Blame - src/main/java/de/ids_mannheim/korap/oauth2/service/OAuth2TokenService.java - KorAP/Kustvakt

2018-04-25 22:48:09 +0200

[diff] [blame]

1

package de.ids_mannheim.korap.oauth2.service;

margaretha

2018-04-05 14:11:52 +0200

[diff] [blame]

2

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

3

import java.net.URI;

margaretha

2018-06-28 10:11:43 +0200

[diff] [blame]

4

import java.time.ZoneId;

5

import java.time.ZonedDateTime;

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

6

import java.time.format.DateTimeFormatter;

7

import java.time.temporal.ChronoUnit;

8

import java.util.ArrayList;

margaretha

2018-04-17 18:45:57 +0200

[diff] [blame]

9

import java.util.HashMap;

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

10

import java.util.HashSet;

11

import java.util.List;

margaretha

2018-04-17 18:45:57 +0200

[diff] [blame]

12

import java.util.Map;

margaretha

f839dde

2018-04-16 17:52:57 +0200

[diff] [blame]

13

import java.util.Set;

14

margaretha

2018-04-05 14:11:52 +0200

[diff] [blame]

15

import org.springframework.beans.factory.annotation.Autowired;

16

import org.springframework.stereotype.Service;

17

margaretha

2023-10-25 12:00:10 +0200

[diff] [blame]

18

import com.nimbusds.oauth2.sdk.AccessTokenResponse;

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

19

import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;

20

import com.nimbusds.oauth2.sdk.AuthorizationGrant;

21

import com.nimbusds.oauth2.sdk.GrantType;

22

import com.nimbusds.oauth2.sdk.RefreshTokenGrant;

23

import com.nimbusds.oauth2.sdk.ResourceOwnerPasswordCredentialsGrant;

24

import com.nimbusds.oauth2.sdk.Scope;

25

import com.nimbusds.oauth2.sdk.TokenRequest;

margaretha

2023-10-25 12:00:10 +0200

[diff] [blame]

26

import com.nimbusds.oauth2.sdk.token.BearerAccessToken;

27

import com.nimbusds.oauth2.sdk.token.Tokens;

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

28

import com.unboundid.ldap.sdk.LDAPException;

29

margaretha

3495447

2018-10-24 20:05:17 +0200

[diff] [blame]

30

import de.ids_mannheim.korap.authentication.AuthenticationManager;

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

31

import de.ids_mannheim.korap.authentication.LdapAuth3;

margaretha

2018-04-17 18:45:57 +0200

[diff] [blame]

32

import de.ids_mannheim.korap.config.Attributes;

margaretha

2018-04-12 19:59:31 +0200

[diff] [blame]

33

import de.ids_mannheim.korap.config.FullConfiguration;

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

34

import de.ids_mannheim.korap.constant.AuthenticationMethod;

35

import de.ids_mannheim.korap.encryption.RandomCodeGenerator;

margaretha

2018-04-05 14:11:52 +0200

[diff] [blame]

36

import de.ids_mannheim.korap.exceptions.KustvaktException;

margaretha

0512231

2018-04-16 15:01:34 +0200

[diff] [blame]

37

import de.ids_mannheim.korap.exceptions.StatusCodes;

margaretha

2018-04-25 22:48:09 +0200

[diff] [blame]

38

import de.ids_mannheim.korap.oauth2.constant.OAuth2Error;

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

39

import de.ids_mannheim.korap.oauth2.dao.AccessTokenDao;

40

import de.ids_mannheim.korap.oauth2.dao.RefreshTokenDao;

41

import de.ids_mannheim.korap.oauth2.dto.OAuth2TokenDto;

42

import de.ids_mannheim.korap.oauth2.entity.AccessScope;

43

import de.ids_mannheim.korap.oauth2.entity.AccessToken;

margaretha

2018-04-25 22:48:09 +0200

[diff] [blame]

44

import de.ids_mannheim.korap.oauth2.entity.Authorization;

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

45

import de.ids_mannheim.korap.oauth2.entity.OAuth2Client;

46

import de.ids_mannheim.korap.oauth2.entity.RefreshToken;

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

47

import jakarta.persistence.NoResultException;

margaretha

2018-04-05 14:11:52 +0200

[diff] [blame]

48

margaretha

07402f4

2018-05-07 19:07:45 +0200

[diff] [blame]

49

/**

50

* OAuth2TokenService manages business logic related to OAuth2

51

* requesting and creating access token.

