Applyed refactoring

openid-connect-client/src/main/java/org/mitre/oauth2/introspectingfilter/IntrospectingTokenService.java

@@ -11,8 +11,9 @@ import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
+import org.springframework.security.oauth2.common.util.OAuth2Utils;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
-import org.springframework.security.oauth2.provider.OAuth2Request;
+import org.springframework.security.oauth2.provider.StoredOAuth2Request;
 import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import org.springframework.util.LinkedMultiValueMap;
@@ -79,17 +80,18 @@ public class IntrospectingTokenService implements ResourceServerTokenServices {
         return null;
     }
     
-    private OAuth2Request createAuthRequest(final JsonObject token) {
+    private StoredOAuth2Request createStoredRequest(final JsonObject token) {
-    	
     	clientId = token.get("client_id").getAsString();
         Set<String> scopes = new HashSet<String>();
         for (JsonElement e : token.get("scope").getAsJsonArray()) {
             scopes.add(e.getAsString());
         }   
-        OAuth2Request authReq = new OAuth2Request();
+        Map<String, String> parameters = new HashMap<String, String>();
-        authReq.setScope(scopes);
+        parameters.put("client_id", clientId);
-        authReq.setClientId(clientId);
+        parameters.put("scope", OAuth2Utils.formatParameterList(scopes));
-        return authReq;
+        StoredOAuth2Request storedRequest = new StoredOAuth2Request(parameters, clientId, null, true, scopes, null, null, null);
+        return storedRequest;
+    	
     }
     
     // create a default authentication object with authority ROLE_API
@@ -141,7 +143,7 @@ public class IntrospectingTokenService implements ResourceServerTokenServices {
                 return false;
             }
             // create an OAuth2Authentication
-            OAuth2Authentication auth = new OAuth2Authentication(createAuthRequest(tokenResponse), createAuthentication(tokenResponse));
+            OAuth2Authentication auth = new OAuth2Authentication(createStoredRequest(tokenResponse), createAuthentication(tokenResponse));
             // create an OAuth2AccessToken
             OAuth2AccessToken token = createAccessToken(tokenResponse, accessToken);
             

openid-connect-common/src/main/java/org/mitre/oauth2/model/AuthorizationCodeEntity.java

@@ -12,7 +12,7 @@ import javax.persistence.NamedQueries;
 import javax.persistence.NamedQuery;
 import javax.persistence.Table;
 
-import org.springframework.security.oauth2.provider.code.AuthorizationRequestHolder;
+import org.springframework.security.oauth2.provider.OAuth2Authentication;
 
 /**
  * Entity class for authorization codes
@@ -31,7 +31,7 @@ public class AuthorizationCodeEntity {
 	
 	private String code;
 	
-	private AuthorizationRequestHolder authorizationRequestHolder;
+	private OAuth2Authentication authentication;
 
 	/**
 	 * Default constructor.
@@ -46,9 +46,9 @@ public class AuthorizationCodeEntity {
 	 * @param code 			the authorization code
 	 * @param authRequest	the AuthoriztionRequestHolder associated with the original code request
 	 */
-	public AuthorizationCodeEntity(String code, AuthorizationRequestHolder authRequest) {
+	public AuthorizationCodeEntity(String code, OAuth2Authentication authRequest) {
 		this.code = code;
-		this.authorizationRequestHolder = authRequest;
+		this.authentication = authRequest;
 	}
 	
 	/**
@@ -83,20 +83,20 @@ public class AuthorizationCodeEntity {
 	}
 
 	/**
-	 * @return the authorizationRequestHolder
+	 * @return the authentication
 	 */
 	@Lob
 	@Basic(fetch=FetchType.EAGER)
-	@Column(name="authorization_request_holder")
+	@Column(name="authentication")
-	public AuthorizationRequestHolder getAuthorizationRequestHolder() {
+	public OAuth2Authentication getAuthentication() {
-		return authorizationRequestHolder;
+		return authentication;
 	}
 
 	/**
-	 * @param authorizationRequestHolder the authorizationRequestHolder to set
+	 * @param authentication the authentication to set
 	 */
-	public void setAuthorizationRequestHolder(AuthorizationRequestHolder authorizationRequestHolder) {
+	public void setAuthentication(OAuth2Authentication authentication) {
-		this.authorizationRequestHolder = authorizationRequestHolder;
+		this.authentication = authentication;
 	}
 	
 }

openid-connect-common/src/main/java/org/mitre/oauth2/repository/AuthorizationCodeRepository.java

@@ -2,7 +2,7 @@ package org.mitre.oauth2.repository;
 
 import org.mitre.oauth2.model.AuthorizationCodeEntity;
 import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
-import org.springframework.security.oauth2.provider.code.AuthorizationRequestHolder;
+import org.springframework.security.oauth2.provider.OAuth2Authentication;
 
 /**
  * Interface for saving and consuming OAuth2 authorization codes as AuthorizationCodeEntitys. 
@@ -27,6 +27,6 @@ public interface AuthorizationCodeRepository {
 	 * @return							the authentication associated with the code	
 	 * @throws InvalidGrantException	if no AuthorizationCodeEntity is found with the given value
 	 */
-	public AuthorizationRequestHolder consume(String code) throws InvalidGrantException;
+	public OAuth2Authentication consume(String code) throws InvalidGrantException;
 	
