myndocs
diff --git a/‎kotlin-oauth2-server-core/src/main/java/nl/myndocs/oauth2/TokenService.kt‎
Lines changed: 31 additions & 2 deletions b/‎kotlin-oauth2-server-core/src/main/java/nl/myndocs/oauth2/TokenService.kt‎
Lines changed: 31 additions & 2 deletions
diff --git a/‎kotlin-oauth2-server-core/src/main/java/nl/myndocs/oauth2/exception/OauthExceptionUtil.kt‎
Lines changed: 14 additions & 0 deletions b/‎kotlin-oauth2-server-core/src/main/java/nl/myndocs/oauth2/exception/OauthExceptionUtil.kt‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎kotlin-oauth2-server-core/src/main/java/nl/myndocs/oauth2/identity/UserInfo.kt‎
Lines changed: 9 additions & 0 deletions b/‎kotlin-oauth2-server-core/src/main/java/nl/myndocs/oauth2/identity/UserInfo.kt‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎kotlin-oauth2-server-core/src/main/java/nl/myndocs/oauth2/token/TokenResponseUtil.kt‎
Lines changed: 10 additions & 0 deletions b/‎kotlin-oauth2-server-core/src/main/java/nl/myndocs/oauth2/token/TokenResponseUtil.kt‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎kotlin-oauth2-server-javalin/pom.xml‎
Lines changed: 29 additions & 0 deletions b/‎kotlin-oauth2-server-javalin/pom.xml‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎kotlin-oauth2-server-javalin/src/main/java/nl/myndocs/oauth2/javalin/Oauth2Server.kt‎
Lines changed: 123 additions & 0 deletions b/‎kotlin-oauth2-server-javalin/src/main/java/nl/myndocs/oauth2/javalin/Oauth2Server.kt‎
Lines changed: 123 additions & 0 deletions
diff --git a/‎kotlin-oauth2-server-javalin/src/main/java/nl/myndocs/oauth2/javalin/routing/AuthorizeRouting.kt‎
Lines changed: 59 additions & 0 deletions b/‎kotlin-oauth2-server-javalin/src/main/java/nl/myndocs/oauth2/javalin/routing/AuthorizeRouting.kt‎
Lines changed: 59 additions & 0 deletions
diff --git a/‎kotlin-oauth2-server-javalin/src/main/java/nl/myndocs/oauth2/javalin/routing/TokenRouting.kt‎
Lines changed: 48 additions & 0 deletions b/‎kotlin-oauth2-server-javalin/src/main/java/nl/myndocs/oauth2/javalin/routing/TokenRouting.kt‎
Lines changed: 48 additions & 0 deletions
@@ -3,6 +3,7 @@ package nl.myndocs.oauth2
 import nl.myndocs.oauth2.client.ClientService
 import nl.myndocs.oauth2.exception.*
 import nl.myndocs.oauth2.identity.IdentityService
+import nl.myndocs.oauth2.identity.UserInfo
 import nl.myndocs.oauth2.request.*
 import nl.myndocs.oauth2.response.TokenResponse
 import nl.myndocs.oauth2.scope.ScopeParser
@@ -168,13 +169,21 @@ class TokenService(
             throw InvalidIdentityException()
         }
 
-        val requestedScopes = ScopeParser.parseScopes(redirect.scope)
+        var requestedScopes = ScopeParser.parseScopes(redirect.scope)
+
+        if (redirect.scope == null) {
+            requestedScopes = clientOf.clientScopes
+        }
 
         val scopesAllowed = scopesAllowed(clientOf.clientScopes, requestedScopes)
         if (!scopesAllowed) {
             throw InvalidScopeException(requestedScopes.minus(clientOf.clientScopes))
         }
 
+        if (!identityService.validScopes(clientOf, identityOf, requestedScopes)) {
+            throw InvalidScopeException(requestedScopes)
+        }
+
         val codeToken = codeTokenConverter.convertToToken(
                 identityOf.username,
                 clientOf.clientId,
@@ -217,13 +226,21 @@ class TokenService(
             throw InvalidIdentityException()
         }
 
