Make TokenService responsible for not set properties to make framework adoption easier

Add InvalidRequestException for missing fields
IdentityService should also be able to validate scopes for more flexibility
BasicAuth should return nullables

Author: adhesivee

kotlin-oauth2-server-core/pom.xml

@@ -10,4 +10,25 @@
     <modelVersion>4.0.0</modelVersion>
 
     <artifactId>kotlin-oauth2-server-core</artifactId>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-engine</artifactId>
+            <version>5.2.0</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.mockk</groupId>
+            <artifactId>mockk</artifactId>
+            <version>1.8.6</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.hamcrest</groupId>
+            <artifactId>hamcrest-library</artifactId>
+            <version>1.3</version>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
 </project>

kotlin-oauth2-server-core/src/main/java/nl/myndocs/oauth2/TokenService.kt

@@ -1,10 +1,7 @@
 package nl.myndocs.oauth2
 
 import nl.myndocs.oauth2.client.ClientService
-import nl.myndocs.oauth2.exception.InvalidClientException
-import nl.myndocs.oauth2.exception.InvalidGrantException
-import nl.myndocs.oauth2.exception.InvalidIdentityException
-import nl.myndocs.oauth2.exception.InvalidScopeException
+import nl.myndocs.oauth2.exception.*
 import nl.myndocs.oauth2.identity.IdentityService
 import nl.myndocs.oauth2.request.*
 import nl.myndocs.oauth2.response.TokenResponse
@@ -24,6 +21,7 @@ class TokenService(
         private val refreshTokenConverter: RefreshTokenConverter,
         private val codeTokenConverter: CodeTokenConverter
 ) {
+    private val INVALID_REQUEST_FIELD_MESSAGE = "'%s' field is missing"
     /**
      * @throws InvalidIdentityException
      * @throws InvalidClientException
@@ -32,28 +30,40 @@ class TokenService(
     fun authorize(passwordGrantRequest: PasswordGrantRequest): TokenResponse {
         throwExceptionIfUnverifiedClient(passwordGrantRequest)
 
+        if (passwordGrantRequest.username == null) {
+            throw InvalidRequestException(INVALID_REQUEST_FIELD_MESSAGE.format("username"))
+        }
+
+        if (passwordGrantRequest.password == null) {
+            throw InvalidRequestException(INVALID_REQUEST_FIELD_MESSAGE.format("password"))
+        }
+
         val requestedClient = clientService.clientOf(
-                passwordGrantRequest.clientId
+                passwordGrantRequest.clientId!!
         )!!
         val requestedIdentity = identityService.identityOf(
                 requestedClient, passwordGrantRequest.username
         )
 
-        if (requestedIdentity == null || !identityService.validIdentity(requestedClient, requestedIdentity, passwordGrantRequest.password)) {
+        if (requestedIdentity == null || !identityService.validCredentials(requestedClient, requestedIdentity, passwordGrantRequest.password)) {
             throw InvalidIdentityException()
         }
 
         var requestedScopes = ScopeParser.parseScopes(passwordGrantRequest.scope)
                 .toSet()
 
-        if (requestedScopes.isEmpty()) {
+        if (passwordGrantRequest.scope == null) {
             requestedScopes = requestedClient.clientScopes
         }
 
-        val clientDiffScopes = diffScopes(requestedClient.clientScopes, requestedScopes)
+        val scopesAllowed = scopesAllowed(requestedClient.clientScopes, requestedScopes)
 
-        if (clientDiffScopes.isNotEmpty()) {
-            throw InvalidScopeException(clientDiffScopes)
+        if (!scopesAllowed) {
+            throw InvalidScopeException(requestedScopes.minus(requestedClient.clientScopes))
+        }
+
+        if (!identityService.validScopes(requestedClient, requestedIdentity, requestedScopes)) {
+            throw InvalidScopeException(requestedScopes)
         }
 
         val accessToken = accessTokenConverter.convertToToken(
@@ -75,6 +85,14 @@ class TokenService(
     fun authorize(authorizationCodeRequest: AuthorizationCodeRequest): TokenResponse {
         throwExceptionIfUnverifiedClient(authorizationCodeRequest)
 
