Class ScopeServiceTest, method buildRegularUser:
/**
 * Builds a {@code User} fixture for the ScopeService tests: identifier, audit
 * timestamps, three fixed attributes and a placeholder DN.
 *
 * @param userId    value stored as the user's {@code userId}
 * @param createdAt creation timestamp
 * @param updatedAt last-update timestamp
 * @return the populated fixture
 */
private User buildRegularUser(String userId, Date createdAt, Date updatedAt) {
    final User fixture = new User();
    fixture.setDn("DN");
    fixture.setUserId(userId);
    fixture.setCreatedAt(createdAt);
    fixture.setUpdatedAt(updatedAt);
    // the trailing boolean of setAttribute is passed as false for every attribute,
    // exactly as the original fixture did
    fixture.setAttribute("emailVerified", "true", false);
    fixture.setAttribute("lastLogon", "20211012135114.554Z", false);
    fixture.setAttribute("metadata", "{}", false);
    return fixture;
}
Class ScopeServiceTest, method getClaims_GluuAttributeLdapNameBlank_EmptyResult:
/**
 * When every claim of a scope resolves to a GluuAttribute whose LDAP name is blank
 * (only {@code claimName} is set), {@code getClaims} must return an empty map, log one
 * error per claim, and touch neither the log nor the attribute service otherwise.
 */
@Test
public void getClaims_GluuAttributeLdapNameBlank_EmptyResult() throws Exception {
    final GluuAttribute attributeWithBlankLdapName = new GluuAttribute();
    attributeWithBlankLdapName.setClaimName("CLAIM_NAME");
    when(attributeService.getAttributeByDn(anyString())).thenReturn(attributeWithBlankLdapName);

    final Scope scopeUnderTest = new Scope();
    scopeUnderTest.setClaims(Lists.newArrayList("claim1", "claim2"));

    final Map<String, Object> claims = scopeService.getClaims(new User(), scopeUnderTest);

    assertNotNull(claims);
    assertEquals(claims.size(), 0);
    // two claims in the scope -> two error lines, each with a null second argument
    verify(log, times(2)).error(startsWith("Failed to get claim because name is not set for attribute"), (Object) isNull());
    verifyNoMoreInteractions(log);
    verifyNoMoreInteractions(attributeService);
}
Class AuthorizationGrant, method createAccessTokenAsJwt:
/**
 * Builds, signs and serialises the access token as a JWT.
 *
 * <p>The signature algorithm is the server default unless the client has an
 * {@code accessTokenSigningAlg} that {@code SignatureAlgorithm.fromString} accepts.
 * The signer is created with the client id and the decrypted client secret. Claims:
 * scope, client_id, username (the user's displayName, or null without a user),
 * token_type, code, exp, iat, sub, x5t#S256; with DPoP additionally nbf and
 * {@code cnf.jkt}; then the audience, and optionally the introspection script's values.
 *
 * @param accessToken the token whose code, dates, type and x5t#S256 populate the JWT
 * @param context     execution context; only {@code getDpop()} is read here
 * @return the compact serialised, signed JWT
 * @throws Exception propagated from signing, secret decryption or the introspection script
 */
private String createAccessTokenAsJwt(AccessToken accessToken, ExecutionContext context) throws Exception {
    final User user = getUser();
    final Client client = getClient();
    SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.fromString(appConfiguration.getDefaultSignatureAlgorithm());
    // Client-level override wins whenever fromString() recognises the value.
    // NOTE(review): whatever fromString() accepts is honoured here; confirm it cannot
    // yield an unsigned/"none" algorithm for a client-supplied value.
    if (client.getAccessTokenSigningAlg() != null && SignatureAlgorithm.fromString(client.getAccessTokenSigningAlg()) != null) {
        signatureAlgorithm = SignatureAlgorithm.fromString(client.getAccessTokenSigningAlg());
    }
    final JwtSigner jwtSigner = new JwtSigner(appConfiguration, webKeysConfiguration, signatureAlgorithm, client.getClientId(), clientService.decryptSecret(client.getClientSecret()));
    final Jwt jwt = jwtSigner.newJwt();
    jwt.getClaims().setClaim("scope", Lists.newArrayList(getScopes()));
    jwt.getClaims().setClaim("client_id", getClientId());
    // user is null for grants without a resource owner (presumably client credentials) -> username claim is null
    jwt.getClaims().setClaim("username", user != null ? user.getAttribute("displayName") : null);
    jwt.getClaims().setClaim("token_type", accessToken.getTokenType().getName());
    // guarantee uniqueness : without it we can get race condition
    jwt.getClaims().setClaim("code", accessToken.getCode());
    jwt.getClaims().setExpirationTime(accessToken.getExpirationDate());
    jwt.getClaims().setIssuedAt(accessToken.getCreationDate());
    jwt.getClaims().setSubjectIdentifier(getSub());
    jwt.getClaims().setClaim("x5t#S256", accessToken.getX5ts256());
    // DPoP: bind the token to the DPoP key; context.getDpop() is used directly as the
    // cnf.jkt value, so it is assumed to already be the key thumbprint — TODO confirm
    final String dpop = context.getDpop();
    if (StringUtils.isNotBlank(dpop)) {
        jwt.getClaims().setNotBefore(accessToken.getCreationDate());
        JSONObject cnf = new JSONObject();
        cnf.put("jkt", dpop);
        jwt.getClaims().setClaim("cnf", cnf);
    }
    Audience.setAudience(jwt.getClaims(), getClient());
    // Optional per-client hook: introspection script may add claims before signing.
    if (isTrue(client.getAttributes().getRunIntrospectionScriptBeforeAccessTokenAsJwtCreationAndIncludeClaims())) {
        runIntrospectionScriptAndInjectValuesIntoJwt(jwt, context);
    }
    final String accessTokenCode = jwtSigner.sign().toString();
    // NOTE(review): at trace level the complete signed bearer token and its claims are
    // written to the log; log files then carry usable token material.
    if (log.isTraceEnabled())
        log.trace("Created access token JWT: {}", accessTokenCode + ", claims: " + jwt.getClaims().toJsonString());
    return accessTokenCode;
}
Class AuthorizationGrantList, method asGrant:
/**
 * Rebuilds an {@code AuthorizationGrant} from a persisted {@code TokenEntity}.
 *
 * <p>Returns {@code null} when the entity is null, its grant type does not parse, or
 * the grant type is not one of AUTHORIZATION_CODE, CLIENT_CREDENTIALS, IMPLICIT,
 * RESOURCE_OWNER_PASSWORD_CREDENTIALS, CIBA or DEVICE_CODE. Otherwise a grant of the
 * matching class is obtained from {@code grantInstance}, initialised with the user and
 * client loaded by their ids, and populated from the entity's fields; the entity's own
 * token (by token type) is attached as the grant's authorization code, refresh token,
 * access token, id token or long-lived access token.
 *
 * @param tokenEntity persisted token row, may be null
 * @return the reconstructed grant, or null as described above
 */
public AuthorizationGrant asGrant(TokenEntity tokenEntity) {
    if (tokenEntity != null) {
        final AuthorizationGrantType grantType = AuthorizationGrantType.fromString(tokenEntity.getGrantType());
        if (grantType != null) {
            final User user = userService.getUser(tokenEntity.getUserId());
            final Client client = clientService.getClient(tokenEntity.getClientId());
            final Date authenticationTime = tokenEntity.getAuthenticationTime();
            final String nonce = tokenEntity.getNonce();
            AuthorizationGrant result;
            // Each grant type has its own class; instances come from the CDI Instance.
            switch(grantType) {
                case AUTHORIZATION_CODE:
                    AuthorizationCodeGrant authorizationCodeGrant = grantInstance.select(AuthorizationCodeGrant.class).get();
                    authorizationCodeGrant.init(user, client, authenticationTime);
                    result = authorizationCodeGrant;
                    break;
                case CLIENT_CREDENTIALS:
                    ClientCredentialsGrant clientCredentialsGrant = grantInstance.select(ClientCredentialsGrant.class).get();
                    clientCredentialsGrant.init(user, client);
                    result = clientCredentialsGrant;
                    break;
                case IMPLICIT:
                    ImplicitGrant implicitGrant = grantInstance.select(ImplicitGrant.class).get();
                    implicitGrant.init(user, client, authenticationTime);
                    result = implicitGrant;
                    break;
                case RESOURCE_OWNER_PASSWORD_CREDENTIALS:
                    ResourceOwnerPasswordCredentialsGrant resourceOwnerPasswordCredentialsGrant = grantInstance.select(ResourceOwnerPasswordCredentialsGrant.class).get();
                    resourceOwnerPasswordCredentialsGrant.init(user, client);
                    result = resourceOwnerPasswordCredentialsGrant;
                    break;
                case CIBA:
                    // CIBA and device-code grants are initialised with the entity's creation date, not authenticationTime
                    CIBAGrant cibaGrant = grantInstance.select(CIBAGrant.class).get();
                    cibaGrant.init(user, AuthorizationGrantType.CIBA, client, tokenEntity.getCreationDate());
                    result = cibaGrant;
                    break;
                case DEVICE_CODE:
                    DeviceCodeGrant deviceCodeGrant = grantInstance.select(DeviceCodeGrant.class).get();
                    deviceCodeGrant.init(user, AuthorizationGrantType.DEVICE_CODE, client, tokenEntity.getCreationDate());
                    result = deviceCodeGrant;
                    break;
                default:
                    return null;
            }
            final String grantId = tokenEntity.getGrantId();
            final String jwtRequest = tokenEntity.getJwtRequest();
            final String authMode = tokenEntity.getAuthMode();
            final String sessionDn = tokenEntity.getSessionDn();
            final String claims = tokenEntity.getClaims();
            result.setTokenBindingHash(tokenEntity.getTokenBindingHash());
            result.setNonce(nonce);
            result.setX5cs256(tokenEntity.getAttributes().getX5cs256());
            result.setTokenEntity(tokenEntity);
            if (StringUtils.isNotBlank(grantId)) {
                result.setGrantId(grantId);
            }
            result.setScopes(Util.splittedStringAsList(tokenEntity.getScope(), " "));
            result.setCodeChallenge(tokenEntity.getCodeChallenge());
            result.setCodeChallengeMethod(tokenEntity.getCodeChallengeMethod());
            if (StringUtils.isNotBlank(jwtRequest)) {
                try {
                    result.setJwtAuthorizationRequest(new JwtAuthorizationRequest(appConfiguration, cryptoProvider, jwtRequest, client));
                } catch (Exception e) {
                    // NOTE(review): a stored request object that fails to parse/verify is only
                    // traced; the grant is still returned, just without its JwtAuthorizationRequest.
                    // Confirm callers do not rely on it being present for such grants.
                    log.trace(e.getMessage(), e);
                }
            }
            result.setAcrValues(authMode);
            result.setSessionDn(sessionDn);
            result.setClaims(claims);
            // Attach the entity's own token to the grant according to its token type.
            if (tokenEntity.getTokenTypeEnum() != null) {
                switch(tokenEntity.getTokenTypeEnum()) {
                    case AUTHORIZATION_CODE:
                        // only meaningful for code grants; other grant classes have no authorization code
                        if (result instanceof AuthorizationCodeGrant) {
                            final AuthorizationCode code = new AuthorizationCode(tokenEntity.getTokenCode(), tokenEntity.getCreationDate(), tokenEntity.getExpirationDate());
                            final AuthorizationCodeGrant g = (AuthorizationCodeGrant) result;
                            g.setAuthorizationCode(code);
                        }
                        break;
                    case REFRESH_TOKEN:
                        final RefreshToken refreshToken = new RefreshToken(tokenEntity.getTokenCode(), tokenEntity.getCreationDate(), tokenEntity.getExpirationDate());
                        result.setRefreshTokens(Collections.singletonList(refreshToken));
                        break;
                    case ACCESS_TOKEN:
                        final AccessToken accessToken = new AccessToken(tokenEntity.getTokenCode(), tokenEntity.getCreationDate(), tokenEntity.getExpirationDate());
                        // DPoP binding is restored only for plain access tokens here
                        accessToken.setDpop(tokenEntity.getDpop());
                        result.setAccessTokens(Collections.singletonList(accessToken));
                        break;
                    case ID_TOKEN:
                        final IdToken idToken = new IdToken(tokenEntity.getTokenCode(), tokenEntity.getCreationDate(), tokenEntity.getExpirationDate());
                        result.setIdToken(idToken);
                        break;
                    case LONG_LIVED_ACCESS_TOKEN:
                        final AccessToken longLivedAccessToken = new AccessToken(tokenEntity.getTokenCode(), tokenEntity.getCreationDate(), tokenEntity.getExpirationDate());
                        result.setLongLivedAccessToken(longLivedAccessToken);
                        break;
                    // no default: any other token type leaves the grant without an attached token
                }
            }
            return result;
        }
    }
    return null;
}
Class AuthorizeAction, method checkPermissionGranted:
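/**
 * Entry point of the authorization page: decides whether the request can be granted
 * without a consent page, sends the user to login when there is no authenticated
 * session, or starts the (external) consent flow.
 *
 * <p>Checks, each ending the request through {@link #permissionDenied()} on failure:
 * client_id present and resolvable; redirect_uri valid for the client; the existing
 * session's acr compatible with the requested one (or re-authentication forced).
 * Without an authenticated session a new unauthenticated session is created, the
 * allowed request parameters are carried over, and the login page is rendered or
 * redirected to. With an authenticated session the consent page is skipped for trusted
 * clients, for pairwise clients that request only {@code openid}, and when a stored
 * client authorization already covers every requested scope; otherwise the external
 * consent-gathering flow runs if enabled.
 *
 * <p>Fix in this revision: when the redirect_uri is rejected (400 written and
 * {@code responseComplete()} called) the method now returns instead of continuing into
 * the consent/permission logic.
 *
 * @throws IOException if writing the JSON error response fails
 */
public void checkPermissionGranted() throws IOException {
    if ((clientId == null) || clientId.isEmpty()) {
        log.debug("Permission denied. client_id should be not empty.");
        permissionDenied();
        return;
    }
    Client client = null;
    try {
        client = clientService.getClient(clientId);
    } catch (EntryPersistenceException ex) {
        log.debug("Permission denied. Failed to find client by inum '{}' in LDAP.", clientId, ex);
        permissionDenied();
        return;
    }
    if (client == null) {
        log.debug("Permission denied. Failed to find client_id '{}' in LDAP.", clientId);
        permissionDenied();
        return;
    }
    // Fix the list of scopes in the authorization page. Jans Auth #739
    Set<String> grantedScopes = scopeChecker.checkScopesPolicy(client, scope);
    allowedScope = io.jans.as.model.util.StringUtils.implode(grantedScopes, " ");
    SessionId session = getSession();
    List<io.jans.as.model.common.Prompt> prompts = io.jans.as.model.common.Prompt.fromString(prompt, " ");
    try {
        // redirect_uri is validated against the registered client before any later use
        redirectUri = authorizeRestWebServiceValidator.validateRedirectUri(client, redirectUri, state, session != null ? session.getSessionAttributes().get(SESSION_USER_CODE) : null, (HttpServletRequest) externalContext.getRequest());
    } catch (WebApplicationException e) {
        log.error(e.getMessage(), e);
        permissionDenied();
        return;
    }
    try {
        session = sessionIdService.assertAuthenticatedSessionCorrespondsToNewRequest(session, acrValues);
    } catch (AcrChangedException e) {
        log.debug("There is already existing session which has another acr then {}, session: {}", acrValues, session.getId());
        if (e.isForceReAuthentication()) {
            session = handleAcrChange(session, prompts);
        } else {
            log.error("ACR is changed, please provide a supported and enabled acr value");
            permissionDenied();
            return;
        }
    }
    // No usable authenticated session: build an unauthenticated one and go to login.
    if (session == null || StringUtils.isBlank(session.getUserDn()) || SessionIdState.AUTHENTICATED != session.getState()) {
        Map<String, String> parameterMap = externalContext.getRequestParameterMap();
        // only whitelisted request parameters are carried into the new session
        Map<String, String> requestParameterMap = requestParameterService.getAllowedParameters(parameterMap);
        String redirectTo = "/login.xhtml";
        boolean useExternalAuthenticator = externalAuthenticationService.isEnabled(AuthenticationScriptUsageType.INTERACTIVE);
        if (useExternalAuthenticator) {
            List<String> acrValuesList = sessionIdService.acrValuesList(this.acrValues);
            if (acrValuesList.isEmpty()) {
                acrValuesList = Arrays.asList(defaultAuthenticationMode.getName());
            }
            CustomScriptConfiguration customScriptConfiguration = externalAuthenticationService.determineCustomScriptConfiguration(AuthenticationScriptUsageType.INTERACTIVE, acrValuesList);
            if (customScriptConfiguration == null) {
                log.error("Failed to get CustomScriptConfiguration. auth_step: {}, acr_values: {}", 1, this.acrValues);
                permissionDenied();
                return;
            }
            // the chosen script's name becomes the acr for the login flow, starting at step 1
            String acr = customScriptConfiguration.getName();
            requestParameterMap.put(JwtClaimName.AUTHENTICATION_CONTEXT_CLASS_REFERENCE, acr);
            requestParameterMap.put("auth_step", Integer.toString(1));
            String tmpRedirectTo = externalAuthenticationService.executeExternalGetPageForStep(customScriptConfiguration, 1);
            if (StringHelper.isNotEmpty(tmpRedirectTo)) {
                log.trace("Redirect to person authentication login page: {}", tmpRedirectTo);
                redirectTo = tmpRedirectTo;
            }
        }
        // Store Remote IP
        String remoteIp = networkService.getRemoteIp();
        requestParameterMap.put(Constants.REMOTE_IP, remoteIp);
        // User Code used in Device Authz flow
        if (session != null && session.getSessionAttributes().containsKey(SESSION_USER_CODE)) {
            String userCode = session.getSessionAttributes().get(SESSION_USER_CODE);
            requestParameterMap.put(SESSION_USER_CODE, userCode);
        }
        // Create unauthenticated session
        SessionId unauthenticatedSession = sessionIdService.generateUnauthenticatedSessionId(null, new Date(), SessionIdState.UNAUTHENTICATED, requestParameterMap, false);
        unauthenticatedSession.setSessionAttributes(requestParameterMap);
        unauthenticatedSession.addPermission(clientId, false);
        // Copy ACR script parameters
        if (appConfiguration.getKeepAuthenticatorAttributesOnAcrChange()) {
            authenticationService.copyAuthenticatorExternalAttributes(session, unauthenticatedSession);
        }
        // #1030, fix for flow 4 - transfer previous session permissions to new session
        if (session != null && session.getPermissionGrantedMap() != null && session.getPermissionGrantedMap().getPermissionGranted() != null) {
            for (Map.Entry<String, Boolean> entity : session.getPermissionGrantedMap().getPermissionGranted().entrySet()) {
                unauthenticatedSession.addPermission(entity.getKey(), entity.getValue());
            }
            // #1030, remove previous session
            sessionIdService.remove(session);
        }
        // always persist is prompt is not none
        boolean persisted = sessionIdService.persistSessionId(unauthenticatedSession, !prompts.contains(io.jans.as.model.common.Prompt.NONE));
        if (persisted && log.isTraceEnabled()) {
            log.trace("Session '{}' persisted to LDAP", unauthenticatedSession.getId());
        }
        this.sessionId = unauthenticatedSession.getId();
        cookieService.createSessionIdCookie(unauthenticatedSession, false);
        cookieService.creatRpOriginIdCookie(redirectUri);
        identity.setSessionId(unauthenticatedSession);
        Map<String, Object> loginParameters = new HashMap<String, Object>();
        if (requestParameterMap.containsKey(io.jans.as.model.authorize.AuthorizeRequestParam.LOGIN_HINT)) {
            loginParameters.put(io.jans.as.model.authorize.AuthorizeRequestParam.LOGIN_HINT, requestParameterMap.get(io.jans.as.model.authorize.AuthorizeRequestParam.LOGIN_HINT));
        }
        // JVM-level switch: by default internal .xhtml pages are rendered in place instead of redirected to
        boolean enableRedirect = StringHelper.toBoolean(System.getProperty("gluu.enable-redirect", "false"), false);
        if (!enableRedirect && redirectTo.toLowerCase().endsWith("xhtml")) {
            if (redirectTo.toLowerCase().endsWith("postlogin.xhtml")) {
                authenticator.authenticateWithOutcome();
            } else {
                authenticator.prepareAuthenticationForStep(unauthenticatedSession);
                facesService.renderView(redirectTo);
            }
        } else {
            facesService.redirectWithExternal(redirectTo, loginParameters);
        }
        return;
    }
    String userCode = session.getSessionAttributes().get(SESSION_USER_CODE);
    // Outside the device flow the redirect_uri must be a registered one; reject otherwise.
    if (StringUtils.isBlank(userCode) && StringUtils.isBlank(redirectionUriService.validateRedirectionUri(clientId, redirectUri))) {
        ExternalContext externalContext = facesContext.getExternalContext();
        externalContext.setResponseStatus(HttpServletResponse.SC_BAD_REQUEST);
        externalContext.setResponseContentType(MediaType.APPLICATION_JSON);
        externalContext.getResponseOutputWriter().write(errorResponseFactory.getErrorAsJson(io.jans.as.model.authorize.AuthorizeErrorResponseType.INVALID_REQUEST_REDIRECT_URI, state, ""));
        facesContext.responseComplete();
        // The request has been rejected; stop here rather than fall through into the
        // consent/permission checks below (previously execution continued past this point).
        return;
    }
    if (log.isTraceEnabled()) {
        log.trace("checkPermissionGranted, userDn = " + session.getUserDn());
    }
    if (prompts.contains(io.jans.as.model.common.Prompt.SELECT_ACCOUNT)) {
        Map requestParameterMap = requestParameterService.getAllowedParameters(externalContext.getRequestParameterMap());
        facesService.redirect("/selectAccount.xhtml", requestParameterMap);
        return;
    }
    // prompt=none cannot be combined with any other prompt value
    if (prompts.contains(io.jans.as.model.common.Prompt.NONE) && prompts.size() > 1) {
        invalidRequest();
        return;
    }
    ExternalPostAuthnContext postAuthnContext = new ExternalPostAuthnContext(client, session, (HttpServletRequest) externalContext.getRequest(), (HttpServletResponse) externalContext.getResponse());
    final boolean forceAuthorization = externalPostAuthnService.externalForceAuthorization(client, postAuthnContext);
    final boolean hasConsentPrompt = prompts.contains(io.jans.as.model.common.Prompt.CONSENT);
    if (!hasConsentPrompt && !forceAuthorization) {
        final boolean isTrusted = isTrue(appConfiguration.getTrustedClientEnabled()) && client.getTrustedClient();
        final boolean canGrantAccess = isTrue(appConfiguration.getSkipAuthorizationForOpenIdScopeAndPairwiseId()) && SubjectType.PAIRWISE.equals(client.getSubjectType()) && hasOnlyOpenidScope();
        // There is no need to present the consent page:
        // If Client is a Trusted Client.
        // If a client is configured for pairwise identifiers, and the openid scope is the only scope requested.
        // Also, we should make sure that the claims request is not enabled.
        final boolean isPairwiseWithOnlyOpenIdScope = client.getSubjectType() == SubjectType.PAIRWISE && grantedScopes.size() == 1 && grantedScopes.contains(DefaultScope.OPEN_ID.toString()) && scope.equals(DefaultScope.OPEN_ID.toString()) && claims == null && request == null;
        if (isTrusted || canGrantAccess || isPairwiseWithOnlyOpenIdScope) {
            permissionGranted(session);
            return;
        }
        // A stored authorization for this user/client covering every requested scope also skips consent.
        final User user = sessionIdService.getUser(session);
        ClientAuthorization clientAuthorization = clientAuthorizationsService.find(user.getAttribute("inum"), client.getClientId());
        if (clientAuthorization != null && clientAuthorization.getScopes() != null && Arrays.asList(clientAuthorization.getScopes()).containsAll(io.jans.as.model.util.StringUtils.spaceSeparatedToList(scope))) {
            permissionGranted(session);
            return;
        }
    }
    if (externalConsentGatheringService.isEnabled()) {
        if (consentGatherer.isConsentGathered()) {
            log.trace("Consent-gathered flow passed successfully");
            permissionGranted(session);
            return;
        }
        log.trace("Starting external consent-gathering flow");
        boolean result = consentGatherer.configure(session.getUserDn(), clientId, state);
        if (!result) {
            log.error("Failed to initialize external consent-gathering flow.");
            permissionDenied();
            return;
        }
    }
}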