Class ProxyUtils


  • public class ProxyUtils
    extends Object
    Class with shared proxy utilities. The client uses this to send requests via the proxy. The server hosting the proxy uses the RFC8628 servlets to process these.

    Created by Jeff Gaynor
    on 3/4/22 at 4:55 PM

    • Field Detail

      • LOCAL_DF_CONSENT_XA

        public static final String LOCAL_DF_CONSENT_XA
        For device flows, if requiring local consent is enabled, this is the parameter that is sent. It is the redirect on the proxy side back to this site's consent machinery.
    • Constructor Detail

      • ProxyUtils

        public ProxyUtils()
    • Method Detail

      • startProxyAuthCodeFlow

        protected static void startProxyAuthCodeFlow​(OA2SE oa2SE,
                                                     OA2ServiceTransaction t,
                                                     javax.servlet.http.HttpServletResponse response)
                                              throws Throwable
        Starts the authorization code flow in the proxy. It redirects the user's browser. When done, the proxy calls back to the ProxyCallbackServlet's ready endpoint.
        Parameters:
        oa2SE -
        t -
        response -
        Throws:
        Throwable
      • getProxyAccessToken

        protected static void getProxyAccessToken​(OA2SE oa2SE,
                                                  OA2ServiceTransaction t)
                                           throws Throwable
        Gets the access token from the Proxy. This then finishes setting up the claims locally.
        Parameters:
        oa2SE -
        t -
        Throws:
        Throwable
      • toOA2ATException

        protected static OA2ATException toOA2ATException​(edu.uiuc.ncsa.security.servlet.ServiceClientHTTPException serviceClientHTTPException,
                                                         OA2ServiceTransaction t)
        Handles various types of exceptions, transforming them to an OA2ATException.
        Parameters:
        serviceClientHTTPException -
        t -
        Returns:
      • setClaimsFromProxy

        protected static void setClaimsFromProxy​(OA2ServiceTransaction t,
                                                 net.sf.json.JSONObject proxyClaims,
                                                 edu.uiuc.ncsa.security.core.util.MetaDebugUtil debugger)
        Takes the claims returned from the proxy and adds them to the transaction.
        Parameters:
        t -
        proxyClaims -
        debugger -
      • doProxyClaimsRefresh

        protected static void doProxyClaimsRefresh​(OA2SE oa2SE,
                                                   OA2ServiceTransaction t)
                                            throws Throwable
        Attempt to do a refresh of the claims from the proxy server. This is not used yet since there are a lot of policy type decisions to make. For instance, what if the lifetimes of tokens on the proxy are much shorter than on the server? Then there has to be some way to communicate that no updates to the claims are possible.
        Parameters:
        oa2SE -
        t -
        Throws:
        Exception
        Throwable
      • getRequestScopes

        protected static Collection<String> getRequestScopes​(OA2ServiceTransaction t,
                                                             OA2CLCCommands clcCommands)
        This will take the various bits and determine the actual scopes that should be in the request to the proxy.

        Logic

        • forward scopes to proxy: true
               ⇒ forward everything allowed
        • forward scopes to proxy: false
          • OA2Client.getProxyRequestScopes() is trivial
                 ⇒ forward full set of configured scopes for the proxy
          • else
                 ⇒ forward intersection of this list with the configured scopes for the proxy
          • If the proxy request scopes contain the reserved scope NO_PROXY_SCOPES, then request no scopes at all from the proxy server.
        When we say above to forward everything allowed, we mean that the policies for scopes are applied to the request as per usual (e.g. a public client with strict scopes on cannot even make a request with extra scopes). On top of this, even if the client requests forwarding, the proxy itself may restrict scopes and is free to reject them.
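        The selection logic above as a stand-alone sketch. This is an added example, not the project's own code: the class, method and parameter names are hypothetical, and the scope values are constructed. It assumes "trivial" means null or empty, that the reserved scope is checked before intersecting, and that the first collection already has the local scope policies applied.

```java
import java.util.*;

public class ProxyScopeSketch {
    // Placeholder: the page names the reserved scope NO_PROXY_SCOPES but not its string value.
    static final String NO_PROXY_SCOPES = "<NO_PROXY_SCOPES placeholder>";

    /**
     * @param forwardScopes        the client's "forward scopes to proxy" flag
     * @param allowedRequestScopes scopes in the request after local policies ran (assumption)
     * @param proxyRequestScopes   stands in for OA2Client.getProxyRequestScopes()
     * @param configuredForProxy   scopes the server is configured to use with the proxy
     */
    static Collection<String> resolve(boolean forwardScopes,
                                      Collection<String> allowedRequestScopes,
                                      Collection<String> proxyRequestScopes,
                                      Collection<String> configuredForProxy) {
        if (forwardScopes) {
            // Forward everything allowed; the proxy may still reject some of these.
            return new LinkedHashSet<>(allowedRequestScopes);
        }
        if (proxyRequestScopes == null || proxyRequestScopes.isEmpty()) {
            // Trivial list: fall back to the full configured set.
            return new LinkedHashSet<>(configuredForProxy);
        }
        if (proxyRequestScopes.contains(NO_PROXY_SCOPES)) {
            // Reserved scope present: request nothing from the proxy.
            return Collections.emptySet();
        }
        // Otherwise only scopes that are both listed for the client and configured.
        Set<String> result = new LinkedHashSet<>(proxyRequestScopes);
        result.retainAll(configuredForProxy);
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from any real deployment.
        List<String> configured = List.of("openid", "email", "profile");
        List<String> requested = List.of("openid", "org.example:read");
        List<String> none = List.of();

        System.out.println("forwarding on:   " + resolve(true, requested, none, configured));
        System.out.println("trivial list:    " + resolve(false, requested, none, configured));
        System.out.println("intersection:    "
                + resolve(false, requested, List.of("email", "offline_access"), configured));
        System.out.println("NO_PROXY_SCOPES: "
                + resolve(false, requested, List.of("email", NO_PROXY_SCOPES), configured));
    }
}
```

        Only the forwarding branch can send the proxy a scope outside the configured set, which is why the note above about the proxy restricting or rejecting scopes matters most there.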
        Parameters:
        t -
        clcCommands -
        Returns: