Use of io.gravitee.am.common.exception.oauth2.ExpiredLoginHintTokenException in project gravitee-access-management by gravitee-io:
the class CibaAuthenticationRequestResolver, method validateLoginHintToken.
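/**
 * Resolves the CIBA {@code login_hint_token} to a single user and stores that user's id as the
 * subject of the authentication request.
 *
 * <p>The token is first checked for expiry, then its {@code sub_id} claim is used to look the user
 * up by {@code email} or {@code username}. The hint must match exactly one user.
 *
 * @param authRequest the CIBA request whose subject is set on success
 * @param jwt the already-parsed login hint token
 * @return the same {@code authRequest} with its subject set, or an error:
 *         {@code ExpiredLoginHintTokenException} when the token is expired or cannot be read,
 *         {@code InvalidRequestException} when {@code sub_id} is missing, malformed, unsupported or
 *         does not resolve to exactly one user
 */
private Single<CibaAuthenticationRequest> validateLoginHintToken(CibaAuthenticationRequest authRequest, JWT jwt) {
    try {
        // Reject an expired token before doing any user lookup; the last argument is presumably a
        // clock-skew allowance in seconds — TODO confirm against evaluateExp.
        final Date expirationTime = jwt.getJWTClaimsSet().getExpirationTime();
        if (expirationTime != null) {
            evaluateExp(expirationTime.toInstant().getEpochSecond(), Instant.now(), 0);
        }

        /*
         * sub_id is an object specifying the field identifying the user (through the "format" entry).
         * Supported formats: email and username
         * {
         *   "sub_id": {
         *     "format": "email",
         *     "email": "user@acme.fr"
         *   }
         * }
         */
        final JSONObject subIdObject = jwt.getJWTClaimsSet().getJSONObjectClaim("sub_id");
        if (subIdObject == null) {
            // A token without sub_id previously escaped as a NullPointerException from getAsString,
            // which is neither caught below nor a meaningful error for the caller.
            return Single.error(new InvalidRequestException("Invalid hint, sub_id is missing"));
        }

        final String field = subIdObject.getAsString("format");
        if (!"email".equals(field) && !"username".equals(field)) {
            return Single.error(new InvalidRequestException("Invalid hint, only email and username are supported"));
        }
        final String value = subIdObject.getAsString(field);
        if (value == null || value.trim().isEmpty()) {
            // Avoid querying the user store with an empty or null filter value.
            return Single.error(new InvalidRequestException("Invalid hint, " + field + " is missing"));
        }

        final FilterCriteria criteria = new FilterCriteria();
        // NOTE(review): the filter value is taken straight from the token claim and passed unquoted;
        // confirm the user store escapes filter metacharacters on this path.
        criteria.setQuoteFilterValue(false);
        criteria.setFilterName(field);
        criteria.setFilterValue(value);

        return userService.findByDomainAndCriteria(domain.getId(), criteria).flatMap(users -> {
            // Exactly one match is required. The client-facing message stays generic so the
            // response does not reveal whether the hint matched anybody; details go to the log only.
            if (users.size() != 1) {
                LOGGER.warn("login_hint_token match multiple users or no one");
                return Single.error(new InvalidRequestException("Invalid hint"));
            }
            authRequest.setSubject(users.get(0).getId());
            return Single.just(authRequest);
        });
    } catch (ExpiredJWTException e) {
        return Single.error(new ExpiredLoginHintTokenException("login_token_hint expired"));
    } catch (ParseException e) {
        // should never happen (claims were already parsed), but log it so an unreadable token is visible.
        LOGGER.warn("login_hint_token can't be read", e);
        // NOTE(review): an unreadable token is reported with the "expired" exception type; kept as-is
        // because callers may map on this type.
        return Single.error(new ExpiredLoginHintTokenException("invalid login_token_hint"));
    }
}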