org.mitre.oauth2.service.impl.DefaultOAuth2ClientDetailsEntityService の継承関係図

org.mitre.oauth2.service.impl.DefaultOAuth2ClientDetailsEntityService 連携図

クラス
class	SectorIdentifierLoader

公開メンバ関数
ClientDetailsEntity	saveNewClient (ClientDetailsEntity client)

ClientDetailsEntity	getClientById (Long id)

ClientDetailsEntity	loadClientByClientId (String clientId) throws OAuth2Exception, InvalidClientException, IllegalArgumentException

void	deleteClient (ClientDetailsEntity client) throws InvalidClientException

ClientDetailsEntity	updateClient (ClientDetailsEntity oldClient, ClientDetailsEntity newClient) throws IllegalArgumentException

Collection< ClientDetailsEntity >	getAllClients ()

ClientDetailsEntity	generateClientId (ClientDetailsEntity client)

ClientDetailsEntity	generateClientSecret (ClientDetailsEntity client)

非公開メンバ関数
void	ensureKeyConsistency (ClientDetailsEntity client)

void	ensureNoReservedScopes (ClientDetailsEntity client)

void	checkSectorIdentifierUri (ClientDetailsEntity client)

void	ensureRefreshTokenConsistency (ClientDetailsEntity client)

void	checkHeartMode (ClientDetailsEntity client)

非公開変数類
OAuth2ClientRepository	clientRepository

OAuth2TokenRepository	tokenRepository

ApprovedSiteService	approvedSiteService

WhitelistedSiteService	whitelistedSiteService

BlacklistedSiteService	blacklistedSiteService

SystemScopeService	scopeService

StatsService	statsService

ResourceSetService	resourceSetService

ConfigurationPropertiesBean	config

LoadingCache< String, List< String > >	sectorRedirects

静的非公開変数類
static final Logger	logger = LoggerFactory.getLogger(DefaultOAuth2ClientDetailsEntityService.class)

詳解

関数詳解

◆ checkHeartMode()

void org.mitre.oauth2.service.impl.DefaultOAuth2ClientDetailsEntityService.checkHeartMode ( ClientDetailsEntity client )

inlineprivate

If HEART mode is enabled, make sure the client meets the requirements:

Only one of authorization_code, implicit, or client_credentials can be used at a time
A redirect_uri must be registered with either authorization_code or implicit
A key must be registered
A client secret must not be generated
authorization_code and client_credentials must use the private_key authorization method
引数

client

                                                                 {
                 if (config.isHeartMode()) {
                         if (client.getGrantTypes().contains("authorization_code")) {
                                 // make sure we don't have incompatible grant types
                                 if (client.getGrantTypes().contains("implicit") || client.getGrantTypes().contains("client_credentials")) {
                                         throw new IllegalArgumentException("[HEART mode] Incompatible grant types");
                                 }
 
                                 // make sure we've got the right authentication method
                                 if (client.getTokenEndpointAuthMethod() == null || !client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY)) {
                                         throw new IllegalArgumentException("[HEART mode] Authorization code clients must use the private_key authentication method");
                                 }
 
                                 // make sure we've got a redirect URI
                                 if (client.getRedirectUris().isEmpty()) {
                                         throw new IllegalArgumentException("[HEART mode] Authorization code clients must register at least one redirect URI");
                                 }
                         }
 
                         if (client.getGrantTypes().contains("implicit")) {
                                 // make sure we don't have incompatible grant types
                                 if (client.getGrantTypes().contains("authorization_code") || client.getGrantTypes().contains("client_credentials") || client.getGrantTypes().contains("refresh_token")) {
                                         throw new IllegalArgumentException("[HEART mode] Incompatible grant types");
                                 }
 
                                 // make sure we've got the right authentication method
                                 if (client.getTokenEndpointAuthMethod() == null || !client.getTokenEndpointAuthMethod().equals(AuthMethod.NONE)) {
                                         throw new IllegalArgumentException("[HEART mode] Implicit clients must use the none authentication method");
                                 }
 
                                 // make sure we've got a redirect URI
                                 if (client.getRedirectUris().isEmpty()) {
                                         throw new IllegalArgumentException("[HEART mode] Implicit clients must register at least one redirect URI");
                                 }
                         }
 
