oxAuth #441

Pre-Authorization + Persist Authorizations... don't write anything

Client/src/test/java/org/xdi/oxauth/ws/rs/PersistClientAuthorizationsHttpTest.java

@@ -26,7 +26,7 @@
 
 /**
  * @author Javier Rojas Blum
- * @version January 19, 2017
+ * @version January 20, 2017
  */
 public class PersistClientAuthorizationsHttpTest extends BaseTest {
 
@@ -278,4 +278,76 @@ public void persistentClientAuthorizations(
             assertNotNull(tokenResponse.getRefreshToken(), "The refresh token is null");
         }
     }
+
+    @Parameters({"userId", "userSecret", "redirectUris", "redirectUri", "sectorIdentifierUri"})
+    @Test
+    public void doNotPersistAuthorizationWhenPreAuthorized(
+            final String userId, final String userSecret, final String redirectUris, final String redirectUri,
+            final String sectorIdentifierUri) throws Exception {
+        showTitle("doNotPersistAuthorizationWhenPreAuthorized");
+
+        List<ResponseType> responseTypes = Arrays.asList(ResponseType.CODE, ResponseType.ID_TOKEN);
+
+        // 1. Register client
+        RegisterRequest registerRequest = new RegisterRequest(ApplicationType.WEB, "oxAuth test app",
+                StringUtils.spaceSeparatedToList(redirectUris));
+        registerRequest.setResponseTypes(responseTypes);
+        registerRequest.setSectorIdentifierUri(sectorIdentifierUri);
+        registerRequest.addCustomAttribute("oxAuthTrustedClient", "true");
+
+        RegisterClient registerClient = new RegisterClient(registrationEndpoint);
+        registerClient.setRequest(registerRequest);
+        RegisterResponse registerResponse = registerClient.exec();
+
+        showClient(registerClient);
+        assertEquals(registerResponse.getStatus(), 200, "Unexpected response code: " + registerResponse.getEntity());
+        assertNotNull(registerResponse.getClientId());
+        assertNotNull(registerResponse.getClientSecret());
+        assertNotNull(registerResponse.getRegistrationAccessToken());
+        assertNotNull(registerResponse.getClientIdIssuedAt());
+        assertNotNull(registerResponse.getClientSecretExpiresAt());
+
+        String clientId = registerResponse.getClientId();
+        String clientSecret = registerResponse.getClientSecret();
+
+        // 2. Request authorization
+        // Scopes: openid, profile
+        // Authenticate user with login password, do not show authorize page because the client is pre-authorized.
+        List<String> scopes = Arrays.asList("openid", "profile");
+        String nonce = UUID.randomUUID().toString();
+        String state = UUID.randomUUID().toString();
+
+        AuthorizationRequest authorizationRequest = new AuthorizationRequest(responseTypes, clientId, scopes, redirectUri, nonce);
+        authorizationRequest.setState(state);
+
+        AuthorizationResponse authorizationResponse = authenticateResourceOwner(
+                authorizationEndpoint, authorizationRequest, userId, userSecret, false);
+
+        assertNotNull(authorizationResponse.getLocation());
+        assertNotNull(authorizationResponse.getCode());
+        assertNotNull(authorizationResponse.getIdToken());
+        assertNotNull(authorizationResponse.getState());
+
+        String authorizationCode = authorizationResponse.getCode();
+
+        // 3. Request access token using the authorization code.
+        TokenRequest tokenRequest = new TokenRequest(GrantType.AUTHORIZATION_CODE);
+        tokenRequest.setCode(authorizationCode);
+        tokenRequest.setRedirectUri(redirectUri);
+        tokenRequest.setAuthUsername(clientId);
+        tokenRequest.setAuthPassword(clientSecret);
+        tokenRequest.setAuthenticationMethod(AuthenticationMethod.CLIENT_SECRET_BASIC);
+
+        TokenClient tokenClient = new TokenClient(tokenEndpoint);
+        tokenClient.setRequest(tokenRequest);
+        TokenResponse tokenResponse = tokenClient.exec();
+
+        showClient(tokenClient);
+        assertEquals(tokenResponse.getStatus(), 200, "Unexpected response code: " + tokenResponse.getStatus());
+        assertNotNull(tokenResponse.getEntity());
+        assertNotNull(tokenResponse.getAccessToken());
+        assertNotNull(tokenResponse.getExpiresIn());
+        assertNotNull(tokenResponse.getTokenType());
+        assertNotNull(tokenResponse.getRefreshToken());
+    }
 }

Server/src/main/java/org/xdi/oxauth/authorize/ws/rs/AuthorizeAction.java

@@ -51,7 +51,7 @@
 /**
  * @author Javier Rojas Blum
  * @author Yuriy Movchan
- * @version January 19, 2017
+ * @version January 20, 2017
  */
 @Name("authorizeAction")
 @Scope(ScopeType.EVENT) // Do not change scope, we try to keep server without http sessions
@@ -644,7 +644,11 @@ public void permissionGranted(SessionState session) {
                 scope = session.getSessionAttributes().get(AuthorizeRequestParam.SCOPE);
             }
 
-            if (client.getPersistClientAuthorizations()) {
+            // oxAuth #441 Pre-Authorization + Persist Authorizations... don't write anything
+            // If a client has pre-authorization=true, there is no point to create the entry under
+            // ou=clientAuthorizations it will negatively impact performance, grow the size of the
+            // ldap database, and serve no purpose.
+            if (client.getPersistClientAuthorizations() && !client.getTrustedClient()) {
                 final Set<String> scopes = Sets.newHashSet(org.xdi.oxauth.model.util.StringUtils.spaceSeparatedToList(scope));
                 clientAuthorizationsService.add(user.getAttribute("inum"), client.getClientId(), scopes);
             }