-        val requestedScopes = ScopeParser.parseScopes(redirect.scope)
+        var requestedScopes = ScopeParser.parseScopes(redirect.scope)
+
+        if (redirect.scope == null) {
+            requestedScopes = clientOf.clientScopes
+        }
 
         val scopesAllowed = scopesAllowed(clientOf.clientScopes, requestedScopes)
         if (!scopesAllowed) {
             throw InvalidScopeException(requestedScopes.minus(clientOf.clientScopes))
         }
 
+        if (!identityService.validScopes(clientOf, identityOf, requestedScopes)) {
+            throw InvalidScopeException(requestedScopes)
+        }
+
         val accessToken = accessTokenConverter.convertToToken(
                 identityOf.username,
                 clientOf.clientId,
@@ -236,6 +253,18 @@ class TokenService(
         return accessToken
     }
 
+    fun userInfo(accessToken: String): UserInfo {
+        val storedAccessToken = tokenStore.accessToken(accessToken)!!
+        val client = clientService.clientOf(storedAccessToken.clientId)!!
+        val identity = identityService.identityOf(client, storedAccessToken.username)!!
+
+        return UserInfo(
+                identity,
+                client,
+                storedAccessToken.scopes
+        )
+    }
+
     private fun throwExceptionIfUnverifiedClient(clientRequest: ClientRequest) {
         if (clientRequest.clientId == null) {
             throw InvalidRequestException(INVALID_REQUEST_FIELD_MESSAGE.format("client_id"))
 
