|
|
@ -20,12 +20,16 @@ import org.mitre.oauth2.service.OAuth2TokenEntityService;
|
|
|
|
import org.mitre.oauth2.service.SystemScopeService;
|
|
|
|
import org.mitre.oauth2.service.SystemScopeService;
|
|
|
|
import org.springframework.beans.factory.annotation.Autowired;
|
|
|
|
import org.springframework.beans.factory.annotation.Autowired;
|
|
|
|
import org.springframework.http.HttpStatus;
|
|
|
|
import org.springframework.http.HttpStatus;
|
|
|
|
|
|
|
|
import org.springframework.security.access.prepost.PreAuthorize;
|
|
|
|
import org.springframework.security.core.AuthenticationException;
|
|
|
|
import org.springframework.security.core.AuthenticationException;
|
|
|
|
import org.springframework.security.core.authority.SimpleGrantedAuthority;
|
|
|
|
import org.springframework.security.core.authority.SimpleGrantedAuthority;
|
|
|
|
|
|
|
|
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
|
|
|
|
import org.springframework.security.oauth2.provider.DefaultAuthorizationRequest;
|
|
|
|
import org.springframework.security.oauth2.provider.DefaultAuthorizationRequest;
|
|
|
|
import org.springframework.security.oauth2.provider.OAuth2Authentication;
|
|
|
|
import org.springframework.security.oauth2.provider.OAuth2Authentication;
|
|
|
|
|
|
|
|
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;
|
|
|
|
import org.springframework.stereotype.Controller;
|
|
|
|
import org.springframework.stereotype.Controller;
|
|
|
|
import org.springframework.ui.Model;
|
|
|
|
import org.springframework.ui.Model;
|
|
|
|
|
|
|
|
import org.springframework.web.bind.annotation.PathVariable;
|
|
|
|
import org.springframework.web.bind.annotation.RequestBody;
|
|
|
|
import org.springframework.web.bind.annotation.RequestBody;
|
|
|
|
import org.springframework.web.bind.annotation.RequestMapping;
|
|
|
|
import org.springframework.web.bind.annotation.RequestMapping;
|
|
|
|
import org.springframework.web.bind.annotation.RequestMethod;
|
|
|
|
import org.springframework.web.bind.annotation.RequestMethod;
|
|
|
@ -36,12 +40,11 @@ import com.google.gson.Gson;
|
|
|
|
import com.google.gson.JsonElement;
|
|
|
|
import com.google.gson.JsonElement;
|
|
|
|
import com.google.gson.JsonObject;
|
|
|
|
import com.google.gson.JsonObject;
|
|
|
|
import com.google.gson.JsonParser;
|
|
|
|
import com.google.gson.JsonParser;
|
|
|
|
import com.google.gson.JsonPrimitive;
|
|
|
|
|
|
|
|
import com.google.gson.JsonSyntaxException;
|
|
|
|
import com.google.gson.JsonSyntaxException;
|
|
|
|
import com.google.gson.reflect.TypeToken;
|
|
|
|
import com.google.gson.reflect.TypeToken;
|
|
|
|
|
|
|
|
|
|
|
|
@Controller
|
|
|
|
@Controller
|
|
|
|
@RequestMapping(value = "register"/*, method = RequestMethod.POST*/)
|
|
|
|
@RequestMapping(value = "register")
|
|
|
|
public class ClientDynamicRegistrationEndpoint {
|
|
|
|
public class ClientDynamicRegistrationEndpoint {
|
|
|
|
|
|
|
|
|
|
|
|
@Autowired
|
|
|
|
@Autowired
|
|
|
@ -56,8 +59,15 @@ public class ClientDynamicRegistrationEndpoint {
|
|
|
|
private JsonParser parser = new JsonParser();
|
|
|
|
private JsonParser parser = new JsonParser();
|
|
|
|
private Gson gson = new Gson();
|
|
|
|
private Gson gson = new Gson();
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
|
|
|
* Create a new Client, issue a client ID, and create a registration access token.
