Blame - full/src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2TokenService.java - KorAP/Kustvakt

blob: 067ad818273a8cefd3e08801bc7d2cee13a688ca [file] [log] [blame]

margaretha	a452c5e	2018-04-25 22:48:09 +0200	[diff] [blame]	1	package de.ids_mannheim.korap.oauth2.service;
margaretha	0e8f4e7	2018-04-05 14:11:52 +0200	[diff] [blame]	2
margaretha	6374f72	2018-04-17 18:45:57 +0200	[diff] [blame]	3	import java.util.HashMap;
				4	import java.util.Map;
margaretha	f839dde	2018-04-16 17:52:57 +0200	[diff] [blame]	5	import java.util.Set;
				6
margaretha	fb027f9	2018-04-23 20:00:13 +0200	[diff] [blame]	7	import javax.ws.rs.core.Response.Status;
margaretha	a048627	2018-04-12 19:59:31 +0200	[diff] [blame]	8
margaretha	a048627	2018-04-12 19:59:31 +0200	[diff] [blame]	9	import org.apache.oltu.oauth2.as.issuer.OAuthIssuer;
margaretha	fb027f9	2018-04-23 20:00:13 +0200	[diff] [blame]	10	import org.apache.oltu.oauth2.as.request.AbstractOAuthTokenRequest;
margaretha	a048627	2018-04-12 19:59:31 +0200	[diff] [blame]	11	import org.apache.oltu.oauth2.as.response.OAuthASResponse;
margaretha	a048627	2018-04-12 19:59:31 +0200	[diff] [blame]	12	import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
				13	import org.apache.oltu.oauth2.common.message.OAuthResponse;
margaretha	0e8f4e7	2018-04-05 14:11:52 +0200	[diff] [blame]	14	import org.apache.oltu.oauth2.common.message.types.GrantType;
margaretha	a048627	2018-04-12 19:59:31 +0200	[diff] [blame]	15	import org.apache.oltu.oauth2.common.message.types.TokenType;
margaretha	0e8f4e7	2018-04-05 14:11:52 +0200	[diff] [blame]	16	import org.springframework.beans.factory.annotation.Autowired;
				17	import org.springframework.stereotype.Service;
				18
margaretha	6374f72	2018-04-17 18:45:57 +0200	[diff] [blame]	19	import de.ids_mannheim.korap.config.Attributes;
margaretha	a048627	2018-04-12 19:59:31 +0200	[diff] [blame]	20	import de.ids_mannheim.korap.config.FullConfiguration;
margaretha	0e8f4e7	2018-04-05 14:11:52 +0200	[diff] [blame]	21	import de.ids_mannheim.korap.exceptions.KustvaktException;
margaretha	0512231	2018-04-16 15:01:34 +0200	[diff] [blame]	22	import de.ids_mannheim.korap.exceptions.StatusCodes;
margaretha	6374f72	2018-04-17 18:45:57 +0200	[diff] [blame]	23	import de.ids_mannheim.korap.interfaces.AuthenticationManagerIface;
margaretha	a452c5e	2018-04-25 22:48:09 +0200	[diff] [blame]	24	import de.ids_mannheim.korap.oauth2.constant.OAuth2Error;
				25	import de.ids_mannheim.korap.oauth2.dao.AccessTokenDao;
				26	import de.ids_mannheim.korap.oauth2.entity.Authorization;
				27	import de.ids_mannheim.korap.oauth2.entity.OAuth2Client;
margaretha	0e8f4e7	2018-04-05 14:11:52 +0200	[diff] [blame]	28
				29	@Service
margaretha	b4ce660	2018-04-26 20:23:57 +0200	[diff] [blame^]	30	public class OAuth2TokenService {
margaretha	0e8f4e7	2018-04-05 14:11:52 +0200	[diff] [blame]	31
				32	@Autowired
				33	private OAuth2ClientService clientService;
margaretha	a048627	2018-04-12 19:59:31 +0200	[diff] [blame]	34	@Autowired
margaretha	a452c5e	2018-04-25 22:48:09 +0200	[diff] [blame]	35	private OAuth2AuthorizationService authorizationService;
