Hello All,
We are currently implementing the Authorization Code Grant and are stuck on the
RedirectionBasedGrantService.
This one is called once the user has made a decision together with passing his
username and password.
The stack is:
/**
* Processes the end user decision
* @return The grant value, authorization code or the token
*/
@POST
@Path("/decision")
@Consumes("application/x-www-form-urlencoded")
public Response authorizeDecisionForm(MultivaluedMap<String, String> params) {
return completeAuthorization(params);
}
/**
* Completes the authorization process
*/
protected Response completeAuthorization(MultivaluedMap<String, String> params)
{
// Make sure the end user has authenticated, check if HTTPS is used
SecurityContext securityContext = getAndValidateSecurityContext();
UserSubject userSubject = createUserSubject(securityContext);
// Make sure the session is valid
String sessionToken =
params.getFirst(OAuthConstants.SESSION_AUTHENTICITY_TOKEN);
if (!compareRequestAndSessionTokens(sessionToken, params, userSubject)) {
throw ExceptionUtils.toBadRequestException(null, null);
}
//TODO: additionally we can check that the Principal that got authenticated
// in startAuthorization is the same that got authenticated in
completeAuthorization
Client client = getClient(params);
String redirectUri = validateRedirectUri(client,
params.getFirst(OAuthConstants.REDIRECT_URI));
// Get the end user decision value
String decision =
params.getFirst(OAuthConstants.AUTHORIZATION_DECISION_KEY);
boolean allow =
OAuthConstants.AUTHORIZATION_DECISION_ALLOW.equals(decision);
// Return the error if denied
if (!allow) {
return createErrorResponse(params, redirectUri,
OAuthConstants.ACCESS_DENIED);
}
// Check if the end user may have had a chance to down-scope the requested
scopes
List<String> requestedScope =
OAuthUtils.parseScope(params.getFirst(OAuthConstants.SCOPE));
List<String> approvedScope = new LinkedList<String>();
for (String rScope : requestedScope) {
String param = params.getFirst(rScope + "_status");
if (param != null &&
OAuthConstants.AUTHORIZATION_DECISION_ALLOW.equals(param)) {
approvedScope.add(rScope);
}
}
if (!requestedScope.containsAll(approvedScope)
|| !OAuthUtils.validateScopes(requestedScope,
client.getRegisteredScopes(),
partialMatchScopeValidation)) {
return createErrorResponse(params, redirectUri,
OAuthConstants.INVALID_SCOPE);
}
// Request a new grant
return createGrant(params,
client,
redirectUri,
requestedScope,
approvedScope,
userSubject,
null);
}
private SecurityContext getAndValidateSecurityContext() {
SecurityContext securityContext =
(SecurityContext)getMessageContext().get(SecurityContext.class.getName());
if (securityContext == null || securityContext.getUserPrincipal() == null) {
throw ExceptionUtils.toNotAuthorizedException(null, null);
}
checkTransportSecurity();
return securityContext;
}
The problem we face is the principal is empty. Presumably the principal has to
be resolved from the Authorization header. But how is this done?
If no interceptor/handler does this, does this mean we are expected to register
a custom AbstractSecurityContextInInterceptor
implmentation?
Thanks for any help!
Met vriendelijke groet/Regards/Cordialement ,
Peter De Winter