*

* @author margaretha

*

*/

margaretha

2018-04-05 14:11:52 +0200

[diff] [blame]

56

@Service

margaretha

b4ce660

2018-04-26 20:23:57 +0200

[diff] [blame]

57

public class OAuth2TokenService {

margaretha

2018-04-05 14:11:52 +0200

[diff] [blame]

58

59

@Autowired

margaretha

20f3123

2018-07-09 17:49:39 +0200

[diff] [blame]

60

protected OAuth2ClientService clientService;

margaretha

2018-06-20 20:13:07 +0200

[diff] [blame]

61

margaretha

2018-04-12 19:59:31 +0200

[diff] [blame]

62

@Autowired

margaretha

2018-04-25 22:48:09 +0200

[diff] [blame]

63

private OAuth2AuthorizationService authorizationService;

margaretha

2018-04-25 22:48:09 +0200

[diff] [blame]

64

65

@Autowired

margaretha

2df0660

2018-11-14 19:10:30 +0100

[diff] [blame]

66

protected OAuth2ScopeServiceImpl scopeService;

margaretha

2018-06-20 20:13:07 +0200

[diff] [blame]

67

68

@Autowired

69

protected FullConfiguration config;

margaretha

2018-04-17 18:45:57 +0200

[diff] [blame]

70

@Autowired

margaretha

3495447

2018-10-24 20:05:17 +0200

[diff] [blame]

71

private AuthenticationManager authenticationManager;

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

72

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

73

@Autowired

74

private RandomCodeGenerator randomGenerator;

75

76

@Autowired

77

private AccessTokenDao tokenDao;

78

@Autowired

79

private RefreshTokenDao refreshDao;

margaretha

2018-04-12 19:59:31 +0200

[diff] [blame]

80

margaretha

fb027f9

2018-04-23 20:00:13 +0200

[diff] [blame]

81

/**

margaretha

2018-04-25 22:48:09 +0200

[diff] [blame]

82

* RFC 6749:

83

* If the client type is confidential or the client was issued

84

* client credentials, the client MUST authenticate with the

85

* authorization server.

margaretha

2018-04-12 19:59:31 +0200

[diff] [blame]

86

*

margaretha

2018-04-12 19:59:31 +0200

[diff] [blame]

87

* @param authorizationCode

margaretha

2018-04-25 22:48:09 +0200

[diff] [blame]

88

* @param redirectURI

89

* required if included in the authorization request

90

* @param clientId

91

* required if there is no authorization header

92

* @param clientSecret

margaretha

249a0aa

2018-06-28 22:25:14 +0200

[diff] [blame]

93

* client_secret, required if client_secret was issued

margaretha

2018-04-25 22:48:09 +0200

[diff] [blame]

94

* for the client in client registration.

margaretha

2018-06-20 20:13:07 +0200

[diff] [blame]

95

* @return an authorization

margaretha

2018-04-12 19:59:31 +0200

[diff] [blame]

96

* @throws KustvaktException

margaretha

2018-04-12 19:59:31 +0200

[diff] [blame]

97

*/

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

98

protected Authorization retrieveAuthorization (String authorizationCode,

99

String redirectURI, String clientId, String clientSecret)

100

throws KustvaktException {

margaretha

fb027f9

2018-04-23 20:00:13 +0200

[diff] [blame]

101

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

102

Authorization authorization = authorizationService

103

.retrieveAuthorization(authorizationCode);

margaretha

be4c5c9

2018-05-03 18:55:49 +0200

[diff] [blame]

104

try {

105

clientService.authenticateClient(clientId, clientSecret);

106

authorization = authorizationService

107

.verifyAuthorization(authorization, clientId, redirectURI);

108

}

109

catch (KustvaktException e) {

110

authorizationService.addTotalAttempts(authorization);

111

throw e;

112

}

margaretha

2018-06-20 20:13:07 +0200

[diff] [blame]

113

return authorization;

margaretha

2018-04-12 19:59:31 +0200

[diff] [blame]

114

}

115

margaretha

2018-06-28 10:11:43 +0200

[diff] [blame]

116

public ZonedDateTime authenticateUser (String username, String password,

margaretha

2018-04-17 18:45:57 +0200

[diff] [blame]

