
use of io.jans.as.model.jwt.JwtSubClaimObject in project jans by JanssenProject.

the class IdTokenFactory method fillClaims.

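/**
 * Populates the claim set of an id_token for {@code authorizationGrant}.
 *
 * Claims are written in a fixed order and a later step may overwrite an earlier one:
 * iss/aud/exp/iat, the random "code" identifier, the pre-processing hook, sid, acr/amr,
 * nonce, auth_time, c_hash/at_hash/s_hash, "grant", the OpenID Connect version, user
 * claims released by the granted scopes, claims from the request object, claims from the
 * claims parameter, the access-token based claim filter, the subject identifier
 * (jwrService), dynamic-scope scripts, CIBA handling and finally the post-processor hook.
 *
 * @param jwr                token under construction; its header's signature algorithm must
 *                           already be set, since the *_hash claims are derived from it
 * @param authorizationGrant the grant (client, user, session DN, acr values, grant type)
 * @param authorizationCode  code to bind through c_hash, or null to omit the claim
 * @param accessToken        access token to bind through at_hash, or null to omit the claim
 * @param refreshToken       only handed on to processCiba
 * @param executionContext   request context: scopes, nonce, state, claims request, hooks
 * @throws Exception whatever the hooks, scripts and services invoked here throw
 */
@SuppressWarnings("unchecked") // List<String> casts of scope claim values, as in UserInfoRestWebServiceImpl
private void fillClaims(JsonWebResponse jwr, IAuthorizationGrant authorizationGrant, AuthorizationCode authorizationCode, AccessToken accessToken, RefreshToken refreshToken, ExecutionContext executionContext) throws Exception {
    jwr.getClaims().setIssuer(appConfiguration.getIssuer());
    Audience.setAudience(jwr.getClaims(), authorizationGrant.getClient());

    // Lifetime: the configured default, replaced by any positive value from the UpdateToken script.
    // NOTE(review): the script value is trusted as-is; nothing here caps it.
    int lifeTime = appConfiguration.getIdTokenLifetime();
    int lifetimeFromScript = externalUpdateTokenService.getIdTokenLifetimeInSeconds(ExternalUpdateTokenContext.of(executionContext));
    if (lifetimeFromScript > 0) {
        lifeTime = lifetimeFromScript;
        log.trace("Override id token lifetime with value from script: {}", lifetimeFromScript);
    }
    Date issuedAt = new Date();
    // long arithmetic: int milliseconds would overflow for lifetimes above ~24 days
    Date expiration = new Date(issuedAt.getTime() + lifeTime * 1000L);
    jwr.getClaims().setExpirationTime(expiration);
    jwr.getClaims().setIssuedAt(issuedAt);

    // Random per-token identifier. This is not the authorization code, which is bound via c_hash below.
    jwr.setClaim("code", UUID.randomUUID().toString());

    if (executionContext.getPreProcessing() != null) {
        executionContext.getPreProcessing().apply(jwr);
    }

    // Only the external session id is exposed, never the session DN.
    final SessionId session = sessionIdService.getSessionByDn(authorizationGrant.getSessionDn());
    if (session != null) {
        jwr.setClaim("sid", session.getOutsideSid());
    }
    if (authorizationGrant.getAcrValues() != null) {
        jwr.setClaim(JwtClaimName.AUTHENTICATION_CONTEXT_CLASS_REFERENCE, authorizationGrant.getAcrValues());
        setAmrClaim(jwr, authorizationGrant.getAcrValues());
    }
    String nonce = executionContext.getNonce();
    if (StringUtils.isNotBlank(nonce)) {
        jwr.setClaim(JwtClaimName.NONCE, nonce);
    }
    if (authorizationGrant.getAuthenticationTime() != null) {
        jwr.getClaims().setClaim(JwtClaimName.AUTHENTICATION_TIME, authorizationGrant.getAuthenticationTime());
    }

    // Binding hashes. All three are computed with the token's own signature algorithm, so the
    // header must be final before this method runs.
    if (authorizationCode != null) {
        String codeHash = AbstractToken.getHash(authorizationCode.getCode(), jwr.getHeader().getSignatureAlgorithm());
        jwr.setClaim(JwtClaimName.CODE_HASH, codeHash);
    }
    if (accessToken != null) {
        String accessTokenHash = AbstractToken.getHash(accessToken.getCode(), jwr.getHeader().getSignatureAlgorithm());
        jwr.setClaim(JwtClaimName.ACCESS_TOKEN_HASH, accessTokenHash);
    }
    String state = executionContext.getState();
    if (Strings.isNotBlank(state)) {
        String stateHash = AbstractToken.getHash(state, jwr.getHeader().getSignatureAlgorithm());
        jwr.setClaim(JwtClaimName.STATE_HASH, stateHash);
    }
    if (authorizationGrant.getGrantType() != null) {
        jwr.setClaim("grant", authorizationGrant.getGrantType().getValue());
    }
    jwr.setClaim(JwtClaimName.OX_OPENID_CONNECT_VERSION, appConfiguration.getOxOpenIdConnectVersion());

    // User claims are embedded only when both the request and the client registration ask for it.
    User user = authorizationGrant.getUser();
    List<Scope> dynamicScopes = new ArrayList<>();
    if (executionContext.isIncludeIdTokenClaims() && authorizationGrant.getClient().isIncludeClaimsInIdToken()) {
        for (String scopeName : executionContext.getScopes()) {
            Scope scope = scopeService.getScopeById(scopeName);
            if (scope == null) {
                continue;
            }
            if (DYNAMIC == scope.getScopeType()) {
                // Filled by scripts after the static claims, see below.
                dynamicScopes.add(scope);
                continue;
            }
            Map<String, Object> claims = scopeService.getClaims(user, scope);
            if (Boolean.TRUE.equals(scope.isGroupClaims())) {
                // Grouped scope: the attributes are nested under the scope id.
                JwtSubClaimObject groupClaim = new JwtSubClaimObject();
                groupClaim.setName(scope.getId());
                for (Map.Entry<String, Object> entry : claims.entrySet()) {
                    String key = entry.getKey();
                    Object value = entry.getValue();
                    if (value instanceof List) {
                        groupClaim.setClaim(key, (List<String>) value);
                    } else {
                        // Stringify instead of casting: Boolean/Date values (which the flat branch
                        // below handles) used to throw ClassCastException here and abort issuance.
                        // Same conversion as UserInfoRestWebServiceImpl.getJSonResponse; null stays null.
                        groupClaim.setClaim(key, value == null ? null : String.valueOf(value));
                    }
                }
                jwr.getClaims().setClaim(scope.getId(), groupClaim);
            } else {
                for (Map.Entry<String, Object> entry : claims.entrySet()) {
                    String key = entry.getKey();
                    Object value = entry.getValue();
                    if (value instanceof List) {
                        jwr.getClaims().setClaim(key, (List<String>) value);
                    } else if (value instanceof Boolean) {
                        jwr.getClaims().setClaim(key, (Boolean) value);
                    } else if (value instanceof Date) {
                        // epoch seconds, as for any JWT date claim
                        jwr.getClaims().setClaim(key, ((Date) value).getTime() / 1000);
                    } else {
                        // Any other type is stringified (a String is returned unchanged); null stays null.
                        jwr.setClaim(key, value == null ? null : String.valueOf(value));
                    }
                }
            }
            // Provisional subject: the internal inum. jwrService.setSubjectIdentifier below is
            // expected to replace it with the value meant for the client; if that call ever
            // becomes conditional, the internal identifier would leak as "sub".
            jwr.getClaims().setSubjectIdentifier(user.getAttribute("inum"));
        }
    }
    setClaimsFromJwtAuthorizationRequest(jwr, authorizationGrant, executionContext.getScopes());
    setClaimsFromRequestedClaims(executionContext.getClaimsAsString(), jwr, user);
    filterClaimsBasedOnAccessToken(jwr, accessToken, authorizationCode);
    // Authoritative subject identifier (supersedes the inum written in the scope loop, if any).
    jwrService.setSubjectIdentifier(jwr, authorizationGrant);
    if (!dynamicScopes.isEmpty() && externalDynamicScopeService.isEnabled()) {
        // Scripts receive the grant through the UnmodifiableAuthorizationGrant wrapper but can
        // add or overwrite any claim already present on jwr.
        final UnmodifiableAuthorizationGrant unmodifiableAuthorizationGrant = new UnmodifiableAuthorizationGrant(authorizationGrant);
        DynamicScopeExternalContext dynamicScopeContext = new DynamicScopeExternalContext(dynamicScopes, jwr, unmodifiableAuthorizationGrant);
        externalDynamicScopeService.executeExternalUpdateMethods(dynamicScopeContext);
    }
    processCiba(jwr, authorizationGrant, refreshToken);
    // Last writer: the post-processor may change anything set above.
    if (executionContext.getPostProcessor() != null) {
        executionContext.getPostProcessor().apply(jwr);
    }
}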


use of io.jans.as.model.jwt.JwtSubClaimObject in project jans by JanssenProject.

the class UserInfoRestWebServiceImpl method getJSonResponse.

/**
 * Builds the UserInfo response body as a JSON string.
 *
 * Claims are collected in this order, later writers overriding earlier ones:
 * (1) attributes released by each granted non-dynamic scope, nested under the scope id
 * when the scope is flagged groupClaims; (2) the "userinfo" member of the grant's claims
 * parameter; (3) the userinfo member of the request object, but only for attributes that
 * pass validateRequesteClaim; (4) the subject identifier taken from the grant; (5) whatever
 * the dynamic-scope scripts add, when a dynamic scope was granted and the script service is
 * enabled.
 *
 * NOTE(review): path (2) releases any attribute whose claim name resolves, without the
 * validateRequesteClaim check that path (3) applies, although the claims parameter is
 * client-supplied. Confirm that this asymmetry is intended.
 *
 * @param user               the authenticated user whose attributes are released
 * @param authorizationGrant grant backing the access token (client, claims request, sub)
 * @param scopes             scopes granted to the access token
 * @return the serialized claim set
 * @throws InvalidClaimException declared by the callees; not thrown directly here
 * @throws ParseException        declared by the callees; not thrown directly here
 */
public String getJSonResponse(User user, AuthorizationGrant authorizationGrant, Collection<String> scopes) throws InvalidClaimException, ParseException {
    // Trace level only: this line prints every custom attribute of the user.
    log.trace("Building JSON reponse with next scopes {} for user {} and user custom attributes {}", scopes, user.getUserId(), user.getCustomAttributes());
    JsonWebResponse response = new JsonWebResponse();
    List<Scope> deferredDynamicScopes = new ArrayList<>();

    for (String scopeName : scopes) {
        Scope scope = scopeService.getScopeById(scopeName);
        boolean isDynamicScope = scope != null && ScopeType.DYNAMIC == scope.getScopeType();
        if (isDynamicScope) {
            // Dynamic scopes are filled by scripts after the static claims, see below.
            deferredDynamicScopes.add(scope);
            continue;
        }
        // getClaims is consulted even when the scope could not be loaded (scope == null).
        Map<String, Object> releasedClaims = scopeService.getClaims(user, scope);
        if (releasedClaims == null) {
            continue;
        }
        if (scope == null) {
            log.trace("Unable to find scope in persistence. Is it removed? Scope name: {}", scopeName);
        }
        boolean grouped = scope != null && Boolean.TRUE.equals(scope.isGroupClaims());
        if (grouped) {
            // Nest the released attributes under the scope id.
            JwtSubClaimObject nested = new JwtSubClaimObject();
            nested.setName(scope.getId());
            for (Map.Entry<String, Object> claim : releasedClaims.entrySet()) {
                Object claimValue = claim.getValue();
                if (claimValue instanceof List) {
                    nested.setClaim(claim.getKey(), (List<String>) claimValue);
                } else {
                    nested.setClaim(claim.getKey(), String.valueOf(claimValue));
                }
            }
            response.getClaims().setClaim(scope.getId(), nested);
        } else {
            for (Map.Entry<String, Object> claim : releasedClaims.entrySet()) {
                String claimName = claim.getKey();
                Object claimValue = claim.getValue();
                if (claimValue instanceof List) {
                    response.getClaims().setClaim(claimName, (List<String>) claimValue);
                } else if (claimValue instanceof Boolean) {
                    response.getClaims().setClaim(claimName, (Boolean) claimValue);
                } else if (claimValue instanceof Date) {
                    // dates go out as epoch seconds
                    response.getClaims().setClaim(claimName, ((Date) claimValue).getTime() / 1000);
                } else {
                    response.getClaims().setClaim(claimName, String.valueOf(claimValue));
                }
            }
        }
    }

    // Claims requested through the "claims" parameter, userinfo member.
    String claimsRequest = authorizationGrant.getClaims();
    if (claimsRequest != null) {
        JSONObject claimsRequestObj = new JSONObject(claimsRequest);
        if (claimsRequestObj.has("userinfo")) {
            JSONObject userInfoMember = claimsRequestObj.getJSONObject("userinfo");
            for (Iterator<String> names = userInfoMember.keys(); names.hasNext(); ) {
                String claimName = names.next();
                GluuAttribute attributeDef = attributeService.getByClaimName(claimName);
                if (attributeDef == null) {
                    continue;
                }
                // Always read as optional; the claim's own essential/voluntary flag is not consulted.
                Object attributeValue = user.getAttribute(attributeDef.getName(), true, attributeDef.getOxMultiValuedAttribute());
                response.getClaims().setClaimFromJsonObject(claimName, attributeValue);
            }
        }
    }

    // Claims requested through the request object (JWT), userinfo member. Unlike the branch
    // above, each attribute must pass validateRequesteClaim against the client and scopes.
    if (authorizationGrant.getJwtAuthorizationRequest() != null && authorizationGrant.getJwtAuthorizationRequest().getUserInfoMember() != null) {
        for (Claim requested : authorizationGrant.getJwtAuthorizationRequest().getUserInfoMember().getClaims()) {
            GluuAttribute attributeDef = attributeService.getByClaimName(requested.getName());
            if (attributeDef == null) {
                continue;
            }
            Client client = authorizationGrant.getClient();
            if (!validateRequesteClaim(attributeDef, client.getClaims(), scopes)) {
                continue;
            }
            // Always read as optional; the claim's own essential/voluntary flag is not consulted.
            Object attributeValue = user.getAttribute(attributeDef.getName(), true, attributeDef.getOxMultiValuedAttribute());
            response.getClaims().setClaimFromJsonObject(requested.getName(), attributeValue);
        }
    }

    response.getClaims().setSubjectIdentifier(authorizationGrant.getSub());

    if (!deferredDynamicScopes.isEmpty() && externalDynamicScopeService.isEnabled()) {
        // Scripts receive the grant through the UnmodifiableAuthorizationGrant wrapper but can
        // add or overwrite any claim already present on the response.
        final UnmodifiableAuthorizationGrant readOnlyGrant = new UnmodifiableAuthorizationGrant(authorizationGrant);
        DynamicScopeExternalContext scriptContext = new DynamicScopeExternalContext(deferredDynamicScopes, response, readOnlyGrant);
        externalDynamicScopeService.executeExternalUpdateMethods(scriptContext);
    }
    return response.toString();
}