 }

openid-connect-server/src/main/java/org/mitre/oauth2/repository/impl/JpaAuthorizationCodeRepository.java

@@ -11,7 +11,7 @@ import org.mitre.oauth2.model.AuthorizationCodeEntity;
 import org.mitre.oauth2.repository.AuthorizationCodeRepository;
 import org.mitre.util.jpa.JpaUtil;
 import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
-import org.springframework.security.oauth2.provider.code.AuthorizationRequestHolder;
+import org.springframework.security.oauth2.provider.OAuth2Authentication;
 import org.springframework.stereotype.Repository;
 import org.springframework.transaction.annotation.Transactional;
 
@@ -44,7 +44,7 @@ public class JpaAuthorizationCodeRepository implements AuthorizationCodeReposito
 	 */
 	@Override
 	@Transactional
-	public AuthorizationRequestHolder consume(String code) throws InvalidGrantException {
+	public OAuth2Authentication consume(String code) throws InvalidGrantException {
 		
 		TypedQuery<AuthorizationCodeEntity> query = manager.createNamedQuery("AuthorizationCodeEntity.getByValue", AuthorizationCodeEntity.class);
 		query.setParameter("code", code);
@@ -55,7 +55,7 @@ public class JpaAuthorizationCodeRepository implements AuthorizationCodeReposito
 			throw new InvalidGrantException("JpaAuthorizationCodeRepository: no authorization code found for value " + code);
 		}
 		
-		AuthorizationRequestHolder authRequest = result.getAuthorizationRequestHolder();
+		OAuth2Authentication authRequest = result.getAuthentication();
 		
 		manager.remove(result);
 		

openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2AuthorizationCodeService.java

@@ -8,8 +8,8 @@ import org.mitre.oauth2.repository.AuthorizationCodeRepository;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
 import org.springframework.security.oauth2.common.util.RandomValueStringGenerator;
+import org.springframework.security.oauth2.provider.OAuth2Authentication;
 import org.springframework.security.oauth2.provider.code.AuthorizationCodeServices;
-import org.springframework.security.oauth2.provider.code.AuthorizationRequestHolder;
 import org.springframework.stereotype.Service;
 
 /**
@@ -35,7 +35,7 @@ public class DefaultOAuth2AuthorizationCodeService implements AuthorizationCodeS
 	 * @return 					the authorization code
 	 */
 	@Override
-	public String createAuthorizationCode(AuthorizationRequestHolder authentication) {
+	public String createAuthorizationCode(OAuth2Authentication authentication) {
 		String code = generator.generate();
 		
 		AuthorizationCodeEntity entity = new AuthorizationCodeEntity(code, authentication);
@@ -55,9 +55,9 @@ public class DefaultOAuth2AuthorizationCodeService implements AuthorizationCodeS
 	 * @throws 			InvalidGrantException, if an AuthorizationCodeEntity is not found with the given value
 	 */
 	@Override
-	public AuthorizationRequestHolder consumeAuthorizationCode(String code) throws InvalidGrantException {
+	public OAuth2Authentication consumeAuthorizationCode(String code) throws InvalidGrantException {
 		
-		AuthorizationRequestHolder auth = repository.consume(code);
+		OAuth2Authentication auth = repository.consume(code);
 		return auth;
 	}
 

openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java

@@ -43,7 +43,8 @@ import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
 import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
-import org.springframework.security.oauth2.provider.OAuth2Request;
+import org.springframework.security.oauth2.provider.StoredOAuth2Request;
+import org.springframework.security.oauth2.provider.TokenRequest;
 import org.springframework.security.oauth2.provider.token.TokenEnhancer;
 import org.springframework.stereotype.Service;
 
@@ -78,9 +79,9 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 	
 	@Override
     public OAuth2AccessTokenEntity createAccessToken(OAuth2Authentication authentication) throws AuthenticationException, InvalidClientException {
-		if (authentication != null && authentication.getAuthorizationRequest() != null) {
+		if (authentication != null && authentication.getStoredRequest() != null) {
 			// look up our client
-			OAuth2Request clientAuth = authentication.getAuthorizationRequest();
+			StoredOAuth2Request clientAuth = authentication.getStoredRequest();
 			
 			ClientDetailsEntity client = clientDetailsService.loadClientByClientId(clientAuth.getClientId());
 		
@@ -151,7 +152,7 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 		    tokenRepository.saveAccessToken(token);
 		    
 	    	//Add approved site reference, if any
-		    OAuth2Request originalAuthRequest = authHolder.getAuthentication().getAuthorizationRequest();
+		    StoredOAuth2Request originalAuthRequest = authHolder.getAuthentication().getStoredRequest();
 			
 	    	if (originalAuthRequest.getExtensionProperties().containsKey("approved_site")) {
 				
@@ -175,7 +176,7 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
     }
 
 	@Override
-    public OAuth2AccessTokenEntity refreshAccessToken(String refreshTokenValue, OAuth2Request authRequest) throws AuthenticationException {
+    public OAuth2AccessTokenEntity refreshAccessToken(String refreshTokenValue, TokenRequest authRequest) throws AuthenticationException {
 		
