com.google.auth.oauth2.UserAuthorizer Maven / Gradle / Ivy
/*
* Copyright 2015, Google Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following disclaimer
* in the documentation and/or other materials provided with the
* distribution.
*
* * Neither the name of Google Inc. nor the names of its
* contributors may be used to endorse or promote products derived from
* this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
package com.google.auth.oauth2;
import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpRequest;
import com.google.api.client.http.HttpRequestFactory;
import com.google.api.client.http.HttpResponse;
import com.google.api.client.http.UrlEncodedContent;
import com.google.api.client.json.GenericJson;
import com.google.api.client.json.JsonObjectParser;
import com.google.api.client.util.GenericData;
import com.google.api.client.util.Joiner;
import com.google.api.client.util.Preconditions;
import com.google.auth.http.HttpTransportFactory;
import com.google.common.collect.ImmutableList;
import com.google.errorprone.annotations.CanIgnoreReturnValue;
import java.io.IOException;
import java.net.URI;
import java.net.URL;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.List;
import java.util.Map;
/** Handles an interactive 3-Legged-OAuth2 (3LO) user consent authorization. */
public class UserAuthorizer {
static final URI DEFAULT_CALLBACK_URI = URI.create("/oauth2callback");
private final String TOKEN_STORE_ERROR = "Error parsing stored token data.";
private final String FETCH_TOKEN_ERROR = "Error reading result of Token API:";
private final ClientId clientId;
private final Collection scopes;
private final TokenStore tokenStore;
private final URI callbackUri;
private final HttpTransportFactory transportFactory;
private final URI tokenServerUri;
private final URI userAuthUri;
private final PKCEProvider pkce;
/**
* Constructor with all parameters.
*
* @param clientId Client ID to identify the OAuth2 consent prompt
* @param scopes OAuth2 scopes defining the user consent
* @param tokenStore Implementation of a component for long term storage of tokens
* @param callbackUri URI for implementation of the OAuth2 web callback
* @param transportFactory HTTP transport factory, creates the transport used to get access
* tokens.
* @param tokenServerUri URI of the end point that provides tokens
* @param userAuthUri URI of the Web UI for user consent
* @param pkce PKCE implementation
*/
private UserAuthorizer(
ClientId clientId,
Collection scopes,
TokenStore tokenStore,
URI callbackUri,
HttpTransportFactory transportFactory,
URI tokenServerUri,
URI userAuthUri,
PKCEProvider pkce) {
this.clientId = Preconditions.checkNotNull(clientId);
this.scopes = ImmutableList.copyOf(Preconditions.checkNotNull(scopes));
this.callbackUri = (callbackUri == null) ? DEFAULT_CALLBACK_URI : callbackUri;
this.transportFactory =
(transportFactory == null) ? OAuth2Utils.HTTP_TRANSPORT_FACTORY : transportFactory;
this.tokenServerUri = (tokenServerUri == null) ? OAuth2Utils.TOKEN_SERVER_URI : tokenServerUri;
this.userAuthUri = (userAuthUri == null) ? OAuth2Utils.USER_AUTH_URI : userAuthUri;
this.tokenStore = (tokenStore == null) ? new MemoryTokensStorage() : tokenStore;
this.pkce = pkce;
}
/**
* Returns the Client ID user to identify the OAuth2 consent prompt.
*
* @return The Client ID.
*/
public ClientId getClientId() {
return clientId;
}
/**
* Returns the scopes defining the user consent.
*
* @return The collection of scopes defining the user consent.
*/
public Collection getScopes() {
return scopes;
}
/**
* Returns the URI for implementation of the OAuth2 web callback.
*
* @return The URI for the OAuth2 web callback.
*/
public URI getCallbackUri() {
return callbackUri;
}
/**
* Returns the URI for implementation of the OAuth2 web callback, optionally relative to the
* specified URI.
*
* The callback URI is often relative to enable an application to be tested from more than one
* place so this can be used to resolve it relative to another URI.
