added chained token grant
Justin Richer
parent
54708fb0ac
commit
edc96d646c
|
|
@ -0,0 +1,98 @@
|
|||
/**
|
||||
*
|
||||
*/
|
||||
package org.mitre.oauth2.token;
|
||||
|
||||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
|
||||
import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
|
||||
import org.mitre.oauth2.service.ClientDetailsEntityService;
|
||||
import org.mitre.oauth2.service.OAuth2TokenEntityService;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.security.oauth2.common.OAuth2AccessToken;
|
||||
import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
|
||||
import org.springframework.security.oauth2.provider.AuthorizationRequest;
|
||||
import org.springframework.security.oauth2.provider.ClientDetailsService;
|
||||
import org.springframework.security.oauth2.provider.DefaultAuthorizationRequest;
|
||||
import org.springframework.security.oauth2.provider.token.AbstractTokenGranter;
|
||||
import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;
|
||||
import org.springframework.stereotype.Component;
|
||||
|
||||
import com.google.common.collect.Sets;
|
||||
|
||||
/**
|
||||
* @author jricher
|
||||
*
|
||||
*/
|
||||
@Component("chainedTokenGranter")
|
||||
public class ChainedTokenGranter extends AbstractTokenGranter {
|
||||
|
||||
private static final String grantType = "urn:ietf:params:oauth:grant_type:redelegate";
|
||||
|
||||
// keep down-cast versions so we can get to the right queries
|
||||
private OAuth2TokenEntityService tokenServices;
|
||||
private ClientDetailsEntityService clientDetailsService;
|
||||
|
||||
/**
|
||||
* @param tokenServices
|
||||
* @param clientDetailsService
|
||||
* @param grantType
|
||||
*/
|
||||
@Autowired
|
||||
public ChainedTokenGranter(OAuth2TokenEntityService tokenServices, ClientDetailsEntityService clientDetailsService) {
|
||||
super(tokenServices, clientDetailsService, grantType);
|
||||
|
||||
this.tokenServices = tokenServices;
|
||||
this.clientDetailsService = clientDetailsService;
|
||||
|
||||
}
|
||||
|
||||
/* (non-Javadoc)
|
||||
* @see org.springframework.security.oauth2.provider.token.AbstractTokenGranter#getAccessToken(org.springframework.security.oauth2.provider.AuthorizationRequest)
|
||||
*/
|
||||
@Override
|
||||
protected OAuth2AccessToken getAccessToken(AuthorizationRequest authorizationRequest) {
|
||||
|
||||
// read and load up the existing token
|
||||
String incomingTokenValue = authorizationRequest.getAuthorizationParameters().get("token");
|
||||
OAuth2AccessTokenEntity incomingToken = tokenServices.readAccessToken(incomingTokenValue);
|
||||
|
||||
// check for scoping in the request, can't up-scope with a chained request
|
||||
Set<String> approvedScopes = incomingToken.getScope();
|
||||
Set<String> requestedScopes = authorizationRequest.getScope();
|
||||
|
||||
if (requestedScopes == null) {
|
||||
requestedScopes = new HashSet<String>();
|
||||
}
|
||||
|
||||
// if our scopes are a valid subset of what's allowed, we can continue
|
||||
if (approvedScopes.containsAll(requestedScopes)) {
|
||||
|
||||
// build an appropriate auth request to hand to the token services layer
|
||||
DefaultAuthorizationRequest outgoingAuthRequest = new DefaultAuthorizationRequest(authorizationRequest);
|
||||
outgoingAuthRequest.setApproved(true);
|
||||
if (requestedScopes.isEmpty()) {
|
||||
// if there are no scopes, inherit the original scopes from the token
|
||||
outgoingAuthRequest.setScope(approvedScopes);
|
||||
} else {
|
||||
// if scopes were asked for, give only the subset of scopes requested
|
||||
// this allows safe downscoping
|
||||
outgoingAuthRequest.setScope(Sets.intersection(requestedScopes, approvedScopes));
|
||||
}
|
||||
|
||||
// NOTE: don't revoke the existing access token
|
||||
|
||||
// create a new access token
|
||||
return tokenServices.createAccessToken(getOAuth2Authentication(outgoingAuthRequest));
|
||||
|
||||
} else {
|
||||
throw new InvalidScopeException("Invalid scope requested in chained request", approvedScopes);
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
}
|
||||
|
|
@ -114,7 +114,8 @@
|
|||
<oauth:authorization-code authorization-code-services-ref="defaultOAuth2AuthorizationCodeService"/>
|
||||
<oauth:implicit />
|
||||
<oauth:refresh-token/>
|
||||
|
||||
<oauth:custom-grant token-granter-ref="chainedTokenGranter" />
|
||||
|
||||
</oauth:authorization-server>
|
||||
|
||||
<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
|
||||
|
|
|
|||
Loading…
Reference in New Issue