Java源码示例:org.springframework.security.oauth2.common.exceptions.InvalidRequestException
示例1
@Override
public String resolveRedirect(String requestedRedirect, ClientDetails client) {
Set<String> authorizedGrantTypes = client.getAuthorizedGrantTypes();
if (authorizedGrantTypes.isEmpty()) {
throw new InvalidGrantException("A client must have at least one authorized grant type.");
}
if (!containsRedirectGrantType(authorizedGrantTypes)) {
throw new InvalidGrantException(
"A redirect_uri can only be used by implicit or authorization_code grant types.");
}
Set<String> redirectUris = client.getRegisteredRedirectUri();
if (redirectUris != null && !redirectUris.isEmpty()) {
return obtainMatchingRedirect(redirectUris, requestedRedirect);
} else if (StringUtils.hasText(requestedRedirect)) {
return requestedRedirect;
} else {
throw new InvalidRequestException("A redirect_uri must be supplied.");
}
}
示例2
private MultiValueMap<String, String> getParametersForTokenRequest(AuthorizationCodeResourceDetails resource, AccessTokenRequest request) {
MultiValueMap<String, String> form = new LinkedMultiValueMap();
String state = request.getStateKey();
// if (state.contains("session")) {
// form.set("appid", resource.getClientId());
// form.set("secret", resource.getClientSecret());
// } else {
// form.set("appid", "wx38871ac04c8208af");
// form.set("secret", "50f7e835165d91006bf32fb3ba8d53dd");
// }
form.set("appid", resource.getClientId());
form.set("secret", resource.getClientSecret());
form.set("code", request.getAuthorizationCode());
form.set("grant_type", "authorization_code");
Object preservedState = request.getPreservedState();
//if((request.getStateKey() != null || this.stateMandatory) && preservedState == null) {
if(false) {
throw new InvalidRequestException("Possible CSRF detected - state parameter was required but no state could be found");
} else {
String redirectUri = null;
if(preservedState instanceof String) {
redirectUri = String.valueOf(preservedState);
} else {
redirectUri = resource.getRedirectUri(request);
}
if(redirectUri != null && !"NONE".equals(redirectUri)) {
form.set("redirect_uri", redirectUri);
}
return form;
}
}
示例3
private MultiValueMap<String, String> getParametersForAuthorizeRequest(AuthorizationCodeResourceDetails resource, AccessTokenRequest request) {
MultiValueMap<String, String> form = new LinkedMultiValueMap();
form.set("response_type", "code");
form.set("client_id", resource.getClientId());
if(request.get("scope") != null) {
form.set("scope", request.getFirst("scope"));
} else {
form.set("scope", OAuth2Utils.formatParameterList(resource.getScope()));
}
String redirectUri = resource.getPreEstablishedRedirectUri();
Object preservedState = request.getPreservedState();
if(redirectUri == null && preservedState != null) {
redirectUri = String.valueOf(preservedState);
} else {
redirectUri = request.getCurrentUri();
}
String stateKey = request.getStateKey();
if(stateKey != null) {
form.set("state", stateKey);
if(preservedState == null) {
throw new InvalidRequestException("Possible CSRF detected - state parameter was present but no state could be found");
}
}
if(redirectUri != null) {
form.set("redirect_uri", redirectUri);
}
return form;
}
示例4
private ResponseEntity handleOAuth2Exception(OAuth2Exception e) throws IOException {
Response<String> result = new Response<>();
result.setCode(ERROR_CODE_START);
if (e instanceof InvalidClientException) {
result.setMsg("用户名或这密码错误");
} else if (e instanceof UnauthorizedClientException) {
result.setMsg("未授权的ClientId");
} else if (e instanceof InvalidGrantException) {
result.setMsg("授权失败,用户名或者密码错误");
} else if (e instanceof InvalidScopeException) {
result.setMsg("授权客户端错误");
} else if (e instanceof InvalidTokenException) {
result.setMsg("授权token错误");
} else if (e instanceof InvalidRequestException) {
result.setMsg("授权请求错误");
} else if (e instanceof RedirectMismatchException) {
result.setMsg("redirect_uri未匹配");
} else if (e instanceof UnsupportedGrantTypeException) {
result.setMsg("不支持此授权类型");
} else if (e instanceof UnsupportedResponseTypeException) {
result.setMsg("不支持此类型的授权码");
} else if (e instanceof UserDeniedAuthorizationException) {
result.setMsg("您没有访问权限");
} else {
result.setCode(ERROR_CODE_START + 1);
result.setMsg(e.getMessage());
}
int status = e.getHttpErrorCode();
HttpHeaders headers = new HttpHeaders();
headers.set("Cache-Control", "no-store");
headers.set("Pragma", "no-cache");
if (status == HttpStatus.UNAUTHORIZED.value() || (e instanceof InsufficientScopeException)) {
headers.set("WWW-Authenticate", String.format("%s %s", OAuth2AccessToken.BEARER_TYPE, e.getSummary()));
}
return new ResponseEntity<>(result, headers,
HttpStatus.OK);
}
示例5
@Override
protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest) {
Map<String, String> parameters = tokenRequest.getRequestParameters();
String authorizationCode = parameters.get("code");
