Example 36 with InvalidRequestException

Use of io.gravitee.am.common.exception.oauth2.InvalidRequestException in project gravitee-access-management by gravitee-io.

The class ResourceRegistrationEndpointTest, method update_invalidResourceBody.

@Test
public void update_invalidResourceBody() {
    // A body that carries only a description is incomplete; the endpoint must reject it
    // by failing the routing context with an InvalidRequestException.
    when(context.getBodyAsJson()).thenReturn(new JsonObject("{\"description\":\"mydescription\"}"));
    endpoint.update(context);
    verify(context).fail(errCaptor.capture());
    Assert.assertTrue(errCaptor.getValue() instanceof InvalidRequestException);
}
Also used: JsonObject(io.vertx.core.json.JsonObject) InvalidRequestException(io.gravitee.am.common.exception.oauth2.InvalidRequestException) Test(org.junit.Test)

Example 37 with InvalidRequestException

Use of io.gravitee.am.common.exception.oauth2.InvalidRequestException in project gravitee-access-management by gravitee-io.

The class AbstractLogoutEndpoint, method doRedirect.

/**
 * Redirection to RP After Logout
 *
 * In some cases, the RP will request that the End-User's User Agent be redirected back to the RP after a logout has been performed.
 *
 * Post-logout redirection is only done when the logout is RP-initiated, in which case the redirection target is the post_logout_redirect_uri parameter value sent by the initiating RP.
 *
 * An id_token_hint carrying an ID Token for the RP is also REQUIRED when requesting post-logout redirection;
 * if it is not supplied with post_logout_redirect_uri, the OP MUST NOT perform post-logout redirection.
 *
 * The OP also MUST NOT perform post-logout redirection if the post_logout_redirect_uri value supplied does not exactly match one of the previously registered post_logout_redirect_uris values.
 *
 * The post-logout redirection is performed after the OP has finished notifying the RPs that logged in with the OP for that End-User that they are to log out the End-User.
 *
 * @param client the OAuth 2.0 client
 * @param routingContext the routing context
 * @param endSessionEndpoint the End Session Endpoint of the OIDC provider that supplied the User info
 */
protected void doRedirect(Client client, RoutingContext routingContext, String endSessionEndpoint) {
    final HttpServerRequest request = routingContext.request();
    // validate request
    // see https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
    // An id_token_hint is REQUIRED when the post_logout_redirect_uri parameter is included.
    // for back-compatibility purpose, we skip this validation
    // see https://github.com/gravitee-io/issues/issues/5163
    /*if (request.getParam(Parameters.POST_LOGOUT_REDIRECT_URI) != null &&
                request.getParam(Parameters.ID_TOKEN_HINT) == null) {
            routingContext.fail(new InvalidRequestException("Missing parameter: id_token_hint"));
            return;
        }*/
    // redirect to target url
    String logoutRedirectUrl = getLogoutRedirectUrl(request.params());
    final MultiMap originalLogoutQueryParams = routingContext.get(ConstantKeys.PARAM_CONTEXT_KEY);
    if (originalLogoutQueryParams != null) {
        // the redirect was triggered by the LogoutCallbackEndpoint: extract the redirect URL from the initial logout request
        logoutRedirectUrl = getLogoutRedirectUrl(originalLogoutQueryParams);
        // clear state set by AM during the OP EndUserSession call
        routingContext.request().params().remove(io.gravitee.am.common.oauth2.Parameters.STATE);
        // restore parameters from the original logout request
        for (Map.Entry<String, String> entry : originalLogoutQueryParams.entries()) {
            if (!(LOGOUT_URL_PARAMETER.equals(entry.getKey()) || Parameters.POST_LOGOUT_REDIRECT_URI.equals(entry.getKey()))) {
                routingContext.request().params().add(entry.getKey(), originalLogoutQueryParams.get(entry.getKey()));
            }
        }
    }
    // The OP also MUST NOT perform post-logout redirection if the post_logout_redirect_uri value supplied
    // does not exactly match one of the previously registered post_logout_redirect_uris values.
    // if client is null, check security domain options
    List<String> registeredUris = client != null ? client.getPostLogoutRedirectUris() : (domain.getOidc() != null ? domain.getOidc().getPostLogoutRedirectUris() : null);
    if (!isMatchingRedirectUri(logoutRedirectUrl, registeredUris)) {
        routingContext.fail(new InvalidRequestException("The post_logout_redirect_uri MUST match the registered callback URLs"));
        return;
    }
    // redirect the End-User
    doRedirect0(routingContext, endSessionEndpoint == null ? logoutRedirectUrl : endSessionEndpoint);
}
Also used: MultiMap(io.vertx.reactivex.core.MultiMap) HttpServerRequest(io.vertx.reactivex.core.http.HttpServerRequest) InvalidRequestException(io.gravitee.am.common.exception.oauth2.InvalidRequestException) HashMap(java.util.HashMap) Map(java.util.Map)
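The two rules quoted in the Javadoc above (id_token_hint is REQUIRED alongside post_logout_redirect_uri, and the supplied value must exactly match a registered one) are the whole defence against an OP being used as an open redirector at logout time. The snippet below is an added, stand-alone illustration of those rules, not code from gravitee-access-management: the class name PostLogoutRedirectValidator, the methods validate and isExactMatch, and the parameter map are assumptions. Unlike the project's doRedirect, which deliberately skips the id_token_hint check for backward compatibility, this version enforces both rules as the specification states them.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Map;
import java.util.Optional;

// Hypothetical validator for RP-initiated logout redirection (not a gravitee-access-management class).
public final class PostLogoutRedirectValidator {

    /**
     * Returns the refusal reason, or an empty Optional when redirection to the supplied
     * post_logout_redirect_uri is permitted. Parameter names follow the OIDC RP-Initiated
     * Logout specification; the map stands in for the request's query parameters.
     */
    public static Optional<String> validate(Map<String, String> params, List<String> registeredUris) {
        String target = params.get("post_logout_redirect_uri");
        if (target == null || target.isBlank()) {
            // No RP-supplied target: nothing to validate, the OP shows its own post-logout page.
            return Optional.empty();
        }
        // Rule 1: an id_token_hint is REQUIRED whenever post_logout_redirect_uri is present.
        if (params.get("id_token_hint") == null) {
            return Optional.of("Missing parameter: id_token_hint");
        }
        // Rule 2: the supplied value MUST exactly match one of the registered values.
        if (!isExactMatch(target, registeredUris)) {
            return Optional.of("The post_logout_redirect_uri MUST match the registered callback URLs");
        }
        return Optional.empty();
    }

    /**
     * Exact string comparison only: no prefix, suffix, host-only or wildcard matching,
     * because each of those relaxations lets a registered value be extended into an
     * arbitrary destination.
     */
    static boolean isExactMatch(String supplied, List<String> registeredUris) {
        if (registeredUris == null || registeredUris.isEmpty()) {
            // Nothing registered means RP-initiated redirection is simply not available.
            return false;
        }
        try {
            new URI(supplied); // reject values that are not even syntactically a URI
        } catch (URISyntaxException e) {
            return false;
        }
        return registeredUris.stream().anyMatch(supplied::equals);
    }

    public static void main(String[] args) {
        // Constructed sample data for illustration.
        List<String> registered = List.of("https://rp.example/logged-out");

        // Allowed: exact match and an id_token_hint present.
        System.out.println(validate(
                Map.of("post_logout_redirect_uri", "https://rp.example/logged-out",
                       "id_token_hint", "<constructed-id-token>"), registered));
        // Refused: post_logout_redirect_uri without id_token_hint.
        System.out.println(validate(
                Map.of("post_logout_redirect_uri", "https://rp.example/logged-out"), registered));
        // Refused: a prefix match would have accepted this, exact matching does not.
        System.out.println(validate(
                Map.of("post_logout_redirect_uri", "https://rp.example/logged-out/extra",
                       "id_token_hint", "<constructed-id-token>"), registered));
        // Refused: host differs even though it starts with the registered host name.
        System.out.println(validate(
                Map.of("post_logout_redirect_uri", "https://rp.example.other.test/logged-out",
                       "id_token_hint", "<constructed-id-token>"), registered));
    }
}
```

When a check like this fails, respond the way doRedirect does: fail the request with an InvalidRequestException rather than falling back to the supplied target, so that a mismatched post_logout_redirect_uri never becomes a redirect.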
