Example 1 with InvalidRequestException

Use of io.gravitee.am.common.exception.oauth2.InvalidRequestException in project gravitee-access-management by gravitee-io.

Class UserAuthProviderImpl, method parseClient.

private void parseClient(String clientId, Handler<AsyncResult<Client>> authHandler) {
    logger.debug("Attempt authentication with client " + clientId);
    // three outcomes: a client is emitted, the lookup errors out, or it completes empty (unknown client_id)
    clientSyncService.findByClientId(clientId).subscribe(
            client -> authHandler.handle(Future.succeededFuture(client)),
            error -> authHandler.handle(Future.failedFuture(new ServerErrorException("Server error: unable to find client with client_id " + clientId))),
            () -> authHandler.handle(Future.failedFuture(new InvalidRequestException("No client found for client_id " + clientId))));
}
Also used: InvalidRequestException (io.gravitee.am.common.exception.oauth2.InvalidRequestException), ServerErrorException (io.gravitee.am.common.exception.oauth2.ServerErrorException)

Example 2 with InvalidRequestException

Use of io.gravitee.am.common.exception.oauth2.InvalidRequestException in project gravitee-access-management by gravitee-io.

Class SSOSessionHandler, method checkClient.

private void checkClient(RoutingContext context, io.gravitee.am.model.User user, Handler<AsyncResult<Void>> handler) {
    final String clientId = context.request().getParam(Parameters.CLIENT_ID);
    // no client to check, continue
    if (clientId == null) {
        handler.handle(Future.succeededFuture());
        return;
    }
    // no client to check for the user, continue
    if (user.getClient() == null) {
        handler.handle(Future.succeededFuture());
        return;
    }
    // check whether the requested client and the user's client share the identity provider the user authenticated with
    Single.zip(getClient(clientId), getClient(user.getClient()), (optRequestedClient, optUserClient) -> {
        // orElse(null) rather than get(): an empty Optional must reach the null checks below instead of throwing NoSuchElementException
        Client requestedClient = optRequestedClient.orElse(null);
        Client userClient = optUserClient.orElse(null);
        // no client to check, continue
        if (requestedClient == null) {
            return Completable.complete();
        }
        // no client to check for the user, continue
        if (userClient == null) {
            return Completable.complete();
        }
        // if same client, nothing to do, continue
        if (userClient.getId().equals(requestedClient.getId())) {
            return Completable.complete();
        }
        // the requested client accepts the identity provider the user came from, continue
        if (requestedClient.getClientId() != null && requestedClient.getIdentityProviders().stream().anyMatch(appIdp -> appIdp.getIdentity().equals(user.getSource()))) {
            return Completable.complete();
        }
        // otherwise the existing SSO session must not be reused for this client
        throw new InvalidRequestException("User is not on a shared identity provider");
    }).subscribe(__ -> handler.handle(Future.succeededFuture()), error -> handler.handle(Future.failedFuture(error)));
}
Also used: AccountStatusException (io.gravitee.am.common.exception.authentication.AccountStatusException), AccountIllegalStateException (io.gravitee.am.common.exception.authentication.AccountIllegalStateException), AuthenticationFlowContextService (io.gravitee.am.service.AuthenticationFlowContextService), Logger (org.slf4j.Logger), User (io.vertx.reactivex.ext.auth.User), Client (io.gravitee.am.model.oidc.Client), AccountDisabledException (io.gravitee.am.common.exception.authentication.AccountDisabledException), Completable (io.reactivex.Completable), Maybe (io.reactivex.Maybe), LoggerFactory (org.slf4j.LoggerFactory), ConstantKeys (io.gravitee.am.common.utils.ConstantKeys), CookieSession (io.gravitee.am.gateway.handler.common.vertx.web.handler.impl.CookieSession), Single (io.reactivex.Single), Future (io.vertx.core.Future), RoutingContext (io.vertx.reactivex.ext.web.RoutingContext), InvalidRequestException (io.gravitee.am.common.exception.oauth2.InvalidRequestException), Optional (java.util.Optional), ClientSyncService (io.gravitee.am.gateway.handler.common.client.ClientSyncService), AsyncResult (io.vertx.core.AsyncResult), Handler (io.vertx.core.Handler), Parameters (io.gravitee.am.common.oauth2.Parameters), HttpException (io.vertx.ext.web.handler.HttpException)

Example 3 with InvalidRequestException

Use of io.gravitee.am.common.exception.oauth2.InvalidRequestException in project gravitee-access-management by gravitee-io.

