use of io.gravitee.am.common.exception.oauth2.InvalidRequestException in project gravitee-access-management by gravitee-io.
Class AuthorizationRequestParseParametersHandler, method parseClaimsParameter.
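private void parseClaimsParameter(RoutingContext context) {
    // Parses the optional OIDC "claims" request parameter. When it is present the raw
    // value is resolved into a ClaimsRequest, any acr values requested for the id_token
    // are checked against the provider's acr_values_supported, and the normalised request
    // is written back into the request parameters as a JSON string for the later
    // id_token / UserInfo processing.
    //
    // Throws InvalidRequestException when the value is not a syntactically valid claims
    // request or when a requested acr value is not supported by the provider.
    String claims = getOAuthParameter(context, Parameters.CLAIMS);
    if (claims == null) {
        return;
    }

    ClaimsRequest claimsRequest;
    try {
        claimsRequest = claimsRequestResolver.resolve(claims);
    } catch (ClaimsRequestSyntaxException e) {
        throw new InvalidRequestException("Invalid parameter: claims");
    }

    ClaimRequest acrRequest = claimsRequest.getIdTokenClaims() != null
            ? claimsRequest.getIdTokenClaims().get(Claims.acr)
            : null;
    if (acrRequest != null) {
        OpenIDProviderMetadata openIDProviderMetadata = context.get(PROVIDER_METADATA_CONTEXT_KEY);
        // Missing provider metadata or an unset acr_values_supported used to end in a
        // NullPointerException (HTTP 500); treat it as "no acr value supported" so that a
        // request asking for one is rejected with invalid_request instead.
        // NOTE(review): fail-closed choice — confirm against the intended discovery semantics.
        List<String> acrValuesSupported = openIDProviderMetadata != null && openIDProviderMetadata.getAcrValuesSupported() != null
                ? openIDProviderMetadata.getAcrValuesSupported()
                : Collections.emptyList();
        if (!acrValuesSupported.containsAll(requestedAcrValues(acrRequest))) {
            throw new InvalidRequestException("Invalid parameter: claims, acr_values requested not supported");
        }
    }

    // save claims request as json string value (will be used for id_token and/or UserInfo endpoint)
    context.request().params().set(Parameters.CLAIMS, Json.encode(claimsRequest));
}

/**
 * Acr values requested for the id_token through the claims parameter: the single
 * {@code value} when given, otherwise {@code values}, otherwise none.
 */
private static List<String> requestedAcrValues(ClaimRequest acrRequest) {
    if (acrRequest.getValue() != null) {
        return Collections.singletonList(acrRequest.getValue());
    }
    if (acrRequest.getValues() != null) {
        return acrRequest.getValues();
    }
    return Collections.emptyList();
}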
use of io.gravitee.am.common.exception.oauth2.InvalidRequestException in project gravitee-access-management by gravitee-io.
Class AuthorizationRequestParseRequestObjectHandler, method handle.
@Override
public void handle(RoutingContext context) {
    // Entry point for the request / request_uri (request object) part of an authorization
    // request. Without either parameter the request passes straight through, unless the
    // client is configured to require PAR or the domain runs the plain FAPI profile, both
    // of which fail the context with invalid_request. Otherwise the request object is
    // resolved (by value or by reference), its OAuth2 parameters are checked and the
    // handler chain continues; every error is routed to context.fail.
    final String request = context.request().getParam(Parameters.REQUEST);
    final String requestUri = context.request().getParam(Parameters.REQUEST_URI);
    final Client client = context.get(CLIENT_CONTEXT_KEY);

    final boolean hasRequest = !StringUtils.isEmpty(request);
    final boolean hasRequestUri = !StringUtils.isEmpty(requestUri);

    if (!hasRequestUri) {
        if (client != null && client.isRequireParRequest()) {
            context.fail(new InvalidRequestException("Client requires pushed authorization requests, request_uri is expected"));
            return;
        }
        if (!hasRequest) {
            if (this.domain.usePlainFapiProfile()) {
                // https://openid.net/specs/openid-financial-api-part-2-1_0.html#authorization-server
                // the authorization server shall require a JWS signed JWT request object, passed by value
                // with the request parameter or by reference with the request_uri parameter
                context.fail(new InvalidRequestException("Missing parameter: request or request_uri is required for FAPI"));
                return;
            }
            // neither request nor request_uri: nothing to resolve here
            context.next();
            return;
        }
    }

    checkRequestObjectParameters(request, requestUri);

    // a request object passed by value takes precedence over request_uri
    final Maybe<JWT> requestObject;
    if (hasRequest) {
        context.put(REQUEST_OBJECT_FROM_URI, false);
        requestObject = handleRequestObjectValue(context, request);
    } else {
        context.put(REQUEST_OBJECT_FROM_URI, true);
        requestObject = handleRequestObjectURI(context, requestUri);
    }

    requestObject.subscribe(
            jwt -> {
                try {
                    // the request object's parameters must agree with the query parameters
                    checkOAuthParameters(context, jwt);
                    context.next();
                } catch (Exception ex) {
                    context.fail(ex);
                }
            },
            context::fail,
            // empty Maybe: no request object was produced, continue the chain
            context::next);
}
use of io.gravitee.am.common.exception.oauth2.InvalidRequestException in project gravitee-access-management by gravitee-io.
Class AuthorizationRequestParseRequestObjectHandler, method validateRequestObjectClaims.
private Single<JWT> validateRequestObjectClaims(RoutingContext context, JWT jwt) {
    // FAPI-specific validation of the request object claims. When the domain does not use
    // the plain FAPI profile the JWT is passed through unchanged. The checks run in order
    // and the first failure is returned as Single.error: the exceptions thrown inside the
    // try block are expected to be OAuth2Exceptions (caught below), and a ParseException
    // from the claims accessors becomes an InvalidRequestObjectException.
    // The boolean passed to generateException tells it whether the request object was
    // obtained by reference (request_uri); generateException itself is defined elsewhere.
    if (this.domain.usePlainFapiProfile()) {
        try {
            // flag stored by handle() before the request object is resolved
            final boolean fromRequestUri = context.get(REQUEST_OBJECT_FROM_URI);
            final JWTClaimsSet jwtClaimsSet = jwt.getJWTClaimsSet();
            // in addition FAPI requires some claims that are optional in the OIDC core spec (like exp, nbf...)
            // exp must be present and must not already be in the past
            if (jwtClaimsSet.getExpirationTime() == null || jwtClaimsSet.getExpirationTime().before(new Date())) {
                // NOTE(review): only a *missing* exp is reported with the request_uri variant;
                // an expired exp from a request_uri uses the by-value variant — confirm intended
                throw generateException(jwtClaimsSet.getExpirationTime() == null && fromRequestUri, "Request object must contains valid exp claim");
            }
            // redirect_uri claim is mandatory and, when a redirect_uri query parameter is also
            // present, must equal its first value
            List<String> redirectUri = context.queryParam(io.gravitee.am.common.oauth2.Parameters.REDIRECT_URI);
            final String redirectUriClaim = jwtClaimsSet.getStringClaim(io.gravitee.am.common.oauth2.Parameters.REDIRECT_URI);
            if (redirectUriClaim == null || (redirectUriClaim != null && redirectUri != null && !redirectUri.isEmpty() && !redirectUriClaim.equals(redirectUri.get(0)))) {
                // remove redirect_uri provided as parameter and continue to let AuthorizationRequestParseParametersHandler
                // throws the right error according to the client configuration
                context.request().params().remove(io.gravitee.am.common.oauth2.Parameters.REDIRECT_URI);
                throw new InvalidRequestException("Missing or invalid redirect_uri");
            }
            // nbf is mandatory and the exp - nbf window must not exceed ONE_HOUR_IN_MILLIS;
            // nbf is not itself compared against the current time here
            final Date nbf = jwtClaimsSet.getNotBeforeTime();
            if (nbf == null || (nbf.getTime() + ONE_HOUR_IN_MILLIS) < jwtClaimsSet.getExpirationTime().getTime()) {
                throw generateException(fromRequestUri, "Request object older than 60 minutes");
            }
            // when a state query parameter is given, the state claim must be present and equal to its first value
            List<String> state = context.queryParam(io.gravitee.am.common.oauth2.Parameters.STATE);
            final String stateClaim = jwtClaimsSet.getStringClaim(io.gravitee.am.common.oauth2.Parameters.STATE);
            if (state != null && !state.isEmpty() && (stateClaim == null || !stateClaim.equals(state.get(0)))) {
                throw generateException(fromRequestUri, "Request object must contains valid state claim");
            }
            // aud is mandatory; when provider metadata is available it must also contain the issuer
            // (without metadata only the presence of aud is checked)
            final OpenIDProviderMetadata openIDProviderMetadata = context.get(PROVIDER_METADATA_CONTEXT_KEY);
            if (jwtClaimsSet.getAudience() == null || (openIDProviderMetadata != null && !jwtClaimsSet.getAudience().contains(openIDProviderMetadata.getIssuer()))) {
                // the aud claim in the request object shall be, or shall be an array containing, the OP's Issuer Identifier URL;
                throw generateException(fromRequestUri, "Invalid audience claim");
            }
            // when a scope query parameter is given, the scope claim must be present and equal to its first value
            List<String> scope = context.queryParam(io.gravitee.am.common.oauth2.Parameters.SCOPE);
            final String scopeClaim = jwtClaimsSet.getStringClaim(Claims.scope);
            if (scope != null && !scope.isEmpty() && (scopeClaim == null || !scopeClaim.equals(scope.get(0)))) {
                throw generateException(fromRequestUri, "Request object must contains valid scope claim");
            }
            // nonce / state requirements depend on whether the scope claim contains "openid"
            // (substring check on the scope claim, not on the query parameter)
            if (scopeClaim != null && scopeClaim.contains("openid") && StringUtils.isEmpty(jwtClaimsSet.getStringClaim(Parameters.NONCE))) {
                // If the client requests the openid scope, the authorization server shall require the nonce parameter defined
                throw generateException(fromRequestUri, "Scope openid expect the nonce parameter defined");
            } else if ((scopeClaim == null || !scopeClaim.contains("openid")) && StringUtils.isEmpty(jwtClaimsSet.getStringClaim(io.gravitee.am.common.oauth2.Parameters.STATE))) {
                // If the client does not request the openid scope, the authorization server shall require the state parameter defined
                throw generateException(fromRequestUri, "Absence of scope openid expect the state parameter defined");
            }
        } catch (OAuth2Exception e) {
            return Single.error(e);
        } catch (ParseException e) {
            // a claim is present but not of the expected type (e.g. a non-string redirect_uri)
            return Single.error(new InvalidRequestObjectException());
        }
    }
    return Single.just(jwt);
}
use of io.gravitee.am.common.exception.oauth2.InvalidRequestException in project gravitee-access-management by gravitee-io.
Class PushedAuthorizationRequestEndpoint, method handle.
@Override
public void handle(RoutingContext context) {
    // Pushed authorization request endpoint. The caller must already be an authenticated
    // client (resolved into the context by an earlier handler) and must send a form-encoded
    // body. The pushed parameters are registered through parService and the registration
    // response is returned with 201 Created; the response is marked non-cacheable because
    // it carries a reference to the pushed request.
    //
    // Throws InvalidClientException when no client is authenticated and
    // InvalidRequestException for an unsupported Content-Type; registration failures are
    // routed to context.fail.
    final Client client = context.get(CLIENT_CONTEXT_KEY);
    if (client == null) {
        // Confidential clients or other clients issued client credentials MUST
        // authenticate with the authorization server when making requests to the pushed authorization request endpoint.
        throw new InvalidClientException();
    }

    final String contentType = context.request().getHeader(HttpHeaders.CONTENT_TYPE);
    final boolean formEncoded = contentType != null && contentType.startsWith(URLEncodedUtils.CONTENT_TYPE);
    if (!formEncoded) {
        throw new InvalidRequestException("Unsupported Content-Type");
    }

    final PushedAuthorizationRequest pushedRequest = new PushedAuthorizationRequest();
    pushedRequest.setParameters(extractRequestParameters(context.request()));
    pushedRequest.setClient(client.getClientId());

    parService.registerParameters(pushedRequest, client).subscribe(
            response -> context.response()
                    .setStatusCode(HttpStatusCode.CREATED_201)
                    .putHeader(io.gravitee.common.http.HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON)
                    .putHeader(io.gravitee.common.http.HttpHeaders.CACHE_CONTROL, "no-store")
                    .putHeader(io.gravitee.common.http.HttpHeaders.PRAGMA, "no-cache")
                    .end(Json.encodePrettily(response)),
            context::fail);
}
use of io.gravitee.am.common.exception.oauth2.InvalidRequestException in project gravitee-access-management by gravitee-io.
Class TokenRequestParseHandler, method parseRequestParameters.
private void parseRequestParameters(RoutingContext context) {
    // RFC 6749 invalid_request: the request is missing a required parameter, includes an
    // invalid parameter value, includes a parameter more than once, or is otherwise malformed.
    // Only the "included more than once" condition is enforced here; the other conditions are
    // left to the later, parameter-specific checks.
    final MultiMap requestParameters = context.request().params();
    for (String parameterName : requestParameters.names()) {
        if (requestParameters.getAll(parameterName).size() > 1) {
            throw new InvalidRequestException("Parameter [" + parameterName + "] is included more than once");
        }
    }
}