Class ClientUtils


  • public class ClientUtils
    extends Object

    Created by Jeff Gaynor
    on 2/9/21 at 3:09 PM

    • Constructor Detail

      • ClientUtils

        public ClientUtils()
    • Method Detail

      • computeATLifetime

        public static long computeATLifetime(OA2ServiceTransaction st2,
                                             OA2Client client,
                                             OA2SE oa2SE)
        Scorecard:
                      server default | oa2SE.getAccessTokenLifetime()
                  server default max | oa2SE.getMaxATLifetime()
                  client default max | client.getAtLifetime()
         value in cfg access element | client.getAccessTokensConfig().getLifetime()
                value in the request | st2.getRequestedATLifetime()
             actual definitive value | st2.getAccessTokenLifetime()
                              result | actual definitive value

        Policies: no lifetime can exceed the non-zero max of the server and client defaults. These are hard limits placed there by administrators.

        Note that inside of scripts, these can be reset to anything, so

        st2.getAtData()

        has the final, definitive values. Once this has been set in the first pass, it **must** be authoritative.

        Parameters:
        st2 -
        Returns:
      • computeRefreshLifetime

        public static long computeRefreshLifetime(OA2ServiceTransaction st2,
                                                  OA2Client client,
                                                  OA2SE oa2SE)
        The lifetime of the refresh token. This is the non-zero minimum of the client's requested lifetime, the user's request at authorization time and the server global limit.
        Parameters:
        st2 -
        Returns:
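        The two lifetime policies above (a hard cap that is the non-zero max of the server and client maxima for access tokens; the non-zero minimum of client, user and server values for refresh tokens) are easy to get wrong when 0 means "not configured". The following stand-alone class is an added illustration written for this page, not OA4MP code: it uses plain long values instead of the OA2ServiceTransaction, OA2Client and OA2SE objects, and the precedence it uses to pick the access-token candidate (request, then client access config, then server default) is an assumption, not something this page states.

```java
import java.util.stream.LongStream;

/**
 * Illustrative model (not OA4MP code) of the lifetime policies described
 * in the Javadoc above. Assumption: a value of 0 means "not configured"
 * and is ignored when taking a max or min.
 */
public final class LifetimePolicyDemo {

    /** Largest non-zero value, or 0 if nothing is configured. */
    static long nonZeroMax(long... values) {
        return LongStream.of(values).filter(v -> v > 0).max().orElse(0L);
    }

    /** Smallest non-zero value, or 0 if nothing is configured. */
    static long nonZeroMin(long... values) {
        return LongStream.of(values).filter(v -> v > 0).min().orElse(0L);
    }

    /**
     * Access token lifetime. The hard cap is the non-zero max of the server
     * and client maxima (an administrator limit). The candidate value is the
     * most specific configured one; the precedence request > client access
     * config > server default is an assumption made for this demo.
     */
    static long computeATLifetime(long serverDefault, long serverMax, long clientMax,
                                  long clientCfgLifetime, long requested) {
        long cap = nonZeroMax(serverMax, clientMax);
        long candidate = requested > 0 ? requested
                       : clientCfgLifetime > 0 ? clientCfgLifetime
                       : serverDefault;
        if (cap > 0 && candidate > cap) {
            return cap; // the administrators' hard limit always wins
        }
        return candidate;
    }

    /**
     * Refresh token lifetime: the non-zero minimum of the client's requested
     * lifetime, the user's request at authorization time and the server limit.
     */
    static long computeRefreshLifetime(long clientRequested, long userRequested, long serverLimit) {
        return nonZeroMin(clientRequested, userRequested, serverLimit);
    }

    public static void main(String[] args) {
        // Constructed sample values in milliseconds; not from any real deployment.
        long minute = 60_000L, hour = 60 * minute, day = 24 * hour;

        // Request asks for a day, but the server max is an hour: capped to an hour.
        System.out.println("AT, capped:      " + computeATLifetime(15 * minute, hour, 0, 0, day));

        // Nothing requested; the client access config sets 30 minutes, under the cap.
        System.out.println("AT, from client: " + computeATLifetime(15 * minute, hour, 0, 30 * minute, 0));

        // Client max (2 hours) exceeds server max (1 hour): the non-zero max is the cap.
        System.out.println("AT, client cap:  " + computeATLifetime(15 * minute, hour, 2 * hour, 0, day));

        // Refresh: client value 0 (unset) is ignored; min(2 days, 1 day) is 1 day.
        System.out.println("RT:              " + computeRefreshLifetime(0, 2 * day, day));
    }
}
```

        Compile and run with `javac LifetimePolicyDemo.java && java LifetimePolicyDemo`. Filtering zeros before taking the max or min is the whole point: a naive `Math.min` over raw values would treat an unset limit as "zero lifetime", and a naive `Math.max` would let an unset value never cap anything.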
      • verifyClientSecret

        public static void verifyClientSecret(OA2Client client,
                                              String rawSecret,
                                              boolean isAT)
        This verifies secrets. Only call it if the client has a secret (e.g. do not call this if the client is public), because it performs various checks on the assumption that the client must have a secret and raises errors if the secret is missing, etc.
        Parameters:
        client -
        rawSecret -
        isAT -
      • getClientSecret

        public static String getClientSecret(javax.servlet.http.HttpServletRequest request,
                                             String raw)
        This either peels the secret off the parameter list if it is there or from the headers. It merely returns the raw string that is the secret. No checking against a client is done. Also, a null is a perfectly acceptable return value if there is no secret, e.g. the client is public.
        Parameters:
        request -
        Returns:
      • resolveScopes

        public static Collection<String> resolveScopes(TransactionState transactionState,
                                                       OA2Client oa2Client,
                                                       boolean isRFC8628)
        This method takes the scopes that the client sends in its request and checks them against the scopes the client is allowed to request. The result is the list of permitted scopes. This is also where omitting the openid scope causes the request to be rejected.
        Parameters:
        transactionState -
        Returns:
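        The scope policy described above (keep only the scopes the client is registered for; reject a request that omits openid) is shown below as an added, stand-alone illustration written for this page; it is not OA4MP code. It replaces TransactionState and OA2Client with a space-separated scope string and a plain set of allowed scopes, ignores the isRFC8628 (device flow) distinction, and uses its own exception type, all of which are assumptions for the demo.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/** Illustrative model (not OA4MP code) of resolveScopes as described above. */
public final class ScopeResolutionDemo {

    /** Hypothetical exception for this demo: the request omitted the mandatory openid scope. */
    static final class MissingOpenIdScopeException extends RuntimeException {
        MissingOpenIdScopeException() {
            super("request must include the openid scope");
        }
    }

    /**
     * Parse the scope parameter (space-separated per RFC 6749) and keep only the
     * scopes the client is allowed to request. Unknown or unregistered scopes are
     * silently dropped rather than escalating what the client asked for.
     */
    static Collection<String> resolveScopes(String scopeParam, Set<String> allowedForClient) {
        List<String> requested = scopeParam == null || scopeParam.isBlank()
                ? List.of()
                : Arrays.asList(scopeParam.trim().split("\\s+"));
        if (!requested.contains("openid")) {
            throw new MissingOpenIdScopeException();
        }
        // LinkedHashSet keeps request order and removes duplicates.
        LinkedHashSet<String> permitted = new LinkedHashSet<>();
        for (String scope : requested) {
            if (allowedForClient.contains(scope)) {
                permitted.add(scope);
            }
        }
        return permitted;
    }

    public static void main(String[] args) {
        // Constructed registration: this client may request openid, profile and email.
        Set<String> allowed = Set.of("openid", "profile", "email");

        // "admin" is not registered for the client and is dropped from the result.
        System.out.println(resolveScopes("openid profile email admin profile", allowed));

        // Omitting openid rejects the whole request.
        try {
            resolveScopes("profile email", allowed);
        } catch (MissingOpenIdScopeException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

        Compile and run with `javac ScopeResolutionDemo.java && java ScopeResolutionDemo`. Resolving scopes against the client registration, rather than trusting the request, is what keeps a client from obtaining tokens with scopes it was never granted.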