Class ScopeNarrowingOAuth2AuthorizationCodeRequestAuthenticationProvider

java.lang.Object
com.broadleafcommerce.auth.authorization.security.spring.ScopeNarrowingOAuth2AuthorizationCodeRequestAuthenticationProvider
All Implemented Interfaces:
org.springframework.security.authentication.AuthenticationProvider

public class ScopeNarrowingOAuth2AuthorizationCodeRequestAuthenticationProvider extends Object implements org.springframework.security.authentication.AuthenticationProvider
An AuthenticationProvider implementation for the OAuth 2.0 Authorization Code Request. This is a customized version of the original Spring class (OAuth2AuthorizationCodeRequestAuthenticationProvider).

This implementation adds scope validation to the authentication process. Scope validation has three parts:

  • If there are no scopes on the request, the default scopes from the client are added to the request. This is handled in DefaultClientScopeAuthorizationCodeRequestConverter.
  • The requested scopes are compared against all the scopes the user is able to access; any scope the user cannot access is removed from the request.
  • After the previous steps, if there are no scopes left on the request, an INVALID_SCOPE exception is thrown.
  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
    static final String
  • Constructor Summary

    Constructors
    Constructor
    Description
    ScopeNarrowingOAuth2AuthorizationCodeRequestAuthenticationProvider(org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository registeredClientRepository, org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService authorizationService, org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService authorizationConsentService, SecurityService securityService)
    Constructs an OAuth2AuthorizationCodeRequestAuthenticationProvider using the provided parameters.
  • Method Summary

    Modifier and Type
    Method
    Description
    org.springframework.security.core.Authentication
    authenticate(org.springframework.security.core.Authentication authentication)
    protected Set<String>
    getAuthorizedScopes(org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken requestToken)
    Filter the requested scopes to the scopes the user is able to access.
    protected Set<String>
    getUserAuthorizedScopes(org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestToken, org.springframework.security.oauth2.server.authorization.client.RegisteredClient registeredClient)
    Validate and filter the requested scopes to the scopes that the authenticated user is able to access.
    protected void
    handleOfflineAccessScope(org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication, Set<String> userAuthorizedScopes)
    If the scope "OFFLINE_ACCESS" is present on the request, add it to the authorized scopes.
    void
    setAuthenticationValidator(Consumer<org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationContext> authenticationValidator)
    Sets the Consumer that is given access to the OAuth2AuthorizationCodeRequestAuthenticationContext and is responsible for validating specific OAuth 2.0 Authorization Request parameters associated with the OAuth2AuthorizationCodeRequestAuthenticationToken.
    void
    setAuthorizationCodeGenerator(org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator<org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationCode> authorizationCodeGenerator)
    Sets the OAuth2TokenGenerator that generates the OAuth2AuthorizationCode.
    boolean
    supports(Class<?> authentication)
    protected void
    validateScopesForClient(Set<String> userAuthorizedScopes, org.springframework.security.oauth2.server.authorization.client.RegisteredClient registeredClient, org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestToken)
    Validate that the userAuthorizedScopes are permitted by the RegisteredClient.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Field Details

  • Constructor Details

    • ScopeNarrowingOAuth2AuthorizationCodeRequestAuthenticationProvider

      public ScopeNarrowingOAuth2AuthorizationCodeRequestAuthenticationProvider(org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository registeredClientRepository, org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService authorizationService, org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService authorizationConsentService, SecurityService securityService)
      Constructs an OAuth2AuthorizationCodeRequestAuthenticationProvider using the provided parameters.
      Parameters:
      registeredClientRepository - the repository of registered clients
      authorizationService - the authorization service
      authorizationConsentService - the authorization consent service
      securityService - the SecurityService used to filter the requested scopes down to those the authenticated user is able to access
  • Method Details

    • authenticate

      public org.springframework.security.core.Authentication authenticate(org.springframework.security.core.Authentication authentication) throws org.springframework.security.core.AuthenticationException
      Specified by:
      authenticate in interface org.springframework.security.authentication.AuthenticationProvider
      Throws:
      org.springframework.security.core.AuthenticationException
    • getUserAuthorizedScopes

      protected Set<String> getUserAuthorizedScopes(org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestToken, org.springframework.security.oauth2.server.authorization.client.RegisteredClient registeredClient)
      Validate and filter the requested scopes to the scopes that the authenticated user is able to access. If the user is not authorized for any scopes, throw an OAuth2AuthorizationCodeRequestAuthenticationException.
      Parameters:
      authorizationCodeRequestToken - The token representing the authorization web request and its parameters.
      registeredClient - The RegisteredClient that is making requests on behalf of the authenticated end-user.
      Returns:
      The sub-set of requested scopes that the authenticated user is able to access.
    • getAuthorizedScopes

      protected Set<String> getAuthorizedScopes(org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken requestToken)
      Filter the requested scopes to the scopes the user is able to access. Use the SecurityService to filter the requested scopes to only the scopes that the user is able to access.
      Parameters:
      requestToken - The OAuth2AuthorizationCodeRequestAuthenticationToken that represents the web request and parameters.
      Returns:
      The sub-set of requested scopes that the authenticated user is able to access.
    • validateScopesForClient

      protected void validateScopesForClient(Set<String> userAuthorizedScopes, org.springframework.security.oauth2.server.authorization.client.RegisteredClient registeredClient, org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestToken)
      Validate that the userAuthorizedScopes are permitted by the RegisteredClient.
      Parameters:
      userAuthorizedScopes - The requested scopes that have already been authorized against the user's data.
      registeredClient - The RegisteredClient that is making requests on behalf of the authenticated end-user.
      authorizationCodeRequestToken - The token representing the authorization web request and its parameters.
    • handleOfflineAccessScope

      protected void handleOfflineAccessScope(org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication, Set<String> userAuthorizedScopes)
      If the scope "OFFLINE_ACCESS" is present on the request, add it to the authorized scopes.
      Parameters:
      authorizationCodeRequestAuthentication - The token representing the authorization web request and its parameters.
      userAuthorizedScopes - The set of requested scopes that the authenticated user is able to access.
    • supports

      public boolean supports(Class<?> authentication)
      Specified by:
      supports in interface org.springframework.security.authentication.AuthenticationProvider
    • setAuthorizationCodeGenerator

      public void setAuthorizationCodeGenerator(org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator<org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationCode> authorizationCodeGenerator)
      Sets the OAuth2TokenGenerator that generates the OAuth2AuthorizationCode.
      Parameters:
      authorizationCodeGenerator - the OAuth2TokenGenerator that generates the OAuth2AuthorizationCode
      Since:
      0.2.3
    • setAuthenticationValidator

      public void setAuthenticationValidator(Consumer<org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationContext> authenticationValidator)
      Sets the Consumer that is given access to the OAuth2AuthorizationCodeRequestAuthenticationContext and is responsible for validating specific OAuth 2.0 Authorization Request parameters associated with the OAuth2AuthorizationCodeRequestAuthenticationToken. The default authentication validator is OAuth2AuthorizationCodeRequestAuthenticationValidator.

      NOTE: The authentication validator MUST throw OAuth2AuthorizationCodeRequestAuthenticationException if validation fails.

      Parameters:
      authenticationValidator - the Consumer that is given access to the OAuth2AuthorizationCodeRequestAuthenticationContext and is responsible for validating specific OAuth 2.0 Authorization Request parameters
      Since:
      0.4.0
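As an added illustration (not code from Broadleaf or Spring) of the narrowing pipeline described in the class overview and in the getUserAuthorizedScopes, handleOfflineAccessScope and validateScopesForClient details above, here is a dependency-free Java 17 sketch of the same steps. The Client record, UserScopeResolver interface and InvalidScopeException are hypothetical stand-ins for RegisteredClient, SecurityService and OAuth2AuthorizationCodeRequestAuthenticationException, and the order in which the offline-access and client checks run after the INVALID_SCOPE check is an assumption.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/** Stand-in for OAuth2AuthorizationCodeRequestAuthenticationException carrying error code invalid_scope. */
class InvalidScopeException extends RuntimeException {
    InvalidScopeException(String msg) { super(msg); }
}

/** Hypothetical stand-in for Broadleaf's SecurityService: the scopes a user is able to access. */
interface UserScopeResolver { Set<String> scopesFor(String username); }

/** The two RegisteredClient properties the provider consults: default scopes and permitted scopes. */
record Client(String id, Set<String> defaultScopes, Set<String> allowedScopes) {}

public class ScopeNarrowingExample {
    static final String OFFLINE_ACCESS = "OFFLINE_ACCESS";

    /** Applies the three narrowing steps plus the offline-access and client checks (ordering assumed). */
    static Set<String> narrow(Client client, String user, Set<String> requested, UserScopeResolver resolver) {
        // 1. No scopes on the request: use the client's default scopes instead.
        Set<String> scopes = new LinkedHashSet<>(requested.isEmpty() ? client.defaultScopes() : requested);
        // 2. getAuthorizedScopes: keep only the requested scopes the user can access; the rest are dropped, not rejected.
        Set<String> authorized = new LinkedHashSet<>(scopes);
        authorized.retainAll(resolver.scopesFor(user));
        // 3. getUserAuthorizedScopes: nothing survived, so the request fails with invalid_scope.
        if (authorized.isEmpty()) throw new InvalidScopeException("invalid_scope: no requested scope is authorized for " + user);
        // handleOfflineAccessScope: OFFLINE_ACCESS is carried into the authorized set whenever it was requested.
        if (scopes.contains(OFFLINE_ACCESS)) authorized.add(OFFLINE_ACCESS);
        // validateScopesForClient: every surviving scope must be one the RegisteredClient is permitted to obtain.
        for (String scope : authorized) {
            if (!client.allowedScopes().contains(scope)) throw new InvalidScopeException("invalid_scope: client " + client.id() + " may not request " + scope);
        }
        return authorized;
    }

    public static void main(String[] args) {
        // Constructed sample data: a client that defaults to "profile", and a user holding two scopes.
        Client client = new Client("storefront", Set.of("profile"), Set.of("profile", "orders:read", OFFLINE_ACCESS));
        UserScopeResolver resolver = u -> u.equals("alice") ? Set.of("profile", "orders:read") : Set.<String>of();
        // alice asked for a scope she does not hold ("admin"): it is dropped and the rest is granted.
        System.out.println(narrow(client, "alice", new LinkedHashSet<>(List.of("orders:read", "admin", OFFLINE_ACCESS)), resolver));
        // Empty request: the client default "profile" is applied before filtering.
        System.out.println(narrow(client, "alice", Set.of(), resolver));
        // bob holds no scopes at all, so even the client default is removed and step 3 rejects the request.
        try { narrow(client, "bob", Set.of(), resolver); } catch (InvalidScopeException e) { System.out.println(e.getMessage()); }
    }
}
```

The point worth noting for reviewers is the asymmetry: a scope the user merely lacks is silently narrowed away, while a request that ends up with no authorized scope, or a scope the client was never registered for, is rejected outright.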