diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/service/SystemScopeService.java b/openid-connect-common/src/main/java/org/mitre/oauth2/service/SystemScopeService.java
index b7a0e1c74..02dacac20 100644
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/service/SystemScopeService.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/service/SystemScopeService.java
@@ -78,4 +78,11 @@ public interface SystemScopeService {
 * a scope with or without a value in "actual".
 */
 public boolean scopesMatch(Set expected, Set actual);
+
+ /**
+ * Remove any system-restricted scopes from the set and return the result.
+ * @param scopes
+ * @return
+ */
+ public Set removeRestrictedScopes(Set scopes);
 }
diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java
index 8051b58bc..35e7e5614 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java
@@ -73,6 +73,9 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt
 @Autowired
 private BlacklistedSiteService blacklistedSiteService;
+
+ @Autowired
+ private SystemScopeService scopeService;
 // map of sector URI -> list of redirect URIs
 private LoadingCache> sectorRedirects = CacheBuilder.newBuilder()
@@ -130,6 +133,9 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt
 }
+ // make sure a client doesn't get any special system scopes
+ client.setScope(scopeService.removeRestrictedScopes(client.getScope()));
+
 return clientRepository.saveClient(client);
 }
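Review bot: The Javadoc added for `removeRestrictedScopes` leaves `@param` and `@return` empty, and the callers in this commit rely on two properties it should state: the token-creation path in DefaultOAuth2ProviderTokenService hands the result to `token.setScope()` directly under a comment saying Eclipselink needs a modifiable set, and the client save/update paths pass `client.getScope()` through with no null guard while the refresh path builds a fresh HashSet first. I would write `@param scopes the scopes to filter; must not be null` and `@return a new, modifiable set holding every element of scopes that is not a system-restricted scope`, or, if a null argument is meant to be tolerated, say so and define the result as an empty set. The Guava-based implementation added in DefaultSystemScopeService appears to reject a null collection, so leaving this unstated makes the null-safety of each call site depend on reading the implementation.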
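Review bot: `client.setScope(scopeService.removeRestrictedScopes(client.getScope()))` passes the client's scope set straight into the service with no null guard, unlike the refresh-token path in DefaultOAuth2ProviderTokenService, which copies into a HashSet before filtering; whether a client can reach this point with a null scope set is not visible in the hunk, but if it can, the save would fail with a NullPointerException inside the filter instead of storing the client. The same unguarded call is added to the update path in the next hunk. If null is possible, either normalise first, `Set<String> requested = client.getScope() == null ? new HashSet<String>() : client.getScope();`, or make the service treat null as empty so every caller gets the same behaviour. The enclosing method starts outside the hunk.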
@@ -226,6 +232,9 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt
 throw new IllegalArgumentException("Unable to load sector identifier URI: " + newClient.getSectorIdentifierUri());
 }
 }
+
+ // make sure a client doesn't get any special system scopes
+ newClient.setScope(scopeService.removeRestrictedScopes(newClient.getScope()));
 return clientRepository.updateClient(oldClient.getId(), newClient);
 }
diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
index a712a9f79..d4bec2c03 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java
@@ -79,6 +79,9 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 @Autowired
 private TokenEnhancer tokenEnhancer;
+ @Autowired
+ private SystemScopeService scopeService;
+
 @Override
 public Set getAllAccessTokensForUser(String id) {
@@ -144,6 +147,8 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 //not unmodifiable. Unmodifiables don't play nicely with Eclipselink, which
 //wants to use the clone operation.
 Set scopes = Sets.newHashSet(clientAuth.getScope());
+ // remove any of the special system scopes
+ scopes = scopeService.removeRestrictedScopes(scopes);
 token.setScope(scopes);
 // make it expire if necessary
@@ -254,8 +259,13 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 // get the stored scopes from the authentication holder's authorization request; these are the scopes associated with the refresh token
 Set refreshScopes = new HashSet(refreshToken.getAuthenticationHolder().getAuthentication().getOAuth2Request().getScope());
-
+ // remove any of the special system scopes
+ refreshScopes = scopeService.removeRestrictedScopes(refreshScopes);
+
 Set scope = authRequest.getScope() == null ? new HashSet() : new HashSet(authRequest.getScope());
+ // remove any of the special system scopes
+ scope = scopeService.removeRestrictedScopes(scope);
+
 if (scope != null && !scope.isEmpty()) {
 // ensure a proper subset of scopes
 if (refreshScopes != null && refreshScopes.containsAll(scope)) {
diff --git a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultSystemScopeService.java b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultSystemScopeService.java
index 8aceb4f55..37082b600 100644
--- a/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultSystemScopeService.java
+++ b/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultSystemScopeService.java
@@ -63,6 +63,15 @@ public class DefaultSystemScopeService implements SystemScopeService {
 return (input != null && input.isAllowDynReg());
 }
 };
+
+ private Predicate isRestricted = new Predicate() {
+ @Override
+ public boolean apply(String input) {
+ return (input != null &&
+ !input.equals(ID_TOKEN_SCOPE) &&
+ !input.equals(REGISTRATION_TOKEN_SCOPE));
+ }
+ };
 private Function stringToSystemScope = new Function() {
 @Override
@@ -230,6 +239,11 @@ public class DefaultSystemScopeService implements SystemScopeService {
 }
+ @Override
+ public Set removeRestrictedScopes(Set scopes) {
+ return new LinkedHashSet(Collections2.filter(scopes, isRestricted));
+ }
+
 }
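Review bot: After the added `scope = scopeService.removeRestrictedScopes(scope);`, the `scope != null` test on the following context line (and the `refreshScopes != null` test two lines later) can only matter if the service may return null, which the new interface Javadoc does not say and the implementation in this commit never does, so the next reader is left guessing whether the checks are dead or guarding a real case. Either drop them, or add a comment on the reassignment such as `// removeRestrictedScopes returns a new, non-null set` so the intent is recorded at the point it is relied on. Filtering both sets before the containsAll comparison means a refresh request naming a reserved scope is silently narrowed rather than rejected; if that is intended, a sentence saying so at the comparison would help. The enclosing method starts and ends outside the hunk.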
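Review bot: The predicate added as `isRestricted` returns true for scopes that are not restricted (its `apply` rejects exactly ID_TOKEN_SCOPE and REGISTRATION_TOKEN_SCOPE), so the name states the opposite of the value, and the later call `Collections2.filter(scopes, isRestricted)` reads as though it keeps the restricted scopes. Rename it to `isNotRestricted`, matching the neighbouring predicate whose name agrees with its truth value, or define it as the positive test and filter with `Predicates.not(isRestricted)`. A short comment on the field, `// true for scopes a client may hold; the two token scopes are reserved for the system`, would also make the filtering direction explicit.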
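Review bot: `removeRestrictedScopes` passes `scopes` straight into `Collections2.filter`, which in Guava rejects a null collection, so a null argument from any caller surfaces as a NullPointerException; since the interface Javadoc is silent on this, either treat null as empty here, `if (scopes == null) { return new LinkedHashSet<String>(); }`, or document the precondition. The list of reserved scopes is hard-coded as two string constants inside the predicate rather than derived from the stored system scopes, so any further reserved scope has to be added in this class; a comment naming that as the single place to extend, or a `RESTRICTED_SCOPES` set constant, would make that discoverable. Consider logging at debug level when the returned set is smaller than the input, so administrators can see registrations or token requests that asked for a reserved scope.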