 		OAuth2RefreshTokenEntity refreshToken = tokenRepository.getRefreshTokenByValue(refreshTokenValue);
 		
@@ -207,7 +208,7 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 		OAuth2AccessTokenEntity token = new OAuth2AccessTokenEntity(); 
 
 		// get the stored scopes from the authentication holder's authorization request; these are the scopes associated with the refresh token
-		Set<String> refreshScopes = new HashSet<String>(refreshToken.getAuthenticationHolder().getAuthentication().getAuthorizationRequest().getScope());
+		Set<String> refreshScopes = new HashSet<String>(refreshToken.getAuthenticationHolder().getAuthentication().getStoredRequest().getScope());
 		
 		Set<String> scope = new HashSet<String>(authRequest.getScope());
 		if (scope != null && !scope.isEmpty()) { 

openid-connect-server/src/main/java/org/mitre/oauth2/token/ChainedTokenGranter.java

@@ -10,14 +10,13 @@ import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
 import org.mitre.oauth2.service.ClientDetailsEntityService;
 import org.mitre.oauth2.service.OAuth2TokenEntityService;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
 import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
-import org.springframework.security.oauth2.provider.OAuth2Request;
+import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
+import org.springframework.security.oauth2.provider.TokenRequest;
 import org.springframework.security.oauth2.provider.token.AbstractTokenGranter;
-import org.springframework.stereotype.Component;
 
 import com.google.common.collect.Sets;
 
@@ -25,7 +24,7 @@ import com.google.common.collect.Sets;
  * @author jricher
  *
  */
-@Component("chainedTokenGranter")
+//@Component("chainedTokenGranter")
 public class ChainedTokenGranter extends AbstractTokenGranter {
 
 	private static final String grantType = "urn:ietf:params:oauth:grant_type:redelegate";
@@ -33,14 +32,16 @@ public class ChainedTokenGranter extends AbstractTokenGranter {
 	// keep down-cast versions so we can get to the right queries
 	private OAuth2TokenEntityService tokenServices;
 	
+	
+	
 	/**
 	 * @param tokenServices
 	 * @param clientDetailsService
 	 * @param grantType
 	 */
-	@Autowired
+	//@Autowired
-	public ChainedTokenGranter(OAuth2TokenEntityService tokenServices, ClientDetailsEntityService clientDetailsService) {
+	public ChainedTokenGranter(OAuth2TokenEntityService tokenServices, ClientDetailsEntityService clientDetailsService, OAuth2RequestFactory requestFactory) {
-		super(tokenServices, clientDetailsService, grantType);
+		super(tokenServices, clientDetailsService, requestFactory, grantType);
 		this.tokenServices = tokenServices;
 	}
 	
@@ -48,14 +49,14 @@ public class ChainedTokenGranter extends AbstractTokenGranter {
      * @see org.springframework.security.oauth2.provider.token.AbstractTokenGranter#getOAuth2Authentication(org.springframework.security.oauth2.provider.AuthorizationRequest)
      */
     @Override
-    protected OAuth2Authentication getOAuth2Authentication(OAuth2Request authorizationRequest) throws AuthenticationException, InvalidTokenException {
+    protected OAuth2Authentication getOAuth2Authentication(TokenRequest tokenRequest) throws AuthenticationException, InvalidTokenException {
     	// read and load up the existing token
-	    String incomingTokenValue = authorizationRequest.getRequestParameters().get("token");
+	    String incomingTokenValue = tokenRequest.getRequestParameters().get("token");
 	    OAuth2AccessTokenEntity incomingToken = tokenServices.readAccessToken(incomingTokenValue);
 	    
 	    // check for scoping in the request, can't up-scope with a chained request
 	    Set<String> approvedScopes = incomingToken.getScope();
-	    Set<String> requestedScopes = authorizationRequest.getScope();
+	    Set<String> requestedScopes = tokenRequest.getScope();
 	    
 	    if (requestedScopes == null) {
 	    	requestedScopes = new HashSet<String>();
@@ -71,21 +72,19 @@ public class ChainedTokenGranter extends AbstractTokenGranter {
 	    // if our scopes are a valid subset of what's allowed, we can continue
 	    if (approvedScopes.containsAll(requestedScopes)) {
 
-	    	// build an appropriate auth request to hand to the token services layer
-	    	authorizationRequest.setApproved(true);
 	    	if (requestedScopes.isEmpty()) {
 	    		// if there are no scopes, inherit the original scopes from the token
-	    		authorizationRequest.setScope(approvedScopes);
+	    		tokenRequest.setScope(approvedScopes);
 	    	} else {
 	    		// if scopes were asked for, give only the subset of scopes requested
 	    		// this allows safe downscoping
-	    		authorizationRequest.setScope(Sets.intersection(requestedScopes, approvedScopes));
+	    		tokenRequest.setScope(Sets.intersection(requestedScopes, approvedScopes));
 	    	}
 		    
