Merge pull request #27 from auth0/feature-update-token-endpoint

Allow /oauth/token for private clients

Author: hzalaz

auth0/src/main/java/com/auth0/authentication/AuthenticationAPIClient.java

@@ -46,6 +46,10 @@
 /**
  * API client for Auth0 Authentication API.
  *
+ * <pre><code>
+ * Auth0 auth0 = new Auth0("your_client_id", "your_domain");
+ * AuthenticationAPIClient client = new AuthenticationAPIClient(auth0);
+ * </code></pre>
  * @see <a href="https://auth0.com/docs/auth-api">Auth API docs</a>
  */
 public class AuthenticationAPIClient {
@@ -72,7 +76,6 @@ public class AuthenticationAPIClient {
     private static final String RESOURCE_OWNER_PATH = "ro";
     private static final String TOKEN_INFO_PATH = "tokeninfo";
     private static final String OAUTH_CODE_KEY = "code";
-    private static final String OAUTH_CODE_VERIFIER_KEY = "code_verifier";
     private static final String REDIRECT_URI_KEY = "redirect_uri";
 
     private final Auth0 auth0;
@@ -680,6 +683,52 @@ public ProfileRequest getProfileAfter(AuthenticationRequest authenticationReques
         return new ProfileRequest(authenticationRequest, profileRequest);
     }
 
+    /**
+     * Fetch the token information from Auth0, using the authorization_code grant type
+     *
+     * For Public Client, e.g. Android apps ,you need to provide the code_verifier
+     * used to generate the challenge sent to Auth0 {@literal /authorize} method like:
+     *
+     * <pre>{@code
+     * AuthenticationAPIClient client = new AuthenticationAPIClient(new Auth0("clientId", "domain"));
+     * client
+     *     .token("code", "redirect_uri")
+     *     .setCodeVerifier("code_verifier")
+     *     .start(new Callback<Credentials> {...});
+     * }</pre>
+     *
+     * For the rest of clients, clients who can safely keep a {@literal client_secret}, you need to provide it instead like:
+     *
+     * <pre>{@code
+     * AuthenticationAPIClient client = new AuthenticationAPIClient(new Auth0("clientId", "domain"));
+     * client
+     *     .token("code", "redirect_uri")
+     *     .setClientSecret("client_secret")
+     *     .start(new Callback<Credentials> {...});
+     * }</pre>
+     *
+     * @param authorizationCode the authorization code received from the /authorize call.
+     * @param redirectUri       the uri sent to /authorize as the 'redirect_uri'.
+     * @return a request to obtain access_token by exchanging a authorization code.
+     */
+    @SuppressWarnings("WeakerAccess")
+    public TokenRequest token(String authorizationCode, String redirectUri) {
+        Map<String, Object> parameters = ParameterBuilder.newBuilder()
+                .setClientId(getClientId())
+                .setGrantType(GRANT_TYPE_AUTHORIZATION_CODE)
+                .set(OAUTH_CODE_KEY, authorizationCode)
+                .set(REDIRECT_URI_KEY, redirectUri)
+                .asDictionary();
+
+        HttpUrl url = HttpUrl.parse(auth0.getDomainUrl()).newBuilder()
+                .addPathSegment(OAUTH_PATH)
+                .addPathSegment(TOKEN_PATH)
+                .build();
+
+        ParameterizableRequest<Credentials> request = factory.POST(url, client, gson, Credentials.class).addParameters(parameters);
+        return new TokenRequest(request);
+    }
+
     private AuthenticationRequest loginWithResourceOwner(Map<String, Object> parameters) {
         HttpUrl url = HttpUrl.parse(auth0.getDomainUrl()).newBuilder()
                 .addPathSegment(OAUTH_PATH)
@@ -703,29 +752,4 @@ private ParameterizableRequest<UserProfile> profileRequest() {
         return factory.POST(url, client, gson, UserProfile.class);
     }
 
-    /**
-     * Fetch the token information from Auth0, using the authorization_code grant type
-     *
-     * @param authorizationCode the authorization code received from the /authorize call.
-     * @param codeVerifier      the code verifier used when requesting a code to /authorize.
-     * @param redirectUri       the uri to redirect after a successful request.
-     * @return a request to configure and start
-     */
-    public AuthenticationRequest token(String authorizationCode, String codeVerifier, String redirectUri) {
-        Map<String, Object> parameters = ParameterBuilder.newBuilder()
-                .setClientId(getClientId())
-                .setGrantType(GRANT_TYPE_AUTHORIZATION_CODE)
-                .set(OAUTH_CODE_KEY, authorizationCode)
-                .set(OAUTH_CODE_VERIFIER_KEY, codeVerifier)
-                .set(REDIRECT_URI_KEY, redirectUri)
-                .asDictionary();
-
-        HttpUrl url = HttpUrl.parse(auth0.getDomainUrl()).newBuilder()
-                .addPathSegment(OAUTH_PATH)
-                .addPathSegment(TOKEN_PATH)
-                .build();
-
-        return factory.authenticationPOST(url, client, gson)
-                .addAuthenticationParameters(parameters);
-    }
 }

