Support implicit flow

Author: adhesivee

kotlin-oauth2-server-core/src/main/java/nl/myndocs/oauth2/TokenService.kt

@@ -184,10 +184,58 @@ class TokenService(
 
         tokenStore.storeCodeToken(codeToken)
 
-
         return codeToken
     }
 
+    fun redirect(redirect: RedirectTokenRequest): AccessToken {
+        if (redirect.clientId == null) {
+            throw InvalidRequestException(INVALID_REQUEST_FIELD_MESSAGE.format("client_id"))
+        }
+
+        if (redirect.username == null) {
+            throw InvalidRequestException(INVALID_REQUEST_FIELD_MESSAGE.format("username"))
+        }
+
+        if (redirect.password == null) {
+            throw InvalidRequestException(INVALID_REQUEST_FIELD_MESSAGE.format("password"))
+        }
+        if (redirect.redirectUri == null) {
+            throw InvalidRequestException(INVALID_REQUEST_FIELD_MESSAGE.format("redirect_uri"))
+        }
+
+        val clientOf = clientService.clientOf(redirect.clientId) ?: throw InvalidClientException()
+
+        if (!clientOf.redirectUris.contains(redirect.redirectUri)) {
+            throw InvalidGrantException("invalid 'redirect_uri'")
+        }
+
+        val identityOf = identityService.identityOf(clientOf, redirect.username) ?: throw InvalidIdentityException()
+
+        var validIdentity = identityService.validCredentials(clientOf, identityOf, redirect.password)
+
+        if (!validIdentity) {
+            throw InvalidIdentityException()
+        }
+
+        val requestedScopes = ScopeParser.parseScopes(redirect.scope)
+
+        val scopesAllowed = scopesAllowed(clientOf.clientScopes, requestedScopes)
+        if (!scopesAllowed) {
+            throw InvalidScopeException(requestedScopes.minus(clientOf.clientScopes))
+        }
+
+        val accessToken = accessTokenConverter.convertToToken(
+                identityOf.username,
+                clientOf.clientId,
+                requestedScopes,
+                null
+        )
+
+        tokenStore.storeAccessToken(accessToken)
+
+        return accessToken
+    }
+
     private fun throwExceptionIfUnverifiedClient(clientRequest: ClientRequest) {
         if (clientRequest.clientId == null) {
             throw InvalidRequestException(INVALID_REQUEST_FIELD_MESSAGE.format("client_id"))

kotlin-oauth2-server-core/src/main/java/nl/myndocs/oauth2/request/RedirectTokenRequest.kt

@@ -0,0 +1,9 @@
+package nl.myndocs.oauth2.request
+
+class RedirectTokenRequest(
+        val clientId: String?,
+        val redirectUri: String?,
+        val username: String?,
+        val password: String?,
+        val scope: String?
+)

kotlin-oauth2-server-ktor/src/main/java/nl/myndocs/oauth2/ktor/feature/Oauth2ServerFeature.kt

@@ -6,7 +6,7 @@ import io.ktor.util.AttributeKey
 import nl.myndocs.oauth2.TokenService
 import nl.myndocs.oauth2.client.ClientService
 import nl.myndocs.oauth2.identity.IdentityService
-import nl.myndocs.oauth2.ktor.feature.routing.authorize.configureAuthorizationCodeGranting
+import nl.myndocs.oauth2.ktor.feature.routing.authorize.configureAuthorizeEndpoint
 import nl.myndocs.oauth2.ktor.feature.routing.token.configureTokenEndpoint
 import nl.myndocs.oauth2.token.TokenStore
 import nl.myndocs.oauth2.token.converter.*
@@ -51,7 +51,7 @@ class Oauth2ServerFeature(configuration: Configuration) {
 
             pipeline.intercept(ApplicationCallPipeline.Infrastructure) {
                 configureTokenEndpoint(feature)
-                configureAuthorizationCodeGranting(feature)
+                configureAuthorizeEndpoint(feature)
             }
 
             return feature

kotlin-oauth2-server-ktor/src/main/java/nl/myndocs/oauth2/ktor/feature/routing/authorize/AuthorizeEndpointRouting.kt

