
  • Oauth modify scope before access_confirmation page

    Folks:

    Is it possible to hijack the AuthorizationRequest object to modify the Scopes before the user gets a chance for approval? Objective is to determine if those requested scopes are approved and if not, show the ones that are approved on the access confirmation page.

  • #2
    It is the weekend. Maybe it is reasonable to expect less traffic out of working hours?



    • #3
      Originally posted by deanclkclk
      Is it possible to hijack the AuthorizationRequest object to modify the Scopes before the user gets a chance for approval?
      UserApprovalHandler and/or AuthorizationRequestManager would be the normal places to start.

      Note that the 1.0 code does not contain an abstraction that represents individual approvals per scope, but that should be coming in 1.1. In the meantime I know of more than one implementation that adds this abstraction to 1.0 as customizations of the two strategies above (and possibly AuthorizationServerTokenServices as well), so it's not a huge amount of work.



      • #4
        Thanks for the reply Dave Syer.

        I looked at the UserApprovalHandler, specifically TokenServicesUserApprovalHandler. I saw it had a method updateBeforeApproval but this signature does not exist on "UserApprovalHandler" on my local Spring. I've searched everywhere for AuthorizationRequestManager but am not seeing any documentation on this online. Also, I am using 1.0 Spring. It would be lovely to use the UserApprovalHandler->updateBeforeApproval but it seems (based on what I read online) the TokenServicesUserApprovalHandler only gets invoked when the user already has a token and is being consulted when they are not going through the OAuth process; I could be wrong, can you confirm? I would want the updateBeforeApproval method to be invoked when tokens are newly generated or not. But, again, I am not seeing any updateBeforeApproval method signature in the UserApprovalHandler interface locally.

        Originally posted by Dave Syer
        UserApprovalHandler and/or AuthorizationRequestManager would be the normal places to start.

        Note that the 1.0 code does not contain an abstraction that represents individual approvals per scope, but that should be coming in 1.1. In the meantime I know of more than one implementation that adds this abstraction to 1.0 as customizations of the two strategies above (and possibly AuthorizationServerTokenServices as well), so it's not a huge amount of work.
        Last edited by deanclkclk; Jul 15th, 2013, 11:11 AM.



        • #5
          Originally posted by Dave Syer
          UserApprovalHandler and/or AuthorizationRequestManager would be the normal places to start.

          Note that the 1.0 code does not contain an abstraction that represents individual approvals per scope, but that should be coming in 1.1. In the meantime I know of more than one implementation that adds this abstraction to 1.0 as customizations of the two strategies above (and possibly AuthorizationServerTokenServices as well), so it's not a huge amount of work.
          Also, when I mean modify before the user gets the chance of approval, I am also referring to the oauth/confirm_access page. It lists the scope the app is requesting to the user. I want to only list the approved scope there and this will necessitate updating the scopes in the AuthorizationRequest object.

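An added illustration of the scope narrowing asked about in this thread; it is not part of any post and is not Spring Security OAuth code. `AuthRequest`, `PERMITTED`, `narrowBeforeApproval` and `grantedScope` are hypothetical stand-ins; in the project, the same logic would sit in a custom `UserApprovalHandler` or `AuthorizationRequestManager`, as suggested in reply #3.

```java
import java.util.*;

// Stand-in types for illustration only; these are NOT the Spring Security OAuth classes.
public class ScopeNarrowingExample {

    /** Hypothetical, immutable stand-in for an authorization request. */
    static final class AuthRequest {
        final String clientId;
        final Set<String> scope;
        AuthRequest(String clientId, Set<String> scope) {
            this.clientId = clientId;
            this.scope = Collections.unmodifiableSet(new LinkedHashSet<>(scope));
        }
    }

    /** Hypothetical policy store (constructed sample data): scopes each client may be granted. */
    static final Map<String, Set<String>> PERMITTED = new HashMap<>();
    static {
        PERMITTED.put("photo-app", new HashSet<>(Arrays.asList("read", "profile")));
    }

    /** Runs before the confirmation page is rendered: keep only requested scopes that policy permits. */
    static AuthRequest narrowBeforeApproval(AuthRequest request) {
        Set<String> narrowed = new LinkedHashSet<>(request.scope);
        narrowed.retainAll(PERMITTED.getOrDefault(request.clientId, Collections.<String>emptySet()));
        if (narrowed.isEmpty()) {
            // Fail closed: an unknown client or a fully disallowed request never reaches the user.
            throw new IllegalArgumentException("no permitted scope for client " + request.clientId);
        }
        return new AuthRequest(request.clientId, narrowed);
    }

    /** Runs after the user submits the page: the grant can never exceed what was displayed. */
    static Set<String> grantedScope(AuthRequest shown, Set<String> userApproved) {
        Set<String> granted = new LinkedHashSet<>(shown.scope);
        granted.retainAll(userApproved); // drops anything injected into the form post
        return granted;
    }

    public static void main(String[] args) {
        AuthRequest incoming = new AuthRequest("photo-app",
                new LinkedHashSet<>(Arrays.asList("read", "write", "profile")));
        AuthRequest shown = narrowBeforeApproval(incoming);
        // Constructed form submission: the user ticks "read"; "write" is a tampered extra value.
        Set<String> approved = new HashSet<>(Arrays.asList("read", "write"));
        System.out.println("requested: " + incoming.scope);
        System.out.println("shown on confirmation page: " + shown.scope);
        System.out.println("granted: " + grantedScope(shown, approved));
    }
}
```

The narrowed request, not the original one, is what both the confirmation page and the token issuance step should read from.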


          • #6
            I'm not sure what version you are using, but the one that is current is 1.0.5, and it lives in Github: https://github.com/SpringSource/spring-security-oauth. Read the docs there for more information and study the samples.

            Originally posted by deanclkclk
            Thanks for the reply Dave Syer.
            I looked at the UserApprovalHandler, specifically TokenServicesUserApprovalHandler. I saw it had a method updateBeforeApproval but this signature does not exist on "UserApprovalHandler" on my local Spring.
            https://github.com/SpringSource/spri...ndler.java#L26

            I've searched everywhere for AuthorizationRequestManager but am not seeing any documentation on this online.
            https://github.com/SpringSource/spri...stManager.java



            • #7
              Thanks again Dave:

              So, for the bean configuration of the AuthorizationRequestManager: when I override the DefaultAuthorizationRequestManager, should I just create the bean and Spring will inject it into the container bean, or do I need to set it to some other bean's property? I checked my .xml configuration and I'm not seeing a bean defined for AuthorizationRequestManager (maybe a default is being used and does not necessitate a bean declaration).
              Last edited by deanclkclk; Jul 16th, 2013, 07:44 PM.



              • #8
                Hi Again Dave:

                I decided to use the UserApprovalHandler. There is a TokenServiceApprovalHandler being used by my project. When I check the source for UserApprovalHandler, this is it http://pastie.org/8147582. As you can see, there is no method signature for updateBeforeApproval. Hence, the TokenServiceApprovalHandler does not implement it either. This is the pastie for the TokenServiceApprovalHandler from my source http://pastie.org/8147598



                • #9
                  What version are you using and where did you get the code from? Git log shows that method being added in October 2012. You should be using 1.0.* and (apart from 1.0.5, but I'll fix that today) they are all in Maven Central, plus you can get the code from github: https://github.com/SpringSource/spring-security-oauth.



                  • #10
                    Originally posted by Dave Syer
                    What version are you using and where did you get the code from? Git log shows that method being added in October 2012. You should be using 1.0.* and (apart from 1.0.5, but I'll fix that today) they are all in Maven Central, plus you can get the code from github: https://github.com/SpringSource/spring-security-oauth.

                    This was of much help, Dave. Thanks a lot for the reply. So, I got to update to 1.0.2.Release, which has those method definitions, but I realize that between 1.0.0.M6 and 1.0.2.RELEASE there are a lot of deprecated classes. For example, what is being used in 1.0.2 for the OAuth2ProtectedResourceFilter?



                    • #11
                      Never mind Dave, I found the answer. The new class is Oauth2AuthenticationProcessFilter. Thanks a lot, and this can be marked as resolved.



                      • #12
                        Hey Dave:

                        One last issue on this thread. In my older 1.0.0 spring security oauth, I saw that there was a static method Oauth2AccessToken.valueOf. I am upgrading my code base and I was looking into the 1.0.2 package for a valueOf and not seeing it. Know of anything that is used to replace this method?

                        Thanks Again



                        • #13
                          org.springframework.security.oauth2.common.DefaultOAuth2AccessToken.valueOf(Map<String, String>) ?



                          • #14
                            Originally posted by Dave Syer
                            org.springframework.security.oauth2.common.DefaultOAuth2AccessToken.valueOf(Map<String, String>) ?
                            Perfect! Thanks again Dave.



                            • #15
                              Hey Dave:

                              What replaces org.springframework.security.oauth2.provider.filter.Oauth2ExceptionHandlerFilter in 1.0.x? This is being used in my springSecurityFilterChain <security:filter-chain-map><security:filter-chain pattern="/**" filters="Ouath2ExceptionHandlerFilter".....this is under spring-security-oauth 1.0.0 and again, I am trying to upgrade.
                              Last edited by deanclkclk; Jul 26th, 2013, 02:08 PM.
