Added the authorization request via GET and deprecated the POST variant.
Change-Id: I1a26048c0691bb87ccb05edb06fc99be0e5205c5
diff --git a/full/Changes b/full/Changes
index 5117c88..4902952 100644
--- a/full/Changes
+++ b/full/Changes
@@ -8,6 +8,8 @@
- Added registration_date, refresh_token_expiry, source and is_permitted
to the oauth2_client database table, and updated the OAuth2 client
registration mechanism.
+ - Added authorization request with GET and deprecated that with POST.
+
# version 0.65.2
diff --git a/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuth2Controller.java b/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuth2Controller.java
index 0b1d438..e29ad15 100644
--- a/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuth2Controller.java
+++ b/full/src/main/java/de/ids_mannheim/korap/web/controller/OAuth2Controller.java
@@ -6,9 +6,11 @@
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Consumes;
import javax.ws.rs.FormParam;
+import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
+import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
@@ -92,6 +94,7 @@
* form parameters
* @return a redirect URL
*/
+ @Deprecated
@POST
@Path("authorize")
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
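Review bot: The `@Deprecated` annotation added at L34 has no matching `@deprecated` Javadoc tag, so the method documentation ending at L31–L33 still says nothing about the replacement or the reason. Add to that Javadoc `@deprecated Use the GET variant of {@code authorize}; RFC 6749 §3.1 requires the authorization endpoint to support GET, POST is optional.` so callers are steered to the supported path. The annotated method's body continues past the end of this hunk.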
@@ -125,6 +128,38 @@
throw responseHandler.throwit(e, state);
}
}
+
+ @GET
+ @Path("authorize")
+ public Response requestAuthorizationCode (
+ @Context HttpServletRequest request,
+ @Context SecurityContext context,
+ @QueryParam("state") String state
+ ) {
+
+ TokenContext tokenContext = (TokenContext) context.getUserPrincipal();
+ String username = tokenContext.getUsername();
+ ZonedDateTime authTime = tokenContext.getAuthenticationTime();
+
+ try {
+ scopeService.verifyScope(tokenContext, OAuth2Scope.AUTHORIZE);
+
+ OAuth2AuthorizationRequest authzRequest =
+ new OAuth2AuthorizationRequest(request);
+ String uri = authorizationService.requestAuthorizationCode(
+ request, authzRequest, username, authTime);
+ return responseHandler.sendRedirect(uri);
+ }
+ catch (OAuthSystemException e) {
+ throw responseHandler.throwit(e, state);
+ }
+ catch (OAuthProblemException e) {
+ throw responseHandler.throwit(e, state);
+ }
+ catch (KustvaktException e) {
+ throw responseHandler.throwit(e, state);
+ }
+ }
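Review bot: The new GET `requestAuthorizationCode` has no Javadoc, whereas the POST variant it supersedes documents its parameters and return, and the three identical catch blocks at L64–L72 can collapse into `catch (OAuthSystemException | OAuthProblemException | KustvaktException e) { throw responseHandler.throwit(e, state); }`. Give it a header comment stating that it issues an authorization code for the already-authenticated user and redirects to the client's redirect URI carrying `code` and `state` in the query string, which is what the accompanying tests assert. Because the request parameters now travel in the URL, `client_id`, `scope`, `redirect_uri` and `state` will land in access logs and Referer headers; that is normal for this endpoint, but worth a comment that nothing secret such as `client_secret` belongs here (the tests in this commit stop sending it). The cast of `context.getUserPrincipal()` at L51 presumably relies on an authentication filter rejecting unauthenticated requests first; if it does not, a null principal surfaces as an NPE and a 500 rather than a 401.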
/**
* Grants a client an access token, namely a string used in
diff --git a/full/src/main/resources/db/test/V3.5__insert_oauth2_clients.sql b/full/src/main/resources/db/test/V3.5__insert_oauth2_clients.sql
index 043426d..b2d6949 100644
--- a/full/src/main/resources/db/test/V3.5__insert_oauth2_clients.sql
+++ b/full/src/main/resources/db/test/V3.5__insert_oauth2_clients.sql
@@ -24,12 +24,11 @@
"http://third.party.com/confidential", CURRENT_TIMESTAMP,1);
INSERT INTO oauth2_client(id,name,secret,type,super,
- redirect_uri,registered_by, description,url, registration_date,
+ registered_by, description,url, registration_date,
is_permitted)
VALUES ("52atrL0ajex_3_5imd9Mgw","confidential client 2",
"$2a$08$vi1FbuN3p6GcI1tSxMAoeuIYL8Yw3j6A8wJthaN8ZboVnrQaTwLPq",
- "CONFIDENTIAL", 0,
- "https://example.client.de/redirect", "system",
+ "CONFIDENTIAL", 0,"system",
"This is a test nonsuper confidential client.",
"http://example.client.de", CURRENT_TIMESTAMP, 1);
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AccessTokenTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AccessTokenTest.java
index f6768f1..eeae3b7 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AccessTokenTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AccessTokenTest.java
@@ -5,6 +5,7 @@
import static org.junit.Assert.assertTrue;
import java.io.IOException;
+import java.net.URI;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response.Status;
@@ -12,6 +13,8 @@
import org.apache.http.entity.ContentType;
import org.apache.oltu.oauth2.common.message.types.GrantType;
import org.junit.Test;
+import org.springframework.util.MultiValueMap;
+import org.springframework.web.util.UriComponentsBuilder;
import com.fasterxml.jackson.databind.JsonNode;
import com.google.common.net.HttpHeaders;
@@ -60,9 +63,17 @@
@Test
public void testCustomScope () throws KustvaktException {
- String code = requestAuthorizationCode(confidentialClientId,
- clientSecret, OAuth2Scope.VC_INFO.toString(), userAuthHeader);
- ClientResponse response = requestTokenWithAuthorizationCodeAndForm(
+ ClientResponse response =
+ requestAuthorizationCode("code", confidentialClientId, "",
+ OAuth2Scope.VC_INFO.toString(), "", userAuthHeader);
+ assertEquals(Status.TEMPORARY_REDIRECT.getStatusCode(),
+ response.getStatus());
+ URI redirectUri = response.getLocation();
+ MultiValueMap<String, String> params = UriComponentsBuilder
+ .fromUri(redirectUri).build().getQueryParams();
+ String code = params.getFirst("code");
+
+ response = requestTokenWithAuthorizationCodeAndForm(
confidentialClientId, clientSecret, code);
JsonNode node = JsonUtils.readTree(response.getEntity(String.class));
@@ -82,8 +93,7 @@
@Test
public void testDefaultScope () throws KustvaktException, IOException {
- String code = requestAuthorizationCode(confidentialClientId, clientSecret,
- null, userAuthHeader);
+ String code = requestAuthorizationCode(confidentialClientId, userAuthHeader);
ClientResponse response = requestTokenWithAuthorizationCodeAndForm(
confidentialClientId, clientSecret, code);
assertEquals(Status.OK.getStatusCode(), response.getStatus());
@@ -160,7 +170,7 @@
public void testRevokeAccessTokenConfidentialClient ()
throws KustvaktException {
String code = requestAuthorizationCode(confidentialClientId,
- clientSecret, null, userAuthHeader);
+ userAuthHeader);
JsonNode node = requestTokenWithAuthorizationCodeAndHeader(
confidentialClientId, code, clientAuthHeader);
@@ -183,7 +193,7 @@
@Test
public void testRevokeAccessTokenPublicClientViaSuperClient()
throws KustvaktException {
- String code = requestAuthorizationCode(publicClientId, "", null,
+ String code = requestAuthorizationCode(publicClientId,
userAuthHeader);
ClientResponse response = requestTokenWithAuthorizationCodeAndForm(
publicClientId, "", code);
@@ -211,8 +221,8 @@
@Test
public void testAccessTokenAfterRequestRefreshToken ()
throws KustvaktException, IOException {
- String code = requestAuthorizationCode(confidentialClientId,
- clientSecret, null, userAuthHeader);
+ String code =
+ requestAuthorizationCode(confidentialClientId, userAuthHeader);
JsonNode node = requestTokenWithAuthorizationCodeAndHeader(
confidentialClientId, code, clientAuthHeader);
@@ -245,22 +255,13 @@
public void testRequestAuthorizationWithBearerTokenUnauthorized ()
throws KustvaktException {
String code = requestAuthorizationCode(confidentialClientId,
- clientSecret, null, userAuthHeader);
+ userAuthHeader);
JsonNode node = requestTokenWithAuthorizationCodeAndHeader(
confidentialClientId, code, clientAuthHeader);
String userAuthToken = node.at("/access_token").asText();
- MultivaluedMap<String, String> form = new MultivaluedMapImpl();
- form.add("response_type", "code");
- form.add("client_id", confidentialClientId);
- form.add("client_secret", clientSecret);
-
- ClientResponse response = resource().path(API_VERSION).path("oauth2").path("authorize")
- .header(Attributes.AUTHORIZATION, "Bearer " + userAuthToken)
- .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
- .header(HttpHeaders.CONTENT_TYPE,
- ContentType.APPLICATION_FORM_URLENCODED)
- .entity(form).post(ClientResponse.class);
+ ClientResponse response = requestAuthorizationCode("code",
+ confidentialClientId, "", "", "", "Bearer " + userAuthToken);
assertEquals(Status.UNAUTHORIZED.getStatusCode(), response.getStatus());
@@ -286,7 +287,7 @@
assertNotNull(node.at("/expires_in").asText());
String code = requestAuthorizationCode(superClientId,
- clientSecret, null, "Bearer " + userAuthToken);
+ "Bearer " + userAuthToken);
assertNotNull(code);
}
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AdminControllerTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AdminControllerTest.java
index 435bf1b..b656b63 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AdminControllerTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AdminControllerTest.java
@@ -96,9 +96,7 @@
public void testCleanRevokedTokens () throws KustvaktException {
int accessTokensBefore = accessDao.retrieveInvalidAccessTokens().size();
-
- String code = requestAuthorizationCode(publicClientId, "", null,
- userAuthHeader);
+ String code = requestAuthorizationCode(publicClientId, userAuthHeader);
ClientResponse response = requestTokenWithAuthorizationCodeAndForm(
publicClientId, clientSecret, code);
@@ -129,8 +127,7 @@
// request an access token
String clientAuthHeader = HttpAuthorizationHandler
.createBasicAuthorizationHeaderValue(clientId, clientSecret);
- String code = requestAuthorizationCode(clientId, clientSecret, null,
- userAuthHeader);
+ String code = requestAuthorizationCode(clientId, userAuthHeader);
node = requestTokenWithAuthorizationCodeAndHeader(clientId, code,
clientAuthHeader);
String accessToken = node.at("/access_token").asText();
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AuthorizationPostTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AuthorizationPostTest.java
new file mode 100644
index 0000000..7501798
--- /dev/null
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AuthorizationPostTest.java
@@ -0,0 +1,97 @@
+package de.ids_mannheim.korap.web.controller;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+
+import java.net.URI;
+
+import javax.ws.rs.core.MultivaluedMap;
+
+import org.apache.http.entity.ContentType;
+import org.apache.oltu.oauth2.common.message.types.TokenType;
+import org.junit.Test;
+import org.springframework.util.MultiValueMap;
+import org.springframework.web.util.UriComponentsBuilder;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.google.common.net.HttpHeaders;
+import com.sun.jersey.api.client.ClientResponse;
+import com.sun.jersey.api.client.ClientResponse.Status;
+import com.sun.jersey.api.uri.UriComponent;
+import com.sun.jersey.core.util.MultivaluedMapImpl;
+
+import de.ids_mannheim.korap.authentication.http.HttpAuthorizationHandler;
+import de.ids_mannheim.korap.config.Attributes;
+import de.ids_mannheim.korap.exceptions.KustvaktException;
+import de.ids_mannheim.korap.utils.JsonUtils;
+
+public class OAuth2AuthorizationPostTest extends OAuth2TestBase {
+
+ public String userAuthHeader;
+
+ public OAuth2AuthorizationPostTest () throws KustvaktException {
+ userAuthHeader = HttpAuthorizationHandler
+ .createBasicAuthorizationHeaderValue("dory", "password");
+ }
+
+ private ClientResponse requestAuthorizationCode (
+ MultivaluedMap<String, String> form, String authHeader)
+ throws KustvaktException {
+
+ return resource().path(API_VERSION).path("oauth2").path("authorize")
+ .header(Attributes.AUTHORIZATION, authHeader)
+ .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
+ .header(HttpHeaders.CONTENT_TYPE,
+ ContentType.APPLICATION_FORM_URLENCODED)
+ .entity(form).post(ClientResponse.class);
+ }
+
+ @Test
+ public void testAuthorizeConfidentialClient () throws KustvaktException {
+ MultivaluedMap<String, String> form = new MultivaluedMapImpl();
+ form.add("response_type", "code");
+ form.add("client_id", confidentialClientId);
+ form.add("state", "thisIsMyState");
+
+ ClientResponse response =
+ requestAuthorizationCode(form, userAuthHeader);
+
+ assertEquals(Status.TEMPORARY_REDIRECT.getStatusCode(),
+ response.getStatus());
+ URI redirectUri = response.getLocation();
+ MultiValueMap<String, String> params = UriComponentsBuilder
+ .fromUri(redirectUri).build().getQueryParams();
+ assertNotNull(params.getFirst("code"));
+ assertEquals("thisIsMyState", params.getFirst("state"));
+ }
+
+ @Test
+ public void testRequestTokenAuthorizationConfidential ()
+ throws KustvaktException {
+
+ MultivaluedMap<String, String> authForm = new MultivaluedMapImpl();
+ authForm.add("response_type", "code");
+ authForm.add("client_id", confidentialClientId);
+ authForm.add("scope", "search");
+
+ ClientResponse response =
+ requestAuthorizationCode(authForm, userAuthHeader);
+ URI redirectUri = response.getLocation();
+ MultivaluedMap<String, String> params =
+ UriComponent.decodeQuery(redirectUri, true);
+ String code = params.get("code").get(0);
+ String scopes = params.get("scope").get(0);
+
+ assertEquals(scopes, "search");
+
+ response = requestTokenWithAuthorizationCodeAndForm(
+ confidentialClientId, clientSecret, code);
+ String entity = response.getEntity(String.class);
+ JsonNode node = JsonUtils.readTree(entity);
+ assertNotNull(node.at("/access_token").asText());
+ assertNotNull(node.at("/refresh_token").asText());
+ assertEquals(TokenType.BEARER.toString(),
+ node.at("/token_type").asText());
+ assertNotNull(node.at("/expires_in").asText());
+ }
+}
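Review bot: `testRequestTokenAuthorizationConfidential` at L301–L307 reads `response.getLocation()` without first asserting `TEMPORARY_REDIRECT`, so a 4xx from the deprecated POST endpoint fails with an NPE inside `decodeQuery` instead of a readable assertion, and `assertEquals(scopes, "search")` at L309 has expected and actual swapped. Add `assertEquals(Status.TEMPORARY_REDIRECT.getStatusCode(), response.getStatus());` before reading the location and flip the argument order. Since this class exists to keep the deprecated POST path covered, a one-line class comment saying so would tell a maintainer why it must not be folded into the GET-based `OAuth2ControllerTest`.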
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ClientControllerTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ClientControllerTest.java
index ec73796..1cf6c9c 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ClientControllerTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ClientControllerTest.java
@@ -119,7 +119,7 @@
assertNotNull(clientId);
assertNotNull(clientSecret);
assertFalse(clientId.contains("a"));
-
+
testConfidentialClientInfo(clientId, username);
testResetConfidentialClientSecret(clientId, clientSecret);
deregisterConfidentialClient(username, clientId);
@@ -238,11 +238,12 @@
@Test
public void testRegisterPublicClient () throws UniformInterfaceException,
ClientHandlerException, KustvaktException {
+ String redirectUri = "https://test.public.client.com/redirect";
OAuth2ClientJson clientJson =
createOAuth2ClientJson("OAuth2PublicClient",
OAuth2ClientType.PUBLIC, "A public test client.");
clientJson.setUrl("http://test.public.client.com");
- clientJson.setRedirectURI("https://test.public.client.com/redirect");
+ clientJson.setRedirectURI(redirectUri);
ClientResponse response = registerClient(username, clientJson);
@@ -255,7 +256,7 @@
testRegisterClientUnauthorizedScope(clientId);
testResetPublicClientSecret(clientId);
- testAccessTokenAfterDeregistration(clientId, null, null);
+ testAccessTokenAfterDeregistration(clientId, null, "");
}
private void testRegisterClientUnauthorizedScope (String clientId)
@@ -264,10 +265,9 @@
String userAuthHeader = HttpAuthorizationHandler
.createBasicAuthorizationHeaderValue("dory", "password");
- String code = requestAuthorizationCode(clientId, "", null,
- userAuthHeader, null);
+ String code = requestAuthorizationCode(clientId, userAuthHeader);
ClientResponse response = requestTokenWithAuthorizationCodeAndForm(
- clientId, clientSecret, code, null);
+ clientId, clientSecret, code);
JsonNode node = JsonUtils.readTree(response.getEntity(String.class));
assertEquals("match_info search", node.at("/scope").asText());
@@ -318,7 +318,7 @@
assertTrue(node.at("/client_secret").isMissingNode());
testResetPublicClientSecret(clientId);
- testAccessTokenAfterDeregistration(clientId, null, null);
+ testAccessTokenAfterDeregistration(clientId, null, "");
}
@Test
@@ -387,8 +387,8 @@
String userAuthHeader = HttpAuthorizationHandler
.createBasicAuthorizationHeaderValue("dory", "password");
- String code = requestAuthorizationCode(clientId, "", null,
- userAuthHeader, redirectUri);
+ String code = requestAuthorizationCode(clientId, redirectUri, userAuthHeader);
+
ClientResponse response = requestTokenWithAuthorizationCodeAndForm(
clientId, clientSecret, code, redirectUri);
JsonNode node = JsonUtils.readTree(response.getEntity(String.class));
@@ -397,8 +397,7 @@
response = searchWithAccessToken(accessToken);
assertEquals(Status.OK.getStatusCode(), response.getStatus());
- code = requestAuthorizationCode(clientId, "", null, userAuthHeader,
- redirectUri);
+ code = requestAuthorizationCode(clientId, redirectUri, userAuthHeader);
testDeregisterPublicClient(clientId, username);
response = requestTokenWithAuthorizationCodeAndForm(clientId,
@@ -552,8 +551,7 @@
assertEquals(Status.OK.getStatusCode(), response.getStatus());
// client 1
- String code = requestAuthorizationCode(publicClientId, "", null,
- userAuthHeader);
+ String code = requestAuthorizationCode(publicClientId, userAuthHeader);
response = requestTokenWithAuthorizationCodeAndForm(publicClientId, "",
code);
assertEquals(Status.OK.getStatusCode(), response.getStatus());
@@ -562,8 +560,7 @@
String accessToken = node.at("/access_token").asText();
// client 2
- code = requestAuthorizationCode(confidentialClientId, clientSecret,
- null, userAuthHeader);
+ code = requestAuthorizationCode(confidentialClientId, userAuthHeader);
response = requestTokenWithAuthorizationCodeAndForm(
confidentialClientId, clientSecret, code);
String refreshToken = node.at("/refresh_token").asText();
@@ -591,8 +588,8 @@
private void testListAuthorizedClientWithMultipleRefreshTokens (
String userAuthHeader) throws KustvaktException {
// client 2
- String code = requestAuthorizationCode(confidentialClientId,
- clientSecret, null, userAuthHeader);
+ String code =
+ requestAuthorizationCode(confidentialClientId, userAuthHeader);
ClientResponse response = requestTokenWithAuthorizationCodeAndForm(
confidentialClientId, clientSecret, code);
@@ -604,8 +601,7 @@
private void testListAuthorizedClientWithMultipleAccessTokens (
String userAuthHeader) throws KustvaktException {
// client 1
- String code = requestAuthorizationCode(publicClientId, "", null,
- userAuthHeader);
+ String code = requestAuthorizationCode(publicClientId, userAuthHeader);
ClientResponse response = requestTokenWithAuthorizationCodeAndForm(
publicClientId, "", code);
@@ -621,8 +617,7 @@
.createBasicAuthorizationHeaderValue("aaa", "pwd");
// client 1
- String code = requestAuthorizationCode(publicClientId, "", null,
- aaaAuthHeader);
+ String code = requestAuthorizationCode(publicClientId, aaaAuthHeader);
ClientResponse response = requestTokenWithAuthorizationCodeAndForm(
publicClientId, "", code);
@@ -630,8 +625,7 @@
String accessToken1 = node.at("/access_token").asText();
// client 2
- code = requestAuthorizationCode(confidentialClientId, clientSecret,
- null, aaaAuthHeader);
+ code = requestAuthorizationCode(confidentialClientId, aaaAuthHeader);
response = requestTokenWithAuthorizationCodeAndForm(
confidentialClientId, clientSecret, code);
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ControllerTest.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ControllerTest.java
index b6cc9ef..b7911b3 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ControllerTest.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2ControllerTest.java
@@ -47,13 +47,8 @@
@Test
public void testAuthorizeConfidentialClient () throws KustvaktException {
- MultivaluedMap<String, String> form = new MultivaluedMapImpl();
- form.add("response_type", "code");
- form.add("client_id", confidentialClientId);
- form.add("state", "thisIsMyState");
-
- ClientResponse response =
- requestAuthorizationCode(form, userAuthHeader);
+ ClientResponse response = requestAuthorizationCode("code",
+ confidentialClientId, "", "", state, userAuthHeader);
assertEquals(Status.TEMPORARY_REDIRECT.getStatusCode(),
response.getStatus());
@@ -66,22 +61,15 @@
@Test
public void testAuthorizePublicClient () throws KustvaktException {
- String code = requestAuthorizationCode(publicClientId, clientSecret,
- null, userAuthHeader);
+ String code = requestAuthorizationCode(publicClientId, userAuthHeader);
assertNotNull(code);
}
@Test
public void testAuthorizeInvalidRedirectUri () throws KustvaktException {
String redirectUri = "https://different.uri/redirect";
-
- MultivaluedMap<String, String> form = new MultivaluedMapImpl();
- form.add("response_type", "code");
- form.add("client_id", confidentialClientId);
- form.add("redirect_uri", redirectUri);
- form.add("state", "thisIsMyState");
- ClientResponse response =
- requestAuthorizationCode(form, userAuthHeader);
+ ClientResponse response = requestAuthorizationCode("code",
+ confidentialClientId, redirectUri, "", state, userAuthHeader);
assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
@@ -93,15 +81,23 @@
node.at("/error_description").asText());
assertEquals("thisIsMyState", node.at("/state").asText());
}
+
+// @Test
+// public void testAuthorizeRedirectUriLocalhost () throws KustvaktException {
+// String redirectUri = "http://localhost:1410/";
+// ClientResponse response =
+// requestAuthorizationCode("code", confidentialClientId2,
+// redirectUri, null, "myState", userAuthHeader);
+// System.out.println(response.getStatus());
+// System.out.println(response.getEntity(String.class));
+// }
@Test
public void testAuthorizeMissingRequiredParameters ()
throws KustvaktException {
- MultivaluedMap<String, String> form = new MultivaluedMapImpl();
- form.add("state", "thisIsMyState");
// missing response_type
- ClientResponse response =
- requestAuthorizationCode(form, userAuthHeader);
+ ClientResponse response = requestAuthorizationCode("",
+ confidentialClientId, "", "", state, userAuthHeader);
assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
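Review bot: The commented-out `testAuthorizeRedirectUriLocalhost` at L488–L496 is dead code with `System.out.println` debugging and should be deleted or finished with a real assertion. The scenario it sketches is security-relevant: this commit removes the registered `redirect_uri` from the seed row of `confidentialClientId2`, so the assertion that matters is whether a request-supplied `http://localhost:1410/` is accepted or refused, e.g. `assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());` if unregistered redirect URIs are meant to be rejected. The enclosing test class continues outside this hunk.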
@@ -114,8 +110,7 @@
assertEquals("thisIsMyState", node.at("/state").asText());
// missing client_id
- form.add("response_type", "code");
- response = requestAuthorizationCode(form, userAuthHeader);
+ response = requestAuthorizationCode("code","", "", "", "", userAuthHeader);
entity = response.getEntity(String.class);
node = JsonUtils.readTree(entity);
assertEquals("Missing parameters: client_id",
@@ -128,8 +123,8 @@
form.add("response_type", "string");
form.add("state", "thisIsMyState");
- ClientResponse response =
- requestAuthorizationCode(form, userAuthHeader);
+ ClientResponse response = requestAuthorizationCode("string",
+ confidentialClientId, "", "", state, userAuthHeader);
assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
String entity = response.getEntity(String.class);
@@ -143,14 +138,10 @@
@Test
public void testAuthorizeInvalidScope () throws KustvaktException {
- MultivaluedMap<String, String> form = new MultivaluedMapImpl();
- form.add("response_type", "code");
- form.add("client_id", confidentialClientId);
- form.add("scope", "read_address");
- form.add("state", "thisIsMyState");
+ String scope = "read_address";
- ClientResponse response =
- requestAuthorizationCode(form, userAuthHeader);
+ ClientResponse response = requestAuthorizationCode("code",
+ confidentialClientId, "", scope, state, userAuthHeader);
assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
URI location = response.getLocation();
@@ -165,8 +156,8 @@
@Test
public void testRequestTokenAuthorizationPublic ()
throws KustvaktException {
- String code = requestAuthorizationCode(publicClientId, "", null,
- userAuthHeader);
+ String code =
+ requestAuthorizationCode(publicClientId, userAuthHeader);
ClientResponse response = requestTokenWithAuthorizationCodeAndForm(
publicClientId, clientSecret, code);
@@ -188,13 +179,9 @@
public void testRequestTokenAuthorizationConfidential ()
throws KustvaktException {
- MultivaluedMap<String, String> authForm = new MultivaluedMapImpl();
- authForm.add("response_type", "code");
- authForm.add("client_id", confidentialClientId);
- authForm.add("scope", "search");
-
- ClientResponse response =
- requestAuthorizationCode(authForm, userAuthHeader);
+ String scope = "search";
+ ClientResponse response = requestAuthorizationCode("code",
+ confidentialClientId, "", scope, state, userAuthHeader);
URI redirectUri = response.getLocation();
MultivaluedMap<String, String> params =
UriComponent.decodeQuery(redirectUri, true);
@@ -256,15 +243,12 @@
@Test
public void testRequestTokenAuthorizationReplyAttack ()
throws KustvaktException {
- String uri = "https://third.party.com/confidential/redirect";
- MultivaluedMap<String, String> authForm = new MultivaluedMapImpl();
- authForm.add("response_type", "code");
- authForm.add("client_id", confidentialClientId);
- authForm.add("scope", "search");
- authForm.add("redirect_uri", uri);
+ String redirect_uri = "https://third.party.com/confidential/redirect";
+ String scope = "search";
ClientResponse response =
- requestAuthorizationCode(authForm, userAuthHeader);
+ requestAuthorizationCode("code", confidentialClientId,
+ redirect_uri, scope, state, userAuthHeader);
URI redirectUri = response.getLocation();
MultivaluedMap<String, String> params =
UriComponent.decodeQuery(redirectUri, true);
@@ -272,7 +256,7 @@
testRequestTokenAuthorizationInvalidClient(code);
testRequestTokenAuthorizationInvalidRedirectUri(code);
- testRequestTokenAuthorizationRevoked(code, uri);
+ testRequestTokenAuthorizationRevoked(code, redirect_uri);
}
private void testRequestTokenAuthorizationInvalidClient (String code)
@@ -701,17 +685,17 @@
String refreshToken1 = node.at("/refresh_token").asText();
// client 1
- String code = requestAuthorizationCode(confidentialClientId,
- clientSecret, null, userAuthHeader);
+ String code =
+ requestAuthorizationCode(confidentialClientId, userAuthHeader);
response = requestTokenWithAuthorizationCodeAndForm(
confidentialClientId, clientSecret, code);
assertEquals(Status.OK.getStatusCode(), response.getStatus());
// client 2
- code = requestAuthorizationCode(confidentialClientId2, clientSecret,
- null, userAuthHeader);
+ code = requestAuthorizationCode(confidentialClientId2,
+ clientRedirectUri, userAuthHeader);
response = requestTokenWithAuthorizationCodeAndForm(
- confidentialClientId2, clientSecret, code);
+ confidentialClientId2, clientSecret, code, clientRedirectUri);
assertEquals(Status.OK.getStatusCode(), response.getStatus());
// list
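Review bot: At L606–L610 client 2 is authorized with a caller-supplied `clientRedirectUri`, yet the same commit removes the registered `redirect_uri` from that client's seed row, so this test now passes only if the server accepts a `redirect_uri` that was never registered for a confidential client. RFC 6749 §3.1.2.2 makes registration mandatory only for public and implicit-grant clients, but accepting arbitrary `redirect_uri` values delivers the authorization code to whatever host the requester names; confirm that `authorizationService` requires an exact match whenever a URI is registered, and consider refusing unregistered URIs outright. A negative test asserting `BAD_REQUEST` for a second, different URI on `confidentialClientId2` would pin the intended policy. The enclosing test method starts and ends outside this hunk.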
@@ -721,8 +705,7 @@
assertEquals(confidentialClientId2, node.at("/1/client_id").asText());
// client 1
- code = requestAuthorizationCode(confidentialClientId, clientSecret,
- null, userAuthHeader);
+ code = requestAuthorizationCode(confidentialClientId, userAuthHeader);
response = requestTokenWithAuthorizationCodeAndForm(
confidentialClientId, clientSecret, code);
assertEquals(Status.OK.getStatusCode(), response.getStatus());
@@ -736,8 +719,7 @@
assertEquals(0, node.size());
// client 1
- code = requestAuthorizationCode(confidentialClientId, clientSecret,
- null, darlaAuthHeader);
+ code = requestAuthorizationCode(confidentialClientId, darlaAuthHeader);
assertEquals(Status.OK.getStatusCode(), response.getStatus());
response = requestTokenWithAuthorizationCodeAndForm(
confidentialClientId, clientSecret, code);
@@ -788,8 +770,7 @@
.createBasicAuthorizationHeaderValue(username, password);
// access token 1
- String code = requestAuthorizationCode(publicClientId, clientSecret,
- null, userAuthHeader);
+ String code = requestAuthorizationCode(publicClientId, userAuthHeader);
ClientResponse response = requestTokenWithAuthorizationCodeAndForm(publicClientId, "",
code);
assertEquals(Status.OK.getStatusCode(), response.getStatus());
@@ -797,8 +778,7 @@
String accessToken1 = node.at("/access_token").asText();
// access token 2
- code = requestAuthorizationCode(publicClientId, clientSecret, null,
- userAuthHeader);
+ code = requestAuthorizationCode(publicClientId, userAuthHeader);
response = requestTokenWithAuthorizationCodeAndForm(publicClientId, "",
code);
assertEquals(Status.OK.getStatusCode(), response.getStatus());
diff --git a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2TestBase.java b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2TestBase.java
index 1574505..bcdcee7 100644
--- a/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2TestBase.java
+++ b/full/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2TestBase.java
@@ -49,38 +49,33 @@
protected String confidentialClientId2 = "52atrL0ajex_3_5imd9Mgw";
protected String superClientId = "fCBbQkAyYzI4NzUxMg";
protected String clientSecret = "secret";
+ protected String state = "thisIsMyState";
public static String ACCESS_TOKEN_TYPE = "access_token";
public static String REFRESH_TOKEN_TYPE = "refresh_token";
- private String clientURL = "http://example.client.com";
- private String clientRedirectUri = "https://example.client.com/redirect";
+ protected String clientURL = "http://example.client.com";
+ protected String clientRedirectUri = "https://example.client.com/redirect";
- protected ClientResponse requestAuthorizationCode (
- MultivaluedMap<String, String> form, String authHeader)
- throws KustvaktException {
+ protected ClientResponse requestAuthorizationCode (String responseType,
+ String clientId, String redirectUri, String scope, String state,
+ String authHeader) throws KustvaktException {
return resource().path(API_VERSION).path("oauth2").path("authorize")
+ .queryParam("response_type", responseType)
+ .queryParam("client_id", clientId)
+ .queryParam("redirect_uri", redirectUri)
+ .queryParam("scope", scope)
+ .queryParam("state", state)
.header(Attributes.AUTHORIZATION, authHeader)
- .header(HttpHeaders.X_FORWARDED_FOR, "149.27.0.32")
- .header(HttpHeaders.CONTENT_TYPE,
- ContentType.APPLICATION_FORM_URLENCODED)
- .entity(form).post(ClientResponse.class);
+ .get(ClientResponse.class);
}
- protected String requestAuthorizationCode (String clientId,
- String clientSecret, String scope, String authHeader)
- throws KustvaktException {
+ protected String requestAuthorizationCode (String clientId,
+ String authHeader) throws KustvaktException {
- MultivaluedMap<String, String> form = new MultivaluedMapImpl();
- form.add("response_type", "code");
- form.add("client_id", clientId);
- form.add("client_secret", clientSecret);
- if (scope != null) {
- form.add("scope", scope);
- }
-
- ClientResponse response = requestAuthorizationCode(form, authHeader);
+ ClientResponse response = requestAuthorizationCode("code", clientId,
+ "", "", "", authHeader);
assertEquals(Status.TEMPORARY_REDIRECT.getStatusCode(),
response.getStatus());
URI redirectUri = response.getLocation();
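Review bot: `requestAuthorizationCode` at L667–L682 always appends `redirect_uri`, `scope` and `state`, so callers passing `""` send present-but-empty parameters (`redirect_uri=&scope=&state=`) rather than omitting them, and `testAuthorizeMissingRequiredParameters` ends up checking an empty `response_type` instead of a missing one. Guard each optional parameter, e.g. `if (!redirectUri.isEmpty()) webResource = webResource.queryParam("redirect_uri", redirectUri);`, so the tests exercise the request shape a real client produces; this matters most for `redirect_uri`, where empty and absent may be validated differently. The `X-Forwarded-For` header the old helper sent has been dropped, which is fine unless some test depends on IP-based behaviour. The overload starting at L686 continues past the end of this hunk.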
@@ -90,22 +85,10 @@
return params.getFirst("code");
}
- protected String requestAuthorizationCode (String clientId,
- String clientSecret, String scope, String authHeader,
- String redirect_uri) throws KustvaktException {
-
- MultivaluedMap<String, String> form = new MultivaluedMapImpl();
- form.add("response_type", "code");
- form.add("client_id", clientId);
- form.add("client_secret", clientSecret);
- if (scope != null) {
- form.add("scope", scope);
- }
- if (redirect_uri!=null){
- form.add("redirect_uri", redirect_uri);
- }
-
- ClientResponse response = requestAuthorizationCode(form, authHeader);
+ protected String requestAuthorizationCode (String clientId, String redirect_uri,
+ String authHeader) throws KustvaktException {
+ ClientResponse response = requestAuthorizationCode("code", clientId,
+ redirect_uri, "", "", authHeader);
assertEquals(Status.TEMPORARY_REDIRECT.getStatusCode(),
response.getStatus());
URI redirectUri = response.getLocation();