org.mitre.openid.connect.web.ProtectedResourceRegistrationEndpoint 連携図

公開メンバ関数
String	registerNewProtectedResource (@RequestBody String jsonString, Model m)

String	readResourceConfiguration (@PathVariable("id") String clientId, Model m, OAuth2Authentication auth)

String	updateProtectedResource (@PathVariable("id") String clientId, @RequestBody String jsonString, Model m, OAuth2Authentication auth)

String	deleteResource (@PathVariable("id") String clientId, Model m, OAuth2Authentication auth)

静的公開変数類
static final String	URL = "resource"

非公開メンバ関数
ClientDetailsEntity	validateScopes (ClientDetailsEntity newClient) throws ValidationException

ClientDetailsEntity	validateAuth (ClientDetailsEntity newClient) throws ValidationException

OAuth2AccessTokenEntity	fetchValidRegistrationToken (OAuth2Authentication auth, ClientDetailsEntity client)

非公開変数類
ClientDetailsEntityService	clientService

OAuth2TokenEntityService	tokenService

SystemScopeService	scopeService

ConfigurationPropertiesBean	config

OIDCTokenService	connectTokenService

静的非公開変数類
static final Logger	logger = LoggerFactory.getLogger(ProtectedResourceRegistrationEndpoint.class)

詳解

関数詳解

◆ deleteResource()

String org.mitre.openid.connect.web.ProtectedResourceRegistrationEndpoint.deleteResource	(	@PathVariable("id") String	clientId,
		Model	m,
		OAuth2Authentication	auth
	)

inline

Delete the indicated client from the system.

引数

clientId
m
auth

戻り値

                                                                                                               {
 
                 ClientDetailsEntity client = clientService.loadClientByClientId(clientId);
 
                 if (client != null && client.getClientId().equals(auth.getOAuth2Request().getClientId())) {
 
                         clientService.deleteClient(client);
 
                         m.addAttribute(HttpCodeView.CODE, HttpStatus.NO_CONTENT); // http 204
 
                         return HttpCodeView.VIEWNAME;
                 } else {
                         // client mismatch
                         logger.error("readClientConfiguration failed, client ID mismatch: "
                                         + clientId + " and " + auth.getOAuth2Request().getClientId() + " do not match.");
                         m.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN); // http 403
 
                         return HttpCodeView.VIEWNAME;
                 }
         }

◆ fetchValidRegistrationToken()

OAuth2AccessTokenEntity org.mitre.openid.connect.web.ProtectedResourceRegistrationEndpoint.fetchValidRegistrationToken	(	OAuth2Authentication	auth,
		ClientDetailsEntity	client
	)

inlineprivate

                                                                                                                            {
 
                 OAuth2AuthenticationDetails details = (OAuth2AuthenticationDetails) auth.getDetails();
                 OAuth2AccessTokenEntity token = tokenService.readAccessToken(details.getTokenValue());
 
                 if (config.getRegTokenLifeTime() != null) {
 
                         try {
                                 // Re-issue the token if it has been issued before [currentTime - validity]
                                 Date validToDate = new Date(System.currentTimeMillis() - config.getRegTokenLifeTime() * 1000);
                                 if(token.getJwt().getJWTClaimsSet().getIssueTime().before(validToDate)) {
                                         logger.info("Rotating the registration access token for " + client.getClientId());
                                         tokenService.revokeAccessToken(token);
                                         OAuth2AccessTokenEntity newToken = connectTokenService.createResourceAccessToken(client);
                                         tokenService.saveAccessToken(newToken);
                                         return newToken;
                                 } else {
                                         // it's not expired, keep going
                                         return token;
                                 }
                         } catch (ParseException e) {
                                 logger.error("Couldn't parse a known-valid token?", e);
                                 return token;
                         }
                 } else {
                         // tokens don't expire, just return it
                         return token;
                 }
         }

◆ readResourceConfiguration()

String org.mitre.openid.connect.web.ProtectedResourceRegistrationEndpoint.readResourceConfiguration	(	@PathVariable("id") String	clientId,
		Model	m,
		OAuth2Authentication	auth
	)

inline

Get the meta information for a client.

引数

clientId
m
auth

戻り値

                                                                                                                          {
 
                 ClientDetailsEntity client = clientService.loadClientByClientId(clientId);
 
                 if (client != null && client.getClientId().equals(auth.getOAuth2Request().getClientId())) {
 
 
 
                         try {
                                 // possibly update the token
                                 OAuth2AccessTokenEntity token = fetchValidRegistrationToken(auth, client);
 
                                 RegisteredClient registered = new RegisteredClient(client, token.getValue(), config.getIssuer() + "resource/" +  UriUtils.encodePathSegment(client.getClientId(), "UTF-8"));
 
                                 // send it all out to the view
                                 m.addAttribute("client", registered);
                                 m.addAttribute(HttpCodeView.CODE, HttpStatus.OK); // http 200
 
                                 return ClientInformationResponseView.VIEWNAME;
                         } catch (UnsupportedEncodingException e) {
                                 logger.error("Unsupported encoding", e);
                                 m.addAttribute(HttpCodeView.CODE, HttpStatus.INTERNAL_SERVER_ERROR);
                                 return HttpCodeView.VIEWNAME;
                         }
                 } else {
                         // client mismatch
                         logger.error("readResourceConfiguration failed, client ID mismatch: "
                                         + clientId + " and " + auth.getOAuth2Request().getClientId() + " do not match.");
                         m.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN); // http 403
 
                         return HttpCodeView.VIEWNAME;
                 }
         }

◆ registerNewProtectedResource()

String org.mitre.openid.connect.web.ProtectedResourceRegistrationEndpoint.registerNewProtectedResource	(	@RequestBody String	jsonString,
		Model	m
	)

inline

Create a new Client, issue a client ID, and create a registration access token.

引数

jsonString
m
p

戻り値

                                                                                             {
 
                 ClientDetailsEntity newClient = null;
                 try {
                         newClient = ClientDetailsEntityJsonProcessor.parse(jsonString);
                 } catch (JsonSyntaxException e) {
                         // bad parse
                         // didn't parse, this is a bad request
                         logger.error("registerNewProtectedResource failed; submitted JSON is malformed");
                         m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST); // http 400
                         return HttpCodeView.VIEWNAME;
                 }
 
                 if (newClient != null) {
                         // it parsed!
 
                         //
                         // Now do some post-processing consistency checks on it
                         //
 
                         // clear out any spurious id/secret (clients don't get to pick)
                         newClient.setClientId(null);
                         newClient.setClientSecret(null);
 
                         // do validation on the fields
                         try {
                                 newClient = validateScopes(newClient);
                                 newClient = validateAuth(newClient);
                         } catch (ValidationException ve) {
                                 // validation failed, return an error
                                 m.addAttribute(JsonErrorView.ERROR, ve.getError());
                                 m.addAttribute(JsonErrorView.ERROR_MESSAGE, ve.getErrorDescription());
                                 m.addAttribute(HttpCodeView.CODE, ve.getStatus());
                                 return JsonErrorView.VIEWNAME;
                         }
 
 
                         // no grant types are allowed
                         newClient.setGrantTypes(new HashSet<String>());
                         newClient.setResponseTypes(new HashSet<String>());
                         newClient.setRedirectUris(new HashSet<String>());
 
                         // don't issue tokens to this client
                         newClient.setAccessTokenValiditySeconds(0);
                         newClient.setIdTokenValiditySeconds(0);
                         newClient.setRefreshTokenValiditySeconds(0);
 
                         // clear out unused fields
                         newClient.setDefaultACRvalues(new HashSet<String>());
                         newClient.setDefaultMaxAge(null);
                         newClient.setIdTokenEncryptedResponseAlg(null);
                         newClient.setIdTokenEncryptedResponseEnc(null);
                         newClient.setIdTokenSignedResponseAlg(null);
                         newClient.setInitiateLoginUri(null);
                         newClient.setPostLogoutRedirectUris(null);
                         newClient.setRequestObjectSigningAlg(null);
                         newClient.setRequireAuthTime(null);
                         newClient.setReuseRefreshToken(false);
                         newClient.setSectorIdentifierUri(null);
                         newClient.setSubjectType(null);
                         newClient.setUserInfoEncryptedResponseAlg(null);
                         newClient.setUserInfoEncryptedResponseEnc(null);
                         newClient.setUserInfoSignedResponseAlg(null);
 