@@ -0,0 +1,14 @@
+package nl.myndocs.oauth2.exception
+
+fun OauthException.toMap(): Map<String, String> {
+
+    val mutableMapOf = mutableMapOf<String, String>(
+            "error" to this.error.errorName
+    )
+
+    if (this.errorDescription != null) {
+        mutableMapOf["error_description"] = this.errorDescription
+    }
+
+    return mutableMapOf.toMap()
+}
@@ -0,0 +1,9 @@
+package nl.myndocs.oauth2.identity
+
+import nl.myndocs.oauth2.client.Client
+
+data class UserInfo(
+        val identity: Identity,
+        val client: Client,
+        val scopes: Set<String>
+)
@@ -0,0 +1,10 @@
+package nl.myndocs.oauth2.token
+
+import nl.myndocs.oauth2.response.TokenResponse
+
+fun TokenResponse.toMap() = mapOf(
+        "access_token" to this.accessToken,
+        "token_type" to this.tokenType,
+        "expires_in" to this.expiresIn,
+        "refresh_token" to this.refreshToken
+)
@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <parent>
+        <artifactId>kotlin-oauth2-server</artifactId>
+        <groupId>nl.myndocs</groupId>
+        <version>0.1.0</version>
+    </parent>
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>kotlin-oauth2-server-javalin</artifactId>
+
+
+    <dependencies>
+        <dependency>
+            <groupId>nl.myndocs</groupId>
+            <artifactId>kotlin-oauth2-server-core</artifactId>
+            <version>${project.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.javalin</groupId>
+            <artifactId>javalin</artifactId>
+            <version>2.0.0</version>
+            <scope>provided</scope>
+        </dependency>
+    </dependencies>
+</project>
@@ -0,0 +1,123 @@
+package nl.myndocs.oauth2.javalin
+
+import io.javalin.Javalin
+import io.javalin.apibuilder.ApiBuilder.*
+import nl.myndocs.oauth2.TokenService
+import nl.myndocs.oauth2.client.ClientService
+import nl.myndocs.oauth2.exception.InvalidGrantException
+import nl.myndocs.oauth2.exception.InvalidRequestException
+import nl.myndocs.oauth2.exception.OauthException
+import nl.myndocs.oauth2.exception.toMap
+import nl.myndocs.oauth2.identity.IdentityService
+import nl.myndocs.oauth2.identity.UserInfo
+import nl.myndocs.oauth2.javalin.routing.*
+import nl.myndocs.oauth2.token.TokenStore
+import nl.myndocs.oauth2.token.converter.*
+
+data class OauthConfiguration(
+        var identityService: IdentityService? = null,
+        var clientService: ClientService? = null,
+        var tokenStore: TokenStore? = null,
+        var tokenEndpoint: String = "/oauth/token",
+        var authorizeEndpoint: String = "/oauth/authorize",
+        var userInfoEndpoint: String = "/oauth/userinfo",
+        var accessTokenConverter: AccessTokenConverter = UUIDAccessTokenConverter(),
+        var refreshTokenConverter: RefreshTokenConverter = UUIDRefreshTokenConverter(),
+        var codeTokenConverter: CodeTokenConverter = UUIDCodeTokenConverter(),
+        var userInfoCallback: (UserInfo) -> Map<String, Any?> = { userInfo ->
+            mapOf(
+                    "username" to userInfo.identity.username,
+                    "scopes" to userInfo.scopes
+            )
+        }
+)
+
+fun Javalin.enableOauthServer(configurationCallback: OauthConfiguration.() -> Unit) {
+    val configuration = OauthConfiguration()
+    configuration.configurationCallback()
+
+    val tokenService = TokenService(
+            configuration.identityService!!,
+            configuration.clientService!!,
+            configuration.tokenStore!!,
+            configuration.accessTokenConverter,
+            configuration.refreshTokenConverter,
+            configuration.codeTokenConverter
+    )
+
+    this.routes {
+        path(configuration.tokenEndpoint) {
+            post { ctx ->
+                try {
+                    val allowedGrantTypes = setOf("password", "authorization_code", "refresh_token")
+                    val grantType = ctx.formParam("grant_type")
+                            ?: throw InvalidRequestException("'grant_type' not given")
+
+                    if (!allowedGrantTypes.contains(grantType)) {
+                        throw InvalidGrantException("'grant_type' with value '$grantType' not allowed")
+                    }
+
+                    val paramMap = ctx.formParamMap()
+                            .mapValues { ctx.formParam(it.key) }
+
+                    when (grantType) {
+                        "password" -> routePasswordGrant(ctx, tokenService, paramMap)
+                        "authorization_code" -> routeAuthorizationCodeGrant(ctx, tokenService, paramMap)
+                        "refresh_token" -> routeRefreshTokenGrant(ctx, tokenService, paramMap)
+                    }
+                } catch (oauthException: OauthException) {
+                    ctx.status(400)
+                    ctx.json(oauthException.toMap())
+                }
+
+            }
+        }
+
+        path(configuration.authorizeEndpoint) {
+            get { ctx ->
+                try {
+                    val allowedResponseTypes = setOf("code", "token")
+                    val responseType = ctx.queryParam("response_type")
+                            ?: throw InvalidRequestException("'response_type' not given")
+
+                    if (!allowedResponseTypes.contains(responseType)) {
