diff --git a/Model/src/main/java/org/xdi/oxauth/model/configuration/AppConfiguration.java b/Model/src/main/java/org/xdi/oxauth/model/configuration/AppConfiguration.java
index d7da86154a..9fef56ae66 100644
--- a/Model/src/main/java/org/xdi/oxauth/model/configuration/AppConfiguration.java
+++ b/Model/src/main/java/org/xdi/oxauth/model/configuration/AppConfiguration.java
@@ -108,6 +108,7 @@ public class AppConfiguration implements Configuration {
 private Boolean persistRefreshTokenInLdap = true;
 private Boolean allowPostLogoutRedirectWithoutValidation = false;
 private Boolean invalidateSessionCookiesAfterAuthorizationFlow = false;
+ private Boolean allowAuthorizationByAccessToken = false;
 private Boolean useCacheForAllImplicitFlowObjects = false;
@@ -933,6 +934,17 @@ public void setInvalidateSessionCookiesAfterAuthorizationFlow(Boolean invalidate
 this.invalidateSessionCookiesAfterAuthorizationFlow = invalidateSessionCookiesAfterAuthorizationFlow;
 }
+ public Boolean getAllowAuthorizationByAccessToken() {
+ if (allowAuthorizationByAccessToken == null) {
+ allowAuthorizationByAccessToken = false;
+ }
+ return allowAuthorizationByAccessToken;
+ }
+
+ public void setAllowAuthorizationByAccessToken(Boolean allowAuthorizationByAccessToken) {
+ this.allowAuthorizationByAccessToken = allowAuthorizationByAccessToken;
+ }
+
 public Boolean getUseCacheForAllImplicitFlowObjects() {
 return useCacheForAllImplicitFlowObjects;
 }
diff --git a/Server/src/main/java/org/xdi/oxauth/authorize/ws/rs/AuthorizeRestWebServiceImpl.java b/Server/src/main/java/org/xdi/oxauth/authorize/ws/rs/AuthorizeRestWebServiceImpl.java
index 6a57629748..8ca5196d22 100644
--- a/Server/src/main/java/org/xdi/oxauth/authorize/ws/rs/AuthorizeRestWebServiceImpl.java
+++ b/Server/src/main/java/org/xdi/oxauth/authorize/ws/rs/AuthorizeRestWebServiceImpl.java
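Review bot: In the second hunk, `getAllowAuthorizationByAccessToken()` writes to the field as a side effect of reading it; a read-only form such as `return allowAuthorizationByAccessToken != null && allowAuthorizationByAccessToken;` yields the same false-by-default answer without mutating configuration state from a getter. The setter still accepts null, so whatever callers get relies on that normalization, which is worth saying in a comment. The new property also has no Javadoc, and it is security-relevant: the Server hunk in this same commit uses it to decide whether an `access_token` supplied to the authorization endpoint may be used to look up an existing grant. A Javadoc along the lines of `/** Whether the authorization endpoint may accept a presented access token to locate the grant. Off by default; enable only when this path is needed, since it lets a bearer token presented as a request parameter drive authorization. */` would record why the default is false.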
@@ -6,34 +6,8 @@
 package org.xdi.oxauth.authorize.ws.rs;
-import static org.xdi.oxauth.model.util.StringUtils.implode;
-
-import java.net.ConnectException;
-import java.net.URI;
-import java.net.URISyntaxException;
-import java.net.UnknownHostException;
-import java.security.SignatureException;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Calendar;
-import java.util.GregorianCalendar;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Map.Entry;
-import java.util.Set;
-import java.util.TimeZone;
-
-import javax.inject.Inject;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.ws.rs.HttpMethod;
-import javax.ws.rs.Path;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.Response;
-import javax.ws.rs.core.Response.ResponseBuilder;
-import javax.ws.rs.core.SecurityContext;
-
+import com.google.common.collect.Maps;
+import com.wordnik.swagger.annotations.Api;
 import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.lang.ArrayUtils;
 import org.apache.commons.lang.StringUtils;
@@ -44,25 +18,8 @@
 import org.xdi.oxauth.audit.ApplicationAuditLogger;
 import org.xdi.oxauth.model.audit.Action;
 import org.xdi.oxauth.model.audit.OAuth2AuditLog;
-import org.xdi.oxauth.model.authorize.AuthorizeErrorResponseType;
-import org.xdi.oxauth.model.authorize.AuthorizeParamsValidator;
-import org.xdi.oxauth.model.authorize.AuthorizeRequestParam;
-import org.xdi.oxauth.model.authorize.AuthorizeResponseParam;
-import org.xdi.oxauth.model.authorize.Claim;
-import org.xdi.oxauth.model.authorize.JwtAuthorizationRequest;
-import org.xdi.oxauth.model.authorize.ScopeChecker;
-import org.xdi.oxauth.model.common.AbstractToken;
-import org.xdi.oxauth.model.common.AccessToken;
-import org.xdi.oxauth.model.common.AuthorizationCode;
-import org.xdi.oxauth.model.common.AuthorizationGrant;
-import org.xdi.oxauth.model.common.AuthorizationGrantList;
-import org.xdi.oxauth.model.common.IdToken;
-import org.xdi.oxauth.model.common.Prompt;
-import org.xdi.oxauth.model.common.ResponseMode;
-import org.xdi.oxauth.model.common.ResponseType;
-import org.xdi.oxauth.model.common.SessionId;
-import org.xdi.oxauth.model.common.SessionIdState;
-import org.xdi.oxauth.model.common.User;
+import org.xdi.oxauth.model.authorize.*;
+import org.xdi.oxauth.model.common.*;
 import org.xdi.oxauth.model.config.ConfigurationFactory;
 import org.xdi.oxauth.model.configuration.AppConfiguration;
 import org.xdi.oxauth.model.crypto.binding.TokenBindingMessage;
@@ -76,13 +33,7 @@
 import org.xdi.oxauth.model.util.JwtUtil;
 import org.xdi.oxauth.model.util.Util;
 import org.xdi.oxauth.security.Identity;
-import org.xdi.oxauth.service.AuthenticationFilterService;
-import org.xdi.oxauth.service.ClientAuthorizationsService;
-import org.xdi.oxauth.service.ClientService;
-import org.xdi.oxauth.service.RedirectionUriService;
-import org.xdi.oxauth.service.RequestParameterService;
-import org.xdi.oxauth.service.SessionIdService;
-import org.xdi.oxauth.service.UserService;
+import org.xdi.oxauth.service.*;
 import org.xdi.oxauth.util.QueryStringDecoder;
 import org.xdi.oxauth.util.RedirectUri;
 import org.xdi.oxauth.util.RedirectUtil;
@@ -90,8 +41,24 @@
 import org.xdi.util.StringHelper;
 import org.xdi.util.security.StringEncrypter;
-import com.google.common.collect.Maps;
-import com.wordnik.swagger.annotations.Api;
+import javax.inject.Inject;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.ws.rs.HttpMethod;
+import javax.ws.rs.Path;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.core.Response.ResponseBuilder;
+import javax.ws.rs.core.SecurityContext;
+import java.net.ConnectException;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.net.UnknownHostException;
+import java.security.SignatureException;
+import java.util.*;
+import java.util.Map.Entry;
+
+import static org.xdi.oxauth.model.util.StringUtils.implode;
 /**
  * Implementation for request authorization through REST web services.
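Review bot: The new `import org.xdi.oxauth.service.*;` and `import java.util.*;` (and `org.xdi.oxauth.model.authorize.*` / `org.xdi.oxauth.model.common.*` in the preceding hunk) replace explicit single-type imports with on-demand imports, which hides which classes this file actually depends on and turns any future same-named type added to one of those packages into an ambiguity compile error rather than a no-op. The removed lines already had the explicit form, so this looks like an IDE organize-imports pass with a low wildcard threshold rather than a deliberate choice; keeping explicit imports is the usual Java convention. If wildcards are a project-wide decision it should be applied consistently, but it is better not introduced as a side effect of a feature commit.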
@@ -292,7 +259,7 @@ public Response requestAuthorization(
 && AuthorizeParamsValidator.validateGrantType(responseTypes, client.getGrantTypes(), appConfiguration.getGrantTypesSupported())) {
 if (validRedirectUri) {
-if (StringUtils.isNotBlank(accessToken)) {
+if (StringUtils.isNotBlank(accessToken) && appConfiguration.getAllowAuthorizationByAccessToken()) {
 boolean onlyFromCache = ServerUtil.isTrue(appConfiguration.getUseCacheForAllImplicitFlowObjects() && ResponseType.isImplicitFlow(responseType));
 AuthorizationGrant authorizationGrant = authorizationGrantList.getAuthorizationGrantByAccessToken(accessToken, onlyFromCache);
 boolean denyAccess = true;
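Review bot: The new condition unboxes `appConfiguration.getAllowAuthorizationByAccessToken()` directly, while the very next line wraps a sibling Boolean getter in `ServerUtil.isTrue(...)`; for consistency, and so this endpoint does not depend on the Model getter normalizing null, write `if (StringUtils.isNotBlank(accessToken) && ServerUtil.isTrue(appConfiguration.getAllowAuthorizationByAccessToken())) {`. Gating this path off by default is the right secure default, since an access token handed to the authorization endpoint as a request parameter is enough here to look up an existing grant. With the flag off, a caller who does send an access token is silently dropped into the ordinary flow; a debug log saying the parameter was ignored because `allowAuthorizationByAccessToken` is disabled would make that misconfiguration diagnosable. The `denyAccess` handling that follows and the enclosing `requestAuthorization` method both continue outside the hunk.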