added uma-processing of scopes to introspection results
parent
627bcaee43
commit
65d7b00f4d
|
@ -18,6 +18,7 @@ package org.mitre.oauth2.service;
|
||||||
|
|
||||||
import java.text.SimpleDateFormat;
|
import java.text.SimpleDateFormat;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
|
import java.util.Set;
|
||||||
|
|
||||||
import javax.swing.text.DateFormatter;
|
import javax.swing.text.DateFormatter;
|
||||||
|
|
||||||
|
@ -46,17 +47,19 @@ public interface IntrospectionResultAssembler {
|
||||||
*
|
*
|
||||||
* @param accessToken the access token
|
* @param accessToken the access token
|
||||||
* @param userInfo the user info
|
* @param userInfo the user info
|
||||||
|
* @param authScopes TODO
|
||||||
* @return the token introspection result
|
* @return the token introspection result
|
||||||
*/
|
*/
|
||||||
Map<String, Object> assembleFrom(OAuth2AccessTokenEntity accessToken, UserInfo userInfo);
|
Map<String, Object> assembleFrom(OAuth2AccessTokenEntity accessToken, UserInfo userInfo, Set<String> authScopes);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Assemble a token introspection result from the given refresh token and user info.
|
* Assemble a token introspection result from the given refresh token and user info.
|
||||||
*
|
*
|
||||||
* @param refreshToken the refresh token
|
* @param refreshToken the refresh token
|
||||||
* @param userInfo the user info
|
* @param userInfo the user info
|
||||||
|
* @param authScopes TODO
|
||||||
* @return the token introspection result
|
* @return the token introspection result
|
||||||
*/
|
*/
|
||||||
Map<String, Object> assembleFrom(OAuth2RefreshTokenEntity refreshToken, UserInfo userInfo);
|
Map<String, Object> assembleFrom(OAuth2RefreshTokenEntity refreshToken, UserInfo userInfo, Set<String> authScopes);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -20,6 +20,7 @@ import static com.google.common.collect.Maps.newLinkedHashMap;
|
||||||
|
|
||||||
import java.text.ParseException;
|
import java.text.ParseException;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
|
import java.util.Set;
|
||||||
|
|
||||||
|
|
||||||
import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
|
import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
|
||||||
|
@ -32,6 +33,7 @@ import org.springframework.security.oauth2.provider.OAuth2Authentication;
|
||||||
import org.springframework.stereotype.Service;
|
import org.springframework.stereotype.Service;
|
||||||
|
|
||||||
import com.google.common.base.Joiner;
|
import com.google.common.base.Joiner;
|
||||||
|
import com.google.common.collect.Sets;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Default implementation of the {@link IntrospectionResultAssembler} interface.
|
* Default implementation of the {@link IntrospectionResultAssembler} interface.
|
||||||
|
@ -42,14 +44,16 @@ public class DefaultIntrospectionResultAssembler implements IntrospectionResultA
|
||||||
private static Logger log = LoggerFactory.getLogger(DefaultIntrospectionResultAssembler.class);
|
private static Logger log = LoggerFactory.getLogger(DefaultIntrospectionResultAssembler.class);
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public Map<String, Object> assembleFrom(OAuth2AccessTokenEntity accessToken, UserInfo userInfo) {
|
public Map<String, Object> assembleFrom(OAuth2AccessTokenEntity accessToken, UserInfo userInfo, Set<String> authScopes) {
|
||||||
|
|
||||||
Map<String, Object> result = newLinkedHashMap();
|
Map<String, Object> result = newLinkedHashMap();
|
||||||
OAuth2Authentication authentication = accessToken.getAuthenticationHolder().getAuthentication();
|
OAuth2Authentication authentication = accessToken.getAuthenticationHolder().getAuthentication();
|
||||||
|
|
||||||
result.put(ACTIVE, true);
|
result.put(ACTIVE, true);
|
||||||
|
|
||||||
result.put(SCOPE, Joiner.on(SCOPE_SEPARATOR).join(accessToken.getScope()));
|
Set<String> scopes = Sets.intersection(authScopes, accessToken.getScope());
|
||||||
|
|
||||||
|
result.put(SCOPE, Joiner.on(SCOPE_SEPARATOR).join(scopes));
|
||||||
|
|
||||||
if (accessToken.getExpiration() != null) {
|
if (accessToken.getExpiration() != null) {
|
||||||
try {
|
try {
|
||||||
|