|
|
|
|
|
|
|
|
* @param jsonString
|
|
|
|
|
|
|
|
* @param m
|
|
|
|
|
|
|
|
* @param p
|
|
|
|
|
|
|
|
* @return
|
|
|
|
|
|
|
|
*/
|
|
|
|
@RequestMapping(method = RequestMethod.POST, consumes = "application/json", produces = "application/json")
|
|
|
|
@RequestMapping(method = RequestMethod.POST, consumes = "application/json", produces = "application/json")
|
|
|
|
public String registerNewClient(@RequestBody String jsonString, Model m, Principal p) {
|
|
|
|
public String registerNewClient(@RequestBody String jsonString, Model m) {
|
|
|
|
|
|
|
|
|
|
|
|
ClientDetailsEntity newClient = parse(jsonString);
|
|
|
|
ClientDetailsEntity newClient = parse(jsonString);
|
|
|
|
|
|
|
|
|
|
|
@ -101,14 +111,6 @@ public class ClientDynamicRegistrationEndpoint {
|
|
|
|
newClient.setResponseTypes(Sets.newHashSet("code")); // default to allowing only the auth code flow
|
|
|
|
newClient.setResponseTypes(Sets.newHashSet("code")); // default to allowing only the auth code flow
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// set some defaults for token timeouts
|
|
|
|
|
|
|
|
newClient.setAccessTokenValiditySeconds((int)TimeUnit.HOURS.toSeconds(1)); // access tokens good for 1hr
|
|
|
|
|
|
|
|
newClient.setIdTokenValiditySeconds((int)TimeUnit.MINUTES.toSeconds(10)); // id tokens good for 10min
|
|
|
|
|
|
|
|
newClient.setRefreshTokenValiditySeconds(null); // refresh tokens good until revoked
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// this client has been dynamically registered (obviously)
|
|
|
|
|
|
|
|
newClient.setDynamicallyRegistered(true);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if (newClient.getTokenEndpointAuthMethod() == null) {
|
|
|
|
if (newClient.getTokenEndpointAuthMethod() == null) {
|
|
|
|
newClient.setTokenEndpointAuthMethod(AuthMethod.SECRET_BASIC);
|
|
|
|
newClient.setTokenEndpointAuthMethod(AuthMethod.SECRET_BASIC);
|
|
|
|
}
|
|
|
|
}
|
|
|
@ -121,6 +123,13 @@ public class ClientDynamicRegistrationEndpoint {
|
|
|
|
newClient = clientService.generateClientSecret(newClient);
|
|
|
|
newClient = clientService.generateClientSecret(newClient);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// set some defaults for token timeouts
|
|
|
|
|
|
|
|
newClient.setAccessTokenValiditySeconds((int)TimeUnit.HOURS.toSeconds(1)); // access tokens good for 1hr
|
|
|
|
|
|
|
|
newClient.setIdTokenValiditySeconds((int)TimeUnit.MINUTES.toSeconds(10)); // id tokens good for 10min
|
|
|
|
|
|
|
|
newClient.setRefreshTokenValiditySeconds(null); // refresh tokens good until revoked
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// this client has been dynamically registered (obviously)
|
|
|
|
|
|
|
|
newClient.setDynamicallyRegistered(true);
|
|
|
|
|
|
|
|
|
|
|
|
// now save it
|
|
|
|
// now save it
|
|
|
|
ClientDetailsEntity savedClient = clientService.saveNewClient(newClient);
|
|
|
|
ClientDetailsEntity savedClient = clientService.saveNewClient(newClient);
|
|
|
@ -137,13 +146,130 @@ public class ClientDynamicRegistrationEndpoint {
|
|
|
|
} else {
|
|
|
|
} else {
|
|
|
|
// didn't parse, this is a bad request
|
|
|
|
// didn't parse, this is a bad request
|
|
|
|
|
|
|
|
|
|
|
|
m.addAttribute("code", HttpStatus.BAD_REQUEST);
|
|
|
|
m.addAttribute("code", HttpStatus.BAD_REQUEST); // http 400
|
|
|
|
|
|
|
|
|
|
|
|
return "httpCodeView";
|
|
|
|
return "httpCodeView";
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@PreAuthorize("hasRole('ROLE_CLIENT') and #oauth2.hasScope('" + OAuth2AccessTokenEntity.REGISTRATION_TOKEN_SCOPE + "')")
|
|
|
|
|
|
|
|
@RequestMapping(value = "/{id}", method = RequestMethod.GET, produces = "application/json")
|
|
|
|
|
|
|
|
public String readClientConfiguration(@PathVariable("id") String clientId, Model m, OAuth2Authentication auth) {
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