                         if (client.getGrantTypes().contains("client_credentials")) {
                                 // make sure we don't have incompatible grant types
                                 if (client.getGrantTypes().contains("authorization_code") || client.getGrantTypes().contains("implicit") || client.getGrantTypes().contains("refresh_token")) {
                                         throw new IllegalArgumentException("[HEART mode] Incompatible grant types");
                                 }
 
                                 // make sure we've got the right authentication method
                                 if (client.getTokenEndpointAuthMethod() == null || !client.getTokenEndpointAuthMethod().equals(AuthMethod.PRIVATE_KEY)) {
                                         throw new IllegalArgumentException("[HEART mode] Client credentials clients must use the private_key authentication method");
                                 }
 
                                 // make sure we've got a redirect URI
                                 if (!client.getRedirectUris().isEmpty()) {
                                         throw new IllegalArgumentException("[HEART mode] Client credentials clients must not register a redirect URI");
                                 }
 
                         }
 
                         if (client.getGrantTypes().contains("password")) {
                                 throw new IllegalArgumentException("[HEART mode] Password grant type is forbidden");
                         }
 
                         // make sure we don't have a client secret
                         if (!Strings.isNullOrEmpty(client.getClientSecret())) {
                                 throw new IllegalArgumentException("[HEART mode] Client secrets are not allowed");
                         }
 
                         // make sure we've got a key registered
                         if (client.getJwks() == null && Strings.isNullOrEmpty(client.getJwksUri())) {
                                 throw new IllegalArgumentException("[HEART mode] All clients must have a key registered");
                         }
 
                         // make sure our redirect URIs each fit one of the allowed categories
                         if (client.getRedirectUris() != null && !client.getRedirectUris().isEmpty()) {
                                 boolean localhost = false;
                                 boolean remoteHttps = false;
                                 boolean customScheme = false;
                                 for (String uri : client.getRedirectUris()) {
                                         UriComponents components = UriComponentsBuilder.fromUriString(uri).build();
                                         if (components.getScheme() == null) {
                                                 // this is a very unknown redirect URI
                                                 customScheme = true;
                                         } else if (components.getScheme().equals("http")) {
                                                 // http scheme, check for localhost
                                                 if (components.getHost().equals("localhost") || components.getHost().equals("127.0.0.1")) {
                                                         localhost = true;
                                                 } else {
                                                         throw new IllegalArgumentException("[HEART mode] Can't have an http redirect URI on non-local host");
                                                 }
                                         } else if (components.getScheme().equals("https")) {
                                                 remoteHttps = true;
                                         } else {
                                                 customScheme = true;
                                         }
                                 }
 
                                 // now we make sure the client has a URI in only one of each of the three categories
                                 if (!((localhost ^ remoteHttps ^ customScheme)
                                                 && !(localhost && remoteHttps && customScheme))) {
                                         throw new IllegalArgumentException("[HEART mode] Can't have more than one class of redirect URI");
                                 }
                         }
 
                 }
         }

◆ checkSectorIdentifierUri()

void org.mitre.oauth2.service.impl.DefaultOAuth2ClientDetailsEntityService.checkSectorIdentifierUri ( ClientDetailsEntity client )

inlineprivate

Load the sector identifier URI if it exists and check the redirect URIs against it

引数

client

                                                                           {
                 if (!Strings.isNullOrEmpty(client.getSectorIdentifierUri())) {
                         try {
                                 List<String> redirects = sectorRedirects.get(client.getSectorIdentifierUri());
 
                                 if (client.getRegisteredRedirectUri() != null) {
                                         for (String uri : client.getRegisteredRedirectUri()) {
                                                 if (!redirects.contains(uri)) {
                                                         throw new IllegalArgumentException("Requested Redirect URI " + uri + " is not listed at sector identifier " + redirects);
                                                 }
                                         }
                                 }
 
                         } catch (UncheckedExecutionException | ExecutionException e) {
                                 throw new IllegalArgumentException("Unable to load sector identifier URI " + client.getSectorIdentifierUri() + ": " + e.getMessage());
                         }
                 }
         }

