
Example 1 with UsernameFindable

use of edu.uiuc.ncsa.myproxy.oa4mp.oauth2.storage.UsernameFindable in project OA4MP by ncsa.

From the class OA2AuthorizedServlet, method CheckIdTokenHint.

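/**
 * Handles an {@code id_token_hint} sent to this endpoint. A previous request to the token endpoint
 * returned an ID token; when the client sends it back here we check that there is an active logon
 * for the subject of that token (= there is a transaction for that username in the store) and that
 * the token was issued to the client owning that transaction. On success the response status is set
 * to 200 and no body is written. Otherwise an exception is thrown.
 *
 * @param httpServletRequest  the request; only the {@code id_token_hint} and {@code state}
 *                            parameters are read
 * @param httpServletResponse the response; its status is set to {@code SC_OK} on success
 * @param callback            the redirect URI handed to any {@link OA2RedirectableError} raised
 * @return {@code false} if the request carries no {@code id_token_hint} (nothing to do);
 *         {@code true} if the hint verified and an active transaction exists for its subject
 * @throws GeneralException     if the hint has no value or cannot be verified/parsed
 * @throws OA2RedirectableError with {@code REQUEST_NOT_SUPPORTED} if the token lacks a
 *                              {@code sub} or {@code aud} claim, or the {@code aud} does not match
 *                              the client of the active transaction; with {@code LOGIN_REQUIRED}
 *                              if there is no active transaction for the subject
 * @throws NFWException         if the transaction store cannot be obtained or is not a
 *                              {@link UsernameFindable}
 */
protected boolean CheckIdTokenHint(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String callback) {
    if (!httpServletRequest.getParameterMap().containsKey(ID_TOKEN_HINT)) {
        return false;
    }
    // getParameterMap() maps each name to a String[]; String.valueOf() of that array yields
    // "[Ljava.lang.String;@..." rather than the token, so read the single value via getParameter().
    String rawIDToken = httpServletRequest.getParameter(ID_TOKEN_HINT);
    if (rawIDToken == null || rawIDToken.trim().isEmpty()) {
        throw new GeneralException("Error: Empty ID token hint");
    }
    JSONObject idToken;
    try {
        // The hint must verify against this server's own keys. Whether exp/iat are also checked
        // depends on JWTUtil.verifyAndReadJWT — TODO confirm; a hint is only a lookup key for a
        // live transaction, so the logon check below still applies either way.
        idToken = JWTUtil.verifyAndReadJWT(rawIDToken, ((OA2SE) getServiceEnvironment()).getJsonWebKeys());
    } catch (Throwable e) {
        throw new GeneralException("Error: Cannot read ID token hint", e);
    }
    String state = httpServletRequest.getParameter(STATE);
    // Without a subject there is nothing to look up. Previously a missing sub fell through to a
    // lookup by null username, which can never identify an active logon.
    if (!idToken.containsKey(OA2Claims.SUBJECT)) {
        throw new OA2RedirectableError(OA2Errors.REQUEST_NOT_SUPPORTED, "No sub parameter in the ID token. This request is not supported on this server", state, callback);
    }
    String username = idToken.getString(OA2Claims.SUBJECT);

    OA2ServiceTransaction t;
    try {
        UsernameFindable ufStore = (UsernameFindable) getTransactionStore();
        t = ufStore.getByUsername(username);
    } catch (IOException | ClassCastException e) {
        // Either the store could not be obtained or it is not username-findable; both point to a
        // class-structure/configuration problem rather than a bad request. Keep the cause.
        throw new NFWException("Internal error: Could not cast the store to a username findable store.", e);
    }
    if (t == null) {
        // No transaction for this user, so there is no active logon.
        throw new OA2RedirectableError(OA2Errors.LOGIN_REQUIRED, "Login required.", state, callback);
    }
    // There is a transaction, so the user authenticated successfully. The token must have been
    // issued to the client that owns that transaction.
    if (!idToken.containsKey(OA2Claims.AUDIENCE)) {
        // The client that is associated with this user must be supplied.
        throw new OA2RedirectableError(OA2Errors.REQUEST_NOT_SUPPORTED, "No aud parameter in the ID token. This request is not supported on this server", state, callback);
    }
    // NOTE: getString() on an array-valued aud returns the array's text, which will not equal the
    // client identifier, so only a single-valued aud is accepted here.
    if (!t.getClient().getIdentifierString().equals(idToken.getString(OA2Claims.AUDIENCE))) {
        // The wrong client for this user is attempting the request. That is not allowed.
        throw new OA2RedirectableError(OA2Errors.REQUEST_NOT_SUPPORTED, "Incorrect aud parameter in the ID token. This request is not supported on this server", state, callback);
    }
    httpServletResponse.setStatus(HttpStatus.SC_OK);
    // The spec does not state that anything is returned, just a positive response.
    return true;
}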
