-
Notifications
You must be signed in to change notification settings - Fork 374
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for rich authorization requests #2511
base: master
Are you sure you want to change the base?
Add support for rich authorization requests #2511
Conversation
75f66df
to
f9d06d5
Compare
- Accept 'authorization_details' field in the authorization request. - Persist code and consent authorization details in the database. - Add support for oauth.rar and oauth.rar.common modules. - Read custom implementations of AuthorizationDetailsProvider from SPI. - Display rich authorization details in the consent UI.
f9d06d5
to
c8d568e
Compare
@@ -2980,6 +3014,22 @@ private String doUserAuthorization(OAuthMessage oAuthMessage, String sessionData | |||
return handleAuthorizationFailureBeforeConsent(oAuthMessage, oauth2Params, authorizeRespDTO); | |||
} | |||
|
|||
try { | |||
validateAuthorizationDetailsBeforeConsent(oAuthMessage, oauth2Params, authzReqDTO); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
make sure to add diagnostic logs
OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext = | ||
oAuthMessage.getSessionDataCacheEntry().getAuthzReqMsgCtx(); | ||
oAuthAuthzReqMessageContext.setAuthorizationDetails(validatedAuthorizationDetails); | ||
} catch (IdentityOAuth2Exception | InvalidOAuthClientException e) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why we catch client exception and throw system exception here?
// Append authorization details to consent page url | ||
if (AuthorizationDetailsUtils.isRichAuthorizationRequest(params)) { | ||
consentPageUrl = consentPageUrl + "&" + AuthorizationDetailsConstants.AUTHORIZATION_DETAILS + "=" | ||
+ URLEncoder.encode(params.getAuthorizationDetails().toJsonString(), UTF_8); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it good to encode an entire JSON string and send it as a parameter? This can cause several issues
public int[] addUserConsentedAuthorizationDetails( | ||
final List<AuthorizationDetailsConsentDTO> authorizationDetailsConsentDTOs) throws SQLException { | ||
|
||
try (final Connection connection = IdentityDatabaseUtil.getDBConnection(false); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why not apply a transaction here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please check the other places
// Private constructor to prevent instantiation | ||
} | ||
|
||
public static final String ADD_OAUTH2_CODE_AUTHORIZATION_DETAILS = |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please make sure to check json persist with all db types
* @throws OAuthSystemException If there is an error during the validation process. | ||
* @throws AuthorizationDetailsProcessingException If there is an error processing the authorization details. | ||
*/ | ||
private void validateAuthorizationDetailsBeforeConsent(final OAuthMessage oAuthMessage, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can we move this validation logic to service layer where we validate scopes?
Please clearly specify the following:
|
- Accept 'authorization_details' field in the token request - Persist access token authorization details in the database - Moving common logic from oauth.rar.common module to a new rar package within oauth module - Adds RAR support for hybrid authorization flows
47c6ba1
to
87e7c19
Compare
87e7c19
to
dd8f27f
Compare
- Add unit tests - Add 'authorization_details_types_supported' to /.well-known response
8319668
to
faa5e31
Compare
Please take one of the following actions:
Your prompt attention to this matter is greatly appreciated. Thank you for your understanding and collaboration! 🙏 |
Proposed changes in this pull request
This PR introduces several enhancements and features related to managing
authorization_details
:Related Issues
When should this PR be merged
[Please describe any preconditions that need to be addressed before we
can merge this pull request.]
Follow up actions
[List any possible follow-up actions here; for instance, testing data
migrations, software that we need to install on staging and production
environments.]
Checklist (for reviewing)
General
Functionality
Code
Tests
Security
Documentation