Example 1 with AuthorizationRequest

Use of io.gravitee.am.gateway.handler.oauth2.service.request.AuthorizationRequest in project gravitee-access-management by gravitee-io.

Class AuthorizationCodeFlow, method prepareResponse.

@Override
protected Single<AuthorizationResponse> prepareResponse(AuthorizationRequest authorizationRequest, Client client, User endUser) {
    return authorizationCodeService.create(authorizationRequest, endUser).map(code -> {
        AuthorizationCodeResponse response = new AuthorizationCodeResponse();
        response.setRedirectUri(authorizationRequest.getRedirectUri());
        response.setCode(code.getCode());
        response.setState(authorizationRequest.getState());
        return response;
    });
}
Also used: AuthorizationCodeResponse (io.gravitee.am.gateway.handler.oauth2.service.response.AuthorizationCodeResponse)

Example 2 with AuthorizationRequest

Use of io.gravitee.am.gateway.handler.oauth2.service.request.AuthorizationRequest in project gravitee-access-management by gravitee-io.

Class ImplicitFlow, method prepareResponse.

@Override
protected Single<AuthorizationResponse> prepareResponse(AuthorizationRequest authorizationRequest, Client client, User endUser) {
    OAuth2Request oAuth2Request = authorizationRequest.createOAuth2Request();
    oAuth2Request.setGrantType(GrantType.IMPLICIT);
    oAuth2Request.setSupportRefreshToken(false);
    oAuth2Request.setSubject(endUser.getId());
    oAuth2Request.getContext().put(Claims.s_hash, authorizationRequest.getState());
    if (io.gravitee.am.common.oidc.ResponseType.ID_TOKEN.equals(authorizationRequest.getResponseType())) {
        return idTokenService.create(oAuth2Request, client, endUser).map(idToken -> {
            IDTokenResponse response = new IDTokenResponse();
            response.setRedirectUri(authorizationRequest.getRedirectUri());
            response.setIdToken(idToken);
            response.setState(authorizationRequest.getState());
            return response;
        });
    } else {
        return tokenService.create(oAuth2Request, client, endUser).map(accessToken -> {
            ImplicitResponse response = new ImplicitResponse();
            response.setRedirectUri(authorizationRequest.getRedirectUri());
            response.setAccessToken(accessToken);
            response.setState(authorizationRequest.getState());
            return response;
        });
    }
}
Also used: OAuth2Request (io.gravitee.am.gateway.handler.oauth2.service.request.OAuth2Request), ImplicitResponse (io.gravitee.am.gateway.handler.oauth2.service.response.ImplicitResponse), IDTokenResponse (io.gravitee.am.gateway.handler.oauth2.service.response.IDTokenResponse)

Example 3 with AuthorizationRequest

Use of io.gravitee.am.gateway.handler.oauth2.service.request.AuthorizationRequest in project gravitee-access-management by gravitee-io.

Class UserConsentPrepareContextHandler, method handle.

@Override
public void handle(RoutingContext routingContext) {
    // the user must be redirected here after an authorization request
    AuthorizationRequest authorizationRequest = routingContext.get(ConstantKeys.AUTHORIZATION_REQUEST_CONTEXT_KEY);
    if (authorizationRequest == null) {
        routingContext.response().setStatusCode(400).end("An authorization request is required to handle user approval");
        return;
    }
    // check that the request carries an authenticated gateway user
    User authenticatedUser = routingContext.user();
    if (authenticatedUser == null || !(authenticatedUser.getDelegate() instanceof io.gravitee.am.gateway.handler.common.vertx.web.auth.user.User)) {
        routingContext.fail(new AccessDeniedException());
        return;
    }
    // prepare context: expose a copy of the client with the secret stripped
    Client safeClient = new Client(routingContext.get(ConstantKeys.CLIENT_CONTEXT_KEY));
    safeClient.setClientSecret(null);
    io.gravitee.am.model.User user = ((io.gravitee.am.gateway.handler.common.vertx.web.auth.user.User) authenticatedUser.getDelegate()).getUser();
    prepareContext(routingContext, safeClient, user);
    routingContext.next();
}
Also used: AccessDeniedException (io.gravitee.am.gateway.handler.oauth2.exception.AccessDeniedException), AuthorizationRequest (io.gravitee.am.gateway.handler.oauth2.service.request.AuthorizationRequest), User (io.vertx.reactivex.ext.auth.User), Client (io.gravitee.am.model.oidc.Client)

Example 4 with AuthorizationRequest

Use of io.gravitee.am.gateway.handler.oauth2.service.request.AuthorizationRequest in project gravitee-access-management by gravitee-io.

