Class ScopeNarrowingOAuth2ClientCredentialsAuthenticationProvider

java.lang.Object
com.broadleafcommerce.auth.authorization.security.spring.ScopeNarrowingOAuth2ClientCredentialsAuthenticationProvider
All Implemented Interfaces:
org.springframework.security.authentication.AuthenticationProvider

public class ScopeNarrowingOAuth2ClientCredentialsAuthenticationProvider extends Object implements org.springframework.security.authentication.AuthenticationProvider
An AuthenticationProvider implementation for the OAuth 2.0 Client Credentials Grant. This is a customized version of the Spring Authorization Server class OAuth2ClientCredentialsAuthenticationProvider.

This implementation adds scope validation to the authentication process. Scope validation has three parts:

  • If the request carries no scopes, the client's default scopes are added to the request. Handled in DefaultClientScopeClientCredentialsRequestConverter.
  • The requested scopes are compared against all the scopes the client is able to access. Any scope the client cannot access is removed from the request; the request is narrowed rather than rejected outright.
  • If, after the previous steps, no scopes remain on the request, an INVALID_SCOPE exception is thrown.
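The three steps above, plus the OFFLINE_ACCESS pass-through performed by handleOfflineAccessScope, as an added illustration in plain Java. This is not Broadleaf's code: the Client record stands in for RegisteredClient together with the scopes that SecurityService would evaluate, narrow stands in for getClientAccessibleScopes, and InvalidScopeException stands in for the invalid_scope OAuth2 error. The assumption that OFFLINE_ACCESS is appended only after the empty-scope check has passed is mine.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/** Illustrative model of the scope-narrowing steps; not the Broadleaf provider itself. */
public class ScopeNarrowingExample {

    /** Scope that requests a refresh token; passed through rather than filtered. */
    static final String OFFLINE_ACCESS = "OFFLINE_ACCESS";

    /** Stand-in for the invalid_scope OAuth2AuthenticationException the provider raises. */
    static class InvalidScopeException extends RuntimeException {
        InvalidScopeException(String detail) {
            super("invalid_scope: " + detail);
        }
    }

    /** Stand-in for RegisteredClient plus the scopes SecurityService says the client may use. */
    record Client(Set<String> defaultScopes, Set<String> accessibleScopes) {}

    /**
     * Narrows the requested scopes to those the client may access.
     * Returns the authorized set or throws InvalidScopeException when nothing remains.
     */
    static Set<String> narrow(Set<String> requestedScopes, Client client) {
        // Step 1: an empty request is replaced by the client's default scopes
        // (Broadleaf does this in DefaultClientScopeClientCredentialsRequestConverter).
        Set<String> requested = requestedScopes.isEmpty()
                ? new LinkedHashSet<>(client.defaultScopes())
                : new LinkedHashSet<>(requestedScopes);

        // Step 2: keep only scopes the client is able to access; the rest are dropped silently.
        Set<String> authorized = new LinkedHashSet<>(requested);
        authorized.retainAll(client.accessibleScopes());

        // Step 3: nothing left after narrowing -> invalid_scope.
        if (authorized.isEmpty()) {
            throw new InvalidScopeException(
                    "none of " + requested + " are accessible to this client");
        }

        // OFFLINE_ACCESS pass-through: if it was requested, add it to the authorized set.
        // Assumption: applied after step 3, so a request for OFFLINE_ACCESS alone still fails.
        if (requested.contains(OFFLINE_ACCESS)) {
            authorized.add(OFFLINE_ACCESS);
        }
        return authorized;
    }

    public static void main(String[] args) {
        // Constructed sample client: defaults to PRODUCT, may access PRODUCT and CATALOG.
        Client client = new Client(
                new LinkedHashSet<>(List.of("PRODUCT")),
                new LinkedHashSet<>(List.of("PRODUCT", "CATALOG")));

        // No scopes requested -> client defaults are used.
        System.out.println(narrow(Set.of(), client));

        // One accessible and one inaccessible scope -> the inaccessible one is dropped.
        System.out.println(narrow(new LinkedHashSet<>(List.of("CATALOG", "ADMIN")), client));

        // OFFLINE_ACCESS is carried through alongside an accessible scope.
        System.out.println(narrow(new LinkedHashSet<>(List.of("PRODUCT", OFFLINE_ACCESS)), client));

        // Only inaccessible scopes -> invalid_scope.
        try {
            narrow(Set.of("ADMIN"), client);
        } catch (InvalidScopeException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

Because the provider narrows rather than rejects, a client that asks for more than it is allowed still receives a token, just with fewer scopes than it requested. Callers should therefore read the scope value in the token response instead of assuming the scopes they sent were granted, and anyone auditing a client's effective permissions should look at the scopes the client is able to access (the set SecurityService evaluates), not at what the client asks for.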
  • Constructor Summary

    Constructors
    Constructor
    Description
    ScopeNarrowingOAuth2ClientCredentialsAuthenticationProvider(org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService authorizationService, org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator<? extends org.springframework.security.oauth2.core.OAuth2Token> tokenGenerator, SecurityService securityService)
    Constructs an OAuth2ClientCredentialsAuthenticationProvider using the provided parameters.
  • Method Summary

    Modifier and Type
    Method
    Description
    org.springframework.security.core.Authentication
    authenticate(org.springframework.security.core.Authentication authentication)
     
    protected Set<String>
    getClientAccessibleScopes(org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationToken requestToken, org.springframework.security.oauth2.server.authorization.client.RegisteredClient registeredClient)
    Validate and filter the requested scopes to the scopes that the authenticated client is able to access.
    protected void
    handleOfflineAccessScope(org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationToken clientCredentialsRequestToken, Set<String> clientAuthorizedScopes)
    If the scope "OFFLINE_ACCESS" is present on the request, add it to the authorized scopes.
    boolean
    supports(Class<?> authentication)
     

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Constructor Details

    • ScopeNarrowingOAuth2ClientCredentialsAuthenticationProvider

      public ScopeNarrowingOAuth2ClientCredentialsAuthenticationProvider(org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService authorizationService, org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator<? extends org.springframework.security.oauth2.core.OAuth2Token> tokenGenerator, SecurityService securityService)
      Constructs an OAuth2ClientCredentialsAuthenticationProvider using the provided parameters.
      Parameters:
      authorizationService - the authorization service
      tokenGenerator - the token generator
      securityService - SecurityService to evaluate the scopes accessible to the client
  • Method Details

    • authenticate

      public org.springframework.security.core.Authentication authenticate(org.springframework.security.core.Authentication authentication) throws org.springframework.security.core.AuthenticationException
      Specified by:
      authenticate in interface org.springframework.security.authentication.AuthenticationProvider
      Throws:
      org.springframework.security.core.AuthenticationException
    • getClientAccessibleScopes

      protected Set<String> getClientAccessibleScopes(org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationToken requestToken, org.springframework.security.oauth2.server.authorization.client.RegisteredClient registeredClient)
      Validates and filters the requested scopes down to the scopes that the authenticated client is able to access. If the client is not authorized for any of the requested scopes, throws an OAuth2AuthorizationCodeRequestAuthenticationException.
      Parameters:
      requestToken - The token representing the client credentials web request and its parameters.
      registeredClient - The RegisteredClient that is requesting authorization.
      Returns:
      The sub-set of requested scopes that the authenticated client is able to access.
    • handleOfflineAccessScope

      protected void handleOfflineAccessScope(org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationToken clientCredentialsRequestToken, Set<String> clientAuthorizedScopes)
      If the scope "OFFLINE_ACCESS" is present on the request, add it to the authorized scopes.
      Parameters:
      clientCredentialsRequestToken - The token representing the client credentials web request and its parameters.
      clientAuthorizedScopes - Set of requested scopes that the authenticated client is able to access
    • supports

      public boolean supports(Class<?> authentication)
      Specified by:
      supports in interface org.springframework.security.authentication.AuthenticationProvider