117

Set<String> scopes) throws KustvaktException {

118

if (username == null || username.isEmpty()) {

119

throw new KustvaktException(StatusCodes.MISSING_PARAMETER,

margaretha

2018-04-25 22:48:09 +0200

[diff] [blame]

120

"username is missing.", OAuth2Error.INVALID_REQUEST);

margaretha

2018-04-17 18:45:57 +0200

[diff] [blame]

121

}

122

if (password == null || password.isEmpty()) {

123

throw new KustvaktException(StatusCodes.MISSING_PARAMETER,

margaretha

2018-04-25 22:48:09 +0200

[diff] [blame]

124

"password is missing", OAuth2Error.INVALID_REQUEST);

margaretha

2018-04-17 18:45:57 +0200

[diff] [blame]

125

}

126

127

Map<String, Object> attributes = new HashMap<>();

128

if (scopes != null && !scopes.isEmpty()) {

margaretha

20f3123

2018-07-09 17:49:39 +0200

[diff] [blame]

129

attributes.put(Attributes.SCOPE, scopes);

margaretha

2018-04-17 18:45:57 +0200

[diff] [blame]

130

}

131

authenticationManager.authenticate(

132

config.getOAuth2passwordAuthentication(), username, password,

133

attributes);

margaretha

2018-06-28 10:11:43 +0200

[diff] [blame]

134

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

135

ZonedDateTime authenticationTime = ZonedDateTime

136

.now(ZoneId.of(Attributes.DEFAULT_TIME_ZONE));

margaretha

2018-06-28 10:11:43 +0200

[diff] [blame]

137

return authenticationTime;

margaretha

2018-04-12 19:59:31 +0200

[diff] [blame]

138

}

139

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

140

public AccessTokenResponse requestAccessToken (TokenRequest tokenRequest,

141

String clientId, String clientSecret) throws KustvaktException {

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

142

143

AuthorizationGrant authGrant = tokenRequest.getAuthorizationGrant();

144

GrantType grantType = authGrant.getType();

145

Scope scope = tokenRequest.getScope();

146

Set<String> scopeSet = new HashSet<>();

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

147

if (scope != null)

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

148

scopeSet.addAll(scope.toStringList());

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

149

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

150

if (grantType.equals(GrantType.AUTHORIZATION_CODE)) {

151

AuthorizationCodeGrant codeGrant = (AuthorizationCodeGrant) authGrant;

152

String authCode = codeGrant.getAuthorizationCode().getValue();

153

URI uri = codeGrant.getRedirectionURI();

154

String redirectionURI = (uri != null) ? uri.toString() : null;

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

155

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

156

return requestAccessTokenWithAuthorizationCode(authCode,

157

redirectionURI, clientId, clientSecret);

158

}

159

else if (grantType.equals(GrantType.PASSWORD)) {

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

160

ResourceOwnerPasswordCredentialsGrant passwordGrant = (ResourceOwnerPasswordCredentialsGrant) authGrant;

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

161

String username = passwordGrant.getUsername();

162

String password = passwordGrant.getPassword().getValue();

163

return requestAccessTokenWithPassword(clientId, clientSecret,

164

username, password, scopeSet);

165

}

166

else if (grantType.equals(GrantType.CLIENT_CREDENTIALS)) {

167

return requestAccessTokenWithClientCredentials(clientId,

168

clientSecret, scopeSet);

169

}

170

else if (grantType.equals(GrantType.REFRESH_TOKEN)) {

171

RefreshTokenGrant refreshGrant = (RefreshTokenGrant) authGrant;

172

String refreshToken = refreshGrant.getRefreshToken().getValue();

173

return requestAccessTokenWithRefreshToken(refreshToken, scopeSet,

174

clientId, clientSecret);

175

}

176

else {

177

throw new KustvaktException(StatusCodes.UNSUPPORTED_GRANT_TYPE,

178

grantType + " is not supported.",

179

OAuth2Error.UNSUPPORTED_GRANT_TYPE);

180

}

181

182

}

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

183

184

/**

185

* Revokes all access token associated with the given refresh

186

* token, and creates a new access token and a new refresh

187

* token with the same scopes. Thus, at one point of time,

188

* there is only one active access token associated with

189

* a refresh token.

190

*

191

* Client authentication is done using the given client

192

* credentials.

