Package org.forgerock.oauth2.core

Class AuthorizationService

java.lang.Object

org.forgerock.oauth2.core.AuthorizationService

public class AuthorizationService
extends Object

Handles authorization requests from OAuth2 clients to the OAuth2 provider to grant authorization for a specific client by a specific resource owner.

Since:

12.0.0

Constructor Summary

Constructors

Constructor

Description

AuthorizationService(List<AuthorizeRequestValidator> requestValidators, ResourceOwnerSessionValidator resourceOwnerSessionValidator, OAuth2ProviderSettingsFactory providerSettingsFactory, ResourceOwnerConsentVerifier consentVerifier, ClientRegistrationStore clientRegistrationStore, AuthorizationTokenIssuer tokenIssuer, ClientAuthenticationFailureFactory failureFactory, CsrfProtection csrfProtection)

Constructs a new AuthorizationServiceImpl.

Method Summary

Modifier and Type	Method	Description
AuthorizationToken	authorize(OAuth2Request request)	Handles an initial authorization request from a OAuth2 client, validates the request is valid and contains the required parameters, checks the resource owner has authenticated and given their consent for the client to be authorized before issuing an AuthorizationToken.
AuthorizationToken	authorize(OAuth2Request request, boolean consentGiven, boolean saveConsent)	Handles an authorization request from a OAuth2 client, validates the request is valid and contains the required parameters, checks the resource owner has authenticated and given their consent for the client to be authorized before issuing an AuthorizationToken.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

AuthorizationService

@Inject
public AuthorizationService(List<AuthorizeRequestValidator> requestValidators,
                            ResourceOwnerSessionValidator resourceOwnerSessionValidator,
                            OAuth2ProviderSettingsFactory providerSettingsFactory,
                            ResourceOwnerConsentVerifier consentVerifier,
                            ClientRegistrationStore clientRegistrationStore,
                            AuthorizationTokenIssuer tokenIssuer,
                            ClientAuthenticationFailureFactory failureFactory,
                            CsrfProtection csrfProtection)

Constructs a new AuthorizationServiceImpl.

Parameters:

requestValidators - A List of AuthorizeRequestValidators.

resourceOwnerSessionValidator - An instance of the ResourceOwnerSessionValidator.

providerSettingsFactory - An instance of the OAuth2ProviderSettingsFactory.

consentVerifier - An instance of the ResourceOwnerConsentVerifier.

clientRegistrationStore - An instance of the ClientRegistrationStore.

tokenIssuer - An instance of the AuthorizationTokenIssuer.

failureFactory - The factory which creates ClientExceptions

csrfProtection - An instance of the CsrfProtection.

Method Detail

authorize

public AuthorizationToken authorize(OAuth2Request request)
                             throws ResourceOwnerAuthenticationRequired,
                                    ResourceOwnerConsentRequired,
                                    InvalidClientException,
                                    UnsupportedResponseTypeException,
                                    RedirectUriMismatchException,
                                    InvalidRequestException,
                                    AccessDeniedException,
                                    ServerException,
                                    LoginRequiredException,
                                    BadRequestException,
                                    InteractionRequiredException,
                                    ResourceOwnerConsentRequiredException,
                                    InvalidScopeException,
                                    NotFoundException,
                                    DuplicateRequestParameterException

Handles an initial authorization request from a OAuth2 client, validates the request is valid and contains the required parameters, checks the resource owner has authenticated and given their consent for the client to be authorized before issuing an AuthorizationToken.
If the resource owner is not authenticated, then the user-agent is redirected to a login page for the resource owner to authenticate. And if the resource owner has not given their consent (or have not requested it to be saved from a previous authorization request) the user-agent is redirected to the user consent page. The user-agent is then redirected back to the OAuth2 authorize endpoint.
An AuthorizationToken is only ever issued by this method if the resource owner has previously given their consent. In the case where the user-agent is redirected to the user consent page, when the user-agent is redirected back to OAuth2 authorize endpoint the #authorize(OAuth2Request, boolean, boolean) method on this class must be called.