*
* @param baseUri The URI to resolve the callback URI relative to.
* @return The resolved URI.
*/
public URI getCallbackUri(URI baseUri) {
if (callbackUri.isAbsolute()) {
return callbackUri;
}
if (baseUri == null || !baseUri.isAbsolute()) {
throw new IllegalStateException(
"If the callback URI is relative, the baseUri passed must" + " be an absolute URI");
}
return baseUri.resolve(callbackUri);
}
/**
* Returns the implementation of a component for long term storage of tokens.
*
* @return The token storage implementation for long term storage of tokens.
*/
public TokenStore getTokenStore() {
return tokenStore;
}
/**
* Return an URL that performs the authorization consent prompt web UI.
*
* @param userId Application's identifier for the end user.
* @param state State that is passed on to the OAuth2 callback URI after the consent.
* @param baseUri The URI to resolve the OAuth2 callback URI relative to.
* @return The URL that can be navigated or redirected to.
*/
public URL getAuthorizationUrl(String userId, String state, URI baseUri) {
return this.getAuthorizationUrl(userId, state, baseUri, null);
}
/**
* Return an URL that performs the authorization consent prompt web UI.
*
* @param userId Application's identifier for the end user.
* @param state State that is passed on to the OAuth2 callback URI after the consent.
* @param baseUri The URI to resolve the OAuth2 callback URI relative to.
* @param additionalParameters Additional query parameters to be added to the authorization URL.
* @return The URL that can be navigated or redirected to.
*/
public URL getAuthorizationUrl(
String userId, String state, URI baseUri, Map additionalParameters) {
URI resolvedCallbackUri = getCallbackUri(baseUri);
String scopesString = Joiner.on(' ').join(scopes);
GenericUrl url = new GenericUrl(userAuthUri);
url.put("response_type", "code");
url.put("client_id", clientId.getClientId());
url.put("redirect_uri", resolvedCallbackUri);
url.put("scope", scopesString);
if (state != null) {
url.put("state", state);
}
url.put("access_type", "offline");
url.put("approval_prompt", "force");
if (userId != null) {
url.put("login_hint", userId);
}
url.put("include_granted_scopes", true);
if (additionalParameters != null) {
for (Map.Entry entry : additionalParameters.entrySet()) {
url.put(entry.getKey(), entry.getValue());
}
}
if (pkce != null) {
url.put("code_challenge", pkce.getCodeChallenge());
url.put("code_challenge_method", pkce.getCodeChallengeMethod());
}
return url.toURL();
}
/**
* Attempts to retrieve credentials for the approved end user consent.
*
* @param userId Application's identifier for the end user.
* @return The loaded credentials or null if there are no valid approved credentials.
* @throws IOException If there is error retrieving or loading the credentials.
*/
public UserCredentials getCredentials(String userId) throws IOException {
Preconditions.checkNotNull(userId);
if (tokenStore == null) {
throw new IllegalStateException("Method cannot be called if token store is not specified.");
}
String tokenData = tokenStore.load(userId);
if (tokenData == null) {
return null;
}
GenericJson tokenJson = OAuth2Utils.parseJson(tokenData);
String accessTokenValue =
OAuth2Utils.validateString(tokenJson, "access_token", TOKEN_STORE_ERROR);
Long expirationMillis =
OAuth2Utils.validateLong(tokenJson, "expiration_time_millis", TOKEN_STORE_ERROR);
Date expirationTime = new Date(expirationMillis);
List scopes =
OAuth2Utils.validateOptionalListString(
tokenJson, OAuth2Utils.TOKEN_RESPONSE_SCOPE, FETCH_TOKEN_ERROR);
AccessToken accessToken =
AccessToken.newBuilder()
.setExpirationTime(expirationTime)
.setTokenValue(accessTokenValue)
.setScopes(scopes)
.build();
String refreshToken =
OAuth2Utils.validateOptionalString(tokenJson, "refresh_token", TOKEN_STORE_ERROR);
UserCredentials credentials =
UserCredentials.newBuilder()
.setClientId(clientId.getClientId())
.setClientSecret(clientId.getClientSecret())
.setRefreshToken(refreshToken)
.setAccessToken(accessToken)
.setHttpTransportFactory(transportFactory)
.setTokenServerUri(tokenServerUri)
.build();
monitorCredentials(userId, credentials);
return credentials;
}
/**
* Returns a UserCredentials instance by exchanging an OAuth2 authorization code for tokens.
