Example 1 with SessionClient
use of io.jans.as.server.model.session.SessionClient in project jans by JanssenProject.
the class DeviceAuthorizationRestWebServiceImpl method deviceAuthorization.
@Override
public Response deviceAuthorization(String clientId, String scope, HttpServletRequest httpRequest, HttpServletResponse httpResponse, SecurityContext securityContext) {
// it may be encoded
scope = ServerUtil.urlDecode(scope);
OAuth2AuditLog oAuth2AuditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(httpRequest), Action.DEVICE_CODE_AUTHORIZATION);
oAuth2AuditLog.setClientId(clientId);
oAuth2AuditLog.setScope(scope);
try {
log.debug("Attempting to request device codes: clientId = {}, scope = {}", clientId, scope);
errorResponseFactory.validateComponentEnabled(ComponentType.DEVICE_AUTHZ);
SessionClient sessionClient = identity.getSessionClient();
Client client = sessionClient != null ? sessionClient.getClient() : null;
if (client == null) {
client = clientService.getClient(clientId);
if (!clientService.isPublic(client)) {
log.trace("Client is not public and not authenticated. Skip device authorization, clientId: {}", clientId);
throw errorResponseFactory.createWebApplicationException(Response.Status.UNAUTHORIZED, INVALID_CLIENT, "");
}
}
if (client == null) {
log.trace("Client is not unknown. Skip revoking.");
throw errorResponseFactory.createWebApplicationException(Response.Status.UNAUTHORIZED, INVALID_CLIENT, "");
}
if (!deviceAuthorizationService.hasDeviceCodeCompatibility(client)) {
throw errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, INVALID_GRANT, "");
}
List<String> scopes = new ArrayList<>();
if (StringHelper.isNotEmpty(scope)) {
Set<String> grantedScopes = scopeChecker.checkScopesPolicy(client, scope);
scopes.addAll(grantedScopes);
}
// Entropy 20^8 which is suggested in the RFC8628 section 6.1
String userCode = StringUtils.generateRandomReadableCode((byte) 8);
// Entropy 160 bits which is over userCode entropy based on RFC8628 section 5.2
String deviceCode = StringUtils.generateRandomCode((byte) 24);
URI verificationUri = UriBuilder.fromUri(appConfiguration.getIssuer()).path("device-code").build();
int expiresIn = appConfiguration.getDeviceAuthzRequestExpiresIn();
int interval = appConfiguration.getDeviceAuthzTokenPollInterval();
long lastAccess = System.currentTimeMillis();
DeviceAuthorizationStatus status = DeviceAuthorizationStatus.PENDING;
DeviceAuthorizationCacheControl deviceAuthorizationCacheControl = new DeviceAuthorizationCacheControl(userCode, deviceCode, client, scopes, verificationUri, expiresIn, interval, lastAccess, status);
deviceAuthorizationService.saveInCache(deviceAuthorizationCacheControl, true, true);
log.info("Device authorization flow initiated, userCode: {}, deviceCode: {}, clientId: {}, verificationUri: {}, expiresIn: {}, interval: {}", userCode, deviceCode, clientId, verificationUri, expiresIn, interval);
applicationAuditLogger.sendMessage(oAuth2AuditLog);
return Response.ok().entity(getResponseJSONObject(deviceAuthorizationCacheControl).toString(4).replace("\\/", "/")).type(MediaType.APPLICATION_JSON_TYPE).build();
} catch (WebApplicationException wae) {
throw wae;
} catch (Exception e) {
log.error("Problems processing device authorization init flow, clientId: {}, scope: {}", clientId, scope, e);
return Response.status(Response.Status.INTERNAL_SERVER_ERROR).build();
}
}
Also used :
DeviceAuthorizationCacheControl(io.jans.as.server.model.common.DeviceAuthorizationCacheControl)
WebApplicationException(javax.ws.rs.WebApplicationException)
SessionClient(io.jans.as.server.model.session.SessionClient)
OAuth2AuditLog(io.jans.as.server.model.audit.OAuth2AuditLog)
ArrayList(java.util.ArrayList)
URI(java.net.URI)
VERIFICATION_URI(io.jans.as.model.authorize.DeviceAuthorizationResponseParam.VERIFICATION_URI)
JSONException(org.json.JSONException)
WebApplicationException(javax.ws.rs.WebApplicationException)
DeviceAuthorizationStatus(io.jans.as.server.model.common.DeviceAuthorizationStatus)
Client(io.jans.as.common.model.registration.Client)
SessionClient(io.jans.as.server.model.session.SessionClient)
Example 2 with SessionClient
use of io.jans.as.server.model.session.SessionClient in project jans by JanssenProject.