Parameters:

request - The OAuth2Request for the client requesting authorization. Must not be null.

Returns:

An AuthorizationToken containing the OAuth2 tokens granted as apart of the authorize call.

Throws:

ResourceOwnerAuthenticationRequired - If the resource owner needs to authenticate before the authorize request can be allowed.

ResourceOwnerConsentRequired - If the resource owner's consent is required before the authorize request can be allowed.

InvalidClientException - If either the request does not contain the client's id or the client fails to be authenticated.

UnsupportedResponseTypeException - If the requested response type is not supported by either the client or the OAuth2 provider.

RedirectUriMismatchException - If the redirect uri on the request does not match the redirect uri registered for the client.

InvalidRequestException - If the request is missing any required parameters or is otherwise malformed.

AccessDeniedException - If resource owner authentication fails.

ServerException - If any internal server error occurs.

LoginRequiredException - If authenticating the resource owner fails.

BadRequestException - If the request is malformed.

InteractionRequiredException - If the OpenID Connect prompt parameter enforces that the resource owner is not asked to authenticate, but the resource owner does not have a current authenticated session.

ResourceOwnerConsentRequiredException - If the OpenID Connect prompt parameter enforces that the resource owner is not asked for consent, but the resource owners consent has not been previously stored.

IllegalArgumentException - If the request is missing any required parameters.

InvalidScopeException - If the requested scope is invalid, unknown, or malformed.

NotFoundException - If the realm does not have an OAuth 2.0 provider service.

DuplicateRequestParameterException - If the request contains duplicate parameter.

authorize

public AuthorizationToken authorize(OAuth2Request request,
                                    boolean consentGiven,
                                    boolean saveConsent)
                             throws AccessDeniedException,
                                    ResourceOwnerAuthenticationRequired,
                                    InvalidClientException,
                                    UnsupportedResponseTypeException,
                                    InvalidRequestException,
                                    RedirectUriMismatchException,
                                    ServerException,
                                    LoginRequiredException,
                                    BadRequestException,
                                    InteractionRequiredException,
                                    InvalidScopeException,
                                    NotFoundException,
                                    DuplicateRequestParameterException,
                                    CsrfException

Handles an authorization request from a OAuth2 client, validates the request is valid and contains the required parameters, checks the resource owner has authenticated and given their consent for the client to be authorized before issuing an AuthorizationToken.
If the resource owner is not authenticated, then the user-agent is redirected to a login page for the resource owner to authenticate.

Parameters:

request - The OAuth2Request for the client requesting authorization. Must not be null.

consentGiven - true if the user has given their consent for the requesting client to be authorized.

saveConsent - true if the user has requested that their consent be saved for future authorization requests.

Returns:

An AuthorizationToken containing the OAuth2 tokens granted as apart of the authorize call.

Throws:

AccessDeniedException - If resource owner authentication fails or the resource owner does not grant authorization for the client.

ResourceOwnerAuthenticationRequired - If the resource owner needs to authenticate before the authorize request can be allowed.

InvalidClientException - If either the request does not contain the client's id or the client fails to be authenticated.

UnsupportedResponseTypeException - If the requested response type is not supported by either the client or the OAuth2 provider.

InvalidRequestException - If the request is missing any required parameters or is otherwise malformed.

RedirectUriMismatchException - If the redirect uri on the request does not match the redirect uri registered for the client.

ServerException - If any internal server error occurs.

LoginRequiredException - If authenticating the resource owner fails.

BadRequestException - If the request is malformed.

InteractionRequiredException - If the OpenID Connect prompt parameter enforces that the resource owner is not asked to authenticate, but the resource owner does not have a current authenticated session.

IllegalArgumentException - If the request is missing any required parameters.

InvalidScopeException - If the requested scope is invalid, unknown, or malformed.

NotFoundException - If the realm does not have an OAuth 2.0 provider service.

DuplicateRequestParameterException - If the request contains duplicate parameter.

CsrfException - If an CSRF attack is detected.