Use of io.gravitee.am.gateway.handler.oauth2.exception.RedirectMismatchException in project gravitee-access-management by gravitee-io:
the class AuthorizationRequestFailureHandler, method processOAuth2Exception.
/**
 * Turns an OAuth2 error raised while handling an authorization request into the redirect
 * the user agent should receive, and passes the resulting URL to {@code handler}.
 *
 * <p>The error is only sent to the request's {@code redirect_uri} when that URI can be
 * trusted; otherwise the user is sent to {@code defaultErrorURL}. The default error page is
 * used when:
 * <ul>
 *   <li>no client id, no client or no {@code redirect_uri} is available,</li>
 *   <li>the error itself is a {@link RedirectMismatchException},</li>
 *   <li>the client has registered redirect URIs and the requested one is not among them
 *       (exact match), or</li>
 *   <li>the error is an {@link InvalidRequestObjectException} and no request object was
 *       stored in the routing context.</li>
 * </ul>
 *
 * <p>When a JWT response mode was requested ({@code response_mode} ending in {@code "jwt"})
 * the error parameters are carried in a JWT produced by {@code jwtService} and
 * {@code jweService}; its expiry reuses the authorization code validity.
 *
 * @param authorizationRequest the failed authorization request; its redirect URI is
 *     overwritten with {@code defaultErrorURL} when it cannot be trusted
 * @param oAuth2Exception the error to report
 * @param client the client the request was made for, or {@code null} if unknown
 * @param defaultErrorURL the gateway's own error page
 * @param context the routing context of the current request
 * @param handler receives the redirect URL, or the failure if building it threw
 */
private void processOAuth2Exception(AuthorizationRequest authorizationRequest, OAuth2Exception oAuth2Exception, Client client, String defaultErrorURL, RoutingContext context, Handler<AsyncResult<String>> handler) {
    if (mustUseDefaultErrorPage(authorizationRequest, oAuth2Exception, client, context)) {
        authorizationRequest.setRedirectUri(defaultErrorURL);
    }

    try {
        final String responseMode = authorizationRequest.getResponseMode();
        final boolean jwtResponseMode = client != null && responseMode != null && responseMode.endsWith("jwt");
        if (!jwtResponseMode) {
            // Plain response mode: error code and description travel as redirect parameters.
            final String redirect = buildRedirectUri(oAuth2Exception.getOAuth2ErrorCode(), oAuth2Exception.getMessage(), authorizationRequest, context);
            handler.handle(Future.succeededFuture(redirect));
            return;
        }

        // JWT response mode: the error parameters are carried inside a JWT.
        final JWTOAuth2Exception jwtError = new JWTOAuth2Exception(oAuth2Exception, authorizationRequest.getState());
        jwtError.setIss(openIDDiscoveryService.getIssuer(authorizationRequest.getOrigin()));
        jwtError.setAud(client.getClientId());
        // Nothing specifies the expiry of an error JWT; the authorization code validity is reused.
        jwtError.setExp(Instant.now().plusSeconds(this.codeValidityInSec).getEpochSecond());
        // encodeAuthorization/encryptAuthorization apply the client's signing/encryption settings
        // (see their implementations); the resulting token is placed in the redirect.
        jwtService.encodeAuthorization(jwtError.build(), client)
                .flatMap(encoded -> jweService.encryptAuthorization(encoded, client))
                .subscribe(
                        jwt -> handler.handle(Future.succeededFuture(jwtError.buildRedirectUri(authorizationRequest.getRedirectUri(), authorizationRequest.getResponseType(), authorizationRequest.getResponseMode(), jwt))),
                        ex -> handler.handle(Future.failedFuture(ex)));
    } catch (Exception e) {
        handler.handle(Future.failedFuture(e));
    }
}

/**
 * Decides whether the error must be shown on the gateway's error page instead of being
 * redirected to the request's {@code redirect_uri}.
 *
 * @return {@code true} when the request's redirect URI must not be used
 */
private boolean mustUseDefaultErrorPage(AuthorizationRequest authorizationRequest, OAuth2Exception oAuth2Exception, Client client, RoutingContext context) {
    final String clientId = authorizationRequest.getClientId();
    final String redirectUri = authorizationRequest.getRedirectUri();
    // No client or no redirect_uri: there is nowhere trustworthy to send the error.
    if (clientId == null || client == null || redirectUri == null) {
        return true;
    }
    // The redirect_uri itself was rejected: never redirect to it.
    if (oAuth2Exception instanceof RedirectMismatchException) {
        return true;
    }
    // The redirect_uri must exactly match one of the client's registered URIs.
    // NOTE(review): when the client has no registered redirect URIs the supplied
    // redirect_uri is not checked here — confirm it is validated upstream.
    if (client.getRedirectUris() != null && !client.getRedirectUris().contains(redirectUri)) {
        return true;
    }
    // Invalid request object with nothing stored in the context: fall back to the error
    // page rather than redirecting with a response mode that never got validated.
    return oAuth2Exception instanceof InvalidRequestObjectException
            && context.get(ConstantKeys.REQUEST_OBJECT_KEY) == null;
}