Class AuthorizationRequestFactory, method create.

public AuthorizationRequest create(RoutingContext context) {
    HttpServerRequest request = context.request();
    AuthorizationRequest authorizationRequest = new AuthorizationRequest();
    // set technical information
    authorizationRequest.setTimestamp(System.currentTimeMillis());
    authorizationRequest.setId(RandomString.generate());
    if (context.session() != null) {
        authorizationRequest.setTransactionId(context.session().get(ConstantKeys.TRANSACTION_ID_KEY));
    }
    if (context.get(ConstantKeys.AUTH_FLOW_CONTEXT_KEY) != null) {
        AuthenticationFlowContext authFlowContext = context.get(ConstantKeys.AUTH_FLOW_CONTEXT_KEY);
        authorizationRequest.setContextVersion(authFlowContext.getVersion());
        authorizationRequest.getContext().put(ConstantKeys.AUTH_FLOW_CONTEXT_ATTRIBUTES_KEY, authFlowContext.getData());
    }
    authorizationRequest.setUri(request.uri());
    authorizationRequest.setOrigin(extractOrigin(context));
    authorizationRequest.setContextPath(request.path() != null ? request.path().split("/")[0] : null);
    authorizationRequest.setPath(request.path());
    authorizationRequest.setHeaders(extractHeaders(request));
    authorizationRequest.setParameters(extractRequestParameters(request));
    authorizationRequest.setSslSession(request.sslSession());
    authorizationRequest.setMethod(request.method() != null ? HttpMethod.valueOf(request.method().name()) : null);
    authorizationRequest.setScheme(request.scheme());
    authorizationRequest.setVersion(request.version() != null ? HttpVersion.valueOf(request.version().name()) : null);
    authorizationRequest.setRemoteAddress(request.remoteAddress() != null ? request.remoteAddress().host() : null);
    authorizationRequest.setLocalAddress(request.localAddress() != null ? request.localAddress().host() : null);
    authorizationRequest.setHttpResponse(new VertxHttpServerResponse(request.getDelegate(), new VertxHttpServerRequest(request.getDelegate()).metrics()));
    // set OAuth 2.0 information
    authorizationRequest.setClientId(request.params().get(Parameters.CLIENT_ID));
    authorizationRequest.setResponseType(getOAuthParameter(context, Parameters.RESPONSE_TYPE));
    authorizationRequest.setRedirectUri(getOAuthParameter(context, Parameters.REDIRECT_URI));
    String scope = getOAuthParameter(context, Parameters.SCOPE);
    authorizationRequest.setScopes(scope != null && !scope.isEmpty() ? new HashSet<>(Arrays.asList(scope.split("\\s+"))) : null);
    authorizationRequest.setState(getOAuthParameter(context, Parameters.STATE));
    authorizationRequest.setResponseMode(getOAuthParameter(context, Parameters.RESPONSE_MODE));
    authorizationRequest.setAdditionalParameters(extractAdditionalParameters(request));
    authorizationRequest.setApproved(context.session() != null && Boolean.TRUE.equals(context.session().get(ConstantKeys.USER_CONSENT_APPROVED_KEY)));
    // set OIDC information
    String prompt = getOAuthParameter(context, io.gravitee.am.common.oidc.Parameters.PROMPT);
    authorizationRequest.setPrompts(prompt != null ? new HashSet<>(Arrays.asList(prompt.split("\\s+"))) : Collections.emptySet());
    if (authorizationRequest.getParameters() == null) {
        authorizationRequest.setParameters(new LinkedMultiValueMap<>());
    }
    String nonce = getOAuthParameter(context, io.gravitee.am.common.oidc.Parameters.NONCE);
    if (nonce != null) {
        authorizationRequest.getParameters().put(io.gravitee.am.common.oidc.Parameters.NONCE, List.of(nonce));
    }
    String codeChallenge = getOAuthParameter(context, Parameters.CODE_CHALLENGE);
    if (codeChallenge != null) {
        authorizationRequest.getParameters().put(Parameters.CODE_CHALLENGE, List.of(codeChallenge));
    }
    String codeChallengeMethod = getOAuthParameter(context, Parameters.CODE_CHALLENGE_METHOD);
    if (codeChallengeMethod != null) {
        authorizationRequest.getParameters().put(Parameters.CODE_CHALLENGE_METHOD, List.of(codeChallengeMethod));
    }
    // store authorization request in context for later use
    context.put(ConstantKeys.AUTHORIZATION_REQUEST_CONTEXT_KEY, authorizationRequest);
    return authorizationRequest;
}
Also used: AuthorizationRequest (io.gravitee.am.gateway.handler.oauth2.service.request.AuthorizationRequest), AuthenticationFlowContext (io.gravitee.am.model.AuthenticationFlowContext), HttpServerRequest (io.vertx.reactivex.core.http.HttpServerRequest), VertxHttpServerRequest (io.gravitee.am.gateway.handler.common.vertx.core.http.VertxHttpServerRequest), VertxHttpServerResponse (io.gravitee.am.gateway.handler.common.vertx.core.http.VertxHttpServerResponse), RandomString (io.gravitee.am.common.utils.RandomString)

