Class ScopeNarrowingOAuth2AuthorizationCodeRequestAuthenticationProvider

java.lang.Object
  com.broadleafcommerce.auth.authorization.security.spring.ScopeNarrowingOAuth2AuthorizationCodeRequestAuthenticationProvider

All Implemented Interfaces:
- org.springframework.security.authentication.AuthenticationProvider

public class ScopeNarrowingOAuth2AuthorizationCodeRequestAuthenticationProvider extends Object implements org.springframework.security.authentication.AuthenticationProvider
An AuthenticationProvider implementation for the OAuth 2.0 Authorization Code Request. This is a customized version of the original Spring class (OAuth2AuthorizationCodeRequestAuthenticationProvider).

This implementation adds scope validation to the authentication process. There are 3 parts of scope validation:
- If there are no scopes on the request, the default scopes from the client are added to the request. Handled in DefaultClientScopeAuthorizationCodeRequestConverter.
- The requested scopes are compared to all the scopes that a User is able to access. Any invalid scopes are removed from the request.
- After the previous steps, if there are no scopes on the request, then throw an INVALID_SCOPE exception.
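The three narrowing steps above, plus the OFFLINE_ACCESS pass-through and the per-client check described in the method details, written as a plain-Java example that is added here and is not the project's own code. RegisteredClient, SecurityService and InvalidScopeException are stand-ins for the Spring and Broadleaf types the real provider uses, and the order in which the client check runs relative to the OFFLINE_ACCESS step is an assumption.

```java
import java.util.LinkedHashSet;
import java.util.Set;

// Added example, not the project's code: scope narrowing against plain Sets so it runs without Spring.
public class ScopeNarrowingExample {
    // Stand-in for RegisteredClient: the scopes a client is registered to request.
    record RegisteredClient(String clientId, Set<String> scopes) {}
    // Stand-in for the SecurityService dependency: the scopes a given user may access.
    interface SecurityService { Set<String> userScopes(String username); }
    // Stand-in for the INVALID_SCOPE error the real provider raises.
    static class InvalidScopeException extends RuntimeException {
        InvalidScopeException(String msg) { super("invalid_scope: " + msg); }
    }
    static final String OFFLINE_ACCESS_SCOPE = "OFFLINE_ACCESS";

    /** Narrow the requested scopes to those both the user and the client are allowed. */
    static Set<String> narrow(Set<String> requested, RegisteredClient client,
                              SecurityService security, String username) {
        // Step 1: no scopes requested -> fall back to the client's default scopes
        // (in the real flow DefaultClientScopeAuthorizationCodeRequestConverter does this).
        Set<String> effective = requested.isEmpty() ? client.scopes() : requested;
        // Step 2: keep only scopes the user can access; anything else is dropped, not rejected.
        Set<String> userAllowed = security.userScopes(username);
        Set<String> authorized = new LinkedHashSet<>();
        for (String s : effective) {
            if (userAllowed.contains(s)) authorized.add(s);
        }
        // handleOfflineAccessScope: OFFLINE_ACCESS is a request flag, not a user permission,
        // so it is carried over whenever it was requested.
        if (effective.contains(OFFLINE_ACCESS_SCOPE)) authorized.add(OFFLINE_ACCESS_SCOPE);
        // validateScopesForClient: every surviving scope must be registered for the client.
        for (String s : authorized) {
            if (!client.scopes().contains(s)) {
                throw new InvalidScopeException("scope not registered for client: " + s);
            }
        }
        // Step 3: nothing left -> INVALID_SCOPE rather than issuing a code with no scopes.
        if (authorized.isEmpty()) throw new InvalidScopeException("no authorized scopes");
        return authorized;
    }

    public static void main(String[] args) {
        // Constructed sample client and user (assumed values, not from the page).
        RegisteredClient client = new RegisteredClient("web", Set.of("PRODUCT", "ORDER", "OFFLINE_ACCESS"));
        SecurityService security = user -> Set.of("PRODUCT");
        // ORDER is dropped because the user lacks it; PRODUCT and OFFLINE_ACCESS remain.
        System.out.println(narrow(Set.of("PRODUCT", "ORDER", "OFFLINE_ACCESS"), client, security, "alice"));
    }
}
```

Requesting an empty set with the same client and user exercises step 1 (the client defaults are used), and requesting only ORDER exercises step 3 (InvalidScopeException).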
Field Summary

- OFFLINE_ACCESS_SCOPE

Constructor Summary

- ScopeNarrowingOAuth2AuthorizationCodeRequestAuthenticationProvider(org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository registeredClientRepository, org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService authorizationService, org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService authorizationConsentService, SecurityService securityService)
  Constructs an OAuth2AuthorizationCodeRequestAuthenticationProvider using the provided parameters.

Method Summary

Modifier and Type / Method / Description
- org.springframework.security.core.Authentication / authenticate(org.springframework.security.core.Authentication authentication)
- protected Set<String> / getAuthorizedScopes(org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken requestToken) / Filter the requested scopes to the scopes the user is able to access.
- protected Set<String> / getUserAuthorizedScopes(org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestToken, org.springframework.security.oauth2.server.authorization.client.RegisteredClient registeredClient) / Validate and filter the requested scopes to the scopes that the authenticated user is able to access.
- protected void / handleOfflineAccessScope(org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication, Set<String> userAuthorizedScopes) / If the scope "OFFLINE_ACCESS" is present on the request, add it to the authorized scopes.
- void / setAuthenticationValidator(Consumer<org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationContext> authenticationValidator) / Sets the Consumer providing access to the OAuth2AuthorizationCodeRequestAuthenticationContext and is responsible for validating specific OAuth 2.0 Authorization Request parameters associated in the OAuth2AuthorizationCodeRequestAuthenticationToken.
- void / setAuthorizationCodeGenerator(org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator<org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationCode> authorizationCodeGenerator) / Sets the OAuth2TokenGenerator that generates the OAuth2AuthorizationCode.
- boolean / supports(Class<?> authentication)
- protected void / validateScopesForClient(Set<String> userAuthorizedScopes, org.springframework.security.oauth2.server.authorization.client.RegisteredClient registeredClient, org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestToken) / Validate that the userAuthorizedScopes are permitted by the RegisteredClient.
Field Details

OFFLINE_ACCESS_SCOPE

Constructor Details

ScopeNarrowingOAuth2AuthorizationCodeRequestAuthenticationProvider
public ScopeNarrowingOAuth2AuthorizationCodeRequestAuthenticationProvider(org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository registeredClientRepository, org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService authorizationService, org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService authorizationConsentService, SecurityService securityService)
Constructs an OAuth2AuthorizationCodeRequestAuthenticationProvider using the provided parameters.
- Parameters:
  - registeredClientRepository - the repository of registered clients
  - authorizationService - the authorization service
  - authorizationConsentService - the authorization consent service
  - securityService -
Method Details

authenticate
public org.springframework.security.core.Authentication authenticate(org.springframework.security.core.Authentication authentication) throws org.springframework.security.core.AuthenticationException
- Specified by: authenticate in interface org.springframework.security.authentication.AuthenticationProvider
- Throws: org.springframework.security.core.AuthenticationException
getUserAuthorizedScopes
protected Set<String> getUserAuthorizedScopes(org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestToken, org.springframework.security.oauth2.server.authorization.client.RegisteredClient registeredClient)
Validate and filter the requested scopes to the scopes that the authenticated user is able to access. If the user is not authorized for any scopes, throw an OAuth2AuthorizationCodeRequestAuthenticationException.
- Parameters:
  - authorizationCodeRequestToken - The token representing the authorization web request and its parameters.
  - registeredClient - The RegisteredClient that is making requests on behalf of the authenticated end-user.
- Returns: The sub-set of requested scopes that the authenticated user is able to access.
getAuthorizedScopes
protected Set<String> getAuthorizedScopes(org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken requestToken)
Filter the requested scopes to the scopes the user is able to access. Use the SecurityService to filter the requested scopes to only the scopes that the user is able to access.
- Parameters:
  - requestToken - The OAuth2AuthorizationCodeRequestAuthenticationToken that represents the web request and parameters.
- Returns: The sub-set of requested scopes that the authenticated user is able to access.
validateScopesForClient
protected void validateScopesForClient(Set<String> userAuthorizedScopes, org.springframework.security.oauth2.server.authorization.client.RegisteredClient registeredClient, org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestToken)
Validate that the userAuthorizedScopes are permitted by the RegisteredClient.
- Parameters:
  - userAuthorizedScopes - The scopes that the user requested and that have been authorized based on their user data.
  - registeredClient - The RegisteredClient that is making requests on behalf of the authenticated end-user.
  - authorizationCodeRequestToken - The token representing the authorization web request and its parameters.
handleOfflineAccessScope
protected void handleOfflineAccessScope(org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication, Set<String> userAuthorizedScopes)
If the scope "OFFLINE_ACCESS" is present on the request, add it to the authorized scopes.
- Parameters:
  - authorizationCodeRequestAuthentication - The token representing the authorization web request and its parameters.
  - userAuthorizedScopes - Set of requested scopes that the authenticated user is able to access.
supports
public boolean supports(Class<?> authentication)
- Specified by: supports in interface org.springframework.security.authentication.AuthenticationProvider
setAuthorizationCodeGenerator
public void setAuthorizationCodeGenerator(org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator<org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationCode> authorizationCodeGenerator)
Sets the OAuth2TokenGenerator that generates the OAuth2AuthorizationCode.
- Parameters:
  - authorizationCodeGenerator - the OAuth2TokenGenerator that generates the OAuth2AuthorizationCode
- Since: 0.2.3
setAuthenticationValidator
public void setAuthenticationValidator(Consumer<org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationContext> authenticationValidator)
Sets the Consumer providing access to the OAuth2AuthorizationCodeRequestAuthenticationContext and is responsible for validating specific OAuth 2.0 Authorization Request parameters associated in the OAuth2AuthorizationCodeRequestAuthenticationToken. The default authentication validator is OAuth2AuthorizationCodeRequestAuthenticationValidator.
NOTE: The authentication validator MUST throw OAuth2AuthorizationCodeRequestAuthenticationException if validation fails.
- Parameters:
  - authenticationValidator - the Consumer providing access to the OAuth2AuthorizationCodeRequestAuthenticationContext and is responsible for validating specific OAuth 2.0 Authorization Request parameters
- Since: 0.4.0