 		    // NOTE: don't revoke the existing access token
 
 	    	// create a new access token
-	    	OAuth2Authentication authentication = new OAuth2Authentication(authorizationRequest, incomingToken.getAuthenticationHolder().getAuthentication().getUserAuthentication()); 
+	    	OAuth2Authentication authentication = new OAuth2Authentication(getRequestFactory().createStoredOAuth2Request(tokenRequest), incomingToken.getAuthenticationHolder().getAuthentication().getUserAuthentication()); 
 	    	
 	    	return authentication;
 	    	

openid-connect-server/src/main/java/org/mitre/oauth2/token/JwtAssertionTokenGranter.java

@@ -17,7 +17,8 @@ import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
 import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
 import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
-import org.springframework.security.oauth2.provider.OAuth2Request;
+import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
+import org.springframework.security.oauth2.provider.TokenRequest;
 import org.springframework.security.oauth2.provider.token.AbstractTokenGranter;
 import org.springframework.stereotype.Component;
 
@@ -46,8 +47,8 @@ public class JwtAssertionTokenGranter extends AbstractTokenGranter {
 	private ConfigurationPropertiesBean config;
 	
 	@Autowired
-	public JwtAssertionTokenGranter(OAuth2TokenEntityService tokenServices, ClientDetailsEntityService clientDetailsService) {
+	public JwtAssertionTokenGranter(OAuth2TokenEntityService tokenServices, ClientDetailsEntityService clientDetailsService, OAuth2RequestFactory requestFactory) {
-	    super(tokenServices, clientDetailsService, grantType);
+	    super(tokenServices, clientDetailsService, requestFactory, grantType);
 	    this.tokenServices = tokenServices;
     }
 
@@ -55,9 +56,9 @@ public class JwtAssertionTokenGranter extends AbstractTokenGranter {
      * @see org.springframework.security.oauth2.provider.token.AbstractTokenGranter#getOAuth2Authentication(org.springframework.security.oauth2.provider.AuthorizationRequest)
      */
     @Override
-    protected OAuth2AccessToken getAccessToken(OAuth2Request oAuthRequest) throws AuthenticationException, InvalidTokenException {
+    protected OAuth2AccessToken getAccessToken(TokenRequest tokenRequest) throws AuthenticationException, InvalidTokenException {
     	// read and load up the existing token
-	    String incomingTokenValue = oAuthRequest.getRequestParameters().get("assertion");
+	    String incomingTokenValue = tokenRequest.getRequestParameters().get("assertion");
 	    OAuth2AccessTokenEntity incomingToken = tokenServices.readAccessToken(incomingTokenValue);
 	    
 	    ClientDetailsEntity client = incomingToken.getClient();
@@ -65,7 +66,7 @@ public class JwtAssertionTokenGranter extends AbstractTokenGranter {
 	    
 	    if (incomingToken.getScope().contains(OAuth2AccessTokenEntity.ID_TOKEN_SCOPE)) {
 		    
-	    	if (!client.getClientId().equals(oAuthRequest.getClientId())) {
+	    	if (!client.getClientId().equals(tokenRequest.getClientId())) {
 		    	throw new InvalidClientException("Not the right client for this token");
 		    }
 

openid-connect-server/src/main/java/org/mitre/oauth2/view/TokenIntrospectionView.java

@@ -101,7 +101,7 @@ public class TokenIntrospectionView extends AbstractView {
             	
             	token.addProperty("subject", src.getAuthenticationHolder().getAuthentication().getName());
             	
-            	token.addProperty("client_id", src.getAuthenticationHolder().getAuthentication().getAuthorizationRequest().getClientId());
+            	token.addProperty("client_id", src.getAuthenticationHolder().getAuthentication().getStoredRequest().getClientId());
             	
             	return token;
             }

openid-connect-server/src/main/java/org/mitre/oauth2/web/OAuthConfirmationController.java

@@ -31,8 +31,8 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
+import org.springframework.security.oauth2.provider.AuthorizationRequest;
 import org.springframework.security.oauth2.provider.ClientDetails;
-import org.springframework.security.oauth2.provider.OAuth2Request;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.ModelAttribute;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -67,7 +67,7 @@ public class OAuthConfirmationController {
 	
 	@PreAuthorize("hasRole('ROLE_USER')")
 	@RequestMapping("/oauth/confirm_access")
-	public ModelAndView confimAccess(Map<String, Object> model, @ModelAttribute("authorizationRequest") OAuth2Request clientAuth) {
+	public ModelAndView confimAccess(Map<String, Object> model, @ModelAttribute("authorizationRequest") AuthorizationRequest clientAuth) {
 
 		//AuthorizationRequest clientAuth = (AuthorizationRequest) model.remove("authorizationRequest");
 

openid-connect-server/src/main/java/org/mitre/oauth2/web/RevocationEndpoint.java

@@ -28,7 +28,7 @@ import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
-import org.springframework.security.oauth2.provider.OAuth2Request;
+import org.springframework.security.oauth2.provider.StoredOAuth2Request;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
@@ -86,7 +86,7 @@ public class RevocationEndpoint {
 			
