
Example 1 with AccessToken

Use of io.gravitee.am.gateway.handler.oauth2.service.token.impl.AccessToken in project gravitee-access-management by gravitee-io.

From the class ImplicitFlow, method prepareResponse.

@Override
protected Single<AuthorizationResponse> prepareResponse(AuthorizationRequest authorizationRequest, Client client, User endUser) {
    OAuth2Request oAuth2Request = authorizationRequest.createOAuth2Request();
    oAuth2Request.setGrantType(GrantType.IMPLICIT);
    // The implicit flow returns tokens in the redirect fragment and never issues a refresh token.
    oAuth2Request.setSupportRefreshToken(false);
    oAuth2Request.setSubject(endUser.getId());
    // The request state is kept in the context so the ID token service can derive the s_hash claim from it.
    oAuth2Request.getContext().put(Claims.s_hash, authorizationRequest.getState());
    if (io.gravitee.am.common.oidc.ResponseType.ID_TOKEN.equals(authorizationRequest.getResponseType())) {
        // response_type=id_token: only an ID token is returned, no access token.
        return idTokenService.create(oAuth2Request, client, endUser).map(idToken -> {
            IDTokenResponse response = new IDTokenResponse();
            response.setRedirectUri(authorizationRequest.getRedirectUri());
            response.setIdToken(idToken);
            response.setState(authorizationRequest.getState());
            return response;
        });
    } else {
        // Otherwise an access token is issued and placed in the fragment of the redirect URI.
        return tokenService.create(oAuth2Request, client, endUser).map(accessToken -> {
            ImplicitResponse response = new ImplicitResponse();
            response.setRedirectUri(authorizationRequest.getRedirectUri());
            response.setAccessToken(accessToken);
            response.setState(authorizationRequest.getState());
            return response;
        });
    }
}

Also used: OAuth2Request (io.gravitee.am.gateway.handler.oauth2.service.request.OAuth2Request), ImplicitResponse (io.gravitee.am.gateway.handler.oauth2.service.response.ImplicitResponse), IDTokenResponse (io.gravitee.am.gateway.handler.oauth2.service.response.IDTokenResponse)

Example 2 with AccessToken

Use of io.gravitee.am.gateway.handler.oauth2.service.token.impl.AccessToken in project gravitee-access-management by gravitee-io.

From the class TokenEndpoint, method handle.

@Override
public void handle(RoutingContext context) {
    // Confidential clients or other clients issued client credentials MUST
    // authenticate with the authorization server when making requests to the token endpoint.
    // The authenticated client is placed in the routing context by the client authentication handler.
    Client client = context.get(CLIENT_CONTEXT_KEY);
    if (client == null) {
        throw new InvalidClientException();
    }
    TokenRequest tokenRequest = tokenRequestFactory.create(context);
    // client_id is not required in the token request since the client can be authenticated via Basic Authentication.
    // When it is present it must match the authenticated client, otherwise the request is rejected.
    if (tokenRequest.getClientId() != null) {
        if (!client.getClientId().equals(tokenRequest.getClientId())) {
            throw new InvalidClientException();
        }
    } else {
        // set the token request client_id from the authenticated client
        tokenRequest.setClientId(client.getClientId());
    }
    // check that the client has at least one authorized grant type
    if (client.getAuthorizedGrantTypes() == null || client.getAuthorizedGrantTypes().isEmpty()) {
        throw new InvalidClientException("Invalid client: client must at least have one grant type configured");
    }
    if (context.get(ConstantKeys.PEER_CERTIFICATE_THUMBPRINT) != null) {
        // preserve the mTLS certificate thumbprint so it can be bound into the access token (cnf / x5t#S256)
        tokenRequest.setConfirmationMethodX5S256(context.get(ConstantKeys.PEER_CERTIFICATE_THUMBPRINT));
    }
    // Token responses carry Cache-Control: no-store and Pragma: no-cache, as RFC 6749 section 5.1 requires.
    tokenGranter.grant(tokenRequest, client)
            .subscribe(accessToken -> context.response()
                    .putHeader(HttpHeaders.CACHE_CONTROL, "no-store")
                    .putHeader(HttpHeaders.PRAGMA, "no-cache")
                    .putHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON)
                    .end(Json.encodePrettily(accessToken)),
                    context::fail);
}