193

*

194

* TODO: should create a new refresh token when the old refresh

195

* token is used (DONE)

196

*

197

* @param refreshTokenStr

198

* @param requestScopes

199

* @param clientId

200

* @param clientSecret

201

* @return if successful, a new access token

202

* @throws KustvaktException

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

203

*/

margaretha

2023-10-25 12:00:10 +0200

[diff] [blame]

204

private AccessTokenResponse requestAccessTokenWithRefreshToken (

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

205

String refreshTokenStr, Set<String> requestScopes, String clientId,

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

206

String clientSecret) throws KustvaktException {

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

207

208

if (refreshTokenStr == null || refreshTokenStr.isEmpty()) {

209

throw new KustvaktException(StatusCodes.MISSING_PARAMETER,

210

"Missing parameter: refresh_token",

211

OAuth2Error.INVALID_REQUEST);

212

}

213

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

214

OAuth2Client oAuth2Client = clientService.authenticateClient(clientId,

215

clientSecret);

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

216

217

RefreshToken refreshToken;

218

try {

219

refreshToken = refreshDao.retrieveRefreshToken(refreshTokenStr);

220

}

221

catch (NoResultException e) {

222

throw new KustvaktException(StatusCodes.INVALID_REFRESH_TOKEN,

223

"Refresh token is not found", OAuth2Error.INVALID_GRANT);

224

}

225

226

if (!clientId.equals(refreshToken.getClient().getId())) {

227

throw new KustvaktException(StatusCodes.CLIENT_AUTHORIZATION_FAILED,

228

"Client " + clientId + " is not authorized",

229

OAuth2Error.INVALID_CLIENT);

230

}

231

else if (refreshToken.isRevoked()) {

232

throw new KustvaktException(StatusCodes.INVALID_REFRESH_TOKEN,

233

"Refresh token has been revoked",

234

OAuth2Error.INVALID_GRANT);

235

}

236

else if (ZonedDateTime.now(ZoneId.of(Attributes.DEFAULT_TIME_ZONE))

237

.isAfter(refreshToken.getExpiryDate())) {

238

throw new KustvaktException(StatusCodes.INVALID_REFRESH_TOKEN,

239

"Refresh token is expired", OAuth2Error.INVALID_GRANT);

240

}

241

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

242

Set<AccessScope> tokenScopes = new HashSet<>(refreshToken.getScopes());

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

243

if (requestScopes != null && !requestScopes.isEmpty()) {

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

244

tokenScopes = scopeService.verifyRefreshScope(requestScopes,

245

tokenScopes);

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

246

requestScopes = scopeService

247

.convertAccessScopesToStringSet(tokenScopes);

248

}

249

250

// revoke the refresh token and all access tokens associated to it

251

revokeRefreshToken(refreshTokenStr);

252

253

return createsAccessTokenResponse(requestScopes, tokenScopes, clientId,

254

refreshToken.getUserId(),

255

refreshToken.getUserAuthenticationTime(), oAuth2Client);

256

257

// without new refresh token

258

// return createsAccessTokenResponse(scopes, requestedScopes,

259

// clientId,

260

// refreshToken.getUserId(),

261

// refreshToken.getUserAuthenticationTime(), refreshToken);

}

/**

* Issues an access token for the specified client if the

266

* authorization code is valid and client successfully

* authenticates.

*

* @param code

* authorization code, required

271

* @param redirectionURI

272

* client redirect uri, required if specified in the

273

* authorization request

274

* @param clientId

275

* client id, required

276

* @param clientSecret

277

* client secret, required

margaretha

2023-10-25 12:00:10 +0200

[diff] [blame]

278

* @return an {@link AccessTokenResponse}

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

279

* @throws KustvaktException

280

*/

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

281

private AccessTokenResponse requestAccessTokenWithAuthorizationCode (

282

String code, String redirectionURI, String clientId,

283

String clientSecret) throws KustvaktException {

284

Authorization authorization = retrieveAuthorization(code,

285

redirectionURI, clientId, clientSecret);

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

286

287

Set<String> scopes = scopeService

288

.convertAccessScopesToStringSet(authorization.getScopes());

289

OAuth2Client oAuth2Client = clientService.retrieveClient(clientId);

290

return createsAccessTokenResponse(scopes, authorization.getScopes(),

291

authorization.getClientId(), authorization.getUserId(),

292

authorization.getUserAuthenticationTime(), oAuth2Client);

}

/**

* Third party apps must not be allowed to use password grant.

