diff --git a/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/IntrospectingTokenService.java b/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/IntrospectingTokenService.java
index ab46d69c1..8ce59373a 100644
--- a/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/IntrospectingTokenService.java
+++ b/openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/IntrospectingTokenService.java
@@ -122,7 +122,7 @@ public class IntrospectingTokenService implements ResourceServerTokenServices {
  Map parameters = new HashMap();
  parameters.put("client_id", clientId);
  parameters.put("scope", OAuth2Utils.formatParameterList(scopes));
- OAuth2Request storedRequest = new OAuth2Request(parameters, clientId, null, true, scopes, null, null, null);
+ OAuth2Request storedRequest = new OAuth2Request(parameters, clientId, null, true, scopes, null, null, null, null);
  return storedRequest;
  }
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java b/openid-connect-common/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java
index cbaca2bff..caf0a57eb 100644
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/model/ClientDetailsEntity.java
@@ -1024,4 +1024,12 @@ public class ClientDetailsEntity implements ClientDetails {
  this.createdAt = createdAt;
  }
+ /**
+ * Our framework doesn't use this construct, we use WhitelistedSites and ApprovedSites instead.
+ */
+ @Override
+ public boolean isAutoApprove(String scope) {
+ return false;
+ }
+
  }
diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/token/StructuredScopeAwareOAuth2RequestValidator.java b/openid-connect-server/src/main/java/org/mitre/oauth2/token/StructuredScopeAwareOAuth2RequestValidator.java
index e3293d283..ac1614554 100644
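Review bot: The new `OAuth2Request` call in IntrospectingTokenService now carries five positional `null`s and nothing at the call site says which one is the response-types set this constructor gained; the ConnectOAuth2RequestFactory hunk in the same commit fixes the order as resourceIds, redirectUri, responseTypes, extensions. The next arity change will be as silent as this one, so I would label them inline: `new OAuth2Request(parameters, clientId, /* authorities */ null, true, scopes, /* resourceIds */ null, /* redirectUri */ null, /* responseTypes */ null, /* extensions */ null)`. The enclosing method begins before this hunk.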
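Review bot: The Javadoc on the new `isAutoApprove` override says the construct is unused, but not that returning `false` is the deliberately fail-closed choice a future maintainer must preserve; if someone later "fixes" it to consult the client's scope set, consent would presumably be skipped for those scopes regardless of what WhitelistedSites and ApprovedSites decide. I would extend the comment along the lines of `Always returns false so the framework never auto-approves a scope on its own; approval is decided exclusively through WhitelistedSites and ApprovedSites, and the scope argument is intentionally ignored.` The override is complete within the hunk and the class body ends here.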
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/token/StructuredScopeAwareOAuth2RequestValidator.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/token/StructuredScopeAwareOAuth2RequestValidator.java
@@ -10,7 +10,10 @@ import org.mitre.oauth2.service.SystemScopeService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
 import org.springframework.security.oauth2.common.util.OAuth2Utils;
+import org.springframework.security.oauth2.provider.AuthorizationRequest;
+import org.springframework.security.oauth2.provider.ClientDetails;
 import org.springframework.security.oauth2.provider.OAuth2RequestValidator;
+import org.springframework.security.oauth2.provider.TokenRequest;
 /**
  *
@@ -28,11 +31,9 @@ public class StructuredScopeAwareOAuth2RequestValidator implements OAuth2Request
  /* (non-Javadoc)
  * @see org.springframework.security.oauth2.provider.OAuth2RequestValidator#validateScope(java.util.Map, java.util.Set)
  */
- @Override
- public void validateScope(Map parameters, Set clientScopes) throws InvalidScopeException {
- if (parameters.containsKey("scope")) {
+ private void validateScope(Set requestedScopes, Set clientScopes) throws InvalidScopeException {
+ if (requestedScopes != null && !requestedScopes.isEmpty()) {
  if (clientScopes != null && !clientScopes.isEmpty()) {
- Set requestedScopes = OAuth2Utils.parseParameterList(parameters.get("scope"));
  if (!scopeService.scopesMatch(clientScopes, requestedScopes)) {
  throw new InvalidScopeException("Invalid scope", clientScopes);
  }
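Review bot: The refactored check still fails open when the client has no registered scopes: with `clientScopes` null or empty the inner guard is skipped and any non-empty `requestedScopes` passes without `scopesMatch` ever being called, and the commit keeps that while rewriting the signature around it. If a client registered with no scopes is meant to be refused, the guard should read `if (clientScopes == null || clientScopes.isEmpty() || !scopeService.scopesMatch(clientScopes, requestedScopes)) { throw new InvalidScopeException("Invalid scope", clientScopes); }`; if an empty registration is intended to mean "unrestricted", a comment saying exactly that belongs on the `if (clientScopes != null ...)` line so nobody reads it as an oversight. The `/* (non-Javadoc) @see ...validateScope(java.util.Map, java.util.Set) */` block above is now stale, since the method is private and no longer overrides that interface method; it should become a Javadoc describing the two-level check and the `InvalidScopeException` it throws. The new method's body continues past the end of this hunk.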
@@ -40,4 +41,14 @@ public class StructuredScopeAwareOAuth2RequestValidator implements OAuth2Request
  }
  }
+ @Override
+ public void validateScope(AuthorizationRequest authorizationRequest, ClientDetails client) throws InvalidScopeException {
+ validateScope(authorizationRequest.getScope(), client.getScope());
+ }
+
+ @Override
+ public void validateScope(TokenRequest tokenRequest, ClientDetails client) throws InvalidScopeException {
+ validateScope(tokenRequest.getScope(), client.getScope());
+ }
+
  }
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectOAuth2RequestFactory.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectOAuth2RequestFactory.java
index bac354398..e389547ec 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectOAuth2RequestFactory.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectOAuth2RequestFactory.java
@@ -93,7 +93,7 @@ public class ConnectOAuth2RequestFactory extends DefaultOAuth2RequestFactory {
  @Override
  public OAuth2Request createOAuth2Request(AuthorizationRequest request) {
  return new OAuth2Request(request.getRequestParameters(), request.getClientId(), request.getAuthorities(),
- request.isApproved(), request.getScope(), request.getResourceIds(), request.getRedirectUri(), request.getExtensions());
+ request.isApproved(), request.getScope(), request.getResourceIds(), request.getRedirectUri(), request.getResponseTypes(), request.getExtensions());
  }
  @Override
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java
index fbfb15c16..c74a6a1e8 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java
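Review bot: Both new public `validateScope` overrides are undocumented, and with the old `@see` link gone a reader has to open the private helper to learn that a request naming no scope, or a client registered with no scope, passes without any `scopesMatch` call. I would give each override a Javadoc such as `/** Rejects the request when the scopes it asks for are not covered by the client's registered scopes; a request with no scopes, and a client with no registered scopes, pass unchecked. */` plus a `@throws InvalidScopeException` line, so the lenient cases are a documented contract rather than a surprise. If refresh-token requests also arrive through the `TokenRequest` overload (I have not checked the caller), their possibly-empty scope set gets the same pass-through, which is worth confirming is intended. The second override calls into a helper defined outside this hunk.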
@@ -136,7 +136,7 @@ public class DefaultOIDCTokenService implements OIDCTokenService {
  Map authorizationParameters = Maps.newHashMap();
  OAuth2Request clientAuth = new OAuth2Request(authorizationParameters, client.getClientId(), Sets.newHashSet(new SimpleGrantedAuthority("ROLE_CLIENT")), true,
- Sets.newHashSet(OAuth2AccessTokenEntity.REGISTRATION_TOKEN_SCOPE), null, null, null);
+ Sets.newHashSet(OAuth2AccessTokenEntity.REGISTRATION_TOKEN_SCOPE), null, null, null, null);
  OAuth2Authentication authentication = new OAuth2Authentication(clientAuth, null);
  OAuth2AccessTokenEntity token = new OAuth2AccessTokenEntity();
diff --git a/openid-connect-server/src/test/java/org/mitre/oauth2/service/impl/TestDefaultOAuth2ProviderTokenService.java b/openid-connect-server/src/test/java/org/mitre/oauth2/service/impl/TestDefaultOAuth2ProviderTokenService.java
index cef7ead69..347e598ed 100644
--- a/openid-connect-server/src/test/java/org/mitre/oauth2/service/impl/TestDefaultOAuth2ProviderTokenService.java
+++ b/openid-connect-server/src/test/java/org/mitre/oauth2/service/impl/TestDefaultOAuth2ProviderTokenService.java
@@ -103,7 +103,7 @@ public class TestDefaultOAuth2ProviderTokenService {
  authentication = Mockito.mock(OAuth2Authentication.class);
- OAuth2Request clientAuth = new OAuth2Request(null, clientId, null, true, scope, null, null, null);
+ OAuth2Request clientAuth = new OAuth2Request(null, clientId, null, true, scope, null, null, null, null);
  Mockito.when(authentication.getOAuth2Request()).thenReturn(clientAuth);
  client = Mockito.mock(ClientDetailsEntity.class);
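Review bot: The synthetic `OAuth2Request` built here for the registration token is pre-approved and carries `ROLE_CLIENT`, so the single `REGISTRATION_TOKEN_SCOPE` scope set is the only thing constraining it, and the four trailing `null`s that follow it are now the sole record of what else was deliberately left unset; the ConnectOAuth2RequestFactory hunk in this commit fixes their order as resourceIds, redirectUri, responseTypes, extensions. I would make that explicit on the changed line: `Sets.newHashSet(OAuth2AccessTokenEntity.REGISTRATION_TOKEN_SCOPE), /* resourceIds */ null, /* redirectUri */ null, /* responseTypes */ null, /* extensions */ null);`. The enclosing method starts before and ends after this hunk.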
@@ -191,7 +191,7 @@ public class TestDefaultOAuth2ProviderTokenService {
  @Test
  public void createAccessToken_yesRefresh() {
- OAuth2Request clientAuth = new OAuth2Request(null, clientId, null, true, Sets.newHashSet("offline_access"), null, null, null);
+ OAuth2Request clientAuth = new OAuth2Request(null, clientId, null, true, Sets.newHashSet("offline_access"), null, null, null, null);
  Mockito.when(authentication.getOAuth2Request()).thenReturn(clientAuth);
  Mockito.when(client.isAllowRefresh()).thenReturn(true);