Search in sources :

Example 1 with RefreshTokenGrant

use of com.nimbusds.oauth2.sdk.RefreshTokenGrant in project ddf by codice.

the class OAuthPlugin method refreshTokens.

/**
 * Attempts to refresh the user's access token and saves the new tokens in the token storage
 *
 * @param refreshToken refresh token used to refresh access token
 * @param oauthSource source being queried
 * @throws OAuthPluginException if the access token could not be renewed
 */
private void refreshTokens(String refreshToken, OAuthFederatedSource oauthSource, String sessionId, OIDCProviderMetadata metadata) throws StopProcessingException {
    if (refreshToken == null) {
        throw createNoAuthException(oauthSource, sessionId, metadata, "unable to find the user's refresh token.");
    }
    ClientAccessToken clientAccessToken;
    try {
        LOGGER.debug("Attempting to refresh the user's access token.");
        WebClient webClient = createWebclient(metadata.getTokenEndpointURI().toURL().toString());
        Consumer consumer = new Consumer(oauthSource.getOauthClientId(), oauthSource.getOauthClientSecret());
        AccessTokenGrant accessTokenGrant = new RefreshTokenGrant(refreshToken);
        clientAccessToken = OAuthClientUtils.getAccessToken(webClient, consumer, accessTokenGrant);
    } catch (OAuthServiceException e) {
        String error = e.getError() != null ? e.getError().getError() : "";
        throw createNoAuthException(oauthSource, sessionId, metadata, "failed to refresh access token " + error);
    } catch (MalformedURLException e) {
        throw createNoAuthException(oauthSource, sessionId, metadata, "malformed token endpoint URL. " + e.getMessage());
    }
    // Validate new access token
    try {
        AccessToken accessToken = convertCxfAccessTokenToNimbusdsToken(clientAccessToken);
        OidcTokenValidator.validateAccessToken(accessToken, null, resourceRetriever, metadata, null);
    } catch (OidcValidationException e) {
        throw createNoAuthException(oauthSource, sessionId, metadata, "failed to validate refreshed access token.");
    }
    // Store new tokens
    String newAccessToken = clientAccessToken.getTokenKey();
    String newRefreshToken = clientAccessToken.getRefreshToken();
    int status = tokenStorage.create(sessionId, oauthSource.getId(), newAccessToken, newRefreshToken, oauthSource.getOauthDiscoveryUrl());
    if (status != SC_OK) {
        LOGGER.warn("Error updating the token information.");
    }
}
Also used : MalformedURLException(java.net.MalformedURLException) Consumer(org.apache.cxf.rs.security.oauth2.client.Consumer) OAuthServiceException(org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException) RefreshTokenGrant(org.apache.cxf.rs.security.oauth2.grants.refresh.RefreshTokenGrant) ClientAccessToken(org.apache.cxf.rs.security.oauth2.common.ClientAccessToken) AccessToken(com.nimbusds.oauth2.sdk.token.AccessToken) BearerAccessToken(com.nimbusds.oauth2.sdk.token.BearerAccessToken) TypelessAccessToken(com.nimbusds.oauth2.sdk.token.TypelessAccessToken) ClientAccessToken(org.apache.cxf.rs.security.oauth2.common.ClientAccessToken) AccessTokenGrant(org.apache.cxf.rs.security.oauth2.common.AccessTokenGrant) WebClient(org.apache.cxf.jaxrs.client.WebClient) OidcValidationException(org.codice.ddf.security.oidc.validator.OidcValidationException)

Example 2 with RefreshTokenGrant

use of com.nimbusds.oauth2.sdk.RefreshTokenGrant in project ddf by codice.

the class OAuthSecurityImpl method refreshToken.

