amontenegro/PD-2487 PD-2486 PD-2483 PD-2485 PD-2484 Oauth fix multiple bugs (#7375)

* redirect_uri is optional on auth code exchange

* Redirect uri is not a parameter on the client credentials grant

* Fix 500 error when scope is empty

* Fix 500 error on missing grant_type

* Fix unit tests

Author: amontenegro

orcid-api-common/src/main/java/org/orcid/api/common/OrcidApiCommonEndpoints.java

@@ -29,6 +29,7 @@
 import org.orcid.persistence.jpa.entities.OrcidOauth2TokenDetail;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.HttpHeaders;
+import org.springframework.security.oauth2.common.exceptions.UnsupportedGrantTypeException;
 import org.springframework.stereotype.Component;
 import org.springframework.web.bind.annotation.RequestParam;
 
@@ -64,6 +65,10 @@ public Response obtainOauth2TokenPost(@HeaderParam("Authorization") @DefaultValu
         throws IOException, URISyntaxException, InterruptedException {
 
         // Token delegation is not implemented in the authorization server
+        if(grantType == null) {
+            throw new UnsupportedGrantTypeException("grant_type is missing");
+        }
+
         if(Features.OAUTH_AUTHORIZATION_CODE_EXCHANGE.isActive() && AuthCodeExchangeForwardUtil.AUTH_SERVER_ALLOWED_GRANT_TYPES.contains(grantType)) {
             Response response = null;
             switch (grantType) {

orcid-web/src/main/java/org/orcid/frontend/web/controllers/OauthGenericCallsController.java

@@ -32,6 +32,7 @@
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.oauth2.common.exceptions.UnsupportedGrantTypeException;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -61,6 +62,13 @@ public class OauthGenericCallsController extends OauthControllerBase {
     @RequestMapping(value = "/oauth/token", consumes = MediaType.APPLICATION_FORM_URLENCODED, produces = MediaType.APPLICATION_JSON)
     public ResponseEntity<?> obtainOauth2TokenPost(HttpServletRequest request) throws IOException, URISyntaxException, InterruptedException {
         String grantType = request.getParameter("grant_type");
+        if(grantType == null) {
+            OAuthError error = new OAuthError();
+            error.setErrorDescription("grant_type is missing");
+            error.setError(OAuthError.UNSUPPORTED_GRANT_TYPE);
+            error.setResponseStatus(Response.Status.BAD_REQUEST);
+            return ResponseEntity.status(HttpStatus.BAD_REQUEST).body(error);
+        }
         if(Features.OAUTH_AUTHORIZATION_CODE_EXCHANGE.isActive() && AuthCodeExchangeForwardUtil.AUTH_SERVER_ALLOWED_GRANT_TYPES.contains(grantType)) {
             String clientId = request.getParameter("client_id");
             String clientSecret = request.getParameter("client_secret");
@@ -73,26 +81,30 @@ public ResponseEntity<?> obtainOauth2TokenPost(HttpServletRequest request) throw
             String requestedTokenType = request.getParameter("requested_token_type");
 