Class ClientRequestParseHandler, method handle.

@Override
public void handle(RoutingContext context) {
    final String clientId = context.request().getParam(Parameters.CLIENT_ID);
    if (clientId == null || clientId.isEmpty()) {
        // client_id is only mandatory when this handler was configured as required
        if (required) {
            context.fail(new InvalidRequestException("Missing parameter: client_id is required"));
        } else {
            context.next();
        }
        return;
    }
    authenticate(clientId, authHandler -> {
        if (authHandler.failed()) {
            if (continueOnError) {
                context.next();
            } else {
                context.fail(authHandler.cause());
            }
            return;
        }
        // expose a copy of the client without its secret to downstream handlers
        Client safeClient = new Client(authHandler.result());
        safeClient.setClientSecret(null);
        context.put(CLIENT_CONTEXT_KEY, safeClient);
        context.next();
    });
}
Also used: InvalidRequestException (io.gravitee.am.common.exception.oauth2.InvalidRequestException), Client (io.gravitee.am.model.oidc.Client)

Example 4 with InvalidRequestException

Use of io.gravitee.am.common.exception.oauth2.InvalidRequestException in project gravitee-access-management by gravitee-io.

Class LogoutCallbackEndpoint, method restoreCurrentSession.

/**
 * Restore current session (user and application) to properly sign out the user.
 *
 * @param routingContext the routing context
 * @param handler handler holding the potential current session
 */
private void restoreCurrentSession(RoutingContext routingContext, Handler<AsyncResult<UserToken>> handler) {
    // The OP SHOULD accept ID Tokens when the RP identified by the ID Token's aud claim and/or sid claim has a current session
    // or had a recent session at the OP, even when the exp time has passed.
    final MultiMap originalLogoutQueryParams = routingContext.get(ConstantKeys.PARAM_CONTEXT_KEY);
    if (originalLogoutQueryParams != null && originalLogoutQueryParams.contains(ConstantKeys.ID_TOKEN_HINT_KEY)) {
        final String idToken = originalLogoutQueryParams.get(ConstantKeys.ID_TOKEN_HINT_KEY);
        userService.extractSessionFromIdToken(idToken).map(userToken -> {
            // the id_token_hint must belong to the user currently logged in, if there is one
            if (userToken.getUser() != null && routingContext.user() != null) {
                User endUser = ((io.gravitee.am.gateway.handler.common.vertx.web.auth.user.User) routingContext.user().getDelegate()).getUser();
                if (!userToken.getUser().getId().equals(endUser.getId())) {
                    throw new UserNotFoundException(userToken.getUser().getId());
                }
            }
            return userToken;
        }).subscribe(
                currentSession -> handler.handle(Future.succeededFuture(currentSession)),
                // an unusable id_token_hint yields an empty session rather than a failure
                error -> handler.handle(Future.succeededFuture(new UserToken())));
        return;
    }
    if (routingContext.get(Parameters.CLIENT_ID) == null) {
        logger.error("Unable to restore client for logout callback");
        handler.handle(Future.failedFuture(new InvalidRequestException("Invalid state")));
        return;
    }
    final User endUser = routingContext.user() != null
            ? ((io.gravitee.am.gateway.handler.common.vertx.web.auth.user.User) routingContext.user().getDelegate()).getUser()
            : null;
    final String clientId = routingContext.get(Parameters.CLIENT_ID);
    clientSyncService.findByClientId(clientId).subscribe(client -> handler.handle(Future.succeededFuture(new UserToken(endUser, client))), ex -> {
        logger.error("An error has occurred when getting client {}", clientId, ex);
        handler.handle(Future.failedFuture(new BadClientCredentialsException()));
    }, () -> {
        // lookup completed without a value: the client_id is unknown
        logger.error("Unknown client {}", clientId);
        handler.handle(Future.failedFuture(new BadClientCredentialsException()));
    });
}
Also used: BadClientCredentialsException (io.gravitee.am.common.exception.oauth2.BadClientCredentialsException), AuthenticationFlowContextService (io.gravitee.am.service.AuthenticationFlowContextService), RequestUtils (io.gravitee.am.gateway.handler.common.vertx.utils.RequestUtils), Logger (org.slf4j.Logger), HttpServerRequest (io.vertx.reactivex.core.http.HttpServerRequest), Client (io.gravitee.am.model.oidc.Client), CertificateManager (io.gravitee.am.gateway.handler.common.certificate.CertificateManager), LoggerFactory (org.slf4j.LoggerFactory), UserService (io.gravitee.am.gateway.handler.root.service.user.UserService), ConstantKeys (io.gravitee.am.common.utils.ConstantKeys), Domain (io.gravitee.am.model.Domain), Future (io.vertx.core.Future), RoutingContext (io.vertx.reactivex.ext.web.RoutingContext), UserNotFoundException (io.gravitee.am.service.exception.UserNotFoundException), MultiMap (io.vertx.reactivex.core.MultiMap), InvalidRequestException (io.gravitee.am.common.exception.oauth2.InvalidRequestException), UserToken (io.gravitee.am.gateway.handler.root.service.user.model.UserToken), JWTService (io.gravitee.am.gateway.handler.common.jwt.JWTService), ClientSyncService (io.gravitee.am.gateway.handler.common.client.ClientSyncService), AsyncResult (io.vertx.core.AsyncResult), User (io.gravitee.am.model.User), Handler (io.vertx.core.Handler), Parameters (io.gravitee.am.common.oauth2.Parameters), StringUtils (org.springframework.util.StringUtils)

