Use of com.nimbusds.openid.connect.sdk.AuthenticationResponse in the project pac4j by pac4j.
The class OidcExtractor, method extract.
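/**
 * Extracts OIDC credentials from the callback request, or handles an OIDC logout request.
 *
 * <p>When the request carries the {@code Pac4jConstants.LOGOUT_ENDPOINT_PARAMETER} parameter it is
 * treated as a logout. A {@code logout_token} request parameter selects back-channel logout (the
 * session id is read from the token's {@code Pac4jConstants.OIDC_CLAIM_SESSIONID} claim); otherwise
 * front-channel logout is assumed and the session id is read from the request parameter of the same
 * name. In both cases the configured logout handler destroys the session, no-cache headers are set
 * and an {@link OkAction} is thrown.
 *
 * <p>Otherwise the request is parsed as an OpenID Connect authentication response. When state is
 * enabled, the {@code state} echoed back is compared with the one stored for this client, and the
 * authorization code, ID token and access token present in the response are copied into the
 * returned {@link OidcCredentials}.
 *
 * @param context      the web context of the current request
 * @param sessionStore the session store
 * @return the extracted credentials, or an empty optional when the response is an authentication error
 * @throws BadRequestAction   when the back-channel logout token cannot be parsed
 * @throws OkAction           once a logout request has been handled
 * @throws TechnicalException when the callback URL or the response cannot be parsed, or the state check fails
 */
@Override
public Optional<Credentials> extract(final WebContext context, final SessionStore sessionStore) {
    final var logoutEndpoint = context.getRequestParameter(Pac4jConstants.LOGOUT_ENDPOINT_PARAMETER).isPresent();
    if (logoutEndpoint) {
        final var logoutToken = context.getRequestParameter("logout_token");
        if (logoutToken.isPresent()) {
            // back-channel logout
            try {
                final var jwt = JWTParser.parse(logoutToken.get());
                // we should use the tokenValidator, but we can't as validation fails on missing claims: exp, iat...
                // final IDTokenClaimsSet claims = configuration.findTokenValidator().validate(jwt, null);
                // final String sid = (String) claims.getClaim(Pac4jConstants.OIDC_CLAIM_SESSIONID);
                // NOTE(review): the token is only parsed, not verified (signature, issuer, audience), so the
                // sid below is taken from an unauthenticated request; restore validation once the validator
                // accepts logout tokens.
                // getStringClaim() turns a non-string claim into a ParseException handled below (bad request)
                // instead of a ClassCastException escaping as a server error.
                final var sid = jwt.getJWTClaimsSet().getStringClaim(Pac4jConstants.OIDC_CLAIM_SESSIONID);
                logger.debug("Handling back-channel logout for sessionId: {}", sid);
                configuration.findLogoutHandler().destroySessionBack(context, sessionStore, sid);
            } catch (final java.text.ParseException e) {
                logger.error("Cannot validate JWT logout token", e);
                throw BadRequestAction.INSTANCE;
            }
        } else {
            // front-channel logout
            final var sid = context.getRequestParameter(Pac4jConstants.OIDC_CLAIM_SESSIONID).orElse(null);
            logger.debug("Handling front-channel logout for sessionId: {}", sid);
            configuration.findLogoutHandler().destroySessionFront(context, sessionStore, sid);
        }
        // the logout response must not be cached by the browser or any intermediary
        context.setResponseHeader("Cache-Control", "no-cache, no-store");
        context.setResponseHeader("Pragma", "no-cache");
        throw new OkAction("");
    }

    final var computedCallbackUrl = client.computeFinalCallbackUrl(context);
    final var parameters = retrieveParameters(context);
    final AuthenticationResponse response;
    try {
        response = AuthenticationResponseParser.parse(new URI(computedCallbackUrl), parameters);
    } catch (final URISyntaxException | ParseException e) {
        throw new TechnicalException(e);
    }
    if (response instanceof AuthenticationErrorResponse) {
        logger.error("Bad authentication response, error={}", ((AuthenticationErrorResponse) response).getErrorObject());
        return Optional.empty();
    }
    logger.debug("Authentication response successful");
    final var successResponse = (AuthenticationSuccessResponse) response;

    if (configuration.isWithState()) {
        // Validate state for CSRF mitigation: the value stored when the authentication request was
        // built must match the one echoed back by the provider.
        final var requestState = (State) configuration.getValueRetriever()
            .retrieve(client.getStateSessionAttributeName(), client, context, sessionStore)
            .orElseThrow(() -> new TechnicalException("State cannot be determined"));
        final var responseState = successResponse.getState();
        if (responseState == null) {
            throw new TechnicalException("Missing state parameter");
        }
        logger.debug("Request state: {}/response state: {}", requestState, responseState);
        if (!requestState.equals(responseState)) {
            throw new TechnicalException("State parameter is different from the one sent in authentication request.");
        }
    }

    // copy whatever the provider returned; which of the three are present depends on the response type
    final var credentials = new OidcCredentials();
    final var code = successResponse.getAuthorizationCode();
    if (code != null) {
        credentials.setCode(code);
    }
    final var idToken = successResponse.getIDToken();
    if (idToken != null) {
        credentials.setIdToken(idToken);
    }
    final var accessToken = successResponse.getAccessToken();
    if (accessToken != null) {
        credentials.setAccessToken(accessToken);
    }
    return Optional.of(credentials);
}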