Updated OAuth2 client authentication.
Change-Id: Ic13a38afd2d405fa2b450d80c4737261a4ab1edc
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuth2Controller.java b/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuth2Controller.java
index 7cd3311..08d2a0a 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuth2Controller.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuth2Controller.java
@@ -1,5 +1,6 @@
package de.ids_mannheim.korap.web.controller;
+import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Consumes;
import javax.ws.rs.FormParam;
import javax.ws.rs.HeaderParam;
@@ -9,8 +10,13 @@
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
+import javax.ws.rs.core.Response.ResponseBuilder;
import javax.ws.rs.core.SecurityContext;
+import org.apache.http.HttpHeaders;
+import org.apache.oltu.oauth2.common.exception.OAuthProblemException;
+import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
+import org.apache.oltu.oauth2.common.message.OAuthResponse;
import org.apache.oltu.oauth2.common.message.types.GrantType;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
@@ -28,11 +34,28 @@
@Autowired
private OAuth2Service oauth2Service;
+ /** Grants a client an access token, namely a string used in authenticated
+ * requests representing user authorization for the client to access user
+ * resources.
+ *
+ * EM: should we allow client_secret in the request body?
+ *
+ * @param securityContext
+ * @param authorization
+ * @param grantType
+ * @param authorizationCode
+ * @param redirectURI
+ * @param client_id a client id required for authorization_code grant, otherwise optional
+ * @param username
+ * @param password
+ * @param scope
+ * @return
+ */
@POST
@Path("token")
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@Produces(MediaType.APPLICATION_JSON + ";charset=utf-8")
- public Response requestAccessToken (
+ public Response requestAccessToken (@Context HttpServletRequest request,
@Context SecurityContext securityContext,
@HeaderParam("Authorization") String authorization,
// required for all grants
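Review bot: The new Javadoc leaves the `request` parameter that this hunk adds to the signature undocumented, and `@return` is empty even though the method now returns the token response built from the service's `OAuthResponse`; I would add `@param request the servlet request, passed through to the service for client authentication` and `@return the token endpoint response, as produced by the OAuth2 service`. The open question `EM: should we allow client_secret in the request body?` should be resolved rather than shipped in the Javadoc: RFC 6749 §2.3.1 permits the secret in the body but marks it NOT RECOMMENDED in favor of HTTP Basic, so if it is accepted it should be documented as a fallback and never logged. The parameter list continues past the end of this hunk.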
@@ -41,21 +64,29 @@
@FormParam("code") String authorizationCode,
@FormParam("redirect_uri") String redirectURI,
@FormParam("client_id") String client_id,
- // required for Resource Owner Password Credentials Grant
+ // required for Resource Owner Password Grant
@FormParam("username") String username,
@FormParam("password") String password,
// optional for Resource Owner Password and Client Credentials Grants
@FormParam("scope") String scope) {
try {
- oauth2Service.requestAccessToken(authorization, grantType,
- authorizationCode, redirectURI, client_id, username,
- password, scope);
+ OAuthResponse oauth2Response = oauth2Service.requestAccessToken(request,
+ authorization, grantType, authorizationCode, redirectURI,
+ client_id, username, password, scope);
- return Response.ok().build();
+ ResponseBuilder builder =
+ Response.status(oauth2Response.getResponseStatus());
+ builder.entity(oauth2Response.getBody());
+ builder.header(HttpHeaders.CACHE_CONTROL, "no-store");
+ builder.header(HttpHeaders.PRAGMA, "no-store");
+ return builder.build();
}
catch (KustvaktException e) {
throw responseHandler.throwit(e);
}
+ catch (OAuthProblemException e) {
+ throw responseHandler.throwit(e);
+ }
}
}
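Review bot: The `Pragma` header added to the token response is set to `no-store`, but RFC 6749 §5.1 requires `Pragma: no-cache` alongside `Cache-Control: no-store`; `no-store` is not a defined Pragma directive, so HTTP/1.0 caches will simply ignore it. The fix is one line: `builder.header(HttpHeaders.PRAGMA, "no-cache");`. This change also imports `OAuthSystemException` but the new catch only handles `OAuthProblemException`; if the service can throw the former, it should be routed through `responseHandler.throwit` as well rather than escaping as an unhandled exception. Since the error path is delegated to `responseHandler.throwit(e)`, it is not visible here whether error responses also carry `Cache-Control: no-store` — worth confirming, as error bodies from the token endpoint can still contain sensitive detail.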