Use of com.forgerock.openbanking.jwt.exceptions.InvalidTokenException in project openbanking-aspsp by OpenBankingToolkit:
class EventNotificationsApiEndpointWrapper, method verifyAccessToken.
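/**
 * Verifies the bearer token held in {@code authorization} with AM and then checks that its grant type
 * and scopes are acceptable for this endpoint. The verified token is stored in {@code accessToken}.
 *
 * @param expectedScopes     scopes of which the token must carry at least one
 * @param expectedGrantTypes grant types the endpoint accepts; a refresh_token grant is always accepted
 * @throws OBErrorException ACCESS_TOKEN_INVALID_FORMAT if the token or a claim cannot be parsed,
 *         ACCESS_TOKEN_INVALID if AM rejects it, ACCESS_TOKEN_INVALID_GRANT_TYPE / ACCESS_TOKEN_INVALID_SCOPE
 *         if the claims do not match, SERVER_ERROR on a missing grant_type claim or an I/O failure
 */
@Override
public void verifyAccessToken(List<String> expectedScopes, List<OIDCConstants.GrantType> expectedGrantTypes) throws OBErrorException {
    try {
        // Delegate token verification to AM's resource server service. The raw bearer token is a
        // credential and is deliberately kept out of the logs; the claims this method acts on
        // (grant type, scopes) are logged instead.
        log.info("Verify the access token");
        accessToken = rsEndpointWrapperService.amResourceServerService.verifyAccessToken(authorization);

        // getStringListClaim() turns a scope claim of the wrong JSON type into a ParseException
        // (mapped below to ACCESS_TOKEN_INVALID_FORMAT) instead of letting an unchecked
        // ClassCastException escape this method; an absent claim comes back as null.
        List<String> scopes = accessToken.getJWTClaimsSet().getStringListClaim(OBConstants.OIDCClaim.SCOPE);
        String grantTypeSerialised = accessToken.getJWTClaimsSet().getStringClaim(OBConstants.OIDCClaim.GRANT_TYPE);
        if (grantTypeSerialised == null) {
            log.error("We managed to get an access token that doesn't have a grant type claim defined");
            throw new OBErrorException(SERVER_ERROR, "Access token grant type is undefined");
        }

        // NOTE(review): what fromType() does with an unrecognised grant type (null vs exception) is
        // not visible here; a null would reach expectedGrantTypes.contains(null) below - confirm.
        OIDCConstants.GrantType grantType = OIDCConstants.GrantType.fromType(grantTypeSerialised);
        // A token minted through a refresh_token grant is accepted whatever expectedGrantTypes holds;
        // every other grant type must be one the endpoint explicitly allows.
        if (!OIDCConstants.GrantType.REFRESH_TOKEN.equals(grantType) && !expectedGrantTypes.contains(grantType)) {
            log.debug("The access token grant type {} doesn't match one of the expected grant types {}", grantType, expectedGrantTypes);
            throw new OBErrorException(OBRIErrorType.ACCESS_TOKEN_INVALID_GRANT_TYPE, grantType, expectedGrantTypes);
        }

        // At least one of the token's scopes must be in expectedScopes. A token with no scope claim
        // at all is treated as having no scopes, so it fails this check instead of throwing an NPE.
        if (scopes == null || scopes.stream().noneMatch(expectedScopes::contains)) {
            log.warn("The access token contains scopes: {} but needs at least one of the expected scopes: {}", scopes, expectedScopes);
            throw new OBErrorException(OBRIErrorType.ACCESS_TOKEN_INVALID_SCOPE, expectedScopes);
        }
    } catch (ParseException e) {
        log.warn("Couldn't parse the access token. It's probably not stateless and therefore, not an access token generated by our ASPSP-AS");
        throw new OBErrorException(OBRIErrorType.ACCESS_TOKEN_INVALID_FORMAT);
    } catch (InvalidTokenException e) {
        // Log the reason AM gave, not the token.
        log.warn("Invalid access token: {}", e.getMessage());
        throw new OBErrorException(OBRIErrorType.ACCESS_TOKEN_INVALID, e.getMessage());
    } catch (IOException e) {
        log.error("IO exception", e);
        throw new OBErrorException(SERVER_ERROR, e.getMessage());
    }
}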
Use of com.forgerock.openbanking.jwt.exceptions.InvalidTokenException in project openbanking-aspsp by OpenBankingToolkit:
class TppRegistrationService, method verifyTPPRegistrationRequestSignature.
/**
 * Validates the serialised registration request JWT: its signature is checked against the TPP's
 * {@code jwks_uri}, and its issuer must equal the {@code software_client_id} taken from the software
 * statement. Both checks are delegated to {@code cryptoApiClient.validateJws}.
 * <p>
 * NOTE(review): {@code jwks_uri} comes from the software statement, so this method relies on the SSA
 * itself having been verified before it is called - confirm at the call site.
 *
 * @param registrationRequestJwsSerialised the registration request JWT exactly as received
 * @param ssaSoftwareClientId the software_client_id claim of the software statement
 * @param jwks_uri the jwks_uri claim of the software statement
 * @throws DynamicClientRegistrationException if the JWT cannot be parsed, its signature does not verify,
 *         or the keys cannot be fetched; reported as INVALID_SOFTWARE_STATEMENT
 */
public void verifyTPPRegistrationRequestSignature(String registrationRequestJwsSerialised, String ssaSoftwareClientId, String jwks_uri) throws DynamicClientRegistrationException {
    final String methodName = "verifyTPPRegistrationRequestSignature()";
    log.debug("{} validating registration request JWT issued by '{}' against jwks_uri; '{}'", methodName, ssaSoftwareClientId, jwks_uri);
    try {
        cryptoApiClient.validateJws(registrationRequestJwsSerialised, ssaSoftwareClientId, jwks_uri);
    } catch (InvalidTokenException | ParseException | IOException e) {
        // The cause's message is embedded in the exception message and the stack trace is logged.
        String errorMessage = String.format(
                "Invalid TPP registration request JWT. Failed to verify signature of Registration Request with SSA for software client Id of %s against jwks_uri '%s'. Error; %s",
                ssaSoftwareClientId, jwks_uri, e.getMessage());
        log.info("{}; {}", methodName, errorMessage, e);
        throw new DynamicClientRegistrationException(errorMessage, DynamicClientRegistrationErrorType.INVALID_SOFTWARE_STATEMENT);
    }
    log.info("{} Registration request JWT signature is valid, issuer & ssa's client Id is '{}', jwks_uri; '{}'", methodName, ssaSoftwareClientId, jwks_uri);
}
Use of com.forgerock.openbanking.jwt.exceptions.InvalidTokenException in project openbanking-aspsp by OpenBankingToolkit:
class AccessTokenService, method validateAccessTokenWithAM.
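/**
 * Asks AM to verify the bearer token carried in the Authorization header and returns it parsed.
 *
 * @param authorizationHeaderValue the raw Authorization header value handed to AM for verification
 * @return the verified token as a {@link SignedJWT}
 * @throws OAuth2BearerTokenUsageInvalidTokenException if AM cannot parse or verify the token, or
 *         verification fails with an I/O error
 */
public SignedJWT validateAccessTokenWithAM(String authorizationHeaderValue) throws OAuth2BearerTokenUsageInvalidTokenException {
    try {
        SignedJWT parsedAccessToken = amResourceServerService.verifyAccessToken(authorizationHeaderValue);
        // NOTE(review): whether SignedJWT#toString() serialises the token (and so writes the bearer
        // credential to the debug log) depends on the JOSE library - confirm before enabling debug.
        log.debug("validateAccessTokenWithAM() returning '{}'", parsedAccessToken);
        return parsedAccessToken;
    } catch (ParseException e) {
        // The header value is a bearer credential: log the failure and its cause, not the token itself.
        log.info("validateAccessTokenWithAM() failed to parse access token", e);
        throw new OAuth2BearerTokenUsageInvalidTokenException("Failed to parse access token");
    } catch (InvalidTokenException e) {
        // NOTE(review): the message assumes InvalidTokenException is only raised for an audience
        // mismatch; amResourceServerService is not visible here, so treat it as any verification failure.
        log.info("validateAccessTokenWithAM() token does not contain the expected audience", e);
        throw new OAuth2BearerTokenUsageInvalidTokenException(e.getMessage());
    } catch (IOException e) {
        log.info("validateAccessTokenWithAM() Failed to validate access token.", e);
        throw new OAuth2BearerTokenUsageInvalidTokenException("Failed to validate access token");
    }
}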