From 99ad9b883eec1bffa6daa076c877687537537a19 Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Fri, 30 Aug 2013 16:00:09 -0400
Subject: [PATCH] added validator that knows how to deal with structured scopes
---
...turedScopeAwareOAuth2RequestValidator.java | 43 +++++++++++++++++++
1 file changed, 43 insertions(+)
create mode 100644 openid-connect-server/src/main/java/org/mitre/oauth2/token/StructuredScopeAwareOAuth2RequestValidator.java
diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/token/StructuredScopeAwareOAuth2RequestValidator.java b/openid-connect-server/src/main/java/org/mitre/oauth2/token/StructuredScopeAwareOAuth2RequestValidator.java
new file mode 100644
index 000000000..e3293d283
--- /dev/null
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/token/StructuredScopeAwareOAuth2RequestValidator.java
@@ -0,0 +1,43 @@
+/**
+ *
+ */
+package org.mitre.oauth2.token;
+
+import java.util.Map;
+import java.util.Set;
+
+import org.mitre.oauth2.service.SystemScopeService;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
+import org.springframework.security.oauth2.common.util.OAuth2Utils;
+import org.springframework.security.oauth2.provider.OAuth2RequestValidator;
+
+/**
+ *
+ * Validates the scopes on a request by comparing them against a client's
+ * allowed scopes, but allow structured scopes to function.
+ *
+ * @author jricher
+ *
+ */
+public class StructuredScopeAwareOAuth2RequestValidator implements OAuth2RequestValidator {
+
+ @Autowired
+ private SystemScopeService scopeService;
+
+ /* (non-Javadoc)
+ * @see org.springframework.security.oauth2.provider.OAuth2RequestValidator#validateScope(java.util.Map, java.util.Set)
+ */
+ @Override
+ public void validateScope(Map parameters, Set clientScopes) throws InvalidScopeException {
+ if (parameters.containsKey("scope")) {
+ if (clientScopes != null && !clientScopes.isEmpty()) {
+ Set requestedScopes = OAuth2Utils.parseParameterList(parameters.get("scope"));
+ if (!scopeService.scopesMatch(clientScopes, requestedScopes)) {
+ throw new InvalidScopeException("Invalid scope", clientScopes);
+ }
+ }
+ }
+ }
+
+}
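Review bot: In `validateScope`, the inner guard `if (clientScopes != null && !clientScopes.isEmpty())` means a client with no registered scopes skips the check entirely, so any requested `scope` value is accepted for that client. If this fail-open case is intended, record it next to the guard with a comment such as `// a client with no registered scopes is not restricted here; narrowing must happen elsewhere`; if it is not, add an `else` branch that throws `InvalidScopeException`. The accept/reject decision also rests entirely on `scopeService.scopesMatch(clientScopes, requestedScopes)`, which is outside this patch and which I cannot check from here. The class Javadoc should therefore state which argument is the allowed set and that a structured scope is accepted only when the client is registered for the corresponding scope, not on a looser textual match.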