				36	@Autowired
				37	private AccessTokenDao tokenDao;
				38
				39	@Autowired
margaretha	a048627	2018-04-12 19:59:31 +0200	[diff] [blame]	40	private FullConfiguration config;
margaretha	6374f72	2018-04-17 18:45:57 +0200	[diff] [blame]	41	@Autowired
				42	private AuthenticationManagerIface authenticationManager;
margaretha	fb027f9	2018-04-23 20:00:13 +0200	[diff] [blame]	43	@Autowired
				44	private OAuthIssuer oauthIssuer;
margaretha	0e8f4e7	2018-04-05 14:11:52 +0200	[diff] [blame]	45
margaretha	fb027f9	2018-04-23 20:00:13 +0200	[diff] [blame]	46	public OAuthResponse requestAccessToken (
				47	AbstractOAuthTokenRequest oAuthRequest)
margaretha	f839dde	2018-04-16 17:52:57 +0200	[diff] [blame]	48	throws KustvaktException, OAuthSystemException {
				49
				50	String grantType = oAuthRequest.getGrantType();
margaretha	0e8f4e7	2018-04-05 14:11:52 +0200	[diff] [blame]	51
margaretha	0512231	2018-04-16 15:01:34 +0200	[diff] [blame]	52	if (grantType.equals(GrantType.AUTHORIZATION_CODE.toString())) {
margaretha	fb027f9	2018-04-23 20:00:13 +0200	[diff] [blame]	53	return requestAccessTokenWithAuthorizationCode(
margaretha	f839dde	2018-04-16 17:52:57 +0200	[diff] [blame]	54	oAuthRequest.getCode(), oAuthRequest.getRedirectURI(),
margaretha	fb027f9	2018-04-23 20:00:13 +0200	[diff] [blame]	55	oAuthRequest.getClientId(), oAuthRequest.getClientSecret());
margaretha	0e8f4e7	2018-04-05 14:11:52 +0200	[diff] [blame]	56	}
margaretha	0512231	2018-04-16 15:01:34 +0200	[diff] [blame]	57	else if (grantType.equals(GrantType.PASSWORD.toString())) {
margaretha	fb027f9	2018-04-23 20:00:13 +0200	[diff] [blame]	58	return requestAccessTokenWithPassword(oAuthRequest.getUsername(),
				59	oAuthRequest.getPassword(), oAuthRequest.getScopes(),
				60	oAuthRequest.getClientId(), oAuthRequest.getClientSecret());
margaretha	0e8f4e7	2018-04-05 14:11:52 +0200	[diff] [blame]	61	}
margaretha	0512231	2018-04-16 15:01:34 +0200	[diff] [blame]	62	else if (grantType.equals(GrantType.CLIENT_CREDENTIALS.toString())) {
margaretha	fb027f9	2018-04-23 20:00:13 +0200	[diff] [blame]	63	return requestAccessTokenWithClientCredentials(
				64	oAuthRequest.getClientId(), oAuthRequest.getClientSecret(),
margaretha	f839dde	2018-04-16 17:52:57 +0200	[diff] [blame]	65	oAuthRequest.getScopes());
margaretha	0e8f4e7	2018-04-05 14:11:52 +0200	[diff] [blame]	66	}
				67	else {
margaretha	0512231	2018-04-16 15:01:34 +0200	[diff] [blame]	68	throw new KustvaktException(StatusCodes.UNSUPPORTED_GRANT_TYPE,
				69	grantType + " is not supported.",
margaretha	a452c5e	2018-04-25 22:48:09 +0200	[diff] [blame]	70	OAuth2Error.UNSUPPORTED_GRANT_TYPE);
margaretha	0e8f4e7	2018-04-05 14:11:52 +0200	[diff] [blame]	71	}
				72
				73	}
margaretha	a048627	2018-04-12 19:59:31 +0200	[diff] [blame]	74
margaretha	fb027f9	2018-04-23 20:00:13 +0200	[diff] [blame]	75	/**
margaretha	a452c5e	2018-04-25 22:48:09 +0200	[diff] [blame]	76	* RFC 6749:
				77	* If the client type is confidential or the client was issued
				78	* client credentials, the client MUST authenticate with the
				79	* authorization server.
