DWN-26566: Added password encoded to the client entity service and changed the Introspection token service to allow parsing of client authorities for api level access

openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/IntrospectingTokenService.java

@@ -21,12 +21,7 @@ import static org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod.SECRET_BASIC
 
 import java.io.IOException;
 import java.net.URI;
-import java.util.Calendar;
+import java.util.*;
-import java.util.Date;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Map;
-import java.util.Set;
 
 import org.apache.http.client.HttpClient;
 import org.apache.http.impl.client.HttpClientBuilder;
@@ -41,6 +36,7 @@ import org.springframework.http.client.ClientHttpRequest;
 import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
 import org.springframework.security.oauth2.common.util.OAuth2Utils;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
@@ -237,10 +233,15 @@ public class IntrospectingTokenService implements ResourceServerTokenServices {
 		Map<String, String> parameters = new HashMap<>();
 		parameters.put("client_id", clientId);
 		parameters.put("scope", OAuth2Utils.formatParameterList(scopes));
-		OAuth2Request storedRequest = new OAuth2Request(parameters, clientId, null, true, scopes, null, null, null, null);
+		OAuth2Request storedRequest = new OAuth2Request(parameters, clientId, parseClientAuthorities(token), true, scopes, null, null, null, null);
 		return storedRequest;
 	}
 
+	// Added the protected method to allow custom behaviour
+	protected Collection<? extends GrantedAuthority> parseClientAuthorities(JsonObject token) {
+	    return null;
+    }
+
 	private Authentication createUserAuthentication(JsonObject token) {
 		JsonElement userId = token.get("user_id");
 		if(userId == null) {

openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java

@@ -50,6 +50,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
+import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
 import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
 import org.springframework.stereotype.Service;
@@ -100,6 +101,10 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt
 	@Autowired
 	private ConfigurationPropertiesBean config;
 
+	@Autowired
+	private PasswordEncoder passwordEncoder;
+
+
     // map of sector URI -> list of redirect URIs
 	private LoadingCache<String, List<String>> sectorRedirects = CacheBuilder.newBuilder()
 			.expireAfterAccess(1, TimeUnit.HOURS)
@@ -145,6 +150,10 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt
 
 		ensureNoReservedScopes(client);
 
+		if(!Strings.isNullOrEmpty(client.getClientSecret())) {
+		    client.setClientSecret(this.passwordEncoder.encode(client.getClientSecret()));
+        }
+
 		ClientDetailsEntity c = clientRepository.saveClient(client);
 
 		statsService.resetCache();
@@ -423,6 +432,10 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt
 			// make sure a client doesn't get any special system scopes
 			ensureNoReservedScopes(newClient);
 
+            if(!Strings.isNullOrEmpty(newClient.getClientSecret())) {
+                newClient.setClientSecret(this.passwordEncoder.encode(newClient.getClientSecret()));
+            }
+
 			return clientRepository.updateClient(oldClient.getId(), newClient);
 		}
 		throw new IllegalArgumentException("Neither old client or new client can be null!");