use of com.forgerock.openbanking.model.oidc.OIDCRegistrationResponse in project openbanking-aspsp by OpenBankingToolkit.
the class DynamicRegistrationApiController method register.
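/**
 * Handles an OAuth2 dynamic client registration request that carries an OBIE Software Statement
 * Assertion (SSA).
 * <p>
 * The caller's MTLS identity is resolved from {@code principal}, the registration request JWT is
 * parsed and its client_id cleared (the AS allocates one), and the request is rejected unless the
 * transport certificate and the SSA were issued to the same organisation. After further
 * verification the TPP is registered and its OIDC registration response returned with HTTP 201.
 *
 * @param registrationRequestJwtSerialised the serialised registration request JWT taken from the
 *   request body; untrusted network input
 * @param principal the authenticated (MTLS) principal of the caller
 * @return 201 CREATED with the registration response of the newly registered TPP
 * @throws OAuth2InvalidClientException when the client identity cannot be established from the
 *   principal, or the certificate and the SSA were not issued to the same organisation
 * @throws DynamicClientRegistrationException propagated from request verification or TPP
 *   registration
 */
@Override
public ResponseEntity<OIDCRegistrationResponse> register(@ApiParam(value = "A request to register a Software Statement Assertion with an ASPSP") @Valid @RequestBody String registrationRequestJwtSerialised, Principal principal) throws OAuth2InvalidClientException, DynamicClientRegistrationException {
    String methodName = "register()";
    // The request body is unvalidated network input: keep it out of INFO-level logs (volume and
    // log-forging risk) and record it at DEBUG only, for troubleshooting.
    log.info("{} Received request to create a new client registration.", methodName);
    log.debug("{} registration request JWT: {}", methodName, registrationRequestJwtSerialised);
    try {
        ApiClientIdentity apiClientIdentity = this.apiClientIdentityFactory.getApiClientIdentity(principal);
        String tppIdentifier = apiClientIdentity.getTppIdentifier();
        RegistrationRequest registrationRequest = registrationRequestFactory.getRegistrationRequestFromJwt(registrationRequestJwtSerialised);
        // A new registration must not carry a caller-chosen client_id; the AS allocates it.
        registrationRequest.setClientId(null);
        // The MTLS transport certificate and the SSA must belong to the same organisation, so a
        // caller cannot register using another organisation's software statement.
        if (!apiClientIdentity.wasIssuedWith(registrationRequest)) {
            String errorString = "The MATLS transport certificate and the SSA were not issued to the same organisation";
            log.info("register() {}", errorString);
            throw new OAuth2InvalidClientException(errorString);
        }
        verifyRegistrationRequest(apiClientIdentity, registrationRequest);
        // SSA claims take precedence over whatever the request body asserted for the same fields.
        registrationRequest.overwriteRegistrationRequestFieldsFromSSAClaims(apiClientIdentity);
        Tpp tpp = tppRegistrationService.registerTpp(apiClientIdentity, registrationRequest);
        OIDCRegistrationResponse registrationResponse = tpp.getRegistrationResponse();
        log.info("{} Registration succeeded. tpp {} now has OAuth2 ClientId of {}", methodName, tppIdentifier, tpp.getClientId());
        return ResponseEntity.status(HttpStatus.CREATED).body(registrationResponse);
    } catch (ApiClientException e) {
        log.info("Failed to create new client registration. There was an error related to the client requesting the registration; '{}'", e.getMessage());
        // Stack trace only at DEBUG; the client receives a message, not the underlying detail.
        log.debug("register() caught ApiClientException.", e);
        // NOTE(review): the ApiClientException is not chained as the cause of the thrown exception;
        // confirm whether OAuth2InvalidClientException offers a (message, cause) constructor.
        throw new OAuth2InvalidClientException("Invalid certificate presented. Error was " + e.getMessage());
    }
}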
use of com.forgerock.openbanking.model.oidc.OIDCRegistrationResponse in project openbanking-aspsp by OpenBankingToolkit.
the class AuthorisationApiController method validateRequestParameter.
/**
 * Parses and validates the OIDC {@code request} parameter (request object) of an authorisation
 * request.
 * <p>
 * The serialised request object may be a JWE, which is decrypted through the crypto API, or a
 * plain JWS. The JWS signature is checked against the TPP's registered JWKS (first key only) or,
 * when no keys are registered, against the TPP's registered {@code jwks_uri}. Mandatory claims
 * are then checked and the query-string parameters are compared with the corresponding claims.
 *
 * @param responseType the response_type query parameter; must match the request object claim
 * @param clientId the client_id query parameter; must match the claim and identify a known TPP
 * @param state the state query parameter; must match the request object claim
 * @param nonce the nonce query parameter; must match the request object claim
 * @param scopes the scope query parameter; compared with the request object's scope claim
 * @param redirectUri the redirect_uri query parameter; must match the request object claim
 * @param requestParametersSerialised the serialised request object (JWE or JWS)
 * @return the parsed, signature-validated request object
 * @throws OBErrorException REQUEST_PARAMETER_JWT_FORMAT_INVALID for an unparseable request object
 *   or an unknown client id; REQUEST_PARAMETER_CLAIM_MANDATORY when a mandatory claim is absent;
 *   REQUEST_PARAMETER_JWT_INVALID when the TPP has no usable registration details or, presumably,
 *   when the crypto API rejects the signature (anything surfacing as InvalidTokenException);
 *   the verify* helpers may raise their own OBErrorException
 */
private SignedJWT validateRequestParameter(String responseType, String clientId, String state, String nonce, String scopes, String redirectUri, String requestParametersSerialised) throws OBErrorException {
    SignedJWT requestParameters;
    try {
        try {
            // Probe: if this parses as a JWE the request object is encrypted. Decrypt it and
            // replace the serialised form with the inner JWS so every later check and log line
            // works on the signed payload.
            EncryptedJWT.parse(requestParametersSerialised);
            log.debug("Request parameter {} is encrypted (JWE).", requestParametersSerialised);
            requestParameters = cryptoApiClient.decryptJwe(requestParametersSerialised);
            requestParametersSerialised = requestParameters.serialize();
            log.debug("Request parameter {} decrypted (JWS).", requestParametersSerialised);
        } catch (ParseException | JOSEException e) {
            // If we got an exception, it means it's a JWS
            // NOTE(review): a decryption failure on a genuine JWE also lands here; SignedJWT.parse
            // would then presumably fail and be mapped to REQUEST_PARAMETER_JWT_FORMAT_INVALID below.
            log.debug("Request parameter {} is just signed (JWS).", requestParametersSerialised);
            requestParameters = SignedJWT.parse(requestParametersSerialised);
        }
        // client_id is checked before the signature so that the signature is verified against the
        // keys of the client actually named in the request.
        verifyQueryParameterMatchesRequestParameterClaim(requestParameters, "client_id", clientId);
        Optional<Tpp> byClientId = tppStoreService.findByClientId(clientId);
        if (byClientId.isEmpty()) {
            throw new OBErrorException(OBRIErrorType.REQUEST_PARAMETER_JWT_FORMAT_INVALID, "Unknown client id '" + clientId + "'");
        }
        Tpp tpp = byClientId.get();
        log.debug("Validate the request parameter signature");
        boolean validated = false;
        OIDCRegistrationResponse registrationResponse = tpp.getRegistrationResponse();
        if (registrationResponse != null) {
            // Prefer keys supplied inline at registration; fall back to jwks_uri only when none.
            JWKSet jwkSet = registrationResponse.getJwks();
            if (jwkSet != null) {
                List<JWK> jwkSetKeys = jwkSet.getKeys();
                if (jwkSetKeys != null && !jwkSetKeys.isEmpty()) {
                    // NOTE(review): only the first registered key is tried, ignoring any kid in the
                    // JWS header; a request object signed with another registered key (e.g. after
                    // rotation) would be rejected here. Confirm whether validateJwsWithJWK can
                    // take the whole key set instead.
                    JWK jwk = jwkSetKeys.get(0);
                    String jwksKeys = jwk.toString();
                    log.debug("validateRequestParameters() tpp has jwksKeys as part of registraiton. They will be" + " used to validate the request parameter.");
                    cryptoApiClient.validateJwsWithJWK(requestParametersSerialised, clientId, jwksKeys);
                    validated = true;
                } else {
                    log.debug("validateRequestParameter() tpp has no jwkSetKeys; {}", tpp);
                }
            }
            if (!validated) {
                // jwks_uri was fixed at dynamic registration time, so the fetch target is the
                // TPP's registered endpoint, not something chosen per request.
                String jwks_uri = tpp.getRegistrationResponse().getJwks_uri();
                if (jwks_uri == null || jwks_uri.isBlank()) {
                    log.error("validateRequestparameters() tpp does no have a jwksKeys, or a jwks_uri in it's " + "registration details; {}", tpp);
                    throw new InvalidTokenException("Tpp does no have a jwksKeys, or a jwks_uri in it's " + "registration details");
                } else {
                    log.debug("validateRequestParameter() Validating request parameter using jwks_uri: " + "requestParametersSerialised: '{}', clientId; '{}', jwks_url: {}", requestParametersSerialised, clientId, jwks_uri);
                    cryptoApiClient.validateJws(requestParametersSerialised, clientId, jwks_uri);
                    validated = true;
                }
            }
        } else {
            log.error("validateRequestParameter() tpp has no registration response; {}", tpp);
            throw new InvalidTokenException("Tpp is not registered");
        }
        // Claims every request object must carry; a missing one is reported by name.
        List<String> MANDATORY_CLAIMS = Arrays.asList(
                OpenBankingConstants.RequestParameterClaim.AUD,
                OpenBankingConstants.RequestParameterClaim.SCOPE,
                OpenBankingConstants.RequestParameterClaim.ISS,
                OpenBankingConstants.RequestParameterClaim.CLAIMS,
                OpenBankingConstants.RequestParameterClaim.RESPONSE_TYPE,
                OpenBankingConstants.RequestParameterClaim.REDIRECT_URI,
                OpenBankingConstants.RequestParameterClaim.EXP,
                OpenBankingConstants.RequestParameterClaim.NONCE,
                OpenBankingConstants.RequestParameterClaim.CLIENT_ID);
        for (String mandatoryClaim : MANDATORY_CLAIMS) {
            if (requestParameters.getJWTClaimsSet().getClaim(mandatoryClaim) == null) {
                throw new OBErrorException(OBRIErrorType.REQUEST_PARAMETER_CLAIM_MANDATORY, mandatoryClaim);
            }
        }
        // Query-string values must agree with the signed request object, which is authoritative.
        verifyQueryParameterMatchesRequestParameterClaim(requestParameters, "response_type", responseType);
        verifyQueryParameterMatchesRequestParameterClaim(requestParameters, "state", state);
        verifyQueryParameterMatchesRequestParameterClaim(requestParameters, "nonce", nonce);
        verifyQueryParameterMatchesRequestParameterClaim(requestParameters, "redirect_uri", redirectUri);
        verifyScopeQueryParameterMatchesRequestParameterClaim(requestParameters, scopes);
        verifyRequestparameterClaims(requestParameters);
    } catch (ParseException | IOException e) {
        // NOTE(review): the full (possibly decrypted) request object is written to the ERROR log
        // here and below; consider whether that level of detail belongs in production logs.
        log.error("Invalid Request parameter {}. Reason: {}", requestParametersSerialised, e.getMessage(), e);
        throw new OBErrorException(OBRIErrorType.REQUEST_PARAMETER_JWT_FORMAT_INVALID, e.getMessage());
    } catch (InvalidTokenException e) {
        log.error("Invalid Request parameter {}. Reason: {}", requestParametersSerialised, e.getMessage(), e);
        throw new OBErrorException(OBRIErrorType.REQUEST_PARAMETER_JWT_INVALID, e.getMessage());
    }
    return requestParameters;
}
use of com.forgerock.openbanking.model.oidc.OIDCRegistrationResponse in project openbanking-aspsp by OpenBankingToolkit.
the class DynamicRegistrationApiControllerTest method getValidTpp.
/**
 * Builds a minimal Tpp fixture whose registration response carries a fixed registration access
 * token; client id and name come from the test's fields.
 */
private Tpp getValidTpp() {
    Tpp fixture = new Tpp();
    fixture.setClientId(this.clientId);
    fixture.setName(this.tppName);
    // The fixture reuses the TPP name as its authorisation number.
    fixture.setAuthorisationNumber(this.tppName);
    OIDCRegistrationResponse response = new OIDCRegistrationResponse();
    response.setRegistrationAccessToken("tpps-registration-access-token");
    fixture.setRegistrationResponse(response);
    return fixture;
}
use of com.forgerock.openbanking.model.oidc.OIDCRegistrationResponse in project openbanking-aspsp by OpenBankingToolkit.
the class DynamicRegistrationApiControllerTest method willRegisterIfCertHasBeenUsedToPreviouslyRegister_register.
/**
 * register() should answer 201 CREATED when the store already holds a TPP for the client and the
 * registration service returns that TPP (re-registration with a previously used certificate).
 */
@Test
public void willRegisterIfCertHasBeenUsedToPreviouslyRegister_register() throws InvalidPsd2EidasCertificate, OAuth2InvalidClientException, DynamicClientRegistrationException {
    // given: a principal holding the AISP role
    // NOTE(review): ROLE_AISP is listed twice; presumably a second, distinct role was intended — confirm.
    Collection<OBRIRole> grantedRoles = new ArrayList<>(List.of(OBRIRole.ROLE_AISP, OBRIRole.ROLE_AISP));
    X509Authentication principal = testSpec.getPrincipal(grantedRoles);
    // given: an already registered TPP whose registration response carries a registration access token
    String existingAccessToken = "eyJ0eXAiOiJKV1QiLCJ6aXAiOiJOT05FIiwia2lkIjoiRm9sN0lwZEtlTFptekt0Q0VnaTFMRGhTSXpNPSIsImFsZyI6IkVTMjU2In0.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.vhH9AGDKbxK1R_tnq8_nOkIpPH7se68MxOC8y-Wq4SW4_ffMBj1ChkckU-q2wJ_4hh_l1sgdlCdkom_VQFvN9Q";
    OIDCRegistrationResponse existingRegistration = new OIDCRegistrationResponse();
    existingRegistration.setRegistrationAccessToken(existingAccessToken);
    Tpp existingTpp = new Tpp();
    existingTpp.setRegistrationResponse(existingRegistration);
    existingTpp.setClientId("3105f70b-b417-427e-922d-7ba04d16278a");
    given(tppStoreService.findByClientId("testname")).willReturn(Optional.of(existingTpp));
    given(this.tppRegistrationService.registerTpp(any(ApiClientIdentity.class), any(RegistrationRequest.class))).willReturn(existingTpp);
    // when
    ResponseEntity<OIDCRegistrationResponse> response = dynamicRegistrationApiController.register(registrationRequestJwtSerialised, principal);
    // then
    assertThat(response.getStatusCode()).isEqualTo(HttpStatus.CREATED);
}
use of com.forgerock.openbanking.model.oidc.OIDCRegistrationResponse in project openbanking-aspsp by OpenBankingToolkit.
the class TppRegistrationService method registerTpp.
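/**
 * Registers a TPP with the authorisation server (AS) via OAuth2 dynamic client registration and
 * persists the resulting Tpp record.
 *
 * @param clientIdentity the caller's MTLS identity; supplies the transport certificate CN and the
 *   authorisation number
 * @param oidcRegistrationRequest the verified registration request to send to the AS
 * @return the persisted Tpp, carrying the AS registration response (client secret removed where
 *   removeSecretIfNeeded applies)
 * @throws DynamicClientRegistrationException when registration with the AS fails
 */
public Tpp registerTpp(ApiClientIdentity clientIdentity, RegistrationRequest oidcRegistrationRequest) throws DynamicClientRegistrationException {
    log.debug("registerTpp() Send the OAuth2 dynamic registration request to the AS");
    OIDCRegistrationResponse oidcRegistrationResponse = amoidcRegistrationService.register(oidcRegistrationRequest);
    // The AS response may carry a client secret (removeSecretIfNeeded strips it below), so the
    // response object is never logged in full; only the issued client_id is recorded.
    log.debug("registerTpp() Response from the AS for client_id: {}", oidcRegistrationResponse.getClientId());
    String cn = clientIdentity.getTransportCertificateCn();
    // ToDo: Previously this came from the spring config and was either set to the value found in either
    // openBankingDirectoryConfiguration.getIssuerID() or forgeRockDirectoryConfiguration.id()
    String ssaIssuer = oidcRegistrationRequest.getSsaIssuer();
    String directoryId = getDirectoryIdFromSsaIssuer(ssaIssuer);
    // Strip the secret before the response is stored as part of the Tpp record.
    removeSecretIfNeeded(oidcRegistrationResponse);
    String officialName = getOrgSoftwareCombinedTppName(oidcRegistrationRequest, oidcRegistrationResponse);
    // ToDo: Is this just the same as the SoftwareStatement
    // The builder's created() takes a java.util.Date; kept as-is to match the Tpp model.
    Tpp tpp = Tpp.builder()
            .id(oidcRegistrationResponse.getClientId())
            .created(new Date())
            .certificateCn(cn)
            .name(oidcRegistrationResponse.getClientName())
            .officialName(officialName)
            .clientId(oidcRegistrationResponse.getClientId())
            .types(oidcRegistrationRequest.getSoftwareStatementRoles())
            .softwareId(oidcRegistrationRequest.getDirectorySoftwareStatement().getSoftware_id())
            .authorisationNumber(clientIdentity.getAuthorisationNumber().orElse(null))
            .directorySoftwareStatement(oidcRegistrationRequest.getDirectorySoftwareStatement())
            .tppRequest(oidcRegistrationRequest.toJson())
            .registrationResponse(oidcRegistrationResponse)
            .directoryId(directoryId)
            .build();
    // false: this is a first registration, not an update of an existing TPP record.
    updateTppMetrics(tpp, false);
    return tppStoreService.createTpp(tpp);
}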