 			// we've got a client acting on its own behalf, not an admin
 			//ClientAuthentication clientAuth = (ClientAuthenticationToken) ((OAuth2Authentication) auth).getClientAuthentication();
-			OAuth2Request clientAuth = ((OAuth2Authentication) principal).getAuthorizationRequest();
+			StoredOAuth2Request clientAuth = ((OAuth2Authentication) principal).getStoredRequest();
 
 			if (refreshToken != null) {
 				if (!refreshToken.getClient().getClientId().equals(clientAuth.getClientId())) {

openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectOAuth2RequestFactory.java

@@ -23,19 +23,19 @@ import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
 import org.springframework.security.oauth2.common.util.OAuth2Utils;
+import org.springframework.security.oauth2.provider.AuthorizationRequest;
 import org.springframework.security.oauth2.provider.ClientDetails;
-import org.springframework.security.oauth2.provider.OAuth2Request;
+import org.springframework.security.oauth2.provider.DefaultOAuth2RequestFactory;
-import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
 import org.springframework.stereotype.Component;
 
 import com.google.common.base.Strings;
 import com.nimbusds.jose.util.JSONObjectUtils;
 import com.nimbusds.jwt.SignedJWT;
 
-@Component("oAuth2RequestManager")
+@Component("oAuth2RequestFactory")
-public class ConnectOAuth2RequestManager implements OAuth2RequestFactory {
+public class ConnectOAuth2RequestFactory extends DefaultOAuth2RequestFactory {
 
-	private static Logger logger = LoggerFactory.getLogger(ConnectOAuth2RequestManager.class);
+	private static Logger logger = LoggerFactory.getLogger(ConnectOAuth2RequestFactory.class);
 	
 	@Autowired
 	private NonceService nonceService;
@@ -52,7 +52,8 @@ public class ConnectOAuth2RequestManager implements OAuth2RequestFactory {
 	 * @param clientDetailsService
 	 * @param nonceService
 	 */
-	public ConnectOAuth2RequestManager(ClientDetailsEntityService clientDetailsService, NonceService nonceService) {
+	public ConnectOAuth2RequestFactory(ClientDetailsEntityService clientDetailsService, NonceService nonceService) {
+		super(clientDetailsService);
 		this.clientDetailsService = clientDetailsService;
 		this.nonceService = nonceService;
 	}
@@ -60,12 +61,12 @@ public class ConnectOAuth2RequestManager implements OAuth2RequestFactory {
 	/**
 	 * Default empty constructor
 	 */
-	public ConnectOAuth2RequestManager() {
+	public ConnectOAuth2RequestFactory() {
-		
+		super(null);
 	}
 
 	@Override
-	public OAuth2Request createOAuth2Request(Map<String, String> inputParams) {
+	public AuthorizationRequest createAuthorizationRequest(Map<String, String> inputParams) {
 
 		Map<String, String> parameters = processRequestObject(inputParams);
 		
@@ -78,12 +79,12 @@ public class ConnectOAuth2RequestManager implements OAuth2RequestFactory {
 		
 		String requestNonce = parameters.get("nonce");
 		
-		OAuth2Request request = new OAuth2Request(parameters, Collections.<String, String> emptyMap(), 
+		AuthorizationRequest request = new AuthorizationRequest(parameters, Collections.<String, String> emptyMap(), 
-				parameters.get(OAuth2Request.CLIENT_ID), 
+				parameters.get(OAuth2Utils.CLIENT_ID), 
-				OAuth2Utils.parseParameterList(parameters.get(OAuth2Request.SCOPE)), null,
+				OAuth2Utils.parseParameterList(parameters.get(OAuth2Utils.SCOPE)), null,
-				null, false, parameters.get(OAuth2Request.STATE), 
+				null, false, parameters.get(OAuth2Utils.STATE), 
-				parameters.get(OAuth2Request.REDIRECT_URI), 
+				parameters.get(OAuth2Utils.REDIRECT_URI), 
-				OAuth2Utils.parseParameterList(parameters.get(OAuth2Request.RESPONSE_TYPE)));
+				OAuth2Utils.parseParameterList(parameters.get(OAuth2Utils.RESPONSE_TYPE)));
 		
 		//Only process if the user is authenticated. If the user is not authenticated yet, this 
 		//code will be called a second time once the user is redirected from the login page back 

openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java

@@ -30,7 +30,7 @@ import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
-import org.springframework.security.oauth2.provider.OAuth2Request;
+import org.springframework.security.oauth2.provider.StoredOAuth2Request;
 import org.springframework.security.oauth2.provider.token.TokenEnhancer;
 import org.springframework.stereotype.Service;
 
@@ -62,7 +62,7 @@ public class ConnectTokenEnhancer implements TokenEnhancer {
 	public OAuth2AccessToken enhance(OAuth2AccessToken accessToken,	OAuth2Authentication authentication) {
 		
 		OAuth2AccessTokenEntity token = (OAuth2AccessTokenEntity) accessToken;
-		OAuth2Request originalAuthRequest = authentication.getAuthorizationRequest();
+		StoredOAuth2Request originalAuthRequest = authentication.getStoredRequest();
 		