the class BackchannelAuthorizeRestWebServiceImpl method requestBackchannelAuthorizationPost.
@Override
public Response requestBackchannelAuthorizationPost(String clientId, String scope, String clientNotificationToken, String acrValues, String loginHintToken, String idTokenHint, String loginHint, String bindingMessage, String userCodeParam, Integer requestedExpiry, String request, String requestUri, HttpServletRequest httpRequest, HttpServletResponse httpResponse, SecurityContext securityContext) {
// it may be encoded
scope = ServerUtil.urlDecode(scope);
OAuth2AuditLog oAuth2AuditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(httpRequest), Action.BACKCHANNEL_AUTHENTICATION);
oAuth2AuditLog.setClientId(clientId);
oAuth2AuditLog.setScope(scope);
// ATTENTION : please do not add more parameter in this debug method because it will not work with Seam 2.2.2.Final,
// there is limit of 10 parameters (hardcoded), see: org.jboss.seam.core.Interpolator#interpolate
log.debug("Attempting to request backchannel authorization: " + "clientId = {}, scope = {}, clientNotificationToken = {}, acrValues = {}, loginHintToken = {}, " + "idTokenHint = {}, loginHint = {}, bindingMessage = {}, userCodeParam = {}, requestedExpiry = {}, " + "request= {}", clientId, scope, clientNotificationToken, acrValues, loginHintToken, idTokenHint, loginHint, bindingMessage, userCodeParam, requestedExpiry, request);
log.debug("Attempting to request backchannel authorization: " + "isSecure = {}", securityContext.isSecure());
errorResponseFactory.validateComponentEnabled(ComponentType.CIBA);
Response.ResponseBuilder builder = Response.ok();
SessionClient sessionClient = identity.getSessionClient();
Client client = null;
if (sessionClient != null) {
client = sessionClient.getClient();
}
if (client == null) {
// 401
builder = Response.status(Response.Status.UNAUTHORIZED.getStatusCode());
builder.entity(errorResponseFactory.getErrorAsJson(INVALID_CLIENT));
return builder.build();
}
if (!cibaRequestService.hasCibaCompatibility(client)) {
// 401
builder = Response.status(Response.Status.BAD_REQUEST.getStatusCode());
builder.entity(errorResponseFactory.getErrorAsJson(INVALID_REQUEST));
return builder.build();
}
List<String> scopes = new ArrayList<>();
if (StringHelper.isNotEmpty(scope)) {
Set<String> grantedScopes = scopeChecker.checkScopesPolicy(client, scope);
scopes.addAll(grantedScopes);
}
JwtAuthorizationRequest jwtRequest = null;
if (StringUtils.isNotBlank(request) || StringUtils.isNotBlank(requestUri)) {
jwtRequest = JwtAuthorizationRequest.createJwtRequest(request, requestUri, client, null, cryptoProvider, appConfiguration);
if (jwtRequest == null) {
log.error("The JWT couldn't be processed");
// 400
builder = Response.status(Response.Status.BAD_REQUEST.getStatusCode());
builder.entity(errorResponseFactory.getErrorAsJson(INVALID_REQUEST));
throw new WebApplicationException(builder.build());
}
authorizeRestWebServiceValidator.validateCibaRequestObject(jwtRequest, client.getClientId());
// JWT wins
if (!jwtRequest.getScopes().isEmpty()) {
scopes.addAll(scopeChecker.checkScopesPolicy(client, jwtRequest.getScopes()));
}
if (StringUtils.isNotBlank(jwtRequest.getClientNotificationToken())) {
clientNotificationToken = jwtRequest.getClientNotificationToken();
}
if (StringUtils.isNotBlank(jwtRequest.getAcrValues())) {
acrValues = jwtRequest.getAcrValues();
}
if (StringUtils.isNotBlank(jwtRequest.getLoginHintToken())) {
loginHintToken = jwtRequest.getLoginHintToken();
}
if (StringUtils.isNotBlank(jwtRequest.getIdTokenHint())) {
idTokenHint = jwtRequest.getIdTokenHint();
}
if (StringUtils.isNotBlank(jwtRequest.getLoginHint())) {
loginHint = jwtRequest.getLoginHint();
