API에 scope이 적용되어 있지 않은 경우, Client에 API 적용여부를 확인하도록 수정
This commit is contained in:
@@ -24,6 +24,8 @@ import com.nimbusds.jose.JWSVerifier;
|
||||
import com.nimbusds.jose.crypto.RSASSAVerifier;
|
||||
import com.nimbusds.jose.util.IOUtils;
|
||||
import com.nimbusds.jwt.SignedJWT;
|
||||
|
||||
import org.apache.commons.collections.CollectionUtils;
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.springframework.core.io.ClassPathResource;
|
||||
import org.springframework.core.io.Resource;
|
||||
@@ -141,26 +143,32 @@ public class ApiAuthFilter implements HttpAdapterFilter {
|
||||
|
||||
OAuth2Manager manager = OAuth2Manager.getInstance();
|
||||
HashSet<String> scopeSet = manager.getApiScopeMap().get(apiId);
|
||||
|
||||
String[] scopeArr = signedJWT.getJWTClaimsSet().getStringArrayClaim(PAYLOAD_PARAM_NAME_SCOPE);
|
||||
if (scopeArr == null || scopeArr.length == 0) {
|
||||
throw new JwtAuthException(ERROR_AUTHORIZATION_FAIL,
|
||||
String.format("Insufficient [Scope](Allowed Scope=%s)", scopeSet.toString()));
|
||||
}
|
||||
|
||||
for (String scope : scopeArr) {
|
||||
if (StringUtils.equals(scope, "oob") || StringUtils.equals(scope, "public")) {
|
||||
isPassScope = true;
|
||||
}
|
||||
}
|
||||
// API에 scope 설정이 안되어 있는 경우, scope 체크를 pass하고 나중에 client API 맵을 체크한다.
|
||||
if(CollectionUtils.isEmpty(scopeSet))
|
||||
isPassScope = true;
|
||||
|
||||
if (!isPassScope) {
|
||||
if (!verifyScope(scopeSet, signedJWT)) {
|
||||
if(!isPassScope) {
|
||||
String[] scopeArr = signedJWT.getJWTClaimsSet().getStringArrayClaim(PAYLOAD_PARAM_NAME_SCOPE);
|
||||
if (scopeArr == null || scopeArr.length == 0) {
|
||||
throw new JwtAuthException(ERROR_AUTHORIZATION_FAIL,
|
||||
String.format("Insufficient [Scope](Allowed Scope=%s)", scopeSet.toString()));
|
||||
}
|
||||
|
||||
for (String scope : scopeArr) {
|
||||
if (StringUtils.equals(scope, "oob") || StringUtils.equals(scope, "public")) {
|
||||
isPassScope = true;
|
||||
}
|
||||
}
|
||||
|
||||
if (!isPassScope) {
|
||||
if (!verifyScope(scopeSet, signedJWT)) {
|
||||
throw new JwtAuthException(ERROR_AUTHORIZATION_FAIL,
|
||||
String.format("Insufficient [Scope](Allowed Scope=%s)", scopeSet.toString()));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
// header 값으로 전송된 clientId와 토큰 소유 clientId check
|
||||
if (!verifyClientId(prop, signedJWT)) {
|
||||
throw new JwtAuthException(ERROR_AUTHENTICATION_FAIL, "client_id not matched(header/token)");
|
||||
|
||||
Reference in New Issue
Block a user