Disallow scope all for non super clients.

Change-Id: I238d96d88e27a73d39e7d0228d83f22d28772298
diff --git a/Changes b/Changes
index ef15a5d..5fd23c6 100644
--- a/Changes
+++ b/Changes
@@ -18,6 +18,8 @@
 - Added deprecation messages to deprecated services
 - Removed mail configuration (#764)
 - Deprecate VC access deletion.
+- Change default port to 8089.
+- Disallow scope all for non super clients.
 
 # version 0.74.1-SNAPSHOT
 
diff --git a/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2AuthorizationService.java b/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2AuthorizationService.java
index 36b027f..2d09877 100644
--- a/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2AuthorizationService.java
+++ b/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2AuthorizationService.java
@@ -25,6 +25,7 @@
 
 import de.ids_mannheim.korap.config.Attributes;
 import de.ids_mannheim.korap.config.FullConfiguration;
+import de.ids_mannheim.korap.constant.OAuth2Scope;
 import de.ids_mannheim.korap.encryption.RandomCodeGenerator;
 import de.ids_mannheim.korap.exceptions.KustvaktException;
 import de.ids_mannheim.korap.exceptions.StatusCodes;
@@ -88,6 +89,18 @@
             OAuth2Client client = clientService.authenticateClientId(clientId);
             redirectURI = verifyRedirectUri(client, redirectUri);
             //checkResponseType(authzRequest.getResponseType(), redirectURI);
+            
+            if (scope == null || scope.isEmpty()) {
+                throw new KustvaktException(StatusCodes.MISSING_PARAMETER,
+                        "scope is required", OAuth2Error.INVALID_SCOPE);
+            }
+            else if (!client.isSuper()
+                    && scope.contains(OAuth2Scope.ALL.toString())) {
+                throw new KustvaktException(StatusCodes.NOT_ALLOWED,
+                        "Requested scope all is not allowed.", 
+                        OAuth2Error.INVALID_SCOPE);
+            }
+            
             code = codeGenerator.createRandomCode();
             URI responseURI = createAuthorizationResponse(requestURI,
                     redirectURI, code, state);
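Review bot: The `scope.contains(OAuth2Scope.ALL.toString())` test in the new else-if is a substring match if `scope` is the raw space-separated scope string from the request (the added test passes a plain `"all"`, and the method signature is outside this hunk), so a scope list that merely has those three characters inside another scope name is rejected as well, while a differently cased `ALL` would slip past if the later conversion normalizes case. Tokenizing first makes the check exact: `if (!client.isSuper() && Arrays.asList(scope.trim().split("\\s+")).contains(OAuth2Scope.ALL.toString()))` (needs `java.util.Arrays` if it is not already imported). The enclosing method starts and ends outside the hunk. The same null/empty scope check is removed from the method in the last hunk of this file; if that method has callers other than this path, they no longer get the missing-scope error, which is worth confirming.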
@@ -102,7 +115,7 @@
             throw e;
         }
     }
-
+    
     private URI createAuthorizationResponse (URI requestURI, URI redirectURI,
             String code, String state) throws KustvaktException {
         AuthorizationRequest authRequest = null;
@@ -171,10 +184,6 @@
             ZonedDateTime authenticationTime, String nonce)
             throws KustvaktException {
 
-        if (scope == null || scope.isEmpty()) {
-            throw new KustvaktException(StatusCodes.MISSING_PARAMETER,
-                    "scope is required", OAuth2Error.INVALID_SCOPE);
-        }
         Set<AccessScope> accessScopes = scopeService
                 .convertToAccessScope(scope);
 
diff --git a/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AuthorizationTest.java b/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AuthorizationTest.java
index 27903e7..e2dd072 100644
--- a/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AuthorizationTest.java
+++ b/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AuthorizationTest.java
@@ -277,6 +277,21 @@
     }
 
     @Test
+    public void testAuthorizeScopeAll () throws KustvaktException {
+        String scope = "all";
+        Response response = requestAuthorizationCode("code",
+                confidentialClientId, "", scope, state, userAuthHeader);
+        assertEquals(Status.TEMPORARY_REDIRECT.getStatusCode(),
+                response.getStatus());
+
+        assertEquals(
+                "https://third.party.com/confidential/redirect?"
+                        + "error=invalid_scope&error_description=Requested+scope"
+                        + "+all+is+not+allowed.&state=thisIsMyState",
+                response.getLocation().toString());
+    }
+    
+    @Test
     public void testAuthorizeUnsupportedTokenResponseType ()
             throws KustvaktException {
         Response response = requestAuthorizationCode("token",
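Review bot: `testAuthorizeScopeAll` covers only the rejection of a non-super client requesting the single scope `all`; the branch the service keeps open — a super client requesting `all` and still receiving a code — and a request listing `all` together with another scope are not exercised, so a regression in the `client.isSuper()` handling or in how the scope string is matched would pass this suite. If the fixtures provide a super client id, a companion test with that client and a scope string that lists another scope in addition to `all`, asserting a redirect carrying `code=` rather than `error=invalid_scope`, would cover both. The helpers and fields the test relies on (`requestAuthorizationCode`, `confidentialClientId`, `state`, `userAuthHeader`) are declared outside this hunk.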