org.forgerock.openam.oauth2

Class OpenAMScopeValidator

java.lang.Object

org.forgerock.openam.oauth2.OpenAMScopeValidator

All Implemented Interfaces:

ScopeValidator

@Singleton
public class OpenAMScopeValidator
extends Object
implements ScopeValidator

Provided as extension points to allow the OpenAM OAuth2 provider to customise the requested scope of authorize, access token and refresh token requests and to allow the OAuth2 provider to return additional data from these endpoints as well.

Since:

12.0.0

Constructor Summary

Constructors

Constructor and Description
OpenAMScopeValidator(IdentityManager identityManager, OpenIDTokenIssuer openIDTokenIssuer, OAuth2ProviderSettingsFactory providerSettingsFactory, OpenAMSettings openAMSettings, ScriptEvaluator scriptEvaluator, ScriptingServiceFactory scriptingServiceFactory, TokenRestrictionResolver agentValidator, SessionService sessionService) Constructs a new OpenAMScopeValidator.

Method Summary

Modifier and Type	Method and Description
Map<String,String>	additionalDataToReturnFromAuthorizeEndpoint(Map<String,Token> tokens, OAuth2Request request) Provided as an extension point to allow the OAuth2 provider to return additional data from an authorization request.
void	additionalDataToReturnFromTokenEndpoint(AccessToken accessToken, OAuth2Request request) Provided as an extension point to allow the OAuth2 provider to return additional data from an access token request.
Map<String,Object>	evaluateScope(AccessToken accessToken) Gets the specified access token's information.
UserInfoClaims	getUserInfo(ClientRegistration clientRegistration, AccessToken token, OAuth2Request request) Gets the resource owners information based on an issued access token.
Set<String>	validateAccessTokenScope(ClientRegistration client, Set<String> scope, OAuth2Request request) Provided as an extension point to allow the OAuth2 provider to customise the scope requested when an access token is requested.
Set<String>	validateAuthorizationScope(ClientRegistration client, Set<String> scope, OAuth2Request request) Provided as an extension point to allow the OAuth2 provider to customise the scope requested when authorization is requested.
Set<String>	validateRefreshTokenScope(ClientRegistration clientRegistration, Set<String> requestedScope, Set<String> tokenScope, OAuth2Request request) Provided as an extension point to allow the OAuth2 provider to customise the scope requested when a refresh token is requested.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

OpenAMScopeValidator

@Inject
public OpenAMScopeValidator(IdentityManager identityManager,
                                    OpenIDTokenIssuer openIDTokenIssuer,
                                    OAuth2ProviderSettingsFactory providerSettingsFactory,
                                    OpenAMSettings openAMSettings,
                                    @Named(value="OIDC_CLAIMS")
                                    ScriptEvaluator scriptEvaluator,
                                    ScriptingServiceFactory scriptingServiceFactory,
                                    TokenRestrictionResolver agentValidator,
                                    SessionService sessionService)

Constructs a new OpenAMScopeValidator.

Parameters:

identityManager - An instance of the IdentityManager.

openIDTokenIssuer - An instance of the OpenIDTokenIssuer.

providerSettingsFactory - An instance of the CTSPersistentStore.

openAMSettings - An instance of the OpenAMSettings.

scriptEvaluator - An instance of the OIDC Claims ScriptEvaluator.

scriptingServiceFactory - An instance of the ScriptingServiceFactory.

agentValidator - An instance of LDAPAgentValidator used to retrieve the token restriction.

sessionService - An instance of SessionService.

Method Detail

validateAuthorizationScope

public Set<String> validateAuthorizationScope(ClientRegistration client,
                                              Set<String> scope,
                                              OAuth2Request request)
                                       throws InvalidScopeException,
                                              ServerException

Provided as an extension point to allow the OAuth2 provider to customise the scope requested when authorization is requested.

Specified by:

validateAuthorizationScope in interface ScopeValidator

Parameters:

client - The client registration.

scope - The requested scope.

request - The OAuth2 request.