@ -78,14 +82,16 @@ public class DefaultIntrospectionResultAssembler implements IntrospectionResultA
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public Map<String, Object> assembleFrom(OAuth2RefreshTokenEntity refreshToken, UserInfo userInfo) {
|
public Map<String, Object> assembleFrom(OAuth2RefreshTokenEntity refreshToken, UserInfo userInfo, Set<String> authScopes) {
|
||||||
|
|
||||||
Map<String, Object> result = newLinkedHashMap();
|
Map<String, Object> result = newLinkedHashMap();
|
||||||
OAuth2Authentication authentication = refreshToken.getAuthenticationHolder().getAuthentication();
|
OAuth2Authentication authentication = refreshToken.getAuthenticationHolder().getAuthentication();
|
||||||
|
|
||||||
result.put(ACTIVE, true);
|
result.put(ACTIVE, true);
|
||||||
|
|
||||||
result.put(SCOPE, Joiner.on(SCOPE_SEPARATOR).join(authentication.getOAuth2Request().getScope()));
|
Set<String> scopes = Sets.intersection(authScopes, authentication.getOAuth2Request().getScope());
|
||||||
|
|
||||||
|
result.put(SCOPE, Joiner.on(SCOPE_SEPARATOR).join(scopes));
|
||||||
|
|
||||||
if (refreshToken.getExpiration() != null) {
|
if (refreshToken.getExpiration() != null) {
|
||||||
try {
|
try {
|
||||||
|
|
|
@ -16,6 +16,8 @@
|
||||||
*******************************************************************************/
|
*******************************************************************************/
|
||||||
package org.mitre.oauth2.web;
|
package org.mitre.oauth2.web;
|
||||||
|
|
||||||
|
import java.util.Collection;
|
||||||
|
import java.util.HashSet;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
import java.util.Set;
|
import java.util.Set;
|
||||||
|
|
||||||
|
@ -30,6 +32,8 @@ import org.mitre.openid.connect.model.UserInfo;
|
||||||
import org.mitre.openid.connect.service.UserInfoService;
|
import org.mitre.openid.connect.service.UserInfoService;
|
||||||
import org.mitre.openid.connect.view.HttpCodeView;
|
import org.mitre.openid.connect.view.HttpCodeView;
|
||||||
import org.mitre.openid.connect.view.JsonEntityView;
|
import org.mitre.openid.connect.view.JsonEntityView;
|
||||||
|
import org.mitre.uma.model.ResourceSet;
|
||||||
|
import org.mitre.uma.service.ResourceSetService;
|
||||||
import org.slf4j.Logger;
|
import org.slf4j.Logger;
|
||||||
import org.slf4j.LoggerFactory;
|
import org.slf4j.LoggerFactory;
|
||||||
import org.springframework.beans.factory.annotation.Autowired;
|
import org.springframework.beans.factory.annotation.Autowired;
|
||||||
|
@ -62,6 +66,9 @@ public class IntrospectionEndpoint {
|
||||||
@Autowired
|
@Autowired
|
||||||
private UserInfoService userInfoService;
|
private UserInfoService userInfoService;
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
private ResourceSetService resourceSetService;
|
||||||
|
|
||||||
private static Logger logger = LoggerFactory.getLogger(IntrospectionEndpoint.class);
|
private static Logger logger = LoggerFactory.getLogger(IntrospectionEndpoint.class);
|
||||||
|
|
||||||
public IntrospectionEndpoint() {
|
public IntrospectionEndpoint() {
|
||||||
|
@ -85,6 +92,7 @@ public class IntrospectionEndpoint {
|
||||||
}
|
}
|
||||||
|
|
||||||
ClientDetailsEntity authClient = null;
|
ClientDetailsEntity authClient = null;
|
||||||
|
Set<String> authScopes = new HashSet<>();
|
||||||
|
|
||||||
if (auth instanceof OAuth2Authentication) {
|
if (auth instanceof OAuth2Authentication) {
|
||||||
// the client authenticated with OAuth, do our UMA checks
|
// the client authenticated with OAuth, do our UMA checks
|
||||||
|
@ -96,12 +104,28 @@ public class IntrospectionEndpoint {
|
||||||
String authClientId = o2a.getOAuth2Request().getClientId();
|
String authClientId = o2a.getOAuth2Request().getClientId();
|
||||||
authClient = clientService.loadClientByClientId(authClientId);
|
authClient = clientService.loadClientByClientId(authClientId);
|
||||||
|
|
||||||
|
// the owner is the user who authorized the token in the first place
|
||||||
|
String ownerId = o2a.getUserAuthentication().getName();
|
||||||
|
|
||||||
|
authScopes.addAll(authClient.getScope());
|
||||||
|
|
||||||
|
// UMA style clients also get a subset of scopes of all the resource sets they've registered
|
||||||