297

* MH: password grant is only allowed for trusted clients (korap

298

* frontend)

299

*

300

* According to RFC 6749, client authentication is only required

301

* for confidential clients and whenever client credentials are

302

* provided. Moreover, client_id is optional for password grant,

303

* but without it, the authentication server cannot check the

304

* client type. To make sure that confidential clients

305

* authenticate, client_id is made required (similar to

306

* authorization code grant).

307

*

308

* TODO: FORCE client secret

309

*

310

* @param clientId

311

* client_id, required

312

* @param clientSecret

313

* client_secret, required if client_secret was issued

314

* for the client in client registration.

* @param username

* username, required

* @param password

* password, required

* @param scopes

* authorization scopes, optional

margaretha

2023-10-25 12:00:10 +0200

[diff] [blame]

321

* @return an {@link AccessTokenResponse}

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

322

* @throws KustvaktException

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

323

*/

margaretha

2023-10-25 12:00:10 +0200

[diff] [blame]

324

private AccessTokenResponse requestAccessTokenWithPassword (String clientId,

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

325

String clientSecret, String username, String password,

margaretha

2023-10-25 12:00:10 +0200

[diff] [blame]

326

Set<String> scopes) throws KustvaktException {

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

327

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

328

OAuth2Client client = clientService.authenticateClient(clientId,

329

clientSecret);

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

330

if (!client.isSuper()) {

331

throw new KustvaktException(StatusCodes.CLIENT_AUTHORIZATION_FAILED,

332

"Password grant is not allowed for third party clients",

333

OAuth2Error.UNAUTHORIZED_CLIENT);

334

}

335

336

if (scopes == null || scopes.isEmpty()) {

337

scopes = new HashSet<String>(1);

338

scopes.add("all");

339

// scopes = config.getDefaultAccessScopes();

340

}

341

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

342

ZonedDateTime authenticationTime = authenticateUser(username, password,

343

scopes);

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

344

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

345

Set<AccessScope> accessScopes = scopeService

346

.convertToAccessScope(scopes);

347

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

348

if (config.getOAuth2passwordAuthentication()

349

.equals(AuthenticationMethod.LDAP)) {

350

try {

351

//username = LdapAuth3.getEmail(username, config.getLdapConfig());

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

352

username = LdapAuth3.getUsername(username,

353

config.getLdapConfig());

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

354

}

355

catch (LDAPException e) {

356

throw new KustvaktException(StatusCodes.LDAP_BASE_ERRCODE,

357

e.getExceptionMessage());

358

}

359

}

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

360

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

361

return createsAccessTokenResponse(scopes, accessScopes, clientId,

362

username, authenticationTime, client);

}

/**

* Clients must authenticate.

367

* Client credentials grant is limited to native clients.

368

*

369

* @param clientId

370

* client_id parameter, required

371

* @param clientSecret

372

* client_secret parameter, required

373

* @param scopes

374

* authorization scopes, optional

margaretha

2023-10-25 12:00:10 +0200

[diff] [blame]

375

* @return an {@link AccessTokenResponse}

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

376

* @throws KustvaktException

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

377

*/

margaretha

2023-10-25 12:00:10 +0200

[diff] [blame]

378

protected AccessTokenResponse requestAccessTokenWithClientCredentials (

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

379

String clientId, String clientSecret, Set<String> scopes)

margaretha

2023-10-25 12:00:10 +0200

[diff] [blame]

380

throws KustvaktException {

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

381

382

if (clientSecret == null || clientSecret.isEmpty()) {

383

throw new KustvaktException(

384

StatusCodes.CLIENT_AUTHENTICATION_FAILED,

385

"Missing parameter: client_secret",

386

OAuth2Error.INVALID_REQUEST);

387

}

388

389

// OAuth2Client client =

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

390

OAuth2Client oAuth2Client = clientService.authenticateClient(clientId,

391

clientSecret);

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

392

393

// if (!client.isNative()) {

394

// throw new KustvaktException(

395

// StatusCodes.CLIENT_AUTHENTICATION_FAILED,

396

// "Client credentials grant is not allowed for third party

397

// clients",

398

// OAuth2Error.UNAUTHORIZED_CLIENT);

399

// }

400

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

401

ZonedDateTime authenticationTime = ZonedDateTime

402

.now(ZoneId.of(Attributes.DEFAULT_TIME_ZONE));

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

403

404

scopes = scopeService.filterScopes(scopes,

405

config.getClientCredentialsScopes());

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

406

Set<AccessScope> accessScopes = scopeService

407

.convertToAccessScope(scopes);

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

408

return createsAccessTokenResponse(scopes, accessScopes, clientId, null,

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

409

authenticationTime, oAuth2Client);

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

410

}

411

412

/**

margaretha

2023-10-25 12:00:10 +0200

[diff] [blame]

413

* Creates an OAuth response containing an access token of type

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

414

* Bearer. By default, MD generator is used to generates access

415

* token of 128 bit values, represented in hexadecimal comprising

416

* 32 bytes. The generated value is subsequently encoded in

417

* Base64.

