Class ScopeNarrowingOAuth2AuthorizationCodeRequestAuthenticationProvider
java.lang.Object
com.broadleafcommerce.auth.authorization.security.spring.ScopeNarrowingOAuth2AuthorizationCodeRequestAuthenticationProvider
- All Implemented Interfaces:
org.springframework.security.authentication.AuthenticationProvider
public class ScopeNarrowingOAuth2AuthorizationCodeRequestAuthenticationProvider
extends Object
implements org.springframework.security.authentication.AuthenticationProvider
An AuthenticationProvider implementation for the OAuth 2.0 Authorization Code Request.
This is a customized version of the original Spring class (OAuth2AuthorizationCodeRequestAuthenticationProvider).
This implementation adds scope validation to the authentication process. There are 3 parts of scope validation:
- If there are no scopes on the request, the default scopes from the client are added to the request. Handled in DefaultClientScopeAuthorizationCodeRequestConverter.
- The requested scopes are compared to all the scopes that a User is able to access. Any invalid scopes are removed from the request.
- After the previous steps, if there are no scopes on the request, then throw an INVALID_SCOPE exception.
Field Summary
Fields
- OFFLINE_ACCESS_SCOPE
Constructor Summary
Constructors
- ScopeNarrowingOAuth2AuthorizationCodeRequestAuthenticationProvider(org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository registeredClientRepository, org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService authorizationService, org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService authorizationConsentService, SecurityService securityService)
  Constructs an OAuth2AuthorizationCodeRequestAuthenticationProvider using the provided parameters.
Method Summary
Modifier and Type / Method / Description
- org.springframework.security.core.Authentication authenticate(org.springframework.security.core.Authentication authentication)
- protected Set<String> getAuthorizedScopes(org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken requestToken)
  Filter the requested scopes to the scopes the user is able to access.
- protected Set<String> getUserAuthorizedScopes(org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestToken, org.springframework.security.oauth2.server.authorization.client.RegisteredClient registeredClient)
  Validate and filter the requested scopes to the scopes that the authenticated user is able to access.
- protected void handleOfflineAccessScope(org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication, Set<String> userAuthorizedScopes)
  If the scope "OFFLINE_ACCESS" is present on the request, add it to the authorized scopes.
- void setAuthenticationValidator(Consumer<org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationContext> authenticationValidator)
  Sets the Consumer providing access to the OAuth2AuthorizationCodeRequestAuthenticationContext and is responsible for validating specific OAuth 2.0 Authorization Request parameters associated in the OAuth2AuthorizationCodeRequestAuthenticationToken.
- void setAuthorizationCodeGenerator(org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator<org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationCode> authorizationCodeGenerator)
  Sets the OAuth2TokenGenerator that generates the OAuth2AuthorizationCode.
- boolean supports(Class<?> authentication)
- protected void validateScopesForClient(Set<String> userAuthorizedScopes, org.springframework.security.oauth2.server.authorization.client.RegisteredClient registeredClient, org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestToken)
  Validate that the userAuthorizedScopes are permitted by the RegisteredClient.
Field Details
- OFFLINE_ACCESS_SCOPE
Constructor Details
- ScopeNarrowingOAuth2AuthorizationCodeRequestAuthenticationProvider
  public ScopeNarrowingOAuth2AuthorizationCodeRequestAuthenticationProvider(org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository registeredClientRepository, org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService authorizationService, org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService authorizationConsentService, SecurityService securityService)
  Constructs an OAuth2AuthorizationCodeRequestAuthenticationProvider using the provided parameters.
  Parameters:
  - registeredClientRepository - the repository of registered clients
  - authorizationService - the authorization service
  - authorizationConsentService - the authorization consent service
  - securityService - the SecurityService used to filter the requested scopes to those the user is able to access
Method Details
- authenticate
  public org.springframework.security.core.Authentication authenticate(org.springframework.security.core.Authentication authentication) throws org.springframework.security.core.AuthenticationException
  Specified by: authenticate in interface org.springframework.security.authentication.AuthenticationProvider
  Throws: org.springframework.security.core.AuthenticationException
- getUserAuthorizedScopes
  protected Set<String> getUserAuthorizedScopes(org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestToken, org.springframework.security.oauth2.server.authorization.client.RegisteredClient registeredClient)
  Validate and filter the requested scopes to the scopes that the authenticated user is able to access. If the user is not authorized for any scopes, throw an OAuth2AuthorizationCodeRequestAuthenticationException.
  Parameters:
  - authorizationCodeRequestToken - The token representing the authorization web request and its parameters.
  - registeredClient - The RegisteredClient that is making requests on behalf of the authenticated end-user.
  Returns: The sub-set of requested scopes that the authenticated user is able to access.
- getAuthorizedScopes
  protected Set<String> getAuthorizedScopes(org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken requestToken)
  Filter the requested scopes to the scopes the user is able to access. Use the SecurityService to filter the requested scopes to only the scopes that the user is able to access.
  Parameters:
  - requestToken - The OAuth2AuthorizationCodeRequestAuthenticationToken that represents the web request and parameters.
  Returns: The sub-set of requested scopes that the authenticated user is able to access.
- validateScopesForClient
  protected void validateScopesForClient(Set<String> userAuthorizedScopes, org.springframework.security.oauth2.server.authorization.client.RegisteredClient registeredClient, org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestToken)
  Validate that the userAuthorizedScopes are permitted by the RegisteredClient.
  Parameters:
  - userAuthorizedScopes - The scopes that the user requested and that have been authorized based on their user data.
  - registeredClient - The RegisteredClient that is making requests on behalf of the authenticated end-user.
  - authorizationCodeRequestToken - The token representing the authorization web request and its parameters.
- handleOfflineAccessScope
  protected void handleOfflineAccessScope(org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication, Set<String> userAuthorizedScopes)
  If the scope "OFFLINE_ACCESS" is present on the request, add it to the authorized scopes.
  Parameters:
  - authorizationCodeRequestAuthentication - The token representing the authorization web request and its parameters.
  - userAuthorizedScopes - Set of requested scopes that the authenticated user is able to access.
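The narrowing sequence from the class description and the protected methods above, as an added plain-Java illustration that is not Broadleaf's code. Set<String> and a Predicate stand in for the OAuth2AuthorizationCodeRequestAuthenticationToken, RegisteredClient and SecurityService types, OFFLINE_ACCESS_SCOPE is assumed to hold "OFFLINE_ACCESS", and a RuntimeException stands in for OAuth2AuthorizationCodeRequestAuthenticationException.

```java
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.function.Predicate;

// Added illustration, not Broadleaf's code: the scope-narrowing steps in the order the class
// description lists them, with plain sets standing in for the Spring and Broadleaf types.
public final class ScopeNarrowingExample {
    // Assumed value of OFFLINE_ACCESS_SCOPE; the page names the scope but not the constant's value.
    static final String OFFLINE_ACCESS_SCOPE = "OFFLINE_ACCESS";

    // Stand-in for OAuth2AuthorizationCodeRequestAuthenticationException with error INVALID_SCOPE.
    static final class InvalidScopeException extends RuntimeException {
        InvalidScopeException(String message) { super(message); }
    }

    // requested: scopes on the authorization request; clientDefaults / clientAllowed: taken from the
    // RegisteredClient; userCanAccess: stand-in for SecurityService (may this user access the scope?).
    static Set<String> narrow(Set<String> requested, Set<String> clientDefaults,
                              Set<String> clientAllowed, Predicate<String> userCanAccess) {
        // Step 1 (DefaultClientScopeAuthorizationCodeRequestConverter): nothing requested,
        // so the client's default scopes become the request.
        Set<String> effective = new LinkedHashSet<>(requested.isEmpty() ? clientDefaults : requested);

        // Step 2 (getAuthorizedScopes): silently drop every scope the user cannot access.
        Set<String> userAuthorized = new LinkedHashSet<>();
        for (String scope : effective) {
            if (userCanAccess.test(scope)) {
                userAuthorized.add(scope);
            }
        }

        // Step 3: narrowing removed everything, so fail with INVALID_SCOPE instead of issuing a scopeless code.
        if (userAuthorized.isEmpty()) {
            throw new InvalidScopeException("invalid_scope: user is not authorized for any requested scope");
        }

        // validateScopesForClient: a scope the user holds but the client is not registered for
        // is still rejected, so the user's own access never widens the client's grant.
        for (String scope : userAuthorized) {
            if (!clientAllowed.contains(scope)) {
                throw new InvalidScopeException("invalid_scope: client may not request " + scope);
            }
        }

        // handleOfflineAccessScope: OFFLINE_ACCESS is carried through when it was on the request.
        if (effective.contains(OFFLINE_ACCESS_SCOPE)) {
            userAuthorized.add(OFFLINE_ACCESS_SCOPE);
        }
        return userAuthorized;
    }
}
```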
- supports
  public boolean supports(Class<?> authentication)
  Specified by: supports in interface org.springframework.security.authentication.AuthenticationProvider
- setAuthorizationCodeGenerator
  public void setAuthorizationCodeGenerator(org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator<org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationCode> authorizationCodeGenerator)
  Sets the OAuth2TokenGenerator that generates the OAuth2AuthorizationCode.
  Parameters:
  - authorizationCodeGenerator - the OAuth2TokenGenerator that generates the OAuth2AuthorizationCode
  Since: 0.2.3
- setAuthenticationValidator
  public void setAuthenticationValidator(Consumer<org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationContext> authenticationValidator)
  Sets the Consumer providing access to the OAuth2AuthorizationCodeRequestAuthenticationContext and is responsible for validating specific OAuth 2.0 Authorization Request parameters associated in the OAuth2AuthorizationCodeRequestAuthenticationToken. The default authentication validator is OAuth2AuthorizationCodeRequestAuthenticationValidator.
  NOTE: The authentication validator MUST throw OAuth2AuthorizationCodeRequestAuthenticationException if validation fails.
  Parameters:
  - authenticationValidator - the Consumer providing access to the OAuth2AuthorizationCodeRequestAuthenticationContext and is responsible for validating specific OAuth 2.0 Authorization Request parameters
  Since: 0.4.0