Moved special token scopes to scope service interface

openid-connect-common/src/main/java/org/mitre/oauth2/model/OAuth2AccessTokenEntity.java

@@ -68,10 +68,7 @@ import com.nimbusds.jwt.JWTParser;
 //@JsonDeserialize(using = OAuth2AccessTokenDeserializer.class)
 public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
 
-	public static final String ID_TOKEN_SCOPE = "id-token";
-	public static final String REGISTRATION_TOKEN_SCOPE = "registration-token";
-
-	public static String ID_TOKEN = "id_token";
+	public static String ID_TOKEN_FIELD_NAME = "id_token";
 
 	private Long id;
 
@@ -123,7 +120,7 @@ public class OAuth2AccessTokenEntity implements OAuth2AccessToken {
 	public Map<String, Object> getAdditionalInformation() {
 		Map<String, Object> map = new HashMap<String, Object>(); //super.getAdditionalInformation();
 		if (getIdToken() != null) {
-			map.put(ID_TOKEN, getIdTokenString());
+			map.put(ID_TOKEN_FIELD_NAME, getIdTokenString());
 		}
 		return map;
 	}

openid-connect-common/src/main/java/org/mitre/oauth2/service/SystemScopeService.java

@@ -29,6 +29,10 @@ import org.mitre.oauth2.model.SystemScope;
  */
 public interface SystemScopeService {
 
+	public static final String OFFLINE_ACCESS = "offline_access";
+	public static final String ID_TOKEN_SCOPE = "id-token";
+	public static final String REGISTRATION_TOKEN_SCOPE = "registration-token";
+	
 	public Set<SystemScope> getAll();
 
 	/**

openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java

@@ -33,6 +33,7 @@ import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.repository.OAuth2ClientRepository;
 import org.mitre.oauth2.repository.OAuth2TokenRepository;
 import org.mitre.oauth2.service.ClientDetailsEntityService;
+import org.mitre.oauth2.service.SystemScopeService;
 import org.mitre.openid.connect.model.WhitelistedSite;
 import org.mitre.openid.connect.service.ApprovedSiteService;
 import org.mitre.openid.connect.service.BlacklistedSiteService;
@@ -101,9 +102,9 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt
 
 		// if the client is flagged to allow for refresh tokens, make sure it's got the right granted scopes
 		if (client.isAllowRefresh()) {
-			client.getScope().add("offline_access");
+			client.getScope().add(SystemScopeService.OFFLINE_ACCESS);
 		} else {
-			client.getScope().remove("offline_access");
+			client.getScope().remove(SystemScopeService.OFFLINE_ACCESS);
 		}
 
 		// timestamp this to right now
@@ -203,9 +204,9 @@ public class DefaultOAuth2ClientDetailsEntityService implements ClientDetailsEnt
 
 			// if the client is flagged to allow for refresh tokens, make sure it's got the right scope
 			if (newClient.isAllowRefresh()) {
-				newClient.getScope().add("offline_access");
+				newClient.getScope().add(SystemScopeService.OFFLINE_ACCESS);
 			} else {
-				newClient.getScope().remove("offline_access");
+				newClient.getScope().remove(SystemScopeService.OFFLINE_ACCESS);
 			}
 
 			// check the sector URI

openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ProviderTokenService.java

@@ -34,6 +34,7 @@ import org.mitre.oauth2.repository.AuthenticationHolderRepository;
 import org.mitre.oauth2.repository.OAuth2TokenRepository;
 import org.mitre.oauth2.service.ClientDetailsEntityService;
 import org.mitre.oauth2.service.OAuth2TokenEntityService;
+import org.mitre.oauth2.service.SystemScopeService;
 import org.mitre.openid.connect.model.ApprovedSite;
 import org.mitre.openid.connect.service.ApprovedSiteService;
 import org.slf4j.Logger;
@@ -159,8 +160,7 @@ public class DefaultOAuth2ProviderTokenService implements OAuth2TokenEntityServi
 			token.setAuthenticationHolder(authHolder);
 
 			// attach a refresh token, if this client is allowed to request them and the user gets the offline scope
-			// TODO: tie this to some kind of scope service
-			if (client.isAllowRefresh() && scopes.contains("offline_access")) {
+			if (client.isAllowRefresh() && scopes.contains(SystemScopeService.OFFLINE_ACCESS)) {
 				OAuth2RefreshTokenEntity refreshToken = new OAuth2RefreshTokenEntity(); //refreshTokenFactory.createNewRefreshToken();
 				JWTClaimsSet refreshClaims = new JWTClaimsSet();
 

openid-connect-server/src/main/java/org/mitre/oauth2/token/JwtAssertionTokenGranter.java