*
* @param code Code returned from OAuth2 consent prompt.
* @param baseUri The URI to resolve the OAuth2 callback URI relative to.
* @return the UserCredentials instance created from the authorization code.
* @throws IOException An error from the server API call to get the tokens.
*/
public UserCredentials getCredentialsFromCode(String code, URI baseUri) throws IOException {
return getCredentialsFromCode(code, baseUri, null);
}
/**
* Returns a UserCredentials instance by exchanging an OAuth2 authorization code for tokens.
*
* @param code Code returned from OAuth2 consent prompt.
* @param baseUri The URI to resolve the OAuth2 callback URI relative to.
* @param additionalParameters Additional parameters to be added to the post body of token
* endpoint request.
* @return the UserCredentials instance created from the authorization code.
* @throws IOException An error from the server API call to get the tokens.
*/
public UserCredentials getCredentialsFromCode(
String code, URI baseUri, Map additionalParameters) throws IOException {
Preconditions.checkNotNull(code);
URI resolvedCallbackUri = getCallbackUri(baseUri);
GenericData tokenData = new GenericData();
tokenData.put("code", code);
tokenData.put("client_id", clientId.getClientId());
tokenData.put("client_secret", clientId.getClientSecret());
tokenData.put("redirect_uri", resolvedCallbackUri);
tokenData.put("grant_type", "authorization_code");
if (additionalParameters != null) {
for (Map.Entry entry : additionalParameters.entrySet()) {
tokenData.put(entry.getKey(), entry.getValue());
}
}
if (pkce != null) {
tokenData.put("code_verifier", pkce.getCodeVerifier());
}
UrlEncodedContent tokenContent = new UrlEncodedContent(tokenData);
HttpRequestFactory requestFactory = transportFactory.create().createRequestFactory();
HttpRequest tokenRequest =
requestFactory.buildPostRequest(new GenericUrl(tokenServerUri), tokenContent);
tokenRequest.setParser(new JsonObjectParser(OAuth2Utils.JSON_FACTORY));
HttpResponse tokenResponse = tokenRequest.execute();
GenericJson parsedTokens = tokenResponse.parseAs(GenericJson.class);
String accessTokenValue =
OAuth2Utils.validateString(parsedTokens, "access_token", FETCH_TOKEN_ERROR);
int expiresInSecs = OAuth2Utils.validateInt32(parsedTokens, "expires_in", FETCH_TOKEN_ERROR);
Date expirationTime = new Date(new Date().getTime() + expiresInSecs * 1000);
String scopes =
OAuth2Utils.validateOptionalString(
parsedTokens, OAuth2Utils.TOKEN_RESPONSE_SCOPE, FETCH_TOKEN_ERROR);
AccessToken accessToken =
AccessToken.newBuilder()
.setExpirationTime(expirationTime)
.setTokenValue(accessTokenValue)
.setScopes(scopes)
.build();
String refreshToken =
OAuth2Utils.validateOptionalString(parsedTokens, "refresh_token", FETCH_TOKEN_ERROR);
return UserCredentials.newBuilder()
.setClientId(clientId.getClientId())
.setClientSecret(clientId.getClientSecret())
.setRefreshToken(refreshToken)
.setAccessToken(accessToken)
.setHttpTransportFactory(transportFactory)
.setTokenServerUri(tokenServerUri)
.build();
}
/**
* Exchanges an authorization code for tokens and stores them.
