
Example 16 with OIDCRegistrationResponse

use of com.forgerock.openbanking.model.oidc.OIDCRegistrationResponse in project openbanking-aspsp by OpenBankingToolkit.

From class DynamicRegistrationApiController, method register().

@Override
public ResponseEntity<OIDCRegistrationResponse> register(@ApiParam(value = "A request to register a Software Statement Assertion with an ASPSP") @Valid @RequestBody String registrationRequestJwtSerialised, Principal principal) throws OAuth2InvalidClientException, DynamicClientRegistrationException {
    final String methodName = "register()";
    // NOTE(review): the complete serialised registration request JWT (SSA included) is written to
    // the INFO log here; confirm that is acceptable under this deployment's log handling policy.
    log.info("{} Received request to create a new client registration. {}", methodName, registrationRequestJwtSerialised);
    try {
        // The caller's identity is derived from the Principal - presumably the MATLS transport
        // certificate, going by the error messages below.
        ApiClientIdentity caller = this.apiClientIdentityFactory.getApiClientIdentity(principal);
        String tppIdentifier = caller.getTppIdentifier();
        RegistrationRequest parsedRequest = registrationRequestFactory.getRegistrationRequestFromJwt(registrationRequestJwtSerialised);
        // Any client_id the caller put in the request is discarded; the one returned by the
        // registration below is the authoritative value.
        parsedRequest.setClientId(null);
        // The SSA and the transport certificate must belong to the same organisation.
        rejectUnlessSsaMatchesCaller(caller, parsedRequest);
        verifyRegistrationRequest(caller, parsedRequest);
        parsedRequest.overwriteRegistrationRequestFieldsFromSSAClaims(caller);
        Tpp registeredTpp = tppRegistrationService.registerTpp(caller, parsedRequest);
        OIDCRegistrationResponse registrationResponse = registeredTpp.getRegistrationResponse();
        log.info("{} Registration succeeded. tpp {} now has OAuth2 ClientId of {}", methodName, tppIdentifier, registeredTpp.getClientId());
        return ResponseEntity.status(HttpStatus.CREATED).body(registrationResponse);
    } catch (ApiClientException e) {
        // Problems attributed to the calling client are reported as an invalid-client error.
        // NOTE(review): the raw exception message is echoed back to the caller; confirm it never
        // carries internal detail.
        log.info("Failed to create new client registration. There was an error related to the client requesting " + "the registration; '{}'", e.getMessage());
        log.debug("register() caught ApiClientException.", e);
        throw new OAuth2InvalidClientException("Invalid certificate presented. Error was " + e.getMessage());
    }
}

/**
 * Rejects the registration when the SSA was not issued to the same organisation as the caller's
 * transport certificate.
 *
 * @param caller  identity derived from the caller's credentials
 * @param request the parsed registration request carrying the SSA
 * @throws OAuth2InvalidClientException when {@code caller.wasIssuedWith(request)} is false
 */
private void rejectUnlessSsaMatchesCaller(ApiClientIdentity caller, RegistrationRequest request) throws OAuth2InvalidClientException {
    if (caller.wasIssuedWith(request)) {
        return;
    }
    String errorString = "The MATLS transport certificate and the SSA were not issued to the same " + "organisation";
    log.info("register() {}", errorString);
    throw new OAuth2InvalidClientException(errorString);
}

Example 17 with OIDCRegistrationResponse

use of com.forgerock.openbanking.model.oidc.OIDCRegistrationResponse in project openbanking-aspsp by OpenBankingToolkit.

From class AuthorisationApiController, method validateRequestParameter().

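/**
 * Parses and validates the OIDC {@code request} parameter of an authorisation request.
 * <p>
 * The serialised request object is accepted either as a JWE (decrypted through the crypto API) or
 * as a bare JWS. Its signature is checked against the keys the TPP registered (inline {@code jwks}
 * first, {@code jwks_uri} otherwise), every mandatory claim must be present, and the claims must
 * agree with the plain query parameters of the same request.
 *
 * @param responseType                the {@code response_type} query parameter
 * @param clientId                    the {@code client_id} query parameter
 * @param state                       the {@code state} query parameter
 * @param nonce                       the {@code nonce} query parameter
 * @param scopes                      the {@code scope} query parameter
 * @param redirectUri                 the {@code redirect_uri} query parameter
 * @param requestParametersSerialised the request object in JWE or JWS compact serialisation
 * @return the verified (and, if needed, decrypted) request object
 * @throws OBErrorException {@code REQUEST_PARAMETER_JWT_FORMAT_INVALID} when the JWT cannot be
 *         parsed or the client is unknown, {@code REQUEST_PARAMETER_JWT_INVALID} when the signature
 *         cannot be validated, {@code REQUEST_PARAMETER_CLAIM_MANDATORY} when a required claim is
 *         absent, plus whatever the claim/query-parameter comparison helpers raise
 */
private SignedJWT validateRequestParameter(String responseType, String clientId, String state, String nonce, String scopes, String redirectUri, String requestParametersSerialised) throws OBErrorException {
    SignedJWT requestParameters;
    try {
        try {
            // Probe for JWE compact form; if it parses, unwrap it to the signed inner JWT.
            EncryptedJWT.parse(requestParametersSerialised);
            log.debug("Request parameter {} is encrypted (JWE).", requestParametersSerialised);
            requestParameters = cryptoApiClient.decryptJwe(requestParametersSerialised);
            requestParametersSerialised = requestParameters.serialize();
            log.debug("Request parameter {} decrypted (JWS).", requestParametersSerialised);
        } catch (ParseException | JOSEException e) {
            // Not a JWE (or decryption failed): treat the input as a bare JWS. A genuine JWE whose
            // decryption failed is a five-part string, which SignedJWT.parse() should reject with a
            // ParseException that the outer catch maps to REQUEST_PARAMETER_JWT_FORMAT_INVALID.
            log.debug("Request parameter {} is just signed (JWS).", requestParametersSerialised);
            requestParameters = SignedJWT.parse(requestParametersSerialised);
        }
        // The client_id inside the request object must be the one on the query string, and it must
        // be a registered client: the registration tells us which keys may have signed the object.
        verifyQueryParameterMatchesRequestParameterClaim(requestParameters, "client_id", clientId);
        Tpp tpp = tppStoreService.findByClientId(clientId)
                .orElseThrow(() -> new OBErrorException(OBRIErrorType.REQUEST_PARAMETER_JWT_FORMAT_INVALID, "Unknown client id '" + clientId + "'"));
        log.debug("Validate the request parameter signature");
        OIDCRegistrationResponse registrationResponse = tpp.getRegistrationResponse();
        if (registrationResponse == null) {
            log.error("validateRequestParameter() tpp has no registration response; {}", tpp);
            throw new InvalidTokenException("Tpp is not registered");
        }
        boolean validated = false;
        JWKSet jwkSet = registrationResponse.getJwks();
        if (jwkSet != null) {
            List<JWK> jwkSetKeys = jwkSet.getKeys();
            if (jwkSetKeys != null && !jwkSetKeys.isEmpty()) {
                // Use the registered key the JWS header names rather than blindly taking the first
                // entry: a TPP's JWKS commonly holds more than one key (e.g. separate sig/enc keys),
                // and verifying against the wrong one rejects a validly signed request object.
                JWK jwk = selectRegisteredSigningKey(jwkSet, jwkSetKeys, requestParameters);
                log.debug("validateRequestParameters() tpp has jwksKeys as part of registraiton. They will be" + " used to validate the request parameter.");
                cryptoApiClient.validateJwsWithJWK(requestParametersSerialised, clientId, jwk.toString());
                validated = true;
            } else {
                log.debug("validateRequestParameter() tpp has no jwkSetKeys; {}", tpp);
            }
        }
        if (!validated) {
            // No usable inline key set: fall back to the registered jwks_uri.
            String jwksUri = registrationResponse.getJwks_uri();
            if (jwksUri == null || jwksUri.isBlank()) {
                log.error("validateRequestparameters() tpp does no have a jwksKeys, or a jwks_uri in it's " + "registration details; {}", tpp);
                throw new InvalidTokenException("Tpp does no have a jwksKeys, or a jwks_uri in it's " + "registration details");
            }
            log.debug("validateRequestParameter() Validating request parameter using jwks_uri: " + "requestParametersSerialised: '{}', clientId; '{}', jwks_url: {}", requestParametersSerialised, clientId, jwksUri);
            cryptoApiClient.validateJws(requestParametersSerialised, clientId, jwksUri);
        }
        // Presence check only. The values of exp, aud, etc. are left to verifyRequestparameterClaims()
        // below - NOTE(review): confirm that helper actually enforces expiry and audience.
        List<String> mandatoryClaims = List.of(OpenBankingConstants.RequestParameterClaim.AUD, OpenBankingConstants.RequestParameterClaim.SCOPE, OpenBankingConstants.RequestParameterClaim.ISS, OpenBankingConstants.RequestParameterClaim.CLAIMS, OpenBankingConstants.RequestParameterClaim.RESPONSE_TYPE, OpenBankingConstants.RequestParameterClaim.REDIRECT_URI, OpenBankingConstants.RequestParameterClaim.EXP, OpenBankingConstants.RequestParameterClaim.NONCE, OpenBankingConstants.RequestParameterClaim.CLIENT_ID);
        var claims = requestParameters.getJWTClaimsSet();
        for (String mandatoryClaim : mandatoryClaims) {
            if (claims.getClaim(mandatoryClaim) == null) {
                throw new OBErrorException(OBRIErrorType.REQUEST_PARAMETER_CLAIM_MANDATORY, mandatoryClaim);
            }
        }
        // The plain query parameters must not disagree with the signed request object.
        verifyQueryParameterMatchesRequestParameterClaim(requestParameters, "response_type", responseType);
        verifyQueryParameterMatchesRequestParameterClaim(requestParameters, "state", state);
        verifyQueryParameterMatchesRequestParameterClaim(requestParameters, "nonce", nonce);
        verifyQueryParameterMatchesRequestParameterClaim(requestParameters, "redirect_uri", redirectUri);
        verifyScopeQueryParameterMatchesRequestParameterClaim(requestParameters, scopes);
        verifyRequestparameterClaims(requestParameters);
    } catch (ParseException | IOException e) {
        log.error("Invalid Request parameter {}. Reason: {}", requestParametersSerialised, e.getMessage(), e);
        throw new OBErrorException(OBRIErrorType.REQUEST_PARAMETER_JWT_FORMAT_INVALID, e.getMessage());
    } catch (InvalidTokenException e) {
        log.error("Invalid Request parameter {}. Reason: {}", requestParametersSerialised, e.getMessage(), e);
        throw new OBErrorException(OBRIErrorType.REQUEST_PARAMETER_JWT_INVALID, e.getMessage());
    }
    return requestParameters;
}

/**
 * Chooses which of the TPP's registered keys the request object should be verified against.
 * <p>
 * The {@code kid} header is an untrusted hint taken from the request itself, so it only selects
 * among keys that were registered for this client; the signature check is what proves anything.
 * When the header carries no kid, or names one that is not in the set, the first registered key is
 * used - the previous behaviour - so single-key registrations keep working unchanged.
 *
 * @param jwkSet         the TPP's registered key set
 * @param registeredKeys the (non-empty) keys of {@code jwkSet}
 * @param requestObject  the signed request object whose header may name a kid
 * @return the key to verify against; never {@code null}
 */
private JWK selectRegisteredSigningKey(JWKSet jwkSet, List<JWK> registeredKeys, SignedJWT requestObject) {
    String kid = requestObject.getHeader().getKeyID();
    if (kid != null) {
        JWK byKid = jwkSet.getKeyByKeyId(kid);
        if (byKid != null) {
            return byKid;
        }
        log.debug("validateRequestParameter() no registered key with kid '{}'; falling back to the first registered key", kid);
    }
    return registeredKeys.get(0);
}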

Example 18 with OIDCRegistrationResponse

use of com.forgerock.openbanking.model.oidc.OIDCRegistrationResponse in project openbanking-aspsp by OpenBankingToolkit.

From class DynamicRegistrationApiControllerTest, method getValidTpp().

/**
 * Builds a minimal registered {@link Tpp} fixture: client id and name from the test fields, a
 * registration response carrying a placeholder registration access token, and - as a fixture
 * shortcut - the TPP name reused as its authorisation number.
 *
 * @return a freshly constructed Tpp for the test under way
 */
private Tpp getValidTpp() {
    Tpp fixture = new Tpp();
    fixture.setClientId(this.clientId);
    fixture.setName(this.tppName);
    fixture.setAuthorisationNumber(this.tppName);

    OIDCRegistrationResponse registration = new OIDCRegistrationResponse();
    registration.setRegistrationAccessToken("tpps-registration-access-token");
    fixture.setRegistrationResponse(registration);
    return fixture;
}

Example 19 with OIDCRegistrationResponse

use of com.forgerock.openbanking.model.oidc.OIDCRegistrationResponse in project openbanking-aspsp by OpenBankingToolkit.

From class DynamicRegistrationApiControllerTest, method willRegisterIfCertHasBeenUsedToPreviouslyRegister_register().

/**
 * A certificate that was already used for an earlier registration must still be accepted: the
 * controller should answer 201 CREATED when the registration service returns the existing Tpp.
 */
@Test
public void willRegisterIfCertHasBeenUsedToPreviouslyRegister_register() throws InvalidPsd2EidasCertificate, OAuth2InvalidClientException, DynamicClientRegistrationException {
    // given: a certificate-authenticated caller
    // NOTE(review): ROLE_AISP is listed twice; if a second role was intended here, change it -
    // the duplicate is otherwise harmless for this test.
    List<OBRIRole> roles = List.of(OBRIRole.ROLE_AISP, OBRIRole.ROLE_AISP);
    Collection<OBRIRole> authorities = new ArrayList<>(roles);
    X509Authentication principal = testSpec.getPrincipal(authorities);

    // ... and a Tpp already on record whose registration carries a registration access token
    String previouslyIssuedToken = "eyJ0eXAiOiJKV1QiLCJ6aXAiOiJOT05FIiwia2lkIjoiRm9sN0lwZEtlTFptekt0Q0VnaTFMRGhTSXpNPSIsImFsZyI6IkVTMjU2In0.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.vhH9AGDKbxK1R_tnq8_nOkIpPH7se68MxOC8y-Wq4SW4_ffMBj1ChkckU-q2wJ_4hh_l1sgdlCdkom_VQFvN9Q";
    OIDCRegistrationResponse existingRegistration = new OIDCRegistrationResponse();
    existingRegistration.setRegistrationAccessToken(previouslyIssuedToken);
    Tpp existingTpp = new Tpp();
    existingTpp.setClientId("3105f70b-b417-427e-922d-7ba04d16278a");
    existingTpp.setRegistrationResponse(existingRegistration);
    given(tppStoreService.findByClientId("testname")).willReturn(Optional.of(existingTpp));
    given(this.tppRegistrationService.registerTpp(any(ApiClientIdentity.class), any(RegistrationRequest.class))).willReturn(existingTpp);

    // when
    ResponseEntity<OIDCRegistrationResponse> actual = dynamicRegistrationApiController.register(registrationRequestJwtSerialised, principal);

    // then
    assertThat(actual.getStatusCode()).isEqualTo(HttpStatus.CREATED);
}

Example 20 with OIDCRegistrationResponse

use of com.forgerock.openbanking.model.oidc.OIDCRegistrationResponse in project openbanking-aspsp by OpenBankingToolkit.

From class TppRegistrationService, method registerTpp().

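/**
 * Registers a TPP with the authorisation server via OAuth2 dynamic client registration and records
 * the resulting client in the TPP store.
 *
 * @param clientIdentity          identity of the caller (transport certificate CN, authorisation number)
 * @param oidcRegistrationRequest the validated registration request, including the SSA
 * @return the stored {@link Tpp} as returned by {@code tppStoreService.createTpp}
 * @throws DynamicClientRegistrationException when registration with the AS fails
 */
public Tpp registerTpp(ApiClientIdentity clientIdentity, RegistrationRequest oidcRegistrationRequest) throws DynamicClientRegistrationException {
    log.debug("registerTpp() Send the OAuth2 dynamic registration request to the AS");
    OIDCRegistrationResponse oidcRegistrationResponse = amoidcRegistrationService.register(oidcRegistrationRequest);
    // Log only the allocated client_id, not the whole response object: depending on its toString()
    // the response can carry credentials (the registration access token, and - until
    // removeSecretIfNeeded() below has run - presumably a client secret) that must not reach logs.
    log.debug("registerTpp() Response from the AS: registered client_id {}", oidcRegistrationResponse.getClientId());
    String cn = clientIdentity.getTransportCertificateCn();
    // ToDo: Previously this came from the spring config and was either set to the value found in either
    // openBankingDirectoryConfiguration.getIssuerID() or forgeRockDirectoryConfiguration.id()
    String ssaIssuer = oidcRegistrationRequest.getSsaIssuer();
    String directoryId = getDirectoryIdFromSsaIssuer(ssaIssuer);
    // Strip the secret from the response before it is persisted/returned (presumably; see helper).
    removeSecretIfNeeded(oidcRegistrationResponse);
    String officialName = getOrgSoftwareCombinedTppName(oidcRegistrationRequest, oidcRegistrationResponse);
    // ToDo: Is this just the same as the SoftwareStatement
    // java.util.Date is kept because the Tpp builder takes one.
    Tpp tpp = Tpp.builder()
            .id(oidcRegistrationResponse.getClientId())
            .created(new Date())
            .certificateCn(cn)
            .name(oidcRegistrationResponse.getClientName())
            .officialName(officialName)
            .clientId(oidcRegistrationResponse.getClientId())
            .types(oidcRegistrationRequest.getSoftwareStatementRoles())
            .softwareId(oidcRegistrationRequest.getDirectorySoftwareStatement().getSoftware_id())
            .authorisationNumber(clientIdentity.getAuthorisationNumber().orElse(null))
            .directorySoftwareStatement(oidcRegistrationRequest.getDirectorySoftwareStatement())
            .tppRequest(oidcRegistrationRequest.toJson())
            .registrationResponse(oidcRegistrationResponse)
            .directoryId(directoryId)
            .build();
    updateTppMetrics(tpp, false);
    return tppStoreService.createTpp(tpp);
}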