|
Collection<ResourceSet> resourceSets = resourceSetService.getAllForOwnerAndClient(ownerId, authClientId);
|
||||||
|
|
||||||
|
// collect all the scopes
|
||||||
|
for (ResourceSet rs : resourceSets) {
|
||||||
|
authScopes.addAll(rs.getScopes());
|
||||||
|
}
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
// the client authenticated directly, make sure it's got the right access
|
// the client authenticated directly, make sure it's got the right access
|
||||||
|
|
||||||
String authClientId = auth.getName(); // direct authentication puts the client_id into the authentication's name field
|
String authClientId = auth.getName(); // direct authentication puts the client_id into the authentication's name field
|
||||||
authClient = clientService.loadClientByClientId(authClientId);
|
authClient = clientService.loadClientByClientId(authClientId);
|
||||||
|
|
||||||
|
// directly authenticated clients get a subset of any scopes that they've registered for
|
||||||
|
authScopes.addAll(authClient.getScope());
|
||||||
|
|
||||||
if (!AuthenticationUtilities.hasRole(auth, "ROLE_CLIENT")
|
if (!AuthenticationUtilities.hasRole(auth, "ROLE_CLIENT")
|
||||||
|| !authClient.isAllowIntrospection()) {
|
|| !authClient.isAllowIntrospection()) {
|
||||||
|
|
||||||
|
@ -115,19 +139,11 @@ public class IntrospectionEndpoint {
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (authClient == null) {
|
|
||||||
// shouldn't ever get here, if the client's been authenticated by now it should exist
|
|
||||||
logger.error("Introspection client wasn't found");
|
|
||||||
model.addAttribute("code", HttpStatus.FORBIDDEN);
|
|
||||||
return HttpCodeView.VIEWNAME;
|
|
||||||
}
|
|
||||||
|
|
||||||
// now we need to look up the token in our token stores
|
// now we need to look up the token in our token stores
|
||||||
|
|
||||||
OAuth2AccessTokenEntity accessToken = null;
|
OAuth2AccessTokenEntity accessToken = null;
|
||||||
OAuth2RefreshTokenEntity refreshToken = null;
|
OAuth2RefreshTokenEntity refreshToken = null;
|
||||||
ClientDetailsEntity tokenClient;
|
ClientDetailsEntity tokenClient;
|
||||||
Set<String> scopes;
|
|
||||||
UserInfo user;
|
UserInfo user;
|
||||||
|
|
||||||
try {
|
try {
|
||||||
|
@ -136,7 +152,6 @@ public class IntrospectionEndpoint {
|
||||||
accessToken = tokenServices.readAccessToken(tokenValue);
|
accessToken = tokenServices.readAccessToken(tokenValue);
|
||||||
|
|
||||||
tokenClient = accessToken.getClient();
|
tokenClient = accessToken.getClient();
|
||||||
scopes = accessToken.getScope();
|
|
||||||
|
|
||||||
// get the user information of the user that authorized this token in the first place
|
// get the user information of the user that authorized this token in the first place
|
||||||
String userName = accessToken.getAuthenticationHolder().getAuthentication().getName();
|
String userName = accessToken.getAuthenticationHolder().getAuthentication().getName();
|
||||||
|
@ -150,7 +165,6 @@ public class IntrospectionEndpoint {
|
||||||
refreshToken = tokenServices.getRefreshToken(tokenValue);
|
refreshToken = tokenServices.getRefreshToken(tokenValue);
|
||||||
|
|
||||||
tokenClient = refreshToken.getClient();
|
tokenClient = refreshToken.getClient();
|
||||||
scopes = refreshToken.getAuthenticationHolder().getAuthentication().getOAuth2Request().getScope();
|
|
||||||
|
|
||||||
// get the user information of the user that authorized this token in the first place
|
// get the user information of the user that authorized this token in the first place
|
||||||
String userName = refreshToken.getAuthenticationHolder().getAuthentication().getName();
|
String userName = refreshToken.getAuthenticationHolder().getAuthentication().getName();
|
||||||
|
@ -167,10 +181,10 @@ public class IntrospectionEndpoint {
|
||||||
// if it's a valid token, we'll print out information on it
|
// if it's a valid token, we'll print out information on it
|
||||||
|
|
||||||
if (accessToken != null) {
|
if (accessToken != null) {
|
||||||
Map<String, Object> entity = introspectionResultAssembler.assembleFrom(accessToken, user);
|
Map<String, Object> entity = introspectionResultAssembler.assembleFrom(accessToken, user, authScopes);
|
||||||