 		String clientId = originalAuthRequest.getClientId();
 		ClientDetailsEntity client = clientService.loadClientByClientId(clientId);

openid-connect-server/src/main/java/org/mitre/openid/connect/token/TofuUserApprovalHandler.java

@@ -27,9 +27,9 @@ import org.mitre.openid.connect.service.ApprovedSiteService;
 import org.mitre.openid.connect.service.WhitelistedSiteService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.oauth2.provider.AuthorizationRequest;
 import org.springframework.security.oauth2.provider.ClientDetails;
 import org.springframework.security.oauth2.provider.ClientDetailsService;
-import org.springframework.security.oauth2.provider.OAuth2Request;
 import org.springframework.security.oauth2.provider.approval.UserApprovalHandler;
 import org.springframework.stereotype.Component;
 
@@ -66,17 +66,17 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
 	
 
 	@Override
-	public boolean isApproved(OAuth2Request oAuthRequest, Authentication userAuthentication) {
+	public boolean isApproved(AuthorizationRequest authorizationRequest, Authentication userAuthentication) {
 		
 		// if this request is already approved, pass that info through
 		// (this flag may be set by updateBeforeApproval, which can also do funny things with scopes, etc)
-		if (oAuthRequest.isApproved()) {
+		if (authorizationRequest.isApproved()) {
 			return true;
 		} else {
 			// if not, check to see if the user has approved it
 			
 			// TODO: make parameter name configurable?
-			boolean approved = Boolean.parseBoolean(oAuthRequest.getApprovalParameters().get("user_oauth_approval"));
+			boolean approved = Boolean.parseBoolean(authorizationRequest.getApprovalParameters().get("user_oauth_approval"));
 	
 			return userAuthentication.isAuthenticated() && approved;
 		}
@@ -89,19 +89,19 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
 	 * 
 	 * Otherwise the user will be directed to the approval page and can make their own decision.
 	 * 
-	 * @param oAuthRequest	the incoming authorization request	
+	 * @param authorizationRequest	the incoming authorization request	
 	 * @param userAuthentication	the Principal representing the currently-logged-in user
 	 * 
 	 * @return 						the updated AuthorizationRequest
 	 */
 	@Override
-	public OAuth2Request checkForPreApproval(OAuth2Request oAuthRequest, Authentication userAuthentication) {
+	public AuthorizationRequest checkForPreApproval(AuthorizationRequest authorizationRequest, Authentication userAuthentication) {
 		
 		//First, check database to see if the user identified by the userAuthentication has stored an approval decision
 		
 		//getName may not be filled in? TODO: investigate
 		String userId = userAuthentication.getName();
-		String clientId = oAuthRequest.getClientId();
+		String clientId = authorizationRequest.getClientId();
 
 		//lookup ApprovedSites by userId and clientId
 		boolean alreadyApproved = false;
@@ -111,14 +111,14 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
 			if (!ap.isExpired()) {
 			
 				// if we find one that fits...
-				if (scopesMatch(oAuthRequest.getScope(), ap.getAllowedScopes())) {
+				if (scopesMatch(authorizationRequest.getScope(), ap.getAllowedScopes())) {
 					
 					//We have a match; update the access date on the AP entry and return true.
 					ap.setAccessDate(new Date());
 					approvedSiteService.save(ap);
 	
-					oAuthRequest.getExtensionProperties().put("approved_site", ap.getId());
+					authorizationRequest.getExtensionProperties().put("approved_site", ap.getId());
-					oAuthRequest.setApproved(true);					
+					authorizationRequest.setApproved(true);					
 					alreadyApproved = true;
 				}
 			}
@@ -126,37 +126,37 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
 		
 		if (!alreadyApproved) {
 			WhitelistedSite ws = whitelistedSiteService.getByClientId(clientId);
-			if (ws != null && scopesMatch(oAuthRequest.getScope(), ws.getAllowedScopes())) {
+			if (ws != null && scopesMatch(authorizationRequest.getScope(), ws.getAllowedScopes())) {
 				
 				//Create an approved site
 				ApprovedSite newSite = approvedSiteService.createApprovedSite(clientId, userId, null, ws.getAllowedScopes(), ws);	
-				oAuthRequest.getExtensionProperties().put("approved_site", newSite.getId());
+				authorizationRequest.getExtensionProperties().put("approved_site", newSite.getId());
-				oAuthRequest.setApproved(true);
+				authorizationRequest.setApproved(true);
 			}
 		}
 		
-		return oAuthRequest;
+		return authorizationRequest;
 		
 	}
 	
 
 	@Override
-    public OAuth2Request updateAfterApproval(OAuth2Request oAuthRequest, Authentication userAuthentication) {
+    public AuthorizationRequest updateAfterApproval(AuthorizationRequest authorizationRequest, Authentication userAuthentication) {
 
 		String userId = userAuthentication.getName();
-		String clientId = oAuthRequest.getClientId();
+		String clientId = authorizationRequest.getClientId();
 		ClientDetails client = clientDetailsService.loadClientByClientId(clientId);
 		
