Example 6 with AccessTokenResponse

Use of com.forgerock.openbanking.model.oidc.AccessTokenResponse in project openbanking-aspsp by OpenBankingToolkit.

From class AccessTokenApiController, method getAccessToken.

@Override
@PreAuthorize("hasAnyAuthority('ROLE_PISP', 'ROLE_AISP', 'ROLE_CBPII')")
public ResponseEntity getAccessToken(MultiValueMap<String, String> paramMap, String authorization, Principal principal, HttpServletRequest request) throws OBErrorResponseException, OBErrorException {
    log.debug("getAccessToken(), paramMap {}", paramMap);
    // Check that the MATLS transport identity (principal) matches the client identified in the
    // token request body / Authorization header, and learn which client auth method it uses.
    PairClientIDAuthMethod clientIDAuthMethod = matlsRequestVerificationService.verifyMATLSMatchesRequest(paramMap, authorization, principal);
    AMGateway amGateway = this.amGateway;
    // The token endpoint can also be used as audience, as per OIDC spec
    if (clientIDAuthMethod.getAuthMethod() == PRIVATE_KEY_JWT) {
        // private_key_jwt clients must present a client_assertion; reject the request if it is absent.
        String clientAssertion = paramMap.getFirst(CLIENT_ASSERTION);
        if (clientAssertion == null || clientAssertion.isBlank()) {
            log.debug("getAccessToken() clientAssertion was null or blank");
            throw new OBErrorResponseException(OBRIErrorType.ACCESS_TOKEN_INVALID.getHttpStatus(), OBRIErrorResponseCategory.ACCESS_TOKEN, OBRIErrorType.ACCESS_TOKEN_INVALID.toOBError1("No client_assertion in body"));
        }
        // Choose the AM gateway based on the client assertion.
        amGateway = amGatewayService.getAmGateway(clientAssertion);
    }
    // can throw a UnsupportedOIDCGrantTypeException
    GrantType grantType = GrantType.fromType(paramMap.getFirst(OIDCConstants.OIDCClaim.GRANT_TYPE));
    ResponseEntity<AccessTokenResponse> responseEntity = getAccessToken(paramMap, request, clientIDAuthMethod, amGateway, grantType);
    try {
        // Rewrite (re-sign) the id_token in the response returned by AM.
        responseEntity = jwtOverridingService.rewriteAccessTokenResponseIdToken(responseEntity);
    } catch (AccessTokenReWriteException e) {
        // Internal failure: log the cause server-side and hand the client only a support reference id.
        log.debug("Failed to rewrite the access token response's id_token.", e);
        String supportUID = UUID.randomUUID().toString();
        throw new OBErrorResponseException(OBRIErrorType.ACCESS_TOKEN_INVALID_ID_TOKEN.getHttpStatus(), OBRIErrorResponseCategory.ACCESS_TOKEN, OBRIErrorType.ACCESS_TOKEN_INVALID_ID_TOKEN.toOBError1(supportUID));
    }
    return responseEntity;
}
Also used : AMGateway(com.forgerock.openbanking.am.gateway.AMGateway) OBErrorResponseException(com.forgerock.openbanking.exceptions.OBErrorResponseException) AccessTokenReWriteException(com.forgerock.openbanking.common.error.exception.AccessTokenReWriteException) GrantType(com.forgerock.openbanking.constants.OIDCConstants.GrantType) AccessTokenResponse(com.forgerock.openbanking.model.oidc.AccessTokenResponse) PairClientIDAuthMethod(com.forgerock.openbanking.aspsp.as.service.PairClientIDAuthMethod) PreAuthorize(org.springframework.security.access.prepost.PreAuthorize)

Example 7 with AccessTokenResponse

Use of com.forgerock.openbanking.model.oidc.AccessTokenResponse in project openbanking-aspsp by OpenBankingToolkit.

From class HeadLessAccessTokenServiceTest, method failWhenNoAuthorisation_getAccessToken.

