package com.nimbusds.openid.connect.provider.spi.impl.common;
import com.nimbusds.oauth2.sdk.GeneralException;
import com.nimbusds.oauth2.sdk.OAuth2Error;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.util.CollectionUtils;
import org.checkerframework.checker.nullness.qual.Nullable;
/**
* OAuth 2.0 scope utilities.
*/
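public class ScopeUtils {

    /**
     * Resolves the authorised scope for a token request based on the
     * registered {@code scope} client metadata parameter.
     *
     * <p>Processing rules:
     *
     * <ul>
     *     <li>If no scope values are registered in the metadata for the
     *         requesting client, an {@code invalid_scope} OAuth 2.0 error
     *         is returned. See RFC 6749, section 5.2.
     *     <li>If no scope is explicitly requested (with the {@code scope}
     *         parameter of the token request), the authorised scope
     *         defaults to the registered scope values for the client.
     *     <li>If an explicit scope is requested (with the {@code scope}
     *         parameter of the token request), the authorised scope is
     *         reduced to those scope values for which the client is
     *         registered. See RFC 6749, section 3.3. If none of the
     *         requested values is registered, an {@code invalid_scope}
     *         error is returned.
     * </ul>
     *
     * <p>The returned scope is always a new instance: neither argument is
     * modified, and mutating the result cannot alter the client's
     * registered metadata.
     *
     * @param requestedScope        The requested scope, {@code null} if
     *                              none.
     * @param clientRegisteredScope The registered {@code scope} client
     *                              metadata parameter, {@code null} if
     *                              none.
     *
     * @return The authorised scope, never empty.
     *
     * @throws GeneralException If access is denied; carries an
     *                          {@code invalid_scope} error object.
     */
    public static Scope resolveAuthorizedScope(final @Nullable Scope requestedScope,
                                               final @Nullable Scope clientRegisteredScope)
        throws GeneralException {

        // A client with no registered scope values can never be granted any
        if (CollectionUtils.isEmpty(clientRegisteredScope)) {
            throw accessDenied();
        }

        if (CollectionUtils.isEmpty(requestedScope)) {
            // Default to the registered scope values. Copy rather than
            // return the registered set itself, so a caller that mutates
            // the result cannot change the client's registered scope.
            return new Scope(clientRegisteredScope);
        }

        // Discard non-registered scope values; the copy keeps the caller's
        // requestedScope untouched
        var authorizedScope = new Scope(requestedScope);
        authorizedScope.retainAll(clientRegisteredScope);

        if (authorizedScope.isEmpty()) {
            // Nothing that was requested is registered: deny rather than
            // issue a token with an empty scope
            throw accessDenied();
        }

        return authorizedScope;
    }

    /**
     * Creates the {@code invalid_scope} exception used for every denial,
     * so the message and error description stay identical across the
     * rejection paths.
     *
     * @return The exception to throw.
     */
    private static GeneralException accessDenied() {
        return new GeneralException(
            "Access denied",
            OAuth2Error.INVALID_SCOPE.setDescription("Access denied")
        );
    }

    /**
     * Prevents public instantiation of this utility class.
     */
    private ScopeUtils() {}
}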