Java tutorial
package org.springframework.security.oauth2.client.token.grant.implicit; import java.io.IOException; import java.net.URI; import java.util.Collections; import java.util.Iterator; import java.util.List; import org.springframework.http.HttpHeaders; import org.springframework.http.client.ClientHttpResponse; import org.springframework.security.access.AccessDeniedException; import org.springframework.security.oauth2.client.resource.OAuth2AccessDeniedException; import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails; import org.springframework.security.oauth2.client.resource.UserRedirectRequiredException; import org.springframework.security.oauth2.client.token.AccessTokenProvider; import org.springframework.security.oauth2.client.token.AccessTokenRequest; import org.springframework.security.oauth2.client.token.DefaultAccessTokenRequest; import org.springframework.security.oauth2.client.token.OAuth2AccessTokenSupport; import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken; import org.springframework.security.oauth2.common.OAuth2AccessToken; import org.springframework.security.oauth2.common.OAuth2RefreshToken; import org.springframework.security.oauth2.common.util.OAuth2Utils; import org.springframework.util.LinkedMultiValueMap; import org.springframework.util.MultiValueMap; import org.springframework.web.client.ResponseExtractor; /** * Provider for obtaining an oauth2 access token by using implicit grant. Normally the implicit grant is used by script * clients in a browser or device, but it can also be useful for native clients generally, so if those clients were * written in Java this would be a nice convenience. Web application clients are also a possiblity, although the * authorization code grant type is probably more common there, and requires no special customizations on the * authorization server. Callers add any additional form parameters they need to the {@link DefaultAccessTokenRequest} * and these will be passed onto the authorization endpoint on the server. The server then has to interpret those * parameters, together with any other information available (e.g. from a cookie), and decide if a user can be * authenticated and if the user has approved the grant of the access token. Only if those two conditions are met should * an access token be available through this provider. * * @author Dave Syer */ public class ImplicitAccessTokenProvider extends OAuth2AccessTokenSupport implements AccessTokenProvider { public boolean supportsResource(OAuth2ProtectedResourceDetails resource) { return resource instanceof ImplicitResourceDetails && "implicit".equals(resource.getGrantType()); } public boolean supportsRefresh(OAuth2ProtectedResourceDetails resource) { return false; } public OAuth2AccessToken refreshAccessToken(OAuth2ProtectedResourceDetails resource, OAuth2RefreshToken refreshToken, AccessTokenRequest request) throws UserRedirectRequiredException { return null; } public OAuth2AccessToken obtainAccessToken(OAuth2ProtectedResourceDetails details, AccessTokenRequest request) throws UserRedirectRequiredException, AccessDeniedException, OAuth2AccessDeniedException { ImplicitResourceDetails resource = (ImplicitResourceDetails) details; try { // We can assume here that the request contains all the parameters needed for authentication etc. OAuth2AccessToken token = retrieveToken(request, resource, getParametersForTokenRequest(resource, request), getHeadersForTokenRequest(request)); if (token == null) { // Probably an authenticated request, but approval is required. TODO: prompt somehow? throw new UserRedirectRequiredException(resource.getUserAuthorizationUri(), request.toSingleValueMap()); } return token; } catch (UserRedirectRequiredException e) { // ... but if it doesn't then capture the request parameters for the redirect throw new UserRedirectRequiredException(e.getRedirectUri(), request.toSingleValueMap()); } } @Override protected ResponseExtractor<OAuth2AccessToken> getResponseExtractor() { return new ImplicitResponseExtractor(); } private HttpHeaders getHeadersForTokenRequest(AccessTokenRequest request) { HttpHeaders headers = new HttpHeaders(); headers.putAll(request.getHeaders()); if (request.getCookie() != null) { headers.set("Cookie", request.getCookie()); } return headers; } private MultiValueMap<String, String> getParametersForTokenRequest(ImplicitResourceDetails resource, AccessTokenRequest request) { MultiValueMap<String, String> form = new LinkedMultiValueMap<String, String>(); form.set("response_type", "token"); form.set("client_id", resource.getClientId()); if (resource.isScoped()) { StringBuilder builder = new StringBuilder(); List<String> scope = resource.getScope(); if (scope != null) { Iterator<String> scopeIt = scope.iterator(); while (scopeIt.hasNext()) { builder.append(scopeIt.next()); if (scopeIt.hasNext()) { builder.append(' '); } } } form.set("scope", builder.toString()); } for (String key : request.keySet()) { form.put(key, request.get(key)); } String redirectUri = resource.getRedirectUri(request); if (redirectUri == null) { throw new IllegalStateException("No redirect URI available in request"); } form.set("redirect_uri", redirectUri); return form; } private final class ImplicitResponseExtractor implements ResponseExtractor<OAuth2AccessToken> { public OAuth2AccessToken extractData(ClientHttpResponse response) throws IOException { // TODO: this should actually be a 401 if the request asked for JSON URI location = response.getHeaders().getLocation(); if (location == null) { return null; } String fragment = location.getFragment(); OAuth2AccessToken accessToken = DefaultOAuth2AccessToken.valueOf(OAuth2Utils.extractMap(fragment)); if (accessToken.getValue() == null) { throw new UserRedirectRequiredException(location.toString(), Collections.<String, String>emptyMap()); } return accessToken; } } }