Example 5 with AuthorizationRequest

Use of io.gravitee.am.gateway.handler.oauth2.service.request.AuthorizationRequest in project gravitee-access-management by gravitee-io.

Class AuthorizationRequestEndUserConsentHandler, method handle.

@Override
public void handle(RoutingContext routingContext) {
    final Session session = routingContext.session();
    final HttpServerRequest request = routingContext.request();
    final Client client = routingContext.get(CLIENT_CONTEXT_KEY);
    final io.gravitee.am.model.User user = routingContext.user() != null ? ((User) routingContext.user().getDelegate()).getUser() : null;
    final AuthorizationRequest authorizationRequest = routingContext.get(AUTHORIZATION_REQUEST_CONTEXT_KEY);
    final Set<String> requestedConsent = authorizationRequest.getScopes();
    // no consent to check, continue
    if (requestedConsent == null || requestedConsent.isEmpty()) {
        routingContext.next();
        return;
    }
    // check whether the user has already completed the consent step in this session
    if (Boolean.TRUE.equals(session.get(ConstantKeys.USER_CONSENT_COMPLETED_KEY))) {
        if (authorizationRequest.isApproved()) {
            routingContext.next();
            return;
        }
        // if prompt=none and the Client does not have pre-configured consent for the requested Claims, throw interaction_required exception
        // https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
        String prompt = getOAuthParameter(routingContext, Parameters.PROMPT);
        if (prompt != null && Arrays.asList(prompt.split("\\s+")).contains("none")) {
            routingContext.fail(new InteractionRequiredException("Interaction required"));
        } else {
            routingContext.fail(new AccessDeniedException("User denied access"));
        }
        return;
    }
    // the application forced the consent screen (prompt=consent):
    // go to the user consent page
    final String prompt = getOAuthParameter(routingContext, Parameters.PROMPT);
    if (prompt != null && prompt.contains("consent")) {
        redirectToConsentPage(routingContext);
        return;
    }
    // check whether the application has enabled the skip-consent option for the requested scopes
    if (skipConsent(requestedConsent, client)) {
        authorizationRequest.setApproved(true);
        routingContext.next();
        return;
    }
    // check the user's previously granted consent for this client
    checkUserConsent(client, user, h -> {
        if (h.failed()) {
            routingContext.fail(h.cause());
            return;
        }
        Set<String> approvedConsent = h.result();
        // user approved consent, continue
        if (approvedConsent.containsAll(requestedConsent)) {
            authorizationRequest.setApproved(true);
            routingContext.next();
            return;
        }
        // else go to the user consent page
        redirectToConsentPage(routingContext);
    });
}
Also used: InteractionRequiredException (io.gravitee.am.gateway.handler.oauth2.exception.InteractionRequiredException), AccessDeniedException (io.gravitee.am.gateway.handler.oauth2.exception.AccessDeniedException), AuthorizationRequest (io.gravitee.am.gateway.handler.oauth2.service.request.AuthorizationRequest), HttpServerRequest (io.vertx.reactivex.core.http.HttpServerRequest), Client (io.gravitee.am.model.oidc.Client), Session (io.vertx.reactivex.ext.web.Session)