
Example 6 with Client

use of io.jans.as.common.model.registration.Client in project jans by JanssenProject.

From class AuthorizeRestWebServiceValidator, method validateRequestObject (request-object validation on the authorization endpoint; the FAPI-only checks run after the generic aud check).

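/**
 * Validates a parsed request object (JAR) before the authorization request is processed.
 *
 * <p>Always applied: when the request object carries an {@code aud} claim, it must contain
 * this AS (the configured issuer). Every further check runs only when FAPI mode is enabled:
 * <ul>
 *   <li>a nested JWT must not be signed with RS256 and must not be unsigned ({@code none});</li>
 *   <li>a {@code redirect_uri} carried in the request object must be registered for the client
 *       named by the object's {@code client_id} — an unregistered value is answered with a direct
 *       HTTP 400 rather than a redirect, since redirecting to it would be unsafe;</li>
 *   <li>{@code exp} must be present and not in the past;</li>
 *   <li>{@code scope}, {@code nonce} and {@code redirect_uri} must be present.</li>
 * </ul>
 *
 * @param jwtRequest          the parsed request object (signature/encryption handling happens before this method)
 * @param redirectUriResponse builder for the error response returned to the client's (already validated) redirect URI
 * @throws WebApplicationException carrying {@code invalid_request_object} when any check fails
 */
public void validateRequestObject(JwtAuthorizationRequest jwtRequest, RedirectUriResponse redirectUriResponse) {
    // A present aud must name this AS; an absent or empty aud is tolerated here.
    if (!jwtRequest.getAud().isEmpty() && !jwtRequest.getAud().contains(appConfiguration.getIssuer())) {
        log.error("Failed to match aud to AS, aud: {}", jwtRequest.getAud());
        throw redirectUriResponse.createWebException(AuthorizeErrorResponseType.INVALID_REQUEST_OBJECT);
    }
    if (!appConfiguration.isFapi()) {
        return;
    }

    // ---- FAPI related validation: everything below runs only in FAPI mode ----

    // FAPI forbids RS256 and unsigned request objects. (The previous extra isFapi() test
    // inside this branch was redundant after the early return above.)
    if (jwtRequest.getNestedJwt() != null) {
        final SignatureAlgorithm nestedJwtSigAlg = jwtRequest.getNestedJwt().getHeader().getSignatureAlgorithm();
        if (nestedJwtSigAlg == RS256 || nestedJwtSigAlg == NONE) {
            log.error("The Nested JWT signature algorithm is not valid.");
            throw redirectUriResponse.createWebException(AuthorizeErrorResponseType.INVALID_REQUEST_OBJECT);
        }
    }

    final String redirectUri = jwtRequest.getRedirectUri();
    // NOTE(review): getClient() may return null for an unknown client_id; whether
    // validateRedirectionUri tolerates a null client is not visible here — confirm.
    final Client client = clientService.getClient(jwtRequest.getClientId());
    if (redirectUri != null && redirectionUriService.validateRedirectionUri(client, redirectUri) == null) {
        log.error(" unregistered redirect uri");
        // Never redirect to an unregistered URI: answer with a direct 400 instead of going
        // through redirectUriResponse. The description used to say "request_uri" although it
        // is the redirect_uri that failed validation.
        throw new WebApplicationException(Response.status(Response.Status.BAD_REQUEST).entity(errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.INVALID_REQUEST_OBJECT, jwtRequest.getState(), "The request has unregistered redirect_uri")).type(MediaType.APPLICATION_JSON_TYPE).build());
    }

    if (jwtRequest.getExp() == null) {
        log.error("The exp claim is not set");
        throw redirectUriResponse.createWebException(AuthorizeErrorResponseType.INVALID_REQUEST_OBJECT);
    }
    // exp is in seconds since the epoch; compare in milliseconds without any clock-skew tolerance.
    // NOTE(review): only "exp in the past" is rejected — no upper bound on the object's lifetime
    // and no nbf check is enforced here.
    final long expInMillis = jwtRequest.getExp() * 1000L;
    final long now = System.currentTimeMillis();
    if (expInMillis < now) {
        log.error("Request object expired. Exp: {}, now: {}", expInMillis, now);
        throw redirectUriResponse.createWebException(AuthorizeErrorResponseType.INVALID_REQUEST_OBJECT);
    }

    if (jwtRequest.getScopes() == null || jwtRequest.getScopes().isEmpty()) {
        log.error("Request object does not have scope claim.");
        throw redirectUriResponse.createWebException(AuthorizeErrorResponseType.INVALID_REQUEST_OBJECT);
    }
    if (StringUtils.isBlank(jwtRequest.getNonce())) {
        log.error("Request object does not have nonce claim.");
        throw redirectUriResponse.createWebException(AuthorizeErrorResponseType.INVALID_REQUEST_OBJECT);
    }
    if (StringUtils.isBlank(redirectUri)) {
        log.error("Request object does not have redirect_uri claim.");
        // Only redirect when a validated base redirect URI is known; otherwise fall back to a direct 400.
        if (redirectUriResponse.getRedirectUri().getBaseRedirectUri() != null) {
            throw redirectUriResponse.createWebException(AuthorizeErrorResponseType.INVALID_REQUEST_OBJECT);
        } else {
            throw new WebApplicationException(Response.status(Response.Status.BAD_REQUEST).entity(errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.INVALID_REQUEST_OBJECT, jwtRequest.getState(), "Request object does not have redirect_uri claim.")).type(MediaType.APPLICATION_JSON_TYPE).build());
        }
    }
}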

Example 7 with Client

use of io.jans.as.common.model.registration.Client in project jans by JanssenProject.

From class RedirectionUriService, method validatePostLogoutRedirectUri (resolves a post-logout URI against the clients granted in the session).

/**
 * Resolves {@code post_logout_redirect_uri} against the clients that were granted permission
 * in the given session and returns the validated URI.
 *
 * <p>The candidate URI is only accepted if it validates against the registered
 * post-logout redirect URIs of at least one client from the session's permission map;
 * the first client that validates it wins.
 *
 * @param sessionId             the session being ended; must not be {@code null}
 * @param postLogoutRedirectUri the URI supplied by the RP; must not be empty
 * @return the URI as returned by the per-client validation
 * @throws WebApplicationException (HTTP 400) with {@code SESSION_NOT_PASSED},
 *         {@code POST_LOGOUT_URI_NOT_PASSED} or {@code POST_LOGOUT_URI_NOT_ASSOCIATED_WITH_CLIENT}
 */
public String validatePostLogoutRedirectUri(SessionId sessionId, String postLogoutRedirectUri) {
    if (sessionId == null) {
        throw errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, EndSessionErrorResponseType.SESSION_NOT_PASSED, "Session object is not found.");
    }
    if (Strings.isNullOrEmpty(postLogoutRedirectUri)) {
        throw errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, EndSessionErrorResponseType.POST_LOGOUT_URI_NOT_PASSED, "`post_logout_redirect_uri` is empty.");
    }

    // Without a permission map there are no candidate clients and validation fails below.
    final Set<Client> sessionClients;
    if (sessionId.getPermissionGrantedMap() == null) {
        sessionClients = Sets.newHashSet();
    } else {
        sessionClients = clientService.getClient(sessionId.getPermissionGrantedMap().getClientIds(true), true);
    }

    log.trace("Validating post logout redirect URI: postLogoutRedirectUri = {}", postLogoutRedirectUri);
    for (Client sessionClient : sessionClients) {
        final String[] registeredUris = sessionClient.getPostLogoutRedirectUris();
        final String matched = validatePostLogoutRedirectUri(postLogoutRedirectUri, registeredUris);
        if (StringUtils.isNotBlank(matched)) {
            return matched;
        }
    }
    throw errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, EndSessionErrorResponseType.POST_LOGOUT_URI_NOT_ASSOCIATED_WITH_CLIENT, "Unable to validate `post_logout_redirect_uri`");
}

Example 8 with Client

use of io.jans.as.common.model.registration.Client in project jans by JanssenProject.

From class SectorIdentifierService, method getSub (derives the {@code sub} value for a grant's client/user pair).

/**
 * Derives the {@code sub} value for the client/user pair behind the given grant.
 *
 * <p>Returns an empty string when the grant has no user or no client; otherwise delegates to
 * {@link #getSub(Client, User, boolean)}, flagging whether the grant is a CIBA grant.
 *
 * @param grant the authorization grant the subject identifier is computed for
 * @return the subject identifier, or {@code ""} if either user or client is absent
 */
public String getSub(IAuthorizationGrant grant) {
    final User user = grant.getUser();
    if (user == null) {
        log.trace("User is null, return blank sub");
        return "";
    }
    final Client client = grant.getClient();
    if (client == null) {
        log.trace("Client is null, return blank sub.");
        return "";
    }
    final boolean cibaGrant = grant instanceof CIBAGrant;
    return getSub(client, user, cibaGrant);
}

Example 9 with Client

use of io.jans.as.common.model.registration.Client in project jans by JanssenProject.

From class JwtAuthorizationRequestTest, method createJwtAuthorizationRequest_whenEncryptionIsRequiredForUnencryptedRequestObject_shouldThrowException (asserts that a merely signed request object is rejected when encryption is mandatory).

/**
 * With {@code requireRequestObjectEncryption} enabled, constructing a
 * {@link JwtAuthorizationRequest} from a compact JWS (signed, not encrypted) must fail
 * with {@link InvalidJwtException}.
 */
@Test(expectedExceptions = InvalidJwtException.class)
public void createJwtAuthorizationRequest_whenEncryptionIsRequiredForUnencryptedRequestObject_shouldThrowException() throws InvalidJwtException {
    // A three-part HS256 JWS: plainly signed, never encrypted.
    final String plainSignedJwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";

    final AppConfiguration configuration = new AppConfiguration();
    configuration.setRequireRequestObjectEncryption(true);

    // Expected to throw before any further processing of the request object.
    new JwtAuthorizationRequest(configuration, null, plainSignedJwt, new Client());
}

Example 10 with Client

use of io.jans.as.common.model.registration.Client in project jans by JanssenProject.

From class UmaRptService, method createRPTAndPersist (issues and persists a new UMA Requesting Party Token).

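/**
 * Issues a new UMA Requesting Party Token (RPT) for the client of the execution context,
 * attaches the given permissions, persists it and reports the issuance to statistics.
 *
 * <p>The token value is either a JWT (client configured with {@code rptAsJwt}) or an opaque
 * handle built from a random UUID plus a short generated suffix.
 *
 * @param executionContext the request context; its client decides the RPT format and becomes the token owner
 * @param permissions      the permissions to attach to the RPT (stored by DN)
 * @return the persisted RPT
 * @throws RuntimeException wrapping any failure during generation or persistence
 */
public UmaRPT createRPTAndPersist(ExecutionContext executionContext, List<UmaPermission> permissions) {
    try {
        final Date creationDate = new Date();
        final Date expirationDate = rptExpirationDate();
        final Client client = executionContext.getClient();
        final String code;
        if (client.isRptAsJwt()) {
            code = createRptJwt(executionContext, permissions, creationDate, expirationDate);
        } else {
            // Opaque handle: UUID.randomUUID() is backed by SecureRandom. The entropy of the
            // INumGenerator suffix is not visible here; treat the UUID as the only secret part.
            code = UUID.randomUUID().toString() + "_" + INumGenerator.generate(8);
        }
        final UmaRPT rpt = new UmaRPT(code, creationDate, expirationDate, null, client.getClientId());
        rpt.setPermissions(getPermissionDns(permissions));
        persist(rpt);
        statService.reportUmaToken(GrantType.OXAUTH_UMA_TICKET);
        return rpt;
    } catch (Exception e) {
        log.error(e.getMessage(), e);
        // Do not dereference the client unguarded here: if it (or the context) was null, that is
        // the very failure being reported, and a second NPE would mask the original cause.
        final Client client = executionContext != null ? executionContext.getClient() : null;
        final String clientId = client != null ? client.getClientId() : null;
        throw new RuntimeException("Failed to generate RPT, clientId: " + clientId, e);
    }
}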