418

*

419

* <br /><br />

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

420

* Additionally, a refresh token is issued for confidential

421

* clients.

422

* It can be used to request a new access token without requiring

423

* user

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

* re-authentication.

*

* @param scopes

* a set of access token scopes in String

428

* @param accessScopes

429

* a set of access token scopes in {@link AccessScope}

* @param clientId

* a client id

* @param userId

* a user id

* @param authenticationTime

435

* the user authentication time

margaretha

93bfbea

2023-11-06 21:09:21 +0100

[diff] [blame]

436

* @param client

437

* an OAuth2Client

margaretha

2023-10-25 12:00:10 +0200

[diff] [blame]

438

* @return an {@link AccessTokenResponse}

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

439

* @throws KustvaktException

440

*/

margaretha

2023-10-25 12:00:10 +0200

[diff] [blame]

441

private AccessTokenResponse createsAccessTokenResponse (Set<String> scopes,

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

442

Set<AccessScope> accessScopes, String clientId, String userId,

443

ZonedDateTime authenticationTime, OAuth2Client client)

margaretha

2023-10-25 12:00:10 +0200

[diff] [blame]

444

throws KustvaktException {

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

445

446

String random = randomGenerator.createRandomCode();

447

random += randomGenerator.createRandomCode();

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

448

margaretha

2023-10-25 12:00:10 +0200

[diff] [blame]

449

if (clientService.isPublicClient(client)) {

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

450

// refresh token == null, getAccessTokenLongExpiry

margaretha

2023-10-25 12:00:10 +0200

[diff] [blame]

451

return createsAccessTokenResponse(null, scopes, accessScopes,

452

clientId, userId, authenticationTime);

453

}

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

454

else {

455

// refresh token != null, getAccessTokenExpiry

456

// default refresh token expiry: 365 days in seconds

457

RefreshToken refreshToken = refreshDao.storeRefreshToken(random,

458

userId, authenticationTime, client, accessScopes);

margaretha

2023-10-25 12:00:10 +0200

[diff] [blame]

459

return createsAccessTokenResponse(refreshToken, scopes,

460

accessScopes, clientId, userId, authenticationTime);

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

}

}

margaretha

2023-10-25 12:00:10 +0200

[diff] [blame]

464

private AccessTokenResponse createsAccessTokenResponse (

465

RefreshToken refreshToken, Set<String> scopes,

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

466

Set<AccessScope> accessScopes, String clientId, String userId,

margaretha

2023-10-25 12:00:10 +0200

[diff] [blame]

467

ZonedDateTime authenticationTime) throws KustvaktException {

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

468

469

String accessToken = randomGenerator.createRandomCode();

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

470

accessToken += randomGenerator.createRandomCode();

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

471

tokenDao.storeAccessToken(accessToken, refreshToken, accessScopes,

472

userId, clientId, authenticationTime);

473

margaretha

2023-10-25 12:00:10 +0200

[diff] [blame]

474

Tokens tokens = null;

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

475

if (refreshToken != null) {

margaretha

2023-10-25 12:00:10 +0200

[diff] [blame]

476

BearerAccessToken bearerToken = new BearerAccessToken(accessToken,

477

(long) config.getAccessTokenExpiry(), Scope.parse(scopes));

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

478

com.nimbusds.oauth2.sdk.token.RefreshToken rf = new com.nimbusds.oauth2.sdk.token.RefreshToken(

479

refreshToken.getToken());

margaretha

2023-10-25 12:00:10 +0200

[diff] [blame]

480

tokens = new Tokens(bearerToken, rf);

481

}

482

else {

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

483

BearerAccessToken bearerToken = new BearerAccessToken(accessToken,

484

(long) config.getAccessTokenLongExpiry(),

485

Scope.parse(scopes));

