
Example 6 with InvalidTokenException

Use of com.forgerock.openbanking.jwt.exceptions.InvalidTokenException in the project openbanking-aspsp by OpenBankingToolkit.

From the class EventNotificationsApiEndpointWrapper, method verifyAccessToken:

```java
@Override
public void verifyAccessToken(List<String> expectedScopes, List<OIDCConstants.GrantType> expectedGrantTypes) throws OBErrorException {
    try {
        // Verify the access token with AM's resource server service.
        // Note: this logs the raw Authorization header value (the bearer token) at INFO level.
        log.info("Verify the access token {}", authorization);
        accessToken = rsEndpointWrapperService.amResourceServerService.verifyAccessToken(authorization);
        List<String> scopes = (List<String>) accessToken.getJWTClaimsSet().getClaim(OBConstants.OIDCClaim.SCOPE);
        String grantTypeSerialised = accessToken.getJWTClaimsSet().getStringClaim(OBConstants.OIDCClaim.GRANT_TYPE);
        if (grantTypeSerialised == null) {
            log.error("We managed to get an access token that doesn't have a grant type claim defined: {}", authorization);
            throw new OBErrorException(SERVER_ERROR, "Access token grant type is undefined");
        }
        OIDCConstants.GrantType grantType = OIDCConstants.GrantType.fromType(grantTypeSerialised);
        // A refresh_token grant is always accepted; any other grant type must be one of the expected ones.
        if (!OIDCConstants.GrantType.REFRESH_TOKEN.equals(grantType) && !expectedGrantTypes.contains(grantType)) {
            log.debug("The access token grant type {} doesn't match one of the expected grant types {}", grantType, expectedGrantTypes);
            throw new OBErrorException(OBRIErrorType.ACCESS_TOKEN_INVALID_GRANT_TYPE, grantType, expectedGrantTypes);
        }
        // At least one of the expected scopes must be present. A missing scope claim (null) is rejected
        // explicitly here rather than failing with a NullPointerException on the stream call.
        if (scopes == null || scopes.stream().noneMatch(expectedScopes::contains)) {
            log.warn("The access token {} contains scopes: {} but needs at least one of the expected scopes: {}", authorization, scopes, expectedScopes);
            throw new OBErrorException(OBRIErrorType.ACCESS_TOKEN_INVALID_SCOPE, expectedScopes);
        }
    } catch (ParseException e) {
        log.warn("Couldn't parse the access token {}. It's probably not stateless and therefore, not " + "an access token generated by our ASPSP-AS", authorization);
        throw new OBErrorException(OBRIErrorType.ACCESS_TOKEN_INVALID_FORMAT);
    } catch (InvalidTokenException e) {
        log.warn("Invalid access token {}", authorization);
        throw new OBErrorException(OBRIErrorType.ACCESS_TOKEN_INVALID, e.getMessage());
    } catch (IOException e) {
        log.error("IO exception", e);
        throw new OBErrorException(SERVER_ERROR, e.getMessage());
    }
}
```

Example 7 with InvalidTokenException

Use of com.forgerock.openbanking.jwt.exceptions.InvalidTokenException in the project openbanking-aspsp by OpenBankingToolkit.

From the class TppRegistrationService, method verifyTPPRegistrationRequestSignature:

```java
/**
 * Verifies the registration request JWT against the jwks_uri and checks that the ssaSoftwareClientId (the
 * software_client_id claim of the software statement provided in the registration request) is the same as the
 * issuer of the registration request JWT.
 * @param registrationRequestJwsSerialised - the serialised registration request JWT as received in the request
 * @param ssaSoftwareClientId - the software_client_id claim from the software statement in the registration request
 * @param jwks_uri - the jwks_uri claim taken from the software statement in the registration request
 * @throws DynamicClientRegistrationException Thrown if the registration request can't be validated
 */
public void verifyTPPRegistrationRequestSignature(String registrationRequestJwsSerialised, String ssaSoftwareClientId, String jwks_uri) throws DynamicClientRegistrationException {
    String methodName = "verifyTPPRegistrationRequestSignature()";
    try {
        log.debug("{} validating registration request JWT issued by '{}' against jwks_uri; '{}'", methodName, ssaSoftwareClientId, jwks_uri);
        // Signature check against the keys published at the SSA's jwks_uri, with the expected issuer
        cryptoApiClient.validateJws(registrationRequestJwsSerialised, ssaSoftwareClientId, jwks_uri);
        log.info("{} Registration request JWT signature is valid, issuer & ssa's client Id is '{}', jwks_uri; '{}'", methodName, ssaSoftwareClientId, jwks_uri);
    } catch (InvalidTokenException | ParseException | IOException e) {
        // Any failure (bad signature, unparseable JWT, or jwks_uri unreachable) is reported as an invalid software statement
        String errorMessage = "Invalid TPP registration request JWT. Failed to verify signature of Registration " + "Request with SSA for software client Id of " + ssaSoftwareClientId + " against jwks_uri '" + jwks_uri + "'. Error; " + e.getMessage();
        log.info("{}; {}", methodName, errorMessage, e);
        throw new DynamicClientRegistrationException(errorMessage, DynamicClientRegistrationErrorType.INVALID_SOFTWARE_STATEMENT);
    }
}
```

Example 8 with InvalidTokenException

Use of com.forgerock.openbanking.jwt.exceptions.InvalidTokenException in the project openbanking-aspsp by OpenBankingToolkit.

From the class AccessTokenService, method validateAccessTokenWithAM:

```java
public SignedJWT validateAccessTokenWithAM(String authorizationHeaderValue) throws OAuth2BearerTokenUsageInvalidTokenException {
    try {
        // Delegate verification of the bearer token to AM's resource server service
        SignedJWT parsedAccessToken = amResourceServerService.verifyAccessToken(authorizationHeaderValue);
        log.debug("validateAccessTokenWithAM() returning '{}'", parsedAccessToken);
        return parsedAccessToken;
    } catch (ParseException e) {
        // Note: this logs the raw Authorization header value (the bearer token)
        log.info("validateAccessTokenWithAM() failed to parse access token '{}'", authorizationHeaderValue, e);
        throw new OAuth2BearerTokenUsageInvalidTokenException("Failed to parse access token");
    } catch (InvalidTokenException e) {
        log.info("validateAccessTokenWithAM() token does not contain the expected audience", e);
        throw new OAuth2BearerTokenUsageInvalidTokenException(e.getMessage());
    } catch (IOException e) {
        log.info("validateAccessTokenWithAM() Failed to validate access token.", e);
        throw new OAuth2BearerTokenUsageInvalidTokenException("Failed to validate access token");
    }
}
```