Also used: InvalidClientException (io.gravitee.am.gateway.handler.oauth2.exception.InvalidClientException), TokenRequest (io.gravitee.am.gateway.handler.oauth2.service.request.TokenRequest), Client (io.gravitee.am.model.oidc.Client)

Example 3 with AccessToken

Use of io.gravitee.am.gateway.handler.oauth2.service.token.impl.AccessToken in project gravitee-access-management by gravitee-io.

From the class HybridResponse, method buildRedirectUri.

@Override
public String buildRedirectUri() throws URISyntaxException {
    // Hybrid flow: every parameter goes into the URI fragment, never the query string.
    UriBuilder uriBuilder = UriBuilder.fromURIString(getRedirectUri());
    uriBuilder.addFragmentParameter(Parameters.CODE, getCode());
    if (getState() != null) {
        uriBuilder.addFragmentParameter(Parameters.STATE, getState());
    }
    if (getIdToken() != null) {
        // code id_token: the authorization code is accompanied by an ID token
        uriBuilder.addFragmentParameter(ResponseType.ID_TOKEN, getIdToken());
    } else {
        // code token: the authorization code is accompanied by an access token
        Token accessToken = getAccessToken();
        uriBuilder.addFragmentParameter(Token.ACCESS_TOKEN, accessToken.getValue());
        uriBuilder.addFragmentParameter(Token.TOKEN_TYPE, accessToken.getTokenType());
        uriBuilder.addFragmentParameter(Token.EXPIRES_IN, String.valueOf(accessToken.getExpiresIn()));
        if (accessToken.getScope() != null && !accessToken.getScope().isEmpty()) {
            uriBuilder.addFragmentParameter(Token.SCOPE, accessToken.getScope());
        }
        // additional information attached to the token is exposed as extra fragment parameters
        if (accessToken.getAdditionalInformation() != null) {
            accessToken.getAdditionalInformation().forEach((k, v) -> uriBuilder.addFragmentParameter(k, String.valueOf(v)));
        }
    }
    return uriBuilder.buildString();
}

Also used: Token (io.gravitee.am.gateway.handler.oauth2.service.token.Token), UriBuilder (io.gravitee.am.common.web.UriBuilder)

Example 4 with AccessToken

Use of io.gravitee.am.gateway.handler.oauth2.service.token.impl.AccessToken in project gravitee-access-management by gravitee-io.

From the class IntrospectionServiceImpl, method convert.

private IntrospectionResponse convert(AccessToken accessToken, User user) {
    IntrospectionResponse introspectionResponse = new IntrospectionResponse();
    introspectionResponse.setActive(true);
    introspectionResponse.setClientId(accessToken.getClientId());
    // exp and iat are reported in seconds since the epoch, as RFC 7662 requires
    introspectionResponse.setExp(accessToken.getExpireAt().getTime() / 1000);
    introspectionResponse.setIat(accessToken.getCreatedAt().getTime() / 1000);
    introspectionResponse.setTokenType(accessToken.getTokenType());
    introspectionResponse.setSub(accessToken.getSubject());
    if (user != null) {
        introspectionResponse.setUsername(user.getUsername());
    }
    if (accessToken.getScope() != null && !accessToken.getScope().isEmpty()) {
        introspectionResponse.setScope(accessToken.getScope());
    }
    // custom claims are copied over, but never overwrite the standard introspection fields set above
    if (accessToken.getAdditionalInformation() != null && !accessToken.getAdditionalInformation().isEmpty()) {
        accessToken.getAdditionalInformation().forEach((k, v) -> introspectionResponse.putIfAbsent(k, v));
    }
    // proof-of-possession confirmation (e.g. the x5t#S256 certificate thumbprint set at the token endpoint)
    final Map<String, Object> cnf = accessToken.getConfirmationMethod();
    if (cnf != null) {
        introspectionResponse.setConfirmationMethod(cnf);
    }
    // remove the "aud" claim because some backend APIs are unable to verify the "aud" value
    // see https://github.com/gravitee-io/issues/issues/3111
    introspectionResponse.remove(Claims.aud);
    return introspectionResponse;
}