}
if (StringUtils.isNotBlank(jwtRequest.getBindingMessage())) {
bindingMessage = jwtRequest.getBindingMessage();
}
if (StringUtils.isNotBlank(jwtRequest.getUserCode())) {
userCodeParam = jwtRequest.getUserCode();
}
if (jwtRequest.getRequestedExpiry() != null) {
requestedExpiry = jwtRequest.getRequestedExpiry();
} else if (jwtRequest.getExp() != null) {
requestedExpiry = Math.toIntExact(jwtRequest.getExp() - System.currentTimeMillis() / 1000);
}
}
if (appConfiguration.isFapi() && jwtRequest == null) {
// 400
builder = Response.status(Response.Status.BAD_REQUEST.getStatusCode());
builder.entity(errorResponseFactory.getErrorAsJson(INVALID_REQUEST));
return builder.build();
}
User user = null;
try {
if (Strings.isNotBlank(loginHint)) {
// login_hint
user = userService.getUniqueUserByAttributes(appConfiguration.getBackchannelLoginHintClaims(), loginHint);
} else if (Strings.isNotBlank(idTokenHint)) {
// id_token_hint
AuthorizationGrant authorizationGrant = authorizationGrantList.getAuthorizationGrantByIdToken(idTokenHint);
if (authorizationGrant == null) {
// 400
builder = Response.status(Response.Status.BAD_REQUEST.getStatusCode());
builder.entity(errorResponseFactory.getErrorAsJson(UNKNOWN_USER_ID));
return builder.build();
}
user = authorizationGrant.getUser();
}
if (Strings.isNotBlank(loginHintToken)) {
// login_hint_token
Jwt jwt = Jwt.parse(loginHintToken);
SignatureAlgorithm algorithm = jwt.getHeader().getSignatureAlgorithm();
String keyId = jwt.getHeader().getKeyId();
if (algorithm == null || Strings.isBlank(keyId)) {
// 400
builder = Response.status(Response.Status.BAD_REQUEST.getStatusCode());
builder.entity(errorResponseFactory.getErrorAsJson(UNKNOWN_USER_ID));
return builder.build();
}
boolean validSignature = false;
if (algorithm.getFamily() == AlgorithmFamily.RSA) {
RSAPublicKey publicKey = JwkClient.getRSAPublicKey(client.getJwksUri(), keyId);
RSASigner rsaSigner = new RSASigner(algorithm, publicKey);
validSignature = rsaSigner.validate(jwt);
} else if (algorithm.getFamily() == AlgorithmFamily.EC) {
ECDSAPublicKey publicKey = JwkClient.getECDSAPublicKey(client.getJwksUri(), keyId);
ECDSASigner ecdsaSigner = new ECDSASigner(algorithm, publicKey);
validSignature = ecdsaSigner.validate(jwt);
}
if (!validSignature) {
// 400
builder = Response.status(Response.Status.BAD_REQUEST.getStatusCode());
builder.entity(errorResponseFactory.getErrorAsJson(UNKNOWN_USER_ID));
return builder.build();
}
JSONObject subject = jwt.getClaims().getClaimAsJSON("subject");
if (subject == null || !subject.has("subject_type") || !subject.has(subject.getString("subject_type"))) {
// 400
builder = Response.status(Response.Status.BAD_REQUEST.getStatusCode());
builder.entity(errorResponseFactory.getErrorAsJson(UNKNOWN_USER_ID));
return builder.build();
}
String subjectTypeKey = subject.getString("subject_type");
String subjectTypeValue = subject.getString(subjectTypeKey);
user = userService.getUniqueUserByAttributes(appConfiguration.getBackchannelLoginHintClaims(), subjectTypeValue);
}
} catch (InvalidJwtException e) {
log.error(e.getMessage(), e);
} catch (JSONException e) {
log.error(e.getMessage(), e);
}
if (user == null) {
// 400
builder = Response.status(Response.Status.BAD_REQUEST.getStatusCode());
builder.entity(errorResponseFactory.getErrorAsJson(UNKNOWN_USER_ID));
return builder.build();
}
try {
String userCode = (String) user.getAttribute("jansBackchannelUsrCode", true, false);
DefaultErrorResponse cibaAuthorizeParamsValidation = cibaAuthorizeParamsValidatorService.validateParams(scopes, clientNotificationToken, client.getBackchannelTokenDeliveryMode(), loginHintToken, idTokenHint, loginHint, bindingMessage, client.getBackchannelUserCodeParameter(), userCodeParam, userCode, requestedExpiry);
