
Example 1 with Prompt

Use of com.nimbusds.openid.connect.sdk.Prompt in the project OpenConext-oidcng by OpenConext.

From the class AuthorizationEndpoint, method validatePrompt:

/**
 * Reads the {@code prompt} parameter from a raw authorization request and validates it.
 * <p>
 * Only the first {@code prompt} value is considered; an absent or empty parameter is passed
 * on as {@code null}. Parsing is delegated to Nimbus {@link Prompt#parse(String)}, which rejects
 * values outside the OIDC-defined set, and the result goes through {@link #validatePrompt(Prompt)}.
 *
 * @param request the authorization request parameters (name → values), as received from the client
 * @return the validated prompt string, or whatever {@link #validatePrompt(Prompt)} returns for {@code null}
 * @throws ParseException when the value cannot be parsed as an OIDC prompt
 */
public static String validatePrompt(Map<String, List<String>> request) throws ParseException {
    List<String> rawPrompts = request.get("prompt");
    String firstPrompt = null;
    if (!CollectionUtils.isEmpty(rawPrompts)) {
        // Repeated prompt parameters are not merged; the first one wins.
        firstPrompt = rawPrompts.get(0);
    }
    return validatePrompt(Prompt.parse(firstPrompt));
}

Example 2 with Prompt

Use of com.nimbusds.openid.connect.sdk.Prompt in the project OpenConext-oidcng by OpenConext.

From the class AuthorizationEndpoint, method doAuthorization:

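/**
 * Finishes an OAuth2/OIDC authorization request once the user has been authenticated through SAML.
 * <p>
 * In order: parse the request, resolve the client, validate redirect_uri, scopes and response_type
 * against that client, optionally divert to the consent screen, terminate the local session, and
 * finally deliver the code or tokens to the RP in the response mode the request implies
 * (form_post, query or fragment).
 *
 * @param parameters         the raw authorization request parameters (query or form body)
 * @param samlAuthentication the completed SAML authentication carrying the {@link User}
 * @param request            the servlet request; used only to end the local session
 * @param consentRequired    feature toggle — when {@code false} the consent screen is never shown
 * @return the view that carries the response to the RP (a redirect, or an auto-submitting form)
 * @throws UnknownClientException   when the client_id is not registered (unchecked)
 * @throws ParseException           when the request (or its JWT request object) cannot be parsed
 * @throws IllegalArgumentException when the response_type / response_mode combination is not supported
 */
private ModelAndView doAuthorization(MultiValueMap<String, String> parameters, OidcSamlAuthentication samlAuthentication, HttpServletRequest request, boolean consentRequired) throws ParseException, CertificateException, JOSEException, IOException, BadJOSEException, java.text.ParseException, URISyntaxException {
    AuthorizationRequest authenticationRequest = AuthorizationRequest.parse(parameters);
    Scope scope = authenticationRequest.getScope();
    boolean isOpenIdClient = scope != null && isOpenIDRequest(scope.toStringList());
    String clientId = authenticationRequest.getClientID().getValue();
    // Resolve the client first: everything below (redirect_uri, scopes, grant type) is validated against it.
    OpenIDClient client = openIDClientRepository.findOptionalByClientId(clientId).orElseThrow(() -> new UnknownClientException(clientId));
    MDCContext.mdcContext("action", "Authorize", "rp", client.getClientId());
    if (isOpenIdClient) {
        AuthenticationRequest oidcAuthenticationRequest = AuthenticationRequest.parse(parameters);
        if (oidcAuthenticationRequest.specifiesRequestObject()) {
            // A 'request'/'request_uri' JWT replaces the plain parameters; JWTRequest.parse resolves it for this client.
            oidcAuthenticationRequest = JWTRequest.parse(oidcAuthenticationRequest, client);
            LOG.debug("/oidc/authorize with JWT 'request'");
        }
        // swap reference
        authenticationRequest = oidcAuthenticationRequest;
    }
    State state = authenticationRequest.getState();
    // The redirect target is taken from the validated result, never straight from the request.
    String redirectURI = validateRedirectionURI(authenticationRequest.getRedirectionURI(), client).getRedirectURI();
    List<String> scopes = validateScopes(openIDClientRepository, authenticationRequest.getScope(), client);
    ResponseType responseType = validateGrantType(authenticationRequest, client);
    User user = samlAuthentication.getUser();
    MDCContext.mdcContext(user);
    if (scope != null) {
        List<String> scopeList = scope.toStringList();
        boolean apiScopeRequested = !(scopeList.size() == 0 || (scopeList.size() == 1 && scopeList.contains("openid")));
        Set<String> filteredScopes = scopeList.stream().filter(s -> !s.equalsIgnoreCase("openid")).map(String::toLowerCase).collect(toSet());
        List<OpenIDClient> resourceServers = openIDClientRepository.findByScopes_NameIn(filteredScopes);
        Prompt prompt = authenticationRequest.getPrompt();
        boolean consentFromPrompt = prompt != null && prompt.toStringList().contains("consent");
        /*
             * We prompt for consent when the following conditions are met:
             *   Consent feature toggle is on
             *   The RP has requested scope(s) other than openid
             *   Manage attribute "oidc:consentRequired" is true for the RP or the RP has explicitly asked for consent
             *   There is at least one ResourceServer that has the requested scope(s) configured in manage
             */
        if (consentRequired && apiScopeRequested && (consentFromPrompt || client.isConsentRequired()) && resourceServers.size() > 0) {
            // NOTE(review): this logs User#toString(); confirm it does not include attributes that should stay out of logs.
            LOG.info("Asking for consent for User " + user + " and scopes " + scopes);
            return doConsent(parameters, client, filteredScopes, resourceServers);
        }
    }
    // No SSO at this layer (EngineBlock does not provide it either); the session ends here and SSO is left to the IdP.
    logout(request);
    ResponseMode responseMode = authenticationRequest.impliedResponseMode();
    if (responseType.impliesCodeFlow()) {
        AuthorizationCode authorizationCode = createAndSaveAuthorizationCode(authenticationRequest, client, user);
        // Log the mode actually used rather than a fixed FORM_POST, so the log matches the branch taken below.
        LOG.debug(String.format("Returning authorizationCode flow %s %s", responseMode, redirectURI));
        if (responseMode.equals(ResponseMode.FORM_POST)) {
            Map<String, String> body = new HashMap<>();
            body.put("redirect_uri", redirectURI);
            body.put("code", authorizationCode.getCode());
            if (state != null && StringUtils.hasText(state.getValue())) {
                body.put("state", state.getValue());
            }
            return new ModelAndView("form_post", body);
        }
        return new ModelAndView(new RedirectView(authorizationRedirect(redirectURI, state, authorizationCode.getCode(), responseMode.equals(ResponseMode.FRAGMENT))));
    } else if (responseType.impliesImplicitFlow() || responseType.impliesHybridFlow()) {
        if (responseType.impliesImplicitFlow()) {
            // User information is encrypted in access token
            LOG.debug("Deleting user " + user.getSub());
            userRepository.delete(user);
        }
        Map<String, Object> body = authorizationEndpointResponse(user, client, authenticationRequest, scopes, responseType, state);
        LOG.debug(String.format("Returning implicit flow %s %s", responseMode, redirectURI));
        if (responseMode.equals(ResponseMode.FORM_POST)) {
            body.put("redirect_uri", redirectURI);
            return new ModelAndView("form_post", body);
        }
        if (responseMode.equals(ResponseMode.QUERY)) {
            // queryParam + toUriString() percent-encodes names and values, so a reflected 'state' cannot split the query.
            UriComponentsBuilder builder = UriComponentsBuilder.fromUriString(redirectURI);
            body.forEach(builder::queryParam);
            return new ModelAndView(new RedirectView(builder.toUriString()));
        }
        if (responseMode.equals(ResponseMode.FRAGMENT)) {
            // Encode the fragment parameters exactly like query parameters instead of concatenating raw
            // key=value pairs: '&' and '=' are legal inside a URI fragment, so a request-supplied 'state'
            // containing them would otherwise be read by the RP as extra fragment parameters.
            UriComponentsBuilder fragmentParams = UriComponentsBuilder.newInstance();
            body.forEach(fragmentParams::queryParam);
            String encodedFragment = fragmentParams.build().encode().getQuery();
            // Encode the redirect URI once (as toUriString() did before) and append the already-encoded
            // fragment by hand, so its percent escapes are not encoded a second time. Any fragment the
            // registered redirect URI itself carried is replaced, matching the previous behaviour.
            String encodedRedirect = UriComponentsBuilder.fromUriString(redirectURI).fragment(null).build().encode().toUriString();
            return new ModelAndView(new RedirectView(encodedRedirect + "#" + encodedFragment));
        }
        throw new IllegalArgumentException("Response mode " + responseMode + " not supported");
    }
    throw new IllegalArgumentException("Not yet implemented response_type: " + responseType.toString());
}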

Example 3 with Prompt

Use of com.nimbusds.openid.connect.sdk.Prompt in the project OpenConext-oidcng by OpenConext.

From the class AuthnRequestConverter, method enhanceAuthenticationRequest:

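/**
 * Enriches the outgoing SAML AuthnRequest with the parts of the OIDC authorization request the IdP
 * must honour: the requesting SP (derived from client_id), ForceAuthn (from prompt=login or max_age),
 * requested ACR values, and an IdP list derived from login_hint. When a JWT request object
 * ('request' or 'request_uri') is present, its prompt, max_age and acr_values are applied as well.
 *
 * @param authnRequest the SAML request to enrich; mutated in place and returned
 * @param request      the OIDC authorization request parameters (name → values)
 * @return the same {@code authnRequest} instance
 * @throws ParseException               when the prompt parameter is not a valid OIDC prompt
 * @throws UnsupportedEncodingException declared by {@link URLDecoder}; cannot occur for UTF-8
 * @throws UnknownClientException       when a request object is present but client_id is unknown (unchecked)
 * @throws RuntimeException             wrapping any failure while parsing or validating the request object
 */
private AuthnRequest enhanceAuthenticationRequest(AuthnRequest authnRequest, Map<String, List<String>> request) throws ParseException, UnsupportedEncodingException {
    String clientId = param("client_id", request);
    String entityId = ServiceProviderTranslation.translateClientId(clientId);
    authnRequest.setScoping(getScoping(Arrays.asList(entityId)));
    // OIDC prompt=login maps to SAML ForceAuthn. The value is parsed/validated by AuthorizationEndpoint first.
    String prompt = AuthorizationEndpoint.validatePrompt(request);
    authnRequest.setForceAuthn(prompt != null && prompt.contains("login"));
    // prompt=none is deliberately NOT mapped to IsPassive, pending the discussion with the certification
    // committee; the candidate mapping was: authnRequest.setPassive("none".equals(prompt));
    // Any max_age also forces re-authentication (presumably because the SAML IdP cannot report auth_time).
    if (!authnRequest.isForceAuthn() && StringUtils.hasText(param("max_age", request))) {
        authnRequest.setForceAuthn(true);
    }
    String acrValues = param("acr_values", request);
    if (StringUtils.hasText(acrValues)) {
        // acr_values is a space-separated list per OIDC Core.
        List<ACR> acrList = Arrays.stream(acrValues.split(" ")).map(ACR::new).collect(Collectors.toList());
        parseAcrValues(authnRequest, acrList);
    }
    String requestP = param("request", request);
    String requestUrlP = param("request_uri", request);
    if (StringUtils.hasText(requestP) || StringUtils.hasText(requestUrlP)) {
        OpenIDClient openIDClient = openIDClientRepository.findOptionalByClientId(clientId).orElseThrow(() -> new UnknownClientException(clientId));
        try {
            com.nimbusds.openid.connect.sdk.AuthenticationRequest authRequest = com.nimbusds.openid.connect.sdk.AuthenticationRequest.parse(request);
            // Resolve the JWT request object against the client; its claims take precedence below.
            authRequest = JWTRequest.parse(authRequest, openIDClient);
            List<ACR> acrValuesObjects = authRequest.getACRValues();
            parseAcrValues(authnRequest, acrValuesObjects);
            Prompt authRequestPrompt = authRequest.getPrompt();
            prompt = AuthorizationEndpoint.validatePrompt(authRequestPrompt);
            // Nimbus reports an absent max_age as -1, so 0 (which OIDC treats like prompt=login) also forces authn.
            if (!authnRequest.isForceAuthn() && authRequest.getMaxAge() > -1) {
                authnRequest.setForceAuthn(true);
            }
            // ForceAuthn already set from the plain parameters is never cleared here.
            if (!authnRequest.isForceAuthn() && prompt != null) {
                authnRequest.setForceAuthn(prompt.contains("login"));
            }
        } catch (Exception e) {
            // Cause is preserved; note this also converts a ParseException (client error) into an unchecked failure.
            throw new RuntimeException(e);
        }
    }
    String loginHint = param("login_hint", request);
    if (StringUtils.hasText(loginHint)) {
        // Decode as UTF-8 explicitly: the platform default charset is not guaranteed to be UTF-8 before Java 18.
        // NOTE(review): param() presumably returns the container-decoded value already; decoding a second time
        // turns a literal '+' into a space — confirm this double decode is intentional.
        loginHint = URLDecoder.decode(loginHint, "UTF-8");
        IDPList idpList = addIdpEntries(loginHint);
        Scoping scoping = authnRequest.getScoping();
        scoping.setIDPList(idpList);
    }
    return authnRequest;
}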