486

tokens = new Tokens(bearerToken, null);

margaretha

2023-10-25 12:00:10 +0200

[diff] [blame]

487

}

488

return new AccessTokenResponse(tokens);

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

489

}

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

490

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

491

public void revokeToken (String clientId, String clientSecret, String token,

492

String tokenType) throws KustvaktException {

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

493

clientService.authenticateClient(clientId, clientSecret);

494

if (tokenType != null && tokenType.equals("refresh_token")) {

495

if (!revokeRefreshToken(token)) {

496

revokeAccessToken(token);

}

return;

}

if (!revokeAccessToken(token)) {

502

revokeRefreshToken(token);

}

}

private boolean revokeAccessToken (String token) throws KustvaktException {

507

try {

508

AccessToken accessToken = tokenDao.retrieveAccessToken(token);

509

revokeAccessToken(accessToken);

510

return true;

511

}

512

catch (KustvaktException e) {

513

if (!e.getStatusCode().equals(StatusCodes.INVALID_ACCESS_TOKEN)) {

return false;

}

throw e;

}

}

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

519

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

520

private void revokeAccessToken (AccessToken accessToken)

521

throws KustvaktException {

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

522

if (accessToken != null) {

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

523

accessToken.setRevoked(true);

524

tokenDao.updateAccessToken(accessToken);

}

}

private boolean revokeRefreshToken (String token) throws KustvaktException {

529

RefreshToken refreshToken = null;

530

try {

531

refreshToken = refreshDao.retrieveRefreshToken(token);

532

}

533

catch (NoResultException e) {

return false;

}

return revokeRefreshToken(refreshToken);

538

}

539

540

public boolean revokeRefreshToken (RefreshToken refreshToken)

541

throws KustvaktException {

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

542

if (refreshToken != null) {

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

543

refreshToken.setRevoked(true);

544

refreshDao.updateRefreshToken(refreshToken);

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

545

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

546

Set<AccessToken> accessTokenList = refreshToken.getAccessTokens();

547

for (AccessToken accessToken : accessTokenList) {

548

accessToken.setRevoked(true);

549

tokenDao.updateAccessToken(accessToken);

}

return true;

}

return false;

}

public void revokeAllClientTokensViaSuperClient (String username,

margaretha

2023-09-27 10:54:34 +0200

[diff] [blame]

557

String superClientId, String superClientSecret, String clientId)

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

558

throws KustvaktException {

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

559

OAuth2Client superClient = clientService

560

.authenticateClient(superClientId, superClientSecret);

561

if (!superClient.isSuper()) {

562

throw new KustvaktException(

563

StatusCodes.CLIENT_AUTHENTICATION_FAILED);

564

}

565

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

566

revokeAllClientTokensForUser(clientId, username);

567

}

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

568

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

569

public void revokeAllClientTokensForUser (String clientId, String username)

570

throws KustvaktException {

571

OAuth2Client client = clientService.retrieveClient(clientId);

572

if (clientService.isPublicClient(client)) {

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

573

List<AccessToken> accessTokens = tokenDao

574

.retrieveAccessTokenByClientId(clientId, username);

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

575

for (AccessToken t : accessTokens) {

576

revokeAccessToken(t);

}

}

else {

List<RefreshToken> refreshTokens = refreshDao

581

.retrieveRefreshTokenByClientId(clientId, username);

582

for (RefreshToken r : refreshTokens) {

583

revokeRefreshToken(r);

584

}

585

}

586

}

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

587

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

588

public void revokeTokensViaSuperClient (String username,

margaretha

2023-09-27 10:54:34 +0200

[diff] [blame]

589

String superClientId, String superClientSecret, String token)

590

throws KustvaktException {

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

591

OAuth2Client superClient = clientService

592

.authenticateClient(superClientId, superClientSecret);

593

if (!superClient.isSuper()) {

594

throw new KustvaktException(

595

StatusCodes.CLIENT_AUTHENTICATION_FAILED);

596

}

margaretha

2023-09-27 10:54:34 +0200

[diff] [blame]

597

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

598

RefreshToken refreshToken = refreshDao.retrieveRefreshToken(token,

599

username);

margaretha

2023-09-27 10:54:34 +0200

[diff] [blame]

600

if (!revokeRefreshToken(refreshToken)) {

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

601

AccessToken accessToken = tokenDao.retrieveAccessToken(token,

602

username);

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

603

revokeAccessToken(accessToken);

