com.nimbusds.oauth2.sdk.PushedAuthorizationRequest Maven / Gradle / Ivy

Show more of this group Show more artifacts with this name
Show all versions of oauth2-oidc-sdk Show documentation
OAuth 2.0 SDK with OpenID Connection extensions for developing client and server applications.
There is a newer version: 11.19.1
/*
 * oauth2-oidc-sdk
 *
 * Copyright 2012-2016, Connect2id Ltd and contributors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
 * this file except in compliance with the License. You may obtain a copy of the
 * License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software distributed
 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations under the License.
 */

package com.nimbusds.oauth2.sdk;


import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import net.jcip.annotations.Immutable;

import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.http.CommonContentTypes;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.util.MultivaluedMapUtils;
import com.nimbusds.oauth2.sdk.util.StringUtils;
import com.nimbusds.oauth2.sdk.util.URLUtils;
import com.nimbusds.openid.connect.sdk.AuthenticationRequest;
import com.nimbusds.openid.connect.sdk.op.AuthenticationRequestDetector;


/**
 * Pushed authorisation request.
 *
 * Example HTTP request:
 *
 * 
 * POST /as/par HTTP/1.1
 * Host: as.example.com
 * Content-Type: application/x-www-form-urlencoded
 * Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3
 *
 * response_type=code
 * &client_id=s6BhdRkqt3&state=af0ifjsldkj
 * &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
 * 
 *
 * Related specifications:
 *
 * 

 *     OAuth 2.0 Pushed Authorization Requests
 *         (draft-lodderstedt-oauth-par-01)
 * 
 */
@Immutable
public class PushedAuthorizationRequest extends AbstractOptionallyAuthenticatedRequest {
	
	
	/**
	 * The pushed authorisation request.
	 */
	private final AuthorizationRequest authzRequest;
	
	
	/**
	 * Creates a new authenticated pushed authorisation request for a
	 * confidential client.
	 *
	 * @param uri          The URI of the token endpoint. May be
	 *                     {@code null} if the {@link #toHTTPRequest}
	 *                     method will not be used.
	 * @param clientAuth   The client authentication. Must not be
	 *                     {@code null}.
	 * @param authzRequest The authorisation request. Must not be
	 *                     {@code null}.
	 */
	public PushedAuthorizationRequest(final URI uri,
					  final ClientAuthentication clientAuth,
					  final AuthorizationRequest authzRequest) {
		super(uri, clientAuth);
		
		if (clientAuth == null)
			throw new IllegalArgumentException("The client authentication must not be null");
		
		if (authzRequest == null) {
			throw new IllegalArgumentException("The authorization request must not be null");
		}
		if (authzRequest.getRequestURI() != null) {
			throw new IllegalArgumentException("Authorization request_uri parameter not allowed");
		}
		this.authzRequest = authzRequest;
	}
	
	
	/**
	 * Creates a new pushed authorisation request for a public client.
	 *
	 * @param uri          The URI of the token endpoint. May be
	 *                     {@code null} if the {@link #toHTTPRequest}
	 *                     method will not be used.
	 * @param authzRequest The authorisation request. Must not be
	 *                     {@code null}.
	 */
	public PushedAuthorizationRequest(final URI uri,
					  final AuthorizationRequest authzRequest) {
		
		super(uri, null);
		if (authzRequest == null) {
			throw new IllegalArgumentException("The authorization request must not be null");
		}
		if (authzRequest.getRequestURI() != null) {
			throw new IllegalArgumentException("Authorization request_uri parameter not allowed");
		}
		this.authzRequest = authzRequest;
	}
	
	
	/**
	 * Returns the pushed authorisation request.
	 *
	 * @return The pushed authorisation request.
	 */
	public AuthorizationRequest getAuthorizationRequest() {
		return authzRequest;
	}
	
	
	@Override
	public HTTPRequest toHTTPRequest() {
		
		if (getEndpointURI() == null)
			throw new SerializeException("The endpoint URI is not specified");
		
		URL url;
		try {
			url = getEndpointURI().toURL();
		} catch (MalformedURLException e) {
			throw new SerializeException(e.getMessage(), e);
		}
		
		HTTPRequest httpRequest = new HTTPRequest(HTTPRequest.Method.POST, url);
		httpRequest.setContentType(CommonContentTypes.APPLICATION_URLENCODED);
		
		if (getClientAuthentication() != null) {
			getClientAuthentication().applyTo(httpRequest);
		}
		
		Map> params = httpRequest.getQueryParameters();
		params.putAll(authzRequest.toParameters());
		httpRequest.setQuery(URLUtils.serializeParameters(params));
		
		return httpRequest;
	}
	
	
	/**
	 * Parses a pushed authorisation request from the specified HTTP
	 * request.
	 *
	 * @param httpRequest The HTTP request. Must not be {@code null}.
	 *
	 * @return The pushed authorisation request.
	 *
	 * @throws ParseException If the HTTP request couldn't be parsed to a
	 *                        pushed authorisation request.
	 */
	public static PushedAuthorizationRequest parse(final HTTPRequest httpRequest)
		throws ParseException {
		
		// Only HTTP POST accepted
		URI uri;
		try {
			uri = httpRequest.getURL().toURI();
		} catch (URISyntaxException e) {
			throw new ParseException(e.getMessage(), e);
		}
		
		httpRequest.ensureMethod(HTTPRequest.Method.POST);
		httpRequest.ensureContentType(CommonContentTypes.APPLICATION_URLENCODED);
		
		// Parse client authentication, if any
		ClientAuthentication clientAuth;
		try {
			clientAuth = ClientAuthentication.parse(httpRequest);
		} catch (ParseException e) {
			throw new ParseException(e.getMessage(), OAuth2Error.INVALID_REQUEST.appendDescription(": " + e.getMessage()));
		}
		
		// No fragment! May use query component!
		Map> params = httpRequest.getQueryParameters();
		
		// Multiple conflicting client auth methods (issue #203)?
		if (clientAuth instanceof ClientSecretBasic) {
			if (StringUtils.isNotBlank(MultivaluedMapUtils.getFirstValue(params, "client_assertion")) || StringUtils.isNotBlank(MultivaluedMapUtils.getFirstValue(params, "client_assertion_type"))) {
				String msg = "Multiple conflicting client authentication methods found: Basic and JWT assertion";
				throw new ParseException(msg, OAuth2Error.INVALID_REQUEST.appendDescription(": " + msg));
			}
		}
		
		// client_id not required in authZ params if auth is present
		if (! params.containsKey("client_id") && clientAuth != null) {
			params.put("client_id", Collections.singletonList(clientAuth.getClientID().getValue()));
		}
		
		// Parse the authZ request, allow for OpenID
		AuthorizationRequest authzRequest;
		if (AuthenticationRequestDetector.isLikelyOpenID(params)) {
			authzRequest = AuthenticationRequest.parse(params);
		} else {
			authzRequest = AuthorizationRequest.parse(params);
		}
		
		if (authzRequest.getRequestURI() != null) {
			String msg = "Authorization request_uri parameter not allowed";
			throw new ParseException(msg, OAuth2Error.INVALID_REQUEST.appendDescription(": " + msg));
		}
		
		if (clientAuth != null) {
			return new PushedAuthorizationRequest(uri, clientAuth, authzRequest);
		} else {
			return new PushedAuthorizationRequest(uri, authzRequest);
		}
	}
}