+        if (authorizationCodeRequest.code == null) {
+            throw InvalidRequestException(INVALID_REQUEST_FIELD_MESSAGE.format("code"))
+        }
+
+        if (authorizationCodeRequest.redirectUri == null) {
+            throw InvalidRequestException(INVALID_REQUEST_FIELD_MESSAGE.format("redirect_uri"))
+        }
+
         val consumeCodeToken = tokenStore.consumeCodeToken(authorizationCodeRequest.code)
                 ?: throw InvalidGrantException()
 
@@ -102,6 +120,10 @@ class TokenService(
     fun refresh(refreshTokenRequest: RefreshTokenRequest): TokenResponse {
         throwExceptionIfUnverifiedClient(refreshTokenRequest)
 
+        if (refreshTokenRequest.refreshToken == null) {
+            throw InvalidRequestException(INVALID_REQUEST_FIELD_MESSAGE.format("refresh_token"))
+        }
+
         val refreshToken = tokenStore.refreshToken(refreshTokenRequest.refreshToken) ?: throw InvalidGrantException()
 
         val accessToken = accessTokenConverter.convertToToken(
@@ -117,20 +139,40 @@ class TokenService(
     }
 
     fun redirect(redirect: RedirectAuthorizationCodeRequest): CodeToken {
+        if (redirect.clientId == null) {
+            throw InvalidRequestException(INVALID_REQUEST_FIELD_MESSAGE.format("client_id"))
+        }
+
+        if (redirect.username == null) {
+            throw InvalidRequestException(INVALID_REQUEST_FIELD_MESSAGE.format("username"))
+        }
+
+        if (redirect.password == null) {
+            throw InvalidRequestException(INVALID_REQUEST_FIELD_MESSAGE.format("password"))
+        }
+        if (redirect.redirectUri == null) {
+            throw InvalidRequestException(INVALID_REQUEST_FIELD_MESSAGE.format("redirect_uri"))
+        }
+
         val clientOf = clientService.clientOf(redirect.clientId) ?: throw InvalidClientException()
+
+        if (!clientOf.redirectUris.contains(redirect.redirectUri)) {
+            throw InvalidGrantException("invalid 'redirect_uri'")
+        }
+
         val identityOf = identityService.identityOf(clientOf, redirect.username) ?: throw InvalidIdentityException()
 
-        var validIdentity = identityService.validIdentity(clientOf, identityOf, redirect.password)
+        var validIdentity = identityService.validCredentials(clientOf, identityOf, redirect.password)
 
         if (!validIdentity) {
             throw InvalidIdentityException()
         }
 
         val requestedScopes = ScopeParser.parseScopes(redirect.scope)
 
-        val diffScopes = diffScopes(clientOf.clientScopes, requestedScopes)
-        if (diffScopes.isNotEmpty()) {
-            throw InvalidScopeException(diffScopes)
+        val scopesAllowed = scopesAllowed(clientOf.clientScopes, requestedScopes)
+        if (!scopesAllowed) {
+            throw InvalidScopeException(requestedScopes.minus(clientOf.clientScopes))
         }
 
         val codeToken = codeTokenConverter.convertToToken(
@@ -147,19 +189,23 @@ class TokenService(
     }
 
     private fun throwExceptionIfUnverifiedClient(clientRequest: ClientRequest) {
-        val client = clientService.clientOf(clientRequest.clientId) ?: throw InvalidClientException()
+        if (clientRequest.clientId == null) {
+            throw InvalidRequestException(INVALID_REQUEST_FIELD_MESSAGE.format("client_id"))
+        }
 
-        if (!clientService.validClient(client, clientRequest.clientSecret)) {
-            throw InvalidClientException()
+        if (clientRequest.clientSecret == null) {
+            throw InvalidRequestException(INVALID_REQUEST_FIELD_MESSAGE.format("client_secret"))
         }
-    }
 