◆ deleteClient()

void org.mitre.oauth2.service.impl.DefaultOAuth2ClientDetailsEntityService.deleteClient ( ClientDetailsEntity client ) throws InvalidClientException

inline

Delete a client and all its associated tokens

org.mitre.oauth2.service.ClientDetailsEntityServiceを実装しています。

                                                                                            {
 
                 if (clientRepository.getById(client.getId()) == null) {
                         throw new InvalidClientException("Client with id " + client.getClientId() + " was not found");
                 }
 
                 // clean out any tokens that this client had issued
                 tokenRepository.clearTokensForClient(client);
 
                 // clean out any approved sites for this client
                 approvedSiteService.clearApprovedSitesForClient(client);
 
                 // clear out any whitelisted sites for this client
                 WhitelistedSite whitelistedSite = whitelistedSiteService.getByClientId(client.getClientId());
                 if (whitelistedSite != null) {
                         whitelistedSiteService.remove(whitelistedSite);
                 }
 
                 // clear out resource sets registered for this client
                 Collection<ResourceSet> resourceSets = resourceSetService.getAllForClient(client);
                 for (ResourceSet rs : resourceSets) {
                         resourceSetService.remove(rs);
                 }
 
                 // take care of the client itself
                 clientRepository.deleteClient(client);
 
                 statsService.resetCache();
 
         }

◆ ensureKeyConsistency()

void org.mitre.oauth2.service.impl.DefaultOAuth2ClientDetailsEntityService.ensureKeyConsistency ( ClientDetailsEntity client )

inlineprivate

Make sure the client has only one type of key registered

引数

client

                                                                       {
                 if (client.getJwksUri() != null && client.getJwks() != null) {
                         // a client can only have one key type or the other, not both
                         throw new IllegalArgumentException("A client cannot have both JWKS URI and JWKS value");
                 }
         }

◆ ensureNoReservedScopes()

void org.mitre.oauth2.service.impl.DefaultOAuth2ClientDetailsEntityService.ensureNoReservedScopes ( ClientDetailsEntity client )

inlineprivate

Make sure the client doesn't request any system reserved scopes

                                                                         {
                 // make sure a client doesn't get any special system scopes
                 Set<SystemScope> requestedScope = scopeService.fromStrings(client.getScope());
 
                 requestedScope = scopeService.removeReservedScopes(requestedScope);
 
                 client.setScope(scopeService.toStrings(requestedScope));
         }

◆ ensureRefreshTokenConsistency()

void org.mitre.oauth2.service.impl.DefaultOAuth2ClientDetailsEntityService.ensureRefreshTokenConsistency ( ClientDetailsEntity client )

inlineprivate

Make sure the client has the appropriate scope and grant type.

引数

client

                                                                                {
                 if (client.getAuthorizedGrantTypes().contains("refresh_token")
                                 || client.getScope().contains(SystemScopeService.OFFLINE_ACCESS)) {
                         client.getScope().add(SystemScopeService.OFFLINE_ACCESS);
                         client.getAuthorizedGrantTypes().add("refresh_token");
                 }
         }

◆ generateClientId()

ClientDetailsEntity org.mitre.oauth2.service.impl.DefaultOAuth2ClientDetailsEntityService.generateClientId ( ClientDetailsEntity client )

inline

Generates a clientId for the given client and sets it to the client's clientId field. Returns the client that was passed in, now with id set.

org.mitre.oauth2.service.ClientDetailsEntityServiceを実装しています。

                                                                                 {
                 client.setClientId(UUID.randomUUID().toString());
                 return client;
         }

◆ generateClientSecret()

ClientDetailsEntity org.mitre.oauth2.service.impl.DefaultOAuth2ClientDetailsEntityService.generateClientSecret ( ClientDetailsEntity client )

inline

Generates a new clientSecret for the given client and sets it to the client's clientSecret field. Returns the client that was passed in, now with secret set.

org.mitre.oauth2.service.ClientDetailsEntityServiceを実装しています。

                                                                                     {
                 if (config.isHeartMode()) {
                         logger.error("[HEART mode] Can't generate a client secret, skipping step; client won't be saved due to invalid configuration");
                         client.setClientSecret(null);
                 } else {
                         client.setClientSecret(Base64.encodeBase64URLSafeString(new BigInteger(512, new SecureRandom()).toByteArray()).replace("=", ""));
                 }
                 return client;
         }