String redirectUri = parameters.get(OAuth2Utils.REDIRECT_URI);
String codeVerifier = parameters.get("code_verifier");
if (authorizationCode == null) {
throw new InvalidRequestException("An authorization code must be supplied.");
}
OAuth2Authentication storedAuth = authorizationCodeServices.consumeAuthorizationCode(authorizationCode);
if (storedAuth == null) {
throw new InvalidGrantException("Invalid authorization code: " + authorizationCode);
}
OAuth2Request pendingOAuth2Request = storedAuth.getOAuth2Request();
// Validates code verifier
Map<String, String> pendingOauth2RequestParams = pendingOAuth2Request.getRequestParameters();
String codeChallenge = pendingOauth2RequestParams.get("code_challenge");
String codeChallengeMethod = pendingOauth2RequestParams.get("code_challenge_method");
if (codeVerifier == null && codeChallenge != null) {
// client is using PKCE but did not send the codeVerifier
throw new InvalidRequestException(
"Invalid authorization code for current token request.");
}
if (codeVerifier != null && codeChallenge != null) {
String hashed = codeVerifier;
if ("S256".equals(codeChallengeMethod)) {
hashed = DigestUtils.sha256Hex(codeVerifier);
}
if (!hashed.equalsIgnoreCase(codeChallenge)) {
throw new InvalidRequestException(
"Invalid authorization code for current token request.");
}
}
// https://jira.springsource.org/browse/SECOAUTH-333
// This might be null, if the authorization was done without the redirect_uri parameter
String redirectUriApprovalParameter = pendingOAuth2Request.getRequestParameters().get(
OAuth2Utils.REDIRECT_URI);
if ((redirectUri != null || redirectUriApprovalParameter != null)
&& !pendingOAuth2Request.getRedirectUri().equals(redirectUri)) {
throw new RedirectMismatchException("Redirect URI mismatch.");
}
String pendingClientId = pendingOAuth2Request.getClientId();
String clientId = tokenRequest.getClientId();
if (clientId != null && !clientId.equals(pendingClientId)) {
// just a sanity check.
throw new InvalidClientException("Client ID mismatch");
}
// Secret is not required in the authorization request, so it won't be available
// in the pendingAuthorizationRequest. We do want to check that a secret is provided
// in the token request, but that happens elsewhere.
Map<String, String> combinedParameters = new HashMap<String, String>(pendingOAuth2Request
.getRequestParameters());
// Combine the parameters adding the new ones last so they override if there are any clashes
combinedParameters.putAll(parameters);
// Make a new stored request with the combined parameters
OAuth2Request finalStoredOAuth2Request = pendingOAuth2Request.createOAuth2Request(combinedParameters);
Authentication userAuth = storedAuth.getUserAuthentication();
return new OAuth2Authentication(finalStoredOAuth2Request, userAuth);
}
示例6
@Override
protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest) {
Map<String, String> parameters = tokenRequest.getRequestParameters();
String authorizationCode = parameters.get("code");
String redirectUri = parameters.get(OAuth2Utils.REDIRECT_URI);
if (authorizationCode == null) {
throw new InvalidRequestException("An authorization code must be supplied.");
}
OAuth2Authentication storedAuth = authorizationCodeServices.consumeAuthorizationCode(authorizationCode);
if (storedAuth == null) {
throw new InvalidGrantException("Invalid authorization code: " + authorizationCode);
}
OAuth2Request pendingOAuth2Request = storedAuth.getOAuth2Request();
// https://jira.springsource.org/browse/SECOAUTH-333
// This might be null, if the authorization was done without the redirect_uri parameter
String redirectUriApprovalParameter = pendingOAuth2Request.getRequestParameters().get(OAuth2Utils.REDIRECT_URI);
if (redirectUriApprovalParameter != null && redirectUri == null
|| redirectUriApprovalParameter != null
&& !pendingOAuth2Request.getRedirectUri().startsWith(redirectUri)) {
throw new RedirectMismatchException("Redirect URI mismatch.");
}
String pendingClientId = pendingOAuth2Request.getClientId();
String clientId = tokenRequest.getClientId();
if (clientId != null && !clientId.equals(pendingClientId)) {
// just a sanity check.
throw new InvalidClientException("Client ID mismatch");
}
// Secret is not required in the authorization request, so it won't be available
// in the pendingAuthorizationRequest. We do want to check that a secret is provided
// in the token request, but that happens elsewhere.
Map<String, String> combinedParameters = new HashMap<>(pendingOAuth2Request.getRequestParameters());
// Combine the parameters adding the new ones last so they override if there are any clashes
combinedParameters.putAll(parameters);
// Make a new stored request with the combined parameters
OAuth2Request finalStoredOAuth2Request = pendingOAuth2Request.createOAuth2Request(combinedParameters);
Authentication userAuth = storedAuth.getUserAuthentication();
return new OAuth2Authentication(finalStoredOAuth2Request, userAuth);
}