@@ -0,0 +1,58 @@
+package nl.myndocs.oauth2.ktor.feature.routing.authorize
+
+import io.ktor.application.ApplicationCall
+import io.ktor.application.call
+import io.ktor.http.HttpMethod
+import io.ktor.http.HttpStatusCode
+import io.ktor.pipeline.PipelineContext
+import io.ktor.request.httpMethod
+import io.ktor.request.path
+import io.ktor.response.respond
+import io.ktor.response.respondText
+import nl.myndocs.oauth2.exception.OauthException
+import nl.myndocs.oauth2.ktor.feature.Oauth2ServerFeature
+import nl.myndocs.oauth2.ktor.feature.util.toJson
+
+suspend fun PipelineContext<Unit, ApplicationCall>.configureAuthorizeEndpoint(feature: Oauth2ServerFeature) {
+    try {
+        if (call.request.httpMethod != HttpMethod.Get) {
+            proceed()
+            return
+        }
+
+        val requestPath = call.request.path()
+        if (requestPath != feature.authorizeEndpoint) {
+            proceed()
+            return
+        }
+
+        val allowedResponseTypes = setOf("code", "token")
+        val responseType = call.request.queryParameters["response_type"]
+
+        if (responseType == null) {
+            call.respond(HttpStatusCode.BadRequest, "'response_type' not given")
+            finish()
+            return
+        }
+
+        if (!allowedResponseTypes.contains(responseType)) {
+            call.respond(HttpStatusCode.BadRequest, "'response_type' with value '$responseType' not allowed")
+            finish()
+            return
+        }
+
+        try {
+            when (responseType) {
+                "code" -> configureAuthorizationCodeGranting(feature)
+                "token" -> configureImplicitTokenGranting(feature)
+            }
+        } catch (oauthException: OauthException) {
+            call.respondText(text = oauthException.toJson(), status = HttpStatusCode.BadRequest)
+            finish()
+            return
+        }
+
+    } catch (t: Throwable) {
+        t.printStackTrace()
+    }
+}

kotlin-oauth2-server-ktor/src/main/java/nl/myndocs/oauth2/ktor/feature/routing/authorize/TokenRouting.kt

@@ -0,0 +1,47 @@
+package nl.myndocs.oauth2.ktor.feature.routing.authorize
+
+import io.ktor.application.ApplicationCall
+import io.ktor.application.call
+import io.ktor.http.HttpStatusCode
+import io.ktor.pipeline.PipelineContext
+import io.ktor.request.header
+import io.ktor.response.header
+import io.ktor.response.respond
+import io.ktor.response.respondRedirect
+import nl.myndocs.oauth2.exception.InvalidIdentityException
+import nl.myndocs.oauth2.ktor.feature.Oauth2ServerFeature
+import nl.myndocs.oauth2.ktor.feature.util.BasicAuth
+import nl.myndocs.oauth2.request.RedirectTokenRequest
+
+suspend fun PipelineContext<Unit, ApplicationCall>.configureImplicitTokenGranting(feature: Oauth2ServerFeature) {
+    val queryParameters = call.request.queryParameters
+
+    val authorizationHeader = call.request.header("authorization") ?: ""
+    val credentials = BasicAuth.parse(authorizationHeader)
+
+    try {
+        val redirect = feature.tokenService.redirect(
+                RedirectTokenRequest(
+                        queryParameters["client_id"],
+                        queryParameters["redirect_uri"],
+                        credentials.username ?: "",
+                        credentials.password ?: "",
+                        queryParameters["scope"]
+                )
+        )
+
+
+        call.respondRedirect(
+                queryParameters["redirect_uri"] + "#access_token=${redirect.accessToken}" +
+                        "&token_type=bearer&expires_in=${redirect.expiresIn()}"
+        )
+
+        finish()
+        return
+    } catch (unverifiedIdentityException: InvalidIdentityException) {
+        call.response.header("WWW-Authenticate", "Basic realm=\"${queryParameters["client_id"]}\"")
+        call.respond(HttpStatusCode.Unauthorized)
+        finish()
+        return
+    }
+}

kotlin-oauth2-server-ktor/src/main/java/nl/myndocs/oauth2/ktor/feature/routing/token/TokenEndpointRouting.kt

@@ -27,7 +27,7 @@ suspend fun PipelineContext<Unit, ApplicationCall>.configureTokenEndpoint(featur
         }
         val formParams = call.receiveParameters()
 
-        val allowedGrantTypes = setOf("password", "implicit", "authorization_code", "refresh_token")
+        val allowedGrantTypes = setOf("password", "authorization_code", "refresh_token")
         val grantType = formParams["grant_type"]
         if (grantType == null) {
             call.respond(HttpStatusCode.BadRequest, "'grant_type' not given")