                         // this client has been dynamically registered (obviously)
                         newClient.setDynamicallyRegistered(true);
 
                         // this client has access to the introspection endpoint
                         newClient.setAllowIntrospection(true);
 
                         // now save it
                         try {
                                 ClientDetailsEntity savedClient = clientService.saveNewClient(newClient);
 
                                 // generate the registration access token
                                 OAuth2AccessTokenEntity token = connectTokenService.createResourceAccessToken(savedClient);
                                 tokenService.saveAccessToken(token);
 
                                 // send it all out to the view
 
                                 RegisteredClient registered = new RegisteredClient(savedClient, token.getValue(), config.getIssuer() + "resource/" + UriUtils.encodePathSegment(savedClient.getClientId(), "UTF-8"));
                                 m.addAttribute("client", registered);
                                 m.addAttribute(HttpCodeView.CODE, HttpStatus.CREATED); // http 201
 
                                 return ClientInformationResponseView.VIEWNAME;
                         } catch (UnsupportedEncodingException e) {
                                 logger.error("Unsupported encoding", e);
                                 m.addAttribute(HttpCodeView.CODE, HttpStatus.INTERNAL_SERVER_ERROR);
                                 return HttpCodeView.VIEWNAME;
                         } catch (IllegalArgumentException e) {
                                 logger.error("Couldn't save client", e);
 
                                 m.addAttribute(JsonErrorView.ERROR, "invalid_client_metadata");
                                 m.addAttribute(JsonErrorView.ERROR_MESSAGE, "Unable to save client due to invalid or inconsistent metadata.");
                                 m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST); // http 400
 
                                 return JsonErrorView.VIEWNAME;
                         }
                 } else {
                         // didn't parse, this is a bad request
                         logger.error("registerNewClient failed; submitted JSON is malformed");
                         m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST); // http 400
 
                         return HttpCodeView.VIEWNAME;
                 }
 
         }

◆ updateProtectedResource()

String org.mitre.openid.connect.web.ProtectedResourceRegistrationEndpoint.updateProtectedResource	(	@PathVariable("id") String	clientId,
		@RequestBody String	jsonString,
		Model	m,
		OAuth2Authentication	auth
	)

inline

Update the metainformation for a given client.

引数

clientId
jsonString
m
auth

戻り値

                                                                                                                                                        {
 
 
                 ClientDetailsEntity newClient = null;
                 try {
                         newClient = ClientDetailsEntityJsonProcessor.parse(jsonString);
                 } catch (JsonSyntaxException e) {
                         // bad parse
                         // didn't parse, this is a bad request
                         logger.error("updateProtectedResource failed; submitted JSON is malformed");
                         m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST); // http 400
                         return HttpCodeView.VIEWNAME;
                 }
 
                 ClientDetailsEntity oldClient = clientService.loadClientByClientId(clientId);
 
                 if (newClient != null && oldClient != null  // we have an existing client and the new one parsed
                                 && oldClient.getClientId().equals(auth.getOAuth2Request().getClientId()) // the client passed in the URI matches the one in the auth
                                 && oldClient.getClientId().equals(newClient.getClientId()) // the client passed in the body matches the one in the URI
                                 ) {
 
                         // a client can't ask to update its own client secret to any particular value
                         newClient.setClientSecret(oldClient.getClientSecret());
 
                         newClient.setCreatedAt(oldClient.getCreatedAt());
 
                         // no grant types are allowed
                         newClient.setGrantTypes(new HashSet<String>());
                         newClient.setResponseTypes(new HashSet<String>());
                         newClient.setRedirectUris(new HashSet<String>());
 
