• Home
• com.sap.cloud.security.xsuaa
• spring-xsuaa
• 1.2.0
• source code
• XsuaaAudienceValidator.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

com.sap.cloud.security.xsuaa.token.authentication.XsuaaAudienceValidator Maven / Gradle / Ivy

package com.sap.cloud.security.xsuaa.token.authentication;

import java.util.ArrayList;
import java.util.List;

import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;

import com.sap.cloud.security.xsuaa.XsuaaServiceConfiguration;
import com.sap.cloud.security.xsuaa.token.Token;

/**
 * Validate audience using audience field content. in case this field is empty, the audience is derived from the scope field
 *
 */
public class XsuaaAudienceValidator implements OAuth2TokenValidator {
	private XsuaaServiceConfiguration xsuaaServiceConfiguration;

	public XsuaaAudienceValidator(XsuaaServiceConfiguration xsuaaServiceConfiguration) {
		this.xsuaaServiceConfiguration = xsuaaServiceConfiguration;
	}

	@Override
	public OAuth2TokenValidatorResult validate(Jwt token) {
		// case 1 : token issued by own client
		if (xsuaaServiceConfiguration.getClientId().equals(token.getClaimAsString("client_id"))) {
			return OAuth2TokenValidatorResult.success();
		} else {
			// case 2: foreign token
			List allowedAudiences = allowedAudiences(token);
			if (allowedAudiences.contains(xsuaaServiceConfiguration.getAppId())) {
				return OAuth2TokenValidatorResult.success();
			} else {
				return OAuth2TokenValidatorResult.failure(new OAuth2Error(OAuth2ErrorCodes.INVALID_CLIENT, "Missing audience " + xsuaaServiceConfiguration.getAppId(), null));
			}
		}
	}

	/**
	 * Retrieve audiences from token. In case the audience list is empty, take audiences based on the scope names.
	 *
	 * @param token
	 * @return (empty) list of audiences
	 */
	private List allowedAudiences(Jwt token) {
		List allAudiences = new ArrayList<>();
		List tokenAudiences = token.getAudience();

		if (tokenAudiences != null) {
			for (String audience : tokenAudiences) {
				if (audience.contains(".")) {
					String aud = audience.substring(0, audience.indexOf("."));
					allAudiences.add(aud);
				} else {
					allAudiences.add(audience);
				}
			}
		}

		// extract audience (app-id) from scopes
		if (allAudiences.size() == 0) {
			for (String scope : getScopes(token)) {
				if (scope.contains(".")) {
					String aud = scope.substring(0, scope.indexOf("."));
					allAudiences.add(aud);
				}
			}
		}
		return allAudiences;
	}

	private List getScopes(Jwt token) {
		List scopes = null;
		scopes = token.getClaimAsStringList(Token.CLAIM_SCOPES);
		return scopes != null ? scopes : new ArrayList<>();
	}
}