Also used: IntrospectionResponse (io.gravitee.am.gateway.handler.oauth2.service.introspection.IntrospectionResponse)

Example 5 with AccessToken

Use of io.gravitee.am.gateway.handler.oauth2.service.token.impl.AccessToken in project gravitee-access-management by gravitee-io.

From the class ImplicitResponse, method buildRedirectUri.

@Override
public String buildRedirectUri() throws URISyntaxException {
    Token accessToken = getAccessToken();
    // Implicit flow: the access token and its attributes are placed in the URI fragment, never the query string.
    UriBuilder uriBuilder = UriBuilder.fromURIString(getRedirectUri());
    uriBuilder.addFragmentParameter(Token.ACCESS_TOKEN, accessToken.getValue());
    uriBuilder.addFragmentParameter(Token.TOKEN_TYPE, accessToken.getTokenType());
    uriBuilder.addFragmentParameter(Token.EXPIRES_IN, String.valueOf(accessToken.getExpiresIn()));
    if (accessToken.getScope() != null && !accessToken.getScope().isEmpty()) {
        uriBuilder.addFragmentParameter(Token.SCOPE, accessToken.getScope());
    }
    // state is echoed back so the client can bind the response to its original request
    if (getState() != null) {
        uriBuilder.addFragmentParameter(Parameters.STATE, getState());
    }
    // additional information attached to the token is exposed as extra fragment parameters
    if (accessToken.getAdditionalInformation() != null) {
        accessToken.getAdditionalInformation().forEach((k, v) -> uriBuilder.addFragmentParameter(k, String.valueOf(v)));
    }
    return uriBuilder.buildString();
}

Also used: Token (io.gravitee.am.gateway.handler.oauth2.service.token.Token), UriBuilder (io.gravitee.am.common.web.UriBuilder)

Aggregations (types appearing alongside AccessToken, with usage counts)

Test (org.junit.Test): 23
AccessToken (io.gravitee.am.gateway.handler.oauth2.service.token.impl.AccessToken): 22
Client (io.gravitee.am.model.oidc.Client): 19
Token (io.gravitee.am.gateway.handler.oauth2.service.token.Token): 14
OAuth2Request (io.gravitee.am.gateway.handler.oauth2.service.request.OAuth2Request): 10
AuthorizationRequest (io.gravitee.am.gateway.handler.oauth2.service.request.AuthorizationRequest): 7
User (io.vertx.reactivex.ext.auth.User): 5
JWT (io.gravitee.am.common.jwt.JWT): 4
TokenRequest (io.gravitee.am.gateway.handler.oauth2.service.request.TokenRequest): 4
ApplicationScopeSettings (io.gravitee.am.model.application.ApplicationScopeSettings): 4
ReactableExecutionContext (io.gravitee.am.gateway.handler.context.ReactableExecutionContext): 3
User (io.gravitee.am.model.User): 3
PermissionRequest (io.gravitee.am.model.uma.PermissionRequest): 3
RefreshToken (io.gravitee.am.repository.oauth2.model.RefreshToken): 3
LinkedMultiValueMap (io.gravitee.common.util.LinkedMultiValueMap): 3
ExecutionContext (io.gravitee.gateway.api.ExecutionContext): 3
UriBuilder (io.gravitee.am.common.web.UriBuilder): 2
TokenClaim (io.gravitee.am.model.TokenClaim): 2
JWTException (io.gravitee.am.common.exception.jwt.JWTException): 1
InvalidTokenException (io.gravitee.am.common.exception.oauth2.InvalidTokenException): 1