Examples of AuthorizationRequest

• com.nimbusds.oauth2.sdk.AuthorizationRequest
  r.example.com/authorize? response_type=code &client_id=s6BhdRkqt3 &state=xyz &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

  Related specifications:

  • OAuth 2.0 (RFC 6749), sections 4.1.1 and 4.2.1.
• org.springframework.security.oauth2.provider.AuthorizationRequest
  A request for authorization by an OAuth 2 Client, normally received and processed by the AuthorizationEndpoint. This class is meant to be manipulated throughout the authorization process, and is therefore treated as ephemeral and not to be stored long term. For long term storage, use the read-only {@link OAuth2Request} class.HTTP request parameters are stored in the parameters map, and any processing the server makes throughout the lifecycle of a request are stored on individual properties. The original request parameters will remain available through the parameters map. For convenience, constants are defined in order to get at those original values. However, the parameters map is unmodifiable so that processing cannot drop the original values. This class is {@link Serializable} in order to support storage of theauthorization request as a {@link SessionAttributes} member while the enduser through the authorization process (which may span several page requests). @author Ryan Heaton @author Dave Syer @author Amanda Anganes
• org.surfnet.oaaas.model.AuthorizationRequest
  .ietf.org/html/draft-ietf-oauth-v2#section-4.1.1" >AuthorizationRequest.

Examples of com.nimbusds.oauth2.sdk.AuthorizationRequest

  public static AuthenticationRequest parse(final URI uri, final Map<String,String> params)
    throws ParseException {

    // Parse and validate the core OAuth 2.0 autz request params in
    // the context of OIDC
    AuthorizationRequest ar = AuthorizationRequest.parse(uri, params);

    ClientID clientID = ar.getClientID();
    State state = ar.getState();

    // Required in OIDC
    URI redirectURI = ar.getRedirectionURI();

    if (redirectURI == null)
      throw new ParseException("Missing \"redirect_uri\" parameter",
                         OAuth2Error.INVALID_REQUEST, clientID, null, state);


    ResponseType rt = ar.getResponseType();

    try {
      OIDCResponseTypeValidator.validate(rt);

    } catch (IllegalArgumentException e) {

      throw new ParseException("Unsupported \"response_type\" parameter: " + e.getMessage(),
                   OAuth2Error.UNSUPPORTED_RESPONSE_TYPE,
                   clientID, redirectURI, state);
    }

    // Required in OIDC, must include "openid" parameter
    Scope scope = ar.getScope();

    if (scope == null)
      throw new ParseException("Missing \"scope\" parameter",
                         OAuth2Error.INVALID_REQUEST,
                   clientID, redirectURI, state);

Examples of org.springframework.security.oauth2.provider.AuthorizationRequest

  @Override
  public AuthorizationRequest createAuthorizationRequest(Map<String, String> inputParams) {


    AuthorizationRequest request = new AuthorizationRequest(inputParams, Collections.<String, String> emptyMap(),
        inputParams.get(OAuth2Utils.CLIENT_ID),
        OAuth2Utils.parseParameterList(inputParams.get(OAuth2Utils.SCOPE)), null,
        null, false, inputParams.get(OAuth2Utils.STATE),
        inputParams.get(OAuth2Utils.REDIRECT_URI),
        OAuth2Utils.parseParameterList(inputParams.get(OAuth2Utils.RESPONSE_TYPE)));