@@ -27,6 +27,7 @@ import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
 import org.mitre.oauth2.service.ClientDetailsEntityService;
 import org.mitre.oauth2.service.OAuth2TokenEntityService;
+import org.mitre.oauth2.service.SystemScopeService;
 import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.BadCredentialsException;
@@ -79,7 +80,7 @@ public class JwtAssertionTokenGranter extends AbstractTokenGranter {
 		String incomingTokenValue = tokenRequest.getRequestParameters().get("assertion");
 		OAuth2AccessTokenEntity incomingToken = tokenServices.readAccessToken(incomingTokenValue);
 
-		if (incomingToken.getScope().contains(OAuth2AccessTokenEntity.ID_TOKEN_SCOPE)) {
+		if (incomingToken.getScope().contains(SystemScopeService.ID_TOKEN_SCOPE)) {
 
 			if (!client.getClientId().equals(tokenRequest.getClientId())) {
 				throw new InvalidClientException("Not the right client for this token");

openid-connect-server/src/main/java/org/mitre/openid/connect/service/impl/DefaultOIDCTokenService.java

@@ -26,6 +26,7 @@ import org.mitre.oauth2.model.AuthenticationHolderEntity;
 import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
 import org.mitre.oauth2.repository.AuthenticationHolderRepository;
+import org.mitre.oauth2.service.SystemScopeService;
 import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
 import org.mitre.openid.connect.service.OIDCTokenService;
 import org.mitre.openid.connect.util.IdTokenHashUtils;
@@ -118,7 +119,7 @@ public class DefaultOIDCTokenService implements OIDCTokenService {
 
 		// create a scope set with just the special "id-token" scope
 		//Set<String> idScopes = new HashSet<String>(token.getScope()); // this would copy the original token's scopes in, we don't really want that
-		Set<String> idScopes = Sets.newHashSet(OAuth2AccessTokenEntity.ID_TOKEN_SCOPE);
+		Set<String> idScopes = Sets.newHashSet(SystemScopeService.ID_TOKEN_SCOPE);
 		idTokenEntity.setScope(idScopes);
 
 		idTokenEntity.setClient(accessToken.getClient());
@@ -136,12 +137,12 @@ public class DefaultOIDCTokenService implements OIDCTokenService {
 		Map<String, String> authorizationParameters = Maps.newHashMap();
 		OAuth2Request clientAuth = new OAuth2Request(authorizationParameters, client.getClientId(),
 				Sets.newHashSet(new SimpleGrantedAuthority("ROLE_CLIENT")), true,
-				Sets.newHashSet(OAuth2AccessTokenEntity.REGISTRATION_TOKEN_SCOPE), null, null, null, null);
+				Sets.newHashSet(SystemScopeService.REGISTRATION_TOKEN_SCOPE), null, null, null, null);
 		OAuth2Authentication authentication = new OAuth2Authentication(clientAuth, null);
 
 		OAuth2AccessTokenEntity token = new OAuth2AccessTokenEntity();
 		token.setClient(client);
-		token.setScope(Sets.newHashSet(OAuth2AccessTokenEntity.REGISTRATION_TOKEN_SCOPE));
+		token.setScope(Sets.newHashSet(SystemScopeService.REGISTRATION_TOKEN_SCOPE));
 
 		AuthenticationHolderEntity authHolder = new AuthenticationHolderEntity();
 		authHolder.setAuthentication(authentication);

openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientDynamicRegistrationEndpoint.java

@@ -189,7 +189,7 @@ public class ClientDynamicRegistrationEndpoint {
 	 * @param auth
 	 * @return
 	 */
-	@PreAuthorize("hasRole('ROLE_CLIENT') and #oauth2.hasScope('" + OAuth2AccessTokenEntity.REGISTRATION_TOKEN_SCOPE + "')")
+	@PreAuthorize("hasRole('ROLE_CLIENT') and #oauth2.hasScope('" + SystemScopeService.REGISTRATION_TOKEN_SCOPE + "')")
 	@RequestMapping(value = "/{id}", method = RequestMethod.GET, produces = "application/json")
 	public String readClientConfiguration(@PathVariable("id") String clientId, Model m, OAuth2Authentication auth) {
 