 		// This must be re-parsed here because SECOAUTH forces us to call things in a strange order
-		boolean approved = Boolean.parseBoolean(oAuthRequest.getApprovalParameters().get("user_oauth_approval"));
+		boolean approved = Boolean.parseBoolean(authorizationRequest.getApprovalParameters().get("user_oauth_approval"));
 		
 		if (approved) {
 			
-			oAuthRequest.setApproved(true);
+			authorizationRequest.setApproved(true);
 			
 			// process scopes from user input
 			Set<String> allowedScopes = Sets.newHashSet();
-			Map<String,String> approvalParams = oAuthRequest.getApprovalParameters();
+			Map<String,String> approvalParams = authorizationRequest.getApprovalParameters();
 			
 			Set<String> keys = approvalParams.keySet();
 			
@@ -177,10 +177,10 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
 
 			// inject the user-allowed scopes into the auth request
 			// TODO: for the moment this allows both upscoping and downscoping.
-			oAuthRequest.setScope(allowedScopes);
+			authorizationRequest.setScope(allowedScopes);
 			
 			//Only store an ApprovedSite if the user has checked "remember this decision":
-			String remember = oAuthRequest.getApprovalParameters().get("remember");
+			String remember = authorizationRequest.getApprovalParameters().get("remember");
 			if (!Strings.isNullOrEmpty(remember) && !remember.equals("none")) {
 				
 				Date timeout = null;
@@ -192,12 +192,12 @@ public class TofuUserApprovalHandler implements UserApprovalHandler {
 				}
 				
 				ApprovedSite newSite = approvedSiteService.createApprovedSite(clientId, userId, timeout, allowedScopes, null);
-				oAuthRequest.getExtensionProperties().put("approved_site", newSite.getId());
+				authorizationRequest.getExtensionProperties().put("approved_site", newSite.getId());
 			}
 			
 		}
 
-		return oAuthRequest;
+		return authorizationRequest;
     }
 	
 	/**

openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientDynamicRegistrationEndpoint.java

@@ -26,8 +26,8 @@ import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
-import org.springframework.security.oauth2.provider.OAuth2Request;
 import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
+import org.springframework.security.oauth2.provider.StoredOAuth2Request;
 import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
@@ -173,7 +173,7 @@ public class ClientDynamicRegistrationEndpoint {
 		
 		ClientDetailsEntity client = clientService.loadClientByClientId(clientId);
 		
-		if (client != null && client.getClientId().equals(auth.getAuthorizationRequest().getClientId())) {
+		if (client != null && client.getClientId().equals(auth.getStoredRequest().getClientId())) {
 
 			
 			// we return the token that we got in
@@ -189,7 +189,7 @@ public class ClientDynamicRegistrationEndpoint {
 		} else {
 			// client mismatch
 			logger.error("readClientConfiguration failed, client ID mismatch: " 
-					+ clientId + " and " + auth.getAuthorizationRequest().getClientId() + " do not match.");
+					+ clientId + " and " + auth.getStoredRequest().getClientId() + " do not match.");
 			m.addAttribute("code", HttpStatus.FORBIDDEN); // http 403
 			
 			return "httpCodeView";
@@ -213,7 +213,7 @@ public class ClientDynamicRegistrationEndpoint {
 		ClientDetailsEntity oldClient = clientService.loadClientByClientId(clientId);
 		
 		if (newClient != null && oldClient != null  // we have an existing client and the new one parsed
-				&& oldClient.getClientId().equals(auth.getAuthorizationRequest().getClientId()) // the client passed in the URI matches the one in the auth
+				&& oldClient.getClientId().equals(auth.getStoredRequest().getClientId()) // the client passed in the URI matches the one in the auth
 				&& oldClient.getClientId().equals(newClient.getClientId()) // the client passed in the body matches the one in the URI
 				) {
 
@@ -260,7 +260,7 @@ public class ClientDynamicRegistrationEndpoint {
 		} else {
 			// client mismatch
 			logger.error("readClientConfiguration failed, client ID mismatch: " 
-					+ clientId + " and " + auth.getAuthorizationRequest().getClientId() + " do not match.");
+					+ clientId + " and " + auth.getStoredRequest().getClientId() + " do not match.");
 			m.addAttribute("code", HttpStatus.FORBIDDEN); // http 403
 			
 			return "httpCodeView";
@@ -280,7 +280,7 @@ public class ClientDynamicRegistrationEndpoint {
 		
 		ClientDetailsEntity client = clientService.loadClientByClientId(clientId);
 		
-		if (client != null && client.getClientId().equals(auth.getAuthorizationRequest().getClientId())) {
+		if (client != null && client.getClientId().equals(auth.getStoredRequest().getClientId())) {
 
 			clientService.deleteClient(client);
 			
