OAuth2CodeGrantFlow.java
/*
* Copyright (c) 2013, 2018 Oracle and/or its affiliates. All rights reserved.
*
* This program and the accompanying materials are made available under the
* terms of the Eclipse Public License v. 2.0, which is available at
* http://www.eclipse.org/legal/epl-2.0.
*
* This Source Code may also be made available under the following Secondary
* Licenses when the conditions for such availability set forth in the
* Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
* version 2 with the GNU Classpath Exception, which is available at
* https://www.gnu.org/software/classpath/license.html.
*
* SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
*/
package org.glassfish.jersey.client.oauth2;
import java.util.Map;
import javax.ws.rs.client.Client;
import javax.ws.rs.core.Feature;
/**
* The interface that defines OAuth 2 Authorization Code Grant Flow.
* <p>
* The implementation of this interface is capable of performing of the user
* authorization defined in the OAuth2 specification as "Authorization Code Grant Flow" (OAuth 2 spec defines more
* Authorization Flows). The result of the authorization
* is the {@link TokenResult}. The implementation starts the authorization process by construction of a redirect URI
* to which the user should
* be redirected (the URI points to authorization consent page hosted by Service Provider). The user
* grants an access using this page. Service Provider redirects the user back to the
* our server and the authorization process is finished using the same instance of the interface implementation.
* </p>
* <p>
* To perform the authorization follow these steps:
* <list>
* <li>Get the instance of this interface using {@link OAuth2ClientSupport}.</li>
* <li>Call {@link #start()} method. The method returns redirection uri as a String.</li>
* <li>Redirect the user to the redirect URI returned from the {@code start} method. If your application deployment
* does not allow redirection (for example the app is a console application), then provide the redirection URI
* to the user in other ways.</li>
* <li>User should authorize your application on the redirect URI.</li>
* <li>After authorization the Authorization Server redirects the user back to the URI specified
* by {@link OAuth2CodeGrantFlow.Builder#redirectUri(String)} and provide the {@code code} and {@code state} as
* a request query parameter. Extract these parameter from the request. If your deployment does not support
* redirection (your app is not a web server) then Authorization Server will provide the user with
* {@code code} in other ways (for example display on the html page). You need to get
* this code from the user. The {@code state} parameter is added to the redirect URI in the {@code start} method and
* and the same parameter should be returned from the authorization response as a protection against CSRF attacks.</li>
* <li>Use the {@code code} and {@code state} to finish the authorization process by calling the method
* {@link #finish(String, String)} supplying the {@code code} and the {@code state} parameter. The method will internally request
* the access token from the Authorization Server and return it.</li>
* <li>You can use access token from {@code TokenResult} together with {@link ClientIdentifier} to
* perform the authenticated requests to the Service Provider. You can also call
* methods {@link #getAuthorizedClient()} to get {@link Client client} already configured with support
* for authentication from consumer credentials and access token received during authorization process.
* </li>
* </list>
* </p>
* <p>
* Important note: one instance of the interface can be used only for one authorization process. The methods
* must be called exactly in the order specified by the list above. Therefore the instance is also not
* thread safe and no concurrent access is expected.
* </p>
* <p>
* Instance must be stored between method calls (between {@code start} and {@code finish})
* for one user authorization process as the instance keeps
* internal state of the authorization process.
* </p>
*
* @author Miroslav Fuksa
* @since 2.3
*/
public interface OAuth2CodeGrantFlow {
/**
* Start the authorization process and return redirection URI on which the user should give a consent
* for our application to access resources.
*
* @return URI to which user should be redirected.
*/
String start();
/**
* Finish the authorization process and return the {@link TokenResult}. The method must be called on the
* same instance after the {@link #start()} method was called and user granted access to this application.
* <p>
* The method makes a request to the Authorization Server in order to exchange {@code code} for access token.
* </p>
* @param code Code received from the user authorization process.
* @param state State received from the user authorization response.
* @return Token result.
*/
TokenResult finish(String code, String state);
/**
* Refresh the access token using a refresh token. This method can be called on newly created instance or on
* instance on which the authorization flow was already performed.
*
* @param refreshToken Refresh token.
* @return Token result.
*/
TokenResult refreshAccessToken(String refreshToken);
/**
* Return the client configured for performing authorized requests to the Service Provider. The
* authorization process must be successfully finished by instance by calling methods {@link #start()} and
* {@link #finish(String, String)}.
*
* @return Client configured to add correct {@code Authorization} header to requests.
*/
public Client getAuthorizedClient();
/**
* Return the {@link Feature oauth filter feature} that can be used to configure
* {@link Client client} instances to perform authenticated requests to the Service Provider.
* <p>
* The
* authorization process must be successfully finished by instance by calling methods {@link #start()} and
* {@link #finish(String, String)}.
* </p>
*
* @return oauth filter feature configured with received {@code AccessToken}.
*/
public Feature getOAuth2Feature();
/**
* Phase of the Authorization Code Grant Flow.
*/
enum Phase {
/**
* Authorization phase. The phase when user is redirected to the authorization server to authorize
* the application.
*/
AUTHORIZATION {
@Override
public void property(String key, String value, Map<String, String> authorizationProps,
Map<String, String> accessTokenProps, Map<String, String> refreshTokenProps) {
nonNullProperty(key, value, authorizationProps);
}
},
/**
* Requesting the access token phase.
