Use of com.nimbusds.oauth2.sdk in project OpenConext-oidcng by OpenConext: class TokenGenerator, method generateIDTokenForAuthorizationEndpoint.
/**
 * Builds the ID token handed out from the authorization endpoint.
 *
 * On top of the caller-supplied {@code claims} the token carries {@code auth_time}, an
 * optional {@code nonce}, and whichever hash claims the response type requires:
 * {@code at_hash} over the access token, {@code c_hash} over the authorization code (only
 * when one is present) and {@code s_hash} over a non-empty state. Every hash is computed
 * with {@code signingAlg}, so it only verifies against a token signed with that algorithm.
 *
 * NOTE(review): auth_time is set to "now" rather than to the moment the user actually
 * authenticated; confirm this is acceptable for relying parties that rely on max_age.
 *
 * @param user the authenticated end user, becomes the token subject
 * @param client the relying party the token is issued to
 * @param nonce nonce from the authorization request, may be null
 * @param responseType response type of the request; decides which hash claims are required
 * @param accessToken access token value hashed into at_hash when the response type needs it
 * @param claims requested claim names passed through to {@link #idToken}
 * @param authorizationCode authorization code hashed into c_hash when required and present
 * @param state request state hashed into s_hash when it has text, may be null
 * @return the signed ID token wrapped in a TokenValue
 */
@SneakyThrows
public TokenValue generateIDTokenForAuthorizationEndpoint(User user, OpenIDClient client, Nonce nonce, ResponseType responseType, String accessToken, List<String> claims, Optional<String> authorizationCode, State state) {
    Map<String, Object> extraClaims = new HashMap<>();
    long nowInSeconds = System.currentTimeMillis() / 1000L;
    extraClaims.put("auth_time", nowInSeconds);
    if (nonce != null) {
        extraClaims.put("nonce", nonce.getValue());
    }
    // at_hash binds the ID token to the access token issued alongside it
    boolean needsAccessTokenHash = AccessTokenHash.isRequiredInIDTokenClaims(responseType);
    if (needsAccessTokenHash) {
        BearerAccessToken bearer = new BearerAccessToken(accessToken);
        extraClaims.put("at_hash", AccessTokenHash.compute(bearer, signingAlg).getValue());
    }
    // c_hash binds the ID token to the authorization code of a hybrid-flow response
    boolean needsCodeHash = CodeHash.isRequiredInIDTokenClaims(responseType);
    if (needsCodeHash && authorizationCode.isPresent()) {
        com.nimbusds.oauth2.sdk.AuthorizationCode code = new com.nimbusds.oauth2.sdk.AuthorizationCode(authorizationCode.get());
        extraClaims.put("c_hash", CodeHash.compute(code, signingAlg));
    }
    // s_hash lets the relying party check that the state was not tampered with
    boolean hasState = state != null && StringUtils.hasText(state.getValue());
    if (hasState) {
        extraClaims.put("s_hash", StateHash.compute(state, signingAlg));
    }
    String signingKeyId = ensureLatestSigningKey();
    return idToken(client, Optional.of(user), extraClaims, claims, false, signingKeyId, Collections.emptyList(), true);
}
Use of com.nimbusds.oauth2.sdk in project di-ipv-cri-address-api by alphagov: class AddressSessionService, method createTokenRequest.
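/**
 * Parses the raw form-encoded body of a token endpoint call into a Nimbus {@link TokenRequest}.
 *
 * The body is first checked for the parameters this endpoint requires (code, client_id,
 * redirect_uri, grant_type); a request missing any of them is rejected with
 * {@code invalid_request} before {@link #validateTokenRequest} and the Nimbus parser see it.
 *
 * @param requestBody the application/x-www-form-urlencoded body of the token request
 * @return the parsed token request
 * @throws AccessTokenRequestException if a required parameter is absent
 * @throws com.nimbusds.oauth2.sdk.ParseException if Nimbus cannot parse the request
 */
public TokenRequest createTokenRequest(String requestBody) throws com.nimbusds.oauth2.sdk.ParseException {
    // The URI is not needed/consumed in the resultant TokenRequest
    // therefore any value can be passed here to ensure the parse method
    // successfully materialises a TokenRequest
    URI arbitraryUri = URI.create("https://gds");
    HTTPRequest request = new HTTPRequest(HTTPRequest.Method.POST, arbitraryUri);
    request.setQuery(requestBody);
    // The flag is named for what it means (all mandatory parameters present == valid);
    // the previous name "invalidTokenRequest" was the inverse of its value and invited
    // a "fix" that would have let incomplete token requests through.
    boolean hasRequiredParameters = request.getQueryParameters().keySet().containsAll(List.of(CODE, CLIENT_ID, REDIRECT_URI, GRANT_TYPE));
    if (!hasRequiredParameters) {
        throw new AccessTokenRequestException(OAuth2Error.INVALID_REQUEST);
    }
    validateTokenRequest(request.getQueryParameters());
    request.setContentType(ContentType.APPLICATION_URLENCODED.getType());
    return TokenRequest.parse(request);
}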
Use of com.nimbusds.oauth2.sdk in project asgardeo-java-oidc-sdk by asgardeo: class OIDCRequestResolver, method isAuthorizationCodeResponse.
/**
 * Checks if the request is an Authorization Code response.
 *
 * The servlet request is converted to a Nimbus HTTP request and parsed as an
 * authorization response. Parse failures and error responses are logged and reported
 * as {@code false}; a success response counts only if it actually carries a code.
 *
 * @return True if the request is parsed as a valid Authorization response, false otherwise.
 */
public boolean isAuthorizationCodeResponse() {
    AuthorizationResponse parsedResponse;
    try {
        parsedResponse = AuthorizationResponse.parse(ServletUtils.createHTTPRequest(request));
    } catch (com.nimbusds.oauth2.sdk.ParseException | IOException e) {
        logger.log(Level.ERROR, "Error occurred while parsing the authorization response.", e);
        return false;
    }
    if (!parsedResponse.indicatesSuccess()) {
        logErrorAuthorizationResponse(parsedResponse);
        return false;
    }
    // A success response without a code (e.g. an implicit-flow response) is not a code response.
    AuthorizationSuccessResponse successResponse = parsedResponse.toSuccessResponse();
    return successResponse.getAuthorizationCode() != null;
}
Use of com.nimbusds.oauth2.sdk in project spring-security by spring-projects: class NimbusAuthorizationCodeTokenResponseClient, method getTokenResponse.
/**
 * Exchanges an authorization code for tokens at the provider's token endpoint.
 *
 * The client authenticates with its client_id/client_secret: in the form body when the
 * registration's method is client_secret_post (or its deprecated POST alias), otherwise
 * in an HTTP Basic header. A non-success token response becomes an
 * {@link OAuth2AuthorizationException}; a success response is mapped onto
 * {@link OAuth2AccessTokenResponse}. Only the {@code Bearer} token type is recognised;
 * any other type is handed to the builder as {@code null}.
 *
 * @param authorizationGrantRequest the grant request carrying the client registration and
 *        the completed authorization exchange
 * @return the access token response from the provider
 * @throws OAuth2AuthorizationException if the provider returned an error response
 */
@Override
public OAuth2AccessTokenResponse getTokenResponse(OAuth2AuthorizationCodeGrantRequest authorizationGrantRequest) {
    ClientRegistration registration = authorizationGrantRequest.getClientRegistration();
    // Build the authorization code grant request for the token endpoint
    String code = authorizationGrantRequest.getAuthorizationExchange().getAuthorizationResponse().getCode();
    String requestedRedirectUri = authorizationGrantRequest.getAuthorizationExchange().getAuthorizationRequest().getRedirectUri();
    AuthorizationGrant codeGrant = new AuthorizationCodeGrant(new AuthorizationCode(code), toURI(requestedRedirectUri));
    URI tokenEndpoint = toURI(registration.getProviderDetails().getTokenUri());
    // Set the credentials to authenticate the client at the token endpoint
    ClientID clientId = new ClientID(registration.getClientId());
    Secret clientSecret = new Secret(registration.getClientSecret());
    ClientAuthenticationMethod authMethod = registration.getClientAuthenticationMethod();
    boolean secretInBody = ClientAuthenticationMethod.CLIENT_SECRET_POST.equals(authMethod)
            || ClientAuthenticationMethod.POST.equals(authMethod);
    ClientAuthentication clientAuthentication;
    if (secretInBody) {
        clientAuthentication = new ClientSecretPost(clientId, clientSecret);
    } else {
        clientAuthentication = new ClientSecretBasic(clientId, clientSecret);
    }
    com.nimbusds.oauth2.sdk.TokenResponse response = getTokenResponse(codeGrant, tokenEndpoint, clientAuthentication);
    if (!response.indicatesSuccess()) {
        ErrorObject error = ((TokenErrorResponse) response).getErrorObject();
        throw new OAuth2AuthorizationException(getOAuthError(error));
    }
    AccessTokenResponse successResponse = (AccessTokenResponse) response;
    com.nimbusds.oauth2.sdk.token.Tokens tokens = successResponse.getTokens();
    String accessToken = tokens.getAccessToken().getValue();
    String tokenTypeValue = tokens.getAccessToken().getType().getValue();
    OAuth2AccessToken.TokenType accessTokenType = OAuth2AccessToken.TokenType.BEARER.getValue().equalsIgnoreCase(tokenTypeValue)
            ? OAuth2AccessToken.TokenType.BEARER
            : null;
    long expiresIn = tokens.getAccessToken().getLifetime();
    // As per spec, in section 5.1 Successful Access Token Response
    // https://tools.ietf.org/html/rfc6749#section-5.1
    // If AccessTokenResponse.scope is empty, then default to the scope
    // originally requested by the client in the Authorization Request
    Set<String> scopes = getScopes(authorizationGrantRequest, successResponse);
    String refreshToken = (tokens.getRefreshToken() != null) ? tokens.getRefreshToken().getValue() : null;
    Map<String, Object> additionalParameters = new LinkedHashMap<>(successResponse.getCustomParameters());
    // @formatter:off
    return OAuth2AccessTokenResponse.withToken(accessToken)
            .tokenType(accessTokenType)
            .expiresIn(expiresIn)
            .scopes(scopes)
            .refreshToken(refreshToken)
            .additionalParameters(additionalParameters)
            .build();
    // @formatter:on
}
Use of com.nimbusds.oauth2.sdk in project di-authentication-api by alphagov: class TokenService, method generateIDToken.
/**
 * Builds and signs the ID token for a client.
 *
 * The issuer is the configured OIDC API base URL, the audience is the single client id and
 * the expiry is the configured ID token lifetime from now. The access token hash, the
 * caller's additional claims, the trust mark URI ({@code vtm}) and, for non-doc-app
 * journeys, the vector of trust ({@code vot}) are added before signing.
 *
 * @param clientId the relying party, becomes the sole audience
 * @param subject the pairwise subject for the user
 * @param additionalTokenClaims extra claims merged into the claims set
 * @param accessTokenHash at_hash binding the ID token to the issued access token
 * @param vot vector of trust, only set when {@code isDocAppJourney} is false
 * @param isDocAppJourney whether this is a doc-app journey (suppresses the vot claim)
 * @return the signed ID token
 * @throws RuntimeException wrapping the ParseException if the claims set cannot be
 *         converted to a JWT claims set
 */
private SignedJWT generateIDToken(String clientId, Subject subject, Map<String, Object> additionalTokenClaims, AccessTokenHash accessTokenHash, String vot, boolean isDocAppJourney) {
    LOG.info("Generating IdToken");
    String oidcBaseUrl = configService.getOidcApiBaseURL().get();
    URI trustMarkUri = buildURI(oidcBaseUrl, "/trustmark");
    Date expiresAt = NowHelper.nowPlus(configService.getIDTokenExpiry(), ChronoUnit.SECONDS);
    Issuer issuer = new Issuer(oidcBaseUrl);
    List<Audience> audience = List.of(new Audience(clientId));
    IDTokenClaimsSet claimsSet = new IDTokenClaimsSet(issuer, subject, audience, expiresAt, NowHelper.now());
    claimsSet.setAccessTokenHash(accessTokenHash);
    claimsSet.putAll(additionalTokenClaims);
    // Doc-app journeys carry no vector of trust
    if (!isDocAppJourney) {
        claimsSet.setClaim("vot", vot);
    }
    claimsSet.setClaim("vtm", trustMarkUri.toString());
    try {
        return generateSignedJWT(claimsSet.toJWTClaimsSet(), Optional.empty());
    } catch (com.nimbusds.oauth2.sdk.ParseException e) {
        LOG.error("Error when trying to parse IDTokenClaims to JWTClaimSet", e);
        throw new RuntimeException(e);
    }
}