Source code

001/**
002 * Copyright 2014 Tampere University of Technology, Pori Department
003 * 
004 * Licensed under the Apache License, Version 2.0 (the "License");
005 * you may not use this file except in compliance with the License.
006 * You may obtain a copy of the License at
007 * 
008 *   http://www.apache.org/licenses/LICENSE-2.0
009 * 
010 * Unless required by applicable law or agreed to in writing, software
011 * distributed under the License is distributed on an "AS IS" BASIS,
012 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
013 * See the License for the specific language governing permissions and
014 * limitations under the License.
015 */
016package service.tut.pori.users.google;
017
018import core.tut.pori.http.Response;
019import core.tut.pori.http.Response.Status;
020import core.tut.pori.http.annotations.HTTPAuthenticationParameter;
021import core.tut.pori.http.annotations.HTTPMethodParameter;
022import core.tut.pori.http.annotations.HTTPService;
023import core.tut.pori.http.annotations.HTTPServiceMethod;
024import core.tut.pori.http.parameters.AuthenticationParameter;
025import core.tut.pori.http.parameters.StringParameter;
026import core.tut.pori.users.UserIdentity;
027
028/**
029 * Google User Service method definitions.
030 * 
031 * This class defines the APIs for registering a new account with the system and authentication using Google credentials, or more precisely, using the Google OAuth 2.0 authentication. The methods also describe the means for granting the system authorization for accessing content of the Google account.
032 * 
033 * Creating an account or authenticating with Google credentials does not automatically grant the system persistent permissions for accessing the account contents.
034 * 
035 * Note that the Google User Service does not contain a method for removing an existing user account. An existing account can be removed using the User Service 
036 */
037@HTTPService(name=Definitions.SERVICE_USERS_GOOGLE) 
038public class GoogleUserService {
039  
040  /**
041   * This method is called by Google after user has either denied or granted the service permission to his/her Google account, and is not meant to be used directly by the end-users. The method implements the OAuth2 authorization process as defined by Google.
042   * 
043   * @param authorizationCode OAuth2 authorization code generated by Google.
044   * @param errorCode Optional error message as reported by Google.
045   * @param nonce Short-lived nonce value randomly generated by the authorization process.
046   * @return response
047   */
048  @HTTPServiceMethod(name=Definitions.METHOD_OAUTH2_CALLBACK)
049  public Response oAuth2Callback(
050      @HTTPMethodParameter(name=Definitions.PARAMETER_OAUTH2_AUTHORIZATION_CODE, required=false) StringParameter authorizationCode,
051      @HTTPMethodParameter(name=Definitions.PARAMETER_OAUTH2_ERROR_CODE, required=false) StringParameter errorCode,
052      @HTTPMethodParameter(name=Definitions.PARAMETER_OAUTH2_STATE) StringParameter nonce
053      )
054  {
055    return GoogleUserCore.processOAuth2Callback(authorizationCode.getValue(), errorCode.getValue(), nonce.getValue());
056  }
057  
058  /**
059   * This method allows a user to revoke the previously given authorization permissions. Note that calling this method does not prevent user from authenticating (logging in) using the credentials, nor will it remove the user account from the system, but calling this method will prevent the system from accessing the user's content stored in the Google account. 
060   * 
061   * In practice this means, that no synchronization can be performed for the account until authorization is restored. <i>All</i> previously synchronized content will be removed from the system.
062   * 
063   * @param authenticatedUser
064   * @return response
065   */
066  @HTTPServiceMethod(name=Definitions.METHOD_UNAUTHORIZE)
067  public Response unauthorize(
068      @HTTPAuthenticationParameter AuthenticationParameter authenticatedUser)
069  {
070    return GoogleUserCore.removeAuthorization(authenticatedUser.getUserIdentity());
071  }
072  
073  /**
074   * This method can be used to authenticate the user using Google credentials. The external account connection must be created either by registering the user as a new user using Google credentials or by authorizing the use of the Google account before the login functionality can be used.
075   * 
076   * The passed access token is used to validate the user identity. The token scope should contain at least <i>profile</i>. Additional Google OAuth2 scopes can be present, but are not required.
077   * 
078   * @param authenticatedUser
079   * @param accessToken OAuth2 access token as provided by Google.
080   * @return response
081   */
082  @HTTPServiceMethod(name=Definitions.METHOD_LOGIN)
083  public Response login(
084      @HTTPAuthenticationParameter(required=false) AuthenticationParameter authenticatedUser,
085      @HTTPMethodParameter(name=Definitions.PARAMETER_OAUTH2_ACCESS_TOKEN) StringParameter accessToken
086      )
087  {
088    if(UserIdentity.isValid(authenticatedUser.getUserIdentity())){
089      return new Response(Status.BAD_REQUEST, "Already logged in. Please logout first.");
090    }
091    return GoogleUserCore.login(authenticatedUser.getSession(), accessToken.getValue());
092  }
093  
094  /**
095   * This method can be used to register a new user using a Google account. The passed access token is used to retrieve the required registration details from the account. The token scope should contain at least profile, additional Google OAuth2 scopes can be present, but are not required.
096   * 
097   * The Google account is assumed to be personal, and an attempt to use the same account to create multiple accounts will result in an error.
098   * 
099   * @param accessToken OAuth2 access token as provided by Google.
100   * @return response
101   */
102  @HTTPServiceMethod(name=service.tut.pori.users.Definitions.METHOD_REGISTER)
103  public Response register(@HTTPMethodParameter(name=Definitions.PARAMETER_OAUTH2_ACCESS_TOKEN) StringParameter accessToken)
104  {
105    return GoogleUserCore.register(accessToken.getValue());
106  }
107  
108  /**
109   * This method can be used to grant the service access to the authenticated user's Google account. This method will redirect to Google's consent page asking user's permission to access the account. The default configuration will ask permissions for <i>https://picasaweb.google.com/data/</i> and <i>profile</i> Google OAuth2 scopes, though the actual scopes required will depend on the services to be used.
110   * 
111   * The authorization process will use the default OAuth2 authentication flow as implemented by Google, firstly redirecting the user to the consent page, which in turn will redirect the user back to the OAuth2 callback method. The callback method will show status message notifying the result of the authorization.
112   * 
113   * The method assumes that Google accounts are personal and an attempt to authorize the same Google account for multiple users will result in error.
114   * 
115   * @param authenticatedUser
116   * @return response
117   */
118  @HTTPServiceMethod(name=Definitions.METHOD_OAUTH2_AUTHORIZATION_REDIRECT)
119  public Response authorize(@HTTPAuthenticationParameter AuthenticationParameter authenticatedUser){
120    return GoogleUserCore.createAuthorizationRedirection(authenticatedUser.getUserIdentity());
121  }
122}