◆ getAllClients()

Collection<ClientDetailsEntity> org.mitre.oauth2.service.impl.DefaultOAuth2ClientDetailsEntityService.getAllClients ( )

inline

Get all clients in the system

org.mitre.oauth2.service.ClientDetailsEntityServiceを実装しています。

                                                                {
                 return clientRepository.getAllClients();
         }

◆ getClientById()

ClientDetailsEntity org.mitre.oauth2.service.impl.DefaultOAuth2ClientDetailsEntityService.getClientById ( Long id )

inline

Get the client by its internal ID

org.mitre.oauth2.service.ClientDetailsEntityServiceを実装しています。

                                                           {
                 ClientDetailsEntity client = clientRepository.getById(id);
 
                 return client;
         }

◆ loadClientByClientId()

ClientDetailsEntity org.mitre.oauth2.service.impl.DefaultOAuth2ClientDetailsEntityService.loadClientByClientId ( String clientId ) throws OAuth2Exception, InvalidClientException, IllegalArgumentException

inline

Get the client for the given ClientID

org.mitre.oauth2.service.ClientDetailsEntityServiceを実装しています。

                                                                                                                                                   {
                 if (!Strings.isNullOrEmpty(clientId)) {
                         ClientDetailsEntity client = clientRepository.getClientByClientId(clientId);
                         if (client == null) {
                                 throw new InvalidClientException("Client with id " + clientId + " was not found");
                         }
                         else {
                                 return client;
                         }
                 }
 
                 throw new IllegalArgumentException("Client id must not be empty!");
         }

◆ saveNewClient()

ClientDetailsEntity org.mitre.oauth2.service.impl.DefaultOAuth2ClientDetailsEntityService.saveNewClient ( ClientDetailsEntity client )

inline

org.mitre.oauth2.service.ClientDetailsEntityServiceを実装しています。

                                                                              {
                 if (client.getId() != null) { // if it's not null, it's already been saved, this is an error
                         throw new IllegalArgumentException("Tried to save a new client with an existing ID: " + client.getId());
                 }
 
                 if (client.getRegisteredRedirectUri() != null) {
                         for (String uri : client.getRegisteredRedirectUri()) {
                                 if (blacklistedSiteService.isBlacklisted(uri)) {
                                         throw new IllegalArgumentException("Client URI is blacklisted: " + uri);
                                 }
                         }
                 }
 
                 // assign a random clientid if it's empty
                 // NOTE: don't assign a random client secret without asking, since public clients have no secret
                 if (Strings.isNullOrEmpty(client.getClientId())) {
                         client = generateClientId(client);
                 }
 
                 // make sure that clients with the "refresh_token" grant type have the "offline_access" scope, and vice versa
                 ensureRefreshTokenConsistency(client);
 
                 // make sure we don't have both a JWKS and a JWKS URI
                 ensureKeyConsistency(client);
 
                 // check consistency when using HEART mode
                 checkHeartMode(client);
 
                 // timestamp this to right now
                 client.setCreatedAt(new Date());
 
 
                 // check the sector URI
                 checkSectorIdentifierUri(client);
 
 
                 ensureNoReservedScopes(client);
 
                 ClientDetailsEntity c = clientRepository.saveClient(client);
 
                 statsService.resetCache();
 
                 return c;
         }

◆ updateClient()

ClientDetailsEntity org.mitre.oauth2.service.impl.DefaultOAuth2ClientDetailsEntityService.updateClient	(	ClientDetailsEntity	oldClient,
		ClientDetailsEntity	newClient
	)		throws IllegalArgumentException

inline

Update the oldClient with information from the newClient. The id from oldClient is retained.

Checks to make sure the refresh grant type and the scopes are set appropriately.

Checks to make sure the redirect URIs aren't blacklisted.