Example 5 with InvalidRequestException

Use of io.gravitee.am.common.exception.oauth2.InvalidRequestException in project gravitee-access-management by gravitee-io.

Class LoginSocialAuthenticationHandler, method handle.

@Override
public void handle(RoutingContext routingContext) {
    final Client client = routingContext.get(CLIENT_CONTEXT_KEY);
    // fetch client identity providers
    getSocialIdentityProviders(client.getIdentityProviders(), identityProvidersResultHandler -> {
        if (identityProvidersResultHandler.failed()) {
            logger.error("Unable to fetch client social identity providers", identityProvidersResultHandler.cause());
            routingContext.fail(new InvalidRequestException("Unable to fetch client social identity providers"));
            // stop here: the context has already failed and result() is not usable
            return;
        }
        List<IdentityProvider> socialIdentityProviders = identityProvidersResultHandler.result();
        // no social provider, continue
        if (socialIdentityProviders == null || socialIdentityProviders.isEmpty()) {
            routingContext.next();
            return;
        }
        // the client has social connect enabled:
        // get social identity providers information to correctly build the login page
        enhanceSocialIdentityProviders(socialIdentityProviders, routingContext, resultHandler -> {
            if (resultHandler.failed()) {
                logger.error("Unable to enhance client social identity providers", resultHandler.cause());
                routingContext.fail(new InvalidRequestException("Unable to enhance client social identity providers"));
                // stop here: never call next() on a context that has already failed
                return;
            }
            // put social providers in context data
            final List<SocialProviderData> socialProviderData = resultHandler.result();
            if (socialProviderData != null) {
                // keep only providers with both a resolved identity provider and an authorize URL
                List<SocialProviderData> filteredSocialProviderData = socialProviderData.stream().filter(providerData -> providerData.getIdentityProvider() != null && providerData.getAuthorizeUrl() != null).collect(Collectors.toList());
                List<IdentityProvider> providers = filteredSocialProviderData.stream().map(SocialProviderData::getIdentityProvider).collect(Collectors.toList());
                Map<String, String> authorizeUrls = filteredSocialProviderData.stream().collect(Collectors.toMap(o -> o.getIdentityProvider().getId(), SocialProviderData::getAuthorizeUrl));
                // backwards compatibility: the same list is also exposed under the legacy OAuth2 key
                routingContext.put(OAUTH2_PROVIDER_CONTEXT_KEY, providers);
