Examples with State com.nimbusds.oauth2.sdk.id.State used on opensource projects

Example 1 with State

use of com.nimbusds.oauth2.sdk.id.State in project nifi by apache.

the class AccessResource method oidcCallback.

@GET
@Consumes(MediaType.WILDCARD)
@Produces(MediaType.WILDCARD)
@Path("oidc/callback")
@ApiOperation(value = "Redirect/callback URI for processing the result of the OpenId Connect login sequence.", notes = NON_GUARANTEED_ENDPOINT)
public void oidcCallback(@Context HttpServletRequest httpServletRequest, @Context HttpServletResponse httpServletResponse) throws Exception {
    // only consider user specific access over https
    if (!httpServletRequest.isSecure()) {
        forwardToMessagePage(httpServletRequest, httpServletResponse, "User authentication/authorization is only supported when running over HTTPS.");
        return;
    }
    // ensure oidc is enabled
    if (!oidcService.isOidcEnabled()) {
        forwardToMessagePage(httpServletRequest, httpServletResponse, "OpenId Connect is not configured.");
        return;
    }
    final String oidcRequestIdentifier = getCookieValue(httpServletRequest.getCookies(), OIDC_REQUEST_IDENTIFIER);
    if (oidcRequestIdentifier == null) {
        forwardToMessagePage(httpServletRequest, httpServletResponse, "The login request identifier was not found in the request. Unable to continue.");
        return;
    }
    final com.nimbusds.openid.connect.sdk.AuthenticationResponse oidcResponse;
    try {
        oidcResponse = AuthenticationResponseParser.parse(getRequestUri());
    } catch (final ParseException e) {
        logger.error("Unable to parse the redirect URI from the OpenId Connect Provider. Unable to continue login process.");
        // remove the oidc request cookie
        removeOidcRequestCookie(httpServletResponse);
        // forward to the error page
        forwardToMessagePage(httpServletRequest, httpServletResponse, "Unable to parse the redirect URI from the OpenId Connect Provider. Unable to continue login process.");
        return;
    }
    if (oidcResponse.indicatesSuccess()) {
        final AuthenticationSuccessResponse successfulOidcResponse = (AuthenticationSuccessResponse) oidcResponse;
        // confirm state
        final State state = successfulOidcResponse.getState();
        if (state == null || !oidcService.isStateValid(oidcRequestIdentifier, state)) {
            logger.error("The state value returned by the OpenId Connect Provider does not match the stored state. Unable to continue login process.");
            // remove the oidc request cookie
            removeOidcRequestCookie(httpServletResponse);
            // forward to the error page
            forwardToMessagePage(httpServletRequest, httpServletResponse, "Purposed state does not match the stored state. Unable to continue login process.");
            return;
        }
        try {
            // exchange authorization code for id token
            final AuthorizationCode authorizationCode = successfulOidcResponse.getAuthorizationCode();
            final AuthorizationGrant authorizationGrant = new AuthorizationCodeGrant(authorizationCode, URI.create(getOidcCallback()));
            oidcService.exchangeAuthorizationCode(oidcRequestIdentifier, authorizationGrant);
        } catch (final Exception e) {
            logger.error("Unable to exchange authorization for ID token: " + e.getMessage(), e);
            // remove the oidc request cookie
            removeOidcRequestCookie(httpServletResponse);
            // forward to the error page
            forwardToMessagePage(httpServletRequest, httpServletResponse, "Unable to exchange authorization for ID token: " + e.getMessage());
            return;
        }
        // redirect to the name page
        httpServletResponse.sendRedirect("../../../nifi");
    } else {
        // remove the oidc request cookie
        removeOidcRequestCookie(httpServletResponse);
        // report the unsuccessful login
        final AuthenticationErrorResponse errorOidcResponse = (AuthenticationErrorResponse) oidcResponse;
        forwardToMessagePage(httpServletRequest, httpServletResponse, "Unsuccessful login attempt: " + errorOidcResponse.getErrorObject().getDescription());
    }
}

Example 2 with State

use of com.nimbusds.oauth2.sdk.id.State in project nifi by apache.

the class OidcServiceTest method testOidcNotEnabledValidateState.

