use of io.gravitee.am.gateway.handler.oidc.service.discovery.OpenIDProviderMetadata in project gravitee-access-management by gravitee-io.
the class DynamicClientRegistrationServiceImpl method applyRegistrationAccessToken.
/**
 * Issues the registration access token for a registered client and stores it,
 * together with the registration client URI, on the client itself.
 *
 * The token is a JWT whose issuer comes from the OpenID discovery metadata of
 * {@code basePath}, whose subject and audience are both the client id, whose
 * scope is {@code Scope.DCR} and whose lifetime is fixed at two years (the
 * expiry is not configurable from here). The JWT id is a secure random value.
 *
 * @param basePath base path used to resolve the provider discovery metadata.
 * @param client   the client to decorate; it is mutated in place.
 * @return the same client instance once the token has been encoded by {@code jwtService}.
 */
private Single<Client> applyRegistrationAccessToken(String basePath, Client client) {
    final OpenIDProviderMetadata providerMetadata = openIDDiscoveryService.getConfiguration(basePath);
    final String clientId = client.getClientId();

    // Claims are expressed in epoch seconds; expiry is exactly two (365-day) years after issuance.
    final long twoYearsInSeconds = 3600L * 24 * 365 * 2;
    final long issuedAt = System.currentTimeMillis() / 1000L;
    final long expiresAt = issuedAt + twoYearsInSeconds;

    final JWT registrationToken = new JWT();
    registrationToken.setIss(providerMetadata.getIssuer());
    registrationToken.setSub(clientId);
    registrationToken.setAud(clientId);
    registrationToken.setDomain(client.getDomain());
    registrationToken.setIat(issuedAt);
    registrationToken.setExp(expiresAt);
    registrationToken.setScope(Scope.DCR.getKey());
    registrationToken.setJti(SecureRandomString.generate());

    return jwtService.encode(registrationToken, client).map(encoded -> {
        client.setRegistrationAccessToken(encoded);
        client.setRegistrationClientUri(providerMetadata.getRegistrationEndpoint() + "/" + clientId);
        return client;
    });
}
use of io.gravitee.am.gateway.handler.oidc.service.discovery.OpenIDProviderMetadata in project gravitee-access-management by gravitee-io.
the class UMADiscoveryServiceImpl method getConfiguration.
/**
 * Builds the UMA 2.0 provider metadata for {@code basePath}.
 *
 * The OAuth 2.0 / OpenID part is mirrored from the OpenID discovery document.
 * The revocation endpoint reuses the token endpoint's auth methods and signing
 * algorithms, while the introspection endpoint advertises a fixed list of auth
 * methods and the signing algorithms reported by {@code JWAlgorithmUtils}.
 * The UMA-specific endpoints are absolute URLs derived from {@code basePath};
 * no UMA profiles are advertised.
 *
 * @param basePath base path used to resolve the OpenID metadata and to build absolute endpoint URLs.
 * @return a freshly populated metadata object.
 */
@Override
public UMAProviderMetadata getConfiguration(String basePath) {
    final OpenIDProviderMetadata oidc = oidcDiscoveryService.getConfiguration(basePath);
    final UMAProviderMetadata uma = new UMAProviderMetadata();

    // OAuth2 / OpenID metadata, copied from the OIDC discovery document
    uma.setIssuer(oidc.getIssuer());
    uma.setAuthorizationEndpoint(oidc.getAuthorizationEndpoint());
    uma.setTokenEndpoint(oidc.getTokenEndpoint());
    uma.setJwksUri(oidc.getJwksUri());
    uma.setRegistrationEndpoint(oidc.getRegistrationEndpoint());
    uma.setScopesSupported(oidc.getScopesSupported());
    uma.setResponseTypesSupported(oidc.getResponseTypesSupported());
    uma.setResponseModesSupported(oidc.getResponseModesSupported());
    uma.setGrantTypesSupported(oidc.getGrantTypesSupported());
    uma.setTokenEndpointAuthMethodsSupported(oidc.getTokenEndpointAuthMethodsSupported());
    uma.setTokenEndpointAuthSigningAlgValuesSupported(oidc.getTokenEndpointAuthSigningAlgValuesSupported());
    uma.setServiceDocumentation(oidc.getServiceDocumentation());
    uma.setUiLocalesSupported(oidc.getUiLocalesSupported());
    uma.setOpPolicyUri(oidc.getOpPolicyUri());
    uma.setOpTosUri(oidc.getOpTosUri());

    // Revocation: same client authentication rules as the token endpoint
    uma.setRevocationEndpoint(oidc.getRevocationEndpoint());
    uma.setRevocationEndpointAuthMethodsSupported(oidc.getTokenEndpointAuthMethodsSupported());
    uma.setRevocationEndpointAuthSigningAlgValuesSupported(oidc.getTokenEndpointAuthSigningAlgValuesSupported());

    // Introspection: fixed list of client authentication methods
    uma.setIntrospectionEndpoint(oidc.getIntrospectionEndpoint());
    uma.setIntrospectionEndpointAuthMethodsSupported(Arrays.asList(
            CLIENT_SECRET_BASIC,
            CLIENT_SECRET_POST,
            CLIENT_SECRET_JWT,
            PRIVATE_KEY_JWT,
            TLS_CLIENT_AUTH,
            SELF_SIGNED_TLS_CLIENT_AUTH));
    uma.setIntrospectionEndpointAuthSigningAlgValuesSupported(JWAlgorithmUtils.getSupportedIntrospectionEndpointAuthSigningAlg());
    uma.setCodeChallengeMethodsSupported(oidc.getCodeChallengeMethodsSupported());

    // UMA2 metadata: endpoints are absolute URLs built from the base path
    uma.setClaimsInteractionEndpoint(getEndpointAbsoluteURL(basePath, CLAIMS_INTERACTION_PATH));
    uma.setUmaProfilesSupported(Collections.emptyList());
    uma.setPermissionEndpoint(getEndpointAbsoluteURL(basePath, PERMISSION_PATH));
    uma.setResourceRegistrationEndpoint(getEndpointAbsoluteURL(basePath, RESOURCE_REGISTRATION_PATH));

    return uma;
}
use of io.gravitee.am.gateway.handler.oidc.service.discovery.OpenIDProviderMetadata in project gravitee-access-management by gravitee-io.
the class ClientAssertionServiceImpl method validateJWT.
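/**
 * Parses a JWT bearer assertion and checks that the claims required by
 * <a href="https://tools.ietf.org/html/rfc7523#section-3">RFC 7523 section 3</a>
 * are present and acceptable: {@code iss}, {@code sub}, {@code aud} and
 * {@code exp} must be set, the assertion must not be expired, the audience
 * must designate this authorization server, and under the plain FAPI profile
 * the signing algorithm must be FAPI-compliant.
 *
 * The audience is accepted when it contains the absolute token endpoint, or,
 * when the discovery document advertises them, the issuer or the PAR endpoint
 * (see <a href="https://tools.ietf.org/id/draft-lodderstedt-oauth-par-00.html#pushed-authorization-request-endpoint">PAR draft</a>).
 * An issuer or PAR endpoint that is absent from the discovery document is
 * simply not considered; it never disables the audience check.
 *
 * @param assertion jwt as string value.
 * @param basePath  base path used to resolve the provider discovery metadata.
 * @return the parsed JWT, or an error: {@code NOT_VALID} for a malformed or
 *         mis-addressed assertion, {@link InvalidClientException} for an
 *         expired assertion or a non-FAPI algorithm, {@link ServerErrorException}
 *         when the discovery token endpoint cannot be resolved.
 */
private Maybe<JWT> validateJWT(String assertion, String basePath) {
    try {
        JWT jwt = JWTParser.parse(assertion);
        String iss = jwt.getJWTClaimsSet().getIssuer();
        String sub = jwt.getJWTClaimsSet().getSubject();
        List<String> aud = jwt.getJWTClaimsSet().getAudience();
        Date exp = jwt.getJWTClaimsSet().getExpirationTime();
        if (iss == null || iss.isEmpty() || sub == null || sub.isEmpty() || aud == null || aud.isEmpty() || exp == null) {
            return Maybe.error(NOT_VALID);
        }
        if (exp.before(Date.from(Instant.now()))) {
            return Maybe.error(new InvalidClientException("assertion has expired"));
        }
        // Check audience, here we expect to have absolute token endpoint path.
        OpenIDProviderMetadata discovery = openIDDiscoveryService.getConfiguration(basePath);
        if (discovery == null || discovery.getTokenEndpoint() == null) {
            return Maybe.error(new ServerErrorException("Unable to retrieve discovery token endpoint."));
        }
        // https://tools.ietf.org/id/draft-lodderstedt-oauth-par-00.html#pushed-authorization-request-endpoint
        // Each optional value is only consulted when the discovery document provides it.
        // (The previous "A && (iss != null && B) && (par != null && C)" form skipped the
        // whole check as soon as the issuer or the PAR endpoint was null.)
        String tokenEndpoint = discovery.getTokenEndpoint();
        String issuer = discovery.getIssuer();
        String parEndpoint = discovery.getParEndpoint();
        boolean audienceMatches = aud.contains(tokenEndpoint)
                || (issuer != null && aud.contains(issuer))
                || (parEndpoint != null && aud.contains(parEndpoint));
        if (!audienceMatches) {
            return Maybe.error(NOT_VALID);
        }
        if (this.domain.usePlainFapiProfile() && !isSignAlgCompliantWithFapi(jwt.getHeader().getAlgorithm().getName())) {
            return Maybe.error(new InvalidClientException("JWT Assertion must be signed with PS256"));
        }
        return Maybe.just(jwt);
    } catch (ParseException pe) {
        // Not a well-formed JWT; the parse error is deliberately not exposed to the client.
        return Maybe.error(NOT_VALID);
    }
}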
use of io.gravitee.am.gateway.handler.oidc.service.discovery.OpenIDProviderMetadata in project gravitee-access-management by gravitee-io.
the class AuthorizationRequestParseParametersHandler method parseResponseModeParameter.
/**
 * Validates the optional {@code response_mode} authorization parameter.
 *
 * When the parameter is absent nothing is checked; otherwise the value must be
 * one of the response modes advertised by the provider metadata stored in the
 * context under {@code PROVIDER_METADATA_CONTEXT_KEY}.
 *
 * @param context the routing context carrying the request and the provider metadata.
 * @throws UnsupportedResponseModeException if the requested mode is not advertised.
 */
private void parseResponseModeParameter(RoutingContext context) {
    final String requestedMode = getOAuthParameter(context, io.gravitee.am.common.oauth2.Parameters.RESPONSE_MODE);
    final OpenIDProviderMetadata metadata = context.get(PROVIDER_METADATA_CONTEXT_KEY);
    if (requestedMode == null) {
        return;
    }
    final List<String> supportedModes = metadata.getResponseModesSupported();
    if (supportedModes.contains(requestedMode)) {
        return;
    }
    throw new UnsupportedResponseModeException("Unsupported response mode: " + requestedMode);
}
use of io.gravitee.am.gateway.handler.oidc.service.discovery.OpenIDProviderMetadata in project gravitee-access-management by gravitee-io.
the class AuthorizationRequestParseRequiredParametersHandler method parseResponseTypeParameter.
/**
 * Validates the {@code response_type} authorization parameter for non-JAR requests.
 *
 * For a plain request the parameter must be present as a query parameter and
 * is checked against the provider metadata stored under
 * {@code PROVIDER_METADATA_CONTEXT_KEY}. For a JWT-secured authorization
 * request (JAR) the value may come from the request object instead, so the
 * check is deferred to
 * io.gravitee.am.gateway.handler.oauth2.resources.handler.authorization.AuthorizationRequestParseParametersHandler.
 *
 * @param context the routing context carrying the request and the provider metadata.
 */
private void parseResponseTypeParameter(RoutingContext context) {
    final String requestedType = context.request().getParam(Parameters.RESPONSE_TYPE);
    final OpenIDProviderMetadata metadata = context.get(PROVIDER_METADATA_CONTEXT_KEY);
    if (isJwtAuthRequest(context)) {
        // JAR: response_type may be carried by the request object and is verified later in the flow.
        return;
    }
    // Non-JAR: response_type is required as a query parameter.
    checkResponseType(requestedType, metadata);
}