    //Add extension parameters to the 'extensions' map

    if (inputParams.containsKey("prompt")) {
      request.getExtensions().put("prompt", inputParams.get("prompt"));
    }
    if (inputParams.containsKey("nonce")) {
      request.getExtensions().put("nonce", inputParams.get("nonce"));
    }

    if (inputParams.containsKey("claims")) {
      JsonObject claimsRequest = parseClaimRequest(inputParams.get("claims"));
      if (claimsRequest != null) {
        request.getExtensions().put("claims", claimsRequest.toString());
      }
    }

    if (inputParams.containsKey("max_age")) {
      request.getExtensions().put("max_age", inputParams.get("max_age"));
    }

    if (inputParams.containsKey("request")) {
      request.getExtensions().put("request", inputParams.get("request"));
      processRequestObject(inputParams.get("request"), request);
    }

    if (request.getClientId() != null) {
      try {
        ClientDetailsEntity client = clientDetailsService.loadClientByClientId(request.getClientId());

        if ((request.getScope() == null || request.getScope().isEmpty())) {
          Set<String> clientScopes = client.getScope();
          request.setScope(clientScopes);
        }

        if (request.getExtensions().get("max_age") == null && client.getDefaultMaxAge() != null) {
          request.getExtensions().put("max_age", client.getDefaultMaxAge().toString());
        }
      } catch (OAuth2Exception e) {
        logger.error("Caught OAuth2 exception trying to test client scopes and max age:", e);
      }
    }


    // add CSRF protection to the request on first parse
    String csrf = UUID.randomUUID().toString();
    request.getExtensions().put("csrf", csrf);



    return request;
  }

Examples of org.springframework.security.oauth2.provider.AuthorizationRequest

      chain.doFilter(req, res);
      return;
    }

    // we have to create our own auth request in order to get at all the parmeters appropriately
    AuthorizationRequest authRequest = authRequestFactory.createAuthorizationRequest(createRequestMap(request.getParameterMap()));

    ClientDetailsEntity client = null;

    try {
      client = clientService.loadClientByClientId(authRequest.getClientId());
    } catch (InvalidClientException e) {
      // no need to worry about this here, it would be caught elsewhere
    } catch (IllegalArgumentException e) {
      // no need to worry about this here, it would be caught elsewhere
    }

    if (authRequest.getExtensions().get("prompt") != null) {
      // we have a "prompt" parameter
      String prompt = (String)authRequest.getExtensions().get("prompt");
      List<String> prompts = Splitter.on(" ").splitToList(Strings.nullToEmpty(prompt));

      if (prompts.contains("none")) {
        logger.info("Client requested no prompt");
        // see if the user's logged in
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();

        if (auth != null) {
          // user's been logged in already (by session management)
          // we're OK, continue without prompting
          chain.doFilter(req, res);
        } else {
          // user hasn't been logged in, we need to "return an error"
          logger.info("User not logged in, no prompt requested, returning 403 from filter");
          response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access Denied");
          return;
        }
      } else if (prompts.contains("login")) {

        // first see if the user's already been prompted in this session
        HttpSession session = request.getSession();
        if (session.getAttribute(PROMPTED) == null) {
          // user hasn't been PROMPTED yet, we need to check

          session.setAttribute(PROMPT_REQUESTED, Boolean.TRUE);

          // see if the user's logged in
          Authentication auth = SecurityContextHolder.getContext().getAuthentication();
          if (auth != null) {
            // user's been logged in already (by session management)
            // log them out and continue
            SecurityContextHolder.getContext().setAuthentication(null);
            chain.doFilter(req, res);
          } else {
            // user hasn't been logged in yet, we can keep going since we'll get there
            chain.doFilter(req, res);
          }
        } else {
          // user has been PROMPTED, we're fine

          // but first, undo the prompt tag
          session.removeAttribute(PROMPTED);
          chain.doFilter(req, res);
        }
      } else {
        // prompt parameter is a value we don't care about, not our business
        chain.doFilter(req, res);
      }

    } else if (authRequest.getExtensions().get("max_age") != null ||
        (client != null && client.getDefaultMaxAge() != null)) {

      // default to the client's stored value, check the string parameter
      Integer max = (client != null ? client.getDefaultMaxAge() : null);
      String maxAge = (String) authRequest.getExtensions().get("max_age");
      if (maxAge != null) {
        max = Integer.parseInt(maxAge);
      }

      if (max != null) {

Examples of org.springframework.security.oauth2.provider.AuthorizationRequest

              "No client authentication found. Remember to put a filter upstream of the TokenEndpointAuthenticationFilter.");
        }