margaretha	a048627	2018-04-12 19:59:31 +0200	[diff] [blame]	80	*
margaretha	a048627	2018-04-12 19:59:31 +0200	[diff] [blame]	81	* @param authorizationCode
margaretha	a452c5e	2018-04-25 22:48:09 +0200	[diff] [blame]	82	* @param redirectURI
				83	* required if included in the authorization request
				84	* @param clientId
				85	* required if there is no authorization header
				86	* @param clientSecret
				87	* clilent_secret, required if client_secret was issued
				88	* for the client in client registration.
margaretha	a048627	2018-04-12 19:59:31 +0200	[diff] [blame]	89	* @return
				90	* @throws OAuthSystemException
				91	* @throws KustvaktException
margaretha	a048627	2018-04-12 19:59:31 +0200	[diff] [blame]	92	*/
				93	private OAuthResponse requestAccessTokenWithAuthorizationCode (
margaretha	fb027f9	2018-04-23 20:00:13 +0200	[diff] [blame]	94	String authorizationCode, String redirectURI, String clientId,
				95	String clientSecret)
				96	throws KustvaktException, OAuthSystemException {
				97
				98	clientService.authenticateClient(clientId, clientSecret);
margaretha	a452c5e	2018-04-25 22:48:09 +0200	[diff] [blame]	99	authorizationService.verifyAuthorization(authorizationCode, clientId,
				100	redirectURI);
margaretha	a048627	2018-04-12 19:59:31 +0200	[diff] [blame]	101
margaretha	fb027f9	2018-04-23 20:00:13 +0200	[diff] [blame]	102	return createsAccessTokenResponse();
margaretha	a048627	2018-04-12 19:59:31 +0200	[diff] [blame]	103	}
				104
margaretha	6374f72	2018-04-17 18:45:57 +0200	[diff] [blame]	105
margaretha	a452c5e	2018-04-25 22:48:09 +0200	[diff] [blame]	106	/**
				107	* Third party apps must not be allowed to use password grant.
				108	* MH: password grant is only allowed for trusted clients (korap
				109	* frontend)
margaretha	6374f72	2018-04-17 18:45:57 +0200	[diff] [blame]	110	*
margaretha	a452c5e	2018-04-25 22:48:09 +0200	[diff] [blame]	111	* According to RFC 6749, client authentication is only required
				112	* for confidential clients and whenever client credentials are
				113	* provided. Moreover, client_id is optional for password grant,
				114	* but without it, the authentication server cannot check the
				115	* client type. To make sure that confidential clients
				116	* authenticate, client_id is made required (similar to
				117	* authorization code grant).
margaretha	a048627	2018-04-12 19:59:31 +0200	[diff] [blame]	118	*
margaretha	fb027f9	2018-04-23 20:00:13 +0200	[diff] [blame]	119	*
margaretha	a452c5e	2018-04-25 22:48:09 +0200	[diff] [blame]	120	* @param username
				121	* username, required
				122	* @param password
				123	* user password, required
margaretha	f839dde	2018-04-16 17:52:57 +0200	[diff] [blame]	124	* @param scopes
margaretha	a452c5e	2018-04-25 22:48:09 +0200	[diff] [blame]	125	* @param clientId
				126	* client_id, required
				127	* @param clientSecret
				128	* clilent_secret, required if client_secret was issued
				129	* for the client in client registration.