ClientDetailsEntity client = clientService.loadClientByClientId(clientId);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if (client != null && client.getClientId().equals(auth.getAuthorizationRequest().getClientId())) {
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// we return the token that we got in
|
|
|
|
|
|
|
|
OAuth2AuthenticationDetails details = (OAuth2AuthenticationDetails) auth.getDetails();
|
|
|
|
|
|
|
|
OAuth2AccessTokenEntity token = tokenService.readAccessToken(details.getTokenValue());
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// send it all out to the view
|
|
|
|
|
|
|
|
m.addAttribute("client", client);
|
|
|
|
|
|
|
|
m.addAttribute("code", HttpStatus.OK); // http 200
|
|
|
|
|
|
|
|
m.addAttribute("token", token);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
return "clientInformationResponseView";
|
|
|
|
|
|
|
|
} else {
|
|
|
|
|
|
|
|
// client mismatch
|
|
|
|
|
|
|
|
m.addAttribute("code", HttpStatus.FORBIDDEN); // http 403
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
return "httpCodeView";
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@PreAuthorize("hasRole('ROLE_CLIENT') and #oauth2.hasScope('" + OAuth2AccessTokenEntity.REGISTRATION_TOKEN_SCOPE + "')")
|
|
|
|
|
|
|
|
@RequestMapping(value = "/{id}", method = RequestMethod.PUT, produces = "application/json", consumes = "application/json")
|
|
|
|
|
|
|
|
public String updateClient(@PathVariable("id") String clientId, @RequestBody String jsonString, Model m, OAuth2Authentication auth) {
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
ClientDetailsEntity newClient = parse(jsonString);
|
|
|
|
|
|
|
|
ClientDetailsEntity oldClient = clientService.loadClientByClientId(clientId);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if (newClient != null && oldClient != null // we have an existing client and the new one parsed
|
|
|
|
|
|
|
|
&& oldClient.getClientId().equals(auth.getAuthorizationRequest().getClientId()) // the client passed in the URI matches the one in the auth
|
|
|
|
|
|
|
|
&& oldClient.getClientId().equals(newClient.getClientId()) // the client passed in the body matches the one in the URI
|
|
|
|
|
|
|
|
) {
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// a client can't ask to update its own client secret to any particular value
|
|
|
|
|
|
|
|
newClient.setClientSecret(oldClient.getClientSecret());
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// we need to copy over all of the local and SECOAUTH fields
|
|
|
|
|
|
|
|
newClient.setAccessTokenValiditySeconds(oldClient.getAccessTokenValiditySeconds());
|
|
|
|
|
|
|
|
newClient.setIdTokenValiditySeconds(oldClient.getIdTokenValiditySeconds());
|
|
|
|
|
|
|
|
newClient.setRefreshTokenValiditySeconds(oldClient.getRefreshTokenValiditySeconds());
|
|
|
|
|
|
|
|
newClient.setDynamicallyRegistered(true); // it's still dynamically registered
|
|
|
|
|
|
|
|
newClient.setAllowIntrospection(oldClient.isAllowIntrospection());
|
|
|
|
|
|
|
|
newClient.setAuthorities(oldClient.getAuthorities());
|
|
|
|
|
|
|
|
newClient.setClientDescription(oldClient.getClientDescription());
|
|
|
|
|
|
|
|
newClient.setCreatedAt(oldClient.getCreatedAt());
|
|
|
|
|
|
|
|
newClient.setReuseRefreshToken(oldClient.isReuseRefreshToken());
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// set of scopes that are OK for clients to dynamically register for
|
|
|
|
|
|
|
|
Set<SystemScope> dynScopes = scopeService.getDynReg();
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// scopes that the client is asking for
|
|
|
|
|
|
|
|
Set<SystemScope> requestedScopes = scopeService.fromStrings(newClient.getScope());
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// the scopes that the client can have must be a subset of the dynamically allowed scopes
|
|
|
|
|
|
|
|