if (cibaAuthorizeParamsValidation != null) {
builder = Response.status(cibaAuthorizeParamsValidation.getStatus());
builder.entity(errorResponseFactory.errorAsJson(cibaAuthorizeParamsValidation.getType(), cibaAuthorizeParamsValidation.getReason()));
return builder.build();
}
String deviceRegistrationToken = (String) user.getAttribute("jansBackchannelDeviceRegistrationTkn", true, false);
if (deviceRegistrationToken == null) {
// 401
builder = Response.status(Response.Status.UNAUTHORIZED.getStatusCode());
builder.entity(errorResponseFactory.getErrorAsJson(UNAUTHORIZED_END_USER_DEVICE));
return builder.build();
}
int expiresIn = requestedExpiry != null ? requestedExpiry : appConfiguration.getBackchannelAuthenticationResponseExpiresIn();
Integer interval = client.getBackchannelTokenDeliveryMode() == BackchannelTokenDeliveryMode.PUSH ? null : appConfiguration.getBackchannelAuthenticationResponseInterval();
long currentTime = new Date().getTime();
CibaRequestCacheControl cibaRequestCacheControl = new CibaRequestCacheControl(user, client, expiresIn, scopes, clientNotificationToken, bindingMessage, currentTime, acrValues);
cibaRequestService.save(cibaRequestCacheControl, expiresIn);
String authReqId = cibaRequestCacheControl.getAuthReqId();
// Notify End-User to obtain Consent/Authorization
cibaEndUserNotificationService.notifyEndUser(cibaRequestCacheControl.getScopesAsString(), cibaRequestCacheControl.getAcrValues(), authReqId, deviceRegistrationToken);
builder.entity(getJSONObject(authReqId, expiresIn, interval).toString(4).replace("\\/", "/"));
builder.type(MediaType.APPLICATION_JSON_TYPE);
builder.cacheControl(ServerUtil.cacheControl(true, false));
} catch (JSONException e) {
builder = Response.status(400);
builder.entity(errorResponseFactory.getErrorAsJson(INVALID_REQUEST));
log.error(e.getMessage(), e);
} catch (InvalidClaimException e) {
builder = Response.status(400);
builder.entity(errorResponseFactory.getErrorAsJson(INVALID_REQUEST));
log.error(e.getMessage(), e);
}
applicationAuditLogger.sendMessage(oAuth2AuditLog);
return builder.build();
}
Also used :
InvalidJwtException(io.jans.as.model.exception.InvalidJwtException)
User(io.jans.as.common.model.common.User)
WebApplicationException(javax.ws.rs.WebApplicationException)
SessionClient(io.jans.as.server.model.session.SessionClient)
OAuth2AuditLog(io.jans.as.server.model.audit.OAuth2AuditLog)
ArrayList(java.util.ArrayList)
CibaRequestCacheControl(io.jans.as.server.model.common.CibaRequestCacheControl)
SignatureAlgorithm(io.jans.as.model.crypto.signature.SignatureAlgorithm)
InvalidClaimException(io.jans.as.model.exception.InvalidClaimException)
RSAPublicKey(io.jans.as.model.crypto.signature.RSAPublicKey)
RSASigner(io.jans.as.model.jws.RSASigner)
JwtAuthorizationRequest(io.jans.as.server.model.authorize.JwtAuthorizationRequest)
JwkClient(io.jans.as.client.JwkClient)
Client(io.jans.as.common.model.registration.Client)
SessionClient(io.jans.as.server.model.session.SessionClient)
DefaultErrorResponse(io.jans.as.model.error.DefaultErrorResponse)
AuthorizationGrant(io.jans.as.server.model.common.AuthorizationGrant)
ECDSAPublicKey(io.jans.as.model.crypto.signature.ECDSAPublicKey)
ECDSASigner(io.jans.as.model.jws.ECDSASigner)
Jwt(io.jans.as.model.jwt.Jwt)
JSONException(org.json.JSONException)
Date(java.util.Date)
Response(javax.ws.rs.core.Response)
DefaultErrorResponse(io.jans.as.model.error.DefaultErrorResponse)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
JSONObject(org.json.JSONObject)
Example 3 with SessionClient
use of io.jans.as.server.model.session.SessionClient in project jans by JanssenProject.