@@ -228,7 +228,7 @@ public class ClientDynamicRegistrationEndpoint {
 	 * @param auth
 	 * @return
 	 */
-	@PreAuthorize("hasRole('ROLE_CLIENT') and #oauth2.hasScope('" + OAuth2AccessTokenEntity.REGISTRATION_TOKEN_SCOPE + "')")
+	@PreAuthorize("hasRole('ROLE_CLIENT') and #oauth2.hasScope('" + SystemScopeService.REGISTRATION_TOKEN_SCOPE + "')")
 	@RequestMapping(value = "/{id}", method = RequestMethod.PUT, produces = "application/json", consumes = "application/json")
 	public String updateClient(@PathVariable("id") String clientId, @RequestBody String jsonString, Model m, OAuth2Authentication auth) {
 
@@ -307,7 +307,7 @@ public class ClientDynamicRegistrationEndpoint {
 	 * @param auth
 	 * @return
 	 */
-	@PreAuthorize("hasRole('ROLE_CLIENT') and #oauth2.hasScope('" + OAuth2AccessTokenEntity.REGISTRATION_TOKEN_SCOPE + "')")
+	@PreAuthorize("hasRole('ROLE_CLIENT') and #oauth2.hasScope('" + SystemScopeService.REGISTRATION_TOKEN_SCOPE + "')")
 	@RequestMapping(value = "/{id}", method = RequestMethod.DELETE, produces = "application/json")
 	public String deleteClient(@PathVariable("id") String clientId, Model m, OAuth2Authentication auth) {
 

openid-connect-server/src/test/java/org/mitre/oauth2/service/impl/TestDefaultOAuth2ClientDetailsEntityService.java

@@ -24,6 +24,7 @@ import org.junit.runner.RunWith;
 import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.mitre.oauth2.repository.OAuth2ClientRepository;
 import org.mitre.oauth2.repository.OAuth2TokenRepository;
+import org.mitre.oauth2.service.SystemScopeService;
 import org.mitre.openid.connect.model.WhitelistedSite;
 import org.mitre.openid.connect.service.ApprovedSiteService;
 import org.mitre.openid.connect.service.BlacklistedSiteService;
@@ -133,7 +134,7 @@ public class TestDefaultOAuth2ClientDetailsEntityService {
 
 		service.saveNewClient(client);
 
-		Mockito.verify(scopes).add("offline_access");
+		Mockito.verify(scopes).add(SystemScopeService.OFFLINE_ACCESS);
 	}
 
 	/**
@@ -155,7 +156,7 @@ public class TestDefaultOAuth2ClientDetailsEntityService {
 
 		service.saveNewClient(client);
 
-		Mockito.verify(scopes).remove("offline_access");
+		Mockito.verify(scopes).remove(SystemScopeService.OFFLINE_ACCESS);
 	}
 
 	@Test
@@ -281,7 +282,7 @@ public class TestDefaultOAuth2ClientDetailsEntityService {
 
 		service.updateClient(oldClient, newClient);
 
-		Mockito.verify(scopes).add("offline_access");
+		Mockito.verify(scopes).add(SystemScopeService.OFFLINE_ACCESS);
 	}
 
 	@Test
@@ -300,6 +301,6 @@ public class TestDefaultOAuth2ClientDetailsEntityService {
 
 		service.updateClient(oldClient, newClient);
 
-		Mockito.verify(scopes).remove("offline_access");
+		Mockito.verify(scopes).remove(SystemScopeService.OFFLINE_ACCESS);
 	}
 }

openid-connect-server/src/test/java/org/mitre/oauth2/service/impl/TestDefaultOAuth2ProviderTokenService.java

@@ -37,6 +37,7 @@ import org.mitre.oauth2.model.OAuth2RefreshTokenEntity;
 import org.mitre.oauth2.repository.AuthenticationHolderRepository;
 import org.mitre.oauth2.repository.OAuth2TokenRepository;
 import org.mitre.oauth2.service.ClientDetailsEntityService;
+import org.mitre.oauth2.service.SystemScopeService;
 import org.mockito.InjectMocks;
 import org.mockito.Matchers;
 import org.mockito.Mock;
@@ -191,7 +192,7 @@ public class TestDefaultOAuth2ProviderTokenService {
 	@Test
 	public void createAccessToken_yesRefresh() {
 
-		OAuth2Request clientAuth = new OAuth2Request(null, clientId, null, true, Sets.newHashSet("offline_access"), null, null, null, null);
+		OAuth2Request clientAuth = new OAuth2Request(null, clientId, null, true, Sets.newHashSet(SystemScopeService.OFFLINE_ACCESS), null, null, null, null);
 		Mockito.when(authentication.getOAuth2Request()).thenReturn(clientAuth);
 		Mockito.when(client.isAllowRefresh()).thenReturn(true);