
Major updates

- Update OAuth2.0 version from draft30 to final spec (RFC6749).
- Add Client types support.
- Support multiple redirection URIs.
- Revise the architecture for tokens, clients, and users management.
- Memory and MongoDB implementations.
- Client-side implementations are removed temporary. (Not supported at this time.)
- Fix the license informations.

Token Endpoint:
- Ensure that the requested grant type is allowed for the client.
- Add support for client type.
- Fix the token response. (token_type, scope)
Updates for 'authorization_code' flow:
- Ensure that the authorization code was issued to the client.
- Add 'redirect_uri' validation.
Updates for 'client_credentials' flow:
- Implement the 'client_credentials' flow.

Authorization Endpoint:
- Fix the 'POST' method support.
- Add session timeout support.
- Fix the session management bugs.
- Allow clients to send multiple response types.
- Ensure that the requested response type is allowed for the client.
- Fix the issue that 'state' was actually not managed.
- Update the redirect_uri handling. (Dynamic Configuration)

Client Management:
- Revise ClientStore to ClientManager.
- Remove client_id and client_secret from #createClient method. (These parameters should provided from AuthServer.)

Token Management:
- Remove TokenGenerator, replaced with TokenManager.
- Support token management suitable for RFC6749.

User Management:
- Add UserManager for Resource Owner Password Credentials.
1 parent e3d586c commit 2a1f9ea8ec6d5d01258dbc0db25b247267a273b2 @FantomJAC committed Jan 28, 2013
Showing with 2,483 additions and 3,415 deletions.
  1. +220 −136 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/AccessTokenServerResource.java
  2. +19 −48 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/AuthPageServerResource.java
  3. +0 −180 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/AuthenticatedUser.java
  4. +99 −28 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/AuthorizationBaseServerResource.java
  5. +132 −135 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/AuthorizationServerResource.java
  6. +0 −154 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/ClientStore.java
  7. +0 −155 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/ClientStoreFactory.java
  8. +41 −17 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/ClientVerifier.java
  9. +0 −234 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/Flow.java
  10. +4 −5 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/OAuthError.java
  11. +58 −22 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/OAuthException.java
  12. +0 −224 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/OAuthParameters.java
  13. +0 −377 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/OAuthProxy.java
  14. +66 −0 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/OAuthResourceDefs.java
  15. +13 −69 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/OAuthServerResource.java
  16. +0 −249 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/OAuthUser.java
  17. +34 −51 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/TokenAuthServerResource.java
  18. +31 −14 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/TokenVerifier.java
  19. +144 −0 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/internal/AbstractClientManager.java
  20. +132 −0 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/internal/AbstractTokenManager.java
  21. +118 −155 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/internal/AuthSession.java
  22. +41 −0 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/internal/AuthSessionTimeoutException.java
  23. +25 −11 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/{ → internal}/Client.java
  24. +35 −25 ...es/org.restlet.ext.oauth/src/org/restlet/ext/oauth/{UserStore.java → internal/ClientManager.java}
  25. +0 −144 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/internal/CookieCopyClientResource.java
  26. +65 −0 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/internal/RedirectionURI.java
  27. +44 −0 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/internal/ResourceOwnerManager.java
  28. +8 −0 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/internal/Scopes.java
  29. +40 −18 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/internal/Token.java
  30. +0 −224 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/internal/TokenGenerator.java
  31. +70 −0 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/internal/TokenManager.java
  32. +0 −181 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/internal/memory/AuthenticatedUserImpl.java
  33. +0 −134 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/internal/memory/ClientImpl.java
  34. +0 −117 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/internal/memory/ExpireToken.java
  35. +0 −157 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/internal/memory/MemTokenGenerator.java
  36. +96 −0 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/internal/memory/MemoryClient.java
  37. +16 −38 ....oauth/src/org/restlet/ext/oauth/internal/memory/{MemClientStore.java → MemoryClientManager.java}
  38. +163 −0 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/internal/memory/MemoryToken.java
  39. +213 −0 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/internal/memory/MemoryTokenManager.java
  40. +0 −113 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/internal/memory/UnlimitedToken.java
  41. +127 −0 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/internal/mongo/MongoClient.java
  42. +112 −0 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/internal/mongo/MongoClientManager.java
  43. +103 −0 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/internal/mongo/MongoToken.java
  44. +214 −0 modules/org.restlet.ext.oauth/src/org/restlet/ext/oauth/internal/mongo/MongoTokenManager.java

@@ -33,6 +33,7 @@
package org.restlet.ext.oauth;
+import org.restlet.ext.oauth.internal.Client;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
@@ -48,8 +49,6 @@
import org.restlet.resource.Get;
import freemarker.template.Configuration;
-import java.util.HashSet;
-import java.util.Set;
import org.restlet.data.CacheDirective;
import org.restlet.ext.oauth.internal.Token;
@@ -148,6 +147,7 @@
* root.
*
* @author Kristoffer Gronowski
+ * @author Shotaro Uchida <fantom@xmaker.mx>
*/
public class AuthPageServerResource extends AuthorizationBaseServerResource {
@@ -194,7 +194,7 @@ public Representation showPage() throws OAuthException {
// requested...
getLogger().fine(
"All scopes already approved. - skip auth page.");
- handleAction("Accept", scopesArray);
+ handleAction(ACTION_ACCEPT, scopesArray);
return new EmptyRepresentation(); // Will redirect
}
}
@@ -217,50 +217,24 @@ public Representation showPage() throws OAuthException {
*
* @param action
* as interacted by the user.
- * @param scopes
+ * @param grantedScope
* the scopes that was approved.
*/
- protected void handleAction(String action, String[] scopes) throws OAuthException {
+ protected void handleAction(String action, String[] grantedScope) throws OAuthException {
// TODO: SessionId should maybe be removed
AuthSession session = getAuthSession();
+ session.setGrantedScope(grantedScope);
if (action.equals(ACTION_REJECT)) {
getLogger().fine("Rejected.");
throw new OAuthException(OAuthError.access_denied, "Rejected.", null);
}
getLogger().fine("Accepting scopes - in handleAction");
- Client client = session.getClient();
- String id = session.getScopeOwner();
-
- String redirUrl = session.getDynamicCallbackURI();
- getLogger().fine("OAuth2 get dynamic callback = " + redirUrl);
- if (redirUrl == null || redirUrl.isEmpty()) {
- redirUrl = client.getRedirectUri();
- }
-
- final AuthenticatedUser user;
- if (client.containsUser(id)) {
- user = client.findUser(id);
- } else {
- user = client.createUser(id);
- }
-
- // Make sure each scope does not duplicate.
- Set<String> scopeSet = new HashSet<String>();
- scopeSet.addAll(Arrays.asList(scopes));
-
- // Refresh scopes.
- user.revokeRoles();
- for (String s : scopeSet) {
- getLogger().fine("Adding scope = " + s + " to user = " + id);
- user.addRole(Scopes.toRole(s), "");
- }
-
- // Save the user if using DB
- user.persist();
+ Client client = clients.findById(session.getClientId());
+ String scopeOwner = session.getScopeOwner();
// Create redirection
- final Reference location = new Reference(redirUrl);
+ final Reference location = new Reference(session.getRedirectionURI().getURI());
String state = session.getState();
if (state != null && !state.isEmpty()) {
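Review bot: `session.setGrantedScope(grantedScope)` on the line after `getAuthSession()` runs before the `ACTION_REJECT` check, so a rejection still records the submitted scopes as granted on the session before the `OAuthException` is thrown. If the session object outlives this request (the "All scopes already approved" shortcut in showPage reads granted scope, which suggests it does), a rejected consent could later be treated as an approval; moving the call below the reject branch avoids that: keep `if (action.equals(ACTION_REJECT)) { ... }` first, then `session.setGrantedScope(grantedScope);`. The `HashSet` de-duplication of the incoming scopes was dropped and the array is handed straight to `tokens.generateToken` in the next hunk, so unless the token manager normalizes it, `grantedScope` should be de-duplicated and checked to be a subset of `session.getRequestedScope()` here. handleAction's body continues past the end of this hunk.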
@@ -271,21 +245,18 @@ protected void handleAction(String action, String[] scopes) throws OAuthExceptio
// Add query parameters for each flow.
ResponseType flow = session.getAuthFlow();
if (flow.equals(ResponseType.token)) {
- Token token = generator.generateToken(user, tokenTimeSec);
- location.addQueryParameter(TOKEN_TYPE, TOKEN_TYPE_BEARER);
- location.addQueryParameter(ACCESS_TOKEN, token.getToken());
- long expiresIn = token.getExpirePeriod();
- if (expiresIn != Token.UNLIMITED) {
- location.addQueryParameter(EXPIRES_IN, Long.toString(expiresIn));
- }
- String[] granted = scopeSet.toArray(new String[0]);
- if (!Arrays.equals(session.getRequestedScope(), granted)) {
+ Token token = tokens.generateToken(client, scopeOwner, grantedScope);
+ location.addQueryParameter(TOKEN_TYPE, token.getTokenType());
+ location.addQueryParameter(ACCESS_TOKEN, token.getAccessToken());
+ location.addQueryParameter(EXPIRES_IN, Integer.toString(token.getExpirePeriod()));
+ String[] scope = token.getScope();
+ if (!Scopes.isIdentical(scope, session.getRequestedScope())) {
// OPTIONAL, if identical to the scope requested by the client,
// otherwise REQUIRED. (4.2.2. Access Token Response)
- location.addQueryParameter(SCOPE, Scopes.toString(granted));
+ location.addQueryParameter(SCOPE, Scopes.toString(scope));
}
} else if (flow.equals(ResponseType.code)) {
- String code = generator.generateCode(user);
+ String code = tokens.storeSession(session);
location.addQueryParameter(CODE, code);
}
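Review bot: The `ResponseType.token` branch still delivers `access_token`, `token_type`, `expires_in` and `scope` with `location.addQueryParameter`, but RFC 6749 §4.2.2 — the spec this commit moves to — requires the implicit-grant parameters in the fragment component of the redirection URI; a bearer token in the query string is sent to the client's server in the request line and can be retained in access logs and Referer headers, whereas a fragment is not. The `state` value, appended as a query parameter just before this hunk, would need the same treatment in this flow. Collecting the parameters in an `org.restlet.data.Form` (import needed if not already present) and applying them with `Reference.setFragment` leaves the `code` branch untouched. The enclosing handleAction starts before this hunk.
```java
if (flow.equals(ResponseType.token)) {
    Token token = tokens.generateToken(client, scopeOwner, grantedScope);
    // 4.2.2: implicit-grant parameters travel in the fragment, not the query string
    Form fragment = new Form();
    fragment.add(TOKEN_TYPE, token.getTokenType());
    fragment.add(ACCESS_TOKEN, token.getAccessToken());
    fragment.add(EXPIRES_IN, Integer.toString(token.getExpirePeriod()));
    String[] scope = token.getScope();
    if (!Scopes.isIdentical(scope, session.getRequestedScope())) {
        // OPTIONAL, if identical to the scope requested by the client,
        // otherwise REQUIRED. (4.2.2. Access Token Response)
        fragment.add(SCOPE, Scopes.toString(scope));
    }
    location.setFragment(fragment.getQueryString());
} else if (flow.equals(ResponseType.code)) {
    // … unchanged: authorization code added as query parameter …
}
```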
@@ -349,8 +320,8 @@ protected Representation getPage(String authPage) {
// TODO check with Restlet lead
data.put("clientId", clientId);
data.put("clientDescription", client.toString());
- data.put("clientCallback", client.getRedirectUri());
- data.put("clientName", client.getApplicationName());
+ data.put("clientCallback", client.getRedirectURIs());
+ data.put("clientProperties", client.getProperties());
// scopes
data.put("requestingScopes", scopes);
data.put("grantedScopes", previousScopes);
@@ -1,180 +0,0 @@
-/**
- * Copyright 2005-2012 Restlet S.A.S.
- *
- * The contents of this file are subject to the terms of one of the following
- * open source licenses: Apache 2.0 or LGPL 3.0 or LGPL 2.1 or CDDL 1.0 or EPL
- * 1.0 (the "Licenses"). You can select the license that you prefer but you may
- * not use this file except in compliance with one of these Licenses.
- *
- * You can obtain a copy of the Apache 2.0 license at
- * http://www.opensource.org/licenses/apache-2.0
- *
- * You can obtain a copy of the LGPL 3.0 license at
- * http://www.opensource.org/licenses/lgpl-3.0
- *
- * You can obtain a copy of the LGPL 2.1 license at
- * http://www.opensource.org/licenses/lgpl-2.1
- *
- * You can obtain a copy of the CDDL 1.0 license at
- * http://www.opensource.org/licenses/cddl1
- *
- * You can obtain a copy of the EPL 1.0 license at
- * http://www.opensource.org/licenses/eclipse-1.0
- *
- * See the Licenses for the specific language governing permissions and
- * limitations under the Licenses.
- *
- * Alternatively, you can obtain a royalty free commercial license with less
- * limitations, transferable or non-transferable, directly at
- * http://www.restlet.com/products/restlet-framework
- *
- * Restlet is a registered trademark of Restlet S.A.S.
- */
-
-package org.restlet.ext.oauth;
-
-import java.util.List;
-
-import org.restlet.ext.oauth.internal.Token;
-import org.restlet.security.Role;
-
-/**
- * POJO for keeping a grant that a user has approved. User with a specific id
- * has granted a set of scopes.
- *
- * Implementors should implement the storage and retrieval.
- *
- * @author Kristoffer Gronowski
- */
-public interface AuthenticatedUser {
-
- /**
- * Adds a scope for this user given a specified owner.
- */
- // @Deprecated
- // public abstract void addScope(String scope, String owner);
-
- public void addRole(Role r, String owner);
-
- /**
- * Removes a generated code that was used or revoked.
- */
- public void clearCode();
-
- /**
- * Gets the client object that associated and created this user. The Client
- * corresponds to a service provider that acts on behalf of a Authenticated
- * user.
- *
- * @return The parent client instance.
- */
- public Client getClient();
-
- /**
- * Returns the current oauth code if any available for exchange for a token.
- *
- * @return the current oauth code if any available for exchange for a token.
- */
- public String getCode();
-
- /**
- * Gets all scopes. Observe that no owner information is passed.
- */
- public List<Role> getGrantedRoles();
-
- /**
- * Returns the identifier of the user.
- *
- * @return The identifier of the user.
- */
- public String getId();
-
- /**
- * Password field for the username and password oauth flow.
- *
- * @return password or null if not present
- */
- public char[] getPassword();
-
- /**
- * Returns the currently issued token for this user.
- *
- * @return The currently issued token for this user.
- */
- public Token getToken();
-
- /**
- * Returns the default token expire time for this user.
- *
- * @return The default token expire time for this user.
- */
-
- public long getTokenExpire();
-
- /**
- * Checks if this user has a specific scope.
- *
- * @param role
- * The scope to check.
- * @param owner
- * The owner.
- * @return True if this user has the scope.
- */
- public boolean isGrantedRole(Role role, String owner);
-
- /**
- * Helper method to indicate when to checkpoint the user data. If not
- * handling permanent persistence should return true.
- *
- * @return true if stored - false if the caller wants to abort
- */
- public boolean persist();
-
- /**
- * Removes a specific scope.
- *
- * @param role
- * The scope to be removed.
- * @param owner
- * The scope owner.
- */
- public void revokeRole(Role role, String owner);
-
- /**
- * Revokes previously granted scopes.
- */
- public void revokeRoles();
-
- /**
- * Sets a generated code that was given out for this user.
- *
- * @param code
- * The generated code.
- */
- public void setCode(String code);
-
- /**
- * Sets the user password
- *
- * @param password
- * The user password.
- */
- public void setPassword(char[] password);
-
- /**
- * Sets the current issued token.
- *
- * @param token
- * The current issued token.
- */
- public void setToken(Token token);
-
- /**
- * Sets the time for all token expire time for this user.
- *
- * @param deltaTimeSec
- * The time for all token expire time for this user.
- */
- public void setTokenExpire(long deltaTimeSec);
-
-}
