
Example 1 with AbstractToken

use of io.jans.as.server.model.common.AbstractToken in project jans by JanssenProject.

The class StatWS, method validateAuthorization.

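/**
 * Authorizes a call to the Statistic Endpoint from the bearer credential carried in the
 * {@code Authorization} header.
 *
 * <p>The grant is resolved through {@code tokenService}. The request is rejected with
 * {@code 401 ACCESS_DENIED} when no grant or access token matches the credential, when the
 * access token is expired, or when the grant does not carry the scope configured by
 * {@code appConfiguration.getStatAuthorizationScope()}.
 *
 * <p>The credential value is deliberately never written to the log: a bearer token is a
 * reusable secret and trace output commonly ends up in shared log stores.
 *
 * @param authorization raw value of the {@code Authorization} request header
 * @throws WebApplicationException 401 with {@code ACCESS_DENIED} when any check fails
 */
private void validateAuthorization(String authorization) {
    log.trace("Validating authorization for Statistic Endpoint.");
    AuthorizationGrant grant = tokenService.getAuthorizationGrant(authorization);
    if (grant == null) {
        log.trace("Unable to find grant by authorization.");
        throw errorResponseFactory.createWebApplicationException(Response.Status.UNAUTHORIZED, TokenErrorResponseType.ACCESS_DENIED, "Can't find grant for authorization.");
    }
    final AbstractToken accessToken = grant.getAccessToken(tokenService.getToken(authorization));
    if (accessToken == null) {
        log.trace("Unable to find access token by authorization.");
        throw errorResponseFactory.createWebApplicationException(Response.Status.UNAUTHORIZED, TokenErrorResponseType.ACCESS_DENIED, "Can't find access token.");
    }
    if (accessToken.isExpired()) {
        log.trace("Access Token is expired.");
        throw errorResponseFactory.createWebApplicationException(Response.Status.UNAUTHORIZED, TokenErrorResponseType.ACCESS_DENIED, "Token expired.");
    }
    final String requiredScope = appConfiguration.getStatAuthorizationScope();
    // Check membership in the scope set rather than a substring of the joined scope string:
    // String.contains() would accept any scope whose name merely embeds the required one.
    // getScopes() is treated as possibly null elsewhere in the code base, so a null set denies.
    final java.util.Set<String> scopes = grant.getScopes();
    if (scopes == null || !scopes.contains(requiredScope)) {
        log.trace("Access Token does NOT have '{}' scope which is required to call Statistic Endpoint.", requiredScope);
        throw errorResponseFactory.createWebApplicationException(Response.Status.UNAUTHORIZED, TokenErrorResponseType.ACCESS_DENIED, requiredScope + " scope is required for token.");
    }
}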
Also used : AbstractToken(io.jans.as.server.model.common.AbstractToken) AuthorizationGrant(io.jans.as.server.model.common.AuthorizationGrant)

Example 2 with AbstractToken

use of io.jans.as.server.model.common.AbstractToken in project jans by JanssenProject.

The class RegisterRestWebServiceImpl, method validateAuthorizationAccessToken.

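/**
 * Verifies that a client-registration request is authorized by an access token whose grant
 * belongs to the client being managed.
 *
 * <p>The check is a no-op when {@code appConfiguration.getDcrAuthorizationWithClientCredentials()}
 * is false. Otherwise the token and client id must both be present, the token must resolve to a
 * grant holding a valid access token, and that grant's client id must equal {@code clientId}.
 *
 * <p>The token value is never logged; only the outcome of each check is traced.
 *
 * @param accessToken bearer access token presented with the request
 * @param clientId    client id named in the request, compared against the grant's client id
 * @throws WebApplicationException 400 {@code INVALID_TOKEN} when either argument is blank or
 *                                 the client id does not match the grant; 401 {@code INVALID_TOKEN}
 *                                 when no grant or no valid access token is found
 */
private void validateAuthorizationAccessToken(String accessToken, String clientId) {
    if (isFalse(appConfiguration.getDcrAuthorizationWithClientCredentials())) {
        return;
    }
    if (StringUtils.isBlank(accessToken) || StringUtils.isBlank(clientId)) {
        log.trace("Access Token or clientId is blank.");
        throw invalidTokenException(Response.Status.BAD_REQUEST, "The Access Token is not valid for the Client ID.");
    }
    final AuthorizationGrant grant = authorizationGrantList.getAuthorizationGrantByAccessToken(accessToken);
    if (grant == null) {
        log.trace("Unable to find grant by access token.");
        throw invalidTokenException(Response.Status.UNAUTHORIZED, "The Access Token grant is not found.");
    }
    final AbstractToken accessTokenObj = grant.getAccessToken(accessToken);
    if (accessTokenObj == null || !accessTokenObj.isValid()) {
        log.trace("Unable to find access token object or otherwise it's expired.");
        throw invalidTokenException(Response.Status.UNAUTHORIZED, "The Access Token object is not found or otherwise expired.");
    }
    if (!clientId.equals(grant.getClientId())) {
        log.trace("ClientId from request does not match to access token's client id.");
        // The token exists and is valid; the failure is the client binding, so the error
        // description must say that rather than repeat the "not found or expired" text.
        throw invalidTokenException(Response.Status.BAD_REQUEST, "The Access Token is not valid for the Client ID.");
    }
}

/**
 * Builds the {@code INVALID_TOKEN} error response used by
 * {@link #validateAuthorizationAccessToken(String, String)}.
 *
 * @param status      HTTP status of the response
 * @param description human-readable error description placed in the JSON body
 * @return exception carrying a JSON error entity with the given status
 */
private WebApplicationException invalidTokenException(Response.Status status, String description) {
    return new WebApplicationException(Response.status(status).type(MediaType.APPLICATION_JSON_TYPE).entity(errorResponseFactory.errorAsJson(RegisterErrorResponseType.INVALID_TOKEN, description)).build());
}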
Also used : WebApplicationException(javax.ws.rs.WebApplicationException) AbstractToken(io.jans.as.server.model.common.AbstractToken) AuthorizationGrant(io.jans.as.server.model.common.AuthorizationGrant)

Example 3 with AbstractToken

use of io.jans.as.server.model.common.AbstractToken in project jans by JanssenProject.

The class ClientInfoRestWebServiceImpl, method requestClientInfo.

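/**
 * Serves the Client Info endpoint for the client that owns the presented access token.
 *
 * <p>A bearer token in the {@code Authorization} header takes precedence over the
 * {@code accessToken} parameter. The token must pass {@code ClientInfoParamsValidator},
 * resolve to a grant, and be a valid access token of that grant; the grant's client and scopes
 * are then rendered via {@code getJSonResponse}. Successful responses are marked
 * {@code no-store}/{@code private} and {@code Pragma: no-cache}.
 *
 * <p>Only whether a token was supplied is logged, never its value.
 *
 * @param accessToken     access token passed as a request parameter (may be overridden by the header)
 * @param authorization   raw {@code Authorization} header, consulted for a bearer token
 * @param securityContext JAX-RS security context of the request
 * @return 200 with the client info JSON, or 400 with an {@code INVALID_REQUEST}/{@code INVALID_TOKEN}
 *         error body when the token fails validation or cannot be resolved
 */
public Response requestClientInfo(String accessToken, String authorization, SecurityContext securityContext) {
    final String token = tokenService.isBearerAuthToken(authorization)
            ? tokenService.getBearerToken(authorization)
            : accessToken;
    log.debug("Attempting to request Client Info, Access token present = {}, Is Secure = {}", token != null, securityContext.isSecure());
    errorResponseFactory.validateComponentEnabled(ComponentType.CLIENTINFO);
    Response.ResponseBuilder builder = Response.ok();
    if (!ClientInfoParamsValidator.validateParams(token)) {
        builder = Response.status(400);
        builder.entity(errorResponseFactory.errorAsJson(ClientInfoErrorResponseType.INVALID_REQUEST, "Failed to validate access token."));
    } else {
        AuthorizationGrant authorizationGrant = authorizationGrantList.getAuthorizationGrantByAccessToken(token);
        // NOTE(review): RFC 6750 prescribes 401 + WWW-Authenticate for invalid_token; the 400
        // status is kept here to preserve the existing client-visible contract.
        if (authorizationGrant == null) {
            log.trace("Failed to find authorization grant for access token.");
            return Response.status(400).entity(errorResponseFactory.getErrorAsJson(ClientInfoErrorResponseType.INVALID_TOKEN, "", "Unable to find grant object associated with access token.")).build();
        }
        final AbstractToken tokenObject = authorizationGrant.getAccessToken(token);
        if (tokenObject == null || !tokenObject.isValid()) {
            log.trace("Invalid access token.");
            return Response.status(400).entity(errorResponseFactory.getErrorAsJson(ClientInfoErrorResponseType.INVALID_TOKEN, "", "Invalid access token.")).build();
        }
        builder.cacheControl(ServerUtil.cacheControlWithNoStoreTransformAndPrivate());
        builder.header(Constants.PRAGMA, Constants.NO_CACHE);
        builder.entity(getJSonResponse(authorizationGrant.getClient(), authorizationGrant.getScopes()));
    }
    return builder.build();
}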
Also used : Response(javax.ws.rs.core.Response) AbstractToken(io.jans.as.server.model.common.AbstractToken) AuthorizationGrant(io.jans.as.server.model.common.AuthorizationGrant)

Example 4 with AbstractToken

use of io.jans.as.server.model.common.AbstractToken in project jans by JanssenProject.

The class IntrospectionWebService, method fillResponse.

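/**
 * Populates an introspection response from the grant that owns the introspected token.
 *
 * <p>When the grant is null, or the grant does not hold {@code token} as an access token, the
 * response is left inactive and {@code null} is returned. Otherwise activity, expiry, issue
 * time, ACR values, scopes, client id, subject, username, issuer and audience are copied from
 * the token and grant. For an {@link AccessToken} the token type is added (defaulting to
 * {@code BEARER}) and, when the token is DPoP-bound, {@code nbf} and a {@code cnf.jkt} claim.
 *
 * @param token                     access token value being introspected
 * @param response                  response object to fill; mutated in place
 * @param grantOfIntrospectionToken grant resolved for {@code token}, or null when none was found
 * @return the token object that was introspected, or null when none could be resolved
 */
@Nullable
private AbstractToken fillResponse(String token, IntrospectionResponse response, AuthorizationGrant grantOfIntrospectionToken) {
    if (grantOfIntrospectionToken == null) {
        if (log.isDebugEnabled())
            log.debug("Failed to find grant for access_token: {}. Return 200 with active=false.", escapeLog(token));
        return null;
    }
    final AbstractToken tokenToIntrospect = grantOfIntrospectionToken.getAccessToken(token);
    if (tokenToIntrospect == null) {
        // The grant resolved but does not hold this value as an access token. Other call sites
        // null-check getAccessToken(); without this guard the isValid() call below would NPE and
        // turn an "unknown token" into a 500 instead of an inactive introspection result.
        log.debug("Grant found but access token object is missing. Return 200 with active=false.");
        response.setActive(false);
        return null;
    }
    response.setActive(tokenToIntrospect.isValid());
    response.setExpiresAt(ServerUtil.dateToSeconds(tokenToIntrospect.getExpirationDate()));
    response.setIssuedAt(ServerUtil.dateToSeconds(tokenToIntrospect.getCreationDate()));
    response.setAcrValues(grantOfIntrospectionToken.getAcrValues());
    // #433: scope must be present in the response even when the grant carries none.
    response.setScope(grantOfIntrospectionToken.getScopes() != null ? grantOfIntrospectionToken.getScopes() : Lists.newArrayList());
    response.setClientId(grantOfIntrospectionToken.getClientId());
    response.setSub(grantOfIntrospectionToken.getSub());
    response.setUsername(grantOfIntrospectionToken.getUserId());
    response.setIssuer(appConfiguration.getIssuer());
    response.setAudience(grantOfIntrospectionToken.getClientId());
    if (tokenToIntrospect instanceof AccessToken) {
        AccessToken accessToken = (AccessToken) tokenToIntrospect;
        response.setTokenType(accessToken.getTokenType() != null ? accessToken.getTokenType().getName() : io.jans.as.model.common.TokenType.BEARER.getName());
        // DPoP: expose the bound key thumbprint so resource servers can verify the proof.
        if (StringUtils.isNotBlank(accessToken.getDpop())) {
            response.setNotBefore(accessToken.getCreationDate().getTime());
            HashMap<String, String> cnf = new HashMap<>();
            cnf.put("jkt", accessToken.getDpop());
            response.setCnf(cnf);
        }
    }
    return tokenToIntrospect;
}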
Also used : AbstractToken(io.jans.as.server.model.common.AbstractToken) HashMap(java.util.HashMap) AccessToken(io.jans.as.server.model.common.AccessToken) Nullable(org.jetbrains.annotations.Nullable)

Example 5 with AbstractToken

use of io.jans.as.server.model.common.AbstractToken in project jans by JanssenProject.

The class SessionRestWebService, method validateToken.

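/**
 * Resolves and authorizes the access token presented to the session endpoint.
 *
 * <p>The token must be non-blank, resolve to a grant holding a valid access token, carry the
 * {@code openid} scope unless {@code getOpenidScopeBackwardCompatibility()} is enabled, and
 * carry {@code getActiveSessionAuthorizationScope()} when that scope is configured.
 *
 * <p>The token value is not logged; only which check failed is traced.
 *
 * @param accessToken bearer access token from the request
 * @return the grant that owns the token
 * @throws WebApplicationException 400 {@code INVALID_TOKEN} for a blank token, 401
 *                                 {@code INVALID_TOKEN} when no grant or valid token is found,
 *                                 403 {@code INSUFFICIENT_SCOPE} when a required scope is missing
 */
private AuthorizationGrant validateToken(String accessToken) {
    if (StringUtils.isBlank(accessToken)) {
        throw new WebApplicationException(response(Response.Status.BAD_REQUEST, INVALID_TOKEN));
    }
    AuthorizationGrant authorizationGrant = authorizationGrantList.getAuthorizationGrantByAccessToken(accessToken);
    if (authorizationGrant == null) {
        log.trace("Failed to find authorization grant by access_token.");
        throw new WebApplicationException(response(Response.Status.UNAUTHORIZED, INVALID_TOKEN));
    }
    final AbstractToken accessTokenObject = authorizationGrant.getAccessToken(accessToken);
    if (accessTokenObject == null || !accessTokenObject.isValid()) {
        // Inside this branch a non-null token is by definition invalid, so only nullness is informative.
        log.trace("Invalid access token object, isNull: {}", accessTokenObject == null);
        throw new WebApplicationException(response(Response.Status.UNAUTHORIZED, INVALID_TOKEN));
    }
    // getScopes() is treated as possibly null elsewhere in the code base; an absent scope set
    // must deny rather than NPE.
    final Set<String> grantScopes = authorizationGrant.getScopes();
    final Set<String> scopes = grantScopes != null ? grantScopes : java.util.Collections.<String>emptySet();
    if (BooleanUtils.isFalse(appConfiguration.getOpenidScopeBackwardCompatibility()) && !scopes.contains(DefaultScope.OPEN_ID.toString())) {
        throw new WebApplicationException(response(Response.Status.FORBIDDEN, UserInfoErrorResponseType.INSUFFICIENT_SCOPE));
    }
    final String requiredScope = appConfiguration.getActiveSessionAuthorizationScope();
    if (StringUtils.isNotBlank(requiredScope) && !scopes.contains(requiredScope)) {
        log.trace("Required scope {} is not present.", requiredScope);
        throw new WebApplicationException(response(Response.Status.FORBIDDEN, UserInfoErrorResponseType.INSUFFICIENT_SCOPE));
    }
    return authorizationGrant;
}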
Also used : WebApplicationException(javax.ws.rs.WebApplicationException) AbstractToken(io.jans.as.server.model.common.AbstractToken) AuthorizationGrant(io.jans.as.server.model.common.AuthorizationGrant)
