Class ScopeNarrowingOAuth2ClientCredentialsAuthenticationProvider

java.lang.Object
  com.broadleafcommerce.auth.authorization.security.spring.ScopeNarrowingOAuth2ClientCredentialsAuthenticationProvider

All Implemented Interfaces:
  org.springframework.security.authentication.AuthenticationProvider

public class ScopeNarrowingOAuth2ClientCredentialsAuthenticationProvider
extends Object
implements org.springframework.security.authentication.AuthenticationProvider
An AuthenticationProvider implementation for the OAuth 2.0 Client Credentials Grant. This is a customized version of the original Spring class (OAuth2ClientCredentialsAuthenticationProvider).

This implementation adds scope validation to the authentication process. There are 3 parts of scope validation:

- If there are no scopes on the request, the default scopes from the client are added to the request. Handled in DefaultClientScopeClientCredentialsRequestConverter.
- The requested scopes are compared to all the scopes that the client is able to access. Any invalid scopes are removed from the request.
- After the previous steps, if there are no scopes on the request, then throw an INVALID_SCOPE exception.

Note that the second step narrows the grant rather than rejecting it: a request naming one accessible scope and one inaccessible scope succeeds and is issued a token carrying only the accessible scope. (The stock Spring provider instead fails the whole request with invalid_scope when any requested scope is not registered for the client.) Callers should therefore read the scope parameter of the token response, which RFC 6749 section 5.1 requires the server to include whenever the granted scope differs from the requested one, rather than assume every requested scope was granted.
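The three steps above, carried through on a constructed client record as an added, stand-alone example (this is not Broadleaf's or Spring's code). The Client record, the narrow() and applyDefaultScopes() methods and InvalidScopeException are hypothetical stand-ins for RegisteredClient, the provider's scope handling and the exception it raises; the scope names are made up. It needs Java 16 or later for the record and runs with `java ScopeNarrowingExample.java`.

```java
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;

/**
 * Stand-alone model of the three scope-validation steps described on this page.
 * Added example, not project code: Client, narrow(), applyDefaultScopes() and
 * InvalidScopeException are hypothetical stand-ins for RegisteredClient, the
 * provider's scope handling and the exception it throws.
 */
public class ScopeNarrowingExample {

    /** Scope literal the page documents as passed through by handleOfflineAccessScope. */
    static final String OFFLINE_ACCESS = "OFFLINE_ACCESS";

    /** Error code behind INVALID_SCOPE (RFC 6749 section 5.2 spells it "invalid_scope"). */
    static final String INVALID_SCOPE = "invalid_scope";

    /** Stand-in for the client record: its default scopes and every scope it may obtain. */
    record Client(Set<String> defaultScopes, Set<String> accessibleScopes) {}

    /** Stand-in for the exception the provider throws when no scope survives filtering. */
    static final class InvalidScopeException extends RuntimeException {
        InvalidScopeException(String detail) {
            super(INVALID_SCOPE + ": " + detail);
        }
    }

    /** Step 1: an empty scope parameter is replaced by the client's default scopes. */
    static Set<String> applyDefaultScopes(Set<String> requested, Client client) {
        return new LinkedHashSet<>(requested.isEmpty() ? client.defaultScopes() : requested);
    }

    /**
     * Steps 2 and 3: keep only the requested scopes the client may access, pass
     * OFFLINE_ACCESS through when it was requested, and reject with invalid_scope
     * when nothing remains. Inaccessible scopes are dropped, not reported.
     */
    static Set<String> narrow(Set<String> requested, Client client) {
        Set<String> effective = applyDefaultScopes(requested, client);
        Set<String> authorized = new LinkedHashSet<>();
        for (String scope : effective) {
            if (client.accessibleScopes().contains(scope)) {
                authorized.add(scope);
            }
        }
        // handleOfflineAccessScope: the page says OFFLINE_ACCESS is added whenever the
        // request carries it; whether the client must also be registered for it is not
        // stated there, so this model does not require it (assumption).
        if (effective.contains(OFFLINE_ACCESS)) {
            authorized.add(OFFLINE_ACCESS);
        }
        if (authorized.isEmpty()) {
            throw new InvalidScopeException("none of " + effective + " is accessible to this client");
        }
        return Collections.unmodifiableSet(authorized);
    }

    public static void main(String[] args) {
        // Constructed sample client: default scope CATALOG_READ, may also obtain PRICING_READ.
        Client client = new Client(Set.of("CATALOG_READ"), Set.of("CATALOG_READ", "PRICING_READ"));

        // Step 1: empty request falls back to the client's defaults.
        System.out.println("defaults applied: " + narrow(Set.of(), client));
        // Step 2: the scope the client may not access is dropped; the request still succeeds.
        System.out.println("narrowed: " + narrow(Set.of("PRICING_READ", "ADMIN_WRITE"), client));
        // OFFLINE_ACCESS is carried alongside the narrowed scopes when requested.
        System.out.println("with offline access: " + narrow(Set.of("CATALOG_READ", OFFLINE_ACCESS), client));
        // Step 3: nothing survives filtering, so the request is rejected with invalid_scope.
        try {
            narrow(Set.of("ADMIN_WRITE"), client);
        } catch (InvalidScopeException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The second call is the case a practitioner should check in their own deployment: the client asked for ADMIN_WRITE and received a token without it but with no error, so token consumers must authorize on the scopes actually present in the token, and clients must compare the response's scope parameter against what they requested.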
Constructor Summary

Constructor | Description
ScopeNarrowingOAuth2ClientCredentialsAuthenticationProvider(org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService authorizationService, org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator<? extends org.springframework.security.oauth2.core.OAuth2Token> tokenGenerator, SecurityService securityService) | Constructs a ScopeNarrowingOAuth2ClientCredentialsAuthenticationProvider using the provided parameters.

Method Summary

Modifier and Type | Method | Description
org.springframework.security.core.Authentication | authenticate(org.springframework.security.core.Authentication authentication) |
protected Set<String> | getClientAccessibleScopes(org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationToken requestToken, org.springframework.security.oauth2.server.authorization.client.RegisteredClient registeredClient) | Validate and filter the requested scopes to the scopes that the authenticated client is able to access.
protected void | handleOfflineAccessScope(org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationToken clientCredentialsRequestToken, Set<String> clientAuthorizedScopes) | If the scope "OFFLINE_ACCESS" is present on the request, add it to the authorized scopes.
boolean | supports(Class<?> authentication) |
Constructor Details

ScopeNarrowingOAuth2ClientCredentialsAuthenticationProvider

public ScopeNarrowingOAuth2ClientCredentialsAuthenticationProvider(org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService authorizationService, org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator<? extends org.springframework.security.oauth2.core.OAuth2Token> tokenGenerator, SecurityService securityService)

Constructs a ScopeNarrowingOAuth2ClientCredentialsAuthenticationProvider using the provided parameters.

Parameters:
  authorizationService - the authorization service
  tokenGenerator - the token generator
  securityService - SecurityService to evaluate the scopes accessible to the client
Method Details

authenticate

public org.springframework.security.core.Authentication authenticate(org.springframework.security.core.Authentication authentication) throws org.springframework.security.core.AuthenticationException

Specified by:
  authenticate in interface org.springframework.security.authentication.AuthenticationProvider
Throws:
  org.springframework.security.core.AuthenticationException
getClientAccessibleScopes

protected Set<String> getClientAccessibleScopes(org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationToken requestToken, org.springframework.security.oauth2.server.authorization.client.RegisteredClient registeredClient)

Validate and filter the requested scopes to the scopes that the authenticated client is able to access. If the client is not authorized for any scopes, throw an OAuth2AuthorizationCodeRequestAuthenticationException.

Parameters:
  requestToken - The token representing the client credentials web request and its parameters.
  registeredClient - The RegisteredClient that is requesting authorization.
Returns:
  The sub-set of requested scopes that the authenticated client is able to access.
handleOfflineAccessScope

protected void handleOfflineAccessScope(org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationToken clientCredentialsRequestToken, Set<String> clientAuthorizedScopes)

If the scope "OFFLINE_ACCESS" is present on the request, add it to the authorized scopes.

Parameters:
  clientCredentialsRequestToken - The token representing the client credentials web request and its parameters.
  clientAuthorizedScopes - Set of requested scopes that the authenticated client is able to access.
supports

public boolean supports(Class<?> authentication)

Specified by:
  supports in interface org.springframework.security.authentication.AuthenticationProvider