
Example 1 with AuthenticationResponse

Use of com.nimbusds.openid.connect.sdk.AuthenticationResponse in project pac4j by pac4j.

From the class OidcExtractor, method extract.

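/**
 * Extracts OIDC credentials from the callback request, or handles an OIDC logout request.
 *
 * <p>If the request carries the {@code Pac4jConstants.LOGOUT_ENDPOINT_PARAMETER} parameter it is a
 * logout request: a {@code logout_token} parameter selects back-channel logout (the session id is read
 * from the token's {@code Pac4jConstants.OIDC_CLAIM_SESSIONID} claim), otherwise front-channel logout
 * (the session id is read from the request parameter of the same name). The configured logout handler
 * destroys the session, no-cache headers are set and an {@link OkAction} is thrown, so this method
 * never returns for a logout request.
 *
 * <p>Otherwise the request parameters are parsed as an OpenID Connect authentication response against
 * the computed callback URL. An error response yields an empty optional; a success response has its
 * state checked (when state is enabled) and its code, ID token and access token copied into the credentials.
 *
 * @param context the web context
 * @param sessionStore the session store
 * @return the extracted {@link OidcCredentials}, or an empty optional if the provider returned an error response
 * @throws BadRequestAction if the back-channel logout token cannot be parsed as a JWT, or its session id
 *         claim is not a string
 * @throws OkAction once a logout request has been handled
 * @throws TechnicalException if the callback URL or the authentication response cannot be parsed, or if
 *         the state check fails
 */
@Override
public Optional<Credentials> extract(final WebContext context, final SessionStore sessionStore) {
    final var logoutEndpoint = context.getRequestParameter(Pac4jConstants.LOGOUT_ENDPOINT_PARAMETER).isPresent();
    if (logoutEndpoint) {
        final var logoutToken = context.getRequestParameter("logout_token");
        // back-channel logout
        if (logoutToken.isPresent()) {
            try {
                final var jwt = JWTParser.parse(logoutToken.get());
                // we should use the tokenValidator, but we can't as validation fails on missing claims: exp, iat...
                // final IDTokenClaimsSet claims = configuration.findTokenValidator().validate(jwt, null);
                // final String sid = (String) claims.getClaim(Pac4jConstants.OIDC_CLAIM_SESSIONID);
                //
                // NOTE(review): the token's signature is not verified here, so the sid is untrusted request
                // input and must be treated like any other request parameter downstream — TODO confirm
                // what destroySessionBack() relies on.
                // getStringClaim() turns a non-string claim into a ParseException (rejected as a bad request
                // below) rather than letting a ClassCastException escape this method.
                final var sid = jwt.getJWTClaimsSet().getStringClaim(Pac4jConstants.OIDC_CLAIM_SESSIONID);
                logger.debug("Handling back-channel logout for sessionId: {}", sid);
                configuration.findLogoutHandler().destroySessionBack(context, sessionStore, sid);
            } catch (final java.text.ParseException e) {
                logger.error("Cannot validate JWT logout token", e);
                throw BadRequestAction.INSTANCE;
            }
        } else {
            final var sid = context.getRequestParameter(Pac4jConstants.OIDC_CLAIM_SESSIONID).orElse(null);
            logger.debug("Handling front-channel logout for sessionId: {}", sid);
            // front-channel logout
            configuration.findLogoutHandler().destroySessionFront(context, sessionStore, sid);
        }
        // the logout response must never be served from a cache
        context.setResponseHeader("Cache-Control", "no-cache, no-store");
        context.setResponseHeader("Pragma", "no-cache");
        throw new OkAction("");
    } else {
        final var computedCallbackUrl = client.computeFinalCallbackUrl(context);
        final var parameters = retrieveParameters(context);
        AuthenticationResponse response;
        try {
            response = AuthenticationResponseParser.parse(new URI(computedCallbackUrl), parameters);
        } catch (final URISyntaxException | ParseException e) {
            throw new TechnicalException(e);
        }
        if (response instanceof AuthenticationErrorResponse) {
            logger.error("Bad authentication response, error={}", ((AuthenticationErrorResponse) response).getErrorObject());
            return Optional.empty();
        }
        logger.debug("Authentication response successful");
        var successResponse = (AuthenticationSuccessResponse) response;
        if (configuration.isWithState()) {
            validateState(successResponse, context, sessionStore);
        }
        return Optional.of(toCredentials(successResponse));
    }
}

/**
 * Checks that the state echoed in the authentication response equals the one stored for this request
 * (CSRF mitigation).
 *
 * @param successResponse the successful authentication response
 * @param context the web context
 * @param sessionStore the session store
 * @throws TechnicalException if the stored state cannot be retrieved, the response carries no state,
 *         or the two differ
 */
private void validateState(final AuthenticationSuccessResponse successResponse, final WebContext context,
                           final SessionStore sessionStore) {
    // the stored state is looked up first so that a missing session value is reported as such
    final var requestState = (State) configuration.getValueRetriever()
        .retrieve(client.getStateSessionAttributeName(), client, context, sessionStore)
        .orElseThrow(() -> new TechnicalException("State cannot be determined"));
    final var responseState = successResponse.getState();
    if (responseState == null) {
        throw new TechnicalException("Missing state parameter");
    }
    logger.debug("Request state: {}/response state: {}", requestState, responseState);
    if (!requestState.equals(responseState)) {
        throw new TechnicalException("State parameter is different from the one sent in authentication request.");
    }
}

/**
 * Builds the credentials from a successful authentication response, copying the authorization code,
 * ID token and access token only when the response contains them.
 *
 * @param successResponse the successful authentication response
 * @return the new credentials
 */
private static OidcCredentials toCredentials(final AuthenticationSuccessResponse successResponse) {
    final var credentials = new OidcCredentials();
    // get authorization code
    final var code = successResponse.getAuthorizationCode();
    if (code != null) {
        credentials.setCode(code);
    }
    // get ID token
    final var idToken = successResponse.getIDToken();
    if (idToken != null) {
        credentials.setIdToken(idToken);
    }
    // get access token
    final var accessToken = successResponse.getAccessToken();
    if (accessToken != null) {
        credentials.setAccessToken(accessToken);
    }
    return credentials;
}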