Example 1 with Action

Use of com.authlete.common.dto.IntrospectionResponse.Action in the project java-oauth-server by authlete.

From the class ObbUtils, method validateAccessToken:

public static IntrospectionResponse validateAccessToken(String outgoingInteractionId, String code, AuthleteApi authleteApi, HttpServletRequest request, String... requiredScopes) {
    // Extract the access token from the Authorization header.
    String accessToken = extractAccessToken(request);
    // Extract the client certificate (used for certificate-bound access tokens).
    String clientCertificate = CertificateUtils.extract(request);
    // Extract the information required to validate any DPoP proof:
    // the proof itself, the HTTP method (htm) and the request URL (htu).
    String dpop = request.getHeader("DPoP");
    String htm = request.getMethod();
    // This assumes that Jetty sees the correct incoming URL. If running behind a reverse proxy, it is
    // important that the Jetty ForwardedRequestCustomizer is enabled and that the reverse proxy sets the
    // relevant headers so that Jetty can reconstruct the original URL - e.g. in Apache,
    // "RequestHeader set X-Forwarded-Proto https" is required. Otherwise the htu check of the DPoP proof fails.
    String htu = request.getRequestURL().toString();
    IntrospectionResponse response;
    try {
        // Call Authlete's /api/auth/introspection API.
        response = callIntrospection(authleteApi, accessToken, requiredScopes, dpop, htm, htu, clientCertificate);
    } catch (AuthleteApiException e) {
        // Failed to call Authlete's /api/auth/introspection API.
        e.printStackTrace();
        throw internalServerErrorException(outgoingInteractionId, code, e.getMessage());
    }
    // 'action' in the response denotes the next action which
    // this service implementation should take.
    Action action = response.getAction();
    // If the protected resource endpoint conforms to RFC 6750,
    // response.getResponseContent() can be used. However, the
    // protected resource endpoints of Open Banking Brasil behave
    // differently in error cases, so only the result message is used here.
    String detail = response.getResultMessage();
    // Dispatch according to the action.
    switch (action) {
        case INTERNAL_SERVER_ERROR:
            // 500 Internal Server Error
            throw internalServerErrorException(outgoingInteractionId, code, detail);
        case BAD_REQUEST:
            // 400 Bad Request
            throw badRequestException(outgoingInteractionId, code, detail);
        case UNAUTHORIZED:
            // 401 Unauthorized
            throw unauthorizedException(outgoingInteractionId, code, detail);
        case FORBIDDEN:
            // 403 Forbidden
            throw forbiddenException(outgoingInteractionId, code, detail);
        case OK:
            // The token is valid and carries the required scopes; return the access token information.
            return response;
        default:
            // Unknown action. This never happens.
            throw unknownAction(outgoingInteractionId, code, action);
    }
}
Also used: Action (com.authlete.common.dto.IntrospectionResponse.Action), IntrospectionResponse (com.authlete.common.dto.IntrospectionResponse), AuthleteApiException (com.authlete.common.api.AuthleteApiException)