*
* @param userId Application's identifier for the end user.
* @param code Code returned from OAuth2 consent prompt.
* @param baseUri The URI to resolve the OAuth2 callback URI relative to.
* @return UserCredentials instance created from the authorization code.
* @throws IOException An error from the server API call to get the tokens or store the tokens.
*/
public UserCredentials getAndStoreCredentialsFromCode(String userId, String code, URI baseUri)
throws IOException {
Preconditions.checkNotNull(userId);
Preconditions.checkNotNull(code);
UserCredentials credentials = getCredentialsFromCode(code, baseUri);
storeCredentials(userId, credentials);
monitorCredentials(userId, credentials);
return credentials;
}
/**
* Revokes the authorization for tokens stored for the user.
*
* @param userId Application's identifier for the end user.
* @throws IOException An error calling the revoke API or deleting the state.
*/
public void revokeAuthorization(String userId) throws IOException {
Preconditions.checkNotNull(userId);
if (tokenStore == null) {
throw new IllegalStateException("Method cannot be called if token store is not specified.");
}
String tokenData = tokenStore.load(userId);
if (tokenData == null) {
return;
}
IOException deleteTokenException = null;
try {
// Delete the stored version first. If token reversion fails it is less harmful to have an
// non revoked token to hold on to a potentially revoked token.
tokenStore.delete(userId);
} catch (IOException e) {
deleteTokenException = e;
}
GenericJson tokenJson = OAuth2Utils.parseJson(tokenData);
String accessTokenValue =
OAuth2Utils.validateOptionalString(tokenJson, "access_token", TOKEN_STORE_ERROR);
String refreshToken =
OAuth2Utils.validateOptionalString(tokenJson, "refresh_token", TOKEN_STORE_ERROR);
// If both tokens are present, either can be used
String revokeToken = (refreshToken != null) ? refreshToken : accessTokenValue;
GenericUrl revokeUrl = new GenericUrl(OAuth2Utils.TOKEN_REVOKE_URI);
GenericData genericData = new GenericData();
genericData.put("token", revokeToken);
UrlEncodedContent content = new UrlEncodedContent(genericData);
HttpRequestFactory requestFactory = transportFactory.create().createRequestFactory();
HttpRequest tokenRequest = requestFactory.buildPostRequest(revokeUrl, content);
tokenRequest.execute();
if (deleteTokenException != null) {
throw deleteTokenException;
}
}
/**
* Puts the end user credentials in long term storage.
*
* @param userId Application's identifier for the end user.
* @param credentials UserCredentials instance for the authorized consent.
* @throws IOException An error storing the credentials.
*/
public void storeCredentials(String userId, UserCredentials credentials) throws IOException {
if (tokenStore == null) {
throw new IllegalStateException("Cannot store tokens if tokenStore is not specified.");
}
AccessToken accessToken = credentials.getAccessToken();
String acessTokenValue = null;
String scopes = null;
Date expiresBy = null;
List grantedScopes = new ArrayList<>();
if (accessToken != null) {
acessTokenValue = accessToken.getTokenValue();
expiresBy = accessToken.getExpirationTime();
grantedScopes = accessToken.getScopes();
}
String refreshToken = credentials.getRefreshToken();
GenericJson tokenStateJson = new GenericJson();
tokenStateJson.setFactory(OAuth2Utils.JSON_FACTORY);
tokenStateJson.put("access_token", acessTokenValue);
tokenStateJson.put(OAuth2Utils.TOKEN_RESPONSE_SCOPE, grantedScopes);
tokenStateJson.put("expiration_time_millis", expiresBy.getTime());
if (refreshToken != null) {
tokenStateJson.put("refresh_token", refreshToken);
}
String tokenState = tokenStateJson.toString();
tokenStore.store(userId, tokenState);
}
/**
* Adds a listen to rewrite the credentials when the tokens are refreshed.
