use of io.jans.as.model.common.IntrospectionResponse in project jans by JanssenProject.
the class ValidationService method introspect.
/**
 * Introspects {@code accessToken} at the AS on behalf of the RP identified by {@code rpId}
 * and hands back the raw introspection result.
 *
 * <p>Only blank and inactive tokens are rejected here; scope and client_id checks are
 * left to the caller.
 *
 * @param accessToken bearer token to introspect; must not be blank
 * @param rpId        identifier of the registered RP the introspection is performed for
 * @return the introspection response, which is guaranteed to report {@code isActive() == true}
 * @throws HttpException with {@code BLANK_ACCESS_TOKEN} when the token is blank, or
 *                       {@code INACTIVE_ACCESS_TOKEN} when the AS reports the token inactive
 */
public IntrospectionResponse introspect(String accessToken, String rpId) {
    final boolean tokenMissing = StringUtils.isBlank(accessToken);
    if (tokenMissing) {
        LOG.debug("access_token is blank. Command is protected by access_token, please provide valid token or otherwise switch off protection in configuration with protect_commands_with_access_token=false");
        throw new HttpException(ErrorResponseCode.BLANK_ACCESS_TOKEN);
    }

    final RpSyncService syncService = ServerLauncher.getInjector().getInstance(RpSyncService.class);
    final Rp registeredRp = syncService.getRp(rpId);
    // NOTE(review): this logs Rp.toString(); whether that output carries client secrets is not visible here -
    // confirm before enabling TRACE on a production node.
    LOG.trace("Introspect token with rp: " + registeredRp);

    final IntrospectionService introspection = ServerLauncher.getInjector().getInstance(IntrospectionService.class);
    final IntrospectionResponse result = introspection.introspectToken(rpId, accessToken);
    if (result.isActive()) {
        return result;
    }

    LOG.error("access_token is not active.");
    throw new HttpException(ErrorResponseCode.INACTIVE_ACCESS_TOKEN);
}
use of io.jans.as.model.common.IntrospectionResponse in project jans by JanssenProject.
the class ValidationService method validateAccessToken.
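/**
 * Validates that {@code accessToken} may drive commands on behalf of the RP identified by
 * {@code rpId}. The token is introspected at the AS and must be active, carry a
 * {@code client_id}, include the {@code jans_client_api} scope and belong to the same
 * client the RP was registered with.
 *
 * <p>Returns normally only when every check passes; each failure is reported by throwing
 * an {@link HttpException}, so there is no boolean result.
 *
 * @param accessToken bearer token taken from the request; must not be blank
 * @param rpId        identifier of the registered RP whose client_id the token must match
 * @throws HttpException {@code BLANK_ACCESS_TOKEN} for a blank token,
 *                       {@code INACTIVE_ACCESS_TOKEN} (raised by {@link #introspect}) for an inactive token,
 *                       {@code NO_CLIENT_ID_IN_INTROSPECTION_RESPONSE} when the AS omits client_id,
 *                       {@code ACCESS_TOKEN_INSUFFICIENT_SCOPE} when the jans_client_api scope is missing,
 *                       {@code INVALID_ACCESS_TOKEN} when the token belongs to a different client than the RP
 */
public void validateAccessToken(String accessToken, String rpId) {
    if (StringUtils.isBlank(accessToken)) {
        throw new HttpException(ErrorResponseCode.BLANK_ACCESS_TOKEN);
    }

    final RpSyncService rpSyncService = ServerLauncher.getInjector().getInstance(RpSyncService.class);
    final Rp rp = rpSyncService.getRp(rpId);
    // NOTE(review): rp is dereferenced below; whether getRp() can return null for an unknown rpId is not
    // visible here - confirm against RpSyncService.

    // introspect() already rejects blank and inactive tokens.
    final IntrospectionResponse introspectionResponse = introspect(accessToken, rpId);
    // Never log the bearer token itself: a TRACE line is enough to replay the credential.
    LOG.trace("introspection: " + introspectionResponse + ", clientId: " + rp.getClientId());

    if (StringUtils.isBlank(introspectionResponse.getClientId())) {
        LOG.error("AS returned introspection response with empty/blank client_id which is required by jans_client_api. Please check your AS installation and make sure AS return client_id for introspection call (CE 3.1.0 or later).");
        throw new HttpException(ErrorResponseCode.NO_CLIENT_ID_IN_INTROSPECTION_RESPONSE);
    }

    // A missing scope list is treated the same as a list without the required scope,
    // instead of surfacing as a NullPointerException.
    final boolean hasClientApiScope = introspectionResponse.getScope() != null
            && introspectionResponse.getScope().contains("jans_client_api");
    if (!hasClientApiScope) {
        LOG.error("access_token does not have `jans_client_api` scope. Make sure a) scope exists on AS b) register_site is registered with 'jans_client_api' scope c) get_client_token has 'jans_client_api' scope in request");
        throw new HttpException(ErrorResponseCode.ACCESS_TOKEN_INSUFFICIENT_SCOPE);
    }

    // The token must have been issued to the same client the RP was registered with;
    // otherwise a valid token of one RP could be used to operate another.
    if (!introspectionResponse.getClientId().equals(rp.getClientId())) {
        LOG.error("access_token client_id '" + introspectionResponse.getClientId()
                + "' does not match client_id '" + rp.getClientId() + "' of rp " + rpId + ". Forbidden.");
        throw new HttpException(ErrorResponseCode.INVALID_ACCESS_TOKEN);
    }
}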
use of io.jans.as.model.common.IntrospectionResponse in project jans by JanssenProject.
the class DefaultOAuthProtectionService method processIntrospectionResponse.
/**
 * Checks an introspection result against the scopes a protected resource requires.
 *
 * <p>Access is granted (result {@code null}) only when the response is present, reports
 * the token as active and its scope list contains every entry of {@code scopes}. Any
 * other case yields a 403 Forbidden error body in the RFC 7644 section 3.12 shape.
 *
 * <p>NOTE(review): an absent or inactive token is answered with 403 here, not the 401
 * that RFC 6750 would use for an invalid token; the message deliberately does not tell
 * a caller which of the two conditions failed.
 *
 * @param iresponse introspection result from the AS; {@code null} is treated as an invalid token
 * @param scopes    scopes the resource requires; presumably non-null, since it is passed straight to containsAll
 * @return {@code null} when the request may proceed, otherwise the error response to return
 */
@Override
public Response processIntrospectionResponse(IntrospectionResponse iresponse, List<String> scopes) {
    final List<String> granted = iresponse == null ? null : iresponse.getScope();
    final boolean allowed = granted != null && iresponse.isActive() && granted.containsAll(scopes);
    if (allowed) {
        return null;
    }

    final String msg = "Invalid token or insufficient scopes";
    log.error("{}. Token scopes: {}", msg, granted);
    // see section 3.12 RFC 7644
    return IProtectionService.simpleResponse(Response.Status.FORBIDDEN, msg);
}