package org.gcube.portlets.admin;
import java.io.UnsupportedEncodingException;
import java.net.URL;
import java.net.URLEncoder;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Collectors;

import org.gcube.oidc.rest.JWTToken;
import org.gcube.oidc.rest.OpenIdConnectRESTHelper;
import org.gcube.oidc.rest.OpenIdConnectRESTHelperException;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
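public class OpenIdConnectRESTHelperExtended extends OpenIdConnectRESTHelper {

    protected static final Logger logger = LoggerFactory.getLogger(OpenIdConnectRESTHelperExtended.class);

    /** Charset used for form-encoding parameter values; every conforming JVM supports it. */
    private static final String FORM_CHARSET = "UTF-8";

    /**
     * Queries from the OIDC server an exchanged token (RFC 8693 token exchange) by using the provided access token,
     * for the given audience (context), in URLEncoded form or not, and optionally a list of permissions.
     * <p>
     * The exchange is authenticated with the client credentials placed in the POST body, so no
     * {@code Authorization} header is sent. Parameter values are placed in the form map already URL-encoded
     * where needed (audience and permissions), consistently with the {@code permissions} handling of the parent
     * helper; {@code authorization}, {@code client_id} and {@code client_secret} are passed through verbatim, as
     * before.
     *
     * @param tokenUrl the token endpoint {@link URL} of the OIDC server
     * @param authorization the access token to exchange; it is sent as the {@code subject_token} form parameter
     *        (NOTE(review): it is not used as an HTTP header here, so presumably the bare token without any
     *        "Bearer " prefix is expected — confirm with callers)
     * @param audience the audience (context) where to request the issuing of the ticket; a value starting with
     *        {@code /} is treated as raw and URL-encoded once, any other value is assumed to be already URLEncoded
     * @param client_id the identifier of the OIDC client performing the exchange
     * @param client_secret the secret of the OIDC client; it is transmitted in the POST body and is never logged
     * @param permissions a list of permissions, can be <code>null</code>
     * @return the issued token
     * @throws OpenIdConnectRESTHelperException if an error occurs (also an unauthorized call), inspect the exception
     *         for details
     * @throws NullPointerException if {@code audience} is <code>null</code>
     */
    public static JWTToken queryExchangeToken(URL tokenUrl, String authorization, String audience, String client_id,
            String client_secret, List<String> permissions) throws OpenIdConnectRESTHelperException {

        Objects.requireNonNull(audience, "audience");
        logger.info("Queried exchangeToken for context " + audience);

        Map<String, List<String>> params = new HashMap<>();
        params.put("subject_token", Arrays.asList(authorization));
        params.put("client_id", Arrays.asList(client_id));
        // The secret travels only in the request body: keep it out of every log statement.
        // NOTE(review): like the subject token, it is not URL-encoded here; this assumes it contains only
        // form-safe characters — confirm against the secrets actually issued.
        params.put("client_secret", Arrays.asList(client_secret));
        params.put("grant_type", Arrays.asList("urn:ietf:params:oauth:grant-type:token-exchange"));
        params.put("subject_token_type", Arrays.asList("urn:ietf:params:oauth:token-type:access_token"));
        params.put("requested_token_type", Arrays.asList("urn:ietf:params:oauth:token-type:access_token"));

        // Encode the audience exactly once: a raw context path ("/...") is encoded here, anything else is
        // documented as already encoded. Encoding again unconditionally would turn "/" into "%252F" and the
        // server would see a different audience than the one requested.
        String encodedAudience;
        if (audience.startsWith("/")) {
            logger.trace("Audience was provided in non URL encoded form, encoding it");
            encodedAudience = urlEncode(audience);
        } else {
            encodedAudience = audience;
        }
        params.put("audience", Arrays.asList(encodedAudience));

        if (permissions != null && !permissions.isEmpty()) {
            List<String> encodedPermissions = permissions.stream()
                    .map(OpenIdConnectRESTHelperExtended::urlEncode)
                    .collect(Collectors.toList());
            params.put("permission", encodedPermissions);
        }

        // No Authorization header: the client authenticates through client_id/client_secret in the body.
        return performQueryTokenWithPOST(tokenUrl, null, params);
    }

    /**
     * URL-encodes a single form value with {@link #FORM_CHARSET}.
     * <p>
     * Replaces the previous pattern of logging (or silently returning {@code ""} for) an
     * {@link UnsupportedEncodingException}: UTF-8 is mandatory for every JVM, so the exception cannot occur on a
     * conforming runtime and must not be swallowed if it ever does.
     *
     * @param value the raw value to encode
     * @return the URL-encoded value
     * @throws IllegalStateException if the runtime does not support UTF-8
     */
    private static String urlEncode(String value) {
        try {
            return URLEncoder.encode(value, FORM_CHARSET);
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("Cannot URL encode value: charset " + FORM_CHARSET + " unsupported", e);
        }
    }
}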