@@ -297,7 +297,7 @@ public class ClientDynamicRegistrationEndpoint {
 		} else {
 			// client mismatch
 			logger.error("readClientConfiguration failed, client ID mismatch: " 
-					+ clientId + " and " + auth.getAuthorizationRequest().getClientId() + " do not match.");
+					+ clientId + " and " + auth.getStoredRequest().getClientId() + " do not match.");
 			m.addAttribute("code", HttpStatus.FORBIDDEN); // http 403
 			
 			return "httpCodeView";
@@ -470,10 +470,10 @@ public class ClientDynamicRegistrationEndpoint {
     	Map<String, String> authorizationParameters = Maps.newHashMap();
     	authorizationParameters.put("client_id", client.getClientId());
     	authorizationParameters.put("scope", OAuth2AccessTokenEntity.REGISTRATION_TOKEN_SCOPE);
-    	OAuth2Request oAuthRequest = oAuth2RequestFactory.createOAuth2Request(authorizationParameters);
+    	StoredOAuth2Request storedRequest = new StoredOAuth2Request(authorizationParameters, client.getClientId(), 
-    	oAuthRequest.setApproved(true);
+    			Sets.newHashSet(new SimpleGrantedAuthority("ROLE_CLIENT")), true, 
-    	oAuthRequest.setAuthorities(Sets.newHashSet(new SimpleGrantedAuthority("ROLE_CLIENT")));
+    			Sets.newHashSet(OAuth2AccessTokenEntity.REGISTRATION_TOKEN_SCOPE), null, null, null);
-		OAuth2Authentication authentication = new OAuth2Authentication(oAuthRequest, null);
+		OAuth2Authentication authentication = new OAuth2Authentication(storedRequest, null);
 		OAuth2AccessTokenEntity registrationAccessToken = (OAuth2AccessTokenEntity) tokenService.createAccessToken(authentication);
 	    return registrationAccessToken;
     }

openid-connect-server/src/main/java/org/mitre/openid/connect/web/UserInfoEndpoint.java

@@ -98,8 +98,8 @@ public class UserInfoEndpoint {
 		if (p instanceof OAuth2Authentication) {
 	        OAuth2Authentication authentication = (OAuth2Authentication)p;
 	        
-	        model.addAttribute("scope", authentication.getAuthorizationRequest().getScope());
+	        model.addAttribute("scope", authentication.getStoredRequest().getScope());
-	        model.addAttribute("requestObject", authentication.getAuthorizationRequest().getRequestParameters().get("request"));
+	        model.addAttribute("requestObject", authentication.getStoredRequest().getRequestParameters().get("request"));
         }
 
 		model.addAttribute("userInfo", userInfo);

openid-connect-server/src/main/resources/db/tables/hsql_database_tables.sql

@@ -53,7 +53,7 @@ CREATE TABLE IF NOT EXISTS client_authority (
 CREATE TABLE IF NOT EXISTS authorization_code (
 	id BIGINT GENERATED BY DEFAULT AS IDENTITY(START WITH 1) PRIMARY KEY,
 	code VARCHAR(256),
-	authorization_request_holder LONGVARBINARY
+	authentication LONGVARBINARY
 );
 
 CREATE TABLE IF NOT EXISTS client_grant_type (

openid-connect-server/src/main/resources/db/tables/mysql_database_tables.sql

@@ -53,7 +53,7 @@ CREATE TABLE IF NOT EXISTS client_authority (
 CREATE TABLE IF NOT EXISTS authorization_code (
 	id BIGINT AUTO_INCREMENT PRIMARY KEY,
 	code VARCHAR(256),
-	authorization_request_holder LONGBLOB
+	authentication LONGBLOB
 );
 
 CREATE TABLE IF NOT EXISTS client_grant_type (

openid-connect-server/src/main/webapp/WEB-INF/application-context.xml

@@ -105,7 +105,7 @@
 	<!-- SECOAUTH Authorization Server -->
 	<oauth:authorization-server 
 		client-details-service-ref="defaultOAuth2ClientDetailsEntityService"
-		authorization-request-manager-ref="oAuth2RequestManager" 
+		authorization-request-manager-ref="oAuth2RequestFactory" 
 		token-services-ref="defaultOAuth2ProviderTokenService" 
 		user-approval-handler-ref="tofuUserApprovalHandler" 
 		authorization-endpoint-url="/authorize" 
@@ -120,6 +120,12 @@
 
 	</oauth:authorization-server>
 
+	<bean id="chainedTokenGranter">
+		<constructor-arg ref="defaultOAuth2ProviderTokenService"/>
+		<constructor-arg ref="defaultOAuth2ClientDetailsEntityService"/>
+		<constructor-arg ref="oAuth2RequestFactory"/>
+	</bean>
+
 	<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
 
 	<bean id="clientCredentialsTokenEndpointFilter" class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
@@ -145,7 +151,7 @@
 		<constructor-arg type="int" index="3" value="0"/>
 	</bean>
 	
-	<!-- <bean id="oAuth2RequestManager" class="org.mitre.openid.connect.ConnectOAuth2RequestManager" /> -->
+	<!-- <bean id="oAuth2RequestManager" class="org.mitre.openid.connect.ConnectOAuth2RequestFactory" /> -->
 	
 	<bean id="clientAssertiontokenEndpointFilter" class="org.mitre.openid.connect.assertion.JwtBearerClientAssertionTokenEndpointFilter">
 		<property name="authenticationManager" ref="clientAssertionAuthenticationManager" />

spring-security-oauth

@@ -1 +1 @@
-Subproject commit 2b4beaf663490388b0d485b81bc8f2cf8a586b6c
+Subproject commit c377ba89fb066b40939459e4f192bb49487ec959