margaretha	a048627	2018-04-12 19:59:31 +0200	[diff] [blame]	130	* @return
margaretha	6374f72	2018-04-17 18:45:57 +0200	[diff] [blame]	131	* @throws KustvaktException
margaretha	fb027f9	2018-04-23 20:00:13 +0200	[diff] [blame]	132	* @throws OAuthSystemException
margaretha	a048627	2018-04-12 19:59:31 +0200	[diff] [blame]	133	*/
margaretha	fb027f9	2018-04-23 20:00:13 +0200	[diff] [blame]	134	private OAuthResponse requestAccessTokenWithPassword (String username,
				135	String password, Set<String> scopes, String clientId,
				136	String clientSecret)
				137	throws KustvaktException, OAuthSystemException {
margaretha	a048627	2018-04-12 19:59:31 +0200	[diff] [blame]	138
margaretha	6374f72	2018-04-17 18:45:57 +0200	[diff] [blame]	139	OAuth2Client client =
margaretha	fb027f9	2018-04-23 20:00:13 +0200	[diff] [blame]	140	clientService.authenticateClient(clientId, clientSecret);
margaretha	6374f72	2018-04-17 18:45:57 +0200	[diff] [blame]	141	if (!client.isNative()) {
				142	throw new KustvaktException(StatusCodes.CLIENT_AUTHORIZATION_FAILED,
				143	"Password grant is not allowed for third party clients",
margaretha	a452c5e	2018-04-25 22:48:09 +0200	[diff] [blame]	144	OAuth2Error.UNAUTHORIZED_CLIENT);
margaretha	6374f72	2018-04-17 18:45:57 +0200	[diff] [blame]	145	}
margaretha	a048627	2018-04-12 19:59:31 +0200	[diff] [blame]	146
margaretha	6374f72	2018-04-17 18:45:57 +0200	[diff] [blame]	147	authenticateUser(username, password, scopes);
				148	return createsAccessTokenResponse();
				149	}
				150
margaretha	fb027f9	2018-04-23 20:00:13 +0200	[diff] [blame]	151	public void authenticateUser (String username, String password,
margaretha	6374f72	2018-04-17 18:45:57 +0200	[diff] [blame]	152	Set<String> scopes) throws KustvaktException {
				153	if (username == null \|\| username.isEmpty()) {
				154	throw new KustvaktException(StatusCodes.MISSING_PARAMETER,
margaretha	a452c5e	2018-04-25 22:48:09 +0200	[diff] [blame]	155	"username is missing.", OAuth2Error.INVALID_REQUEST);
margaretha	6374f72	2018-04-17 18:45:57 +0200	[diff] [blame]	156	}
				157	if (password == null \|\| password.isEmpty()) {
				158	throw new KustvaktException(StatusCodes.MISSING_PARAMETER,
margaretha	a452c5e	2018-04-25 22:48:09 +0200	[diff] [blame]	159	"password is missing", OAuth2Error.INVALID_REQUEST);
margaretha	6374f72	2018-04-17 18:45:57 +0200	[diff] [blame]	160	}
				161
				162	Map<String, Object> attributes = new HashMap<>();
				163	if (scopes != null && !scopes.isEmpty()) {
				164	attributes.put(Attributes.SCOPES, scopes);
				165	}
				166	authenticationManager.authenticate(
				167	config.getOAuth2passwordAuthentication(), username, password,
				168	attributes);
margaretha	a048627	2018-04-12 19:59:31 +0200	[diff] [blame]	169	}
				170
margaretha	a452c5e	2018-04-25 22:48:09 +0200	[diff] [blame]	171	/**
				172	* Clients must authenticate.