@Test
public void failWhenNoAuthorisation_getAccessToken() throws OBErrorResponseException, OBErrorException {
    // Given
    PairClientIDAuthMethod clientIdAuthMethod = getClientIDAuthMethod(TokenEndpointAuthMethods.CLIENT_SECRET_BASIC);
    MultiValueMap<String, String> params = getParamsMap(GrantType.HEADLESS_AUTH);
    HttpHeaders httpHeaders = new HttpHeaders();
    AccessTokenResponse accessTokenResponse = new AccessTokenResponse();
    // The stubbed authorisation endpoint rejects the request with a 400 and an error body.
    ResponseEntity<String> responseEntity = new ResponseEntity<>("{\"error\":\"broken stuff\"}", httpHeaders, HttpStatus.BAD_REQUEST);
    given(authorisationApi.getAuthorisation(params.getFirst(OIDCClaim.RESPONSE_TYPE), params.getFirst(OIDCClaim.CLIENT_ID), params.getFirst(OIDCClaim.STATE), params.getFirst(OIDCClaim.NONCE), params.getFirst(OIDCClaim.SCOPE), params.getFirst(OIDCClaim.REDIRECT_URI), params.getFirst(OIDCClaim.REQUEST), true, params.getFirst(OIDCClaim.USERNAME), params.getFirst(OIDCClaim.PASSWORD), "", null, request)).willReturn(responseEntity);
    // When
    OBErrorResponseException exception = catchThrowableOfType(() -> headlessAccessTokenService.getAccessToken(amGateway, clientIdAuthMethod, params, request), OBErrorResponseException.class);
    // Then: the failure surfaces as a HEADLESS_AUTH error rather than a token being issued.
    assertThat(exception).isNotNull();
    assertThat(exception.getCategory()).isEqualTo(OBRIErrorResponseCategory.HEADLESS_AUTH);
    assertThat(exception.getErrors().get(0).getErrorCode()).isEqualTo(ErrorCode.OBRI_HEADLESS_AS_ERROR.toString());
}
Also used : HttpHeaders(org.springframework.http.HttpHeaders) ResponseEntity(org.springframework.http.ResponseEntity) OBErrorResponseException(com.forgerock.openbanking.exceptions.OBErrorResponseException) AccessTokenResponse(com.forgerock.openbanking.model.oidc.AccessTokenResponse) PairClientIDAuthMethod(com.forgerock.openbanking.aspsp.as.service.PairClientIDAuthMethod) Test(org.junit.Test)

Example 8 with AccessTokenResponse

Use of com.forgerock.openbanking.model.oidc.AccessTokenResponse in project openbanking-aspsp by OpenBankingToolkit.

From class HeadLessAccessTokenServiceTest, method success_getAccessToken.

@Test
public void success_getAccessToken() throws OBErrorResponseException, OBErrorException, URISyntaxException {
    // Given
    PairClientIDAuthMethod clientIdAuthMethod = getClientIDAuthMethod(TokenEndpointAuthMethods.CLIENT_SECRET_BASIC);
    MultiValueMap<String, String> params = getParamsMap(GrantType.HEADLESS_AUTH);
    HttpHeaders httpHeaders = new HttpHeaders();
    // The stubbed authorisation endpoint redirects with the authorization code in the URI fragment.
    httpHeaders.setLocation(new URI("http://acme.com/#code=access_code"));
    AccessTokenResponse accessTokenResponse = new AccessTokenResponse();
    ResponseEntity<AccessTokenResponse> responseEntity = new ResponseEntity<>(accessTokenResponse, httpHeaders, HttpStatus.OK);
    given(authorisationApi.getAuthorisation(params.getFirst(OIDCClaim.RESPONSE_TYPE), params.getFirst(OIDCClaim.CLIENT_ID), params.getFirst(OIDCClaim.STATE), params.getFirst(OIDCClaim.NONCE), params.getFirst(OIDCClaim.SCOPE), params.getFirst(OIDCClaim.REDIRECT_URI), params.getFirst(OIDCClaim.REQUEST), true, params.getFirst(OIDCClaim.USERNAME), params.getFirst(OIDCClaim.PASSWORD), "", null, request)).willReturn(responseEntity);
    // The service is expected to exchange that code at AM with an authorization_code grant.
    String requestBody = "grant_type=authorization_code&redirect_uri=https%3A%2F%2Facme.co.uk&code=access_code";
    given(amGateway.toAM(request, new HttpHeaders(), this.typeReference, requestBody)).willReturn(responseEntity);
    // When
    ResponseEntity<AccessTokenResponse> response = headlessAccessTokenService.getAccessToken(amGateway, clientIdAuthMethod, params, request);
    // Then
    assertThat(response).isNotNull();
    assertThat(response.getStatusCode()).isEqualTo(HttpStatus.OK);
}
Also used : HttpHeaders(org.springframework.http.HttpHeaders) ResponseEntity(org.springframework.http.ResponseEntity) URI(java.net.URI) AccessTokenResponse(com.forgerock.openbanking.model.oidc.AccessTokenResponse) PairClientIDAuthMethod(com.forgerock.openbanking.aspsp.as.service.PairClientIDAuthMethod) Test(org.junit.Test)

