public Response getToken()

in service/common/src/main/java/org/apache/polaris/service/auth/DefaultOAuth2ApiService.java [59:131]


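  /**
   * Serves an OAuth token request and returns either a token response or an OAuth error response.
   *
   * <p>Checks run in this order: the token broker must support {@code grantType}, it must support
   * {@code requestedTokenType}, and at least one of {@code authHeader} / {@code clientSecret} must
   * be present. A {@code clientSecret} passed as a request parameter takes precedence: the
   * {@code Authorization} header is parsed only when {@code clientSecret} is {@code null} and the
   * header starts with {@code "Basic "}. If no client secret is available after that step, the
   * subject token is used; if neither is available the request is rejected.
   *
   * @param authHeader raw {@code Authorization} header value; may be {@code null}
   * @param grantType grant type, checked against the token broker
   * @param scope requested scope, forwarded to the token broker unchanged
   * @param clientId client id from the request; replaced by the id from a parsed Basic header
   * @param clientSecret client secret from the request; may be {@code null}
   * @param requestedTokenType requested token type, checked against the token broker
   * @param subjectToken token used when no client secret is available; may be {@code null}
   * @param subjectTokenType type of {@code subjectToken}
   * @param actorToken not read by this method
   * @param actorTokenType not read by this method
   * @param realmContext not read by this method
   * @param securityContext not read by this method
   * @return a 200 response carrying the bearer token, or the response built by
   *     {@code OAuthUtils.getResponseFromError} for the first failed check
   */
  public Response getToken(
      String authHeader,
      String grantType,
      String scope,
      String clientId,
      String clientSecret,
      TokenType requestedTokenType,
      String subjectToken,
      TokenType subjectTokenType,
      String actorToken,
      TokenType actorTokenType,
      RealmContext realmContext,
      SecurityContext securityContext) {

    if (!tokenBroker.supportsGrantType(grantType)) {
      return OAuthUtils.getResponseFromError(OAuthTokenErrorResponse.Error.unsupported_grant_type);
    }
    if (!tokenBroker.supportsRequestedTokenType(requestedTokenType)) {
      return OAuthUtils.getResponseFromError(OAuthTokenErrorResponse.Error.invalid_request);
    }
    // No client authentication at all: neither a header nor a secret in the request.
    if (authHeader == null && clientSecret == null) {
      return OAuthUtils.getResponseFromError(OAuthTokenErrorResponse.Error.invalid_client);
    }
    // token exchange with client id and client secret in the authorization header means the client
    // has previously attempted to refresh an access token, but refreshing was not supported by the
    // token broker. Accept the client id and secret and treat it as a new token request
    //
    // NOTE(review): the scheme comparison is case-sensitive, so a header sent as "basic ..." is
    // not parsed here and the request falls through to the subject-token branch. HTTP auth schemes
    // are case-insensitive (RFC 7235); confirm whether that fall-through is intended.
    if (authHeader != null && clientSecret == null && authHeader.startsWith("Basic ")) {
      // Never log this value: it holds the client secret in clear text.
      String credentials = new String(Base64.decodeBase64(authHeader.substring(6)), UTF_8);
      // Split on the first ':' only, so a secret that itself contains ':' stays intact.
      int separator = credentials.indexOf(':');
      if (separator < 0) {
        LOGGER.debug("Don't know how to parse Basic auth header");
        return OAuthUtils.getResponseFromError(OAuthTokenErrorResponse.Error.invalid_request);
      }
      LOGGER.debug("Found credentials in auth header - treating as client_credentials");
      // NOTE(review): RFC 6749 section 2.3.1 has clients form-urlencode the id and secret before
      // Basic encoding; the values are used here as decoded from Base64 only. Confirm what the
      // token broker expects.
      // NOTE(review): an empty id or secret (header decoding to ":") is forwarded to the token
      // broker as-is; presumably rejected there - verify.
      clientId = credentials.substring(0, separator);
      clientSecret = credentials.substring(separator + 1);
    }
    TokenResponse tokenResponse;
    if (clientSecret != null) {
      tokenResponse =
          tokenBroker.generateFromClientSecrets(
              clientId,
              clientSecret,
              grantType,
              scope,
              callContext.getPolarisCallContext(),
              requestedTokenType);
    } else if (subjectToken != null) {
      tokenResponse =
          tokenBroker.generateFromToken(
              subjectTokenType, subjectToken, grantType, scope, requestedTokenType);
    } else {
      // A header was present but carried no usable Basic credentials, and no subject token.
      return OAuthUtils.getResponseFromError(OAuthTokenErrorResponse.Error.invalid_request);
    }
    // A null result from the token broker is reported as an unsupported grant type.
    if (tokenResponse == null) {
      return OAuthUtils.getResponseFromError(OAuthTokenErrorResponse.Error.unsupported_grant_type);
    }
    if (!tokenResponse.isValid()) {
      return OAuthUtils.getResponseFromError(tokenResponse.getError());
    }
    return Response.ok(
            OAuthTokenResponse.builder()
                .withToken(tokenResponse.getAccessToken())
                .withTokenType(BEARER)
                .withIssuedTokenType(tokenResponse.getTokenType())
                .setExpirationInSeconds(tokenResponse.getExpiresIn())
                .build())
        .build();
  }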