diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/service/SystemScopeService.java b/openid-connect-common/src/main/java/org/mitre/oauth2/service/SystemScopeService.java
index 143074e7b..347b31078 100644
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/service/SystemScopeService.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/service/SystemScopeService.java
@@ -27,4 +27,8 @@ public interface SystemScopeService {
 public SystemScope save(SystemScope scope);
+ public Set fromStrings(Set scope);
+
+ public Set toStrings(Set scope);
+
 }
diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultSystemScopeService.java b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultSystemScopeService.java
index 20b27f109..d74b29b2a 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultSystemScopeService.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultSystemScopeService.java
@@ -3,6 +3,7 @@ */
 package org.mitre.oauth2.service.impl;
+import java.util.HashSet;
 import java.util.Set;
 import javax.annotation.Nullable;
@@ -13,7 +14,10 @@ import org.mitre.oauth2.service.SystemScopeService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
+import com.google.common.base.Function;
 import com.google.common.base.Predicate;
+import com.google.common.base.Predicates;
+import com.google.common.collect.Collections2;
 import com.google.common.collect.Sets;
 /**
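Review bot: The two new interface methods `fromStrings` and `toStrings` are declared without Javadoc, and their null/unknown-value contract is exactly what the registration endpoint later in this diff relies on (it branches on a null return to fall back to default scopes). I would pin the contract on the interface so any other implementor keeps it, e.g. on `fromStrings`: `/** Resolves scope strings to their registered SystemScope objects; strings that match no registered scope are dropped silently, and the result is null if and only if {@code scope} is null. */`, with the mirror statement on `toStrings` (null elements dropped, null in / null out). Those two behaviours are visible in the DefaultSystemScopeService implementation in this same diff, so the documentation would be stating what the code already does rather than adding a new promise.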
@@ -43,7 +47,23 @@ public class DefaultSystemScopeService implements SystemScopeService {
 }
 };
+ private Function stringToSystemScope = new Function() {
+ @Override
+ public SystemScope apply(@Nullable String input) {
+ return getByValue(input);
+ }
+ };
+ private Function systemScopeToString = new Function() {
+ @Override
+ public String apply(@Nullable SystemScope input) {
+ if (input == null) {
+ return null;
+ } else {
+ return input.getValue();
+ }
+ }
+ };
 /* (non-Javadoc)
 * @see org.mitre.oauth2.service.SystemScopeService#getAll()
@@ -102,6 +122,30 @@ public class DefaultSystemScopeService implements SystemScopeService {
 return repository.save(scope);
 }
+ /* (non-Javadoc)
+ * @see org.mitre.oauth2.service.SystemScopeService#fromStrings(java.util.Set)
+ */
+ @Override
+ public Set fromStrings(Set scope) {
+ if (scope == null) {
+ return null;
+ } else {
+ return new HashSet(Collections2.filter(Collections2.transform(scope, stringToSystemScope), Predicates.notNull()));
+ }
+ }
+
+ /* (non-Javadoc)
+ * @see org.mitre.oauth2.service.SystemScopeService#toStrings(java.util.Set)
+ */
+ @Override
+ public Set toStrings(Set scope) {
+ if (scope == null) {
+ return null;
+ } else {
+ return new HashSet(Collections2.filter(Collections2.transform(scope, systemScopeToString), Predicates.notNull()));
+ }
+ }
+
 }
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientDynamicRegistrationEndpoint.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientDynamicRegistrationEndpoint.java
index 8f2edb033..e6316272d 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientDynamicRegistrationEndpoint.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientDynamicRegistrationEndpoint.java
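Review bot: `stringToSystemScope.apply` hands its `@Nullable` input straight to `getByValue(input)`, while its sibling `systemScopeToString` guards null first; whether `getByValue` tolerates a null value is not visible in this hunk, and the strings fed through this adapter come from client-supplied registration metadata, so a null element (a JSON array containing null, presumably) would reach the lookup unguarded. I would mirror the sibling adapter: `if (input == null) { return null; }` ahead of `return getByValue(input);` — `fromStrings`'s `Predicates.notNull()` filter already expects null to mean "not resolvable", so this changes no observable result for valid input. The enclosing class starts outside the hunk.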
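Review bot: `fromStrings` silently discards every string that `getByValue` cannot resolve (that is what the `Predicates.notNull()` filter does), so a client that asks for a scope the server does not know receives a quietly reduced set and nothing is logged; in the dynamic-registration caller elsewhere in this diff this filter is the only validation the requested scopes receive. A comment on the filter line would make the intent explicit — `// unknown scope strings resolve to null and are dropped here; callers only ever see registered scopes` — and a debug-level log of the dropped values would let an operator answer "why did my client not get scope X". Both methods also return null for null input instead of an empty set; the create path in ClientDynamicRegistrationEndpoint depends on that distinction, so if it is deliberate it belongs in the method Javadoc rather than staying implicit.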
@@ -12,8 +12,10 @@ import org.mitre.oauth2.model.ClientDetailsEntity.AppType;
 import org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod;
 import org.mitre.oauth2.model.ClientDetailsEntity.SubjectType;
 import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
+import org.mitre.oauth2.model.SystemScope;
 import org.mitre.oauth2.service.ClientDetailsEntityService;
 import org.mitre.oauth2.service.OAuth2TokenEntityService;
+import org.mitre.oauth2.service.SystemScopeService;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.core.AuthenticationException;
@@ -44,6 +46,9 @@ public class ClientDynamicRegistrationEndpoint {
 @Autowired
 private OAuth2TokenEntityService tokenService;
+
+ @Autowired
+ private SystemScopeService scopeService;
 /**
 * Bind utility data types to their classes
@@ -254,12 +259,22 @@ public class ClientDynamicRegistrationEndpoint {
 client.setRequireAuthTime(requireAuthTime == null ? false : requireAuthTime.booleanValue());
 client.setDefaultACR(defaultAcr);
- if (scope != null) {
- // TODO: check against some kind of scope service for scope validity
- client.setScope(scope);
- } else {
- client.setScope(Sets.newHashSet("openid", "phone", "address", "profile", "email")); // provision all scopes
+ // set of scopes that are OK for clients to dynamically register for
+ Set dynScopes = scopeService.getDynReg();
+
+ // scopes that the client is asking for
+ Set requestedScopes = scopeService.fromStrings(scope);
+ if (requestedScopes == null) {
+ requestedScopes = scopeService.getDefaults();
 }
+
+ // the scopes that the client can have must be a subset of the dynamically allowed scopes
+ Set allowedScopes = Sets.intersection(dynScopes, requestedScopes);
+
+ client.setScope(scopeService.toStrings(allowedScopes));
+
+
+
 if (grantType != null) {
 // TODO: check against some kind of grant type service for validity
 client.setAuthorizedGrantTypes(grantType);
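Review bot: When the intersection in `Set allowedScopes = Sets.intersection(dynScopes, requestedScopes);` comes out empty — every requested scope unknown to the server or outside the dyn-reg set — the client is still registered, now with an empty scope set, and nothing in the hunk reports the reduction; the dynamic registration spec does let the server substitute a subset, but it also defines an `invalid_client_metadata` error for exactly this, and a silent empty grant is rarely what a registrant intended. I would at least log what was dropped, `Sets.difference(requestedScopes, dynScopes)`, and consider rejecting when `allowedScopes.isEmpty()` although the request named scopes. Replacing the old hard-coded "provision all scopes" fallback with `getDefaults()` that is itself capped by the intersection is the right direction, since an omitted `scope` can no longer yield more than a named one. The three consecutive blank lines after `client.setScope(...)` look like a stray paste. The enclosing method starts and ends outside the hunk.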
@@ -450,8 +465,16 @@ public class ClientDynamicRegistrationEndpoint {
 client.setDefaultACR(Strings.emptyToNull(defaultAcr));
 }
 if (params.containsKey("scope")) {
- // TODO: check against some kind of scope service for scope validity
- client.setScope(scope);
+ // set of scopes that are OK for clients to dynamically register for
+ Set dynScopes = scopeService.getDynReg();
+
+ // scopes that the client is asking for
+ Set requestedScopes = scopeService.fromStrings(scope);
+
+ // the scopes that the client can have must be a subset of the dynamically allowed scopes
+ Set allowedScopes = Sets.intersection(dynScopes, requestedScopes);
+
+ client.setScope(scopeService.toStrings(allowedScopes));
 }
 if (params.containsKey("grant_type")) {
 // TODO: check against some kind of grant type service for validity
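Review bot: `scopeService.fromStrings(scope)` returns null when `scope` is null (per the implementation earlier in this diff) and Guava's `Sets.intersection` rejects a null argument, so an update whose `scope` key is present but binds to null — presumably a literal `"scope": null`, since where `scope` is bound is outside the hunk — would throw a NullPointerException from inside the `params.containsKey("scope")` branch instead of being validated; the create path guards this case with a defaults fallback but this update path does not. I would add, right after the `fromStrings` call, `if (requestedScopes == null) { requestedScopes = scopeService.getDefaults(); }` to mirror create, or `requestedScopes = Sets.newHashSet();` if an explicit null on update is meant to clear the scopes — either way the choice should be explicit. Note also that because the stored value becomes `dynScopes ∩ requested`, a client that re-PUTs its metadata loses any scope an administrator granted it outside the dyn-reg set; that is a sound least-privilege outcome, but it is a behaviour change worth a comment on the intersection line so it is not later "fixed" as a bug. The enclosing method starts and ends outside the hunk.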