Examples with InvalidTokenException com.forgerock.openbanking.jwt.exceptions.InvalidTokenException used on opensource projects

Example 6 with InvalidTokenException

use of com.forgerock.openbanking.jwt.exceptions.InvalidTokenException in project openbanking-aspsp by OpenBankingToolkit.

the class EventNotificationsApiEndpointWrapper method verifyAccessToken.

@Override
public void verifyAccessToken(List<String> expectedScopes, List<OIDCConstants.GrantType> expectedGrantTypes) throws OBErrorException {
    try {
        // Verify access token
        log.info("Verify the access token {}", authorization);
        accessToken = rsEndpointWrapperService.amResourceServerService.verifyAccessToken(authorization);
        List<String> scopes = (List<String>) accessToken.getJWTClaimsSet().getClaim(OBConstants.OIDCClaim.SCOPE);
        String grantTypeSerialised = accessToken.getJWTClaimsSet().getStringClaim(OBConstants.OIDCClaim.GRANT_TYPE);
        if (grantTypeSerialised == null) {
            log.error("We managed to get an access token that doesn't have a grant type claim defined: {}", authorization);
            throw new OBErrorException(SERVER_ERROR, "Access token grant type is undefined");
        }
        OIDCConstants.GrantType grantType = OIDCConstants.GrantType.fromType(grantTypeSerialised);
        if (!OIDCConstants.GrantType.REFRESH_TOKEN.equals(grantType) && !expectedGrantTypes.contains(grantType)) {
            log.debug("The access token grant type {} doesn't match one of the expected grant types {}", grantType, expectedGrantTypes);
            throw new OBErrorException(OBRIErrorType.ACCESS_TOKEN_INVALID_GRANT_TYPE, grantType, expectedGrantTypes);
        }
        if (scopes.stream().noneMatch(expectedScopes::contains)) {
            log.warn("The access token {} contains scopes: {} but needs at least one of the expected scopes: {}", authorization, scopes, expectedScopes);
            throw new OBErrorException(OBRIErrorType.ACCESS_TOKEN_INVALID_SCOPE, expectedScopes);
        }
    } catch (ParseException e) {
        log.warn("Couldn't parse the the access token {}. It's probably not stateless and therefore, not " + "an access token generated by our ASPSP-AS", authorization);
        throw new OBErrorException(OBRIErrorType.ACCESS_TOKEN_INVALID_FORMAT);
    } catch (InvalidTokenException e) {
        log.warn("Invalid access token {}", authorization);
        throw new OBErrorException(OBRIErrorType.ACCESS_TOKEN_INVALID, e.getMessage());
    } catch (IOException e) {
        log.error("IO exception", e);
        throw new OBErrorException(SERVER_ERROR, e.getMessage());
    }
}

Example 7 with InvalidTokenException

use of com.forgerock.openbanking.jwt.exceptions.InvalidTokenException in project openbanking-aspsp by OpenBankingToolkit.

the class TppRegistrationService method verifyTPPRegistrationRequestSignature.

/**
 * Verifies the registration request jwt against the jwks_uri and checks that the ssaSoftwareClient id matches
 * the software_client_id claim in the software statement provided in the registration request is the same as the
 * issuer of the registration request jwt.
 * @param registrationRequestJwsSerialised - the serialised registration request jwt as received in the request
 * @param ssaSoftwareClientId - the software_client_id claim from the software statement in the registration request
 * @param jwks_uri - the jwks_uri claim taken from the software statement in the registration request
 * @throws DynamicClientRegistrationException Thrown if the registration request can't be validated
 */
public void verifyTPPRegistrationRequestSignature(String registrationRequestJwsSerialised, String ssaSoftwareClientId, String jwks_uri) throws DynamicClientRegistrationException {
    String methodName = "verifyTPPRegistrationRequestSignature()";
    try {
        log.debug("{} validating registration request JWT issued by '{}' against jwks_uri; '{}'", methodName, ssaSoftwareClientId, jwks_uri);
        cryptoApiClient.validateJws(registrationRequestJwsSerialised, ssaSoftwareClientId, jwks_uri);
        log.info("{} Registration request JWT signature is valid, issuer & ssa's client Id is '{}', jwks_uri; '{}'", methodName, ssaSoftwareClientId, jwks_uri);
    } catch (InvalidTokenException | ParseException | IOException e) {
        String errorMessage = "Invalid TPP registration request JWT. Failed to verify signature of Registration " + "Request with SSA for software client Id of " + ssaSoftwareClientId + " against jwks_uri '" + jwks_uri + "'. Error; " + e.getMessage();
        log.info("{}; {}", methodName, errorMessage, e);
        throw new DynamicClientRegistrationException(errorMessage, DynamicClientRegistrationErrorType.INVALID_SOFTWARE_STATEMENT);
    }
}

Example 8 with InvalidTokenException

use of com.forgerock.openbanking.jwt.exceptions.InvalidTokenException in project openbanking-aspsp by OpenBankingToolkit.

the class AccessTokenService method validateAccessTokenWithAM.

public SignedJWT validateAccessTokenWithAM(String authorizationHeaderValue) throws OAuth2BearerTokenUsageInvalidTokenException {
    try {
        SignedJWT parsedAccessToken = amResourceServerService.verifyAccessToken(authorizationHeaderValue);
        log.debug("validateAccessTokenWithAM() returning '{}'", parsedAccessToken);
        return parsedAccessToken;
    } catch (ParseException e) {
        log.info("validateAccessTokenWithAM() failed to parse access token '{}'", authorizationHeaderValue, e);
        throw new OAuth2BearerTokenUsageInvalidTokenException("Failed to parse access token");
    } catch (InvalidTokenException e) {
        log.info("validateAccessTokenWithAM() token does not contain the expected audience", e);
        throw new OAuth2BearerTokenUsageInvalidTokenException(e.getMessage());
    } catch (IOException e) {
        log.info("validateAccessTokenWithAM() Failed to validate access token.", e);
        throw new OAuth2BearerTokenUsageInvalidTokenException("Failed to validate access token");
    }
}