org.mitre.oauth2.web.IntrospectionEndpoint クラス

org.mitre.oauth2.web.IntrospectionEndpoint 連携図

公開メンバ関数
	IntrospectionEndpoint ()
	IntrospectionEndpoint (OAuth2TokenEntityService tokenServices)
String	verify (@RequestParam("token") String tokenValue, @RequestParam(value="token_type_hint", required=false) String tokenType, Authentication auth, Model model)

静的公開変数類
static final String	URL = "introspect"

非公開変数類
OAuth2TokenEntityService	tokenServices
ClientDetailsEntityService	clientService
IntrospectionResultAssembler	introspectionResultAssembler
UserInfoService	userInfoService
ResourceSetService	resourceSetService

静的非公開変数類
static final Logger	logger = LoggerFactory.getLogger(IntrospectionEndpoint.class)

詳解

構築子と解体子

IntrospectionEndpoint() [1/2]

org.mitre.oauth2.web.IntrospectionEndpoint.IntrospectionEndpoint ( )

inline

                                       {

        }

IntrospectionEndpoint() [2/2]

org.mitre.oauth2.web.IntrospectionEndpoint.IntrospectionEndpoint ( OAuth2TokenEntityService  tokenServices )

inline

                                                                             {
                this.tokenServices = tokenServices;
        }

関数詳解

verify()

String org.mitre.oauth2.web.IntrospectionEndpoint.verify ( @RequestParam("token") String  tokenValue, @RequestParam(value="token_type_hint", required=false) String  tokenType, Authentication  auth, Model  model  )

inline

                                                          {

                ClientDetailsEntity authClient = null;
                Set<String> authScopes = new HashSet<>();

                if (auth instanceof OAuth2Authentication) {
                        // the client authenticated with OAuth, do our UMA checks
                        ensureOAuthScope(auth, SystemScopeService.UMA_PROTECTION_SCOPE);

                        // get out the client that was issued the access token (not the token being introspected)
                        OAuth2Authentication o2a = (OAuth2Authentication) auth;

                        String authClientId = o2a.getOAuth2Request().getClientId();
                        authClient = clientService.loadClientByClientId(authClientId);

                        // the owner is the user who authorized the token in the first place
                        String ownerId = o2a.getUserAuthentication().getName();

                        authScopes.addAll(authClient.getScope());

                        // UMA style clients also get a subset of scopes of all the resource sets they've registered
                        Collection<ResourceSet> resourceSets = resourceSetService.getAllForOwnerAndClient(ownerId, authClientId);

                        // collect all the scopes
                        for (ResourceSet rs : resourceSets) {
                                authScopes.addAll(rs.getScopes());
                        }

                } else {
                        // the client authenticated directly, make sure it's got the right access

                        String authClientId = auth.getName(); // direct authentication puts the client_id into the authentication's name field
                        authClient = clientService.loadClientByClientId(authClientId);

                        // directly authenticated clients get a subset of any scopes that they've registered for
                        authScopes.addAll(authClient.getScope());

                        if (!AuthenticationUtilities.hasRole(auth, "ROLE_CLIENT")
                                        || !authClient.isAllowIntrospection()) {

                                // this client isn't allowed to do direct introspection

                                logger.error("Client " + authClient.getClientId() + " is not allowed to call introspection endpoint");
                                model.addAttribute("code", HttpStatus.FORBIDDEN);
                                return HttpCodeView.VIEWNAME;

                        }

                }

                // by here we're allowed to introspect, now we need to look up the token in our token stores

                // first make sure the token is there
                if (Strings.isNullOrEmpty(tokenValue)) {
                        logger.error("Verify failed; token value is null");
                        Map<String,Boolean> entity = ImmutableMap.of("active", Boolean.FALSE);
                        model.addAttribute(JsonEntityView.ENTITY, entity);
                        return JsonEntityView.VIEWNAME;
                }

                OAuth2AccessTokenEntity accessToken = null;
                OAuth2RefreshTokenEntity refreshToken = null;
                ClientDetailsEntity tokenClient;
                UserInfo user;

                try {

                        // check access tokens first (includes ID tokens)
                        accessToken = tokenServices.readAccessToken(tokenValue);

                        tokenClient = accessToken.getClient();

                        // get the user information of the user that authorized this token in the first place
                        String userName = accessToken.getAuthenticationHolder().getAuthentication().getName();
                        user = userInfoService.getByUsernameAndClientId(userName, tokenClient.getClientId());

                } catch (InvalidTokenException e) {
                        logger.info("Invalid access token. Checking refresh token.");
                        try {

                                // check refresh tokens next
                                refreshToken = tokenServices.getRefreshToken(tokenValue);

                                tokenClient = refreshToken.getClient();

                                // get the user information of the user that authorized this token in the first place
                                String userName = refreshToken.getAuthenticationHolder().getAuthentication().getName();
                                user = userInfoService.getByUsernameAndClientId(userName, tokenClient.getClientId());

                        } catch (InvalidTokenException e2) {
                                logger.error("Invalid refresh token");
                                Map<String,Boolean> entity = ImmutableMap.of(IntrospectionResultAssembler.ACTIVE, Boolean.FALSE);
                                model.addAttribute(JsonEntityView.ENTITY, entity);
                                return JsonEntityView.VIEWNAME;
                        }
                }

                // if it's a valid token, we'll print out information on it

                if (accessToken != null) {
                        Map<String, Object> entity = introspectionResultAssembler.assembleFrom(accessToken, user, authScopes);
                        model.addAttribute(JsonEntityView.ENTITY, entity);
                } else if (refreshToken != null) {
                        Map<String, Object> entity = introspectionResultAssembler.assembleFrom(refreshToken, user, authScopes);
                        model.addAttribute(JsonEntityView.ENTITY, entity);
                } else {
                        // no tokens were found (we shouldn't get here)
                        logger.error("Verify failed; Invalid access/refresh token");
                        Map<String,Boolean> entity = ImmutableMap.of(IntrospectionResultAssembler.ACTIVE, Boolean.FALSE);
                        model.addAttribute(JsonEntityView.ENTITY, entity);
                        return JsonEntityView.VIEWNAME;
                }

                return JsonEntityView.VIEWNAME;

        }

メンバ詳解

clientService

ClientDetailsEntityService org.mitre.oauth2.web.IntrospectionEndpoint.clientService

private

introspectionResultAssembler

IntrospectionResultAssembler org.mitre.oauth2.web.IntrospectionEndpoint.introspectionResultAssembler

private

logger

final Logger org.mitre.oauth2.web.IntrospectionEndpoint.logger = LoggerFactory.getLogger(IntrospectionEndpoint.class)

staticprivate

Logger for this class

resourceSetService

ResourceSetService org.mitre.oauth2.web.IntrospectionEndpoint.resourceSetService

private

tokenServices

OAuth2TokenEntityService org.mitre.oauth2.web.IntrospectionEndpoint.tokenServices

private

URL

final String org.mitre.oauth2.web.IntrospectionEndpoint.URL = "introspect"

static

userInfoService

UserInfoService org.mitre.oauth2.web.IntrospectionEndpoint.userInfoService

private

---

このクラス詳解は次のファイルから抽出されました:

• D:/AppData/OpenId/mitreid-connect/src/openid-connect-server/src/main/java/org/mitre/oauth2/web/IntrospectionEndpoint.java