*
* @param userId Application's identifier for the end user.
* @param credentials UserCredentials instance to listen to.
*/
protected void monitorCredentials(String userId, UserCredentials credentials) {
credentials.addChangeListener(new UserCredentialsListener(userId));
}
/**
* Implementation of listener used by monitorCredentials to rewrite the credentials when the
* tokens are refreshed.
*/
private class UserCredentialsListener implements OAuth2Credentials.CredentialsChangedListener {
private final String userId;
/** Construct new listener. */
public UserCredentialsListener(String userId) {
this.userId = userId;
}
/** Handle change event by rewriting to token store. */
@Override
public void onChanged(OAuth2Credentials credentials) throws IOException {
UserCredentials userCredentials = (UserCredentials) credentials;
storeCredentials(userId, userCredentials);
}
}
public static Builder newBuilder() {
return new Builder();
}
public Builder toBuilder() {
return new Builder(this);
}
public static class Builder {
private ClientId clientId;
private TokenStore tokenStore;
private URI callbackUri;
private URI tokenServerUri;
private URI userAuthUri;
private Collection scopes;
private HttpTransportFactory transportFactory;
private PKCEProvider pkce;
protected Builder() {}
protected Builder(UserAuthorizer authorizer) {
this.clientId = authorizer.clientId;
this.scopes = authorizer.scopes;
this.transportFactory = authorizer.transportFactory;
this.tokenServerUri = authorizer.tokenServerUri;
this.tokenStore = authorizer.tokenStore;
this.callbackUri = authorizer.callbackUri;
this.userAuthUri = authorizer.userAuthUri;
this.pkce = new DefaultPKCEProvider();
}
@CanIgnoreReturnValue
public Builder setClientId(ClientId clientId) {
this.clientId = clientId;
return this;
}
@CanIgnoreReturnValue
public Builder setTokenStore(TokenStore tokenStore) {
this.tokenStore = tokenStore;
return this;
}
@CanIgnoreReturnValue
public Builder setScopes(Collection scopes) {
this.scopes = scopes;
return this;
}
@CanIgnoreReturnValue
public Builder setTokenServerUri(URI tokenServerUri) {
this.tokenServerUri = tokenServerUri;
return this;
}
@CanIgnoreReturnValue
public Builder setCallbackUri(URI callbackUri) {
this.callbackUri = callbackUri;
return this;
}
@CanIgnoreReturnValue
public Builder setUserAuthUri(URI userAuthUri) {
this.userAuthUri = userAuthUri;
return this;
}
@CanIgnoreReturnValue
public Builder setHttpTransportFactory(HttpTransportFactory transportFactory) {
this.transportFactory = transportFactory;
return this;
}
@CanIgnoreReturnValue
public Builder setPKCEProvider(PKCEProvider pkce) {
if (pkce != null) {
if (pkce.getCodeChallenge() == null
|| pkce.getCodeVerifier() == null
|| pkce.getCodeChallengeMethod() == null) {
throw new IllegalArgumentException(
"PKCE provider contained null implementations. PKCE object must implement all PKCEProvider methods.");
}
}
this.pkce = pkce;
return this;
}
public ClientId getClientId() {
return clientId;
}
public TokenStore getTokenStore() {
return tokenStore;
}
public Collection getScopes() {
return scopes;
}
public URI getTokenServerUri() {
return tokenServerUri;
}
public URI getCallbackUri() {
return callbackUri;
}
public URI getUserAuthUri() {
return userAuthUri;
}
public HttpTransportFactory getHttpTransportFactory() {
return transportFactory;
}
public PKCEProvider getPKCEProvider() {
return pkce;
}
public UserAuthorizer build() {
return new UserAuthorizer(
clientId,
scopes,
tokenStore,
callbackUri,
transportFactory,
tokenServerUri,
userAuthUri,
pkce);
}
}
}