use of edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2ServiceTransaction in project OA4MP by ncsa.
the class RefreshTokenRetentionPolicy method retain.
/**
 * Retention test for the transaction store: keep the entry while its token timestamp is still valid.
 * <p>
 * When the transaction carries a refresh token, that token's embedded timestamp is checked against
 * the transaction's refresh-token lifetime, or against the {@link DateUtils} default when the
 * lifetime is not positive. Without a refresh token the access token's timestamp stands in, and
 * without an access token the creation time encoded in the transaction identifier does.
 *
 * @param key   the store key; not consulted, the decision is made from {@code value} alone
 * @param value the stored {@link OA2ServiceTransaction}
 * @return {@code true} to keep the entry, {@code false} once {@link DateUtils#checkTimestamp} rejects it
 */
@Override
public boolean retain(Object key, Object value) {
    OA2ServiceTransaction transaction = (OA2ServiceTransaction) value;
    RefreshToken refreshToken = transaction.getRefreshToken();
    long lifetime = transaction.getRefreshTokenLifetime();

    if (refreshToken == null || refreshToken.getToken() == null) {
        // No refresh token to judge by: fall back to the access token's timestamp, and if there is
        // no access token either, to the creation time carried in the identifier string.
        String fallback = transaction.getAccessToken() == null
                ? transaction.getIdentifierString()
                : transaction.getAccessToken().getToken();
        // The configured lifetime applies to refresh tokens only, so the fallback uses the default window.
        return hasValidTimestamp(fallback, 0L);
    }
    return hasValidTimestamp(refreshToken.getToken(), lifetime);
}

/**
 * Wraps {@link DateUtils#checkTimestamp} as a boolean: {@code true} when the token's timestamp is
 * accepted, {@code false} when it throws {@link InvalidTimestampException}.
 * A non-positive {@code lifetime} selects the single-argument (default window) check.
 */
private boolean hasValidTimestamp(String token, long lifetime) {
    try {
        if (lifetime <= 0) {
            DateUtils.checkTimestamp(token);
        } else {
            DateUtils.checkTimestamp(token, lifetime);
        }
        return true;
    } catch (InvalidTimestampException expired) {
        return false;
    }
}
use of edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2ServiceTransaction in project OA4MP by ncsa.
the class XsedeClaimsSource method process.
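/**
 * Fills in the XSEDE-backed claims for the scopes the transaction requested: given/middle/family
 * name for {@code profile}, e-mail for {@code email}, and the {@code xsedeHomeOrganization} claim
 * for the XSEDE scope.
 * <p>
 * The lookup against the XSEDE user database ({@code getUserInfo}) is skipped when the transaction
 * has no username, or when {@code userInfo} already holds every claim the requested scopes need.
 *
 * @param userInfo    claims assembled so far; updated in place and returned
 * @param transaction the current transaction, expected to be an {@link OA2ServiceTransaction}
 * @return {@code userInfo}, possibly with name, e-mail and home-organization claims set
 * @throws UnsupportedScopeException declared by the interface; not raised by this implementation
 */
@Override
public UserInfo process(UserInfo userInfo, ServiceTransaction transaction) throws UnsupportedScopeException {
    OA2ServiceTransaction t = (OA2ServiceTransaction) transaction;
    myLogger.info("In XSEDE scope handler9: " + getScopes());
    String subject = t.getUsername();
    if (subject == null) {
        myLogger.debug("No subject available in transaction");
        // nothing can be done without subject info
        return userInfo;
    }
    final String homeOrgClaim = "xsedeHomeOrganization";
    boolean wantsProfile = t.getScopes().contains(SCOPE_PROFILE);
    boolean wantsEmail = t.getScopes().contains(SCOPE_EMAIL);
    boolean wantsXsede = t.getScopes().contains(SCOPE_XSEDE);

    // NOTE(review): these debug lines write names, e-mail and home organization (PII) to the log.
    // Consider reducing them to presence flags unless the log store is access-controlled.
    myLogger.debug("Profile:" + wantsProfile + ":" + userInfo.getGiven_name() + ":" + userInfo.getMiddle_name() + ":" + userInfo.getFamily_name());
    myLogger.debug("EMAIL:" + userInfo.getEmail());
    myLogger.debug("XSEDE:" + userInfo.getString(homeOrgClaim));

    // A scope counts as satisfied when it was not requested or every claim it needs is already present.
    boolean profileSatisfied = !wantsProfile
            || (userInfo.getGiven_name() != null && userInfo.getMiddle_name() != null && userInfo.getFamily_name() != null);
    boolean emailSatisfied = !wantsEmail || userInfo.getEmail() != null;
    boolean xsedeSatisfied = !wantsXsede || userInfo.getString(homeOrgClaim) != null;
    if (profileSatisfied && emailSatisfied && xsedeSatisfied) {
        myLogger.info("Info for all claims in requested scopes already " + "available in userInfo; skipping call to XDCDB");
        return userInfo;
    }

    // One or more requisite info missing; retrieve from XCDB and set
    JsonObject profile = getUserInfo(subject);
    if (profile == null) {
        // getUserInfo's contract is not visible here; a missing record leaves the claims as they
        // are instead of failing the whole claims pipeline with a NullPointerException.
        myLogger.info("No XSEDE profile found for subject; leaving userInfo unchanged");
        return userInfo;
    }
    if (wantsProfile) {
        myLogger.info("Processing profile scope in XSEDE handler");
        userInfo.setGiven_name(claimOrEmpty(profile, "first_name"));
        userInfo.setMiddle_name(claimOrEmpty(profile, "middle_name"));
        userInfo.setFamily_name(claimOrEmpty(profile, "last_name"));
    }
    if (wantsEmail) {
        myLogger.info("Processing email scope in XSEDE handler");
        userInfo.setEmail(claimOrEmpty(profile, "email"));
    }
    if (wantsXsede) {
        myLogger.info("Processing xsede scope in XSEDE handler");
        userInfo.put(homeOrgClaim, claimOrEmpty(profile, "organization"));
    }
    return userInfo;
}

/**
 * Reads a string member of the XDCDB profile, substituting {@code ""} for a JSON null so the
 * claim setters never receive {@code null}. Behaviour for an absent key is whatever
 * {@code JsonObject.isNull}/{@code getString} do for it; this helper adds no check of its own.
 */
private static String claimOrEmpty(JsonObject profile, String key) {
    return profile.isNull(key) ? "" : profile.getString(key);
}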
use of edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2ServiceTransaction in project OA4MP by ncsa.
the class OA2AuthorizationServer method createRedirect.
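/**
 * Records a client-requested refresh-token lifetime on the transaction, then hands the redirect
 * to the superclass.
 * <p>
 * The {@code AUTHORIZATION_REFRESH_TOKEN_LIFETIME_KEY} request parameter is untrusted client
 * input: it is read as whole seconds and stored in milliseconds. Text that is not a number, or a
 * value whose conversion to milliseconds would overflow a {@code long}, stores {@code 0}, which the
 * retention policy in this project treats as "use the default".
 *
 * @param request  the authorization request
 * @param response the response the redirect is written to
 * @param trans    the transaction being authorized, expected to be an {@link OA2ServiceTransaction}
 * @throws Throwable whatever the superclass redirect raises
 */
@Override
protected void createRedirect(HttpServletRequest request, HttpServletResponse response, ServiceTransaction trans) throws Throwable {
    String rawLifetime = request.getParameter(AUTHORIZATION_REFRESH_TOKEN_LIFETIME_KEY);
    OA2ServiceTransaction st2 = (OA2ServiceTransaction) trans;
    if (rawLifetime != null) {
        // NOTE(review): no upper bound is applied here, and negative values are stored as-is;
        // confirm the server-side maximum is enforced where the refresh token is actually issued.
        st2.setRefreshTokenLifetime(parseLifetimeMillis(rawLifetime));
    }
    super.createRedirect(request, response, trans);
}

/**
 * Converts a seconds value supplied by the client into milliseconds.
 *
 * @param rawSeconds the raw parameter text
 * @return the lifetime in milliseconds, or {@code 0} when the text is not a {@code long} or the
 *         multiplication would overflow. The previous {@code * 1000} wrapped silently on overflow,
 *         so an absurd request could become an arbitrary-looking positive lifetime.
 */
private static long parseLifetimeMillis(String rawSeconds) {
    try {
        return Math.multiplyExact(Long.parseLong(rawSeconds), 1000L);
    } catch (NumberFormatException | ArithmeticException e) {
        return 0L;
    }
}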
use of edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2ServiceTransaction in project OA4MP by ncsa.
the class OA2AuthorizedServlet method verifyAndGet.
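/**
 * Validates an incoming authorization request and turns it into a new, unsaved transaction.
 * <p>
 * Order matters: {@code state} is captured first because it must be echoed on every error
 * redirect, and the redirect URI is checked against the client's registered URIs before anything
 * else because all later errors are reported by redirecting to it.
 *
 * @param iResponse the parsed request, expected to be an {@link AGResponse}
 * @return the new transaction with scopes, callback and nonce set; it is not yet saved
 * @throws OA2RedirectableError       for an unsupported {@code display}, {@code max_age},
 *                                    {@code request} or {@code request_uri} parameter
 * @throws UnsupportedEncodingException declared for callers; not raised directly here
 */
@Override
public ServiceTransaction verifyAndGet(IssuerResponse iResponse) throws UnsupportedEncodingException {
    AGResponse agResponse = (AGResponse) iResponse;
    Map<String, String> params = agResponse.getParameters();
    // The state (if present) has to be returned with any error message, so read it before any check can fail.
    String state = params.get(STATE);

    // Spec says that the redirect must match one of the ones stored and if not, the request is rejected.
    String givenRedirect = params.get(REDIRECT_URI);
    OA2ClientCheck.check(agResponse.getClient(), givenRedirect);
    // by this point it has been verified that the redirect uri is valid.

    String rawSecret = params.get(CLIENT_SECRET);
    if (rawSecret != null) {
        info("Client is sending secret in initial request. Though not forbidden by the protocol this is discouraged.");
        // Compared in constant time and null-safely: the previous equals() threw NPE for a client
        // with no registered secret and short-circuited on the first differing byte. As before, a
        // mismatch is only logged; this endpoint does not authenticate the client.
        if (!constantTimeEquals(agResponse.getClient().getSecret(), rawSecret)) {
            info("And for what it is worth, the client sent along an incorrect secret too...");
        }
    }

    String nonce = params.get(NONCE);
    // FIX for OAUTH-180. Server must support clients that do not use a nonce. Just log it and rock on.
    if (nonce == null || nonce.isEmpty()) {
        info("No nonce in initial request for " + agResponse.getClient().getIdentifierString());
    } else {
        // Don't check it, just store it and return it later.
        NonceHerder.putNonce(nonce);
    }

    // DISPLAY_PAGE.equals(...) rather than the reverse so a null value yields the error, not an NPE.
    if (params.containsKey(DISPLAY) && !DISPLAY_PAGE.equals(params.get(DISPLAY))) {
        throw new OA2RedirectableError(OA2Errors.INVALID_REQUEST, "Only " + DISPLAY + "=" + DISPLAY_PAGE + " is supported", state, givenRedirect);
    }

    OA2ServiceTransaction st = createNewTransaction(agResponse.getGrant());
    info("Created new unsaved transaction with id=" + st.getIdentifierString());
    ArrayList<String> scopes = resolveScopes(st, params, state, givenRedirect);
    st.setScopes(scopes);
    st.setAuthGrantValid(false);
    st.setAccessTokenValid(false);
    // Store the callback the user needs to use for this request, since the spec allows for many.
    // givenRedirect is the same value already validated above.
    st.setCallback(URI.create(givenRedirect));
    // fine if the nonce is null or empty, just set what they sent.
    st.setNonce(nonce);

    // max_age is rejected rather than honoured: every request here already has an expiration date.
    if (params.containsKey(OA2Constants.MAX_AGE)) {
        throw new OA2RedirectableError(OA2Errors.INVALID_REQUEST, "The " + OA2Constants.MAX_AGE + " parameter is not supported at this time.", state, givenRedirect);
    }
    // and now check for a bunch of stuff that might fail.
    checkPrompts(params);
    if (params.containsKey(REQUEST)) {
        throw new OA2RedirectableError(OA2Errors.REQUEST_NOT_SUPPORTED, "The \"request\" parameter is not supported on this server", state, givenRedirect);
    }
    if (params.containsKey(REQUEST_URI)) {
        throw new OA2RedirectableError(OA2Errors.REQUEST_URI_NOT_SUPPORTED, "The \"request_uri\" parameter is not supported on this server", state, givenRedirect);
    }
    return st;
}

/**
 * Compares two secrets without short-circuiting on the first mismatch, so the comparison time does
 * not reveal how many leading characters matched. The registered secret's length is not concealed
 * (same as {@code MessageDigest.isEqual}). Either argument being {@code null} is a mismatch.
 */
private static boolean constantTimeEquals(String expected, String actual) {
    if (expected == null || actual == null) {
        return false;
    }
    char[] a = expected.toCharArray();
    char[] b = actual.toCharArray();
    int diff = a.length ^ b.length;
    for (int i = 0; i < a.length && i < b.length; i++) {
        diff |= a[i] ^ b[i];
    }
    return diff == 0;
}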
use of edu.uiuc.ncsa.myproxy.oa4mp.oauth2.OA2ServiceTransaction in project OA4MP by ncsa.
the class OA2AuthorizedServlet method CheckIdTokenHint.
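/**
 * Handles the OpenID Connect {@code id_token_hint} parameter on this endpoint.
 * <p>
 * When the parameter is present, the hint must be a JWT that verifies against this server's keys
 * ({@link JWTUtil#verifyAndReadJWT}). Its {@code sub} is used to look up a transaction in the store;
 * if one exists and the token's {@code aud} names that transaction's client, there is an active
 * logon and the request is answered with a bodiless {@code 200}. Otherwise a {@code login_required}
 * error is redirected to {@code callback}.
 *
 * @param httpServletRequest  the incoming request
 * @param httpServletResponse the response; only its status is set, on success
 * @param callback            the already-validated redirect URI used for error redirects
 * @return {@code false} when no {@code id_token_hint} was sent (the caller proceeds normally);
 *         {@code true} when the hint was accepted and {@code 200} has been set on the response
 * @throws GeneralException     if the hint does not parse or verify
 * @throws OA2RedirectableError if the hint lacks {@code sub} or {@code aud}, {@code aud} is not the
 *                              logged-in client, or no transaction exists for the subject
 * @throws NFWException         if the transaction store cannot be searched by username
 */
protected boolean CheckIdTokenHint(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String callback) {
    // getParameter() yields the single value. The previous String.valueOf(getParameterMap().get(...))
    // stringified a String[] ("[Ljava.lang.String;@..."), so the JWT could never verify.
    String rawIDToken = httpServletRequest.getParameter(ID_TOKEN_HINT);
    if (rawIDToken == null) {
        return false;
    }
    // state must accompany every error redirect below, so read it before anything can fail.
    String state = httpServletRequest.getParameter(STATE);

    JSONObject idToken;
    try {
        idToken = JWTUtil.verifyAndReadJWT(rawIDToken, ((OA2SE) getServiceEnvironment()).getJsonWebKeys());
    } catch (Throwable e) {
        // The verifier's exception types are not visible here; anything it raises means "bad hint".
        throw new GeneralException("Error: Cannot read ID token hint", e);
    }
    // NOTE(review): whether verifyAndReadJWT also enforces exp/iat is not visible from this class. If it
    // does not, an old but correctly signed ID token keeps satisfying this check - confirm.

    if (!idToken.containsKey(OA2Claims.SUBJECT)) {
        // Previously fell through with a null username and looked that up; reject explicitly instead.
        throw new OA2RedirectableError(OA2Errors.INVALID_REQUEST, "No sub claim in the ID token hint.", state, callback);
    }
    String username = idToken.getString(OA2Claims.SUBJECT);

    OA2ServiceTransaction t;
    try {
        Object store = getTransactionStore();
        if (!(store instanceof UsernameFindable)) {
            // The cast used to be unguarded, so this surfaced as a ClassCastException instead.
            throw new NFWException("Internal error: the transaction store does not support lookup by username.");
        }
        // NOTE(review): a single transaction comes back for the username; if the user has logons with
        // several clients, which one is returned decides the aud check below - confirm with the store.
        t = ((UsernameFindable) store).getByUsername(username);
    } catch (IOException e) {
        throw new NFWException("Internal error: could not look up the transaction for the ID token hint subject.");
    }

    if (t == null) {
        throw new OA2RedirectableError(OA2Errors.LOGIN_REQUIRED, "Login required.", state, callback);
    }
    // There is a transaction, so the user authenticated - but only the client it was issued to may use the hint.
    if (!idToken.containsKey(OA2Claims.AUDIENCE)) {
        // The client that is associated with this user must be supplied.
        throw new OA2RedirectableError(OA2Errors.REQUEST_NOT_SUPPORTED, "No aud parameter in the ID token. This request is not supported on this server", state, callback);
    }
    // NOTE(review): aud is read as a single string; a JSON-array aud (allowed by OIDC) would not match here.
    if (!t.getClient().getIdentifierString().equals(idToken.getString(OA2Claims.AUDIENCE))) {
        // The wrong client for this user is attempting the request. That is not allowed.
        throw new OA2RedirectableError(OA2Errors.REQUEST_NOT_SUPPORTED, "Incorrect aud parameter in the ID token. This request is not supported on this server", state, callback);
    }
    httpServletResponse.setStatus(HttpStatus.SC_OK);
    // The spec does not state that anything is returned, just a positive response.
    return true;
}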