
Example 26 with InvalidRequestException


the class AuthorizationRequestParseParametersHandler method parseClaimsParameter.

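/**
 * Parses the optional OIDC {@code claims} request parameter and, when an {@code acr} claim is
 * requested for the ID token, checks that every requested value is advertised by the provider
 * in {@code acr_values_supported}. On success the normalised request is written back into the
 * request parameters as a JSON string for the id_token / UserInfo stages.
 *
 * <p>Security note: the {@code claims} value is client-controlled input. A syntax error or an
 * unsupported acr value is reported as {@code invalid_request}. Provider metadata missing from the
 * context, or metadata that advertises no acr values, is treated as "no acr value supported", so
 * the check fails closed instead of failing with a NullPointerException (HTTP 500).
 *
 * @param context the routing context; {@code PROVIDER_METADATA_CONTEXT_KEY} may hold the
 *                {@link OpenIDProviderMetadata} consulted for the acr check
 * @throws InvalidRequestException if the claims parameter is malformed or requests an acr value
 *                                 the provider does not support
 */
private void parseClaimsParameter(RoutingContext context) {
    final String claims = getOAuthParameter(context, Parameters.CLAIMS);
    if (claims == null) {
        // claims is an optional parameter (OIDC Core 5.5): nothing to validate
        return;
    }
    final OpenIDProviderMetadata openIDProviderMetadata = context.get(PROVIDER_METADATA_CONTEXT_KEY);
    // fail closed: without metadata (or without an advertised list) no acr value is supported
    final List<String> acrValuesSupported =
            openIDProviderMetadata != null && openIDProviderMetadata.getAcrValuesSupported() != null
                    ? openIDProviderMetadata.getAcrValuesSupported()
                    : Collections.emptyList();
    try {
        final ClaimsRequest claimsRequest = claimsRequestResolver.resolve(claims);
        // only the id_token acr claim is constrained here; userinfo claims are left to later handlers
        if (claimsRequest.getIdTokenClaims() != null && claimsRequest.getIdTokenClaims().get(Claims.acr) != null) {
            final ClaimRequest acrClaim = claimsRequest.getIdTokenClaims().get(Claims.acr);
            final List<String> acrValuesRequested;
            if (acrClaim.getValue() != null) {
                // "value": a single requested acr
                acrValuesRequested = Collections.singletonList(acrClaim.getValue());
            } else if (acrClaim.getValues() != null) {
                // "values": an ordered list of acceptable acrs
                acrValuesRequested = acrClaim.getValues();
            } else {
                // neither form given: nothing specific was requested, so nothing can be unsupported
                acrValuesRequested = Collections.emptyList();
            }
            if (!acrValuesSupported.containsAll(acrValuesRequested)) {
                throw new InvalidRequestException("Invalid parameter: claims, acr_values requested not supported");
            }
        }
        // normalised form consumed later by the id_token and/or UserInfo endpoint
        context.request().params().set(Parameters.CLAIMS, Json.encode(claimsRequest));
    } catch (ClaimsRequestSyntaxException e) {
        throw new InvalidRequestException("Invalid parameter: claims");
    }
}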

Example 27 with InvalidRequestException


the class AuthorizationRequestParseRequestObjectHandler method handle.

/**
 * Entry point for the request / request_uri handling of the authorization endpoint.
 *
 * <p>Resolution order: a client configured for pushed authorization requests must send a
 * request_uri; under the plain FAPI profile one of request or request_uri is mandatory; otherwise
 * a request carrying neither simply continues down the handler chain. When a request object is
 * present it is parsed (by value when {@code request} is set, by reference otherwise) and its
 * claims are checked against the plain OAuth parameters before the chain continues.
 *
 * <p>NOTE(review): the completion callback passed to subscribe() is {@code context::next}, so a
 * Maybe that completes without emitting a JWT lets the request continue without any request-object
 * checks. Whether handleRequestObjectValue / handleRequestObjectURI can legitimately complete empty
 * is not visible here — confirm, especially for FAPI domains where the object is mandatory.
 *
 * @param context the routing context carrying the raw parameters and the resolved client
 */
@Override
public void handle(RoutingContext context) {
    final String requestParam = context.request().getParam(Parameters.REQUEST);
    final String requestUriParam = context.request().getParam(Parameters.REQUEST_URI);
    final Client client = context.get(CLIENT_CONTEXT_KEY);
    final boolean hasRequestUri = !StringUtils.isEmpty(requestUriParam);
    final boolean hasRequest = !StringUtils.isEmpty(requestParam);

    // PAR-only clients may not fall back to request-by-value or to plain parameters
    if (!hasRequestUri && client != null && client.isRequireParRequest()) {
        context.fail(new InvalidRequestException("Client requires pushed authorization requests, request_uri is expected"));
        return;
    }
    if (!hasRequestUri && !hasRequest) {
        if (this.domain.usePlainFapiProfile()) {
            // https://openid.net/specs/openid-financial-api-part-2-1_0.html#authorization-server
            // the AS shall require a JWS-signed JWT request object, by value (request) or by reference (request_uri)
            context.fail(new InvalidRequestException("Missing parameter: request or request_uri is required for FAPI"));
            return;
        }
        // neither parameter: nothing to parse, hand over to the next handler
        context.next();
        return;
    }

    checkRequestObjectParameters(requestParam, requestUriParam);

    // by-value wins when both parameters are present; the flag drives the error code reported downstream
    context.put(REQUEST_OBJECT_FROM_URI, !hasRequest);
    final Maybe<JWT> requestObject = hasRequest
            ? handleRequestObjectValue(context, requestParam)
            : handleRequestObjectURI(context, requestUriParam);

    requestObject.subscribe(
            jwt -> {
                try {
                    // the request object's claims must agree with the plain OAuth2 parameters
                    checkOAuthParameters(context, jwt);
                    context.next();
                } catch (Exception ex) {
                    context.fail(ex);
                }
            },
            context::fail,
            context::next);
}

Example 28 with InvalidRequestException


the class AuthorizationRequestParseRequestObjectHandler method validateRequestObjectClaims.

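/**
 * Applies the FAPI 1.0 Advanced (part 2, section 5.2.2) constraints to a parsed request object.
 * Outside the plain FAPI profile the JWT is returned untouched.
 *
 * <p>Checks, in order: exp present and in the future; redirect_uri claim present and equal to the
 * redirect_uri query parameter when one was sent; nbf present and exp no more than
 * ONE_HOUR_IN_MILLIS after it; state claim equal to the state query parameter when one was sent;
 * aud equal to (or containing) the OP issuer; scope claim equal to the scope query parameter when
 * one was sent; nonce required with scope openid, state required without it.
 *
 * <p>Security notes: the audience check fails closed — when the provider metadata is missing
 * from the context the issuer cannot be verified and the request object is rejected rather than
 * silently accepted. The openid scope test matches the token exactly within the space-separated
 * scope list (RFC 6749 3.3) instead of as a substring.
 *
 * @param context the routing context (query parameters, provider metadata, REQUEST_OBJECT_FROM_URI flag)
 * @param jwt the parsed request object
 * @return the same jwt on success, or an error Single carrying the OAuth2 error to report
 */
private Single<JWT> validateRequestObjectClaims(RoutingContext context, JWT jwt) {
    if (!this.domain.usePlainFapiProfile()) {
        return Single.just(jwt);
    }
    try {
        // the error code reported depends on how the object reached us (request vs request_uri)
        final boolean fromRequestUri = context.get(REQUEST_OBJECT_FROM_URI);
        final JWTClaimsSet jwtClaimsSet = jwt.getJWTClaimsSet();

        // exp is optional in OIDC Core but mandatory under FAPI, and must not have passed
        final Date exp = jwtClaimsSet.getExpirationTime();
        if (exp == null || exp.before(new Date())) {
            throw generateException(exp == null && fromRequestUri, "Request object must contains valid exp claim");
        }

        // redirect_uri must be carried in the request object and, if also sent as a query
        // parameter, must match it exactly
        final List<String> redirectUri = context.queryParam(io.gravitee.am.common.oauth2.Parameters.REDIRECT_URI);
        final String redirectUriClaim = jwtClaimsSet.getStringClaim(io.gravitee.am.common.oauth2.Parameters.REDIRECT_URI);
        if (redirectUriClaim == null || (redirectUri != null && !redirectUri.isEmpty() && !redirectUriClaim.equals(redirectUri.get(0)))) {
            // drop the query-parameter redirect_uri so AuthorizationRequestParseParametersHandler
            // reports the error matching the client configuration instead of redirecting to an
            // unverified URI
            context.request().params().remove(io.gravitee.am.common.oauth2.Parameters.REDIRECT_URI);
            throw new InvalidRequestException("Missing or invalid redirect_uri");
        }

        // FAPI: nbf is required and exp may be at most 60 minutes after it (the message is historical;
        // the condition rejects an over-long lifetime, not an old object)
        // NOTE(review): an nbf in the future is not rejected here; RFC 7519 4.1.5 says such a token
        // must not be accepted yet — confirm the JWT parsing stage upstream covers it.
        final Date nbf = jwtClaimsSet.getNotBeforeTime();
        if (nbf == null || (nbf.getTime() + ONE_HOUR_IN_MILLIS) < exp.getTime()) {
            throw generateException(fromRequestUri, "Request object older than 60 minutes");
        }

        // a state sent as a plain parameter must be repeated verbatim inside the request object
        final List<String> state = context.queryParam(io.gravitee.am.common.oauth2.Parameters.STATE);
        final String stateClaim = jwtClaimsSet.getStringClaim(io.gravitee.am.common.oauth2.Parameters.STATE);
        if (state != null && !state.isEmpty() && (stateClaim == null || !stateClaim.equals(state.get(0)))) {
            throw generateException(fromRequestUri, "Request object must contains valid state claim");
        }

        // the aud claim shall be, or shall be an array containing, the OP's Issuer Identifier URL;
        // without provider metadata the issuer is unknown, so fail closed rather than skip the check
        final OpenIDProviderMetadata openIDProviderMetadata = context.get(PROVIDER_METADATA_CONTEXT_KEY);
        final List<String> audience = jwtClaimsSet.getAudience();
        if (openIDProviderMetadata == null || audience == null || !audience.contains(openIDProviderMetadata.getIssuer())) {
            throw generateException(fromRequestUri, "Invalid audience claim");
        }

        // a scope sent as a plain parameter must be repeated verbatim inside the request object
        final List<String> scope = context.queryParam(io.gravitee.am.common.oauth2.Parameters.SCOPE);
        final String scopeClaim = jwtClaimsSet.getStringClaim(Claims.scope);
        if (scope != null && !scope.isEmpty() && (scopeClaim == null || !scopeClaim.equals(scope.get(0)))) {
            throw generateException(fromRequestUri, "Request object must contains valid scope claim");
        }

        // scope is a space-delimited list (RFC 6749 3.3): look for the "openid" token, not a substring
        final boolean requestsOpenId = scopeClaim != null && (" " + scopeClaim + " ").contains(" openid ");
        if (requestsOpenId && StringUtils.isEmpty(jwtClaimsSet.getStringClaim(Parameters.NONCE))) {
            // with the openid scope the authorization server shall require the nonce parameter
            throw generateException(fromRequestUri, "Scope openid expect the nonce parameter defined");
        }
        if (!requestsOpenId && StringUtils.isEmpty(stateClaim)) {
            // without the openid scope the authorization server shall require the state parameter
            throw generateException(fromRequestUri, "Absence of scope openid expect the state parameter defined");
        }
    } catch (OAuth2Exception e) {
        return Single.error(e);
    } catch (ParseException e) {
        // a claim of the wrong JSON type (e.g. scope given as an array) makes the object unusable
        return Single.error(new InvalidRequestObjectException());
    }
    return Single.just(jwt);
}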

Example 29 with InvalidRequestException


the class PushedAuthorizationRequestEndpoint method handle.

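/**
 * Pushed Authorization Request endpoint (RFC 9126). Accepts the authorization request parameters
 * as an application/x-www-form-urlencoded body, registers them through {@code parService} and
 * answers 201 Created with the service's JSON response.
 *
 * <p>Security notes: the client must already have been authenticated by an earlier handler (it is
 * read from {@code CLIENT_CONTEXT_KEY}), otherwise invalid_client is raised. The response carries
 * Cache-Control: no-store and Pragma: no-cache because it contains the request_uri the client will
 * present at the authorization endpoint. The media-type comparison ignores case, as RFC 7231
 * 3.1.1.1 requires for type/subtype, while still accepting parameters such as ";charset=UTF-8".
 * NOTE(review): RFC 9126 2.1 forbids a request_uri parameter inside a PAR request; whether
 * extractRequestParameters or parService rejects it is not visible here — confirm.
 *
 * @param context the routing context carrying the authenticated client and the form body
 * @throws InvalidClientException if no authenticated client is present in the context
 * @throws InvalidRequestException if the request body is not form-urlencoded
 */
@Override
public void handle(RoutingContext context) {
    // Confidential clients or other clients issued client credentials MUST
    // authenticate with the authorization server when making requests to the pushed authorization request endpoint.
    final Client client = context.get(CLIENT_CONTEXT_KEY);
    if (client == null) {
        throw new InvalidClientException();
    }
    final String contentType = context.request().getHeader(HttpHeaders.CONTENT_TYPE);
    if (!isFormUrlEncoded(contentType)) {
        throw new InvalidRequestException("Unsupported Content-Type");
    }
    final PushedAuthorizationRequest request = new PushedAuthorizationRequest();
    request.setParameters(extractRequestParameters(context.request()));
    request.setClient(client.getClientId());
    parService.registerParameters(request, client).subscribe(
            response -> context.response()
                    .setStatusCode(HttpStatusCode.CREATED_201)
                    .putHeader(io.gravitee.common.http.HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON)
                    // the request_uri must never be served from a cache
                    .putHeader(io.gravitee.common.http.HttpHeaders.CACHE_CONTROL, "no-store")
                    .putHeader(io.gravitee.common.http.HttpHeaders.PRAGMA, "no-cache")
                    .end(Json.encodePrettily(response)),
            context::fail);
}

/** True when the media type, ignoring case and any trailing parameters, is application/x-www-form-urlencoded. */
private static boolean isFormUrlEncoded(String contentType) {
    final String expected = URLEncodedUtils.CONTENT_TYPE;
    return contentType != null && contentType.regionMatches(true, 0, expected, 0, expected.length());
}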

Example 30 with InvalidRequestException


the class TokenRequestParseHandler method parseRequestParameters.

/**
 * Rejects a token request that repeats any parameter. RFC 6749 3.2 states that request
 * parameters MUST NOT be included more than once and that such a request is invalid_request;
 * refusing the whole request also closes the HTTP parameter-pollution trick of sending a second
 * value and hoping the server picks it.
 *
 * @param context the routing context whose request parameters are inspected
 * @throws InvalidRequestException on the first parameter found more than once
 */
private void parseRequestParameters(RoutingContext context) {
    final MultiMap params = context.request().params();
    for (String name : params.names()) {
        // getAll() returns every value bound to the name; more than one means a repeated parameter
        if (params.getAll(name).size() > 1) {
            throw new InvalidRequestException("Parameter [" + name + "] is included more than once");
        }
    }
}