/**
 * Attempts to refresh an expired access token
 *
 * @param id The ID to use when storing tokens
 * @param sourceId The ID of the source using OAuth to use when storing tokens
 * @param clientId The client ID registered with the OAuth provider
 * @param clientSecret The client secret registered with the OAuth provider
 * @param discoveryUrl The URL where the OAuth provider's metadata is hosted
 * @param refreshToken The unexpired refresh token to use
 * @param metadata The OAuh provider's metadata
 * @return refreshed access token
 */
private String refreshToken(String id, String sourceId, String clientId, String clientSecret, String discoveryUrl, String refreshToken, OIDCProviderMetadata metadata) {
    if (refreshToken == null || isExpired(refreshToken)) {
        LOGGER.debug("Error refreshing access token: unable to find an unexpired refresh token.");
        return null;
    }
    ClientAccessToken clientAccessToken;
    try {
        LOGGER.debug("Attempting to refresh the user's access token.");
        WebClient webClient = createWebClient(metadata.getTokenEndpointURI());
        Consumer consumer = new Consumer(clientId, clientSecret);
        AccessTokenGrant accessTokenGrant = new RefreshTokenGrant(refreshToken);
        clientAccessToken = OAuthClientUtils.getAccessToken(webClient, consumer, accessTokenGrant);
    } catch (OAuthServiceException e) {
        LOGGER.debug("Error refreshing access token.", e);
        return null;
    }
    // Validate new access token
    try {
        AccessToken accessToken = convertCxfAccessTokenToNimbusdsToken(clientAccessToken);
        OidcTokenValidator.validateAccessToken(accessToken, null, resourceRetriever, metadata, null);
    } catch (OidcValidationException e) {
        LOGGER.debug("Error validating access token.");
        return null;
    }
    // Store new tokens
    String newAccessToken = clientAccessToken.getTokenKey();
    String newRefreshToken = clientAccessToken.getRefreshToken();
    int status = tokenStorage.create(id, sourceId, newAccessToken, newRefreshToken, discoveryUrl);
    if (status != SC_OK) {
        LOGGER.warn("Error updating the token information.");
    }
    return newAccessToken;
}
Also used : Consumer(org.apache.cxf.rs.security.oauth2.client.Consumer) OAuthServiceException(org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException) RefreshTokenGrant(org.apache.cxf.rs.security.oauth2.grants.refresh.RefreshTokenGrant) ClientAccessToken(org.apache.cxf.rs.security.oauth2.common.ClientAccessToken) AccessToken(com.nimbusds.oauth2.sdk.token.AccessToken) BearerAccessToken(com.nimbusds.oauth2.sdk.token.BearerAccessToken) TypelessAccessToken(com.nimbusds.oauth2.sdk.token.TypelessAccessToken) ClientAccessToken(org.apache.cxf.rs.security.oauth2.common.ClientAccessToken) AccessTokenGrant(org.apache.cxf.rs.security.oauth2.common.AccessTokenGrant) WebClient(org.apache.cxf.jaxrs.client.WebClient) OidcValidationException(org.codice.ddf.security.oidc.validator.OidcValidationException)

Example 3 with RefreshTokenGrant

use of com.nimbusds.oauth2.sdk.RefreshTokenGrant in project ddf by codice.

the class OidcCredentialsResolver method resolveIdToken.

