Source code

001/*
002 * oauth2-oidc-sdk
003 *
004 * Copyright 2012-2016, Connect2id Ltd and contributors.
005 *
006 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
007 * this file except in compliance with the License. You may obtain a copy of the
008 * License at
009 *
010 *    http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software distributed
013 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
014 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
015 * specific language governing permissions and limitations under the License.
016 */
017
018package com.nimbusds.oauth2.sdk.auth;
019
020
021import java.io.UnsupportedEncodingException;
022import java.net.URLDecoder;
023import java.net.URLEncoder;
024import java.nio.charset.Charset;
025
026import net.jcip.annotations.Immutable;
027
028import com.nimbusds.jose.util.Base64;
029
030import com.nimbusds.oauth2.sdk.ParseException;
031import com.nimbusds.oauth2.sdk.id.ClientID;
032import com.nimbusds.oauth2.sdk.http.HTTPRequest;
033
034
035/**
036 * Client secret basic authentication at the Token endpoint. Implements
037 * {@link ClientAuthenticationMethod#CLIENT_SECRET_BASIC}.
038 *
039 * <p>Example HTTP Authorization header (for client identifier "s6BhdRkqt3" and
040 * secret "7Fjfp0ZBr1KtDRbnfVdmIw"):
041 *
042 * <pre>
043 * Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3
044 * </pre>
045 *
046 * <p>Related specifications:
047 *
048 * <ul>
049 *     <li>OAuth 2.0 (RFC 6749), sections 2.3.1 and 3.2.1.
050 *     <li>OpenID Connect Core 1.0, section 9.
051 *     <li>HTTP Authentication: Basic and Digest Access Authentication 
052 *         (RFC 2617).
053 * </ul>
054 */
055@Immutable
056public final class ClientSecretBasic extends PlainClientSecret {
057
058
059        /**
060         * The default character set for the client ID and secret encoding.
061         */
062        private static final Charset UTF8_CHARSET = Charset.forName("UTF-8");
063        
064        
065        /**
066         * Creates a new client secret basic authentication.
067         *
068         * @param clientID The client identifier. Must not be {@code null}.
069         * @param secret   The client secret. Must not be {@code null}.
070         */
071        public ClientSecretBasic(final ClientID clientID, final Secret secret) {
072        
073                super(ClientAuthenticationMethod.CLIENT_SECRET_BASIC, clientID, secret);
074        }
075        
076        
077        /**
078         * Returns the HTTP Authorization header representation of this client
079         * secret basic authentication.
080         *
081         * <p>Note that OAuth 2.0 (RFC 6749, section 2.3.1) requires the client
082         * ID and secret to be {@code application/x-www-form-urlencoded} before
083         * passing them to the HTTP basic authentication algorithm. This
084         * behaviour differs from the original HTTP Basic Authentication
085         * specification (RFC 2617).
086         *
087         * <p>Example HTTP Authorization header (for client identifier
088         * "Aladdin" and password "open sesame"):
089         *
090         * <pre>
091         *
092         * Authorization: Basic QWxhZGRpbjpvcGVuK3Nlc2FtZQ==
093         * </pre>
094         *
095         * <p>See RFC 2617, section 2.
096         *
097         * @return The HTTP Authorization header.
098         */
099        public String toHTTPAuthorizationHeader() {
100
101                StringBuilder sb = new StringBuilder();
102
103                try {
104                        sb.append(URLEncoder.encode(getClientID().getValue(), UTF8_CHARSET.name()));
105                        sb.append(':');
106                        sb.append(URLEncoder.encode(getClientSecret().getValue(), UTF8_CHARSET.name()));
107
108                } catch (UnsupportedEncodingException e) {
109
110                        // UTF-8 should always be supported
111                }
112
113                return "Basic " + Base64.encode(sb.toString().getBytes(UTF8_CHARSET));
114        }
115        
116        
117        @Override
118        public void applyTo(final HTTPRequest httpRequest) {
119        
120                httpRequest.setAuthorization(toHTTPAuthorizationHeader());
121        }
122        
123        
124        /**
125         * Parses a client secret basic authentication from the specified HTTP
126         * Authorization header.
127         *
128         * @param header The HTTP Authorization header to parse. Must not be 
129         *               {@code null}.
130         *
131         * @return The client secret basic authentication.
132         *
133         * @throws ParseException If the header couldn't be parsed to a client
134         *                        secret basic authentication.
135         */
136        public static ClientSecretBasic parse(final String header)
137                throws ParseException {
138                
139                String[] parts = header.split("\\s");
140                
141                if (parts.length != 2)
142                        throw new ParseException("Malformed client secret basic authentication (see RFC 6749, section 2.3.1): Unexpected number of HTTP Authorization header value parts: " + parts.length);
143                
144                if (! parts[0].equalsIgnoreCase("Basic"))
145                        throw new ParseException("HTTP authentication must be \"Basic\"");
146                
147                String credentialsString = new String(new Base64(parts[1]).decode(), UTF8_CHARSET);
148
149                String[] credentials = credentialsString.split(":", 2);
150                
151                if (credentials.length != 2)
152                        throw new ParseException("Malformed client secret basic authentication (see RFC 6749, section 2.3.1): Missing credentials delimiter \":\"");
153
154                try {
155                        String decodedClientID = URLDecoder.decode(credentials[0], UTF8_CHARSET.name());
156                        String decodedSecret = URLDecoder.decode(credentials[1], UTF8_CHARSET.name());
157                        
158                        return new ClientSecretBasic(new ClientID(decodedClientID), new Secret(decodedSecret));
159                        
160                } catch (IllegalArgumentException | UnsupportedEncodingException e) {
161                
162                        throw new ParseException("Malformed client secret basic authentication (see RFC 6749, section 2.3.1): Invalid URL encoding", e);
163                }
164        }
165        
166        
167        /**
168         * Parses a client secret basic authentication from the specified HTTP
169         * request.
170         *
171         * @param httpRequest The HTTP request to parse. Must not be 
172         *                    {@code null} and must contain a valid 
173         *                    Authorization header.
174         *
175         * @return The client secret basic authentication.
176         *
177         * @throws ParseException If the HTTP Authorization header couldn't be 
178         *                        parsed to a client secret basic 
179         *                        authentication.
180         */
181        public static ClientSecretBasic parse(final HTTPRequest httpRequest)
182                throws ParseException {
183                
184                String header = httpRequest.getAuthorization();
185                
186                if (header == null)
187                        throw new ParseException("Missing HTTP Authorization header");
188                        
189                return parse(header);
190        }
191}