+                        throw InvalidGrantException("'grant_type' with value '$responseType' not allowed")
+                    }
+
+                    val paramMap = ctx.queryParamMap()
+                            .mapValues { ctx.queryParam(it.key) }
+
+                    when (responseType) {
+                        "code" -> routeAuthorizationCodeRedirect(ctx, tokenService, paramMap)
+                        "token" -> routeAccessTokenRedirect(ctx, tokenService, paramMap)
+                    }
+                } catch (oauthException: OauthException) {
+                    ctx.status(400)
+                    ctx.json(oauthException.toMap())
+                }
+            }
+        }
+
+        path(configuration.userInfoEndpoint) {
+            get { ctx ->
+                val authorization = ctx.header("Authorization")
+
+                if (authorization == null) {
+                    ctx.status(401)
+                    return@get
+                }
+
+                if (!authorization.startsWith("bearer ", true)) {
+                    ctx.status(401)
+                    return@get
+                }
+
+                val token = authorization.substring(7)
+
+                val userInfoCallback = configuration.userInfoCallback(tokenService.userInfo(token))
+
+                ctx.json(userInfoCallback)
+            }
+        }
+    }
+}
@@ -0,0 +1,59 @@
+package nl.myndocs.oauth2.javalin.routing
+
+import io.javalin.Context
+import nl.myndocs.oauth2.TokenService
+import nl.myndocs.oauth2.exception.InvalidIdentityException
+import nl.myndocs.oauth2.ktor.feature.util.BasicAuth
+import nl.myndocs.oauth2.request.RedirectAuthorizationCodeRequest
+import nl.myndocs.oauth2.request.RedirectTokenRequest
+
+
+fun routeAuthorizationCodeRedirect(ctx: Context, tokenService: TokenService, queryParameters: Map<String, String?>) {
+    val authorizationHeader = ctx.header("authorization") ?: ""
+    val credentials = BasicAuth.parse(authorizationHeader)
+
+    try {
+        val redirect = tokenService.redirect(
+                RedirectAuthorizationCodeRequest(
+                        queryParameters["client_id"],
+                        queryParameters["redirect_uri"],
+                        credentials.username ?: "",
+                        credentials.password ?: "",
+                        queryParameters["scope"]
+                )
+        )
+
+
+        ctx.redirect(queryParameters["redirect_uri"] + "?code=${redirect.codeToken}")
+    } catch (unverifiedIdentityException: InvalidIdentityException) {
+        ctx.header("WWW-Authenticate", "Basic realm=\"${queryParameters["client_id"]}\"")
+        ctx.status(401)
+    }
+}
+
+
+fun routeAccessTokenRedirect(ctx: Context, tokenService: TokenService, queryParameters: Map<String, String?>) {
+    val authorizationHeader = ctx.header("authorization") ?: ""
+    val credentials = BasicAuth.parse(authorizationHeader)
+
+    try {
+        val redirect = tokenService.redirect(
+                RedirectTokenRequest(
+                        queryParameters["client_id"],
+                        queryParameters["redirect_uri"],
+                        credentials.username ?: "",
+                        credentials.password ?: "",
+                        queryParameters["scope"]
+                )
+        )
+
+        ctx.redirect(
+                queryParameters["redirect_uri"] + "#access_token=${redirect.accessToken}" +
+                        "&token_type=bearer&expires_in=${redirect.expiresIn()}"
+        )
+
+    } catch (unverifiedIdentityException: InvalidIdentityException) {
+        ctx.header("WWW-Authenticate", "Basic realm=\"${queryParameters["client_id"]}\"")
+        ctx.status(401)
+    }
+}
@@ -0,0 +1,48 @@
+package nl.myndocs.oauth2.javalin.routing
+
+import io.javalin.Context
+import nl.myndocs.oauth2.TokenService
+import nl.myndocs.oauth2.request.AuthorizationCodeRequest
+import nl.myndocs.oauth2.request.PasswordGrantRequest
+import nl.myndocs.oauth2.request.RefreshTokenRequest
+import nl.myndocs.oauth2.token.toMap
+
+
+fun routePasswordGrant(ctx: Context, tokenService: TokenService, formParams: Map<String, String?>) {
+    val tokenResponse = tokenService.authorize(
+            PasswordGrantRequest(
+                    formParams["client_id"],
+                    formParams["client_secret"],
+                    formParams["username"],
+                    formParams["password"],
+                    formParams["scope"]
+            )
+    )
+
+    ctx.json(tokenResponse.toMap())
+}
+
+fun routeRefreshTokenGrant(ctx: Context, tokenService: TokenService, formParams: Map<String, String?>) {
+    val accessToken = tokenService.refresh(
+            RefreshTokenRequest(
+                    formParams["client_id"],
+                    formParams["client_secret"],
+                    formParams["refresh_token"]
+            )
+    )
+
+    ctx.json(accessToken.toMap())
+}
+
+fun routeAuthorizationCodeGrant(ctx: Context, tokenService: TokenService, formParams: Map<String, String?>) {
+    val accessToken = tokenService.authorize(
+            AuthorizationCodeRequest(
+                    formParams["client_id"],
+                    formParams["client_secret"],
+                    formParams["code"],
+                    formParams["redirect_uri"]
+            )
+    )
+
+    ctx.json(accessToken.toMap())
+}