new OAuth2Error(OAuth2ErrorCodes.ACCESS_DENIED));
    }

    final long accountId = Long.parseLong(authorizationConsent.getPrincipalName());
    final long clientRegistrationId = Long.parseLong(authorizationConsent.getRegisteredClientId());

    try (LoggingContext logging = log(accountId, clientRegistrationId, LogType.CONSENT)) {
        // Load the existing entity (or create a fresh one) and add the newly consented scopes to it.
        final ClientConsentEntity merged = this.clientConsentRepository
                .findByAccountIdAndClientRegistrationId(accountId, clientRegistrationId)
                .orElseGet(() -> createAuthorizedClientEntity(accountId, clientRegistrationId))
                .withAdditionalScopes(authorizationConsent.getScopes());
        final ClientConsentEntity persisted = this.clientConsentRepository.save(merged);
        // Log the scopes as stored, not as submitted.
        logging.log("Updated consented oauth2-scopes to [%s]", String.join(", ", persisted.authorizedScopes()));
    }
}
Also used : OAuth2Error(org.springframework.security.oauth2.core.OAuth2Error) ClientConsentEntity(com.gw2auth.oauth2.server.repository.client.consent.ClientConsentEntity) Transactional(org.springframework.transaction.annotation.Transactional)

Example 8 with OAuth2AuthorizationConsent

use of org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsent in project best-cloud by shanzhaozhen.

the class AuthorizationConsentController method consent.

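/**
 * Prepares the model for the consent page of an authorization request.
 *
 * <p>The requested scopes are split into those the principal already approved for this
 * client and those still awaiting approval, and both lists are exposed to the view.
 *
 * <p>{@code clientId}, {@code scope} and {@code state} are request parameters and are
 * therefore caller-controlled. They are only echoed into the model here.
 * NOTE(review): the "consent" template is expected to escape them on output, and the
 * handler that receives the form is expected to re-validate them - confirm both.
 *
 * @param principal the current user; NOTE(review): dereferenced without a null check,
 *        so this mapping presumably sits behind authentication - confirm
 * @param model the view model to populate
 * @param clientId the {@code client_id} request parameter
 * @param scope the space-delimited {@code scope} request parameter
 * @param state the {@code state} request parameter
 * @return the view name {@code "consent"}
 * @throws IllegalArgumentException if {@code clientId} does not match a registered client
 */
@GetMapping(value = "/oauth2/consent")
public String consent(Principal principal, Model model, @RequestParam(OAuth2ParameterNames.CLIENT_ID) String clientId, @RequestParam(OAuth2ParameterNames.SCOPE) String scope, @RequestParam(OAuth2ParameterNames.STATE) String state) {
    RegisteredClient registeredClient = this.registeredClientRepository.findByClientId(clientId);
    if (registeredClient == null) {
        // The page can be requested directly with an arbitrary client_id; fail with a clear
        // error instead of a NullPointerException on registeredClient.getId() below.
        throw new IllegalArgumentException("Unknown client_id");
    }
    OAuth2AuthorizationConsent currentAuthorizationConsent = this.authorizationConsentService.findById(registeredClient.getId(), principal.getName());
    Set<String> authorizedScopes = currentAuthorizationConsent != null ? currentAuthorizationConsent.getScopes() : Collections.emptySet();
    // Remove scopes that were already approved
    Set<String> scopesToApprove = new HashSet<>();
    Set<String> previouslyApprovedScopes = new HashSet<>();
    for (String requestedScope : StringUtils.delimitedListToStringArray(scope, " ")) {
        if (authorizedScopes.contains(requestedScope)) {
            previouslyApprovedScopes.add(requestedScope);
        } else {
            scopesToApprove.add(requestedScope);
        }
    }
    model.addAttribute("clientId", clientId);
    model.addAttribute("state", state);
    model.addAttribute("scopes", withDescription(scopesToApprove));
    model.addAttribute("previouslyApprovedScopes", withDescription(previouslyApprovedScopes));
    model.addAttribute("principalName", principal.getName());
    return "consent";
}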
Also used : OAuth2AuthorizationConsent(org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsent) RegisteredClient(org.springframework.security.oauth2.server.authorization.client.RegisteredClient) GetMapping(org.springframework.web.bind.annotation.GetMapping)

Example 9 with OAuth2AuthorizationConsent

use of org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsent in project ordinaryroad by 1962247851.

the class AuthorizationConsentController method consent.

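/**
 * Builds the model for the OAuth2 consent view.
 *
 * <p>Each scope in the request is classified as either already approved by this
 * principal for this client, or still to be approved.
 *
 * <p>All three request parameters are supplied by the caller and are placed in the
 * model as received. NOTE(review): output escaping in the "consent" view and
 * re-validation when the form is posted are assumed - confirm both.
 *
 * @param principal the current user; NOTE(review): used without a null check, which
 *        presumes the endpoint requires authentication - confirm
 * @param model the view model to populate
 * @param clientId the {@code client_id} request parameter
 * @param scope the space-delimited {@code scope} request parameter
 * @param state the {@code state} request parameter
 * @return the view name {@code "consent"}
 * @throws IllegalArgumentException if no registered client exists for {@code clientId}
 */
@GetMapping(value = "/oauth2/consent")
public String consent(Principal principal, Model model, @RequestParam(OAuth2ParameterNames.CLIENT_ID) String clientId, @RequestParam(OAuth2ParameterNames.SCOPE) String scope, @RequestParam(OAuth2ParameterNames.STATE) String state) {
    // Remove scopes that were already approved
    Set<String> scopesToApprove = new HashSet<>();
    Set<String> previouslyApprovedScopes = new HashSet<>();
    RegisteredClient registeredClient = this.registeredClientRepository.findByClientId(clientId);
    if (registeredClient == null) {
        // client_id is taken from the query string and may not be registered; reject it
        // explicitly rather than failing with a NullPointerException on the next line.
        throw new IllegalArgumentException("Unknown client_id");
    }
    OAuth2AuthorizationConsent currentAuthorizationConsent = this.authorizationConsentService.findById(registeredClient.getId(), principal.getName());
    Set<String> authorizedScopes;
    if (currentAuthorizationConsent != null) {
        authorizedScopes = currentAuthorizationConsent.getScopes();
    } else {
        // No stored consent: every requested scope still needs approval.
        authorizedScopes = Collections.emptySet();
    }
    for (String requestedScope : StringUtils.delimitedListToStringArray(scope, " ")) {
        if (authorizedScopes.contains(requestedScope)) {
            previouslyApprovedScopes.add(requestedScope);
        } else {
            scopesToApprove.add(requestedScope);
        }
    }
    model.addAttribute("clientId", clientId);
    model.addAttribute("state", state);
    model.addAttribute("scopes", withDescription(scopesToApprove));
    model.addAttribute("previouslyApprovedScopes", withDescription(previouslyApprovedScopes));
    model.addAttribute("principalName", principal.getName());
    return "consent";
}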
Also used : OAuth2AuthorizationConsent(org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsent) RegisteredClient(org.springframework.security.oauth2.server.authorization.client.RegisteredClient) GetMapping(org.springframework.web.bind.annotation.GetMapping)

Example 10 with OAuth2AuthorizationConsent

use of org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsent in project spring-authorization-server by spring-projects.

the class OAuth2AuthorizationCodeRequestAuthenticationProvider method authenticateAuthorizationRequest.

/**
 * Validates an authorization code request and, when the resource owner is authenticated
 * and no (further) consent is needed, issues the authorization code.
 *
 * <p>Order of checks: registered client, redirect URI, grant type, scope, PKCE parameters.
 * After that there are three outcomes: the request is returned unchanged for an
 * unauthenticated principal, a consent-required token with a fresh {@code state} is
 * returned, or an authorization code is generated and stored.
 *
 * <p>NOTE(review): the checks rely on {@code throwError(...)} not returning normally
 * (for example {@code registeredClient} is dereferenced after the null check) - confirm.
 *
 * @param authentication the incoming request; cast to
 *        {@link OAuth2AuthorizationCodeRequestAuthenticationToken}
 * @return the unchanged request, a consent-required token, or an authenticated token
 *         carrying the authorization code
 * @throws AuthenticationException if validation fails or no authorization code could be
 *         generated
 */
private Authentication authenticateAuthorizationRequest(Authentication authentication) throws AuthenticationException {
    OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication = (OAuth2AuthorizationCodeRequestAuthenticationToken) authentication;
    RegisteredClient registeredClient = this.registeredClientRepository.findByClientId(authorizationCodeRequestAuthentication.getClientId());
    if (registeredClient == null) {
        throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.CLIENT_ID, authorizationCodeRequestAuthentication, null);
    }
    // The validators receive the request together with the resolved client through this context.
    Map<Object, Object> context = new HashMap<>();
    context.put(RegisteredClient.class, registeredClient);
    OAuth2AuthenticationContext authenticationContext = new OAuth2AuthenticationContext(authorizationCodeRequestAuthentication, context);
    // redirect_uri is validated before the remaining parameters
    // (presumably so that later errors are only ever reported to a vetted redirect URI - confirm in throwError).
    OAuth2AuthenticationValidator redirectUriValidator = resolveAuthenticationValidator(OAuth2ParameterNames.REDIRECT_URI);
    redirectUriValidator.validate(authenticationContext);
    // The client must be registered for the authorization_code grant.
    if (!registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.AUTHORIZATION_CODE)) {
        throwError(OAuth2ErrorCodes.UNAUTHORIZED_CLIENT, OAuth2ParameterNames.CLIENT_ID, authorizationCodeRequestAuthentication, registeredClient);
    }
    OAuth2AuthenticationValidator scopeValidator = resolveAuthenticationValidator(OAuth2ParameterNames.SCOPE);
    scopeValidator.validate(authenticationContext);
    // code_challenge (REQUIRED for public clients) - RFC 7636 (PKCE)
    String codeChallenge = (String) authorizationCodeRequestAuthentication.getAdditionalParameters().get(PkceParameterNames.CODE_CHALLENGE);
    if (StringUtils.hasText(codeChallenge)) {
        String codeChallengeMethod = (String) authorizationCodeRequestAuthentication.getAdditionalParameters().get(PkceParameterNames.CODE_CHALLENGE_METHOD);
        // Only "S256" and "plain" are accepted; a missing method is not rejected here (RFC 7636
        // defines "plain" as the default). With "plain" the challenge is the verifier itself, so
        // deployments that want the stronger guarantee need to require "S256" elsewhere.
        if (StringUtils.hasText(codeChallengeMethod)) {
            if (!"S256".equals(codeChallengeMethod) && !"plain".equals(codeChallengeMethod)) {
                throwError(OAuth2ErrorCodes.INVALID_REQUEST, PkceParameterNames.CODE_CHALLENGE_METHOD, PKCE_ERROR_URI, authorizationCodeRequestAuthentication, registeredClient, null);
            }
        }
    } else if (registeredClient.getClientSettings().isRequireProofKey()) {
        // No code_challenge was sent although the client settings require PKCE.
        throwError(OAuth2ErrorCodes.INVALID_REQUEST, PkceParameterNames.CODE_CHALLENGE, PKCE_ERROR_URI, authorizationCodeRequestAuthentication, registeredClient, null);
    }
    // ---------------
    // The request is valid - ensure the resource owner is authenticated
    // ---------------
    Authentication principal = (Authentication) authorizationCodeRequestAuthentication.getPrincipal();
    if (!isPrincipalAuthenticated(principal)) {
        // Return the authorization request as-is where isAuthenticated() is false
        return authorizationCodeRequestAuthentication;
    }
    // Rebuild the request from the validated values; client_id is taken from the registered client.
    OAuth2AuthorizationRequest authorizationRequest = OAuth2AuthorizationRequest.authorizationCode().authorizationUri(authorizationCodeRequestAuthentication.getAuthorizationUri()).clientId(registeredClient.getClientId()).redirectUri(authorizationCodeRequestAuthentication.getRedirectUri()).scopes(authorizationCodeRequestAuthentication.getScopes()).state(authorizationCodeRequestAuthentication.getState()).additionalParameters(authorizationCodeRequestAuthentication.getAdditionalParameters()).build();
    OAuth2AuthorizationConsent currentAuthorizationConsent = this.authorizationConsentService.findById(registeredClient.getId(), principal.getName());
    if (requireAuthorizationConsent(registeredClient, authorizationRequest, currentAuthorizationConsent)) {
        // Consent step: a server-generated state replaces the client's state for the round trip
        // to the consent page and is stored as an attribute of the in-flight authorization.
        String state = DEFAULT_STATE_GENERATOR.generateKey();
        OAuth2Authorization authorization = authorizationBuilder(registeredClient, principal, authorizationRequest).attribute(OAuth2ParameterNames.STATE, state).build();
        this.authorizationService.save(authorization);
        // TODO Need to remove 'in-flight' authorization if consent step is not completed (e.g. approved or cancelled)
        // Until that TODO is addressed, nothing in this method removes an abandoned in-flight authorization.
        // scopes(...) receives null when there is no stored consent.
        Set<String> currentAuthorizedScopes = currentAuthorizationConsent != null ? currentAuthorizationConsent.getScopes() : null;
        return OAuth2AuthorizationCodeRequestAuthenticationToken.with(registeredClient.getClientId(), principal).authorizationUri(authorizationRequest.getAuthorizationUri()).scopes(currentAuthorizedScopes).state(state).consentRequired(true).build();
    }
    OAuth2AuthorizationCode authorizationCode;
    if (this.authorizationCodeSupplier != null) {
        // Supplier path: the code value comes from the supplier and expires 5 minutes after issue.
        Instant issuedAt = Instant.now();
        // TODO Allow configuration for authorization code time-to-live
        Instant expiresAt = issuedAt.plus(5, ChronoUnit.MINUTES);
        authorizationCode = new OAuth2AuthorizationCode(this.authorizationCodeSupplier.get(), issuedAt, expiresAt);
    } else {
        // Generator path: no authorization exists yet, so null is passed for it; a null result
        // is reported as SERVER_ERROR rather than passed on.
        OAuth2TokenContext tokenContext = createAuthorizationCodeTokenContext(authorizationCodeRequestAuthentication, registeredClient, null, authorizationRequest.getScopes());
        authorizationCode = this.authorizationCodeGenerator.generate(tokenContext);
        if (authorizationCode == null) {
            OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.SERVER_ERROR, "The token generator failed to generate the authorization code.", ERROR_URI);
            throw new OAuth2AuthorizationCodeRequestAuthenticationException(error, null);
        }
    }
    // Without a consent step, all requested scopes are recorded as authorized.
    OAuth2Authorization authorization = authorizationBuilder(registeredClient, principal, authorizationRequest).token(authorizationCode).attribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME, authorizationRequest.getScopes()).build();
    this.authorizationService.save(authorization);
    // When the request carried no redirect_uri, the client's first registered redirect URI is used.
    String redirectUri = authorizationRequest.getRedirectUri();
    if (!StringUtils.hasText(redirectUri)) {
        redirectUri = registeredClient.getRedirectUris().iterator().next();
    }
    return OAuth2AuthorizationCodeRequestAuthenticationToken.with(registeredClient.getClientId(), principal).authorizationUri(authorizationRequest.getAuthorizationUri()).redirectUri(redirectUri).scopes(authorizationRequest.getScopes()).state(authorizationRequest.getState()).authorizationCode(authorizationCode).build();
}
Also used : HashMap(java.util.HashMap) Instant(java.time.Instant) OAuth2AuthorizationConsent(org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsent) OAuth2Authorization(org.springframework.security.oauth2.server.authorization.OAuth2Authorization) OAuth2Error(org.springframework.security.oauth2.core.OAuth2Error) OAuth2AuthenticationContext(org.springframework.security.oauth2.core.authentication.OAuth2AuthenticationContext) RegisteredClient(org.springframework.security.oauth2.server.authorization.client.RegisteredClient) OAuth2AuthenticationValidator(org.springframework.security.oauth2.core.authentication.OAuth2AuthenticationValidator) DefaultOAuth2TokenContext(org.springframework.security.oauth2.server.authorization.DefaultOAuth2TokenContext) OAuth2TokenContext(org.springframework.security.oauth2.server.authorization.OAuth2TokenContext) Authentication(org.springframework.security.core.Authentication) OAuth2AuthorizationCode(org.springframework.security.oauth2.core.OAuth2AuthorizationCode) OAuth2AuthorizationRequest(org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest)

Aggregations

OAuth2AuthorizationConsent (org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsent)12 RegisteredClient (org.springframework.security.oauth2.server.authorization.client.RegisteredClient)11 HashSet (java.util.HashSet)6 Authentication (org.springframework.security.core.Authentication)6 OAuth2AuthorizationCode (org.springframework.security.oauth2.core.OAuth2AuthorizationCode)6 OAuth2Error (org.springframework.security.oauth2.core.OAuth2Error)6 OAuth2AuthorizationRequest (org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest)6 OAuth2Authorization (org.springframework.security.oauth2.server.authorization.OAuth2Authorization)6 Principal (java.security.Principal)5 HashMap (java.util.HashMap)5 Set (java.util.Set)5 Test (org.junit.Test)5 OAuth2AuthenticationValidator (org.springframework.security.oauth2.core.authentication.OAuth2AuthenticationValidator)5 Collections (java.util.Collections)4 Map (java.util.Map)4 Consumer (java.util.function.Consumer)4 Function (java.util.function.Function)4 Supplier (java.util.function.Supplier)4 AuthorizationGrantType (org.springframework.security.oauth2.core.AuthorizationGrantType)4 OAuth2ErrorCodes (org.springframework.security.oauth2.core.OAuth2ErrorCodes)4