use of edu.uiuc.ncsa.security.delegation.token.AccessToken in project OA4MP by ncsa.
the class OA2CertServlet method verifyAndGet.
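/**
 * Resolves the access token carried in the issuer response to its transaction and checks
 * that the token may be used to request a certificate.
 *
 * @param iResponse the issuer response; must be a {@link PAIResponse2} carrying the access token
 * @return the transaction the access token belongs to
 * @throws GeneralException if no transaction exists for the token, the transaction does not
 *                          carry {@code OA2Scopes.SCOPE_MYPROXY}, or the access token is no
 *                          longer valid
 * @throws IOException      as declared by the approval/timestamp helpers
 */
public ServiceTransaction verifyAndGet(IssuerResponse iResponse) throws IOException {
    PAIResponse2 par = (PAIResponse2) iResponse;
    AccessToken accessToken = par.getAccessToken();
    OA2ServiceTransaction t = (OA2ServiceTransaction) getTransactionStore().get(accessToken);
    // Deliberately generic message: the caller is not told whether the token was unknown or
    // merely stale, and the token value is never echoed back. (The original code repeated this
    // null check further down, after t had already been dereferenced; that copy was unreachable.)
    if (t == null) {
        throw new GeneralException("Invalid access token. Request refused");
    }
    if (!t.getScopes().contains(OA2Scopes.SCOPE_MYPROXY)) {
        // Note that this requires a state, but none is sent in the OA4MP cert request.
        throw new GeneralException("Certificate request is not in scope.");
    }
    // Access tokens must be valid in order to get a cert. If the token is invalid, the user must
    // get a valid one using the refresh token.
    if (!t.isAccessTokenValid()) {
        throw new GeneralException("Invalid access token. Request refused");
    }
    checkClientApproval(t.getClient());
    checkTimestamp(accessToken.getToken());
    return t;
}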
use of edu.uiuc.ncsa.security.delegation.token.AccessToken in project OA4MP by ncsa.
the class UserInfoServlet method doIt.
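/**
 * Serves a userinfo request: resolves the bearer access token to its transaction, checks the
 * token and the client, lets every configured claim source fill in the user information and
 * writes the result.
 *
 * @param request  the request; the access token is expected in the Authorization header as
 *                 {@code Bearer oa4mp:...}
 * @param response the response the user info is written to
 * @throws OA2GeneralError if no transaction exists for the token, the client is a public client,
 *                         or the token is invalid or expired
 * @throws Throwable       anything else raised by the helpers
 */
@Override
protected void doIt(HttpServletRequest request, HttpServletResponse response) throws Throwable {
    AccessToken at = getAT(request);
    ServiceTransaction transaction = (ServiceTransaction) getTransactionStore().get(at);
    // This check must come first: every other check below dereferences the transaction, and the
    // original order would have thrown a NullPointerException for an unknown token instead of
    // the intended error response.
    if (transaction == null) {
        throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, "no transaction for the access token was found.", HttpStatus.SC_BAD_REQUEST);
    }
    if (((OA2Client) transaction.getClient()).isPublicClient()) {
        throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, "public client not authorized to access user information", HttpStatus.SC_UNAUTHORIZED);
    }
    if (!transaction.isAccessTokenValid()) {
        throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, "invalid access token.", HttpStatus.SC_BAD_REQUEST);
    }
    try {
        checkTimestamp(at.getToken());
    } catch (InvalidTimestampException itx) {
        throw new OA2GeneralError(OA2Errors.INVALID_REQUEST, "token expired.", HttpStatus.SC_BAD_REQUEST);
    }
    OA2SE oa2SE = (OA2SE) getServiceEnvironment();
    UII2 uis = new UII2(oa2SE.getTokenForge(), getServiceEnvironment().getServiceAddress());
    UIIRequest2 uireq = new UIIRequest2(request, at);
    uireq.setUsername(getUsername(transaction));
    UIIResponse2 uiresp = (UIIResponse2) uis.process(uireq);
    // Now we figure out which scope handlers (claim sources) to use.
    LinkedList<ClaimSource> claimSources = OA2ATServlet.setupScopeHandlers((OA2ServiceTransaction) transaction, oa2SE);
    DebugUtil.dbg(this, "Invoking scope handler");
    if (claimSources == null || claimSources.isEmpty()) {
        // A null list used to fall through into the for-each below and blow up there.
        DebugUtil.dbg(this, " ***** NO SCOPE HANDLERS ");
    } else {
        for (ClaimSource claimSource : claimSources) {
            DebugUtil.dbg(this, " scope handler=" + claimSource.getClass().getSimpleName());
            claimSource.process(uiresp.getUserInfo(), transaction);
        }
    }
    uiresp.write(response);
}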
use of edu.uiuc.ncsa.security.delegation.token.AccessToken in project OA4MP by ncsa.
the class OA2ATServlet method doRefresh.
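/**
 * Handles a refresh-token grant: retires the presented refresh token, issues a new refresh and
 * access token, rewrites the transaction under them and writes the token response.
 *
 * @param c        the client making the request, already resolved by the caller
 * @param request  the token request carrying the {@code OA2Constants.REFRESH_TOKEN} parameter
 * @param response the response the new tokens are written to
 * @return the issuer transaction state for the rewritten transaction
 * @throws InvalidTokenException if no client was resolved for the request
 * @throws OA2ATException        if refresh tokens are disabled for the server or the client, or
 *                               the presented refresh token is unknown or no longer valid
 * @throws IOException           propagated from writing the response
 * @throws ServletException      propagated from the helpers
 */
protected TransactionState doRefresh(OA2Client c, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
    RefreshToken oldRT = getTF2().getRefreshToken(request.getParameter(OA2Constants.REFRESH_TOKEN));
    // The token value itself is kept out of the message: exception messages end up in logs.
    if (c == null) {
        throw new InvalidTokenException("Could not find the client associated with the presented refresh token");
    }
    OA2SE oa2SE = (OA2SE) getServiceEnvironment();
    // Checked before the store lookup: no point resolving a token the server will refuse anyway.
    if (!oa2SE.isRefreshTokenEnabled() || !c.isRTLifetimeEnabled()) {
        throw new OA2ATException(OA2Errors.REQUEST_NOT_SUPPORTED, "Refresh tokens are not supported on this server");
    }
    OA2ServiceTransaction t = getByRT(oldRT);
    if (t == null || !t.isRefreshTokenValid()) {
        throw new OA2ATException(OA2Errors.INVALID_REQUEST, "Error: The refresh token is no longer valid.");
    }
    // Mark the presented refresh token spent before issuing anything, so that if issuing fails
    // part way through the transaction object already says the token is no longer usable.
    // NOTE(review): the flag only reaches the store via the save() at the end, so whether it
    // survives a failure depends on the store handing back the same instance -- confirm.
    t.setRefreshTokenValid(false);
    AccessToken at = t.getAccessToken();
    RTIRequest rtiRequest = new RTIRequest(request, c, at);
    RTI2 rtIssuer = new RTI2(getTF2(), getServiceEnvironment().getServiceAddress());
    RTIResponse rtiResponse = (RTIResponse) rtIssuer.process(rtiRequest);
    rtiResponse.setSignToken(c.isSignTokens());
    populateClaims(request, rtiResponse.getParameters(), t);
    RefreshToken rt = rtiResponse.getRefreshToken();
    rt.setExpiresIn(computeRefreshLifetime(t));
    t.setRefreshToken(rt);
    t.setRefreshTokenValid(true);
    t.setAccessToken(rtiResponse.getAccessToken());
    // The transaction is keyed in the store by its identifier, so saving it under the new tokens
    // overwrites the current entry and effectively invalidates the previous access token.
    // Removing it first is necessary to clear any caches.
    getTransactionStore().remove(t.getIdentifier());
    // Only scopes the server supports are reported back; the response lists them explicitly
    // whenever at least one requested scope had to be dropped.
    ArrayList<String> targetScopes = new ArrayList<>();
    boolean unsupportedScopeRequested = false;
    for (String s : t.getScopes()) {
        if (oa2SE.getScopes().contains(s)) {
            targetScopes.add(s);
        } else {
            unsupportedScopeRequested = true;
        }
    }
    if (unsupportedScopeRequested) {
        rtiResponse.setSupportedScopes(targetScopes);
    }
    rtiResponse.setScopeHandlers(setupScopeHandlers(t, oa2SE));
    rtiResponse.setServiceTransaction(t);
    rtiResponse.setJsonWebKey(oa2SE.getJsonWebKeys().getDefault());
    getTransactionStore().save(t);
    rtiResponse.write(response);
    return new IssuerTransactionState(request, response, rtiResponse.getParameters(), t, rtiResponse);
}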
use of edu.uiuc.ncsa.security.delegation.token.AccessToken in project OA4MP by ncsa.
the class NewTransactionTest method newAT.
/**
 * Mints a test access token from the given forge and strips its shared secret.
 *
 * @param tokenForge the forge that creates the token
 * @param x          arguments passed straight through to the forge
 * @return the minted token with the shared secret cleared
 */
protected AccessToken newAT(TokenForge tokenForge, String... x) {
    final AccessToken minted = tokenForge.getAccessToken(x);
    minted.setSharedSecret(null);
    return minted;
}
use of edu.uiuc.ncsa.security.delegation.token.AccessToken in project OA4MP by ncsa.
the class TransactionStoreTest method newAT.
/**
 * Mints a test access token from the provider's forge and strips its shared secret.
 *
 * @param x arguments passed straight through to the forge
 * @return the minted token with the shared secret cleared
 */
protected AccessToken newAT(String... x) {
    final AccessToken minted = getTSProvider().getTokenForge().getAccessToken(x);
    minted.setSharedSecret(null);
    return minted;
}