From: sergeyb@apache.org To: commits@cxf.apache.org Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: cxf git commit: [CXF-6753] OAuth2 audience related changes, more likely to follow Date: Thu, 21 Jan 2016 13:07:20 +0000 (UTC) Repository: cxf Updated Branches: refs/heads/3.1.x-fixes e0b56c9e6 -> 73cce96fa [CXF-6753] OAuth2 audience related changes, more likely to follow Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/73cce96f Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/73cce96f Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/73cce96f Branch: refs/heads/3.1.x-fixes Commit: 73cce96fa123c8a4245269157692fb6f596dfc9b Parents: e0b56c9 Author: Sergey Beryozkin Authored: Thu Jan 21 13:02:09 2016 +0000 Committer: Sergey Beryozkin Committed: Thu Jan 21 13:07:00 2016 +0000 ---------------------------------------------------------------------- .../oauth2/common/AccessTokenRegistration.java | 13 +++-- .../oauth2/common/AccessTokenValidation.java | 20 ++++---- .../rs/security/oauth2/common/OAuthContext.java | 12 ++--- .../oauth2/common/ServerAccessToken.java | 14 +++--- .../oauth2/common/TokenIntrospection.java | 7 +-- .../filters/AccessTokenIntrospectionClient.java | 2 +- .../oauth2/filters/OAuthRequestFilter.java | 52 +++++++++++++++----- .../oauth2/grants/AbstractGrantHandler.java | 34 +++++++++---- .../code/AuthorizationCodeGrantHandler.java | 30 ++++++++--- .../code/ServerAuthorizationCodeGrant.java | 9 ---- .../provider/AbstractOAuthDataProvider.java | 6 +-- .../oauth2/provider/OAuthJSONProvider.java | 35 +++++++++++-- .../services/AbstractAccessTokenValidator.java | 19 +------ .../services/AbstractImplicitGrantService.java | 3 +- .../oauth2/services/AccessTokenService.java | 31 ++---------- .../services/RedirectionBasedGrantService.java | 8 ++- .../services/TokenIntrospectionService.java | 5 +- .../rs/security/oauth2/utils/OAuthUtils.java | 12 ++++- 
.../utils/crypto/ModelEncryptionSupport.java | 4 +- .../oauth2/utils/crypto/CryptoUtilsTest.java | 4 +- .../utils/crypto/EncryptingDataProvider.java | 2 +- 21 files changed, 186 insertions(+), 136 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenRegistration.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenRegistration.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenRegistration.java index db443da..a4a4a2c 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenRegistration.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenRegistration.java @@ -30,7 +30,7 @@ public class AccessTokenRegistration { private List approvedScope = new LinkedList(); private String grantType; private UserSubject subject; - private String audience; + private List audiences = new LinkedList(); private String nonce; private String clientCodeVerifier; @@ -115,14 +115,14 @@ public class AccessTokenRegistration { return grantType; } - public String getAudience() { - return audience; + public List getAudiences() { + return audiences; } - public void setAudience(String audience) { - this.audience = audience; + public void setAudiences(List audiences) { + this.audiences = audiences; } - + public String getClientCodeVerifier() { return clientCodeVerifier; } 
@@ -138,5 +138,4 @@ public class AccessTokenRegistration { public void setNonce(String nonce) { this.nonce = nonce; } - } http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java index 508b37f..6a33e2b 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java @@ -55,7 +55,7 @@ public class AccessTokenValidation { private long tokenLifetime; private UserSubject tokenSubject; private List tokenScopes = new LinkedList(); - private String audience; + private List audiences = new LinkedList(); private String clientCodeVerifier; private Map extraProps = new HashMap(); @@ -76,7 +76,7 @@ public class AccessTokenValidation { this.tokenSubject = token.getSubject(); this.tokenScopes = token.getScopes(); - this.audience = token.getAudience(); + this.setAudiences(token.getAudiences()); this.clientCodeVerifier = token.getClientCodeVerifier(); } @@ -137,14 +137,6 @@ public class AccessTokenValidation { this.tokenType = tokenType; } - public String getAudience() { - return audience; - } - - public void setAudience(String audience) { - this.audience = audience; - } - public String getClientIpAddress() { return clientIpAddress; } 
@@ -183,5 +175,13 @@ public class AccessTokenValidation { public void setInitialValidationSuccessful(boolean localValidationSuccessful) { this.initialValidationSuccessful = localValidationSuccessful; } + + public List getAudiences() { + return audiences; + } + + public void setAudiences(List audiences) { + this.audiences = audiences; + } } http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java index 492ca25..6e83e08 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java @@ -35,7 +35,7 @@ public class OAuthContext { private String clientId; private boolean isClientConfidential; private String tokenKey; - private String tokenAudience; + private List tokenAudiences; private String[] tokenRequestParts; public OAuthContext(UserSubject resourceOwnerSubject, 
@@ -113,14 +113,14 @@ public class OAuthContext { this.tokenKey = tokenKey; } - public String getTokenAudience() { - return tokenAudience; + public List getTokenAudiences() { + return tokenAudiences; } - public void setTokenAudience(String tokenAudience) { - this.tokenAudience = tokenAudience; + public void setTokenAudiences(List audiences) { + this.tokenAudiences = audiences; } - + public String[] getTokenRequestParts() { return tokenRequestParts; } http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java index 7c64a51..89220f3 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java @@ -35,7 +35,7 @@ public abstract class ServerAccessToken extends AccessToken { private Client client; private List scopes = new LinkedList(); private UserSubject subject; - private String audience; + private List audiences = new LinkedList(); private String clientCodeVerifier; private String nonce; @@ -69,7 +69,7 @@ public abstract class ServerAccessToken extends AccessToken { this.client = token.getClient(); this.grantType = token.getGrantType(); this.scopes = token.getScopes(); - this.audience = token.getAudience(); + this.audiences = token.getAudiences(); this.subject = token.getSubject(); } 
@@ -137,14 +137,14 @@ public abstract class ServerAccessToken extends AccessToken { return grantType; } - public String getAudience() { - return audience; + public List getAudiences() { + return audiences; } - public void setAudience(String audience) { - this.audience = audience; + public void setAudiences(List audiences) { + this.audiences = audiences; } - + protected static ServerAccessToken validateTokenType(ServerAccessToken token, String expectedType) { if (!token.getTokenType().equals(expectedType)) { throw new OAuthServiceException(OAuthConstants.SERVER_ERROR); http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/TokenIntrospection.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/TokenIntrospection.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/TokenIntrospection.java index 4e3911f..1a172a9 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/TokenIntrospection.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/TokenIntrospection.java @@ -19,6 +19,7 @@ package org.apache.cxf.rs.security.oauth2.common; import java.util.HashMap; +import java.util.List; import java.util.Map; // RFC 7622 Introspection Response @@ -32,7 +33,7 @@ public class TokenIntrospection { private Long exp; private Long nbf; private String sub; - private String aud; + private List aud; private String iss; private String jti; 
@@ -100,10 +101,10 @@ public class TokenIntrospection { public void setSub(String sub) { this.sub = sub; } - public String getAud() { + public List getAud() { return aud; } - public void setAud(String aud) { + public void setAud(List aud) { this.aud = aud; } public String getIss() { http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java index c730c9c..0b1a267 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java @@ -68,7 +68,7 @@ public class AccessTokenIntrospectionClient implements AccessTokenValidator { atv.setClientId(response.getClientId()); atv.setTokenIssuedAt(response.getIat()); atv.setTokenLifetime(response.getExp() - response.getIat()); - atv.setAudience(response.getAud()); + atv.setAudiences(response.getAud()); if (response.getScope() != null) { String[] scopes = response.getScope().split(" "); List perms = new LinkedList(); http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java ---------------------------------------------------------------------- 
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java index 3963a1f..498dd02 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java @@ -38,6 +38,7 @@ import javax.ws.rs.ext.Provider; import org.apache.cxf.common.logging.LogUtils; import org.apache.cxf.common.security.SimplePrincipal; +import org.apache.cxf.common.util.StringUtils; import org.apache.cxf.jaxrs.provider.FormEncodingProvider; import org.apache.cxf.jaxrs.utils.ExceptionUtils; import org.apache.cxf.jaxrs.utils.FormUtils; @@ -68,7 +69,9 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator private static final Logger LOG = LogUtils.getL7dLogger(OAuthRequestFilter.class); private boolean useUserSubject; - private boolean audienceIsEndpointAddress; + private String audience; + private boolean completeAudienceMatch; + private boolean checkFormData; private List requiredScopes = Collections.emptyList(); private boolean allPermissionsMatch; @@ -98,6 +101,10 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator if (!accessTokenV.isInitialValidationSuccessful()) { throw ExceptionUtils.toNotAuthorizedException(null, null); } + // Check audiences + if (!validateAudiences(accessTokenV.getAudiences())) { + AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm); + } // Find the scopes which match the current request List permissions = accessTokenV.getTokenScopes(); 
@@ -155,7 +162,7 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator oauthContext.setClientId(accessTokenV.getClientId()); oauthContext.setClientConfidential(accessTokenV.isClientConfidential()); oauthContext.setTokenKey(accessTokenV.getTokenKey()); - oauthContext.setTokenAudience(accessTokenV.getAudience()); + oauthContext.setTokenAudiences(accessTokenV.getAudiences()); oauthContext.setTokenRequestParts(authParts); m.setContent(OAuthContext.class, oauthContext); } @@ -234,21 +241,24 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator return MessageUtils.isTrue(m.get("local_preflight")); } - protected boolean validateAudience(String audience) { - if (audience == null) { + protected boolean validateAudiences(List audiences) { + if (StringUtils.isEmpty(audiences) && audience == null) { return true; } + if (audience != null) { + return audiences.contains(audience); + } - boolean isValid = super.validateAudience(audience); - if (isValid && audienceIsEndpointAddress) { - String requestPath = (String)PhaseInterceptorChain.getCurrentMessage().get(Message.REQUEST_URL); - isValid = requestPath.startsWith(audience); + boolean matched = false; + String requestPath = (String)PhaseInterceptorChain.getCurrentMessage().get(Message.REQUEST_URL); + for (String s : audiences) { + matched = completeAudienceMatch ? requestPath.equals(s) : requestPath.startsWith(s); + if (matched) { + break; + } } - return isValid; - } - - public void setAudienceIsEndpointAddress(boolean audienceIsEndpointAddress) { - this.audienceIsEndpointAddress = audienceIsEndpointAddress; + return matched; + } public void setCheckFormData(boolean checkFormData) { 
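Review bot: `audiences.contains(audience)` in the new validateAudiences dereferences the list without a null check, but the list can be null: AccessTokenValidation.setAudiences is fed straight from token.getAudiences() and, in AccessTokenIntrospectionClient, from TokenIntrospection.getAud(), which has no default initializer, so a token without an audience on a filter with a configured audience ends in a NullPointerException rather than the authorization failure the caller on the previous hunk expects; requestPath, read from Message.REQUEST_URL, is dereferenced in the loop the same way. Replacing the first guard with `if (audiences == null || audiences.isEmpty()) { return audience == null; }` keeps the existing outcomes and removes the null path. A second point on the loop: `requestPath.startsWith(s)` is a plain string-prefix test, so a token audience of `https://host/api` also satisfies a request to `https://host/api-admin`; unless completeAudienceMatch is set the prefix should be required to end at a path boundary (next character `/` or end of string). The switch from the old audienceIsEndpointAddress flag also means that, with no audience configured, any token carrying audiences is now matched against the request URL by default, which deserves a Javadoc line on setAudience/setCompleteAudienceMatch.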
@@ -299,5 +309,21 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator public void setTokenSubjectAuthenticationMethod(AuthenticationMethod method) { this.am = method; } + + public String getAudience() { + return audience; + } + + public void setAudience(String audience) { + this.audience = audience; + } + + public boolean isCompleteAudienceMatch() { + return completeAudienceMatch; + } + + public void setCompleteAudienceMatch(boolean completeAudienceMatch) { + this.completeAudienceMatch = completeAudienceMatch; + } } http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java index c3c34af..fe57233 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java @@ -100,7 +100,7 @@ public abstract class AbstractGrantHandler implements AccessTokenGrantHandler { return doCreateAccessToken(client, subject, OAuthUtils.parseScope(params.getFirst(OAuthConstants.SCOPE)), - params.getFirst(OAuthConstants.CLIENT_AUDIENCE)); + getAudiences(client, params.getFirst(OAuthConstants.CLIENT_AUDIENCE))); } protected ServerAccessToken doCreateAccessToken(Client client, 
@@ -113,10 +113,10 @@ public abstract class AbstractGrantHandler implements AccessTokenGrantHandler { protected ServerAccessToken doCreateAccessToken(Client client, UserSubject subject, List requestedScopes, - String audience) { + List audiences) { return doCreateAccessToken(client, subject, getSingleGrantType(), requestedScopes, - audience); + audiences); } protected ServerAccessToken doCreateAccessToken(Client client, @@ -130,9 +130,9 @@ public abstract class AbstractGrantHandler implements AccessTokenGrantHandler { UserSubject subject, String requestedGrant, List requestedScopes, - String audience) { + List audiences) { ServerAccessToken token = getPreAuthorizedToken(client, subject, requestedGrant, - requestedScopes, audience); + requestedScopes, audiences); if (token != null) { return token; } @@ -143,9 +143,9 @@ public abstract class AbstractGrantHandler implements AccessTokenGrantHandler { reg.setGrantType(requestedGrant); reg.setSubject(subject); reg.setRequestedScope(requestedScopes); - List approvedScopes = Collections.emptyList(); - reg.setApprovedScope(approvedScopes); - reg.setAudience(audience); + List scopes = Collections.emptyList(); + reg.setApprovedScope(scopes); + reg.setAudiences(audiences); return dataProvider.createAccessToken(reg); } @@ -153,12 +153,12 @@ public abstract class AbstractGrantHandler implements AccessTokenGrantHandler { UserSubject subject, String requestedGrant, List requestedScopes, - String audience) { + List audiences) { if (!OAuthUtils.validateScopes(requestedScopes, client.getRegisteredScopes(), partialMatchScopeValidation)) { throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_SCOPE)); } - if (!OAuthUtils.validateAudience(audience, client.getRegisteredAudiences())) { + if (!OAuthUtils.validateAudiences(audiences, client.getRegisteredAudiences())) { throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_GRANT)); } 
@@ -182,4 +182,18 @@ public abstract class AbstractGrantHandler implements AccessTokenGrantHandler { public boolean isCanSupportPublicClients() { return canSupportPublicClients; } + protected List getAudiences(Client client, String clientAudience) { + if (client.getRegisteredAudiences().isEmpty() && clientAudience == null) { + return Collections.emptyList(); + } + if (clientAudience != null) { + List audiences = Collections.singletonList(clientAudience); + if (!OAuthUtils.validateAudiences(audiences, client.getRegisteredAudiences())) { + throw new OAuthServiceException(OAuthConstants.INVALID_GRANT); + } + return audiences; + } else { + return client.getRegisteredAudiences(); + } + } } http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java index fb4bd5d..c9fe6d9 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java 
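Review bot: The else branch of the new getAudiences returns `client.getRegisteredAudiences()` itself, so every token created without a request audience shares the Client's mutable audience list: a later change to the client registration silently rewrites the audiences of already issued tokens, and anything holding the token can modify the registration through getAudiences(). Returning a copy, `return new ArrayList<String>(client.getRegisteredAudiences());`, avoids both (the singletonList branch is already immutable). The exception in this method is built as `new OAuthServiceException(OAuthConstants.INVALID_GRANT)`, while getPreAuthorizedToken in the hunk above wraps the same code in `new OAuthError(...)`; unless the String constructor also populates the error bean, the token service may not turn this one into a proper OAuth error response, so it is worth aligning the two. A short Javadoc stating that a request audience must be one of the registered audiences and that, absent one, all registered audiences are granted would also help.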
@@ -81,16 +81,34 @@ public class AuthorizationCodeGrantHandler extends AbstractGrantHandler { if (!compareCodeVerifierWithChallenge(client, clientCodeVerifier, clientCodeChallenge)) { throw new OAuthServiceException(OAuthConstants.INVALID_GRANT); } - - return doCreateAccessToken(client, grant, getSingleGrantType(), clientCodeVerifier); + List audiences = getAudiences(client, params, grant.getAudience()); + return doCreateAccessToken(client, grant, getSingleGrantType(), clientCodeVerifier, audiences); } + protected List getAudiences(Client client, MultivaluedMap params, + String grantAudience) { + String clientAudience = params.getFirst(OAuthConstants.CLIENT_AUDIENCE); + if (client.getRegisteredAudiences().isEmpty() && clientAudience == null && grantAudience == null) { + return Collections.emptyList(); + } + // if the audience was approved at the grant creation time and the audience is also + // sent to the token endpoint then both values must match + if (grantAudience != null && clientAudience != null && !grantAudience.equals(clientAudience)) { + throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST); + } + return getAudiences(client, clientAudience == null ? grantAudience : clientAudience); + } + private ServerAccessToken doCreateAccessToken(Client client, ServerAuthorizationCodeGrant grant, String requestedGrant, - String codeVerifier) { - ServerAccessToken token = getPreAuthorizedToken(client, grant.getSubject(), requestedGrant, - grant.getRequestedScopes(), grant.getAudience()); + String codeVerifier, + List audiences) { + ServerAccessToken token = getPreAuthorizedToken(client, + grant.getSubject(), + requestedGrant, + grant.getRequestedScopes(), + getAudiences(client, grant.getAudience())); if (token != null) { return token; } 
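Review bot: In the rewritten doCreateAccessToken the pre-authorized token lookup is keyed on `getAudiences(client, grant.getAudience())`, while the token registered a few lines later uses the `audiences` parameter; when the token request carries an audience and the grant has none, the two lists differ, so the lookup may match a token whose audiences are not those the new token would be issued with, and the validation inside getAudiences runs twice per request. Passing the already computed list, `grant.getRequestedScopes(), audiences);`, keeps lookup and registration consistent. The new three-argument getAudiences also overloads the inherited two-argument method of the same name, which makes the two calls in this hunk easy to confuse; a distinct name such as resolveAudiences would read better. doCreateAccessToken continues outside the hunk.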
@@ -108,7 +126,7 @@ public class AuthorizationCodeGrantHandler extends AbstractGrantHandler { List approvedScopes = Collections.emptyList(); reg.setApprovedScope(approvedScopes); } - reg.setAudience(grant.getAudience()); + reg.setAudiences(audiences); reg.setClientCodeVerifier(codeVerifier); return getDataProvider().createAccessToken(reg); } http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java index 5b8bca9..026a835 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java @@ -78,15 +78,6 @@ public class ServerAuthorizationCodeGrant extends AuthorizationCodeGrant { * Returns the number of seconds this grant can be valid after it was issued * @return the seconds this grant will be valid for */ - @Deprecated - public long getLifetime() { - return expiresIn; - } - - /** - * Returns the number of seconds this grant can be valid after it was issued - * @return the seconds this grant will be valid for - */ public long getExpiresIn() { return expiresIn; } http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java ---------------------------------------------------------------------- 
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java index 88c34ac..73ec127 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java @@ -62,7 +62,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl protected ServerAccessToken doCreateAccessToken(AccessTokenRegistration accessToken) { ServerAccessToken at = createNewAccessToken(accessToken.getClient()); - at.setAudience(accessToken.getAudience()); + at.setAudiences(accessToken.getAudiences()); at.setGrantType(accessToken.getGrantType()); List theScopes = accessToken.getApprovedScope(); List thePermissions = @@ -206,7 +206,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl } protected RefreshToken doCreateNewRefreshToken(ServerAccessToken at) { RefreshToken rt = new RefreshToken(at.getClient(), refreshTokenLifetime); - rt.setAudience(at.getAudience()); + rt.setAudiences(at.getAudiences()); rt.setGrantType(at.getGrantType()); rt.setScopes(at.getScopes()); rt.setSubject(at.getSubject()); 
@@ -224,7 +224,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl RefreshToken oldRefreshToken, List restrictedScopes) { ServerAccessToken at = createNewAccessToken(client); - at.setAudience(oldRefreshToken.getAudience()); + at.setAudiences(oldRefreshToken.getAudiences()); at.setGrantType(oldRefreshToken.getGrantType()); at.setSubject(oldRefreshToken.getSubject()); if (restrictedScopes.isEmpty()) { http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java index fb02230..d2a6766 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java @@ -26,6 +26,8 @@ import java.lang.reflect.Type; import java.nio.charset.StandardCharsets; import java.util.Collections; import java.util.LinkedHashMap; +import java.util.LinkedList; +import java.util.List; import java.util.Map; import javax.ws.rs.Consumes; @@ -37,6 +39,7 @@ import javax.ws.rs.ext.MessageBodyReader; import javax.ws.rs.ext.MessageBodyWriter; import javax.ws.rs.ext.Provider; +import org.apache.cxf.common.util.StringUtils; import org.apache.cxf.helpers.IOUtils; import org.apache.cxf.rs.security.oauth2.client.OAuthClientUtils; import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken; 
@@ -91,9 +94,24 @@ public class OAuthJSONProvider implements MessageBodyWriter, sb.append(","); appendJsonPair(sb, OAuthConstants.SCOPE, obj.getScope()); } - if (obj.getAud() != null) { + if (StringUtils.isEmpty(obj.getAud())) { sb.append(","); - appendJsonPair(sb, "aud", obj.getAud()); + if (obj.getAud().size() == 1) { + appendJsonPair(sb, "aud", obj.getAud()); + } else { + sb.append("["); + StringBuilder arr = new StringBuilder(); + List auds = obj.getAud(); + for (int i = 0; i < auds.size(); i++) { + if (i > 0) { + arr.append(","); + } + arr.append("\"").append(auds.get(i)).append("\""); + } + sb.append("]"); + appendJsonPair(sb, "aud", arr.toString(), false); + + } } sb.append(","); appendJsonPair(sb, "iat", obj.getIat(), false); @@ -219,7 +237,18 @@ public class OAuthJSONProvider implements MessageBodyWriter, } String aud = params.get("aud"); if (aud != null) { - resp.setAud(aud); + if (aud.startsWith("[") && aud.endsWith("]")) { + String[] auds = aud.substring(1, aud.length() - 1).split(","); + List list = new LinkedList(); + for (String s : auds) { + if (!s.trim().isEmpty()) { + list.add(s.trim()); + } + } + resp.setAud(list); + } else { + resp.setAud(Collections.singletonList(aud)); + } } String iat = params.get("iat"); if (iat != null) { http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java index 666e7e4..bfe459e 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java 
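Review bot: The `aud` branch of the JSON writer is inverted: `if (StringUtils.isEmpty(obj.getAud()))` emits the claim only when the list is empty, and then `obj.getAud().size()` throws a NullPointerException when it is null, so no introspection response with an audience is ever written. Inside the multi-value branch the `[` and `]` are appended to `sb` around the `"aud":` pair instead of into `arr`, producing `,["aud":"a","b"`, which is not JSON, and the single-value branch passes the List itself to appendJsonPair, which presumably renders its toString() (`[a]`) rather than the element. The values are also inserted without escaping; if appendJsonPair escapes its String argument, the array elements should get the same treatment. The rewrite below fixes the condition, the bracket placement and the single-value case.
```java
if (!StringUtils.isEmpty(obj.getAud())) {
    sb.append(",");
    List<String> auds = obj.getAud();
    if (auds.size() == 1) {
        appendJsonPair(sb, "aud", auds.get(0));
    } else {
        StringBuilder arr = new StringBuilder("[");
        for (int i = 0; i < auds.size(); i++) {
            if (i > 0) {
                arr.append(",");
            }
            arr.append("\"").append(auds.get(i)).append("\"");
        }
        arr.append("]");
        appendJsonPair(sb, "aud", arr.toString(), false);
    }
}
// … unchanged: iat/exp pairs …
```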
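Review bot: The new array handling in the reader splits `aud.substring(1, aud.length() - 1)` on commas and stores each trimmed piece as-is; if params.get("aud") still holds the raw bracketed text (which the `startsWith("[")` test suggests), each entry keeps its surrounding quote characters, so a serialised `["a","b"]` comes back as `"a"` and `"b"` and never equals the plain `a` stored by the single-value branch or the filter's configured audience. Stripping a surrounding quote pair per element, `if (v.length() > 1 && v.startsWith("\"") && v.endsWith("\"")) { v = v.substring(1, v.length() - 1); }`, makes the two paths agree; whether the upstream parser already does this should be confirmed. An audience value containing a comma would also be split in two by this approach.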
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java @@ -20,7 +20,6 @@ package org.apache.cxf.rs.security.oauth2.services; import java.util.Collections; import java.util.HashSet; -import java.util.LinkedList; import java.util.List; import java.util.Set; @@ -50,7 +49,6 @@ public abstract class AbstractAccessTokenValidator { private MessageContext mc; private List tokenHandlers = Collections.emptyList(); - private List audiences = new LinkedList(); private OAuthDataProvider dataProvider; public void setTokenValidator(AccessTokenValidator validator) { @@ -136,11 +134,6 @@ public abstract class AbstractAccessTokenValidator { AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm); } - // Check audiences - if (!validateAudience(accessTokenV.getAudience())) { - AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm); - } - return accessTokenV; } @@ -149,19 +142,9 @@ public abstract class AbstractAccessTokenValidator { dataProvider.removeAccessToken(localAccessToken); } - protected boolean validateAudience(String audience) { - return OAuthUtils.validateAudience(audience, audiences); - } - public void setRealm(String realm) { this.realm = realm; } - public List getAudiences() { - return audiences; - } - - public void setAudiences(List audiences) { - this.audiences = audiences; - } + } http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java index 5ee52cc..6f8a01f 100644 
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java @@ -20,6 +20,7 @@ package org.apache.cxf.rs.security.oauth2.services; import java.net.URI; +import java.util.Collections; import java.util.LinkedList; import java.util.List; import java.util.Map; @@ -77,7 +78,7 @@ public abstract class AbstractImplicitGrantService extends RedirectionBasedGrant } else { reg.setApprovedScope(approvedScope); } - reg.setAudience(state.getAudience()); + reg.setAudiences(Collections.singletonList(state.getAudience())); reg.setNonce(state.getNonce()); token = getDataProvider().createAccessToken(reg); } http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java index 8af601a..61bac1c 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java @@ -19,8 +19,6 @@ package org.apache.cxf.rs.security.oauth2.services; -import java.net.MalformedURLException; -import java.net.URL; import java.util.LinkedList; import java.util.List; 
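Review bot: `Collections.singletonList(state.getAudience())` produces a one-element list holding null when the state carries no audience, whereas AbstractGrantHandler.getAudiences yields an empty list for the same case, so implicit-grant tokens store and serialise a null audience element (the JSON writer would emit the text `null`) and whether the filter treats that as "no audience" depends on StringUtils.isEmpty's handling of a single null element. Suggest `reg.setAudiences(state.getAudience() == null ? Collections.<String>emptyList() : Collections.singletonList(state.getAudience()));`. The enclosing method starts outside the hunk.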
@@ -52,7 +50,6 @@ import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
 public class AccessTokenService extends AbstractTokenService {
 private List grantHandlers = new LinkedList();
 private List responseHandlers = new LinkedList();
- private List audiences = new LinkedList();
 /**
 * Sets the list of optional grant handlers
@@ -97,7 +94,7 @@ public class AccessTokenService extends AbstractTokenService {
 }
 try {
- checkAudience(params);
+ checkAudience(client, params);
 } catch (OAuthServiceException ex) {
 return super.createErrorResponseFromBean(ex.getError());
 }
@@ -139,23 +136,9 @@ public class AccessTokenService extends AbstractTokenService {
 filter.process(clientToken, serverToken);
 }
 }
- protected void checkAudience(MultivaluedMap params) {
- if (audiences.isEmpty()) {
- return;
- }
-
+ protected void checkAudience(Client c, MultivaluedMap params) {
 String audienceParam = params.getFirst(OAuthConstants.CLIENT_AUDIENCE);
- if (audienceParam == null) {
- throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
- }
- // must be URL
- try {
- new URL(audienceParam);
- } catch (MalformedURLException ex) {
- throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
- }
-
- if (!audiences.contains(audienceParam)) {
+ if (!OAuthUtils.validateAudience(audienceParam, c.getRegisteredAudiences())) {
 throw new OAuthServiceException(new OAuthError(OAuthConstants.ACCESS_DENIED));
 }
@@ -185,12 +168,4 @@ public class AccessTokenService extends AbstractTokenService {
 return null;
 }
-
- public List getAudiences() {
- return audiences;
- }
-
- public void setAudiences(List audiences) {
- this.audiences = audiences;
- }
 }
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
----------------------------------------------------------------------
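Review bot: The rewritten `checkAudience` in the `@@ -139` hunk now accepts a token request with no audience parameter unconditionally, because `OAuthUtils.validateAudience` short-circuits on `providedAudience == null`; the code it replaces rejected a missing audience with `INVALID_REQUEST` whenever audiences were configured, so a client registered with audiences can now obtain a token that is not bound to any of them. If that is not the intended policy, add a guard before the call: `if (audienceParam == null && !c.getRegisteredAudiences().isEmpty()) { throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST)); }` (null-safety of `getRegisteredAudiences()` is not visible here). The URL syntax check was dropped as well; if that is deliberate because audience identifiers need not be URLs, a one-line comment saying so would stop it from being re-added. Note also that the same failed check produces `ACCESS_DENIED` here but `INVALID_REQUEST` in RedirectionBasedGrantService, which makes the two endpoints report different error codes for one condition.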
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
index 4d24346..5b050df 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
@@ -160,8 +160,10 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
 return createErrorResponse(params, redirectUri, OAuthConstants.INVALID_SCOPE);
 }
 // Validate the audience
- if (!OAuthUtils.validateAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE),
- client.getRegisteredAudiences())) {
+ String clientAudience = params.getFirst(OAuthConstants.CLIENT_AUDIENCE);
+ // Right now if the audience parameter is set it is expected to be contained
+ // in the list of Client audiences set at the Client registration time.
+ if (!OAuthUtils.validateAudience(clientAudience, client.getRegisteredAudiences())) {
 throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
 }
@@ -256,6 +258,8 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
 state.setClientId(params.getFirst(OAuthConstants.CLIENT_ID));
 state.setRedirectUri(params.getFirst(OAuthConstants.REDIRECT_URI));
 state.setAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE));
+ // or if no audience parameter is available, set the list of client
+ // audiences for the users to see ?
 state.setProposedScope(params.getFirst(OAuthConstants.SCOPE));
 state.setState(params.getFirst(OAuthConstants.STATE));
 state.setNonce(params.getFirst(OAuthConstants.NONCE));
http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java
index 11485fe..645e3a4 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java
@@ -31,6 +31,7 @@ import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.SecurityContext;
 import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.jaxrs.ext.MessageContext;
 import org.apache.cxf.jaxrs.utils.ExceptionUtils;
 import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
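Review bot: The two comment lines added in the `@@ -256` hunk are an open question (`... for the users to see ?`) rather than a description of the code around them, and placed between `setAudience` and `setProposedScope` they read as if the next statement implemented the idea. Either record it as tracked work, `// TODO: decide whether to expose the client's registered audiences when no audience parameter is supplied`, or leave it out of the source and keep the discussion in the issue. The enclosing method starts outside the hunk.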
@@ -64,8 +65,8 @@ public class TokenIntrospectionService {
 if (at.getSubject() != null) {
 response.setUsername(at.getSubject().getLogin());
 }
- if (at.getAudience() != null) {
- response.setAud(at.getAudience());
+ if (!StringUtils.isEmpty(at.getAudiences())) {
+ response.setAud(at.getAudiences());
 }
 response.setIat(at.getIssuedAt());
 response.setExp(at.getIssuedAt() + at.getExpiresIn());
http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
index 066cec0..1857bf3 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
@@ -191,8 +191,16 @@ public final class OAuthUtils {
 && issuedAt + lifetime < System.currentTimeMillis() / 1000L;
 }
- public static boolean validateAudience(String audience, List audiences) {
- return audience == null || !audiences.isEmpty() && audiences.contains(audience);
+ public static boolean validateAudience(String providedAudience,
+ List allowedAudiences) {
+ return providedAudience == null
+ || validateAudiences(Collections.singletonList(providedAudience), allowedAudiences);
+ }
+ public static boolean validateAudiences(List providedAudiences,
+ List allowedAudiences) {
+ return StringUtils.isEmpty(providedAudiences)
+ && StringUtils.isEmpty(allowedAudiences)
+ || allowedAudiences.contains(providedAudiences);
 }
 public static boolean checkRequestURI(String servletPath, String uri) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java
index 2b3a798..c23f421 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java
@@ -236,7 +236,7 @@ public final class ModelEncryptionSupport {
 newToken.setRefreshToken(getStringPart(parts[5]));
 newToken.setGrantType(getStringPart(parts[6]));
- newToken.setAudience(getStringPart(parts[7]));
+ newToken.setAudiences(parseSimpleList(parts[7]));
 newToken.setParameters(parseSimpleMap(parts[8]));
 // Permissions
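Review bot: `allowedAudiences.contains(providedAudiences)` in the new `validateAudiences` asks whether the allowed list contains the provided list as a single element, not whether it contains the provided strings; a list is never equal to a string, so this is false for every non-empty `providedAudiences`, and both callers in this commit (`checkAudience` in AccessTokenService, the redirect flow in RedirectionBasedGrantService) will reject any request that actually names an audience. The intended check is `allowedAudiences.containsAll(providedAudiences)`. The same expression dereferences `allowedAudiences` whenever `providedAudiences` is non-empty even if it is `null`, which `StringUtils.isEmpty` appears to tolerate but `contains`/`containsAll` does not, so the last disjunct should read `|| (!StringUtils.isEmpty(allowedAudiences) && allowedAudiences.containsAll(providedAudiences))`, with the first `&&` group parenthesised as well so the precedence is explicit. Whether an empty `providedAudiences` against a non-empty allowed list should pass (as `containsAll` makes it) or fail (as `contains` does today) needs a stated decision and a unit test either way, since nothing in the patch exercises this method.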
@@ -289,7 +289,7 @@ public final class ModelEncryptionSupport {
 state.append(tokenizeString(token.getGrantType()));
 // 7: audience
 state.append(SEP);
- state.append(tokenizeString(token.getAudience()));
+ state.append(token.getAudiences().toString());
 // 8: other parameters
 state.append(SEP);
 // {key=value, key=value}
http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/crypto/CryptoUtilsTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/crypto/CryptoUtilsTest.java b/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/crypto/CryptoUtilsTest.java
index fd00e06..9df30fa 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/crypto/CryptoUtilsTest.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/crypto/CryptoUtilsTest.java
@@ -228,7 +228,7 @@ public class CryptoUtilsTest extends Assert {
 assertEquals(endUser1.getRoles(), endUser2.getRoles());
 assertEquals(token.getRefreshToken(), token2.getRefreshToken());
- assertEquals(token.getAudience(), token2.getAudience());
+ assertEquals(token.getAudiences(), token2.getAudiences());
 assertEquals(token.getGrantType(), token2.getGrantType());
 assertEquals(token.getParameters(), token2.getParameters());
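Review bot: `token.getAudiences().toString()` in the `@@ -289` hunk throws `NullPointerException` for a token whose audience list was never set, where the replaced `tokenizeString(token.getAudience())` accepted a nullable `String`; whether `ServerAccessToken` initialises the list to empty is not visible here. The round trip also relies on `List.toString()` producing exactly the form that `parseSimpleList` in the `@@ -236` hunk reverses, so an audience value containing `,` or `]`, or a `[null]` list produced by `Collections.singletonList(null)` elsewhere in this commit, will not survive encrypt/decrypt intact, and for a security token that means the audience binding can change silently. Suggest `state.append(token.getAudiences() == null ? "[]" : token.getAudiences().toString());` (confirm `parseSimpleList("[]")` yields an empty list) and a CryptoUtilsTest case that round-trips a multi-element audience list rather than the single `http://localhost` value. The enclosing method starts and ends outside the hunk.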
@@ -251,7 +251,7 @@ public class CryptoUtilsTest extends Assert {
 Client regClient = p.getClient("1");
 atr.setClient(regClient);
 atr.setGrantType("code");
- atr.setAudience("http://localhost");
+ atr.setAudiences(Collections.singletonList("http://localhost"));
 UserSubject endUser = new UserSubject("Barry", "BarryId");
 atr.setSubject(endUser);
 endUser.setRoles(Collections.singletonList("role1"));
http://git-wip-us.apache.org/repos/asf/cxf/blob/73cce96f/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/crypto/EncryptingDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/crypto/EncryptingDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/crypto/EncryptingDataProvider.java
index e2e7b3e..4363325 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/crypto/EncryptingDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/crypto/EncryptingDataProvider.java
@@ -124,7 +124,7 @@ public class EncryptingDataProvider implements OAuthDataProvider {
 createRefreshToken(token);
 token.setGrantType(accessTokenReg.getGrantType());
- token.setAudience(accessTokenReg.getAudience());
+ token.setAudiences(accessTokenReg.getAudiences());
 token.setParameters(Collections.singletonMap("param", "value"));
 token.setScopes(Collections.singletonList(
 new OAuthPermission("read", "read permission")));