        Map<String, String> map = getSingleValueMap(request);
        map.put(OAuth2Utils.CLIENT_ID, clientAuth.getName());
        AuthorizationRequest authorizationRequest = oAuth2RequestFactory.createAuthorizationRequest(map);

        authorizationRequest.setScope(getScope(request));
        if (clientAuth.isAuthenticated()) {
          // Ensure the OAuth2Authentication is authenticated
          authorizationRequest.setApproved(true);
        }

        OAuth2Request storedOAuth2Request = oAuth2RequestFactory.createOAuth2Request(authorizationRequest);

        SecurityContextHolder.getContext().setAuthentication(

Examples of org.springframework.security.oauth2.provider.AuthorizationRequest

    Set<String> responseTypes = OAuth2Utils.parseParameterList(authorizationParameters
        .get(OAuth2Utils.RESPONSE_TYPE));

    Set<String> scopes = extractScopes(authorizationParameters, clientId);

    AuthorizationRequest request = new AuthorizationRequest(authorizationParameters,
        Collections.<String, String> emptyMap(), clientId, scopes, null, null, false, state, redirectUri,
        responseTypes);

    ClientDetails clientDetails = clientDetailsService.loadClientByClientId(clientId);
    request.setResourceIdsAndAuthoritiesFromClientDetails(clientDetails);

    return request;

  }

Examples of org.springframework.security.oauth2.provider.AuthorizationRequest

      SessionStatus sessionStatus, Principal principal) {

    // Pull out the authorization request first, using the OAuth2RequestFactory. All further logic should
    // query off of the authorization request instead of referring back to the parameters map. The contents of the
    // parameters map will be stored without change in the AuthorizationRequest object once it is created.
    AuthorizationRequest authorizationRequest = getOAuth2RequestFactory().createAuthorizationRequest(parameters);

    Set<String> responseTypes = authorizationRequest.getResponseTypes();

    if (!responseTypes.contains("token") && !responseTypes.contains("code")) {
      throw new UnsupportedResponseTypeException("Unsupported response types: " + responseTypes);
    }

    if (authorizationRequest.getClientId() == null) {
      throw new InvalidClientException("A client id must be provided");
    }

    try {

      if (!(principal instanceof Authentication) || !((Authentication) principal).isAuthenticated()) {
        throw new InsufficientAuthenticationException(
            "User must be authenticated with Spring Security before authorization can be completed.");
      }

      ClientDetails client = getClientDetailsService().loadClientByClientId(authorizationRequest.getClientId());

      // The resolved redirect URI is either the redirect_uri from the parameters or the one from
      // clientDetails. Either way we need to store it on the AuthorizationRequest.
      String redirectUriParameter = authorizationRequest.getRequestParameters().get(OAuth2Utils.REDIRECT_URI);
      String resolvedRedirect = redirectResolver.resolveRedirect(redirectUriParameter, client);
      if (!StringUtils.hasText(resolvedRedirect)) {
        throw new RedirectMismatchException(
            "A redirectUri must be either supplied or preconfigured in the ClientDetails");
      }
      authorizationRequest.setRedirectUri(resolvedRedirect);

      // We intentionally only validate the parameters requested by the client (ignoring any data that may have
      // been added to the request by the manager).
      oauth2RequestValidator.validateScope(authorizationRequest, client);

      // Some systems may allow for approval decisions to be remembered or approved by default. Check for
      // such logic here, and set the approved flag on the authorization request accordingly.
      authorizationRequest = userApprovalHandler.checkForPreApproval(authorizationRequest,
          (Authentication) principal);
      // TODO: is this call necessary?
      boolean approved = userApprovalHandler.isApproved(authorizationRequest, (Authentication) principal);
      authorizationRequest.setApproved(approved);

