diff --git a/src/main/java/com/eactive/eai/adapter/http/dynamic/filter/ApiAuthFilter.java b/src/main/java/com/eactive/eai/adapter/http/dynamic/filter/ApiAuthFilter.java index 569b64b..2babcee 100644 --- a/src/main/java/com/eactive/eai/adapter/http/dynamic/filter/ApiAuthFilter.java +++ b/src/main/java/com/eactive/eai/adapter/http/dynamic/filter/ApiAuthFilter.java @@ -109,6 +109,7 @@ public class ApiAuthFilter implements HttpAdapterFilter { return message; } + boolean isPassScope = false; switch (eaiMessage.getAuthType()){ case "oauth": try { @@ -127,10 +128,25 @@ public class ApiAuthFilter implements HttpAdapterFilter { OAuth2Manager manager = OAuth2Manager.getInstance(); HashSet scopeSet = manager.getApiScopeMap().get(apiId); - if (!verifyScope(scopeSet, signedJWT)) { + + String[] scopeArr = signedJWT.getJWTClaimsSet().getStringArrayClaim(PAYLOAD_PARAM_NAME_SCOPE); + if (scopeArr == null || scopeArr.length == 0) { throw new JwtAuthException(ERROR_AUTHORIZATION_FAIL, String.format("Insufficient [Scope](Allowed Scope=%s)", scopeSet.toString())); } + + for (String scope : scopeArr) { + if (StringUtils.equals(scope, "oob") || StringUtils.equals(scope, "public")) { + isPassScope = true; + } + } + + if (!isPassScope) { + if (!verifyScope(scopeSet, signedJWT)) { + throw new JwtAuthException(ERROR_AUTHORIZATION_FAIL, + String.format("Insufficient [Scope](Allowed Scope=%s)", scopeSet.toString())); + } + } // header 값으로 전송된 clientId와 토큰 소유 clientId check if (!verifyClientId(prop, signedJWT)) { @@ -144,26 +160,6 @@ public class ApiAuthFilter implements HttpAdapterFilter { throw new JwtAuthException(ERROR_AUTHENTICATION_FAIL, "Token invalid"); } break; -// case "bearer": -// try { -// String token = ApiAuthFilter.extractJWTToken(request); -// BearerTokenInfo CATokenInfo = CATokenStore.get(token); -// -// if (CATokenInfo == null) { -// throw new JwtAuthException(ERROR_AUTHENTICATION_FAIL, "Token invalid"); -// } -// -// if (CATokenInfo.isExpired()) { -// throw new JwtAuthException(ERROR_TOKEN_EXPIRED, "Access token expired"); -// } -// } catch (JwtAuthException e) { -// logger.debug(e.getMessage()); -// throw e; -// } catch (Exception e) { -// logger.error(e.getMessage()); -// throw new JwtAuthException(ERROR_AUTHENTICATION_FAIL, "Token invalid"); -// } -// break; case "api_key": String apiKeyName = PropManager.getInstance().getProperty("ApiConfig", "api.key.name", "x-api-key"); String apiKey = request.getHeader(apiKeyName); @@ -171,19 +167,22 @@ public class ApiAuthFilter implements HttpAdapterFilter { throw new JwtAuthException(ERROR_AUTHENTICATION_FAIL, "Invalid or missing API key \""+apiKeyName+"\" in Http Header"); } prop.setProperty(HttpAdapterServiceSupport.PROPERTIES_NAME_CLIENT_ID, apiKey); + isPassScope = true; break; case "none": return message; } - String clientId = prop.getProperty(HttpAdapterServiceSupport.PROPERTIES_NAME_CLIENT_ID); - ClientVO clientVO = OAuth2Manager.getInstance().getClientVO(clientId); - if(clientVO == null){ - throw new JwtAuthException(ERROR_AUTHENTICATION_FAIL, "Unregistered APP"); - } + if (isPassScope) { + String clientId = prop.getProperty(HttpAdapterServiceSupport.PROPERTIES_NAME_CLIENT_ID); + ClientVO clientVO = OAuth2Manager.getInstance().getClientVO(clientId); + if(clientVO == null){ + throw new JwtAuthException(ERROR_AUTHENTICATION_FAIL, "Unregistered APP"); + } - if(clientVO.getApiMap().containsKey(eaiSvcCd) == false){ - throw new JwtAuthException(ERROR_AUTHENTICATION_FAIL, "Unregistered API ["+eaiSvcCd+"] in ["+clientVO.getClientName()+"] APP"); + if(clientVO.getApiMap().containsKey(eaiSvcCd) == false){ + throw new JwtAuthException(ERROR_AUTHENTICATION_FAIL, "Unregistered API ["+eaiSvcCd+"] in ["+clientVO.getClientName()+"] APP"); + } } return message;