use preexisiting scope by default but prevent overriding of builder scope and update unit tests

Konstantin Schaper
2020-11-04 09:38:29 +01:00
parent 36b6b221a4
commit b5f042ad15
2 changed files with 14 additions and 6 deletions


@@ -40,9 +40,7 @@ import java.time.Clock;
import java.time.Instant;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
/**
@@ -71,7 +69,6 @@ public final class JwtAccessTokenBuilder implements AccessTokenBuilder {
private Instant refreshExpiration;
private String parentKeyId;
private Scope scope = Scope.empty();
private Set<String> groups = new HashSet<>();
private final Map<String,Object> custom = Maps.newHashMap();
@@ -155,8 +152,13 @@ public final class JwtAccessTokenBuilder implements AccessTokenBuilder {
@Override
public JwtAccessToken build() {
if (SecurityUtils.getSubject().getPrincipals().getRealmNames().contains(ApiKeyRealm.NAME)) {
scope = Scope.valueOf(SecurityUtils.getSubject().getPrincipals().oneByType(Scope.class));
final Scope principalScope = SecurityUtils.getSubject().getPrincipals().oneByType(Scope.class);
if (principalScope != null) {
if (scope != null && !scope.isEmpty()) {
throw new AuthorizationException(String.format("cannot merge builder scope (%s) with principal scope (%s)", scope, principalScope));
}
LOG.debug("using existing scope for new access token: {}", principalScope);
scope = principalScope;
}
String id = keyGenerator.createKey();
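Review bot: The new guard only runs when `principalScope` is non-null, so an API-key subject that carries no Scope principal silently falls through to whatever scope the caller set on the builder — the one path in this branch where the builder can still decide the token's scope for an API-key-authenticated request. If ApiKeyRealm always attaches a Scope principal, say so next to the null check, e.g. `// ApiKeyRealm always supplies a Scope principal; null here means the realm misbehaved — TODO confirm`; if it does not, that case should be rejected like the merge case rather than defaulting to the builder scope. Note also that the guard refuses even a builder scope equal to the principal scope, which is the strictest reading of "cannot merge" and is fine if intended, but worth a short comment so nobody relaxes it to `equals` later without thinking. build() continues past the end of this hunk.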