                         // don't issue tokens to this client
                         newClient.setAccessTokenValiditySeconds(0);
                         newClient.setIdTokenValiditySeconds(0);
                         newClient.setRefreshTokenValiditySeconds(0);
 
                         // clear out unused fields
                         newClient.setDefaultACRvalues(new HashSet<String>());
                         newClient.setDefaultMaxAge(null);
                         newClient.setIdTokenEncryptedResponseAlg(null);
                         newClient.setIdTokenEncryptedResponseEnc(null);
                         newClient.setIdTokenSignedResponseAlg(null);
                         newClient.setInitiateLoginUri(null);
                         newClient.setPostLogoutRedirectUris(null);
                         newClient.setRequestObjectSigningAlg(null);
                         newClient.setRequireAuthTime(null);
                         newClient.setReuseRefreshToken(false);
                         newClient.setSectorIdentifierUri(null);
                         newClient.setSubjectType(null);
                         newClient.setUserInfoEncryptedResponseAlg(null);
                         newClient.setUserInfoEncryptedResponseEnc(null);
                         newClient.setUserInfoSignedResponseAlg(null);
 
                         // this client has been dynamically registered (obviously)
                         newClient.setDynamicallyRegistered(true);
 
                         // this client has access to the introspection endpoint
                         newClient.setAllowIntrospection(true);
 
                         // do validation on the fields
                         try {
                                 newClient = validateScopes(newClient);
                                 newClient = validateAuth(newClient);
                         } catch (ValidationException ve) {
                                 // validation failed, return an error
                                 m.addAttribute(JsonErrorView.ERROR, ve.getError());
                                 m.addAttribute(JsonErrorView.ERROR_MESSAGE, ve.getErrorDescription());
                                 m.addAttribute(HttpCodeView.CODE, ve.getStatus());
                                 return JsonErrorView.VIEWNAME;
                         }
 
 
                         try {
                                 // save the client
                                 ClientDetailsEntity savedClient = clientService.updateClient(oldClient, newClient);
 
                                 // possibly update the token
                                 OAuth2AccessTokenEntity token = fetchValidRegistrationToken(auth, savedClient);
 
                                 RegisteredClient registered = new RegisteredClient(savedClient, token.getValue(), config.getIssuer() + "resource/" + UriUtils.encodePathSegment(savedClient.getClientId(), "UTF-8"));
 
                                 // send it all out to the view
                                 m.addAttribute("client", registered);
                                 m.addAttribute(HttpCodeView.CODE, HttpStatus.OK); // http 200
 
                                 return ClientInformationResponseView.VIEWNAME;
                         } catch (UnsupportedEncodingException e) {
                                 logger.error("Unsupported encoding", e);
                                 m.addAttribute(HttpCodeView.CODE, HttpStatus.INTERNAL_SERVER_ERROR);
                                 return HttpCodeView.VIEWNAME;
                         } catch (IllegalArgumentException e) {
                                 logger.error("Couldn't save client", e);
 
                                 m.addAttribute(JsonErrorView.ERROR, "invalid_client_metadata");
                                 m.addAttribute(JsonErrorView.ERROR_MESSAGE, "Unable to save client due to invalid or inconsistent metadata.");
                                 m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST); // http 400
 
                                 return JsonErrorView.VIEWNAME;
                         }
                 } else {
                         // client mismatch
                         logger.error("updateProtectedResource" +
                                         " failed, client ID mismatch: "
                                         + clientId + " and " + auth.getOAuth2Request().getClientId() + " do not match.");
                         m.addAttribute(HttpCodeView.CODE, HttpStatus.FORBIDDEN); // http 403
 
                         return HttpCodeView.VIEWNAME;
                 }
         }

◆ validateAuth()

