Class OAuth2TokenScopeValidator

java.lang.Object
com.linecorp.armeria.server.auth.oauth2.OAuth2TokenScopeValidator

public final class OAuth2TokenScopeValidator extends Object
A helper class for optional validation of an OAuth 2 token within a specific execution context (e.g. to implement fine-grained access control).
  • Method Details

    • validateScope

      public static boolean validateScope(ServiceRequestContext ctx, Set<String> permittedScope)
Validates the given ServiceRequestContext against the permitted scope of the given execution context. This operation assumes that a valid OAuth2TokenDescriptor has already been attached to the ServiceRequestContext by the OAuth 2 subsystem.
      Parameters:
      ctx - ServiceRequestContext that contains valid OAuth2TokenDescriptor.
permittedScope - A Set of scope tokens (roles) to validate against. This Set may be empty, in which case any valid token is permitted.
      Returns:
true if the OAuth2TokenDescriptor includes a non-empty scope that contains all elements of permittedScope.
    • validateScope

      public static boolean validateScope(OAuth2TokenDescriptor tokenDescriptor, Set<String> permittedScope)
Validates the given OAuth2TokenDescriptor against the permitted scope of the given execution context.
      Parameters:
      tokenDescriptor - An instance of OAuth2TokenDescriptor to validate.
permittedScope - A Set of scope tokens (roles) to validate against. This Set may be empty, in which case any valid token is permitted.
      Returns:
true if the OAuth2TokenDescriptor includes a non-empty scope that contains all elements of permittedScope.
    • insufficientScopeErrorResponse

      public static HttpResponse insufficientScopeErrorResponse()
Returns an HttpResponse with the HttpStatus.FORBIDDEN status code and a formatted JSON error body, as shown below.

           HTTP/1.1 403 Forbidden
           Content-Type: application/json;charset=UTF-8
           {"error":"insufficient_scope"}

      This response indicates that the request requires higher privileges than provided by the access token. The resource server SHOULD respond with the HTTP 403 (Forbidden) status code and MAY include the "scope" attribute with the scope necessary to access the protected resource.
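As an added example (not part of the Armeria Javadoc or the Armeria code base), the two methods above combine naturally into a per-route decorator: a route declares the scopes it requires, validateScope(ctx, permittedScope) checks the descriptor the OAuth 2 subsystem attached to the context, and a token that is valid but lacks a required scope gets the insufficientScopeErrorResponse() 403 instead of reaching the service. The RequireScope class name and its of(...) factory are hypothetical; it assumes Armeria's DecoratingHttpServiceFunction and HttpService.decorate(...).

```java
import java.util.Set;

import com.linecorp.armeria.common.HttpRequest;
import com.linecorp.armeria.common.HttpResponse;
import com.linecorp.armeria.server.DecoratingHttpServiceFunction;
import com.linecorp.armeria.server.HttpService;
import com.linecorp.armeria.server.ServiceRequestContext;
import com.linecorp.armeria.server.auth.oauth2.OAuth2TokenScopeValidator;

/**
 * Hypothetical decorator (added example, not Armeria code): every request to the
 * decorated service must carry an OAuth 2 token whose scope contains all of
 * {@code permittedScope}. An empty {@code permittedScope} lets any valid token through,
 * exactly as documented for validateScope().
 */
public final class RequireScope implements DecoratingHttpServiceFunction {

    private final Set<String> permittedScope;

    private RequireScope(Set<String> permittedScope) {
        this.permittedScope = Set.copyOf(permittedScope);
    }

    /** e.g. RequireScope.of("orders:read", "orders:write") */
    public static RequireScope of(String... scopes) {
        return new RequireScope(Set.of(scopes));
    }

    @Override
    public HttpResponse serve(HttpService delegate, ServiceRequestContext ctx, HttpRequest req)
            throws Exception {
        // Assumption: the OAuth 2 authorizer decorator runs before this one, so a valid
        // OAuth2TokenDescriptor is already attached to ctx. Ordering the decorators the other
        // way round would mean validateScope() never sees a descriptor.
        if (!OAuth2TokenScopeValidator.validateScope(ctx, permittedScope)) {
            // Token is authenticated but under-privileged: respond with
            // 403 {"error":"insufficient_scope"} rather than invoking the service.
            return OAuth2TokenScopeValidator.insufficientScopeErrorResponse();
        }
        return delegate.serve(ctx, req);
    }
}

// Usage sketch (hypothetical service names), to be placed in your ServerBuilder setup:
//   sb.service("/orders", ordersService.decorate(RequireScope.of("orders:read")));
//   sb.service("/admin",  adminService.decorate(RequireScope.of("admin")));
```

Because the check is per decorated service, scopes that protect different routes stay independent, and a token holding only "orders:read" is rejected at "/admin" with the documented 403 body.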