Example 1 with OAuth2AuthResponse

Use of io.gravitee.am.gateway.handler.common.vertx.web.auth.handler.OAuth2AuthResponse in the project gravitee-access-management by gravitee-io.

From the class OAuth2AuthHandlerImpl, method handle. The handler parses the bearer token from the request, has the OAuth2 auth provider decode and verify it, and then applies the checks configured on the handler instance (extractRawToken, extractToken, extractClient, selfResource, forceEndUserToken, forceClientToken, requiredScope) before passing the request on with context.next():

@Override
public void handle(RoutingContext context) {
    // 1. Extract the bearer token from the request; a parse failure is
    //    turned into an HTTP error by processException and stops the chain.
    parseAuthorization(context, parseHandler -> {
        if (parseHandler.failed()) {
            processException(context, parseHandler.cause());
            return;
        }
        final String jwtToken = parseHandler.result();
        // set raw token to the current context
        if (extractRawToken) {
            context.put(ConstantKeys.RAW_TOKEN_CONTEXT_KEY, jwtToken);
        }
        // 2. Decode and verify the JWT through the auth provider; the
        //    offlineVerification flag is passed through to the provider.
        oAuth2AuthProvider.decodeToken(jwtToken, offlineVerification, handler -> {
            if (handler.failed()) {
                processException(context, handler.cause());
                return;
            }
            OAuth2AuthResponse response = handler.result();
            JWT token = response.getToken();
            Client client = response.getClient();
            // set token to the current context
            if (extractToken) {
                context.put(ConstantKeys.TOKEN_CONTEXT_KEY, token);
            }
            // set client to the current context
            if (extractClient) {
                context.put(ConstantKeys.CLIENT_CONTEXT_KEY, client);
            }
            // 3. check if current subject can access its own resources:
            //    when the resource id in the request equals the token subject
            //    (and the optional resourceRequiredScope is present) the request
            //    is admitted here, so the checks below are not evaluated for it
            if (selfResource) {
                final String resourceId = context.request().getParam(resourceParameter);
                if (resourceId != null && resourceId.equals(token.getSub())) {
                    if (resourceRequiredScope == null || token.hasScope(resourceRequiredScope)) {
                        context.next();
                        return;
                    }
                }
            }
            // 4. sub == aud marks a token issued to the client itself
            //    (client_credentials); sub != aud marks an end-user token
            if (forceEndUserToken) {
                if (token.getSub().equals(token.getAud())) {
                    // token for end user must not contain clientId as subject
                    processException(context, new InvalidTokenException("The access token was not issued for an End-User"));
                    return;
                }
            }
            if (forceClientToken) {
                if (!token.getSub().equals(token.getAud())) {
                    // token for a client must carry the clientId as subject (sub == aud)
                    processException(context, new InvalidTokenException("The access token was not issued for a Client"));
                    return;
                }
            }
            // 5. check required scope for the route
            if (requiredScope != null) {
                if (!token.hasScope(requiredScope)) {
                    processException(context, new InsufficientScopeException("Invalid access token scopes. The access token should have at least '" + requiredScope + "' scope"));
                    return;
                }
            }
            context.next();
        });
    });
}
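The following is an added example, not Gravitee AM code: it re-implements the decision logic of handle above as a stand-alone Python function so the order of the checks can be exercised offline. The Token and HandlerConfig classes, the "userId" parameter name and the sample tokens are constructed for this example; the project's JWT, Client and RoutingContext types are not used. It assumes, as the Java comparison token.getSub().equals(token.getAud()) does, that aud is a single string.

```python
"""Model of the access-token checks in OAuth2AuthHandlerImpl.handle.

Added example, not project code. Claim names follow RFC 7519 (sub, aud)
and RFC 6749 (space-delimited scope); 'aud' is treated as one string,
mirroring the Java comparison of getSub() and getAud().
"""
from dataclasses import dataclass
from typing import Optional


class InvalidTokenException(Exception):
    """Token verified, but not issued for the party this route expects."""


class InsufficientScopeException(Exception):
    """Token lacks a scope the route requires."""


@dataclass(frozen=True)
class Token:
    sub: str            # subject: user id, or the client id for client_credentials
    aud: str            # audience: the client the token was issued to
    scope: str = ""     # space-delimited 'scope' claim

    def has_scope(self, required: str) -> bool:
        return required in self.scope.split()


@dataclass(frozen=True)
class HandlerConfig:
    """The flags the Java handler consults; all off by default (assumed)."""
    self_resource: bool = False
    resource_parameter: str = "userId"          # assumed path-parameter name
    resource_required_scope: Optional[str] = None
    force_end_user_token: bool = False
    force_client_token: bool = False
    required_scope: Optional[str] = None


def authorize(cfg: HandlerConfig, token: Token, params: dict) -> str:
    """Apply the checks in the same order as the Java handler.

    Returns "self" when the self-resource shortcut admitted the request,
    "ok" when the general checks passed; raises otherwise.
    """
    # 1. Self-resource shortcut: a subject acting on its own resource is
    #    admitted here, so the token-type and requiredScope checks below are
    #    never evaluated for that request.
    if cfg.self_resource:
        resource_id = params.get(cfg.resource_parameter)
        if resource_id is not None and resource_id == token.sub:
            if cfg.resource_required_scope is None or token.has_scope(cfg.resource_required_scope):
                return "self"
    # 2. sub == aud is the handler's signal for a client_credentials token;
    #    sub != aud means an end-user token.
    if cfg.force_end_user_token and token.sub == token.aud:
        raise InvalidTokenException("The access token was not issued for an End-User")
    if cfg.force_client_token and token.sub != token.aud:
        raise InvalidTokenException("The access token was not issued for a Client")
    # 3. Route-level scope requirement.
    if cfg.required_scope is not None and not token.has_scope(cfg.required_scope):
        raise InsufficientScopeException(
            f"Invalid access token scopes. The access token should have at least "
            f"'{cfg.required_scope}' scope")
    return "ok"


def outcome(cfg: HandlerConfig, token: Token, params: dict) -> str:
    """Result string, or the name of the exception the handler would raise."""
    try:
        return authorize(cfg, token, params)
    except (InvalidTokenException, InsufficientScopeException) as exc:
        return type(exc).__name__


# Constructed sample tokens (not real JWTs), both issued to client-abc.
CLIENT_TOKEN = Token(sub="client-abc", aud="client-abc", scope="openid")
USER_TOKEN = Token(sub="user-42", aud="client-abc", scope="openid profile")


def run_scenarios() -> dict:
    """Exercise every branch; returns a scenario-name -> outcome mapping."""
    end_user_only = HandlerConfig(force_end_user_token=True)
    client_only = HandlerConfig(force_client_token=True)
    # A /users/:userId route: a user may read its own record with 'openid',
    # anything else needs 'admin' and an end-user token.
    users_route = HandlerConfig(self_resource=True, resource_parameter="userId",
                                resource_required_scope="openid",
                                required_scope="admin", force_end_user_token=True)
    return {
        "client token, end-user route": outcome(end_user_only, CLIENT_TOKEN, {}),
        "user token, end-user route": outcome(end_user_only, USER_TOKEN, {}),
        "user token, client route": outcome(client_only, USER_TOKEN, {}),
        "client token, client route": outcome(client_only, CLIENT_TOKEN, {}),
        # self-resource match admits the user although 'admin' is missing
        "user reads own record": outcome(users_route, USER_TOKEN, {"userId": "user-42"}),
        # other resource id: falls through to the 'admin' requirement
        "user reads other record": outcome(users_route, USER_TOKEN, {"userId": "user-7"}),
        # client token on the same route: rejected by forceEndUserToken
        "client reads other record": outcome(users_route, CLIENT_TOKEN, {"userId": "user-7"}),
        # resource id equal to the client id: the shortcut fires before the
        # end-user check, so a client token is admitted as "self"
        "client reads record named after itself": outcome(users_route, CLIENT_TOKEN, {"userId": "client-abc"}),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:40} -> {result}")
```

The last scenario is the one worth keeping in mind when enabling selfResource on a route that also sets forceEndUserToken: the self-resource comparison only checks resourceId against sub, so the resource parameter namespace should not overlap with client ids.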
Also used:
OAuth2AuthResponse (io.gravitee.am.gateway.handler.common.vertx.web.auth.handler.OAuth2AuthResponse)
InvalidTokenException (io.gravitee.am.common.exception.oauth2.InvalidTokenException)
InsufficientScopeException (io.gravitee.am.common.exception.oauth2.InsufficientScopeException)
JWT (io.gravitee.am.common.jwt.JWT)
Client (io.gravitee.am.model.oidc.Client)

Aggregations

InsufficientScopeException (io.gravitee.am.common.exception.oauth2.InsufficientScopeException): 1 usage
InvalidTokenException (io.gravitee.am.common.exception.oauth2.InvalidTokenException): 1 usage
JWT (io.gravitee.am.common.jwt.JWT): 1 usage
OAuth2AuthResponse (io.gravitee.am.gateway.handler.common.vertx.web.auth.handler.OAuth2AuthResponse): 1 usage
Client (io.gravitee.am.model.oidc.Client): 1 usage