-    private fun diffScopes(allowedScopes: Set<String>, validationScopes: Set<String>): Set<String> {
-        if (allowedScopes.containsAll(validationScopes)) {
-            return validationScopes.minus(allowedScopes)
+        val client = clientService.clientOf(clientRequest.clientId!!) ?: throw InvalidClientException()
+
+        if (!clientService.validClient(client, clientRequest.clientSecret!!)) {
+            throw InvalidClientException()
         }
+    }
 
-        return setOf()
+    private fun scopesAllowed(clientScopes: Set<String>, requestedScopes: Set<String>): Boolean {
+        return clientScopes.containsAll(requestedScopes)
     }
 
     private fun AccessToken.toTokenResponse() = TokenResponse(

kotlin-oauth2-server-core/src/main/java/nl/myndocs/oauth2/exception/InvalidGrantException.kt

@@ -1,3 +1,3 @@
 package nl.myndocs.oauth2.exception
 
-class InvalidGrantException : OauthException(OauthError.INVALID_GRANT)
+open class InvalidGrantException(message: String? = null) : OauthException(OauthError.INVALID_GRANT, message)

kotlin-oauth2-server-core/src/main/java/nl/myndocs/oauth2/exception/InvalidIdentityException.kt

@@ -1,3 +1,3 @@
 package nl.myndocs.oauth2.exception
 
-class InvalidIdentityException : Exception()
+class InvalidIdentityException : InvalidGrantException()

kotlin-oauth2-server-core/src/main/java/nl/myndocs/oauth2/exception/InvalidRequestException.kt

@@ -0,0 +1,3 @@
+package nl.myndocs.oauth2.exception
+
+class InvalidRequestException(message: String) : OauthException(OauthError.INVALID_REQUEST, message)

kotlin-oauth2-server-core/src/main/java/nl/myndocs/oauth2/identity/IdentityService.kt

@@ -5,5 +5,7 @@ import nl.myndocs.oauth2.client.Client
 interface IdentityService {
     fun identityOf(forClient: Client, username: String): Identity?
 
-    fun validIdentity(forClient: Client, identity: Identity, password: String): Boolean
+    fun validCredentials(forClient: Client, identity: Identity, password: String): Boolean
+
+    fun validScopes(forClient: Client, identity: Identity, scopes: Set<String>): Boolean
 }

kotlin-oauth2-server-core/src/main/java/nl/myndocs/oauth2/request/AuthorizationCodeRequest.kt

@@ -1,10 +1,10 @@
 package nl.myndocs.oauth2.request
 
 data class AuthorizationCodeRequest(
-        override val clientId: String,
-        override val clientSecret: String,
-        val code: String,
-        val redirectUri: String
+        override val clientId: String?,
+        override val clientSecret: String?,
+        val code: String?,
+        val redirectUri: String?
 ) : ClientRequest {
     val grant_type = "authorization_code"
 }

kotlin-oauth2-server-core/src/main/java/nl/myndocs/oauth2/request/ClientRequest.kt

@@ -1,6 +1,6 @@
 package nl.myndocs.oauth2.request
 
 interface ClientRequest {
-    val clientId: String
-    val clientSecret: String
+    val clientId: String?
+    val clientSecret: String?
 }

kotlin-oauth2-server-core/src/main/java/nl/myndocs/oauth2/request/PasswordGrantRequest.kt

@@ -1,10 +1,10 @@
 package nl.myndocs.oauth2.request
 
 data class PasswordGrantRequest(
-        override val clientId: String,
-        override val clientSecret: String,
-        val username: String,
-        val password: String,
+        override val clientId: String?,
+        override val clientSecret: String?,
+        val username: String?,
+        val password: String?,
         val scope: String?
 ) : ClientRequest {
     val grant_type = "password"

kotlin-oauth2-server-core/src/main/java/nl/myndocs/oauth2/request/RedirectAuthorizationCodeRequest.kt

@@ -1,9 +1,9 @@
 package nl.myndocs.oauth2.request
 
 class RedirectAuthorizationCodeRequest(
-        val clientId: String,
-        val redirectUri: String,
-        val username: String,
-        val password: String,
+        val clientId: String?,
+        val redirectUri: String?,
+        val username: String?,
+        val password: String?,
         val scope: String?
 )