@Test(expected = IllegalStateException.class)
public void testOidcNotEnabledValidateState() throws Exception {
    final OidcService service = getServiceWithNoOidcSupport();
    service.isStateValid(TEST_REQUEST_IDENTIFIER, new State(TEST_STATE));
}

Example 3 with State

use of com.nimbusds.oauth2.sdk.id.State in project nifi by apache.

the class OidcServiceTest method testValidateStateExpiration.

@Test
public void testValidateStateExpiration() throws Exception {
    final OidcService service = getServiceWithOidcSupportAndCustomExpiration(1, TimeUnit.SECONDS);
    final State state = service.createState(TEST_REQUEST_IDENTIFIER);
    Thread.sleep(3 * 1000);
    assertFalse(service.isStateValid(TEST_REQUEST_IDENTIFIER, state));
}

Example 4 with State

use of com.nimbusds.oauth2.sdk.id.State in project pac4j by pac4j.

the class OidcExtractor method extract.

@Override
public OidcCredentials extract(final WebContext context) {
    final String computedCallbackUrl = client.computeFinalCallbackUrl(context);
    final Map<String, String> parameters = retrieveParameters(context);
    AuthenticationResponse response;
    try {
        response = AuthenticationResponseParser.parse(new URI(computedCallbackUrl), parameters);
    } catch (final URISyntaxException | ParseException e) {
        throw new TechnicalException(e);
    }
    if (response instanceof AuthenticationErrorResponse) {
        logger.error("Bad authentication response, error={}", ((AuthenticationErrorResponse) response).getErrorObject());
        return null;
    }
    logger.debug("Authentication response successful");
    AuthenticationSuccessResponse successResponse = (AuthenticationSuccessResponse) response;
    final State state = successResponse.getState();
    if (state == null) {
        throw new TechnicalException("Missing state parameter");
    }
    if (!state.equals(context.getSessionStore().get(context, OidcConfiguration.STATE_SESSION_ATTRIBUTE))) {
        throw new TechnicalException("State parameter is different from the one sent in authentication request. " + "Session expired or possible threat of cross-site request forgery");
    }
    final OidcCredentials credentials = new OidcCredentials();
    // get authorization code
    final AuthorizationCode code = successResponse.getAuthorizationCode();
    if (code != null) {
        credentials.setCode(code);
    }
    // get ID token
    final JWT idToken = successResponse.getIDToken();
    if (idToken != null) {
        credentials.setIdToken(idToken);
    }
    // get access token
    final AccessToken accessToken = successResponse.getAccessToken();
    if (accessToken != null) {
        credentials.setAccessToken(accessToken);
    }
    return credentials;
}

Example 5 with State

use of com.nimbusds.oauth2.sdk.id.State in project pac4j by pac4j.

the class OidcRedirectActionBuilder method addStateAndNonceParameters.

protected void addStateAndNonceParameters(final WebContext context, final Map<String, String> params) {
    // Init state for CSRF mitigation
    final State state;
    if (configuration.isWithState()) {
        state = new State(configuration.getStateData());
    } else {
        state = new State();
    }
    params.put(OidcConfiguration.STATE, state.getValue());
    context.getSessionStore().set(context, OidcConfiguration.STATE_SESSION_ATTRIBUTE, state);
    // Init nonce for replay attack mitigation
    if (configuration.isUseNonce()) {
        final Nonce nonce = new Nonce();
        params.put(OidcConfiguration.NONCE, nonce.getValue());
        context.getSessionStore().set(context, OidcConfiguration.NONCE_SESSION_ATTRIBUTE, nonce.getValue());
    }
}