Use of com.nimbusds.oauth2.sdk.AuthorizationRequest in project OpenConext-oidcng by OpenConext: class AuthorizationEndpoint, method validateGrantType.
/**
 * Checks that the requested {@code response_type} is permitted by the grants registered for
 * the client.
 *
 * <p>An implicit or hybrid response type requires the {@code implicit} grant; a response type
 * that implies the code flow requires the {@code authorization_code} grant. A hybrid response
 * type implies both and is therefore checked against both.
 *
 * <p>NOTE(review): neither the response type nor the client's grant list is null-checked
 * here; presumably both are guaranteed non-null by the request parser and client loading
 * upstream — confirm.
 *
 * @param authorizationRequest the parsed request whose response type is inspected
 * @param client the registered client whose grants are consulted
 * @return the request's response type, unchanged, when the client's grants allow it
 * @throws InvalidGrantException when the grants do not permit the requested flow
 */
public static ResponseType validateGrantType(AuthorizationRequest authorizationRequest, OpenIDClient client) {
    ResponseType requested = authorizationRequest.getResponseType();
    List<String> allowedGrants = client.getGrants();
    boolean wantsImplicitOrHybrid = requested.impliesImplicitFlow() || requested.impliesHybridFlow();
    if (wantsImplicitOrHybrid && !allowedGrants.contains(GrantType.IMPLICIT.getValue())) {
        throw new InvalidGrantException(String.format("Grant types %s does not allow for implicit / hybrid flow", allowedGrants));
    }
    boolean wantsCode = requested.impliesCodeFlow();
    if (wantsCode && !allowedGrants.contains(GrantType.AUTHORIZATION_CODE.getValue())) {
        throw new InvalidGrantException(String.format("Grant types %s does not allow for authorization code flow", allowedGrants));
    }
    return requested;
}
Use of com.nimbusds.oauth2.sdk.AuthorizationRequest in project OpenConext-oidcng by OpenConext: class AuthorizationEndpoint, method createAndSaveAuthorizationCode.
/**
 * Builds an {@link AuthorizationCode} for the given request, stores it in the repository and
 * returns it.
 *
 * <p>Everything the token endpoint will later need to cross-check is captured on the code:
 * the redirect URI, the requested scopes, the PKCE code challenge and method, the nonce
 * (present only on an {@link AuthenticationRequest}) and the requested ID token claims.
 *
 * <p>NOTE(review): when a code challenge is sent without a method, the library default from
 * {@code CodeChallengeMethod.getDefault()} is recorded; in the nimbus SDK that default is
 * {@code plain}, which is weaker than {@code S256} — consider whether requiring S256 is
 * wanted here, and confirm against the SDK version in use.
 *
 * @param authorizationRequest the validated authorization (or authentication) request
 * @param client the client the code is issued to
 * @param user the authenticated user whose {@code sub} is bound to the code
 * @return the persisted authorization code
 */
private AuthorizationCode createAndSaveAuthorizationCode(AuthorizationRequest authorizationRequest, OpenIDClient client, User user) {
    URI redirectUri = authorizationRequest.getRedirectionURI();

    Scope requestedScope = authorizationRequest.getScope();
    List<String> requestedScopes;
    if (requestedScope == null) {
        requestedScopes = Collections.emptyList();
    } else {
        requestedScopes = requestedScope.toStringList();
    }

    // PKCE is optional; a challenge without an explicit method gets the library default method
    String challenge = null;
    CodeChallenge codeChallenge = authorizationRequest.getCodeChallenge();
    if (codeChallenge != null) {
        challenge = codeChallenge.getValue();
    }
    String challengeMethod = null;
    CodeChallengeMethod method = authorizationRequest.getCodeChallengeMethod();
    if (method != null) {
        challengeMethod = method.getValue();
    } else if (challenge != null) {
        challengeMethod = CodeChallengeMethod.getDefault().getValue();
    }

    List<String> idTokenClaims = getClaims(authorizationRequest);
    String codeValue = tokenGenerator.generateAuthorizationCode();

    // Only OpenID Connect authentication requests carry a nonce
    String nonceValue = null;
    if (authorizationRequest instanceof AuthenticationRequest) {
        Nonce nonce = ((AuthenticationRequest) authorizationRequest).getNonce();
        if (nonce != null) {
            nonceValue = nonce.getValue();
        }
    }

    // Whether a redirect URI was supplied is recorded alongside the URI itself;
    // tokenValidity(600) bounds the code's lifetime (presumably seconds, i.e. ten minutes)
    AuthorizationCode authorizationCode = new AuthorizationCode(
            codeValue,
            user.getSub(),
            client.getClientId(),
            requestedScopes,
            redirectUri,
            challenge,
            challengeMethod,
            nonceValue,
            idTokenClaims,
            redirectUri != null,
            tokenValidity(10 * 60));
    authorizationCodeRepository.insert(authorizationCode);
    return authorizationCode;
}
Use of com.nimbusds.oauth2.sdk.AuthorizationRequest in project Application-Gateway by gianlucafrei: class GitHubDriverTest, method getCallbackTest.
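/**
 * Starting a login twice must yield two well-formed OAuth2 authorization requests with
 * distinct state values.
 *
 * <p>For each attempt the state handed back to the caller must equal the {@code state}
 * parameter in the corresponding authorization URI; the first request must also carry the
 * configured client id, request the {@code email} scope and redirect to the callback passed
 * in. Distinct states are what lets the callback be tied to one specific login attempt.
 *
 * @throws ParseException if an authorization URI cannot be parsed as an OAuth2 request
 */
@Test
public void getCallbackTest() throws ParseException {
    // Arrange
    var settings = GitHubDriverSettingsTest.getValidSettings();
    var driver = GitHubDriverSettingsTest.getDriver(settings);
    var callbackUri = URI.create("https://example/callback");
    // Act
    LoginDriverResult loginDriverResult1 = driver.startLogin(callbackUri);
    LoginDriverResult loginDriverResult2 = driver.startLogin(callbackUri);
    // Assert
    // JUnit's argument order is (expected, actual): the configured values and the driver
    // result are the expectation, the parsed request is what the driver actually produced
    AuthorizationRequest req1 = AuthorizationRequest.parse(loginDriverResult1.getAuthURI());
    assertEquals(loginDriverResult1.getState(), req1.getState().toString());
    assertEquals(settings.get("clientId"), req1.getClientID().toString());
    assertTrue(req1.getScope().contains("email"));
    assertEquals(callbackUri, req1.getRedirectionURI());
    // The second attempt must carry its own state in its URI as well
    AuthorizationRequest req2 = AuthorizationRequest.parse(loginDriverResult2.getAuthURI());
    assertEquals(loginDriverResult2.getState(), req2.getState().toString());
    // The two login attempts must not share a state, neither in the result nor in the URI
    assertNotEquals(loginDriverResult1.getState(), loginDriverResult2.getState(), "State variables must not be equal");
    assertNotEquals(req1.getState(), req2.getState(), "State parameters in the authorization URIs must not be equal");
}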
Use of com.nimbusds.oauth2.sdk.AuthorizationRequest in project OpenConext-oidcng by OpenConext: class AuthorizationEndpointUnitTest, method doValidateScope.
/**
 * Runs {@code AuthorizationEndpoint.validateScopes} for a client registered with
 * {@code clientScope} and a request asking for {@code requestResponseScope}, and expects the
 * requested scope to come back as the single validated scope.
 *
 * <p>The parsed {@code AuthorizationRequest} built at the top is never read afterwards; the
 * scope under test is handed to {@code validateScopes} directly as a {@code Scope}.
 *
 * @param clientScope scope the stub client is registered with
 * @param requestResponseScope scope placed in the authorization request
 * @throws IOException propagated from the test fixtures
 * @throws ParseException if the fixture authorization request cannot be parsed
 */
@SuppressWarnings("unchecked")
private void doValidateScope(String clientScope, String requestResponseScope) throws IOException, ParseException {
    AuthorizationRequest parsedRequest = authorizationRequest(new FluentMap<String, String>()
            .p("client_id", "http://oidc-rp")
            .p("response_type", "code")
            .p("scope", requestResponseScope));
    OpenIDClient registeredClient = openIDClient("http://redirect", clientScope, "authorization_code");
    OpenIDClientRepository repository = mock(OpenIDClientRepository.class);
    // The repository lookup answers with a fresh, identically configured client
    when(repository.findByClientIdIn(null))
            .thenReturn(Collections.singletonList(openIDClient("http://redirect", clientScope, "authorization_code")));
    Scope requestedScope = new Scope(requestResponseScope);
    List<String> validatedScopes = AuthorizationEndpoint.validateScopes(repository, requestedScope, registeredClient);
    assertEquals(singletonList(requestResponseScope), validatedScopes);
}
Use of com.nimbusds.oauth2.sdk.AuthorizationRequest in project Kustvakt by KorAP: class OpenIdAuthorizationService, method handleAuthenticationRequest.
/**
 * Handles an OpenID Connect authentication request: extracts the OIDC-specific parameters,
 * enforces {@code max_age} and delegates to {@code handleAuthorizationRequest}.
 *
 * <p>Kustvakt does not support the following parameters: <em>claims</em>,
 * <em>requestURI</em>, <em>requestObject</em>, <em>id_token_hint</em>, and ignores them if
 * they are included in an authentication request. Kustvakt provides minimum support for
 * <em>acr_values</em> by not throwing an error when it is included in an authentication
 * request.</p>
 *
 * <p>Parameters related to user interface are also ignored, namely <em>display</em>,
 * <em>prompt</em>, <em>ui_locales</em>, <em>login_hint</em>. However, <em>display</em>,
 * <em>prompt</em>, and <em>ui_locales</em> must be supported by Kalamar. The minimum level
 * of support required for these parameters is simply that their use must not result in an
 * error.</p>
 *
 * <p>Some authentication request parameters in addition to OAuth 2.0 authorization
 * parameters according to the OpenID Connect Core 1.0 specification:</p>
 *
 * <ul>
 * <li><em>nonce</em> &mdash; OPTIONAL. The value is passed through unmodified from the
 * Authentication Request to the ID Token. Here an absent or empty nonce is passed on as
 * {@code null}.</li>
 * <li><em>max_age</em> &mdash; OPTIONAL. Maximum Authentication Age in seconds. If the
 * elapsed time is greater than this value, the OpenID Provider MUST attempt to actively
 * re-authenticate the End-User. When max_age is used, the ID Token returned MUST include an
 * auth_time Claim Value.</li>
 * <li><em>claims</em> &mdash; Support for the claims parameter is OPTIONAL. Should an OP
 * (OpenID Provider) not support this parameter and an RP (Relying Party / client) use it,
 * the OP SHOULD return a set of Claims to the RP that it believes would be useful to the RP
 * and the End-User using whatever heuristics it believes are appropriate.</li>
 * </ul>
 *
 * @see "OpenID Connect Core 1.0 specification"
 *
 * @param authRequest the parsed authentication request
 * @param code the authorization code passed through to {@code handleAuthorizationRequest}
 * @param username the user name passed through to {@code handleAuthorizationRequest}
 * @param authenticationTime the time the end-user was authenticated; checked against
 *            {@code max_age} and passed through
 * @return the URI returned by {@code handleAuthorizationRequest} (presumably the redirect
 *         target for the user agent)
 * @throws KustvaktException propagated from the {@code max_age} check or from
 *             {@code handleAuthorizationRequest}
 */
private URI handleAuthenticationRequest(AuthenticationRequest authRequest, AuthorizationCode code, String username, ZonedDateTime authenticationTime) throws KustvaktException {
    // TODO: extra checking for authentication params?
    // An empty nonce is normalised to null, so only a non-empty value is forwarded
    String nonceValue = null;
    Nonce nonce = authRequest.getNonce();
    if (nonce != null) {
        String value = nonce.getValue();
        if (!value.isEmpty()) {
            nonceValue = value;
        }
    }
    // max_age is enforced before anything is handed to the generic authorization handling
    checkMaxAge(authRequest.getMaxAge(), authenticationTime);
    // Upcast to the plain OAuth2 request type expected by handleAuthorizationRequest
    AuthorizationRequest asAuthorizationRequest = authRequest;
    return handleAuthorizationRequest(asAuthorizationRequest, code, username, authenticationTime, nonceValue);
}