Set<SystemScope> allowedScopes = Sets.intersection(dynScopes, requestedScopes);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// make sure that the client doesn't ask for scopes it can't have
|
|
|
|
|
|
|
|
newClient.setScope(scopeService.toStrings(allowedScopes));
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// save the client
|
|
|
|
|
|
|
|
ClientDetailsEntity savedClient = clientService.updateClient(oldClient, newClient);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// we return the token that we got in
|
|
|
|
|
|
|
|
OAuth2AuthenticationDetails details = (OAuth2AuthenticationDetails) auth.getDetails();
|
|
|
|
|
|
|
|
OAuth2AccessTokenEntity token = tokenService.readAccessToken(details.getTokenValue());
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// send it all out to the view
|
|
|
|
|
|
|
|
m.addAttribute("client", savedClient);
|
|
|
|
|
|
|
|
m.addAttribute("code", HttpStatus.OK); // http 200
|
|
|
|
|
|
|
|
m.addAttribute("token", token);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
return "clientInformationResponseView";
|
|
|
|
|
|
|
|
} else {
|
|
|
|
|
|
|
|
// client mismatch
|
|
|
|
|
|
|
|
m.addAttribute("code", HttpStatus.FORBIDDEN); // http 403
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
return "httpCodeView";
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@PreAuthorize("hasRole('ROLE_CLIENT') and #oauth2.hasScope('" + OAuth2AccessTokenEntity.REGISTRATION_TOKEN_SCOPE + "')")
|
|
|
|
|
|
|
|
@RequestMapping(value = "/{id}", method = RequestMethod.DELETE, produces = "application/json")
|
|
|
|
|
|
|
|
public String deleteClient(@PathVariable("id") String clientId, Model m, OAuth2Authentication auth) {
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
ClientDetailsEntity client = clientService.loadClientByClientId(clientId);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if (client != null && client.getClientId().equals(auth.getAuthorizationRequest().getClientId())) {
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// we return the token that we got in
|
|
|
|
|
|
|
|
OAuth2AuthenticationDetails details = (OAuth2AuthenticationDetails) auth.getDetails();
|
|
|
|
|
|
|
|
OAuth2AccessTokenEntity token = tokenService.readAccessToken(details.getTokenValue());
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// send it all out to the view
|
|
|
|
|
|
|
|
m.addAttribute("client", client);
|
|
|
|
|
|
|
|
m.addAttribute("code", HttpStatus.OK); // http 200
|
|
|
|
|
|
|
|
m.addAttribute("token", token);
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
return "clientInformationResponseView";
|
|
|
|
|
|
|
|
} else {
|
|
|
|
|
|
|
|
// client mismatch
|
|
|
|
|
|
|
|
m.addAttribute("code", HttpStatus.FORBIDDEN); // http 403
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
return "httpCodeView";
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
/**
|
|
|
|
*
|
|
|
|
*
|
|
|
|
* Create an unbound ClientDetailsEntity from the given JSON string.
|
|
|
|
* Create an unbound ClientDetailsEntity from the given JSON string.
|
|
|
@ -160,6 +286,10 @@ public class ClientDynamicRegistrationEndpoint {
|
|
|
|
|
|
|
|
|
|
|
|
// TODO: make these field names into constants
|
|
|
|
// TODO: make these field names into constants
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// these two fields should only be sent in the update request, and MUST match existing values
|
|
|
|
|
|
|
|
c.setClientId(getAsString(o, "client_id"));
|
|
|
|
|
|
|
|
c.setClientSecret(getAsString(o, "client_secret"));
|
|
|
|
|
|
|
|
|
|
|
|
// OAuth DynReg
|
|
|
|
// OAuth DynReg
|
|
|
|
c.setRedirectUris(getAsStringSet(o, "redirect_uris"));
|
|
|
|
c.setRedirectUris(getAsStringSet(o, "redirect_uris"));
|
|
|
|
c.setClientName(getAsString(o, "client_name"));
|
|
|
|
c.setClientName(getAsString(o, "client_name"));
|
|
|
|