the class RevokeSessionRestWebService method validateAccess.
private void validateAccess() {
SessionClient sessionClient = identity.getSessionClient();
if (sessionClient == null || sessionClient.getClient() == null || ArrayUtils.isEmpty(sessionClient.getClient().getScopes())) {
log.debug("Client failed to authenticate.");
throw new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED.getStatusCode()).entity(errorResponseFactory.getErrorAsJson(EndSessionErrorResponseType.INVALID_REQUEST)).build());
}
List<String> scopesAllowedIds = scopeService.getScopeIdsByDns(Arrays.asList(sessionClient.getClient().getScopes()));
if (!scopesAllowedIds.contains(Constants.REVOKE_SESSION_SCOPE)) {
log.debug("Client does not have required revoke_session scope.");
throw new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED.getStatusCode()).entity(errorResponseFactory.getErrorAsJson(EndSessionErrorResponseType.INVALID_REQUEST)).build());
}
}
Also used :
WebApplicationException(javax.ws.rs.WebApplicationException)
SessionClient(io.jans.as.server.model.session.SessionClient)
Example 4 with SessionClient
use of io.jans.as.server.model.session.SessionClient in project jans by JanssenProject.
the class AuthenticationService method configureSessionClient.
public void configureSessionClient(Client client) {
SessionClient sessionClient = new SessionClient();
sessionClient.setClient(client);
identity.setSessionClient(sessionClient);
clientService.updateAccessTime(client, true);
}
Also used :
SessionClient(io.jans.as.server.model.session.SessionClient)
Example 5 with SessionClient
use of io.jans.as.server.model.session.SessionClient in project jans by JanssenProject.
the class TokenRestWebServiceImpl method requestAccessToken.
