Disallow scope all for non super clients.
Change-Id: I238d96d88e27a73d39e7d0228d83f22d28772298
diff --git a/Changes b/Changes
index ef15a5d..5fd23c6 100644
--- a/Changes
+++ b/Changes
@@ -18,6 +18,8 @@
- Added deprecation messages to deprecated services
- Removed mail configuration (#764)
- Deprecate VC access deletion.
+- Change default port to 8089.
+- Disallow scope all for non super clients.
# version 0.74.1-SNAPSHOT
diff --git a/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2AuthorizationService.java b/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2AuthorizationService.java
index 36b027f..2d09877 100644
--- a/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2AuthorizationService.java
+++ b/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2AuthorizationService.java
@@ -25,6 +25,7 @@
import de.ids_mannheim.korap.config.Attributes;
import de.ids_mannheim.korap.config.FullConfiguration;
+import de.ids_mannheim.korap.constant.OAuth2Scope;
import de.ids_mannheim.korap.encryption.RandomCodeGenerator;
import de.ids_mannheim.korap.exceptions.KustvaktException;
import de.ids_mannheim.korap.exceptions.StatusCodes;
@@ -88,6 +89,18 @@
OAuth2Client client = clientService.authenticateClientId(clientId);
redirectURI = verifyRedirectUri(client, redirectUri);
//checkResponseType(authzRequest.getResponseType(), redirectURI);
+
+ if (scope == null || scope.isEmpty()) {
+ throw new KustvaktException(StatusCodes.MISSING_PARAMETER,
+ "scope is required", OAuth2Error.INVALID_SCOPE);
+ }
+ else if (!client.isSuper()
+ && scope.contains(OAuth2Scope.ALL.toString())) {
+ throw new KustvaktException(StatusCodes.NOT_ALLOWED,
+ "Requested scope all is not allowed.",
+ OAuth2Error.INVALID_SCOPE);
+ }
+
code = codeGenerator.createRandomCode();
URI responseURI = createAuthorizationResponse(requestURI,
redirectURI, code, state);
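Review bot: The new guard `scope.contains(OAuth2Scope.ALL.toString())` is a substring test on the raw scope string, so a non-super client requesting any scope token whose name merely contains the characters of the `all` value would be rejected with "Requested scope all is not allowed." even though it never asked for `all`; compare whole space-separated tokens instead, e.g. `Arrays.asList(scope.split("\\s+")).contains(OAuth2Scope.ALL.toString())` (adding the `java.util.Arrays` import), or perform the check on the parsed result of `scopeService.convertToAccessScope(scope)`. The enclosing method starts before and ends after this hunk. The null/empty scope check inserted here is the one deleted from the method in the last hunk of this file (the one taking `authenticationTime` and `nonce`); if that method has any caller other than this authorization path, those callers lose the `scope is required` rejection and will reach `convertToAccessScope(null)`, which is worth confirming before merging.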
@@ -102,7 +115,7 @@
throw e;
}
}
-
+
private URI createAuthorizationResponse (URI requestURI, URI redirectURI,
String code, String state) throws KustvaktException {
AuthorizationRequest authRequest = null;
@@ -171,10 +184,6 @@
ZonedDateTime authenticationTime, String nonce)
throws KustvaktException {
- if (scope == null || scope.isEmpty()) {
- throw new KustvaktException(StatusCodes.MISSING_PARAMETER,
- "scope is required", OAuth2Error.INVALID_SCOPE);
- }
Set<AccessScope> accessScopes = scopeService
.convertToAccessScope(scope);
diff --git a/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AuthorizationTest.java b/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AuthorizationTest.java
index 27903e7..e2dd072 100644
--- a/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AuthorizationTest.java
+++ b/src/test/java/de/ids_mannheim/korap/web/controller/OAuth2AuthorizationTest.java
@@ -277,6 +277,21 @@
}
@Test
+ public void testAuthorizeScopeAll () throws KustvaktException {
+ String scope = "all";
+ Response response = requestAuthorizationCode("code",
+ confidentialClientId, "", scope, state, userAuthHeader);
+ assertEquals(Status.TEMPORARY_REDIRECT.getStatusCode(),
+ response.getStatus());
+
+ assertEquals(
+ "https://third.party.com/confidential/redirect?"
+ + "error=invalid_scope&error_description=Requested+scope"
+ + "+all+is+not+allowed.&state=thisIsMyState",
+ response.getLocation().toString());
+ }
+
+ @Test
public void testAuthorizeUnsupportedTokenResponseType ()
throws KustvaktException {
Response response = requestAuthorizationCode("token",
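Review bot: `testAuthorizeScopeAll` only pins the rejection for a non-super client with the exact scope `all`; it does not cover the positive side of the new rule (a super client requesting `all` should still receive a code) nor a non-super client whose scope list contains a token that merely includes the string `all`, which is exactly the case where a substring check and a token check diverge. Adding those two cases next to this test would document the intended token-level semantics of the guard. The `testAuthorizeUnsupportedTokenResponseType` method continues past the end of this hunk.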