
Example 11 with IntrospectionResponse

Use of io.jans.as.model.common.IntrospectionResponse in project jans by JanssenProject.

The class ValidationService, method introspect.

public IntrospectionResponse introspect(String accessToken, String rpId) {
    // Reject missing tokens before doing any work; the command is protected by access_token.
    if (StringUtils.isBlank(accessToken)) {
        LOG.debug("access_token is blank. Command is protected by access_token, please provide valid token or otherwise switch off protection in configuration with protect_commands_with_access_token=false");
        throw new HttpException(ErrorResponseCode.BLANK_ACCESS_TOKEN);
    }
    final RpSyncService rpSyncService = ServerLauncher.getInjector().getInstance(RpSyncService.class);
    final Rp rp = rpSyncService.getRp(rpId);
    LOG.trace("Introspect token with rp: " + rp);
    // Ask the authorization server (via the RP's registered client) whether the token is still valid.
    final IntrospectionService introspectionService = ServerLauncher.getInjector().getInstance(IntrospectionService.class);
    final IntrospectionResponse response = introspectionService.introspectToken(rpId, accessToken);
    // An inactive token (expired, revoked or unknown to the AS) is rejected here, so callers never see it.
    if (!response.isActive()) {
        LOG.error("access_token is not active.");
        throw new HttpException(ErrorResponseCode.INACTIVE_ACCESS_TOKEN);
    }
    return response;
}

Example 12 with IntrospectionResponse

Use of io.jans.as.model.common.IntrospectionResponse in project jans by JanssenProject.

The class ValidationService, method validateAccessToken.

/**
 * Validates that accessToken is an active jans_client_api token issued to the
 * client of the RP identified by rpId. Throws HttpException (carrying the
 * matching ErrorResponseCode) when the token is blank, not active, has no
 * client_id, lacks the jans_client_api scope, or belongs to a different client.
 *
 * @param accessToken the bearer token presented by the caller
 * @param rpId        identifier of the registered RP the token must belong to
 */
public void validateAccessToken(String accessToken, String rpId) {
    if (StringUtils.isBlank(accessToken)) {
        throw new HttpException(ErrorResponseCode.BLANK_ACCESS_TOKEN);
    }
    final RpSyncService rpSyncService = ServerLauncher.getInjector().getInstance(RpSyncService.class);
    final Rp rp = rpSyncService.getRp(rpId);
    // introspect() already throws on blank or inactive tokens.
    final IntrospectionResponse introspectionResponse = introspect(accessToken, rpId);
    // Note: the raw access token is written to the log at TRACE level.
    LOG.trace("access_token: " + accessToken + ", introspection: " + introspectionResponse + ", clientId: " + rp.getClientId());
    // client_id is required for the ownership check below.
    if (StringUtils.isBlank(introspectionResponse.getClientId())) {
        LOG.error("AS returned introspection response with empty/blank client_id which is required by jans_client_api. Please check your AS installation and make sure AS return client_id for introspection call (CE 3.1.0 or later).");
        throw new HttpException(ErrorResponseCode.NO_CLIENT_ID_IN_INTROSPECTION_RESPONSE);
    }
    // scope is a list of granted scopes; guard against an AS that omits it entirely.
    final List<String> scopes = introspectionResponse.getScope();
    if (scopes == null || !scopes.contains("jans_client_api")) {
        LOG.error("access_token does not have `jans_client_api` scope. Make sure a) scope exists on AS b) register_site is registered with 'jans_client_api' scope c) get_client_token has 'jans_client_api' scope in request");
        throw new HttpException(ErrorResponseCode.ACCESS_TOKEN_INSUFFICIENT_SCOPE);
    }
    // The token must have been issued to this RP's own client, not merely to any client of the AS.
    if (introspectionResponse.getClientId().equals(rp.getClientId())) {
        return;
    }
    LOG.error("access_token client_id does not match client_id of rp " + rpId + ". Forbidden.");
    throw new HttpException(ErrorResponseCode.INVALID_ACCESS_TOKEN);
}

Example 13 with IntrospectionResponse

Use of io.jans.as.model.common.IntrospectionResponse in project jans by JanssenProject.

The class DefaultOAuthProtectionService, method processIntrospectionResponse.

@Override
public Response processIntrospectionResponse(IntrospectionResponse iresponse, List<String> scopes) {
    // A null return means the token was accepted; a non-null Response is the error to send back.
    Response response = null;
    // Null-safe: a missing introspection response yields null scopes and is rejected below.
    List<String> tokenScopes = Optional.ofNullable(iresponse).map(IntrospectionResponse::getScope).orElse(null);
    // Reject when the token is absent, inactive, or does not carry every required scope.
    if (tokenScopes == null || !iresponse.isActive() || !tokenScopes.containsAll(scopes)) {
        String msg = "Invalid token or insufficient scopes";
        log.error("{}. Token scopes: {}", msg, tokenScopes);
        // see section 3.12 RFC 7644
        response = IProtectionService.simpleResponse(Response.Status.FORBIDDEN, msg);
    }
    return response;
}