/* This methods job is to try and get an id token from a
  1. refresh token
  2. authorization code
  3. access token
  */
public void resolveIdToken(OidcCredentials credentials, WebContext webContext) {
    final AccessToken initialAccessToken = credentials.getAccessToken();
    final JWT initialIdToken = credentials.getIdToken();
    try {
        OidcTokenValidator.validateAccessToken(initialAccessToken, initialIdToken, resourceRetriever, metadata, configuration);
        if (initialIdToken != null) {
            OidcTokenValidator.validateIdTokens(initialIdToken, webContext, configuration, client);
            return;
        }
    } catch (OidcValidationException e) {
        throw new TechnicalException(e);
    }
    final RefreshToken initialRefreshToken = credentials.getRefreshToken();
    final AuthorizationCode initialAuthorizationCode = credentials.getCode();
    final List<AuthorizationGrant> grantList = new ArrayList<>();
    if (initialRefreshToken != null) {
        grantList.add(new RefreshTokenGrant(initialRefreshToken));
    }
    if (initialAuthorizationCode != null) {
        try {
            final URI callbackUri = new URI(client.computeFinalCallbackUrl(webContext));
            grantList.add(new AuthorizationCodeGrant(initialAuthorizationCode, callbackUri));
        } catch (URISyntaxException e) {
            LOGGER.debug("Problem computing callback url. Cannot add authorization code grant.");
        }
    }
    // try to get id token using refresh token and authorization code
    for (AuthorizationGrant grant : grantList) {
        try {
            trySendingGrantAndPopulatingCredentials(grant, credentials, webContext);
            if (credentials.getIdToken() != null) {
                break;
            }
        } catch (IOException | ParseException e) {
            LOGGER.debug("Problem sending grant ({}).", grant, e);
        }
    }
    // try to get id token using access token
    if (credentials.getIdToken() == null && initialAccessToken != null) {
        final UserInfoRequest userInfoRequest = new UserInfoRequest(metadata.getUserInfoEndpointURI(), Method.GET, new BearerAccessToken(initialAccessToken.toString()));
        final HTTPRequest userInfoHttpRequest = userInfoRequest.toHTTPRequest();
        try {
            final HTTPResponse httpResponse = userInfoHttpRequest.send();
            final UserInfoResponse userInfoResponse = UserInfoResponse.parse(httpResponse);
            if (userInfoResponse instanceof UserInfoSuccessResponse) {
                final UserInfoSuccessResponse userInfoSuccessResponse = (UserInfoSuccessResponse) userInfoResponse;
                JWT idToken = userInfoSuccessResponse.getUserInfoJWT();
                if (idToken == null && userInfoSuccessResponse.getUserInfo().toJWTClaimsSet() != null) {
                    idToken = new PlainJWT(userInfoSuccessResponse.getUserInfo().toJWTClaimsSet());
                }
                OidcTokenValidator.validateUserInfoIdToken(idToken, resourceRetriever, metadata);
                credentials.setIdToken(idToken);
            } else {
                throw new TechnicalException("Received a non-successful UserInfoResponse.");
            }
        } catch (IOException | ParseException | OidcValidationException e) {
            LOGGER.debug("Problem retrieving id token using access token.", e);
            throw new TechnicalException(e);
        }
    }
}
Also used : AuthorizationCode(com.nimbusds.oauth2.sdk.AuthorizationCode) HTTPRequest(com.nimbusds.oauth2.sdk.http.HTTPRequest) PlainJWT(com.nimbusds.jwt.PlainJWT) TechnicalException(org.pac4j.core.exception.TechnicalException) UserInfoSuccessResponse(com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse) PlainJWT(com.nimbusds.jwt.PlainJWT) JWT(com.nimbusds.jwt.JWT) RefreshTokenGrant(com.nimbusds.oauth2.sdk.RefreshTokenGrant) HTTPResponse(com.nimbusds.oauth2.sdk.http.HTTPResponse) ArrayList(java.util.ArrayList) UserInfoRequest(com.nimbusds.openid.connect.sdk.UserInfoRequest) URISyntaxException(java.net.URISyntaxException) IOException(java.io.IOException) URI(java.net.URI) OidcValidationException(org.codice.ddf.security.oidc.validator.OidcValidationException) RefreshToken(com.nimbusds.oauth2.sdk.token.RefreshToken) AuthorizationCodeGrant(com.nimbusds.oauth2.sdk.AuthorizationCodeGrant) AccessToken(com.nimbusds.oauth2.sdk.token.AccessToken) BearerAccessToken(com.nimbusds.oauth2.sdk.token.BearerAccessToken) ParseException(com.nimbusds.oauth2.sdk.ParseException) BearerAccessToken(com.nimbusds.oauth2.sdk.token.BearerAccessToken) UserInfoResponse(com.nimbusds.openid.connect.sdk.UserInfoResponse) AuthorizationGrant(com.nimbusds.oauth2.sdk.AuthorizationGrant)

Aggregations

AccessToken (com.nimbusds.oauth2.sdk.token.AccessToken)3 BearerAccessToken (com.nimbusds.oauth2.sdk.token.BearerAccessToken)3 OidcValidationException (org.codice.ddf.security.oidc.validator.OidcValidationException)3 TypelessAccessToken (com.nimbusds.oauth2.sdk.token.TypelessAccessToken)2 WebClient (org.apache.cxf.jaxrs.client.WebClient)2 Consumer (org.apache.cxf.rs.security.oauth2.client.Consumer)2 AccessTokenGrant (org.apache.cxf.rs.security.oauth2.common.AccessTokenGrant)2 ClientAccessToken (org.apache.cxf.rs.security.oauth2.common.ClientAccessToken)2 RefreshTokenGrant (org.apache.cxf.rs.security.oauth2.grants.refresh.RefreshTokenGrant)2 OAuthServiceException (org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException)2 JWT (com.nimbusds.jwt.JWT)1 PlainJWT (com.nimbusds.jwt.PlainJWT)1 AuthorizationCode (com.nimbusds.oauth2.sdk.AuthorizationCode)1 AuthorizationCodeGrant (com.nimbusds.oauth2.sdk.AuthorizationCodeGrant)1 AuthorizationGrant (com.nimbusds.oauth2.sdk.AuthorizationGrant)1 ParseException (com.nimbusds.oauth2.sdk.ParseException)1 RefreshTokenGrant (com.nimbusds.oauth2.sdk.RefreshTokenGrant)1 HTTPRequest (com.nimbusds.oauth2.sdk.http.HTTPRequest)1 HTTPResponse (com.nimbusds.oauth2.sdk.http.HTTPResponse)1 RefreshToken (com.nimbusds.oauth2.sdk.token.RefreshToken)1