604

}

605

}

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

606

607

public List<OAuth2TokenDto> listUserRefreshToken (String username,

608

String superClientId, String superClientSecret, String clientId)

609

throws KustvaktException {

610

611

OAuth2Client client = clientService.authenticateClient(superClientId,

612

superClientSecret);

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

613

if (!client.isSuper()) {

614

throw new KustvaktException(StatusCodes.CLIENT_AUTHORIZATION_FAILED,

615

"Only super client is allowed.",

616

OAuth2Error.UNAUTHORIZED_CLIENT);

617

}

618

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

619

List<RefreshToken> tokens = refreshDao

620

.retrieveRefreshTokenByUser(username, clientId);

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

621

List<OAuth2TokenDto> dtoList = new ArrayList<>(tokens.size());

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

622

for (RefreshToken t : tokens) {

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

623

OAuth2Client tokenClient = t.getClient();

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

624

if (tokenClient.getId().equals(client.getId())) {

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

625

continue;

626

}

627

OAuth2TokenDto dto = new OAuth2TokenDto();

628

dto.setClientId(tokenClient.getId());

629

dto.setClientName(tokenClient.getName());

630

dto.setClientUrl(tokenClient.getUrl());

631

dto.setClientDescription(tokenClient.getDescription());

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

632

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

633

DateTimeFormatter f = DateTimeFormatter.ISO_DATE_TIME;

634

dto.setCreatedDate(t.getCreatedDate().format(f));

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

635

long difference = ChronoUnit.SECONDS.between(ZonedDateTime.now(),

636

t.getExpiryDate());

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

637

dto.setExpiresIn(difference);

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

638

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

639

dto.setUserAuthenticationTime(

640

t.getUserAuthenticationTime().format(f));

641

dto.setToken(t.getToken());

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

642

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

643

Set<AccessScope> accessScopes = t.getScopes();

644

Set<String> scopes = new HashSet<>(accessScopes.size());

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

645

for (AccessScope s : accessScopes) {

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

646

scopes.add(s.getId().toString());

647

}

648

dto.setScope(scopes);

dtoList.add(dto);

}

return dtoList;

}

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

653

654

public List<OAuth2TokenDto> listUserAccessToken (String username,

655

String superClientId, String superClientSecret, String clientId)

656

throws KustvaktException {

657

658

OAuth2Client superClient = clientService

659

.authenticateClient(superClientId, superClientSecret);

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

660

if (!superClient.isSuper()) {

661

throw new KustvaktException(StatusCodes.CLIENT_AUTHORIZATION_FAILED,

662

"Only super client is allowed.",

663

OAuth2Error.UNAUTHORIZED_CLIENT);

664

}

665

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

666

List<AccessToken> tokens = tokenDao.retrieveAccessTokenByUser(username,

667

clientId);

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

668

List<OAuth2TokenDto> dtoList = new ArrayList<>(tokens.size());

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

669

for (AccessToken t : tokens) {

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

670

OAuth2Client tokenClient = t.getClient();

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

671

if (tokenClient.getId().equals(superClient.getId())) {

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

672

continue;

673

}

674

OAuth2TokenDto dto = new OAuth2TokenDto();

675

dto.setClientId(tokenClient.getId());

676

dto.setClientName(tokenClient.getName());

677

dto.setClientUrl(tokenClient.getUrl());

678

dto.setClientDescription(tokenClient.getDescription());

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

679

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

680

DateTimeFormatter f = DateTimeFormatter.ISO_DATE_TIME;

681

dto.setCreatedDate(t.getCreatedDate().format(f));

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

682

683

long difference = ChronoUnit.SECONDS.between(ZonedDateTime.now(),

684

t.getExpiryDate());

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

685

dto.setExpiresIn(difference);

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

686

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

687

dto.setUserAuthenticationTime(

688

t.getUserAuthenticationTime().format(f));

689

dto.setToken(t.getToken());

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

690

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

691

Set<AccessScope> accessScopes = t.getScopes();

692

Set<String> scopes = new HashSet<>(accessScopes.size());

margaretha

2023-11-16 22:00:01 +0100

[diff] [blame]

693

for (AccessScope s : accessScopes) {

margaretha

2023-09-27 09:40:16 +0200

[diff] [blame]

694

scopes.add(s.getId().toString());

695

}

696

dto.setScope(scopes);

dtoList.add(dto);

}

return dtoList;

}

margaretha