model.addAttribute("entity", entity);
|
model.addAttribute("entity", entity);
|
||||||
} else if (refreshToken != null) {
|
} else if (refreshToken != null) {
|
||||||
Map<String, Object> entity = introspectionResultAssembler.assembleFrom(refreshToken, user);
|
Map<String, Object> entity = introspectionResultAssembler.assembleFrom(refreshToken, user, authScopes);
|
||||||
model.addAttribute("entity", entity);
|
model.addAttribute("entity", entity);
|
||||||
} else {
|
} else {
|
||||||
// no tokens were found (we shouldn't get here)
|
// no tokens were found (we shouldn't get here)
|
||||||
|
|
|
@ -57,8 +57,10 @@ public class TestDefaultIntrospectionResultAssembler {
|
||||||
|
|
||||||
UserInfo userInfo = userInfo("sub");
|
UserInfo userInfo = userInfo("sub");
|
||||||
|
|
||||||
|
Set<String> authScopes = scopes("foo", "bar", "baz");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
Map<String, Object> result = assembler.assembleFrom(accessToken, userInfo);
|
Map<String, Object> result = assembler.assembleFrom(accessToken, userInfo, authScopes);
|
||||||
|
|
||||||
|
|
||||||
// then
|
// then
|
||||||
|
@ -82,8 +84,10 @@ public class TestDefaultIntrospectionResultAssembler {
|
||||||
OAuth2AccessTokenEntity accessToken = accessToken(new Date(123 * 1000L), scopes("foo", "bar"), "Bearer",
|
OAuth2AccessTokenEntity accessToken = accessToken(new Date(123 * 1000L), scopes("foo", "bar"), "Bearer",
|
||||||
authentication("name", request("clientId")));
|
authentication("name", request("clientId")));
|
||||||
|
|
||||||
|
Set<String> authScopes = scopes("foo", "bar", "baz");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
Map<String, Object> result = assembler.assembleFrom(accessToken, null);
|
Map<String, Object> result = assembler.assembleFrom(accessToken, null, authScopes);
|
||||||
|
|
||||||
|
|
||||||
// then
|
// then
|
||||||
|
@ -109,8 +113,10 @@ public class TestDefaultIntrospectionResultAssembler {
|
||||||
|
|
||||||
UserInfo userInfo = userInfo("sub");
|
UserInfo userInfo = userInfo("sub");
|
||||||
|
|
||||||
|
Set<String> authScopes = scopes("foo", "bar", "baz");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
Map<String, Object> result = assembler.assembleFrom(accessToken, userInfo);
|
Map<String, Object> result = assembler.assembleFrom(accessToken, userInfo, authScopes);
|
||||||
|
|
||||||
|
|
||||||
// then
|
// then
|
||||||
|
@ -134,8 +140,10 @@ public class TestDefaultIntrospectionResultAssembler {
|
||||||
|
|
||||||
UserInfo userInfo = userInfo("sub");
|
UserInfo userInfo = userInfo("sub");
|
||||||
|
|
||||||
|
Set<String> authScopes = scopes("foo", "bar", "baz");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
Map<String, Object> result = assembler.assembleFrom(refreshToken, userInfo);
|
Map<String, Object> result = assembler.assembleFrom(refreshToken, userInfo, authScopes);
|
||||||
|
|
||||||
|
|
||||||
// then
|
// then
|
||||||
|
@ -158,8 +166,10 @@ public class TestDefaultIntrospectionResultAssembler {
|
||||||
OAuth2RefreshTokenEntity refreshToken = refreshToken(new Date(123 * 1000L),
|
OAuth2RefreshTokenEntity refreshToken = refreshToken(new Date(123 * 1000L),
|
||||||
authentication("name", request("clientId", scopes("foo", "bar"))));
|
authentication("name", request("clientId", scopes("foo", "bar"))));
|
||||||
|
|
||||||
|
Set<String> authScopes = scopes("foo", "bar", "baz");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
Map<String, Object> result = assembler.assembleFrom(refreshToken, null);
|
Map<String, Object> result = assembler.assembleFrom(refreshToken, null, authScopes);
|
||||||
|
|
||||||
|
|
||||||
// then
|
// then
|
||||||
|
@ -184,8 +194,10 @@ public class TestDefaultIntrospectionResultAssembler {
|
||||||
|
|
||||||
UserInfo userInfo = userInfo("sub");
|
UserInfo userInfo = userInfo("sub");
|
||||||
|
|
||||||
|
Set<String> authScopes = scopes("foo", "bar", "baz");
|
||||||
|
|
||||||
// when
|
// when
|
||||||
Map<String, Object> result = assembler.assembleFrom(refreshToken, userInfo);
|
Map<String, Object> result = assembler.assembleFrom(refreshToken, userInfo, authScopes);
|
||||||
|
|
||||||
|
|
||||||
// then
|
// then
|
||||||
|
|
Loading…
Reference in New Issue