             Response response = null;
-
-            switch (grantType) {
-                case OrcidOauth2Constants.GRANT_TYPE_AUTHORIZATION_CODE:
-                    response = authCodeExchangeForwardUtil.forwardAuthorizationCodeExchangeRequest(clientId, clientSecret, redirectUri, code);
-                    break;
-                case OrcidOauth2Constants.GRANT_TYPE_REFRESH_TOKEN:
-                    response = authCodeExchangeForwardUtil.forwardRefreshTokenRequest(clientId, clientSecret, refreshToken, scopeList);
-                    break;
-                case OrcidOauth2Constants.GRANT_TYPE_CLIENT_CREDENTIALS:
-                    response = authCodeExchangeForwardUtil.forwardClientCredentialsRequest(clientId, clientSecret, scopeList);
-                    break;
-                case IETF_EXCHANGE_GRANT_TYPE:
-                    response = authCodeExchangeForwardUtil.forwardTokenExchangeRequest(clientId, clientSecret, subjectToken, subjectTokenType, requestedTokenType, scopeList);
-                    break;
+            try {
+                switch (grantType) {
+                    case OrcidOauth2Constants.GRANT_TYPE_AUTHORIZATION_CODE:
+                        response = authCodeExchangeForwardUtil.forwardAuthorizationCodeExchangeRequest(clientId, clientSecret, redirectUri, code);
+                        break;
+                    case OrcidOauth2Constants.GRANT_TYPE_REFRESH_TOKEN:
+                        response = authCodeExchangeForwardUtil.forwardRefreshTokenRequest(clientId, clientSecret, refreshToken, scopeList);
+                        break;
+                    case OrcidOauth2Constants.GRANT_TYPE_CLIENT_CREDENTIALS:
+                        response = authCodeExchangeForwardUtil.forwardClientCredentialsRequest(clientId, clientSecret, scopeList);
+                        break;
+                    case IETF_EXCHANGE_GRANT_TYPE:
+                        response = authCodeExchangeForwardUtil.forwardTokenExchangeRequest(clientId, clientSecret, subjectToken, subjectTokenType, requestedTokenType, scopeList);
+                        break;
+                }
+                HttpHeaders responseHeaders = new HttpHeaders();
+                responseHeaders.set(Features.OAUTH_AUTHORIZATION_CODE_EXCHANGE.name(),
+                        "ON");
+                return ResponseEntity.status(response.getStatus()).headers(responseHeaders).body(response.getEntity());
+            } catch(Exception e) {
+                OAuthError error = OAuthErrorUtils.getOAuthError(e);
+                HttpStatus status = HttpStatus.valueOf(error.getResponseStatus().getStatusCode());
+                return ResponseEntity.status(status).body(error);
             }
-
-            HttpHeaders responseHeaders = new HttpHeaders();
-            responseHeaders.set(Features.OAUTH_AUTHORIZATION_CODE_EXCHANGE.name(),
-                    "ON");
-            return ResponseEntity.status(response.getStatus()).headers(responseHeaders).body(response.getEntity());
         } else {
             String authorization = request.getHeader("Authorization");
             Enumeration<String> paramNames = request.getParameterNames();

orcid-web/src/test/java/org/orcid/frontend/web/controllers/OauthGenericCallsControllerTest.java

@@ -46,7 +46,9 @@ public void setUp() {
     public void testObtainOauth2TokenPost() throws IOException, URISyntaxException, InterruptedException {
         when(orcidClientCredentialEndPointDelegator.obtainOauth2Token(isNull(), any())).thenReturn(
                 Response.ok("some-success-entity").build());
-        ResponseEntity<?> responseEntity = controller.obtainOauth2TokenPost(new MockHttpServletRequest());
+        MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
+        mockHttpServletRequest.addParameter("grant_type", "client_credentials");
+        ResponseEntity<?> responseEntity = controller.obtainOauth2TokenPost(mockHttpServletRequest);
         assertNotNull(responseEntity);
         assertNotNull(responseEntity.getBody());
         assertEquals("some-success-entity", responseEntity.getBody());
@@ -56,7 +58,9 @@ public void testObtainOauth2TokenPost() throws IOException, URISyntaxException,
     public void testObtainOauth2TokenPostLockedClient() throws IOException, URISyntaxException, InterruptedException {
         when(orcidClientCredentialEndPointDelegator.obtainOauth2Token(isNull(), any())).thenThrow(
                 new LockedException("Client is locked"));
-        ResponseEntity<?> responseEntity = controller.obtainOauth2TokenPost(new MockHttpServletRequest());
+        MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
+        mockHttpServletRequest.addParameter("grant_type", "client_credentials");
+        ResponseEntity<?> responseEntity = controller.obtainOauth2TokenPost(mockHttpServletRequest);
         assertNotNull(responseEntity);
         assertNotNull(responseEntity.getBody());
         assertTrue(responseEntity.getBody() instanceof OAuthError);