
Example 1 with OpenIDConnectConfig

Use of `com.tremolosecurity.idp.providers.oidc.model.OpenIDConnectConfig` in project OpenUnison by TremoloSecurity: the `doGet` method of class TokenData, which dispatches the OIDC identity-provider endpoints (discovery, JWKS, authorization, federation completion and userinfo).

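/**
 * Front controller for the OpenID Connect IdP endpoints.
 *
 * The action is read from the {@code IDP.ACTION_NAME} request attribute set upstream by the
 * proxy and dispatched as follows:
 * <ul>
 *   <li>{@code .well-known/openid-configuration} - the discovery document as pretty-printed JSON</li>
 *   <li>{@code certs} - a JWKS containing the public key of the RS256 signing certificate</li>
 *   <li>{@code auth} - an authorization request; see {@link #handleAuthRequest}</li>
 *   <li>{@code completefed} and {@code userinfo} - delegated to the existing helpers</li>
 * </ul>
 * Any other action falls through and produces an empty response, as before.
 *
 * Security: an unknown {@code client_id} or a {@code redirect_uri} that fails validation is
 * answered with HTTP 400 on this channel and is never redirected to (RFC 6749 section 4.1.2.1).
 * Redirecting to the request-supplied URI in those cases made the IdP an open redirector.
 *
 * @param request  the proxied request; the {@code IDP.ACTION_NAME} and {@code AUTOIDM_CFG}
 *                 attributes must be present
 * @param response the response that receives the JSON body, the redirect or the error status
 * @throws ServletException if required request/session context is missing, the IdP is
 *                          misconfigured (no or unknown auth chain, missing signing certificate)
 *                          or the JWKS cannot be built
 * @throws IOException      if writing the response or sending the redirect fails
 */
public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
    // API-style clients get an in-band error from the proxy instead of a redirect on failure.
    String accept = request.getHeader("Accept");
    if (accept != null && accept.startsWith("application/json")) {
        request.setAttribute("com.tremolosecurity.unison.proxy.noRedirectOnError", "com.tremolosecurity.unison.proxy.noRedirectOnError");
    }

    String action = (String) request.getAttribute(IDP.ACTION_NAME);
    if (action == null) {
        throw new ServletException("Action is null");
    }
    UrlHolder holder = (UrlHolder) request.getAttribute(ProxyConstants.AUTOIDM_CFG);
    if (holder == null) {
        throw new ServletException("Holder is null");
    }
    HttpSession session = request.getSession();
    // The proxy is expected to seed every session with an AuthController (cf. createAnonUser in
    // the step-up path); fail with a descriptive error rather than an NPE in the access-log calls.
    AuthController ac = (AuthController) session.getAttribute(ProxyConstants.AUTH_CTL);
    if (ac == null) {
        throw new ServletException("No authentication controller in session");
    }

    if (action.equalsIgnoreCase(".well-known/openid-configuration")) {
        Gson gson = new GsonBuilder().setPrettyPrinting().create();
        String json = gson.toJson(new OpenIDConnectConfig(this.authURI, request, mapper));
        response.setContentType("application/json");
        response.getWriter().print(json);
        AccessLog.log(AccessEvent.AzSuccess, holder.getApp(), request, ac.getAuthInfo(), "NONE");
    } else if (action.equalsIgnoreCase("certs")) {
        try {
            // Only the certificate's public key is exported, tagged with a kid derived from it.
            X509Certificate cert = GlobalEntries.getGlobalEntries().getConfigManager().getCertificate(this.jwtSigningKeyName);
            if (cert == null) {
                throw new ServletException("Signing certificate '" + this.jwtSigningKeyName + "' not found");
            }
            JsonWebKey jwk = JsonWebKey.Factory.newJwk(cert.getPublicKey());
            jwk.setKeyId(buildKID(cert));
            jwk.setUse("sig");
            jwk.setAlgorithm("RS256");
            response.setContentType("application/json");
            response.getWriter().print(new JsonWebKeySet(jwk).toJson());
            AccessLog.log(AccessEvent.AzSuccess, holder.getApp(), request, ac.getAuthInfo(), "NONE");
        } catch (JoseException e) {
            throw new ServletException("Could not generate jwt", e);
        }
    } else if (action.equalsIgnoreCase("auth")) {
        handleAuthRequest(request, response, session, holder, ac);
    } else if (action.contentEquals("completefed")) {
        this.completeFederation(request, response);
    } else if (action.equalsIgnoreCase("userinfo")) {
        try {
            processUserInfoRequest(request, response);
        } catch (Exception e) {
            throw new ServletException("Could not process userinfo request", e);
        }
    }
}

/**
 * Processes an {@code auth} action (OAuth 2.0 / OIDC authorization request).
 *
 * Order matters: the client is resolved and {@code redirect_uri} validated before the browser is
 * redirected anywhere, then the scope policy is applied, then the transaction is parked in the
 * session and the configured authentication chain is run (or skipped when the session already
 * satisfies its level).
 *
 * @param request  the authorization request carrying client_id, redirect_uri, scope, state, nonce
 * @param response receives either a 400 (unknown client / bad redirect_uri), an OAuth error
 *                 redirect (scope problems) or the next step of the auth chain
 * @param session  the current session; the transaction is stored under TRANSACTION_DATA
 * @param holder   the URL configuration used for logging and the auth-chain lookup
 * @param ac       the session's authentication controller (non-null)
 * @throws ServletException if the trust has no authentication chain or the named chain is not
 *                          defined in the configuration
 * @throws IOException      if sending the response fails
 */
private void handleAuthRequest(HttpServletRequest request, HttpServletResponse response, HttpSession session, UrlHolder holder, AuthController ac) throws IOException, ServletException {
    String clientID = request.getParameter("client_id");
    String redirectURI = request.getParameter("redirect_uri");

    // An unknown client has no registered redirect URI we could trust, so the only safe answer is
    // an error on this channel. Redirecting to the request-supplied URI here would let anyone
    // bounce victims through the IdP to an arbitrary site.
    // NOTE(review): client_id is attacker-controlled; confirm the logging layer neutralises CR/LF
    // before this line reaches a log that is parsed downstream.
    OpenIDConnectTrust trust = trusts.get(clientID);
    if (trust == null) {
        logger.warn("Trust '" + clientID + "' not found");
        AccessLog.log(AccessEvent.AzFail, holder.getApp(), request, ac.getAuthInfo(), "NONE");
        response.sendError(400, "unauthorized_client");
        return;
    }

    // Without a redirect_uri there is nowhere to deliver the result; previously this produced
    // "null?error=..." redirects further down.
    if (redirectURI == null) {
        logger.warn("Missing redirect_uri");
        AccessLog.log(AccessEvent.AzFail, holder.getApp(), request, ac.getAuthInfo(), "NONE");
        response.sendError(400, "invalid_request");
        return;
    }

    // Only the registered value may decide where the browser goes next. A mismatch is reported on
    // this channel, never via a redirect to the rejected URI.
    // NOTE(review): if getRedirectURI() returns a String this is a substring test rather than the
    // exact match RFC 6749 section 3.1.2.3 requires - confirm it is a collection of registered URIs.
    if (trust.isVerifyRedirect() && !trust.getRedirectURI().contains(redirectURI)) {
        logger.warn("Invalid redirect");
        AccessLog.log(AccessEvent.AzFail, holder.getApp(), request, ac.getAuthInfo(), "NONE");
        response.sendError(400, "invalid_request");
        return;
    }
    // From here on redirectURI is registered, or verification is disabled for this trust. With
    // verifyRedirect=false the error redirects below still target an unvalidated URI; that setting
    // should not be used outside development.

    OpenIDConnectTransaction transaction = new OpenIDConnectTransaction();
    transaction.setClientID(clientID);
    transaction.setResponseCode(request.getParameter("response_type"));
    transaction.setNonce(request.getParameter("nonce"));
    transaction.setState(request.getParameter("state"));
    transaction.setRedirectURI(redirectURI);
    // scope is space-delimited (RFC 6749 section 3.3); a missing parameter yields an empty list
    // instead of an NPE.
    String scope = request.getParameter("scope");
    if (scope != null) {
        StringTokenizer toker = new StringTokenizer(scope, " ", false);
        while (toker.hasMoreTokens()) {
            transaction.getScope().add(toker.nextToken());
        }
    }

    // NOTE(review): the error redirects below omit the client's state parameter, which RFC 6749
    // section 4.1.2.1 requires to be echoed when present; unchanged from the original.
    if (this.scopes == null) {
        // Default policy: "openid" must lead the scope list. It is consumed here because the rest
        // of the flow only works with the additional scopes.
        if (transaction.getScope().isEmpty() || !"openid".equals(transaction.getScope().get(0))) {
            logger.warn("First scope not openid");
            AccessLog.log(AccessEvent.AzFail, holder.getApp(), request, ac.getAuthInfo(), "NONE");
            response.sendRedirect(errorRedirect(transaction.getRedirectURI(), "invalid_scope"));
            return;
        }
        transaction.getScope().remove(0);
    } else {
        // An explicit allow-list is configured: every requested scope must be on it.
        for (String indvScope : transaction.getScope()) {
            if (!this.scopes.contains(indvScope)) {
                logger.warn("Scope '" + indvScope + "' not recognized");
                AccessLog.log(AccessEvent.AzFail, holder.getApp(), request, ac.getAuthInfo(), "NONE");
                response.sendRedirect(errorRedirect(transaction.getRedirectURI(), "invalid_scope"));
                return;
            }
        }
    }

    String authChain = trust.getAuthChain();
    if (authChain == null) {
        throw new ServletException("IdP does not have an authenticaiton chain configured");
    }
    AuthChainType act = holder.getConfig().getAuthChains().get(authChain);
    if (act == null) {
        // A trust naming a chain that is not in the configuration previously NPE'd on act.getLevel().
        throw new ServletException("Authentication chain '" + authChain + "' is not defined");
    }
    session.setAttribute(OpenIDConnectIdP.TRANSACTION_DATA, transaction);

    AuthInfo authData = ac.getAuthInfo();
    if (authData == null) {
        nextAuth(request, response, session, false, act);
    } else if (authData.getAuthLevel() < act.getLevel()) {
        // Step-up: the session's authentication is weaker than the chain requires, so the current
        // identity is discarded and the chain runs from a fresh anonymous user.
        session.removeAttribute(ProxyConstants.AUTH_CTL);
        holder.getConfig().createAnonUser(session);
        nextAuth(request, response, session, false, act);
    } else if (!authData.isAuthComplete()) {
        // Strong enough but still in progress: continue the chain.
        nextAuth(request, response, session, false, act);
    } else {
        // Already authenticated at the required level: go straight to the final URL.
        response.sendRedirect(genFinalURL(request).toString());
        // TODO if session already exists extend the life of the id_token
    }
}

/**
 * Builds {@code redirectURI} with an OAuth error code appended, using {@code &} when the
 * registered URI already carries a query string (the original always appended {@code ?}).
 * Only call this with a redirect URI that has passed validation.
 *
 * @param redirectURI the validated, non-null redirect URI
 * @param error       the OAuth error code, e.g. {@code invalid_scope}
 * @return the redirect target including the error parameter
 */
private static String errorRedirect(String redirectURI, String error) {
    String sep = redirectURI.indexOf('?') >= 0 ? "&" : "?";
    return redirectURI + sep + "error=" + error;
}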