Attempts to load the redirect URI (possibly cached) to check the sector identifier against the contents there.

org.mitre.oauth2.service.ClientDetailsEntityServiceを実装しています。

                                                                                                                                               {
                 if (oldClient != null && newClient != null) {
 
                         for (String uri : newClient.getRegisteredRedirectUri()) {
                                 if (blacklistedSiteService.isBlacklisted(uri)) {
                                         throw new IllegalArgumentException("Client URI is blacklisted: " + uri);
                                 }
                         }
 
                         // if the client is flagged to allow for refresh tokens, make sure it's got the right scope
                         ensureRefreshTokenConsistency(newClient);
 
                         // make sure we don't have both a JWKS and a JWKS URI
                         ensureKeyConsistency(newClient);
 
                         // check consistency when using HEART mode
                         checkHeartMode(newClient);
 
                         // check the sector URI
                         checkSectorIdentifierUri(newClient);
 
                         // make sure a client doesn't get any special system scopes
                         ensureNoReservedScopes(newClient);
 
                         return clientRepository.updateClient(oldClient.getId(), newClient);
                 }
                 throw new IllegalArgumentException("Neither old client or new client can be null!");
         }

メンバ詳解

◆ approvedSiteService

ApprovedSiteService org.mitre.oauth2.service.impl.DefaultOAuth2ClientDetailsEntityService.approvedSiteService

private

◆ blacklistedSiteService

BlacklistedSiteService org.mitre.oauth2.service.impl.DefaultOAuth2ClientDetailsEntityService.blacklistedSiteService

private

◆ clientRepository

OAuth2ClientRepository org.mitre.oauth2.service.impl.DefaultOAuth2ClientDetailsEntityService.clientRepository

private

◆ config

ConfigurationPropertiesBean org.mitre.oauth2.service.impl.DefaultOAuth2ClientDetailsEntityService.config

private

◆ logger

final Logger org.mitre.oauth2.service.impl.DefaultOAuth2ClientDetailsEntityService.logger = LoggerFactory.getLogger(DefaultOAuth2ClientDetailsEntityService.class)

staticprivate

Logger for this class

◆ resourceSetService

ResourceSetService org.mitre.oauth2.service.impl.DefaultOAuth2ClientDetailsEntityService.resourceSetService

private

◆ scopeService

SystemScopeService org.mitre.oauth2.service.impl.DefaultOAuth2ClientDetailsEntityService.scopeService

private

◆ sectorRedirects

LoadingCache<String, List<String> > org.mitre.oauth2.service.impl.DefaultOAuth2ClientDetailsEntityService.sectorRedirects

private

初期値:

= CacheBuilder.newBuilder()
                        .expireAfterAccess(1, TimeUnit.HOURS)
                        .maximumSize(100)
                        .build(new SectorIdentifierLoader(HttpClientBuilder.create().useSystemProperties().build()))

◆ statsService

StatsService org.mitre.oauth2.service.impl.DefaultOAuth2ClientDetailsEntityService.statsService

private

◆ tokenRepository

OAuth2TokenRepository org.mitre.oauth2.service.impl.DefaultOAuth2ClientDetailsEntityService.tokenRepository

private

◆ whitelistedSiteService

WhitelistedSiteService org.mitre.oauth2.service.impl.DefaultOAuth2ClientDetailsEntityService.whitelistedSiteService

private

このクラス詳解は次のファイルから抽出されました:

D:/AppData/OpenId/mitreid-connect/src/openid-connect-server/src/main/java/org/mitre/oauth2/service/impl/DefaultOAuth2ClientDetailsEntityService.java

クラス

公開メンバ関数

非公開メンバ関数

非公開変数類

静的非公開変数類

詳解

関数詳解

◆ checkHeartMode()

◆ checkSectorIdentifierUri()

◆ deleteClient()

◆ ensureKeyConsistency()

◆ ensureNoReservedScopes()

◆ ensureRefreshTokenConsistency()

◆ generateClientId()

◆ generateClientSecret()

◆ getAllClients()

◆ getClientById()

◆ loadClientByClientId()

◆ saveNewClient()

◆ updateClient()

メンバ詳解

◆ approvedSiteService

◆ blacklistedSiteService

◆ clientRepository

◆ config

◆ logger

◆ resourceSetService

◆ scopeService

◆ sectorRedirects

◆ statsService

◆ tokenRepository

◆ whitelistedSiteService