
Example 1 with CIBASettingNotifier

use of io.gravitee.am.model.oidc.CIBASettingNotifier in project gravitee-access-management by gravitee-io.

the class AuthenticationRequestAcknowledgeHandler method handle.

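/**
 * Acknowledges a CIBA (backchannel) authentication request.
 *
 * <p>Expects the parsed {@code CibaAuthenticationRequest} and the {@code Client} to have been
 * attached to the routing context by upstream handlers. The handler assigns an
 * {@code auth_req_id} when none is set, registers the request, pushes a notification to the
 * configured authentication-device notifier, stores the notifier's transaction data on the
 * persisted request and answers with the {@code auth_req_id}, {@code expires_in} and, for
 * poll/ping delivery modes, the polling {@code interval}.
 *
 * <p>Fails the context with an {@code InvalidRequestException} when no request is attached
 * or no device notifier is configured on the domain; persistence or notification errors are
 * passed to {@code context.fail} unchanged.
 *
 * @param context the Vert.x routing context carrying the parsed CIBA request and the client
 */
@Override
public void handle(RoutingContext context) {
    final CibaAuthenticationRequest authRequest = context.get(CIBA_AUTH_REQUEST_KEY);
    if (authRequest == null) {
        LOGGER.error("CIBA Authentication Request object is null");
        context.fail(new InvalidRequestException("Missing authentication request"));
        return;
    }

    final Client client = context.get(CLIENT_CONTEXT_KEY);
    final List<CIBASettingNotifier> deviceNotifiers = this.domain.getOidc().getCibaSettings().getDeviceNotifiers();
    if (CollectionUtils.isEmpty(deviceNotifiers)) {
        LOGGER.warn("CIBA Authentication Request can't be processed without device notifier configured");
        context.fail(new InvalidRequestException("No Device notifier configure for the domain"));
        return;
    }
    // as a first implementation, we only manage a single notifier
    // in future release we may manage multiple one and select the right one
    // base one context information.
    final String authDeviceNotifierId = deviceNotifiers.get(0).getId();

    // Generate an auth_req_id when the request did not come with one.
    if (authRequest.getId() == null) {
        authRequest.setId(SecureRandomString.generate());
    }
    // Log only the identifier: the request object carries end-user data
    // (subject, binding message, scopes) that does not belong in logs.
    LOGGER.debug("CIBA Authentication Request linked to auth_req_id '{}'", authRequest.getId());

    // NOTE(review): assumes requested_expiry was validated upstream (positive, within
    // domain bounds) — TODO confirm; as written the client-supplied value also sets the
    // lifetime of the state JWT below.
    final int expiresIn = authRequest.getRequestedExpiry() != null ? authRequest.getRequestedExpiry() : domain.getOidc().getCibaSettings().getAuthReqExpiry();
    final String externalTrxId = SecureRandomString.generate();

    // Forge a state token to validate the callback response: bound to the domain (iss),
    // the client (aud), the end-user (sub) and this transaction (jti), and expiring
    // together with the authentication request.
    final JWT jwt = new JWT();
    jwt.setIss(client.getDomain());
    final Instant now = Instant.now();
    jwt.setIat(now.getEpochSecond());
    jwt.setExp(now.plusSeconds(expiresIn).getEpochSecond());
    jwt.setAud(client.getClientId());
    jwt.setSub(authRequest.getSubject());
    jwt.setJti(externalTrxId);

    this.jwtService.encode(jwt, client).flatMap(stateJwt -> this.authRequestService.register(authRequest, client).flatMap(req -> {
        // Hand the registered request over to the authentication device notifier.
        final ADNotificationRequest adRequest = new ADNotificationRequest();
        adRequest.setExpiresIn(expiresIn);
        adRequest.setAcrValues(authRequest.getAcrValues());
        adRequest.setMessage(authRequest.getBindingMessage());
        adRequest.setScopes(authRequest.getScopes());
        adRequest.setSubject(authRequest.getSubject());
        adRequest.setState(stateJwt);
        adRequest.setTransactionId(externalTrxId);
        adRequest.setDeviceNotifierId(authDeviceNotifierId);
        return authRequestService.notify(adRequest).flatMap(adResponse -> {
            // Persist the notifier's transaction reference and extra data on the request;
            // presumably used to correlate the notifier callback — verify against the callback handler.
            req.setExternalInformation(adResponse.getExtraData());
            req.setExternalTrxId(adResponse.getTransactionId());
            return authRequestService.updateAuthDeviceInformation(req);
        });
    })).subscribe(req -> {
        final CibaAuthenticationResponse response = new CibaAuthenticationResponse();
        response.setAuthReqId(req.getId());
        // expires_in is derived from the persisted timestamps (expireAt - createdAt, in seconds)
        // rather than from the value requested above.
        response.setExpiresIn(req.getExpireAt().toInstant().minusMillis(req.getCreatedAt().getTime()).getEpochSecond());
        // specify rate limit for Poll and Ping mode
        if (client.getBackchannelTokenDeliveryMode() != null && !client.getBackchannelTokenDeliveryMode().equals(CIBADeliveryMode.PUSH)) {
            response.setInterval(domain.getOidc().getCibaSettings().getTokenReqInterval());
        }
        // The body carries the auth_req_id, so the response must never be cached.
        context.response().putHeader(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_JSON).putHeader(HttpHeaders.CACHE_CONTROL, "no-store").putHeader(HttpHeaders.PRAGMA, "no-cache").setStatusCode(HttpStatusCode.OK_200).end(Json.encodePrettily(response));
    }, error -> {
        LOGGER.error("Unable to persist CIBA AuthenticationRequest object", error);
        context.fail(error);
    });
}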

Example 2 with CIBASettingNotifier

use of io.gravitee.am.model.oidc.CIBASettingNotifier in project gravitee-access-management by gravitee-io.

the class AuthenticationRequestAcknowledgeHandlerTest method setUp.

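/**
 * Builds the fixture for the acknowledge handler: a mocked domain whose OIDC settings
 * expose exactly one CIBA device notifier, the handler under test mounted on
 * {@code POST /oidc/ciba/authenticate}, and a client authorized for the CIBA grant.
 *
 * @throws Exception propagated from {@code super.setUp()}
 */
@Override
public void setUp() throws Exception {
    super.setUp();
    // One configured notifier so the handler does not reject the request as unconfigured.
    final OIDCSettings oidcSettings = OIDCSettings.defaultSettings();
    final CIBASettingNotifier notifierSetting = new CIBASettingNotifier();
    notifierSetting.setId("notifierid");
    oidcSettings.getCibaSettings().setDeviceNotifiers(List.of(notifierSetting));
    when(domain.getOidc()).thenReturn(oidcSettings);
    handlerUnderTest = new AuthenticationRequestAcknowledgeHandler(authReqService, domain, jwtService);
    // Failure handler mirrors the gateway's behaviour for assertions on status codes:
    // OAuth2 errors map to their own HTTP status, anything else to 500.
    router.route(HttpMethod.POST, "/oidc/ciba/authenticate").handler(handlerUnderTest).failureHandler(rc -> {
        final Throwable failure = rc.failure();
        if (failure instanceof OAuth2Exception) {
            rc.response().setStatusCode(((OAuth2Exception) failure).getHttpStatusCode()).end();
        } else {
            rc.response().setStatusCode(HttpStatusCode.INTERNAL_SERVER_ERROR_500).end();
        }
    });
    this.client = new Client();
    this.client.setAuthorizedGrantTypes(Collections.singletonList(GrantType.CIBA_GRANT_TYPE));
    this.client.setClientId("client_id_iss");
    this.client.setDomain("domain_uuid");
}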

Example 3 with CIBASettingNotifier

use of io.gravitee.am.model.oidc.CIBASettingNotifier in project gravitee-access-management by gravitee-io.

the class DomainRepositoryTest method initDomain.

/**
 * Creates a fully populated test domain derived from {@code name}.
 *
 * <p>Every name-dependent field (hrid, description, path, reference id, virtual hosts) is
 * built from the given name; settings objects are attached with their defaults, except the
 * OIDC CIBA settings which are enabled with a single randomly-identified device notifier.
 *
 * @param name base name used for the domain and for the derived identifiers
 * @return the populated, not yet persisted domain
 */
private Domain initDomain(String name) {
    final Domain result = new Domain();
    result.setName(name);
    result.setHrid(name);
    result.setCreatedAt(new Date());
    result.setUpdatedAt(result.getCreatedAt());
    result.setDescription(name + " description");
    result.setEnabled(true);
    result.setAlertEnabled(false);
    result.setPath("/" + name);
    result.setReferenceId("refId" + name);
    result.setReferenceType(ReferenceType.ENVIRONMENT);

    result.setVhostMode(true);
    result.setVhosts(Arrays.asList(
            newVirtualHost("hostname-" + name),
            newVirtualHost("hostname2-" + name)));

    result.setTags(new HashSet<>(Arrays.asList("tag1", "tag2")));
    result.setIdentities(new HashSet<>(Arrays.asList("id1", "id2")));

    result.setAccountSettings(new AccountSettings());
    result.setLoginSettings(new LoginSettings());
    result.setOidc(newOidcSettingsWithCiba());
    result.setScim(new SCIMSettings());
    result.setUma(new UMASettings());
    result.setWebAuthnSettings(new WebAuthnSettings());
    result.setSelfServiceAccountManagementSettings(new SelfServiceAccountManagementSettings());
    return result;
}

/** Builds a virtual host whose path is {@code "/" + hostname} and which overrides the entrypoint. */
private static VirtualHost newVirtualHost(String hostname) {
    final VirtualHost vhost = new VirtualHost();
    vhost.setHost(hostname);
    vhost.setPath("/" + hostname);
    vhost.setOverrideEntrypoint(true);
    return vhost;
}

/** Builds OIDC settings with CIBA enabled and one device notifier carrying a random id. */
private static OIDCSettings newOidcSettingsWithCiba() {
    final CIBASettingNotifier deviceNotifier = new CIBASettingNotifier();
    deviceNotifier.setId(UUID.randomUUID().toString());

    final CIBASettings ciba = new CIBASettings();
    ciba.setEnabled(true);
    ciba.setDeviceNotifiers(Arrays.asList(deviceNotifier));

    final OIDCSettings oidc = new OIDCSettings();
    oidc.setCibaSettings(ciba);
    return oidc;
}
