
Example 6 with IntrospectionResponse

use of io.jans.as.model.common.IntrospectionResponse in project jans by JanssenProject.

From class IntrospectionWsHttpTest, method basicAuthentication (introspection endpoint authenticated with HTTP Basic client credentials).

@Test
@Parameters({ "umaPatClientId", "umaPatClientSecret" })
public void basicAuthentication(final String umaPatClientId, final String umaPatClientSecret) throws Exception {
    // The PAT obtained here is the token whose state we ask the server about.
    final Token subject = UmaClient.requestPat(tokenEndpoint, umaPatClientId, umaPatClientSecret, clientEngine(true));

    // The introspection call itself is authenticated with HTTP Basic client credentials,
    // not with a bearer token.
    final String basicCredentials = "Basic " + BaseRequest.getEncodedCredentials(umaPatClientId, umaPatClientSecret);
    final IntrospectionService service = ClientFactory.instance().createIntrospectionService(introspectionEndpoint, clientEngine(true));

    final IntrospectionResponse result = service.introspectToken(basicCredentials, subject.getAccessToken());

    // A freshly issued PAT must be reported as active.
    assertTrue(result != null && result.isActive());
}
Also used : IntrospectionResponse(io.jans.as.model.common.IntrospectionResponse) IntrospectionService(io.jans.as.client.service.IntrospectionService) Token(io.jans.as.model.uma.wrapper.Token) Parameters(org.testng.annotations.Parameters) BaseTest(io.jans.as.client.BaseTest) Test(org.testng.annotations.Test)

Example 7 with IntrospectionResponse

use of io.jans.as.model.common.IntrospectionResponse in project jans by JanssenProject.

From class IntrospectionWsHttpTest, method bearer (introspection endpoint authenticated with a bearer PAT).

@Test
@Parameters({ "umaPatClientId", "umaPatClientSecret" })
public void bearer(final String umaPatClientId, final String umaPatClientSecret) throws Exception {
    // Two PATs: one authenticates the introspection request, the other is the token being introspected.
    final Token callerPat = UmaClient.requestPat(tokenEndpoint, umaPatClientId, umaPatClientSecret);
    final Token subjectPat = UmaClient.requestPat(tokenEndpoint, umaPatClientId, umaPatClientSecret);

    final IntrospectionService service = ClientFactory.instance().createIntrospectionService(introspectionEndpoint);
    final String bearerHeader = "Bearer " + callerPat.getAccessToken();
    final IntrospectionResponse result = service.introspectToken(bearerHeader, subjectPat.getAccessToken());

    // A freshly issued PAT must be reported as active.
    assertTrue(result != null && result.isActive());
}
Also used : IntrospectionResponse(io.jans.as.model.common.IntrospectionResponse) IntrospectionService(io.jans.as.client.service.IntrospectionService) Token(io.jans.as.model.uma.wrapper.Token) Parameters(org.testng.annotations.Parameters) BaseTest(io.jans.as.client.BaseTest) Test(org.testng.annotations.Test)

Example 8 with IntrospectionResponse

use of io.jans.as.model.common.IntrospectionResponse in project jans by JanssenProject.

From class OpenIdAuthorizationService, method processAuthorization (validates the bearer token in the Authorization header, locally for JWTs or via introspection for reference tokens).

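/**
 * Authorizes a request from the value of its {@code Authorization} header.
 *
 * <p>The header must carry a bearer token. A JWT is parsed and validated locally via
 * {@code jwtUtil}; any other value is treated as a reference token and sent to the
 * introspection endpoint through {@code openIdService}. In both cases the token's scopes
 * are then checked against the scopes required by the target resource (see
 * {@code validateScope}).
 *
 * @param token        raw {@code Authorization} header value, expected as {@code "Bearer <token>"}
 * @param issuer       optional issuer header; when non-blank it must pass {@code authUtil.isValidIssuer}
 * @param resourceInfo JAX-RS resource being invoked, used to look up the required scopes
 * @param method       HTTP method, forwarded to the custom authorization hook
 * @param path         request path, forwarded to the custom authorization hook
 * @return an {@code Authorization} header value (scheme plus token) whose scopes satisfy the resource
 * @throws WebApplicationException with status 401 when the header is blank or not a Bearer token,
 *         the issuer is invalid, the token is invalid or inactive, or its scopes are insufficient
 * @throws Exception propagated from the downstream services
 */
public String processAuthorization(String token, String issuer, ResourceInfo resourceInfo, String method, String path) throws Exception {
    // The bearer token is a credential: log only whether it is present, never its value.
    logger.debug("oAuth  Authorization parameters , tokenPresent:{}, issuer:{}, resourceInfo:{}, method: {}, path: {} ",
            StringUtils.isNotBlank(token), issuer, resourceInfo, method, path);
    if (StringUtils.isBlank(token)) {
        logger.error("Token is blank !!!");
        throw new WebApplicationException("Token is blank.", Response.status(Response.Status.UNAUTHORIZED).build());
    }

    // Validate issuer.
    // NOTE(review): a blank issuer header skips this check entirely — confirm that is intended.
    logger.info("Validate issuer");
    if (StringUtils.isNotBlank(issuer) && !authUtil.isValidIssuer(issuer)) {
        throw new WebApplicationException("Header Issuer is Invalid.", Response.status(Response.Status.UNAUTHORIZED).build());
    }

    // Require the Bearer scheme explicitly (scheme names are case-insensitive, RFC 7235).
    // A blind substring would silently accept "Basic ..." or any other header as a token,
    // and a header shorter than the scheme would throw StringIndexOutOfBoundsException
    // and surface as a 500 instead of a 401.
    final String scheme = "Bearer ";
    final String header = token.trim();
    if (header.length() <= scheme.length() || !header.regionMatches(true, 0, scheme, 0, scheme.length())) {
        logger.error("Authorization header does not carry a Bearer token");
        throw new WebApplicationException("Token is Invalid.", Response.status(Response.Status.UNAUTHORIZED).build());
    }
    // header is trimmed at both ends and longer than the scheme, so this is never empty.
    final String accessToken = header.substring(scheme.length()).trim();

    // Check the type of token: JWT is validated locally, anything else is introspected.
    logger.info("Verify if JWT");
    if (jwtUtil.isJwt(accessToken)) {
        try {
            logger.info("Since token is JWT Validate it");
            jwtUtil.parse(accessToken);
            List<String> tokenScopes = jwtUtil.validateToken(accessToken);
            logger.debug(" tokenScopes:{} ", tokenScopes);
            // Validate Scopes
            return this.validateScope(accessToken, tokenScopes, resourceInfo, issuer);
        } catch (InvalidJwtException exp) {
            // Log the failure, not the token.
            logger.error("oAuth Invalid Jwt token, exception:{} ", exp.getMessage(), exp);
            throw new WebApplicationException("Jwt Token is Invalid.", Response.status(Response.Status.UNAUTHORIZED).build());
        }
    }

    logger.info("Token is NOT JWT hence introspecting it as Reference token ");
    IntrospectionResponse introspectionResponse = openIdService.getIntrospectionResponse(token, accessToken, issuer);
    logger.trace("oAuth  Authorization introspectionResponse:{}", introspectionResponse);
    if (introspectionResponse == null || !introspectionResponse.isActive()) {
        logger.error("Token is Invalid.");
        throw new WebApplicationException("Token is Invalid.", Response.status(Response.Status.UNAUTHORIZED).build());
    }
    List<String> tokenScopes = introspectionResponse.getScope();

    // Validate Scopes
    String authorizedToken = validateScope(accessToken, tokenScopes, resourceInfo, issuer);

    // NOTE(review): the custom-authorization result is computed but never enforced — the
    // request proceeds whatever isAuthorized is. Confirm whether externalAuthorization is
    // expected to throw on denial; if it is not, a false here should map to 401/403.
    boolean isAuthorized = externalAuthorization(token, issuer, method, path);
    logger.debug("Custom authorization - isAuthorized:{}", isAuthorized);
    return authorizedToken;
}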
Also used : InvalidJwtException(io.jans.as.model.exception.InvalidJwtException) WebApplicationException(javax.ws.rs.WebApplicationException) IntrospectionResponse(io.jans.as.model.common.IntrospectionResponse)

Example 9 with IntrospectionResponse

use of io.jans.as.model.common.IntrospectionResponse in project jans by JanssenProject.

From class OpenIdAuthorizationService, method validateScope (checks token scopes against the resource's required scopes, exchanging for a new token when an auth-server-specific scope is required).

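/**
 * Checks that {@code tokenScopes} cover the scopes the resource requires and returns the
 * {@code Authorization} header value to use downstream.
 *
 * <p>When the resource needs no auth-server-specific scope, the caller's token is accepted
 * as-is if its scopes satisfy the resource scopes. When an auth-server-specific scope is
 * required, the caller's token may only be missing exactly that scope; a new token carrying
 * the resource scopes plus the specific scope is then requested with the service's own client
 * id, introspected, and returned in place of the caller's token.
 *
 * @param accessToken  the bare access token (without scheme) presented by the caller
 * @param tokenScopes  scopes granted to {@code accessToken}
 * @param resourceInfo JAX-RS resource being invoked, used to look up required scopes
 * @param issuer       issuer header from the request (logged only)
 * @return {@code AUTHENTICATION_SCHEME} followed by the token to forward
 * @throws WebApplicationException 401 when scopes are insufficient or the exchanged token is
 *         inactive; 500 for any other failure while talking to the authorization server
 */
private String validateScope(String accessToken, List<String> tokenScopes, ResourceInfo resourceInfo, String issuer) throws WebApplicationException {
    // Do not log the access token itself — it is a credential.
    logger.debug("Validate scope, tokenScopes:{}, resourceInfo: {}, issuer: {}", tokenScopes, resourceInfo, issuer);
    try {
        // Get resource scope
        List<String> resourceScopes = getRequestedScopes(resourceInfo);
        // Check if resource requires auth server specific scope
        List<String> authSpecificScope = getAuthSpecificScopeRequired(resourceInfo);
        logger.debug(" resourceScopes:{}, authSpecificScope:{} ", resourceScopes, authSpecificScope);

        // No auth-server-specific scope: the caller's token must satisfy the resource scopes directly.
        if (authSpecificScope == null || authSpecificScope.isEmpty()) {
            logger.debug("Validating token scopes as no authSpecificScope required");
            if (!validateScope(tokenScopes, resourceScopes)) {
                logger.error("Insufficient scopes! Required scope:{} -  however token scopes:{}", resourceScopes, tokenScopes);
                throw new WebApplicationException("Insufficient scopes! , Required scope: " + resourceScopes + ", however token scopes: " + tokenScopes, Response.status(Response.Status.UNAUTHORIZED).build());
            }
            return AUTHENTICATION_SCHEME + accessToken;
        }

        // The caller's token may be missing only the auth-specific scope; anything else is a failure.
        List<String> missingScopes = findMissingElements(resourceScopes, tokenScopes);
        logger.debug("missingScopes:{}", missingScopes);
        if (missingScopes != null && !missingScopes.isEmpty() && !isEqualCollection(missingScopes, authSpecificScope)) {
            logger.error("Insufficient scopes!! Required scope:{}, , however token scopes:{} ", resourceScopes, tokenScopes);
            throw new WebApplicationException("Insufficient scopes!! , Required scope: " + resourceScopes + ", however token scopes: " + tokenScopes, Response.status(Response.Status.UNAUTHORIZED).build());
        }

        // Obtain a token that carries the resource scopes plus the auth-specific scope.
        resourceScopes.addAll(authSpecificScope);
        String exchangedToken = openIdService.requestAccessToken(authUtil.getClientId(), resourceScopes);
        logger.debug("Introspecting newly issued accessToken (value not logged)");

        // Introspect the exchanged token. A null or inactive response previously fell through
        // to a NullPointerException and surfaced as a 500; treat it as an authorization failure.
        IntrospectionResponse introspectionResponse = openIdService.getIntrospectionResponse(AUTHENTICATION_SCHEME + exchangedToken, exchangedToken, authUtil.getIssuer());
        if (introspectionResponse == null || !introspectionResponse.isActive()) {
            logger.error("Newly issued token is inactive or introspection returned no response");
            throw new WebApplicationException("Newly issued token is invalid.", Response.status(Response.Status.UNAUTHORIZED).build());
        }
        if (!validateScope(introspectionResponse.getScope(), resourceScopes)) {
            logger.error("Insufficient scopes!!! for new token as well - Required scope:{}, token scopes:{}", resourceScopes, introspectionResponse.getScope());
            throw new WebApplicationException("Insufficient scopes!!! Required scope: " + resourceScopes + ", token scopes: " + introspectionResponse.getScope(), Response.status(Response.Status.UNAUTHORIZED).build());
        }
        logger.info("Token scopes Valid, returning exchanged accessToken");
        return AUTHENTICATION_SCHEME + exchangedToken;
    } catch (WebApplicationException ex) {
        // WebApplicationException is a RuntimeException: without this clause the 401s raised
        // above were caught by the generic handler below and rewritten as 500s.
        throw ex;
    } catch (Exception ex) {
        if (logger.isErrorEnabled()) {
            logger.error("oAuth authorization error:{} ", ex.getMessage(), ex);
        }
        throw new WebApplicationException("oAuth authorization error " + ex.getMessage(), Response.status(Response.Status.INTERNAL_SERVER_ERROR).build());
    }
}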
Also used : WebApplicationException(javax.ws.rs.WebApplicationException) IntrospectionResponse(io.jans.as.model.common.IntrospectionResponse) WebApplicationException(javax.ws.rs.WebApplicationException) InvalidJwtException(io.jans.as.model.exception.InvalidJwtException)

Example 10 with IntrospectionResponse

use of io.jans.as.model.common.IntrospectionResponse in project jans by JanssenProject.

From class IntrospectionWebServiceEmbeddedTest, method introspection (embedded-server test that POSTs a token to the introspection endpoint and checks it is reported active).

@Test(dependsOnMethods = "requestTokenToIntrospect")
@Parameters({ "introspectionPath" })
public void introspection(final String introspectionPath) throws Exception {
    // Build the request: JSON response expected, authenticated with the bearer token
    // obtained by requestTokenToIntrospect.
    final Builder request = ResteasyClientBuilder.newClient()
            .target(url.toString() + introspectionPath)
            .request()
            .header("Accept", "application/json")
            .header("Authorization", "Bearer " + authorization.getAccessToken());

    // The token under test travels in the form body, as the introspection spec requires.
    final Form body = new Form("token", tokenToIntrospect.getAccessToken());
    final Response response = request.post(Entity.form(body));
    final String entity = response.readEntity(String.class);
    showResponse("introspection", response, entity);

    assertEquals(response.getStatus(), 200);

    // A body that does not deserialize to IntrospectionResponse is a test failure, not an error.
    IntrospectionResponse parsed = null;
    try {
        parsed = ServerUtil.createJsonMapper().readValue(entity, IntrospectionResponse.class);
    } catch (Exception e) {
        e.printStackTrace();
        fail();
    }
    assertTrue(parsed != null && parsed.isActive());
}
Also used : IntrospectionResponse(io.jans.as.model.common.IntrospectionResponse) Response(javax.ws.rs.core.Response) Form(javax.ws.rs.core.Form) IntrospectionResponse(io.jans.as.model.common.IntrospectionResponse) ResteasyClientBuilder(org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder) Builder(javax.ws.rs.client.Invocation.Builder) Parameters(org.testng.annotations.Parameters) Test(org.testng.annotations.Test) BaseTest(io.jans.as.server.BaseTest)

Aggregations

IntrospectionResponse (io.jans.as.model.common.IntrospectionResponse)13 Parameters (org.testng.annotations.Parameters)4 Test (org.testng.annotations.Test)4 BaseTest (io.jans.as.client.BaseTest)3 IntrospectionService (io.jans.as.client.service.IntrospectionService)3 InvalidJwtException (io.jans.as.model.exception.InvalidJwtException)3 Token (io.jans.as.model.uma.wrapper.Token)3 Response (javax.ws.rs.core.Response)3 HttpException (io.jans.ca.server.HttpException)2 WebApplicationException (javax.ws.rs.WebApplicationException)2 Builder (javax.ws.rs.client.Invocation.Builder)2 JwkResponse (io.jans.as.client.JwkResponse)1 TokenResponse (io.jans.as.client.TokenResponse)1 AuthCryptoProvider (io.jans.as.model.crypto.AuthCryptoProvider)1 SignatureAlgorithm (io.jans.as.model.crypto.signature.SignatureAlgorithm)1 Jwt (io.jans.as.model.jwt.Jwt)1 JwtClaims (io.jans.as.model.jwt.JwtClaims)1 BaseTest (io.jans.as.server.BaseTest)1 CorrectRptIntrospectionResponse (io.jans.ca.common.introspection.CorrectRptIntrospectionResponse)1 POJOResponse (io.jans.ca.common.response.POJOResponse)1