margaretha	a048627	2018-04-12 19:59:31 +0200	[diff] [blame]	173	*
margaretha	a452c5e	2018-04-25 22:48:09 +0200	[diff] [blame]	174	* @param clientId
				175	* client_id parameter, required
				176	* @param clientSecret
				177	* client_secret parameter, required
margaretha	f839dde	2018-04-16 17:52:57 +0200	[diff] [blame]	178	* @param scopes
margaretha	a048627	2018-04-12 19:59:31 +0200	[diff] [blame]	179	* @return
margaretha	fb027f9	2018-04-23 20:00:13 +0200	[diff] [blame]	180	* @throws KustvaktException
				181	* @throws OAuthSystemException
margaretha	a048627	2018-04-12 19:59:31 +0200	[diff] [blame]	182	*/
				183	private OAuthResponse requestAccessTokenWithClientCredentials (
margaretha	fb027f9	2018-04-23 20:00:13 +0200	[diff] [blame]	184	String clientId, String clientSecret, Set<String> scopes)
margaretha	f839dde	2018-04-16 17:52:57 +0200	[diff] [blame]	185	throws KustvaktException, OAuthSystemException {
margaretha	a048627	2018-04-12 19:59:31 +0200	[diff] [blame]	186
margaretha	fb027f9	2018-04-23 20:00:13 +0200	[diff] [blame]	187	if (clientSecret == null \|\| clientSecret.isEmpty()) {
margaretha	0512231	2018-04-16 15:01:34 +0200	[diff] [blame]	188	throw new KustvaktException(
				189	StatusCodes.CLIENT_AUTHENTICATION_FAILED,
margaretha	a452c5e	2018-04-25 22:48:09 +0200	[diff] [blame]	190	"Missing parameters: client_secret",
				191	OAuth2Error.INVALID_REQUEST);
margaretha	a048627	2018-04-12 19:59:31 +0200	[diff] [blame]	192	}
margaretha	fb027f9	2018-04-23 20:00:13 +0200	[diff] [blame]	193
				194	clientService.authenticateClient(clientId, clientSecret);
				195	return createsAccessTokenResponse();
margaretha	a048627	2018-04-12 19:59:31 +0200	[diff] [blame]	196	}
				197
				198
margaretha	a452c5e	2018-04-25 22:48:09 +0200	[diff] [blame]	199	/**
				200	* Creates an OAuthResponse containing an access token and a
				201	* refresh token with type Bearer.
margaretha	a048627	2018-04-12 19:59:31 +0200	[diff] [blame]	202	*
margaretha	fb027f9	2018-04-23 20:00:13 +0200	[diff] [blame]	203	* @return an OAuthResponse containing an access token
				204	* @throws OAuthSystemException
margaretha	a048627	2018-04-12 19:59:31 +0200	[diff] [blame]	205	*/
margaretha	a452c5e	2018-04-25 22:48:09 +0200	[diff] [blame]	206
margaretha	f839dde	2018-04-16 17:52:57 +0200	[diff] [blame]	207	private OAuthResponse createsAccessTokenResponse ()
				208	throws OAuthSystemException {
margaretha	a452c5e	2018-04-25 22:48:09 +0200	[diff] [blame]	209	return createsAccessTokenResponse(null);
				210	}
				211
				212	private OAuthResponse createsAccessTokenResponse (
				213	Authorization authorization) throws OAuthSystemException {
margaretha	fb027f9	2018-04-23 20:00:13 +0200	[diff] [blame]	214	String accessToken = oauthIssuer.accessToken();
				215	String refreshToken = oauthIssuer.refreshToken();
margaretha	a048627	2018-04-12 19:59:31 +0200	[diff] [blame]	216
margaretha	a452c5e	2018-04-25 22:48:09 +0200	[diff] [blame]	217	tokenDao.storeAccessToken(authorization, accessToken);
				218
margaretha	fb027f9	2018-04-23 20:00:13 +0200	[diff] [blame]	219	OAuthResponse r =
				220	OAuthASResponse.tokenResponse(Status.OK.getStatusCode())
				221	.setAccessToken(accessToken)
				222	.setTokenType(TokenType.BEARER.toString())
				223	.setExpiresIn(String.valueOf(config.getTokenTTL()))
				224	.setRefreshToken(refreshToken).buildJSONMessage();
margaretha	f839dde	2018-04-16 17:52:57 +0200	[diff] [blame]	225	// scope
margaretha	a048627	2018-04-12 19:59:31 +0200	[diff] [blame]	226	return r;
				227	}
margaretha	0e8f4e7	2018-04-05 14:11:52 +0200	[diff] [blame]	228	}