auth0/src/main/java/com/auth0/authentication/TokenRequest.java

@@ -0,0 +1,55 @@
+package com.auth0.authentication;
+
+import com.auth0.Auth0Exception;
+import com.auth0.authentication.result.Credentials;
+import com.auth0.callback.BaseCallback;
+import com.auth0.request.ParameterizableRequest;
+import com.auth0.request.Request;
+
+/**
+ * Auth Request to obtain tokens using OAuth2 {@literal /oauth/token} method
+ */
+@SuppressWarnings("WeakerAccess")
+public class TokenRequest implements Request<Credentials> {
+
+    private static final String OAUTH_CODE_VERIFIER_KEY = "code_verifier";
+    private static final String OAUTH_CLIENT_SECRET_KEY = "client_secret";
+
+    private final ParameterizableRequest<Credentials> request;
+
+    TokenRequest(ParameterizableRequest<Credentials> request) {
+        this.request = request;
+    }
+
+    /**
+     * Adds the code verifier to the request (Public Clients)
+     * @param codeVerifier the code verifier used to generate the challenge sent to /authorize.
+     * @return itself
+     */
+    @SuppressWarnings("WeakerAccess")
+    public TokenRequest setCodeVerifier(String codeVerifier) {
+        this.request.addParameter(OAUTH_CODE_VERIFIER_KEY, codeVerifier);
+        return this;
+    }
+
+    /**
+     * Adds the client secret to the request (Private Clients)
+     * @param clientSecret the secret of the client used when making a request to /authorize
+     * @return iself
+     */
+    @SuppressWarnings("WeakerAccess")
+    public TokenRequest setClientSecret(String clientSecret) {
+        this.request.addParameter(OAUTH_CLIENT_SECRET_KEY, clientSecret);
+        return this;
+    }
+
+    @Override
+    public void start(BaseCallback<Credentials> callback) {
+        request.start(callback);
+    }
+
+    @Override
+    public Credentials execute() throws Auth0Exception {
+        return request.execute();
+    }
+}

auth0/src/main/java/com/auth0/authentication/UserProfileDeserializer.java

@@ -4,7 +4,6 @@
 import com.auth0.authentication.result.UserProfile;
 import com.google.gson.*;
 import com.google.gson.reflect.TypeToken;
-import com.sun.org.apache.xpath.internal.operations.Bool;
 
 import java.lang.reflect.Type;
 import java.util.Date;

auth0/src/test/java/com/auth0/authentication/AuthenticationAPIClientTest.java

@@ -31,6 +31,7 @@
 import com.auth0.authentication.result.DatabaseUser;
 import com.auth0.authentication.result.Delegation;
 import com.auth0.authentication.result.UserProfile;
+import com.auth0.request.ParameterizableRequest;
 import com.auth0.util.AuthenticationAPI;
 import com.auth0.util.MockBaseCallback;
 import com.google.gson.Gson;
@@ -1214,13 +1215,14 @@ public void shouldFetchProfileAfterLoginRequest() throws Exception {
     }
 
     @Test
-    public void shouldGetOAuthTokens() throws Exception {
+    public void shouldGetOAuthTokensUsingCodeVerifier() throws Exception {
         mockAPI
                 .willReturnTokens()
                 .willReturnTokenInfo();
 
         final MockBaseCallback<Credentials> callback = new MockBaseCallback<>();
-        client.token("code", "codeVerifier", "http://redirect.uri")
+        client.token("code", "http://redirect.uri")
+                .setCodeVerifier("codeVerifier")
                 .start(callback);
 
         final RecordedRequest request = mockAPI.takeRequest();
@@ -1236,6 +1238,30 @@ public void shouldGetOAuthTokens() throws Exception {
         assertThat(callback, hasPayloadOfType(Credentials.class));
     }
 
+    @Test
+    public void shouldGetOAuthTokensUsingClientSecret() throws Exception {
+        mockAPI
+                .willReturnTokens()
+                .willReturnTokenInfo();
+
+        final MockBaseCallback<Credentials> callback = new MockBaseCallback<>();
+        client.token("code", "http://redirect.uri")
+                .setClientSecret("clientSecret")
+                .start(callback);
+
+        final RecordedRequest request = mockAPI.takeRequest();
+        assertThat(request.getPath(), equalTo("/oauth/token"));
+
+        Map<String, String> body = bodyFromRequest(request);
+        assertThat(body, hasEntry("grant_type", ParameterBuilder.GRANT_TYPE_AUTHORIZATION_CODE));
+        assertThat(body, hasEntry("client_id", CLIENT_ID));
+        assertThat(body, hasEntry("code", "code"));
+        assertThat(body, hasEntry("client_secret", "clientSecret"));
+        assertThat(body, hasEntry("redirect_uri", "http://redirect.uri"));
+
+        assertThat(callback, hasPayloadOfType(Credentials.class));
+    }
+
     private Map<String, String> bodyFromRequest(RecordedRequest request) throws java.io.IOException {
         final Type mapType = new TypeToken<Map<String, String>>() {
         }.getType();

auth0/src/test/java/com/auth0/util/UserProfileMatcher.java

@@ -38,6 +38,6 @@ public void describeTo(Description description) {
     }
 
     public static Matcher<UserProfile> isNormalizedProfile(String id, String name, String nickname) {
-        return new UserProfileMatcher(equalTo(id), equalTo(name), equalTo(nickname), not(isEmptyOrNullString()));
+        return new UserProfileMatcher(equalTo(id), equalTo(name), equalTo(nickname), not(emptyOrNullString()));
     }
 }