/*
* Copyright 2015, Google Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following disclaimer
* in the documentation and/or other materials provided with the
* distribution.
*
* * Neither the name of Google Inc. nor the names of its
* contributors may be used to endorse or promote products derived from
* this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
package com.google.auth.oauth2;
import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpRequest;
import com.google.api.client.http.HttpRequestFactory;
import com.google.api.client.http.HttpResponse;
import com.google.api.client.http.UrlEncodedContent;
import com.google.api.client.json.GenericJson;
import com.google.api.client.json.JsonObjectParser;
import com.google.api.client.util.GenericData;
import com.google.api.client.util.Joiner;
import com.google.api.client.util.Preconditions;
import com.google.auth.http.HttpTransportFactory;
import com.google.common.collect.ImmutableList;
import java.io.IOException;
import java.net.URI;
import java.net.URL;
import java.util.Collection;
import java.util.Date;
/** Handles an interactive 3-Legged-OAuth2 (3LO) user consent authorization. */
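public class UserAuthorizer {

  /** Callback path used when the builder supplies none; relative, so it needs a base URI. */
  static final URI DEFAULT_CALLBACK_URI = URI.create("/oauth2callback");

  // Error prefixes passed to the OAuth2Utils validators. They never vary per instance, so they
  // are class constants rather than instance fields.
  private static final String TOKEN_STORE_ERROR = "Error parsing stored token data.";
  private static final String FETCH_TOKEN_ERROR = "Error reading result of Token API:";

  private final ClientId clientId;
  private final Collection<String> scopes;
  private final TokenStore tokenStore;
  private final URI callbackUri;
  private final HttpTransportFactory transportFactory;
  private final URI tokenServerUri;
  private final URI userAuthUri;

  /**
   * Constructor with all parameters. Every parameter except {@code clientId} and {@code scopes}
   * may be null, in which case the documented default is substituted.
   *
   * @param clientId Client ID to identify the OAuth2 consent prompt
   * @param scopes OAuth2 scopes defining the user consent
   * @param tokenStore Implementation of a component for long term storage of tokens; defaults to
   *     an in-memory store
   * @param callbackUri URI for implementation of the OAuth2 web callback; defaults to
   *     {@link #DEFAULT_CALLBACK_URI}
   * @param transportFactory HTTP transport factory, creates the transport used to get access
   *     tokens; defaults to {@code OAuth2Utils.HTTP_TRANSPORT_FACTORY}
   * @param tokenServerUri URI of the end point that provides tokens; defaults to
   *     {@code OAuth2Utils.TOKEN_SERVER_URI}
   * @param userAuthUri URI of the Web UI for user consent; defaults to
   *     {@code OAuth2Utils.USER_AUTH_URI}
   * @throws NullPointerException if {@code clientId} or {@code scopes} is null
   */
  private UserAuthorizer(
      ClientId clientId,
      Collection<String> scopes,
      TokenStore tokenStore,
      URI callbackUri,
      HttpTransportFactory transportFactory,
      URI tokenServerUri,
      URI userAuthUri) {
    this.clientId = Preconditions.checkNotNull(clientId);
    // Defensive copy: callers cannot mutate the scope list after construction.
    this.scopes = ImmutableList.copyOf(Preconditions.checkNotNull(scopes));
    this.callbackUri = (callbackUri == null) ? DEFAULT_CALLBACK_URI : callbackUri;
    this.transportFactory =
        (transportFactory == null) ? OAuth2Utils.HTTP_TRANSPORT_FACTORY : transportFactory;
    this.tokenServerUri = (tokenServerUri == null) ? OAuth2Utils.TOKEN_SERVER_URI : tokenServerUri;
    this.userAuthUri = (userAuthUri == null) ? OAuth2Utils.USER_AUTH_URI : userAuthUri;
    // A store is always present after construction; the null checks in the token methods below
    // are kept as defensive guards only.
    this.tokenStore = (tokenStore == null) ? new MemoryTokensStorage() : tokenStore;
  }

  /**
   * Returns the Client ID used to identify the OAuth2 consent prompt.
   *
   * @return The Client ID.
   */
  public ClientId getClientId() {
    return clientId;
  }

  /**
   * Returns the scopes defining the user consent.
   *
   * @return The (immutable) collection of scopes defining the user consent.
   */
  public Collection<String> getScopes() {
    return scopes;
  }

  /**
   * Returns the URI for implementation of the OAuth2 web callback.
   *
   * @return The URI for the OAuth2 web callback, possibly relative.
   */
  public URI getCallbackUri() {
    return callbackUri;
  }

  /**
   * Returns the URI for implementation of the OAuth2 web callback, optionally relative to the
   * specified URI.
   *
   * <p>The callback URI is often relative to enable an application to be tested from more than one
   * place so this can be used to resolve it relative to another URI.
   *
   * @param baseUri The URI to resolve the callback URI relative to. Ignored when the configured
   *     callback URI is already absolute.
   * @return The resolved, absolute URI.
   * @throws IllegalStateException if the callback URI is relative and {@code baseUri} is null or
   *     not absolute
   */
  public URI getCallbackUri(URI baseUri) {
    if (callbackUri.isAbsolute()) {
      return callbackUri;
    }
    if (baseUri == null || !baseUri.isAbsolute()) {
      throw new IllegalStateException(
          "If the callback URI is relative, the baseUri passed must" + " be an absolute URI");
    }
    return baseUri.resolve(callbackUri);
  }

  /**
   * Returns the implementation of a component for long term storage of tokens.
   *
   * @return The token storage implementation for long term storage of tokens.
   */
  public TokenStore getTokenStore() {
    return tokenStore;
  }

  /**
   * Return an URL that performs the authorization consent prompt web UI.
   *
   * <p>The request asks for {@code access_type=offline} with {@code approval_prompt=force} so that
   * the code exchange yields a refresh token, and sets {@code include_granted_scopes}.
   *
   * @param userId Application's identifier for the end user; sent as {@code login_hint} when
   *     non-null.
   * @param state State that is passed on to the OAuth2 callback URI after the consent. Callers
   *     should supply an unguessable value bound to the user's session and verify it on the
   *     callback; it is omitted from the URL when null.
   * @param baseUri The URI to resolve the OAuth2 callback URI relative to.
   * @return The URL that can be navigated or redirected to.
   * @throws IllegalStateException if the callback URI cannot be resolved against {@code baseUri}
   */
  public URL getAuthorizationUrl(String userId, String state, URI baseUri) {
    URI resolvedCallbackUri = getCallbackUri(baseUri);
    String scopesString = Joiner.on(' ').join(scopes);
    GenericUrl url = new GenericUrl(userAuthUri);
    url.put("response_type", "code");
    url.put("client_id", clientId.getClientId());
    url.put("redirect_uri", resolvedCallbackUri);
    url.put("scope", scopesString);
    if (state != null) {
      url.put("state", state);
    }
    url.put("access_type", "offline");
    url.put("approval_prompt", "force");
    if (userId != null) {
      url.put("login_hint", userId);
    }
    url.put("include_granted_scopes", true);
    return url.toURL();
  }

  /**
   * Attempts to retrieve credentials for the approved end user consent.
   *
   * <p>The stored JSON must carry {@code access_token} and {@code expiration_time_millis};
   * {@code refresh_token} is optional. The returned credentials are monitored so that token
   * refreshes are written back to the store.
   *
   * @param userId Application's identifier for the end user.
   * @return The loaded credentials or null if there are no valid approved credentials.
   * @throws IOException If there is error retrieving or loading the credentials, including stored
   *     data that fails validation.
   * @throws NullPointerException if {@code userId} is null
   */
  public UserCredentials getCredentials(String userId) throws IOException {
    Preconditions.checkNotNull(userId);
    if (tokenStore == null) {
      throw new IllegalStateException("Method cannot be called if token store is not specified.");
    }
    String tokenData = tokenStore.load(userId);
    if (tokenData == null) {
      return null;
    }
    GenericJson tokenJson = OAuth2Utils.parseJson(tokenData);
    String accessTokenValue =
        OAuth2Utils.validateString(tokenJson, "access_token", TOKEN_STORE_ERROR);
    Long expirationMillis =
        OAuth2Utils.validateLong(tokenJson, "expiration_time_millis", TOKEN_STORE_ERROR);
    Date expirationTime = new Date(expirationMillis);
    AccessToken accessToken = new AccessToken(accessTokenValue, expirationTime);
    String refreshToken =
        OAuth2Utils.validateOptionalString(tokenJson, "refresh_token", TOKEN_STORE_ERROR);
    UserCredentials credentials =
        UserCredentials.newBuilder()
            .setClientId(clientId.getClientId())
            .setClientSecret(clientId.getClientSecret())
            .setRefreshToken(refreshToken)
            .setAccessToken(accessToken)
            .setHttpTransportFactory(transportFactory)
            .setTokenServerUri(tokenServerUri)
            .build();
    monitorCredentials(userId, credentials);
    return credentials;
  }

  /**
   * Returns a UserCredentials instance by exchanging an OAuth2 authorization code for tokens.
   *
   * <p>The resulting credentials are neither stored nor monitored; see
   * {@link #getAndStoreCredentialsFromCode(String, String, URI)} for that.
   *
   * @param code Code returned from OAuth2 consent prompt.
   * @param baseUri The URI to resolve the OAuth2 callback URI relative to.
   * @return the UserCredentials instance created from the authorization code.
   * @throws IOException An error from the server API call to get the tokens, or a token response
   *     missing {@code access_token} or {@code expires_in}.
   * @throws NullPointerException if {@code code} is null
   */
  public UserCredentials getCredentialsFromCode(String code, URI baseUri) throws IOException {
    Preconditions.checkNotNull(code);
    URI resolvedCallbackUri = getCallbackUri(baseUri);
    GenericData tokenData = new GenericData();
    tokenData.put("code", code);
    tokenData.put("client_id", clientId.getClientId());
    tokenData.put("client_secret", clientId.getClientSecret());
    tokenData.put("redirect_uri", resolvedCallbackUri);
    tokenData.put("grant_type", "authorization_code");
    UrlEncodedContent tokenContent = new UrlEncodedContent(tokenData);
    HttpRequestFactory requestFactory = transportFactory.create().createRequestFactory();
    HttpRequest tokenRequest =
        requestFactory.buildPostRequest(new GenericUrl(tokenServerUri), tokenContent);
    tokenRequest.setParser(new JsonObjectParser(OAuth2Utils.JSON_FACTORY));
    HttpResponse tokenResponse = tokenRequest.execute();
    GenericJson parsedTokens = tokenResponse.parseAs(GenericJson.class);
    String accessTokenValue =
        OAuth2Utils.validateString(parsedTokens, "access_token", FETCH_TOKEN_ERROR);
    int expiresInSecs = OAuth2Utils.validateInt32(parsedTokens, "expires_in", FETCH_TOKEN_ERROR);
    // Multiply in long arithmetic: an int product overflows for lifetimes above ~24 days.
    Date expirationTime = new Date(System.currentTimeMillis() + expiresInSecs * 1000L);
    AccessToken accessToken = new AccessToken(accessTokenValue, expirationTime);
    String refreshToken =
        OAuth2Utils.validateOptionalString(parsedTokens, "refresh_token", FETCH_TOKEN_ERROR);
    return UserCredentials.newBuilder()
        .setClientId(clientId.getClientId())
        .setClientSecret(clientId.getClientSecret())
        .setRefreshToken(refreshToken)
        .setAccessToken(accessToken)
        .setHttpTransportFactory(transportFactory)
        .setTokenServerUri(tokenServerUri)
        .build();
  }

  /**
   * Exchanges an authorization code for tokens and stores them.
   *
   * @param userId Application's identifier for the end user.
   * @param code Code returned from OAuth2 consent prompt.
   * @param baseUri The URI to resolve the OAuth2 callback URI relative to.
   * @return UserCredentials instance created from the authorization code.
   * @throws IOException An error from the server API call to get the tokens or store the tokens.
   * @throws NullPointerException if {@code userId} or {@code code} is null
   */
  public UserCredentials getAndStoreCredentialsFromCode(String userId, String code, URI baseUri)
      throws IOException {
    Preconditions.checkNotNull(userId);
    Preconditions.checkNotNull(code);
    UserCredentials credentials = getCredentialsFromCode(code, baseUri);
    storeCredentials(userId, credentials);
    monitorCredentials(userId, credentials);
    return credentials;
  }

  /**
   * Revokes the authorization for tokens stored for the user.
   *
   * <p>The stored entry is deleted before the revoke call is made, and a failure to delete is
   * reported only after the revoke call has been attempted. If both steps fail, the delete
   * failure is attached to the thrown exception as a suppressed exception.
   *
   * @param userId Application's identifier for the end user.
   * @throws IOException An error calling the revoke API or deleting the state.
   * @throws NullPointerException if {@code userId} is null
   */
  public void revokeAuthorization(String userId) throws IOException {
    Preconditions.checkNotNull(userId);
    if (tokenStore == null) {
      throw new IllegalStateException("Method cannot be called if token store is not specified.");
    }
    String tokenData = tokenStore.load(userId);
    if (tokenData == null) {
      return;
    }
    IOException deleteTokenException = null;
    try {
      // Delete the stored version first. If token revocation fails it is less harmful to have
      // lost a still-valid token than to hold on to a potentially revoked token.
      tokenStore.delete(userId);
    } catch (IOException e) {
      deleteTokenException = e;
    }
    GenericJson tokenJson = OAuth2Utils.parseJson(tokenData);
    String accessTokenValue =
        OAuth2Utils.validateOptionalString(tokenJson, "access_token", TOKEN_STORE_ERROR);
    String refreshToken =
        OAuth2Utils.validateOptionalString(tokenJson, "refresh_token", TOKEN_STORE_ERROR);
    // If both tokens are present, either can be used
    String revokeToken = (refreshToken != null) ? refreshToken : accessTokenValue;
    GenericUrl revokeUrl = new GenericUrl(OAuth2Utils.TOKEN_REVOKE_URI);
    GenericData genericData = new GenericData();
    genericData.put("token", revokeToken);
    UrlEncodedContent content = new UrlEncodedContent(genericData);
    HttpRequestFactory requestFactory = transportFactory.create().createRequestFactory();
    HttpRequest tokenRequest = requestFactory.buildPostRequest(revokeUrl, content);
    try {
      // The response body is not needed; disconnect so the connection is released.
      HttpResponse revokeResponse = tokenRequest.execute();
      revokeResponse.disconnect();
    } catch (IOException e) {
      if (deleteTokenException != null) {
        e.addSuppressed(deleteTokenException);
      }
      throw e;
    }
    if (deleteTokenException != null) {
      throw deleteTokenException;
    }
  }

  /**
   * Puts the end user credentials in long term storage.
   *
   * <p>The stored format requires an access token with an expiration time, because
   * {@link #getCredentials(String)} treats {@code expiration_time_millis} as mandatory when
   * loading; the refresh token is stored only when present.
   *
   * @param userId Application's identifier for the end user.
   * @param credentials UserCredentials instance for the authorized consent.
   * @throws IOException An error storing the credentials.
   * @throws IllegalArgumentException if the credentials carry no access token or the access token
   *     has no expiration time
   * @throws NullPointerException if {@code userId} or {@code credentials} is null
   */
  public void storeCredentials(String userId, UserCredentials credentials) throws IOException {
    Preconditions.checkNotNull(userId);
    Preconditions.checkNotNull(credentials);
    if (tokenStore == null) {
      throw new IllegalStateException("Cannot store tokens if tokenStore is not specified.");
    }
    AccessToken accessToken = credentials.getAccessToken();
    // Fail with a clear message instead of a NullPointerException on expiresBy.getTime().
    if (accessToken == null || accessToken.getExpirationTime() == null) {
      throw new IllegalArgumentException(
          "Cannot store credentials without an access token that has an expiration time.");
    }
    String accessTokenValue = accessToken.getTokenValue();
    Date expiresBy = accessToken.getExpirationTime();
    String refreshToken = credentials.getRefreshToken();
    GenericJson tokenStateJson = new GenericJson();
    tokenStateJson.setFactory(OAuth2Utils.JSON_FACTORY);
    tokenStateJson.put("access_token", accessTokenValue);
    tokenStateJson.put("expiration_time_millis", expiresBy.getTime());
    if (refreshToken != null) {
      tokenStateJson.put("refresh_token", refreshToken);
    }
    String tokenState = tokenStateJson.toString();
    tokenStore.store(userId, tokenState);
  }

  /**
   * Adds a listener to rewrite the credentials when the tokens are refreshed.
   *
   * @param userId Application's identifier for the end user.
   * @param credentials UserCredentials instance to listen to.
   */
  protected void monitorCredentials(String userId, UserCredentials credentials) {
    credentials.addChangeListener(new UserCredentialsListener(userId));
  }

  /**
   * Implementation of listener used by monitorCredentials to rewrite the credentials when the
   * tokens are refreshed. Non-static on purpose: it writes through the enclosing authorizer's
   * token store.
   */
  private class UserCredentialsListener implements OAuth2Credentials.CredentialsChangedListener {
    private final String userId;

    /** Construct new listener. */
    public UserCredentialsListener(String userId) {
      this.userId = userId;
    }

    /** Handle change event by rewriting to token store. */
    @Override
    public void onChanged(OAuth2Credentials credentials) throws IOException {
      UserCredentials userCredentials = (UserCredentials) credentials;
      storeCredentials(userId, userCredentials);
    }
  }

  /** Returns a new, empty builder. */
  public static Builder newBuilder() {
    return new Builder();
  }

  /** Returns a builder pre-populated with this authorizer's settings. */
  public Builder toBuilder() {
    return new Builder(this);
  }

  /** Builder for {@link UserAuthorizer}; unset values fall back to the constructor defaults. */
  public static class Builder {

    private ClientId clientId;
    private TokenStore tokenStore;
    private URI callbackUri;
    private URI tokenServerUri;
    private URI userAuthUri;
    private Collection<String> scopes;
    private HttpTransportFactory transportFactory;

    protected Builder() {}

    /** Copies every setting from an existing authorizer. */
    protected Builder(UserAuthorizer authorizer) {
      this.clientId = authorizer.clientId;
      this.scopes = authorizer.scopes;
      this.transportFactory = authorizer.transportFactory;
      this.tokenServerUri = authorizer.tokenServerUri;
      this.tokenStore = authorizer.tokenStore;
      this.callbackUri = authorizer.callbackUri;
      this.userAuthUri = authorizer.userAuthUri;
    }

    public Builder setClientId(ClientId clientId) {
      this.clientId = clientId;
      return this;
    }

    public Builder setTokenStore(TokenStore tokenStore) {
      this.tokenStore = tokenStore;
      return this;
    }

    public Builder setScopes(Collection<String> scopes) {
      this.scopes = scopes;
      return this;
    }

    public Builder setTokenServerUri(URI tokenServerUri) {
      this.tokenServerUri = tokenServerUri;
      return this;
    }

    public Builder setCallbackUri(URI callbackUri) {
      this.callbackUri = callbackUri;
      return this;
    }

    public Builder setUserAuthUri(URI userAuthUri) {
      this.userAuthUri = userAuthUri;
      return this;
    }

    public Builder setHttpTransportFactory(HttpTransportFactory transportFactory) {
      this.transportFactory = transportFactory;
      return this;
    }

    public ClientId getClientId() {
      return clientId;
    }

    public TokenStore getTokenStore() {
      return tokenStore;
    }

    public Collection<String> getScopes() {
      return scopes;
    }

    public URI getTokenServerUri() {
      return tokenServerUri;
    }

    public URI getCallbackUri() {
      return callbackUri;
    }

    public URI getUserAuthUri() {
      return userAuthUri;
    }

    public HttpTransportFactory getHttpTransportFactory() {
      return transportFactory;
    }

    /**
     * Builds the authorizer.
     *
     * @throws NullPointerException if the client ID or scopes were not set
     */
    public UserAuthorizer build() {
      return new UserAuthorizer(
          clientId, scopes, tokenStore, callbackUri, transportFactory, tokenServerUri, userAuthUri);
    }
  }
}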