33
44import javax .servlet .http .HttpServletRequest ;
55import javax .ws .rs .Consumes ;
6- import javax .ws .rs .HeaderParam ;
76import javax .ws .rs .POST ;
87import javax .ws .rs .Path ;
98import javax .ws .rs .core .Context ;
109import javax .ws .rs .core .HttpHeaders ;
1110import javax .ws .rs .core .MediaType ;
1211import javax .ws .rs .core .MultivaluedMap ;
1312import javax .ws .rs .core .Response ;
13+ import com .authlete .common .api .AuthleteApi ;
1414import com .authlete .common .api .AuthleteApiFactory ;
1515import com .authlete .jaxrs .BasePushedAuthReqEndpoint ;
16+ import com .authlete .jaxrs .PushedAuthReqHandler .Params ;
1617
1718
1819/**
1920 * An implementation of a pushed authorization endpoint.
20- *
21+ *
2122 * @see <a href="https://tools.ietf.org/html/draft-lodderstedt-oauth-par"
2223 * >OAuth 2.0 Pushed Authorization Requests</a>
23- *
24+ *
2425 * @author Justin Richer
2526 *
2627 */
@@ -35,13 +36,56 @@ public class PushedAuthReqEndpoint extends BasePushedAuthReqEndpoint
3536 @ POST
3637 @ Consumes (MediaType .APPLICATION_FORM_URLENCODED )
3738 public Response post (
38- @ HeaderParam (HttpHeaders .AUTHORIZATION ) String authorization ,
39- MultivaluedMap <String , String > parameters ,
40- @ Context HttpServletRequest request )
39+ @ Context HttpServletRequest request ,
40+ MultivaluedMap <String , String > parameters )
4141 {
42- String [] clientCertificates = extractClientCertificateChain (request );
42+ // Authlete API
43+ AuthleteApi authleteApi = AuthleteApiFactory .getDefaultApi ();
44+
45+ // Parameters for Authlete's pushed_auth_req API.
46+ Params params = buildParams (request , parameters );
47+
48+ // Handle the PAR request.
49+ return handle (authleteApi , params );
50+ }
51+
52+
53+ private Params buildParams (
54+ HttpServletRequest request , MultivaluedMap <String , String > parameters )
55+ {
56+ Params params = new Params ();
57+
58+ // RFC 6749
59+ // The OAuth 2.0 Authorization Framework
60+ params .setParameters (parameters )
61+ .setAuthorization (request .getHeader (HttpHeaders .AUTHORIZATION ))
62+ ;
63+
64+ // MTLS
65+ // RFC 8705 : OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
66+ params .setClientCertificatePath (extractClientCertificateChain (request ));
67+
68+ // DPoP
69+ // RFC 9449 : OAuth 2.0 Demonstrating Proof of Possession (DPoP)
70+ params .setDpop (request .getHeader ("DPoP" ))
71+ .setHtm ("POST" )
72+ //.setHtu(request.getRequestURL().toString())
73+ ;
74+
75+ // We can reconstruct the URL of the PAR endpoint by calling
76+ // request.getRequestURL().toString() and set it to params by the
77+ // setHtu(String) method. However, the calculated URL may be invalid
78+ // behind proxies.
79+ //
80+ // If "htu" is not set here, the "pushedAuthReqEndpoint" property of
81+ // "Service" (which can be configured by using Authlete's web console)
82+ // is referred to as the default value. Therefore, we don't call the
83+ // setHtu(String) method here intentionally. Note that this means you
84+ // have to set "pushedAuthReqEndpoint" properly to support DPoP.
85+
86+ // Even the call of the setHtm(String) method can be omitted, too.
87+ // When "htm" is not set, "POST" is used as the default value.
4388
44- return handle (AuthleteApiFactory .getDefaultApi (),
45- parameters , authorization , clientCertificates );
89+ return params ;
4690 }
4791}
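Review bot: The commented-out `//.setHtu(request.getRequestURL().toString())` left inside the DPoP builder chain in buildParams is dead code; the comment block that follows it already records why "htu" is intentionally not set, so that line and the dangling `;` can go and the chain can end as `.setHtm("POST");`. The public post method also changed signature but still carries no Javadoc; a short comment saying that it reads the Authorization and DPoP headers and the client certificate chain from the request, delegates to handle(), and that "htu" falls back to the service's pushedAuthReqEndpoint setting, with `@param request`, `@param parameters` and `@return`, would make the contract visible to callers. The enclosing class starts before this hunk.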