*/
ACCESS_TOKEN_REQUEST {
@Override
public void property(String key,
String value,
Map<String, String> authorizationProps,
Map<String, String> accessTokenProps,
Map<String, String> refreshTokenProps) {
nonNullProperty(key, value, accessTokenProps);
}
},
/**
* Refreshing the access token phase.
*/
REFRESH_ACCESS_TOKEN {
@Override
public void property(String key,
String value,
Map<String, String> authorizationProps,
Map<String, String> accessTokenProps,
Map<String, String> refreshTokenProps) {
nonNullProperty(key, value, refreshTokenProps);
}
},
/**
* All phases.
*/
ALL {
@Override
public void property(String key,
String value,
Map<String, String> authorizationProps,
Map<String, String> accessTokenProps,
Map<String, String> refreshTokenProps) {
nonNullProperty(key, value, authorizationProps);
nonNullProperty(key, value, accessTokenProps);
nonNullProperty(key, value, refreshTokenProps);
}
};
/**
* Set property defined by {@code key} and {@code value} to the appropriate
* property map based on this phase.
* @param key Property key.
* @param value Property value.
* @param authorizationProps Properties used in construction of redirect URI.
* @param accessTokenProps Properties (parameters) used in access token request.
* @param refreshTokenProps Properties (parameters) used in request for refreshing the access token.
*/
public abstract void property(String key, String value,
Map<String, String> authorizationProps,
Map<String, String> accessTokenProps,
Map<String, String> refreshTokenProps);
private static void nonNullProperty(String key, String value, Map<String, String> props) {
if (value == null) {
props.remove(key);
} else {
props.put(key, value);
}
}
}
/**
* The builder of {@link OAuth2CodeGrantFlow}.
*
* @param <T> Type of the builder implementation. This parameter is used for convenience to allow
* better implementations of the builders implementing this interface (builder can return
* their own specific type instead of type defined by this interface only).
*/
public interface Builder<T extends Builder> {
/**
* Set the access token URI on which the access token can be requested. The URI points to the
* authorization server and is defined by the Service Provider.
*
* @param accessTokenUri Access token URI.
* @return Builder instance.
*/
T accessTokenUri(String accessTokenUri);
/**
* Set the URI to which the user should be redirected to authorize our application. The URI points to the
* authorization server and is defined by the Service Provider.
*
* @param authorizationUri Authorization URI.
* @return Builder instance.
*/
T authorizationUri(String authorizationUri);
/**
* Set the redirect URI to which the user (resource owner) should be redirected after he/she
* grants access to our application. In most cases, the URI is under control of this application
* and request done on this URI will be used to extract query parameter {@code code} and {@code state}
* that will be used in
* {@link OAuth2CodeGrantFlow#finish(String, String)} method.
* <p>
* If URI is not defined by this method, the default value {@code urn:ietf:wg:oauth:2.0:oob} will be used
* in the Authorization
* Flow which should cause that {@code code} will be passed to application in other way than request
* redirection (for example shown to the user using html page).
* </p>
*
* @param redirectUri URI that should receive authorization response from the Service Provider.
* @return Builder instance.
*/
T redirectUri(String redirectUri);
/**
* Set client identifier of the application that should be authorized.
*
* @param clientIdentifier Client identifier.
* @return Builder instance.
*/
T clientIdentifier(ClientIdentifier clientIdentifier);
/**
* Set a scope to which the application will get authorization grant. Values of this parameter
* are defined by the Service Provider and defines usually subset of resource and operations available
* in the Service Provider.
* <p>
* The parameter is optional but ServiceProvider might require it.
* </p>
*
* @param scope Scope string.
* @return Builder instance.
*/
T scope(String scope);
/**
* Set the client that should be used internally by the {@code OAuth1AuthorizationFlow} to make requests to
* Authorization Server. If this method is not called, it is up to the implementation to create or get
* any private client instance to perform these requests. This method could be used mainly for
* performance reasons to avoid creation of new client instances and have control about created client
* instances used in the application.
*
* @param client Client instance.
* @return Builder instance.
*/
T client(Client client);
/**
* Set the refresh token URI on which the access token can be refreshed using a refresh token.
* The URI points to the
* authorization server and is defined by the Service Provider. If the URI is not defined by this method
* it will be the same as URI defined in {@link #accessTokenUri(String)} (which is the default value
* defined by the OAuth2 spec).
* Some providers do not support
* refreshing access tokens at all.
*
* @param refreshTokenUri Refresh token URI.
* @return Builder instance.
*/
T refreshTokenUri(String refreshTokenUri);
/**
* Set property (parameter) that will be added to requests or URIs as a query parameters during
* the Authorization Flow. Default parameters used during the Authorization Flow can be also
* overridden by this method.
*
* @param phase Phase of the flow in which the properties (parameters) should be used. For example by using
* a {@link Phase#ACCESS_TOKEN_REQUEST}, the parameter will be added only to the http request
* for access token.
* @param key Property key.
* @param value Property value.
* @return Builder instance.
*/
T property(Phase phase, String key, String value);
/**
* Build the {@code OAuth2CodeGrantFlow} instance.
*
* @return New instance of {@code OAuth2CodeGrantFlow}.
*/
OAuth2CodeGrantFlow build();
}
}