Example 9 with AccessTokenResponse

Use of com.forgerock.openbanking.model.oidc.AccessTokenResponse in project openbanking-aspsp by OpenBankingToolkit.

From class HeadLessAccessTokenServiceTest, method failWhenNoLocationHeader_getAccessToken.

@Test
public void failWhenNoLocationHeader_getAccessToken() throws OBErrorResponseException, OBErrorException {
    // Given
    PairClientIDAuthMethod clientIdAuthMethod = getClientIDAuthMethod(TokenEndpointAuthMethods.CLIENT_SECRET_BASIC);
    MultiValueMap<String, String> params = getParamsMap(GrantType.HEADLESS_AUTH);
    HttpHeaders httpHeaders = new HttpHeaders();
    // The Location header is deliberately left unset, so no authorization code can be extracted.
    // httpHeaders.setLocation(new URI("http://acme.com/#code=access_code"));
    AccessTokenResponse accessTokenResponse = new AccessTokenResponse();
    ResponseEntity<AccessTokenResponse> responseEntity = new ResponseEntity<>(accessTokenResponse, httpHeaders, HttpStatus.OK);
    given(authorisationApi.getAuthorisation(params.getFirst(OIDCClaim.RESPONSE_TYPE), params.getFirst(OIDCClaim.CLIENT_ID), params.getFirst(OIDCClaim.STATE), params.getFirst(OIDCClaim.NONCE), params.getFirst(OIDCClaim.SCOPE), params.getFirst(OIDCClaim.REDIRECT_URI), params.getFirst(OIDCClaim.REQUEST), true, params.getFirst(OIDCClaim.USERNAME), params.getFirst(OIDCClaim.PASSWORD), "", null, request)).willReturn(responseEntity);
    // When
    OBErrorResponseException exception = catchThrowableOfType(() -> headlessAccessTokenService.getAccessToken(amGateway, clientIdAuthMethod, params, request), OBErrorResponseException.class);
    // Then: a 200 without a Location header is still treated as a HEADLESS_AUTH failure.
    assertThat(exception).isNotNull();
    assertThat(exception.getCategory()).isEqualTo(OBRIErrorResponseCategory.HEADLESS_AUTH);
}
Also used : HttpHeaders(org.springframework.http.HttpHeaders) ResponseEntity(org.springframework.http.ResponseEntity) OBErrorResponseException(com.forgerock.openbanking.exceptions.OBErrorResponseException) AccessTokenResponse(com.forgerock.openbanking.model.oidc.AccessTokenResponse) PairClientIDAuthMethod(com.forgerock.openbanking.aspsp.as.service.PairClientIDAuthMethod) Test(org.junit.Test)

Example 10 with AccessTokenResponse

Use of com.forgerock.openbanking.model.oidc.AccessTokenResponse in project openbanking-aspsp by OpenBankingToolkit.

From class JwtOverridingServiceTest, method shouldRewriteAccessTokenResponseIdToken.