Returns:

The updated scope used in the remaining OAuth2 process.

Throws:

InvalidScopeException - If the requested scope is invalid, unknown, or malformed.

ServerException - If any internal server error occurs.

validateAccessTokenScope

public Set<String> validateAccessTokenScope(ClientRegistration client,
                                            Set<String> scope,
                                            OAuth2Request request)
                                     throws InvalidScopeException,
                                            ServerException

Provided as an extension point to allow the OAuth2 provider to customise the scope requested when an access token is requested.

Specified by:

validateAccessTokenScope in interface ScopeValidator

Parameters:

client - The client registration.

scope - The requested scope.

request - The OAuth2 request.

Returns:

The updated scope used in the remaining OAuth2 process.

Throws:

InvalidScopeException - If the requested scope is invalid, unknown, or malformed.

ServerException - If any internal server error occurs.

validateRefreshTokenScope

public Set<String> validateRefreshTokenScope(ClientRegistration clientRegistration,
                                             Set<String> requestedScope,
                                             Set<String> tokenScope,
                                             OAuth2Request request)
                                      throws ServerException,
                                             InvalidScopeException

Provided as an extension point to allow the OAuth2 provider to customise the scope requested when a refresh token is requested.

Specified by:

validateRefreshTokenScope in interface ScopeValidator

Parameters:

clientRegistration - The client registration.

requestedScope - The requested scope.

tokenScope - The scope from the access token.

request - The OAuth2 request.

Returns:

The updated scope used in the remaining OAuth2 process.

Throws:

ServerException - If any internal server error occurs.

InvalidScopeException - If the requested scope is invalid, unknown, or malformed.

getUserInfo

public UserInfoClaims getUserInfo(ClientRegistration clientRegistration,
                                  AccessToken token,
                                  OAuth2Request request)
                           throws UnauthorizedClientException,
                                  NotFoundException

Gets the resource owners information based on an issued access token.

Specified by:

getUserInfo in interface ScopeValidator

Parameters:

clientRegistration - The client registration.

token - The access token.

request - The OAuth2 request.

Returns:

A Map<String, Object> of the resource owner's information.

Throws:

UnauthorizedClientException - If the client's authorization fails.

NotFoundException - If the realm does not have an OAuth 2.0 provider service.

evaluateScope

public Map<String,Object> evaluateScope(AccessToken accessToken)

Gets the specified access token's information.

Specified by:

evaluateScope in interface ScopeValidator

Parameters:

accessToken - The access token.

Returns:

A Map<String, Object> of the access token's information.

additionalDataToReturnFromAuthorizeEndpoint

public Map<String,String> additionalDataToReturnFromAuthorizeEndpoint(Map<String,Token> tokens,
                                                                      OAuth2Request request)

Provided as an extension point to allow the OAuth2 provider to return additional data from an authorization request.

Specified by:

additionalDataToReturnFromAuthorizeEndpoint in interface ScopeValidator

Parameters:

tokens - The tokens that will be returned from the authorization call.

request - The OAuth2 request.

Returns:

A Map<String, String> of the additional data to return.

additionalDataToReturnFromTokenEndpoint

public void additionalDataToReturnFromTokenEndpoint(AccessToken accessToken,
                                                    OAuth2Request request)
                                             throws ServerException,
                                                    InvalidClientException,
                                                    NotFoundException

Provided as an extension point to allow the OAuth2 provider to return additional data from an access token request.
Any additional data to be returned should be added to the access token by invoking, AccessToken#addExtraData(String, String).

Specified by:

additionalDataToReturnFromTokenEndpoint in interface ScopeValidator

Parameters:

accessToken - The access token.

request - The OAuth2 request.

Throws:

ServerException - If any internal server error occurs.

InvalidClientException - If either the request does not contain the client's id or the client fails to be authenticated.

NotFoundException - If the realm does not have an OAuth 2.0 provider service.