                routingContext.put(SOCIAL_PROVIDER_CONTEXT_KEY, providers);
                routingContext.put(SOCIAL_AUTHORIZE_URL_CONTEXT_KEY, authorizeUrls);
            }
            // continue
            routingContext.next();
        });
    });
}
Also used: java.util (java.util), Client (io.gravitee.am.model.oidc.Client), ACTION_KEY (io.gravitee.am.common.utils.ConstantKeys.ACTION_KEY), Maybe (io.reactivex.Maybe), LoggerFactory (org.slf4j.LoggerFactory), IdentityProviderManager (io.gravitee.am.gateway.handler.common.auth.idp.IdentityProviderManager), IdentityProvider (io.gravitee.am.model.IdentityProvider), ApplicationIdentityProvider (io.gravitee.am.model.idp.ApplicationIdentityProvider), InvalidRequestException (io.gravitee.am.common.exception.oauth2.InvalidRequestException), JWTService (io.gravitee.am.gateway.handler.common.jwt.JWTService), Observable (io.reactivex.Observable), AsyncResult (io.vertx.core.AsyncResult), SocialAuthenticationProvider (io.gravitee.am.identityprovider.api.social.SocialAuthenticationProvider), UriBuilder (io.gravitee.am.common.web.UriBuilder), Logger (org.slf4j.Logger), JWT (io.gravitee.am.common.jwt.JWT), CertificateManager (io.gravitee.am.gateway.handler.common.certificate.CertificateManager), Request (io.gravitee.am.identityprovider.api.common.Request), Future (io.vertx.core.Future), RoutingContext (io.vertx.reactivex.ext.web.RoutingContext), Collectors (java.util.stream.Collectors), UriBuilderRequest (io.gravitee.am.gateway.handler.common.vertx.utils.UriBuilderRequest), HttpMethod (io.gravitee.common.http.HttpMethod), CLIENT_CONTEXT_KEY (io.gravitee.am.common.utils.ConstantKeys.CLIENT_CONTEXT_KEY), CONTEXT_PATH (io.gravitee.am.gateway.handler.common.vertx.utils.UriBuilderRequest.CONTEXT_PATH), Handler (io.vertx.core.Handler)

Aggregations

InvalidRequestException (io.gravitee.am.common.exception.oauth2.InvalidRequestException): 37
Client (io.gravitee.am.model.oidc.Client): 20
ConstantKeys (io.gravitee.am.common.utils.ConstantKeys): 10
User (io.gravitee.am.model.User): 9
RoutingContext (io.vertx.reactivex.ext.web.RoutingContext): 9
JsonObject (io.vertx.core.json.JsonObject): 8
Domain (io.gravitee.am.model.Domain): 6
ParseException (java.text.ParseException): 6
Date (java.util.Date): 6
Parameters (io.gravitee.am.common.oauth2.Parameters): 5
DefaultUser (io.gravitee.am.identityprovider.api.DefaultUser): 5
Handler (io.vertx.core.Handler): 5
Collectors (java.util.stream.Collectors): 5
Logger (org.slf4j.Logger): 5
LoggerFactory (org.slf4j.LoggerFactory): 5
JWTClaimsSet (com.nimbusds.jwt.JWTClaimsSet): 4
AsyncResult (io.vertx.core.AsyncResult): 4
Future (io.vertx.core.Future): 4
HttpServerRequest (io.vertx.reactivex.core.http.HttpServerRequest): 4
StandardCharsets (java.nio.charset.StandardCharsets): 4