ClientDetailsEntity org.mitre.openid.connect.web.ProtectedResourceRegistrationEndpoint.validateAuth ( ClientDetailsEntity newClient ) throws ValidationException

inlineprivate

                                                                                                            {
                 if (newClient.getTokenEndpointAuthMethod() == null) {
                         newClient.setTokenEndpointAuthMethod(AuthMethod.SECRET_BASIC);
                 }
 
                 if (newClient.getTokenEndpointAuthMethod() == AuthMethod.SECRET_BASIC ||
                                 newClient.getTokenEndpointAuthMethod() == AuthMethod.SECRET_JWT ||
                                 newClient.getTokenEndpointAuthMethod() == AuthMethod.SECRET_POST) {
 
                         if (Strings.isNullOrEmpty(newClient.getClientSecret())) {
                                 // no secret yet, we need to generate a secret
                                 newClient = clientService.generateClientSecret(newClient);
                         }
                 } else if (newClient.getTokenEndpointAuthMethod() == AuthMethod.PRIVATE_KEY) {
                         if (Strings.isNullOrEmpty(newClient.getJwksUri()) && newClient.getJwks() == null) {
                                 throw new ValidationException("invalid_client_metadata", "JWK Set URI required when using private key authentication", HttpStatus.BAD_REQUEST);
                         }
 
                         newClient.setClientSecret(null);
                 } else if (newClient.getTokenEndpointAuthMethod() == AuthMethod.NONE) {
                         newClient.setClientSecret(null);
                 } else {
                         throw new ValidationException("invalid_client_metadata", "Unknown authentication method", HttpStatus.BAD_REQUEST);
                 }
                 return newClient;
         }

◆ validateScopes()

ClientDetailsEntity org.mitre.openid.connect.web.ProtectedResourceRegistrationEndpoint.validateScopes ( ClientDetailsEntity newClient ) throws ValidationException

inlineprivate

                                                                                                              {
                 // scopes that the client is asking for
                 Set<SystemScope> requestedScopes = scopeService.fromStrings(newClient.getScope());
 
                 // the scopes that the client can have must be a subset of the dynamically allowed scopes
                 Set<SystemScope> allowedScopes = scopeService.removeRestrictedAndReservedScopes(requestedScopes);
 
                 // if the client didn't ask for any, give them the defaults
                 if (allowedScopes == null || allowedScopes.isEmpty()) {
                         allowedScopes = scopeService.getDefaults();
                 }
 
                 newClient.setScope(scopeService.toStrings(allowedScopes));
 
                 return newClient;
         }

メンバ詳解

◆ clientService

ClientDetailsEntityService org.mitre.openid.connect.web.ProtectedResourceRegistrationEndpoint.clientService

private

◆ config

ConfigurationPropertiesBean org.mitre.openid.connect.web.ProtectedResourceRegistrationEndpoint.config

private

◆ connectTokenService

OIDCTokenService org.mitre.openid.connect.web.ProtectedResourceRegistrationEndpoint.connectTokenService

private

◆ logger

final Logger org.mitre.openid.connect.web.ProtectedResourceRegistrationEndpoint.logger = LoggerFactory.getLogger(ProtectedResourceRegistrationEndpoint.class)

staticprivate

Logger for this class

◆ scopeService

SystemScopeService org.mitre.openid.connect.web.ProtectedResourceRegistrationEndpoint.scopeService

private

◆ tokenService

OAuth2TokenEntityService org.mitre.openid.connect.web.ProtectedResourceRegistrationEndpoint.tokenService

private

◆ URL

final String org.mitre.openid.connect.web.ProtectedResourceRegistrationEndpoint.URL = "resource"

static

このクラス詳解は次のファイルから抽出されました:

D:/AppData/OpenId/mitreid-connect/src/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ProtectedResourceRegistrationEndpoint.java

公開メンバ関数

静的公開変数類

非公開メンバ関数

非公開変数類

静的非公開変数類

詳解

関数詳解

◆ deleteResource()

◆ fetchValidRegistrationToken()

◆ readResourceConfiguration()

◆ registerNewProtectedResource()

◆ updateProtectedResource()

◆ validateAuth()

◆ validateScopes()

メンバ詳解

◆ clientService

◆ config

◆ connectTokenService

◆ logger

◆ scopeService

◆ tokenService

◆ URL