      // Validation is all done, so we can check for auto approval...
      if (authorizationRequest.isApproved()) {
        if (responseTypes.contains("token")) {
          return getImplicitGrantResponse(authorizationRequest);
        }
        if (responseTypes.contains("code")) {
          return new ModelAndView(getAuthorizationCodeResponse(authorizationRequest,

Examples of org.springframework.security.oauth2.provider.AuthorizationRequest

      sessionStatus.setComplete();
      throw new InsufficientAuthenticationException(
          "User must be authenticated with Spring Security before authorizing an access token.");
    }

    AuthorizationRequest authorizationRequest = (AuthorizationRequest) model.get("authorizationRequest");

    if (authorizationRequest == null) {
      sessionStatus.setComplete();
      throw new InvalidRequestException("Cannot approve uninitialized authorization request.");
    }

    try {
      Set<String> responseTypes = authorizationRequest.getResponseTypes();

      authorizationRequest.setApprovalParameters(approvalParameters);
      authorizationRequest = userApprovalHandler.updateAfterApproval(authorizationRequest,
          (Authentication) principal);
      boolean approved = userApprovalHandler.isApproved(authorizationRequest, (Authentication) principal);
      authorizationRequest.setApproved(approved);

      if (authorizationRequest.getRedirectUri() == null) {
        sessionStatus.setComplete();
        throw new InvalidRequestException("Cannot approve request when no redirect URI is provided.");
      }

      if (!authorizationRequest.isApproved()) {
        return new RedirectView(getUnsuccessfulRedirect(authorizationRequest,
            new UserDeniedAuthorizationException("User denied access"), responseTypes.contains("token")),
            false, true, false);
      }

Examples of org.springframework.security.oauth2.provider.AuthorizationRequest

    if (e instanceof ClientAuthenticationException || e instanceof RedirectMismatchException) {
      return new ModelAndView(errorPage, Collections.singletonMap("error", translate.getBody()));
    }

    AuthorizationRequest authorizationRequest = null;
    try {
      authorizationRequest = getAuthorizationRequestForError(webRequest);
      String requestedRedirectParam = authorizationRequest.getRequestParameters().get(OAuth2Utils.REDIRECT_URI);
      String requestedRedirect = redirectResolver.resolveRedirect(requestedRedirectParam,
          getClientDetailsService().loadClientByClientId(authorizationRequest.getClientId()));
      authorizationRequest.setRedirectUri(requestedRedirect);
      String redirect = getUnsuccessfulRedirect(authorizationRequest, translate.getBody(), authorizationRequest
          .getResponseTypes().contains("token"));
      return new ModelAndView(new RedirectView(redirect, false, true, false));
    }
    catch (OAuth2Exception ex) {
      // If an AuthorizationRequest cannot be created from the incoming parameters it must be

Examples of org.springframework.security.oauth2.provider.AuthorizationRequest

  }

  private AuthorizationRequest getAuthorizationRequestForError(ServletWebRequest webRequest) {

    // If it's already there then we are in the approveOrDeny phase and we can use the saved request
    AuthorizationRequest authorizationRequest = (AuthorizationRequest) sessionAttributeStore.retrieveAttribute(
        webRequest, "authorizationRequest");
    if (authorizationRequest != null) {
      return authorizationRequest;
    }

Examples of org.springframework.security.oauth2.provider.AuthorizationRequest

    @Override
    public void run() {
      // There should be no scopes in the approval model
      UserApprovalHandler handler = (UserApprovalHandler) ReflectionTestUtils.getField(endpoint,
          "userApprovalHandler");
      AuthorizationRequest authorizationRequest = new AuthorizationRequest();
      authorizationRequest.setScope(Arrays.asList("read"));
      Map<String, Object> request = handler.getUserApprovalRequest(authorizationRequest,
          new UsernamePasswordAuthenticationToken("user", "password"));
      assertFalse(request.containsKey("scopes"));
    }