@Test
public void shouldRewriteAccessTokenResponseIdToken() throws AccessTokenReWriteException {
    // Given
    this.amOpenBankingConfiguration.issuerId = "acme bank Ltd";
    HttpHeaders httpHeaders = new HttpHeaders();
    httpHeaders.add("Location", "https://location");
    AccessTokenResponse accessTokenResponse = new AccessTokenResponse();
    // A sample PS256-signed id_token as AM would return it; the service is expected to re-sign it.
    accessTokenResponse.setId_token("eyJraWQiOiIzYmEwYjRjMGRjOGNiOTg3YTE5ZjNiNDgwZDFiODlmMWNiODA4MDI5IiwiYWxnIjoi" + "UFMyNTYifQ.eyJzdWIiOiJmMjU5MDlmZC01MzEwLTRiNjgtYTI5Yy0zM2QyYjE1OWMzNzUiLCJhdWQiOiJodHRwczpcL1wvYXMuY" + "XNwc3AuZGV2LW9iLmZvcmdlcm9jay5maW5hbmNpYWw6ODA3NFwvb2F1dGgyIiwiaXNzIjoiZjI1OTA5ZmQtNTMxMC00YjY4LWEyO" + "WMtMzNkMmIxNTljMzc1IiwiZXhwIjoxNjIxNDEwODU1LCJpYXQiOjE2MjE0MTA1NTUsImp0aSI6IjgzMDEwYzU4LTczNDYtNGJjM" + "S05OTVhLTg4NDI4NTRhMGEzOSJ9.PTnkBmKeWhT1kLlOkVJGrBKJHBksY16ynzP1KvHzwcYFMm6ixNd4iDc2aosSI7vH9ufamnR0" + "O9UoZzi3uWflWq9B2ah8m8rNNWYr-Y3B4Ev_nrKDDgozWZ_u0PY5Tzau0TVcVYyRkNTIXoVk-hYVLjuxZiMPQm7Ceid-KemK6Y04" + "UAiwGZou4KIKWXjGySOBlJEZO42LTZk0UKAC8AeXlQCo_QSzOchrD8wmJOeCH59VooZku5eubviKZ1UKo0hkDxLg13IjER-dansJ" + "tHqCcDCVV9n04Rvvs88yvvCWTcRsdEpUUg-e-sGVUR2ER9UyQMyY012_fA-R7W8H4jv_iQ");
    ResponseEntity responseEntity = new ResponseEntity(accessTokenResponse, httpHeaders, HttpStatus.OK);
    // The signing client is mocked so the test checks the rewrite wiring, not the signature itself.
    when(this.cryptoApiClient.signClaims(anyString(), any(JWTClaimsSet.class), anyBoolean())).thenReturn("RewrittenIdToken");
    // When
    ResponseEntity<AccessTokenResponse> rewrittenResponseEntity = this.jwtOverridingService.rewriteAccessTokenResponseIdToken(responseEntity);
    // Then
    assertThat(rewrittenResponseEntity.getBody().getId_token()).isEqualTo("RewrittenIdToken");
}
Also used : HttpHeaders(org.springframework.http.HttpHeaders) ResponseEntity(org.springframework.http.ResponseEntity) JWTClaimsSet(com.nimbusds.jwt.JWTClaimsSet) AccessTokenResponse(com.forgerock.openbanking.model.oidc.AccessTokenResponse) Test(org.junit.Test)

Aggregations (type, and number of examples using it)

AccessTokenResponse (com.forgerock.openbanking.model.oidc.AccessTokenResponse): 10
ResponseEntity (org.springframework.http.ResponseEntity): 9
Test (org.junit.Test): 7
HttpHeaders (org.springframework.http.HttpHeaders): 7
PairClientIDAuthMethod (com.forgerock.openbanking.aspsp.as.service.PairClientIDAuthMethod): 5
OBErrorResponseException (com.forgerock.openbanking.exceptions.OBErrorResponseException): 4
AccessTokenReWriteException (com.forgerock.openbanking.common.error.exception.AccessTokenReWriteException): 3
AMGateway (com.forgerock.openbanking.am.gateway.AMGateway): 1
GrantType (com.forgerock.openbanking.constants.OIDCConstants.GrantType): 1
JWTClaimsSet (com.nimbusds.jwt.JWTClaimsSet): 1
URI (java.net.URI): 1
ParseException (java.text.ParseException): 1
HttpStatus (org.springframework.http.HttpStatus): 1
PreAuthorize (org.springframework.security.access.prepost.PreAuthorize): 1