upgrade spring, add javadoc, formatting
@@ -27,11 +27,11 @@ public class OidcAuthorizationCodeManager {
|
||||
/**
|
||||
* Creates the.
|
||||
*
|
||||
* @param clientId the client id
|
||||
* @param clientId the client id
|
||||
* @param redirectUri the redirect uri
|
||||
* @param scopes the scopes
|
||||
* @param userId the user id
|
||||
* @param nonce the nonce
|
||||
* @param scopes the scopes
|
||||
* @param userId the user id
|
||||
* @param nonce the nonce
|
||||
* @return the oidc authorization code
|
||||
*/
|
||||
public OidcAuthorizationCode create(String clientId, URI redirectUri, Set<String> scopes, Long userId,
|
||||
|
||||
@@ -38,34 +38,32 @@ public class OidcClientManager {
|
||||
/**
|
||||
* Creates the client.
|
||||
*
|
||||
* @param clientName the client name
|
||||
* @param clientName the client name
|
||||
* @param redirectUris the redirect uris
|
||||
* @return the oidc client
|
||||
*/
|
||||
public OidcClient createClient(String clientName, Set<String> redirectUris) {
|
||||
return createClient(clientName,
|
||||
Sets.newHashSet(OidcClientAuthenticationMethod.basic,
|
||||
OidcClientAuthenticationMethod.basic),
|
||||
Sets.newHashSet(OidcAuthorizationGrantType.authorization_code), redirectUris,
|
||||
Sets.newHashSet("openid"), null, false);
|
||||
Sets.newHashSet(OidcClientAuthenticationMethod.basic, OidcClientAuthenticationMethod.basic),
|
||||
Sets.newHashSet(OidcAuthorizationGrantType.authorization_code), redirectUris, Sets.newHashSet("openid"),
|
||||
null, false);
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates the client.
|
||||
*
|
||||
* @param clientName the client name
|
||||
* @param clientName the client name
|
||||
* @param clientAuthenticationMethods the client authentication methods
|
||||
* @param authorizationGrantTypes the authorization grant types
|
||||
* @param redirectUris the redirect uris
|
||||
* @param scopes the scopes
|
||||
* @param loginUrl the login url
|
||||
* @param alwaysPermitted the always permitted
|
||||
* @param authorizationGrantTypes the authorization grant types
|
||||
* @param redirectUris the redirect uris
|
||||
* @param scopes the scopes
|
||||
* @param loginUrl the login url
|
||||
* @param alwaysPermitted the always permitted
|
||||
* @return the oidc client
|
||||
*/
|
||||
public OidcClient createClient(String clientName,
|
||||
Set<OidcClientAuthenticationMethod> clientAuthenticationMethods,
|
||||
Set<OidcAuthorizationGrantType> authorizationGrantTypes, Set<String> redirectUris,
|
||||
Set<String> scopes, String loginUrl, boolean alwaysPermitted) {
|
||||
public OidcClient createClient(String clientName, Set<OidcClientAuthenticationMethod> clientAuthenticationMethods,
|
||||
Set<OidcAuthorizationGrantType> authorizationGrantTypes, Set<String> redirectUris, Set<String> scopes,
|
||||
String loginUrl, boolean alwaysPermitted) {
|
||||
|
||||
OidcClient oidcClient = new OidcClient();
|
||||
|
||||
@@ -85,8 +83,7 @@ public class OidcClientManager {
|
||||
}
|
||||
|
||||
oidcClient.setClientId(clientId);
|
||||
oidcClient.setClientSecret(
|
||||
RandomStringUtils.random(OIDC_CLIENT_CLIENT_SECRET_LENGTH, true, true));
|
||||
oidcClient.setClientSecret(RandomStringUtils.random(OIDC_CLIENT_CLIENT_SECRET_LENGTH, true, true));
|
||||
|
||||
return oidcClientRepository.save(oidcClient);
|
||||
}
|
||||
@@ -110,8 +107,7 @@ public class OidcClientManager {
|
||||
public OidcClient createNewSecretByClientName(String clientName) {
|
||||
OidcClient oidcClient = getByClientName(clientName);
|
||||
Assert.notNull(oidcClient, "No client found for name '" + clientName + "'");
|
||||
oidcClient.setClientSecret(
|
||||
RandomStringUtils.random(OIDC_CLIENT_CLIENT_SECRET_LENGTH, true, true));
|
||||
oidcClient.setClientSecret(RandomStringUtils.random(OIDC_CLIENT_CLIENT_SECRET_LENGTH, true, true));
|
||||
|
||||
return oidcClientRepository.save(oidcClient);
|
||||
}
|
||||
@@ -139,14 +135,13 @@ public class OidcClientManager {
|
||||
/**
|
||||
* Gets the by client id and secret.
|
||||
*
|
||||
* @param clientId the client id
|
||||
* @param clientId the client id
|
||||
* @param clientSecret the client secret
|
||||
* @return the by client id and secret
|
||||
*/
|
||||
public OidcClient getByClientIdAndSecret(String clientId, String clientSecret) {
|
||||
return oidcClientRepository.findOne(
|
||||
qOidcClient.clientId.eq(clientId).and(qOidcClient.clientSecret.eq(clientSecret)))
|
||||
.orElse(null);
|
||||
return oidcClientRepository
|
||||
.findOne(qOidcClient.clientId.eq(clientId).and(qOidcClient.clientSecret.eq(clientSecret))).orElse(null);
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -175,9 +170,9 @@ public class OidcClientManager {
|
||||
/**
|
||||
* Gets the.
|
||||
*
|
||||
* @param page the page
|
||||
* @param size the size
|
||||
* @param sortBy the sort by
|
||||
* @param page the page
|
||||
* @param size the size
|
||||
* @param sortBy the sort by
|
||||
* @param descending the descending
|
||||
* @return the page
|
||||
*/
|
||||
|
||||
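Review bot: The client secret written at `oidcClient.setClientSecret(RandomStringUtils.random(OIDC_CLIENT_CLIENT_SECRET_LENGTH, true, true));` (and again in createNewSecretByClientName) comes from commons-lang's RandomStringUtils, which, unless the project is on a release that offers a secure variant, is backed by java.util.Random rather than a cryptographic generator, so these OAuth client credentials are not unpredictable in the way a credential must be. Generating them from java.security.SecureRandom fixes that, e.g. `byte[] raw = new byte[OIDC_CLIENT_CLIENT_SECRET_LENGTH]; new SecureRandom().nextBytes(raw);` followed by `oidcClient.setClientSecret(Base64.getUrlEncoder().withoutPadding().encodeToString(raw));`. Separately, getByClientIdAndSecret looks the secret up with `qOidcClient.clientSecret.eq(clientSecret)`, which means the secret is stored and compared in clear; hashing it on write and, after looking the client up by clientId alone, comparing with `MessageDigest.isEqual` would be the conventional treatment and keeps a database dump from yielding usable credentials. In the two-argument createClient the default authentication set is `Sets.newHashSet(OidcClientAuthenticationMethod.basic, OidcClientAuthenticationMethod.basic)`, which collapses to a single element; the controller default in this same commit uses `basic, post`, so the second `basic` is probably meant to be `post`.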
@@ -69,13 +69,7 @@ public class OidcTokenManager implements SmartInitializingSingleton {
|
||||
private QOidcToken qOidcToken = QOidcToken.oidcToken;
|
||||
|
||||
/*
|
||||
* @see org.springframework.beans.factory.SmartInitializingSingleton#
|
||||
* afterSingletonsInstantiated()
|
||||
*/
|
||||
/*
|
||||
* @see org.springframework.beans.factory.SmartInitializingSingleton#afterSingletonsInstantiated()
|
||||
*/
|
||||
/*
|
||||
*
|
||||
* @see org.springframework.beans.factory.SmartInitializingSingleton#
|
||||
* afterSingletonsInstantiated()
|
||||
*/
|
||||
@@ -122,14 +116,14 @@ public class OidcTokenManager implements SmartInitializingSingleton {
|
||||
*
|
||||
* @param client the client
|
||||
* @param userId the user id
|
||||
* @param nonce the nonce
|
||||
* @param nonce the nonce
|
||||
* @param scopes the scopes
|
||||
* @param issuer the issuer
|
||||
* @return the oidc token
|
||||
* @throws JOSEException the JOSE exception
|
||||
*/
|
||||
public OidcToken createTokenWithIdToken(OidcClient client, Long userId, String nonce,
|
||||
Set<String> scopes, String issuer) throws JOSEException {
|
||||
public OidcToken createTokenWithIdToken(OidcClient client, Long userId, String nonce, Set<String> scopes,
|
||||
String issuer) throws JOSEException {
|
||||
OidcToken token = new OidcToken();
|
||||
token.setClient(client.getId());
|
||||
|
||||
@@ -145,9 +139,8 @@ public class OidcTokenManager implements SmartInitializingSingleton {
|
||||
|
||||
claimsSetBuilder.issuer(issuer);
|
||||
claimsSetBuilder.audience(client.getClientId());
|
||||
claimsSetBuilder.expirationTime(
|
||||
Date.from(Instant.now().plus(client.getTokenLifetime(), ChronoUnit.SECONDS)
|
||||
.atZone(ZoneId.systemDefault()).toInstant()));
|
||||
claimsSetBuilder.expirationTime(Date.from(Instant.now().plus(client.getTokenLifetime(), ChronoUnit.SECONDS)
|
||||
.atZone(ZoneId.systemDefault()).toInstant()));
|
||||
claimsSetBuilder.issueTime(new Date());
|
||||
|
||||
if (StringUtils.hasText(nonce)) {
|
||||
@@ -160,8 +153,7 @@ public class OidcTokenManager implements SmartInitializingSingleton {
|
||||
jwtKey = createDefaultJwtKey();
|
||||
}
|
||||
|
||||
JWSHeader.Builder headerBuilder = new JWSHeader.Builder(
|
||||
jwtKeyManager.getJwsAlgorithm(jwtKey));
|
||||
JWSHeader.Builder headerBuilder = new JWSHeader.Builder(jwtKeyManager.getJwsAlgorithm(jwtKey));
|
||||
headerBuilder.keyID(jwtKey.getKeyID());
|
||||
headerBuilder.type(JOSEObjectType.JWT);
|
||||
|
||||
@@ -200,7 +192,7 @@ public class OidcTokenManager implements SmartInitializingSingleton {
|
||||
} else {
|
||||
claimsSetBuilder.claim("email_verified", true);
|
||||
}
|
||||
|
||||
|
||||
claimsSetBuilder.claim("email", email.toLowerCase());
|
||||
|
||||
UserProfileField localeProfileField = userProfileFieldManager.get(user.getId(),
|
||||
@@ -210,8 +202,7 @@ public class OidcTokenManager implements SmartInitializingSingleton {
|
||||
if ("de-informal".equals(localeProfileField.getValue())) {
|
||||
claimsSetBuilder.claim(UserProfileFields.PROFILE_FIELD_LOCALE, "de");
|
||||
} else if (StringUtils.hasText(localeProfileField.getValue())) {
|
||||
claimsSetBuilder.claim(UserProfileFields.PROFILE_FIELD_LOCALE,
|
||||
localeProfileField.getValue());
|
||||
claimsSetBuilder.claim(UserProfileFields.PROFILE_FIELD_LOCALE, localeProfileField.getValue());
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
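Review bot: In createTokenWithIdToken the expiry at `claimsSetBuilder.expirationTime(Date.from(Instant.now().plus(client.getTokenLifetime(), ChronoUnit.SECONDS).atZone(ZoneId.systemDefault()).toInstant()));` converts an Instant to a zoned time and straight back, which is a no-op; `claimsSetBuilder.expirationTime(Date.from(Instant.now().plusSeconds(client.getTokenLifetime())));` expresses the same value without the detour. The issue time two lines later is taken from a separate `new Date()`, so `iat` and `exp` are read at different instants; capturing `Instant now = Instant.now();` once and deriving both claims from it keeps them consistent. The email claim further down uses `email.toLowerCase()` with the JVM default locale; `email.toLowerCase(Locale.ROOT)` avoids locale-dependent case folding for a value that is used as an identifier.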
@@ -53,8 +53,7 @@ public class OIDCClientController extends BaseController {
|
||||
@GetMapping
|
||||
public Page<OidcClient> getClients(@RequestParam("page") Optional<Integer> pageParameter,
|
||||
@RequestParam("size") Optional<Integer> sizeParameter) {
|
||||
return registeredClientService.get(pageParameter.orElse(0), sizeParameter.orElse(10),
|
||||
"clientName", true);
|
||||
return registeredClientService.get(pageParameter.orElse(0), sizeParameter.orElse(10), "clientName", true);
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -106,21 +105,19 @@ public class OIDCClientController extends BaseController {
|
||||
|
||||
if (oidcClientModel.getClientAuthenticationMethods() == null
|
||||
|| oidcClientModel.getClientAuthenticationMethods().isEmpty()) {
|
||||
oidcClientModel.setClientAuthenticationMethods(Sets.newHashSet(
|
||||
OidcClientAuthenticationMethod.basic, OidcClientAuthenticationMethod.post));
|
||||
oidcClientModel.setClientAuthenticationMethods(
|
||||
Sets.newHashSet(OidcClientAuthenticationMethod.basic, OidcClientAuthenticationMethod.post));
|
||||
}
|
||||
|
||||
if (oidcClientModel.getAuthorizationGrantTypes() == null
|
||||
|| oidcClientModel.getAuthorizationGrantTypes().isEmpty()) {
|
||||
oidcClientModel.setAuthorizationGrantTypes(
|
||||
Sets.newHashSet(OidcAuthorizationGrantType.authorization_code));
|
||||
oidcClientModel.setAuthorizationGrantTypes(Sets.newHashSet(OidcAuthorizationGrantType.authorization_code));
|
||||
}
|
||||
|
||||
return registeredClientService.createClient(oidcClientModel.getName(),
|
||||
oidcClientModel.getClientAuthenticationMethods(),
|
||||
oidcClientModel.getAuthorizationGrantTypes(),
|
||||
oidcClientModel.getRegisteredRedirectUris(), oidcClientModel.getScopes(),
|
||||
oidcClientModel.getLoginUrl(), oidcClientModel.isAlwaysPermitted());
|
||||
oidcClientModel.getClientAuthenticationMethods(), oidcClientModel.getAuthorizationGrantTypes(),
|
||||
oidcClientModel.getRegisteredRedirectUris(), oidcClientModel.getScopes(), oidcClientModel.getLoginUrl(),
|
||||
oidcClientModel.isAlwaysPermitted());
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
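Review bot: getClients passes `pageParameter.orElse(0)` and `sizeParameter.orElse(10)` straight through to `registeredClientService.get` with no upper or lower bound, so a caller can request an arbitrarily large page or a negative index; if `get` builds a Spring PageRequest from these (not visible here), a negative value surfaces as an unhandled IllegalArgumentException rather than a clean 400. Clamping before the call, e.g. `int size = Math.min(Math.max(sizeParameter.orElse(10), 1), MAX_PAGE_SIZE);` with a small constant for `MAX_PAGE_SIZE`, keeps the listing cheap and makes the bad-input case explicit. The createClient body below stores `oidcClientModel.getRegisteredRedirectUris()` as received; since the authorization endpoint matches redirect URIs by exact string, rejecting entries that are not absolute URIs at registration time would catch mistakes before they silently break a client.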
@@ -54,15 +54,15 @@ public class OidcAuthorizationController {
|
||||
/**
|
||||
* Authorization request.
|
||||
*
|
||||
* @param scope the scope
|
||||
* @param scope the scope
|
||||
* @param responseType the response type
|
||||
* @param clientId the client id
|
||||
* @param redirectUri the redirect uri
|
||||
* @param state the state
|
||||
* @param nonce the nonce
|
||||
* @param principal the principal
|
||||
* @param request the request
|
||||
* @param response the response
|
||||
* @param clientId the client id
|
||||
* @param redirectUri the redirect uri
|
||||
* @param state the state
|
||||
* @param nonce the nonce
|
||||
* @param principal the principal
|
||||
* @param request the request
|
||||
* @param response the response
|
||||
* @throws IOException Signals that an I/O exception has occurred.
|
||||
*/
|
||||
@PreAuthorize("isAuthenticated()")
|
||||
@@ -89,43 +89,37 @@ public class OidcAuthorizationController {
|
||||
|
||||
if (!StringUtils.hasText(clientId)) {
|
||||
logger.debug("missing client_id");
|
||||
throw new InvalidAuthorizationRequestError(redirectUri,
|
||||
OidcAuthorizationErrorCode.INVALID_REQUEST, "missing client_id", state);
|
||||
throw new InvalidAuthorizationRequestError(redirectUri, OidcAuthorizationErrorCode.INVALID_REQUEST,
|
||||
"missing client_id", state);
|
||||
}
|
||||
|
||||
OidcClient client = oidcClientManager.getByClientId(clientId);
|
||||
|
||||
if (client == null) {
|
||||
logger.debug("invalid client_id: " + clientId);
|
||||
throw new InvalidAuthorizationRequestError(redirectUri,
|
||||
OidcAuthorizationErrorCode.INVALID_REQUEST, "invalid client_id", state);
|
||||
throw new InvalidAuthorizationRequestError(redirectUri, OidcAuthorizationErrorCode.INVALID_REQUEST,
|
||||
"invalid client_id", state);
|
||||
|
||||
}
|
||||
|
||||
if (!client.getRedirectUris().contains(redirectUri.toString())) {
|
||||
logger.debug("invalid redirect_uri: " + redirectUri + " allowed: "
|
||||
+ client.getRedirectUris());
|
||||
throw new InvalidAuthorizationRequestError(redirectUri,
|
||||
OidcAuthorizationErrorCode.INVALID_REQUEST, "invalid redirect_uri", state);
|
||||
logger.debug("invalid redirect_uri: " + redirectUri + " allowed: " + client.getRedirectUris());
|
||||
throw new InvalidAuthorizationRequestError(redirectUri, OidcAuthorizationErrorCode.INVALID_REQUEST,
|
||||
"invalid redirect_uri", state);
|
||||
}
|
||||
|
||||
if (!client.isAlwaysPermitted()
|
||||
&& !permissionManager.hasPermission(principal.getUserId(), client.getClientName())
|
||||
&& !permissionManager.hasPermission(principal.getUserId(),
|
||||
Permissions.ROLE_ADMIN)) {
|
||||
logger.debug(
|
||||
"user not allowed: " + principal.getUserId() + " - " + client.getClientName());
|
||||
throw new InvalidAuthorizationRequestError(redirectUri,
|
||||
OidcAuthorizationErrorCode.ACCESS_DENIED, "user not allowed", state);
|
||||
&& !permissionManager.hasPermission(principal.getUserId(), Permissions.ROLE_ADMIN)) {
|
||||
logger.debug("user not allowed: " + principal.getUserId() + " - " + client.getClientName());
|
||||
throw new InvalidAuthorizationRequestError(redirectUri, OidcAuthorizationErrorCode.ACCESS_DENIED,
|
||||
"user not allowed", state);
|
||||
}
|
||||
|
||||
if (!client.getAuthorizationGrantTypes()
|
||||
.contains(OidcAuthorizationGrantType.authorization_code)) {
|
||||
logger.debug("authorization grant type not allowed: "
|
||||
+ OidcAuthorizationGrantType.authorization_code + " - "
|
||||
+ client.getClientName());
|
||||
throw new InvalidAuthorizationRequestError(redirectUri,
|
||||
OidcAuthorizationErrorCode.UNAUTHORIZED_CLIENT,
|
||||
if (!client.getAuthorizationGrantTypes().contains(OidcAuthorizationGrantType.authorization_code)) {
|
||||
logger.debug("authorization grant type not allowed: " + OidcAuthorizationGrantType.authorization_code
|
||||
+ " - " + client.getClientName());
|
||||
throw new InvalidAuthorizationRequestError(redirectUri, OidcAuthorizationErrorCode.UNAUTHORIZED_CLIENT,
|
||||
"authorization grant type not allowed", state);
|
||||
|
||||
}
|
||||
@@ -135,8 +129,7 @@ public class OidcAuthorizationController {
|
||||
|
||||
+ " - " + client.getClientName());
|
||||
throw new InvalidAuthorizationRequestError(redirectUri,
|
||||
OidcAuthorizationErrorCode.UNSUPPORTED_RESPONSE_TYPE,
|
||||
"response type not allowed", state);
|
||||
OidcAuthorizationErrorCode.UNSUPPORTED_RESPONSE_TYPE, "response type not allowed", state);
|
||||
|
||||
}
|
||||
|
||||
@@ -144,13 +137,13 @@ public class OidcAuthorizationController {
|
||||
|
||||
if (!scopes.contains("openid")) {
|
||||
logger.debug("missing openid scope: " + scopes + " - " + client.getClientName());
|
||||
throw new InvalidAuthorizationRequestError(redirectUri,
|
||||
OidcAuthorizationErrorCode.INVALID_SCOPE, "missing openid scope", state);
|
||||
throw new InvalidAuthorizationRequestError(redirectUri, OidcAuthorizationErrorCode.INVALID_SCOPE,
|
||||
"missing openid scope", state);
|
||||
|
||||
}
|
||||
|
||||
OidcAuthorizationCode authorizationCode = oidcAuthorizationCodeManager.create(clientId,
|
||||
redirectUri, scopes, principal.getUserId(), nonce);
|
||||
OidcAuthorizationCode authorizationCode = oidcAuthorizationCodeManager.create(clientId, redirectUri, scopes,
|
||||
principal.getUserId(), nonce);
|
||||
|
||||
String uri = redirectUri.toString();
|
||||
|
||||
@@ -171,12 +164,11 @@ public class OidcAuthorizationController {
|
||||
* Handle.
|
||||
*
|
||||
* @param exception the exception
|
||||
* @param response the response
|
||||
* @param response the response
|
||||
* @throws IOException Signals that an I/O exception has occurred.
|
||||
*/
|
||||
@ExceptionHandler(InvalidAuthorizationRequestError.class)
|
||||
public void handle(InvalidAuthorizationRequestError exception, HttpServletResponse response)
|
||||
throws IOException {
|
||||
public void handle(InvalidAuthorizationRequestError exception, HttpServletResponse response) throws IOException {
|
||||
String uri = exception.getRedirectUri().toString();
|
||||
|
||||
uri += "?error=" + exception.getErrorCode().getAuthorizationErrorCode();
|
||||
@@ -209,13 +201,13 @@ public class OidcAuthorizationController {
|
||||
/**
|
||||
* Instantiates a new invalid authorization request error.
|
||||
*
|
||||
* @param redirectUri the redirect uri
|
||||
* @param errorCode the error code
|
||||
* @param redirectUri the redirect uri
|
||||
* @param errorCode the error code
|
||||
* @param errorDescription the error description
|
||||
* @param state the state
|
||||
* @param state the state
|
||||
*/
|
||||
InvalidAuthorizationRequestError(URI redirectUri, OidcAuthorizationErrorCode errorCode,
|
||||
String errorDescription, String state) {
|
||||
InvalidAuthorizationRequestError(URI redirectUri, OidcAuthorizationErrorCode errorCode, String errorDescription,
|
||||
String state) {
|
||||
super(errorDescription);
|
||||
this.redirectUri = redirectUri;
|
||||
this.errorCode = errorCode;
|
||||
|
||||
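Review bot: The error path for a missing or unknown client_id (`throw new InvalidAuthorizationRequestError(redirectUri, OidcAuthorizationErrorCode.INVALID_REQUEST, "invalid client_id", state);`) and for an unregistered redirect_uri (`"invalid redirect_uri"`) hands the caller-supplied `redirectUri` to the exception, and the `handle` method in the later hunk then sends the browser to `exception.getRedirectUri()` with the error appended, so the authorization endpoint redirects to a URI that has not been validated against any registered client — an open redirect on the identity provider. RFC 6749 §4.1.2.1 requires the server not to redirect in exactly these cases but to inform the user directly; the checks that run after the redirect_uri has been matched (permission, grant type, response type, scope) may keep redirecting. Passing `null` as the redirect URI from the three pre-validation throw sites and letting the handler fall back to a direct error response, as below, closes it; the handler is only partially visible in this hunk. The `uri += "?error=" + ...` assembly in the handler also assumes the registered redirect_uri carries no query string of its own, which is worth an `&`-vs-`?` check or building the target with `UriComponentsBuilder`.
```java
public void handle(InvalidAuthorizationRequestError exception, HttpServletResponse response) throws IOException {
    // No validated client/redirect_uri (RFC 6749 §4.1.2.1): report to the user, never redirect
    if (exception.getRedirectUri() == null) {
        response.sendError(HttpServletResponse.SC_BAD_REQUEST, exception.getMessage());
        return;
    }
    String uri = exception.getRedirectUri().toString();
    // … unchanged: error, error_description and state query assembly, redirect …
```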
@@ -34,13 +34,12 @@ public class OidcDiscoveryController {
|
||||
/**
|
||||
* Gets the configuration.
|
||||
*
|
||||
* @param request the request
|
||||
* @param request the request
|
||||
* @param response the response
|
||||
* @return the configuration
|
||||
*/
|
||||
@GetMapping
|
||||
public OidcConfiguration getConfiguration(HttpServletRequest request,
|
||||
HttpServletResponse response) {
|
||||
public OidcConfiguration getConfiguration(HttpServletRequest request, HttpServletResponse response) {
|
||||
OidcConfiguration config = new OidcConfiguration();
|
||||
|
||||
String issuer = oidcIssuer;
|
||||
@@ -56,8 +55,7 @@ public class OidcDiscoveryController {
|
||||
config.setScopes_supported(Sets.newHashSet("openid"));
|
||||
config.setResponse_types_supported(Sets.newHashSet("code"));
|
||||
config.setGrant_types_supported(Sets.newHashSet("authorization_code"));
|
||||
config.setToken_endpoint_auth_methods_supported(
|
||||
Sets.newHashSet("client_secret_post", "client_secret_basic"));
|
||||
config.setToken_endpoint_auth_methods_supported(Sets.newHashSet("client_secret_post", "client_secret_basic"));
|
||||
config.setSubject_types_supported(Sets.newHashSet("public"));
|
||||
|
||||
try {
|
||||
|
||||
@@ -68,9 +68,9 @@ public class OidcTokenController {
|
||||
* Gets the token.
|
||||
*
|
||||
* @param authorizationHeader the authorization header
|
||||
* @param tokenRequest the token request
|
||||
* @param request the request
|
||||
* @param response the response
|
||||
* @param tokenRequest the token request
|
||||
* @param request the request
|
||||
* @param response the response
|
||||
* @return the token
|
||||
*/
|
||||
@PostMapping
|
||||
@@ -91,8 +91,9 @@ public class OidcTokenController {
|
||||
|
||||
if (StringUtils.hasText(authorizationHeader)
|
||||
&& StringUtils.startsWithIgnoreCase(authorizationHeader, BASIC_AUTH)) {
|
||||
String decoded = new String(Base64.getDecoder().decode(authorizationHeader
|
||||
.replaceFirst(BASIC_AUTH, "").trim().getBytes(StandardCharsets.UTF_8)),
|
||||
String decoded = new String(
|
||||
Base64.getDecoder().decode(
|
||||
authorizationHeader.replaceFirst(BASIC_AUTH, "").trim().getBytes(StandardCharsets.UTF_8)),
|
||||
StandardCharsets.UTF_8);
|
||||
if (decoded.indexOf(":") != -1) {
|
||||
tokenRequest.setClient_id(decoded.split(":")[0]);
|
||||
@@ -100,8 +101,7 @@ public class OidcTokenController {
|
||||
clientAuthenticationMethod = OidcClientAuthenticationMethod.basic;
|
||||
} else {
|
||||
logger.debug("invalid_basic_authentication: " + decoded);
|
||||
throw new InvalidTokenRequestError(OidcTokenErrorCode.INVALID_CLIENT,
|
||||
"invalid_basic_authentication");
|
||||
throw new InvalidTokenRequestError(OidcTokenErrorCode.INVALID_CLIENT, "invalid_basic_authentication");
|
||||
}
|
||||
}
|
||||
|
||||
@@ -115,45 +115,38 @@ public class OidcTokenController {
|
||||
|
||||
if (!client.getClientAuthenticationMethods().contains(clientAuthenticationMethod)) {
|
||||
logger.debug("invalid_authentication_method: " + clientAuthenticationMethod);
|
||||
throw new InvalidTokenRequestError(OidcTokenErrorCode.INVALID_REQUEST,
|
||||
"invalid_authentication_method");
|
||||
throw new InvalidTokenRequestError(OidcTokenErrorCode.INVALID_REQUEST, "invalid_authentication_method");
|
||||
}
|
||||
|
||||
if (!client.getAuthorizationGrantTypes().contains(tokenRequest.getGrant_type())) {
|
||||
logger.debug("invalid_grant_type: " + tokenRequest.getGrant_type());
|
||||
throw new InvalidTokenRequestError(OidcTokenErrorCode.UNAUTHORIZED_CLIENT,
|
||||
"invalid_grant_type");
|
||||
throw new InvalidTokenRequestError(OidcTokenErrorCode.UNAUTHORIZED_CLIENT, "invalid_grant_type");
|
||||
}
|
||||
|
||||
if (tokenRequest.getRedirect_uri() != null
|
||||
&& !client.getRedirectUris().contains(tokenRequest.getRedirect_uri().toString())) {
|
||||
logger.debug("invalid redirect_uri: " + tokenRequest.getRedirect_uri().toString()
|
||||
+ " allowed: " + client.getRedirectUris());
|
||||
throw new InvalidTokenRequestError(OidcTokenErrorCode.INVALID_REQUEST,
|
||||
"invalid_redirect_uri");
|
||||
logger.debug("invalid redirect_uri: " + tokenRequest.getRedirect_uri().toString() + " allowed: "
|
||||
+ client.getRedirectUris());
|
||||
throw new InvalidTokenRequestError(OidcTokenErrorCode.INVALID_REQUEST, "invalid_redirect_uri");
|
||||
}
|
||||
|
||||
OidcToken token = null;
|
||||
switch (tokenRequest.getGrant_type()) {
|
||||
case authorization_code:
|
||||
OidcAuthorizationCode authorizationCode = oidcAuthorizationCodeManager
|
||||
.getByCode(tokenRequest.getCode());
|
||||
OidcAuthorizationCode authorizationCode = oidcAuthorizationCodeManager.getByCode(tokenRequest.getCode());
|
||||
if (authorizationCode == null) {
|
||||
logger.debug("invalid authorization code: " + tokenRequest.getCode());
|
||||
throw new InvalidTokenRequestError(OidcTokenErrorCode.INVALID_GRANT,
|
||||
"invalid_authorization_code");
|
||||
throw new InvalidTokenRequestError(OidcTokenErrorCode.INVALID_GRANT, "invalid_authorization_code");
|
||||
}
|
||||
if (Instant.now().isAfter(authorizationCode.getExpiry())) {
|
||||
logger.debug("authorization code expired: " + authorizationCode.getExpiry());
|
||||
throw new InvalidTokenRequestError(OidcTokenErrorCode.INVALID_GRANT,
|
||||
"invalid_authorization_code");
|
||||
throw new InvalidTokenRequestError(OidcTokenErrorCode.INVALID_GRANT, "invalid_authorization_code");
|
||||
}
|
||||
|
||||
if (!tokenRequest.getClient_id().equals(authorizationCode.getClientId())) {
|
||||
logger.debug("invalid client for authorization code, expected: "
|
||||
+ authorizationCode.getClientId() + " got: " + tokenRequest.getClient_id());
|
||||
throw new InvalidTokenRequestError(OidcTokenErrorCode.INVALID_CLIENT,
|
||||
"invalid_client");
|
||||
logger.debug("invalid client for authorization code, expected: " + authorizationCode.getClientId()
|
||||
+ " got: " + tokenRequest.getClient_id());
|
||||
throw new InvalidTokenRequestError(OidcTokenErrorCode.INVALID_CLIENT, "invalid_client");
|
||||
}
|
||||
|
||||
Set<String> scopes = StringUtils.hasText(tokenRequest.getScope())
|
||||
@@ -162,8 +155,7 @@ public class OidcTokenController {
|
||||
|
||||
if (!scopes.contains("openid") || !client.getScopes().containsAll(scopes)) {
|
||||
logger.debug("missing openid scope: " + scopes + " - " + client.getClientName());
|
||||
throw new InvalidTokenRequestError(OidcTokenErrorCode.INVALID_SCOPE,
|
||||
"invalid scopes");
|
||||
throw new InvalidTokenRequestError(OidcTokenErrorCode.INVALID_SCOPE, "invalid scopes");
|
||||
}
|
||||
|
||||
String issuer = oidcIssuer;
|
||||
@@ -176,9 +168,8 @@ public class OidcTokenController {
|
||||
}
|
||||
|
||||
try {
|
||||
token = oidcTokenManager.createTokenWithIdToken(client,
|
||||
authorizationCode.getUserId(), authorizationCode.getNonce(), scopes,
|
||||
issuer);
|
||||
token = oidcTokenManager.createTokenWithIdToken(client, authorizationCode.getUserId(),
|
||||
authorizationCode.getNonce(), scopes, issuer);
|
||||
} catch (JOSEException e) {
|
||||
logger.error("error creating token", client, authorizationCode);
|
||||
e.printStackTrace();
|
||||
@@ -208,13 +199,13 @@ public class OidcTokenController {
|
||||
* Handle.
|
||||
*
|
||||
* @param exception the exception
|
||||
* @param response the response
|
||||
* @param response the response
|
||||
* @return the response entity
|
||||
* @throws IOException Signals that an I/O exception has occurred.
|
||||
*/
|
||||
@ExceptionHandler(InvalidTokenRequestError.class)
|
||||
public ResponseEntity<String> handle(InvalidTokenRequestError exception,
|
||||
HttpServletResponse response) throws IOException {
|
||||
public ResponseEntity<String> handle(InvalidTokenRequestError exception, HttpServletResponse response)
|
||||
throws IOException {
|
||||
// response.sendError(400, "redirect uri mismatch");
|
||||
return ResponseEntity.badRequest().contentType(MediaType.APPLICATION_JSON)
|
||||
.body(" {\"error\": \"" + exception.getMessage() + "\"}");
|
||||
@@ -236,7 +227,7 @@ public class OidcTokenController {
|
||||
/**
|
||||
* Instantiates a new invalid token request error.
|
||||
*
|
||||
* @param errorCode the error code
|
||||
* @param errorCode the error code
|
||||
* @param errorDescription the error description
|
||||
*/
|
||||
InvalidTokenRequestError(OidcTokenErrorCode errorCode, String errorDescription) {
|
||||
|
||||
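Review bot: The Basic-auth branch at `if (StringUtils.hasText(authorizationHeader) && StringUtils.startsWithIgnoreCase(authorizationHeader, BASIC_AUTH))` accepts the scheme case-insensitively but then strips it with `authorizationHeader.replaceFirst(BASIC_AUTH, "")`, which is case-sensitive (and a regex), so a header spelled `basic …` reaches `Base64.getDecoder().decode` with the scheme still attached and the resulting IllegalArgumentException escapes as a 500 instead of an `invalid_client` error; the same decode throws on any malformed Base64 regardless of case. The failure branch then logs `"invalid_basic_authentication: " + decoded`, i.e. the decoded credential pair including whatever secret the client sent, into the application log; the rewrite below strips by length, catches the decode failure, and logs only the reason. It also splits on the first `:` instead of `decoded.split(":")[0]`, so a secret containing a colon is no longer truncated; RFC 6749 §2.3.1 additionally form-urlencodes both halves before Base64, which this parser still does not undo. Whether an authorization code is invalidated after first use is not visible in this hunk (only the expiry check `Instant.now().isAfter(authorizationCode.getExpiry())` is), and the token request's `redirect_uri` is compared only against the client's registered list, not against the `redirectUri` stored on the authorization code — worth confirming the lines between the hunks cover both.
```java
if (StringUtils.hasText(authorizationHeader)
        && StringUtils.startsWithIgnoreCase(authorizationHeader, BASIC_AUTH)) {
    String decoded;
    try {
        // strip by length: the scheme matched case-insensitively, replaceFirst would not
        decoded = new String(Base64.getDecoder().decode(
                authorizationHeader.substring(BASIC_AUTH.length()).trim()), StandardCharsets.UTF_8);
    } catch (IllegalArgumentException e) {
        logger.debug("invalid_basic_authentication: header is not valid base64");
        throw new InvalidTokenRequestError(OidcTokenErrorCode.INVALID_CLIENT, "invalid_basic_authentication");
    }
    int sep = decoded.indexOf(':');
    if (sep > 0) {
        tokenRequest.setClient_id(decoded.substring(0, sep));
        // … unchanged: client_secret assignment (from decoded.substring(sep + 1)), clientAuthenticationMethod = basic …
    } else {
        // do not log `decoded`: it carries the client secret
        logger.debug("invalid_basic_authentication: missing ':' separator");
        throw new InvalidTokenRequestError(OidcTokenErrorCode.INVALID_CLIENT, "invalid_basic_authentication");
    }
}
```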
@@ -71,8 +71,7 @@ public class OidcClientModel {
|
||||
*
|
||||
* @param clientAuthenticationMethods the new client authentication methods
|
||||
*/
|
||||
public void setClientAuthenticationMethods(
|
||||
Set<OidcClientAuthenticationMethod> clientAuthenticationMethods) {
|
||||
public void setClientAuthenticationMethods(Set<OidcClientAuthenticationMethod> clientAuthenticationMethods) {
|
||||
this.clientAuthenticationMethods = clientAuthenticationMethods;
|
||||
}
|
||||
|
||||
@@ -90,8 +89,7 @@ public class OidcClientModel {
|
||||
*
|
||||
* @param authorizationGrantTypes the new authorization grant types
|
||||
*/
|
||||
public void setAuthorizationGrantTypes(
|
||||
Set<OidcAuthorizationGrantType> authorizationGrantTypes) {
|
||||
public void setAuthorizationGrantTypes(Set<OidcAuthorizationGrantType> authorizationGrantTypes) {
|
||||
this.authorizationGrantTypes = authorizationGrantTypes;
|
||||
}
|
||||
|
||||
|
||||
@@ -29,14 +29,13 @@ public class OidcAuthorizationCode {
|
||||
/**
|
||||
* Instantiates a new oidc authorization code.
|
||||
*
|
||||
* @param clientId the client id
|
||||
* @param clientId the client id
|
||||
* @param redirectUri the redirect uri
|
||||
* @param scopes the scopes
|
||||
* @param userId the user id
|
||||
* @param nonce the nonce
|
||||
* @param scopes the scopes
|
||||
* @param userId the user id
|
||||
* @param nonce the nonce
|
||||
*/
|
||||
public OidcAuthorizationCode(String clientId, URI redirectUri, Set<String> scopes, Long userId,
|
||||
String nonce) {
|
||||
public OidcAuthorizationCode(String clientId, URI redirectUri, Set<String> scopes, Long userId, String nonce) {
|
||||
this.clientId = clientId;
|
||||
this.redirectUri = redirectUri;
|
||||
this.scopes = scopes;
|
||||
|
||||
@@ -149,8 +149,7 @@ public class OidcClient {
|
||||
*
|
||||
* @param clientAuthenticationMethods the new client authentication methods
|
||||
*/
|
||||
public void setClientAuthenticationMethods(
|
||||
Set<OidcClientAuthenticationMethod> clientAuthenticationMethods) {
|
||||
public void setClientAuthenticationMethods(Set<OidcClientAuthenticationMethod> clientAuthenticationMethods) {
|
||||
this.clientAuthenticationMethods = clientAuthenticationMethods;
|
||||
}
|
||||
|
||||
@@ -168,8 +167,7 @@ public class OidcClient {
|
||||
*
|
||||
* @param authorizationGrantTypes the new authorization grant types
|
||||
*/
|
||||
public void setAuthorizationGrantTypes(
|
||||
Set<OidcAuthorizationGrantType> authorizationGrantTypes) {
|
||||
public void setAuthorizationGrantTypes(Set<OidcAuthorizationGrantType> authorizationGrantTypes) {
|
||||
this.authorizationGrantTypes = authorizationGrantTypes;
|
||||
}
|
||||
|
||||
|
||||
@@ -196,10 +196,10 @@ public class OidcConfiguration {
|
||||
/**
|
||||
* Sets the token endpoint auth methods supported.
|
||||
*
|
||||
* @param token_endpoint_auth_methods_supported the new token endpoint auth methods supported
|
||||
* @param token_endpoint_auth_methods_supported the new token endpoint auth
|
||||
* methods supported
|
||||
*/
|
||||
public void setToken_endpoint_auth_methods_supported(
|
||||
Set<String> token_endpoint_auth_methods_supported) {
|
||||
public void setToken_endpoint_auth_methods_supported(Set<String> token_endpoint_auth_methods_supported) {
|
||||
this.token_endpoint_auth_methods_supported = token_endpoint_auth_methods_supported;
|
||||
}
|
||||
|
||||
|
||||
@@ -7,9 +7,9 @@ package de.bstly.we.oidc.model;
|
||||
* The Enum OidcTokenErrorCode.
|
||||
*/
|
||||
public enum OidcTokenErrorCode {
|
||||
INVALID_REQUEST("invalid_request"), INVALID_CLIENT("invalid_client"),
|
||||
INVALID_GRANT("invalid_grant"), UNAUTHORIZED_CLIENT("unauthorized_client"),
|
||||
UNSUPPORTED_GRANT_TYPE("unsupported_grant_type"), INVALID_SCOPE("invalid_scope");
|
||||
INVALID_REQUEST("invalid_request"), INVALID_CLIENT("invalid_client"), INVALID_GRANT("invalid_grant"),
|
||||
UNAUTHORIZED_CLIENT("unauthorized_client"), UNSUPPORTED_GRANT_TYPE("unsupported_grant_type"),
|
||||
INVALID_SCOPE("invalid_scope");
|
||||
|
||||
private final String tokenErrorCode;
|
||||
|
||||
|
||||
@@ -20,15 +20,15 @@ public class OidcTokenRequest {
|
||||
/**
|
||||
* Instantiates a new oidc token request.
|
||||
*
|
||||
* @param code the code
|
||||
* @param grant_type the grant type
|
||||
* @param client_id the client id
|
||||
* @param code the code
|
||||
* @param grant_type the grant type
|
||||
* @param client_id the client id
|
||||
* @param client_secret the client secret
|
||||
* @param redirect_uri the redirect uri
|
||||
* @param scope the scope
|
||||
* @param redirect_uri the redirect uri
|
||||
* @param scope the scope
|
||||
*/
|
||||
public OidcTokenRequest(String code, OidcAuthorizationGrantType grant_type, String client_id,
|
||||
String client_secret, URI redirect_uri, String scope) {
|
||||
public OidcTokenRequest(String code, OidcAuthorizationGrantType grant_type, String client_id, String client_secret,
|
||||
URI redirect_uri, String scope) {
|
||||
super();
|
||||
this.code = code;
|
||||
this.grant_type = grant_type;
|
||||
|
||||