use of com.forgerock.openbanking.model.oidc.OIDCRegistrationResponse in project openbanking-aspsp by OpenBankingToolkit.
the class MatlsRequestVerificationService method verifyMATLSMatchesRequest.
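/**
 * Verifies that the client identified by the request's OAuth2 client-authentication data
 * is the same TPP that was identified by the MATLS certificate on the TLS connection, and
 * that the authentication method actually used matches the one recorded in the TPP's
 * OIDC registration response.
 *
 * <p>Resolution order for the client-authentication method (first match wins): the
 * {@code client_assertion} form parameter, then the {@code Authorization} header, then a
 * {@code client_secret} form parameter, otherwise the default method.
 *
 * @param paramMap      form parameters of the token request
 * @param authorization the {@code Authorization} header value, or {@code null} if absent
 * @param principal     principal established from the MATLS certificate; its name is
 *                      compared against the TPP's identity
 * @return the resolved client id / auth method pair
 * @throws OBErrorResponseException if the authenticated client id does not belong to the
 *                                  MATLS-identified TPP, or if the auth method used differs
 *                                  from the TPP's registered token_endpoint_auth_method
 */
public PairClientIDAuthMethod verifyMATLSMatchesRequest(MultiValueMap paramMap, String authorization, Principal principal) throws OBErrorResponseException {
    // The value is unused, but the casts fail fast (ClassCastException) when the principal is not
    // an Authentication carrying a UserDetails — retained so that behaviour is unchanged.
    UserDetails currentUser = (UserDetails) ((Authentication) principal).getPrincipal();

    PairClientIDAuthMethod pairClientIDAuthMethod;
    String clientAssertion = (String) paramMap.getFirst(OIDCConstants.OIDCClaim.CLIENT_ASSERTION);
    if (clientAssertion != null) {
        pairClientIDAuthMethod = getPairClientIdAuthMethodFromClientAssertion(clientAssertion, paramMap);
    } else if (authorization != null) {
        pairClientIDAuthMethod = getPairClientIdAuthMethodFromAuthorization(authorization, paramMap);
    } else if (paramMap.get("client_secret") != null) {
        pairClientIDAuthMethod = getPairClientIdAuthMethodWhenClientSecret(paramMap);
    } else {
        pairClientIDAuthMethod = getPairClientIdAuthMethodDefault(paramMap);
    }

    String authClientId = pairClientIDAuthMethod.clientId;
    Tpp tpp = getTppRegistered(authClientId);

    // The client id proven by the auth method must belong to the TPP the certificate identifies;
    // otherwise a valid credential for one client could be presented over another client's MATLS.
    if (!matlsIdMatchesTppId(principal.getName(), tpp)) {
        // Log the client id that was actually authenticated, not the TPP's authorisation number,
        // so the two placeholders carry the values the message names.
        log.info("The clientId found via the authentication method did not belong to the Tpp identified by the " + "MATLS certificate's principal (authorisationNumber). authorisationNumber '{}', clientId '{}'", principal.getName(), authClientId);
        throw new OBErrorResponseException(OBRIErrorType.ACCESS_TOKEN_CREDENTIAL_NOT_MATCHING_CLIENT_CERTS.getHttpStatus(), OBRIErrorResponseCategory.ACCESS_TOKEN, OBRIErrorType.ACCESS_TOKEN_CREDENTIAL_NOT_MATCHING_CLIENT_CERTS.toOBError1(tpp.getClientId(), authClientId, pairClientIDAuthMethod.authMethod.type));
    }

    // can throw UnsupportedOIDCAuthMethodsException
    OIDCRegistrationResponse registrationResponse = tpp.getRegistrationResponse();
    String tokenEndpointAuthMethod = registrationResponse.getTokenEndpointAuthMethod();
    OIDCConstants.TokenEndpointAuthMethods authMethodsFromTpp = OIDCConstants.TokenEndpointAuthMethods.fromType(tokenEndpointAuthMethod);

    // The method the client used must be the one it registered with (e.g. a client registered for
    // private_key_jwt must not be accepted with a client_secret).
    if (!authMethodsFromTpp.equals(pairClientIDAuthMethod.authMethod)) {
        log.info("The authorisation method specified in the token differend from that in the Tpp registration " + "response");
        throw new OBErrorResponseException(OBRIErrorType.ACCESS_TOKEN_WRONG_AUTH_METHOD.getHttpStatus(), OBRIErrorResponseCategory.ACCESS_TOKEN, OBRIErrorType.ACCESS_TOKEN_WRONG_AUTH_METHOD.toOBError1(pairClientIDAuthMethod.authMethod.type, authMethodsFromTpp.type));
    }
    return pairClientIDAuthMethod;
}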
use of com.forgerock.openbanking.model.oidc.OIDCRegistrationResponse in project openbanking-aspsp by OpenBankingToolkit.
the class AuthorisationApiControllerTest method shouldNotThrowExceptionContainAllScopesAnyOrder.
@Test
public void shouldNotThrowExceptionContainAllScopesAnyOrder() throws OBErrorException, OBErrorResponseException, InvalidTokenException, ParseException, IOException {
    // Given: a supported response type, a registered TPP and a JWS that validates
    String tppClientId = "98e119f6-196f-4296-98d4-f1a2f445bca2";
    List<String> supportedResponseTypes = List.of("code id_token");
    String requestJwt = toEncodedSignedTestJwt("jwt/authorisation.jwt");

    OIDCRegistrationResponse registration = new OIDCRegistrationResponse();
    registration.setJwks_uri("url");
    Tpp registeredTpp = new Tpp();
    registeredTpp.setRegistrationResponse(registration);

    SignedJWT validatedJwt = mock(SignedJWT.class);

    given(discoveryConfig.getSupportedResponseTypes()).willReturn(supportedResponseTypes);
    given(tppStoreService.findByClientId(tppClientId)).willReturn(Optional.of(registeredTpp));
    given(cryptoApiClient.validateJws(anyString(), anyString(), anyString())).willReturn(validatedJwt);

    // When: the requested scopes contain the expected scopes, in a different order
    String requestedScopes = "payments openid accounts";
    authorisationApiController.getAuthorisation(supportedResponseTypes.get(0), tppClientId, null, null, requestedScopes, null, requestJwt, true, null, null, null, null, null);

    // Then: no exception is thrown
}
use of com.forgerock.openbanking.model.oidc.OIDCRegistrationResponse in project openbanking-aspsp by OpenBankingToolkit.
the class AuthorisationApiControllerTest method shouldNotThrowExceptionWhen_responseTypesMatch.
@Test
public void shouldNotThrowExceptionWhen_responseTypesMatch() throws OBErrorException, OBErrorResponseException, InvalidTokenException, ParseException, IOException {
    // Given: the requested response type is one the discovery config supports
    String tppClientId = "98e119f6-196f-4296-98d4-f1a2f445bca2";
    List<String> supportedResponseTypes = List.of("code id_token");
    String requestedResponseType = supportedResponseTypes.get(0);
    String requestJwt = toEncodedSignedTestJwt("jwt/authorisation.jwt");

    OIDCRegistrationResponse registration = new OIDCRegistrationResponse();
    registration.setJwks_uri("url");
    Tpp registeredTpp = new Tpp();
    registeredTpp.setRegistrationResponse(registration);

    SignedJWT validatedJwt = mock(SignedJWT.class);

    given(discoveryConfig.getSupportedResponseTypes()).willReturn(supportedResponseTypes);
    given(tppStoreService.findByClientId(tppClientId)).willReturn(Optional.of(registeredTpp));
    given(cryptoApiClient.validateJws(anyString(), anyString(), anyString())).willReturn(validatedJwt);

    // When
    authorisationApiController.getAuthorisation(requestedResponseType, tppClientId, null, null, "openid accounts payments", null, requestJwt, true, null, null, null, null, null);

    // Then: no exception is thrown
}
use of com.forgerock.openbanking.model.oidc.OIDCRegistrationResponse in project openbanking-aspsp by OpenBankingToolkit.
the class AuthorisationApiControllerTest method shouldReturnRedirectActionWhenResponseTypeNotMatch.
@Test
public void shouldReturnRedirectActionWhenResponseTypeNotMatch() throws OBErrorException, OBErrorResponseException {
    // Given: only "code id_token" is a supported response type
    List<String> supportedResponseTypes = List.of("code id_token");
    given(discoveryConfig.getSupportedResponseTypes()).willReturn(supportedResponseTypes);
    String requestJwt = toEncodedSignedTestJwt("jwt/authorisation.jwt");

    Tpp registeredTpp = new Tpp();
    OIDCRegistrationResponse registration = new OIDCRegistrationResponse();
    registration.setJwks_uri("url");
    registeredTpp.setRegistrationResponse(registration);

    // When: the response type sent is a literal that is not in the supported list
    // (the quoted "responseTypes.get(0)" text is passed verbatim as the response_type value).
    String unsupportedResponseType = "responseTypes.get(0)";
    String tppClientId = "98e119f6-196f-4296-98d4-f1a2f445bca2";
    String state = "98e119f6-xxxx-yyyy-zzzz-f1a2f445bca2";
    String redirectUri = "https://www.google.com";
    ResponseEntity<RedirectionAction> response = authorisationApiController.getAuthorisation(unsupportedResponseType, tppClientId, state, null, "openid accounts", redirectUri, requestJwt, true, null, null, null, null, null);

    // Then: the caller is redirected with an error in the Location header
    assertThat(response).isNotNull();
    assertThat(response.getHeaders().getLocation()).isNotNull();
    assertTrue(response.getHeaders().getLocation().toString().contains("error"));
}
use of com.forgerock.openbanking.model.oidc.OIDCRegistrationResponse in project openbanking-aspsp by OpenBankingToolkit.
the class DynamicRegistrationApiController method getRegistration.
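/**
 * Implementation of the GET /register endpoint: returns the OIDC client registration for
 * {@code clientId}, provided the caller proves ownership via the MATLS principal and the
 * registration access token.
 *
 * <p>Checks run in this order: the principal and Authorization header are validated, the
 * client id is required, the TPP is looked up, the TPP must own the registration identified
 * by the principal, and only then is the access token validated and the client read.
 *
 * @param clientId the id of the client registration resource to be returned.
 * @param authorization the value of the authorization header - this must match the registration_access_token
 * issued when the client registered.
 * @param principal the Principal of the certificate used in the TLS connection used to call the endpoint. This
 * is used to identify the client that is making the request
 * @return the registration held for {@code clientId}, as an HTTP 200 response
 * @throws OAuth2InvalidClientException - the OAuth2 Dynamic Client Registration spec says "When an OAuth 2.0
 * error condition occurs, such as the client presenting an invalid initial access token, the authorization server
 * returns an error response appropriate to the OAuth 2.0 token type. This exception will be thrown if the
 * principal was not present. This is likely because an incorrect or no SSL certificate was provided. It is
 * also thrown when no {@code clientId} is supplied.
 * @throws OAuth2BearerTokenUsageInvalidTokenException propagated from the auth-argument and access-token
 * checks when the bearer token presented is not valid for this registration
 * @throws OAuth2BearerTokenUsageMissingAuthInfoException propagated from the auth-argument checks when
 * required authorization information is absent
 */
@Override
public ResponseEntity<OIDCRegistrationResponse> getRegistration(String clientId, String authorization, Principal principal) throws OAuth2InvalidClientException, OAuth2BearerTokenUsageInvalidTokenException, OAuth2BearerTokenUsageMissingAuthInfoException {
    log.info("Received a request to get registration information for clientId {}, principal is {}", clientId, principal);
    checkAuthArgsContainValidInformation(principal, authorization);
    if (clientId == null) {
        // Message fixed to use a matching brace pair for the path template.
        throw new OAuth2InvalidClientException("No client id provided. Request must be of the form " + "/register/{clientId} where client Id is taken from the client_id in the registration response");
    }
    Tpp tpp = tppRegistrationService.getTpp(clientId);
    // Ownership is established from the MATLS principal before the token is even validated, so a
    // token that is valid for a different client cannot be used to read this registration.
    tppRegistrationService.ensureTppOwnsOidcRegistration(tpp, principal.getName());
    String accessToken = tppRegistrationService.validateAccessTokenIsValidForOidcRegistration(tpp, authorization);
    OIDCRegistrationResponse registrationResponse = tppRegistrationService.getOIDCClient(accessToken, tpp);
    log.info("Successfully returning registration information for clientId {}", registrationResponse.getClientId());
    return ResponseEntity.ok(registrationResponse);
}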