@Override
public Response requestAccessToken(String grantType, String code, String redirectUri, String username, String password, String scope, String assertion, String refreshToken, String clientId, String clientSecret, String codeVerifier, String ticket, String claimToken, String claimTokenFormat, String pctCode, String rptCode, String authReqId, String deviceCode, HttpServletRequest request, HttpServletResponse response, SecurityContext sec) {
log.debug("Attempting to request access token: grantType = {}, code = {}, redirectUri = {}, username = {}, refreshToken = {}, " + "clientId = {}, ExtraParams = {}, isSecure = {}, codeVerifier = {}, ticket = {}", grantType, code, redirectUri, username, refreshToken, clientId, request.getParameterMap(), sec.isSecure(), codeVerifier, ticket);
boolean isUma = StringUtils.isNotBlank(ticket);
if (isUma) {
return umaTokenService.requestRpt(grantType, ticket, claimToken, claimTokenFormat, pctCode, rptCode, scope, request, response);
}
OAuth2AuditLog oAuth2AuditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(request), Action.TOKEN_REQUEST);
oAuth2AuditLog.setClientId(clientId);
oAuth2AuditLog.setUsername(username);
oAuth2AuditLog.setScope(scope);
String tokenBindingHeader = request.getHeader("Sec-Token-Binding");
// it may be encoded in uma case
scope = ServerUtil.urlDecode(scope);
ResponseBuilder builder = Response.ok();
String dpopStr;
try {
dpopStr = runDPoP(request);
} catch (InvalidJwtException | JWKException | NoSuchAlgorithmException | NoSuchProviderException e) {
return response(error(400, TokenErrorResponseType.INVALID_DPOP_PROOF, e.getMessage()), oAuth2AuditLog);
}
try {
log.debug("Starting to validate request parameters");
if (!TokenParamsValidator.validateParams(grantType, code, redirectUri, username, password, scope, assertion, refreshToken)) {
log.trace("Failed to validate request parameters");
return response(error(400, TokenErrorResponseType.INVALID_REQUEST, "Failed to validate request parameters"), oAuth2AuditLog);
}
GrantType gt = GrantType.fromString(grantType);
log.debug("Grant type: '{}'", gt);
SessionClient sessionClient = identity.getSessionClient();
Client client = null;
if (sessionClient != null) {
client = sessionClient.getClient();
log.debug("Get sessionClient: '{}'", sessionClient);
}
if (client == null) {
return response(error(401, TokenErrorResponseType.INVALID_GRANT, "Unable to find client."), oAuth2AuditLog);
}
log.debug("Get client from session: '{}'", client.getClientId());
if (client.isDisabled()) {
return response(error(Response.Status.FORBIDDEN.getStatusCode(), TokenErrorResponseType.DISABLED_CLIENT, "Client is disabled."), oAuth2AuditLog);
}
final Function<JsonWebResponse, Void> idTokenTokingBindingPreprocessing = TokenBindingMessage.createIdTokenTokingBindingPreprocessing(tokenBindingHeader, // for all except authorization code grant
client.getIdTokenTokenBindingCnf());
final SessionId sessionIdObj = sessionIdService.getSessionId(request);
final Function<JsonWebResponse, Void> idTokenPreProcessing = JwrService.wrapWithSidFunction(idTokenTokingBindingPreprocessing, sessionIdObj != null ? sessionIdObj.getOutsideSid() : null);
final ExecutionContext executionContext = new ExecutionContext(request, response);
executionContext.setCertAsPem(request.getHeader(X_CLIENTCERT));
executionContext.setDpop(dpopStr);
executionContext.setClient(client);
executionContext.setDpop(dpopStr);
executionContext.setAppConfiguration(appConfiguration);
executionContext.setAttributeService(attributeService);
if (gt == GrantType.AUTHORIZATION_CODE) {
if (!TokenParamsValidator.validateGrantType(gt, client.getGrantTypes(), appConfiguration.getGrantTypesSupported())) {
return response(error(400, TokenErrorResponseType.INVALID_GRANT, null), oAuth2AuditLog);
}
log.debug("Attempting to find authorizationCodeGrant by clientId: '{}', code: '{}'", client.getClientId(), code);
final AuthorizationCodeGrant authorizationCodeGrant = authorizationGrantList.getAuthorizationCodeGrant(code);
log.trace("AuthorizationCodeGrant : '{}'", authorizationCodeGrant);
if (authorizationCodeGrant == null) {
log.debug("AuthorizationCodeGrant is empty by clientId: '{}', code: '{}'", client.getClientId(), code);
// if authorization code is not found then code was already used or wrong client provided = remove all grants with this auth code
grantService.removeAllByAuthorizationCode(code);
return response(error(400, TokenErrorResponseType.INVALID_GRANT, "Unable to find grant object for given code."), oAuth2AuditLog);
}
if (!client.getClientId().equals(authorizationCodeGrant.getClientId())) {
log.debug("AuthorizationCodeGrant is found but belongs to another client. Grant's clientId: '{}', code: '{}'", authorizationCodeGrant.getClientId(), code);
// if authorization code is not found then code was already used or wrong client provided = remove all grants with this auth code
grantService.removeAllByAuthorizationCode(code);
return response(error(400, TokenErrorResponseType.INVALID_GRANT, "Client mismatch."), oAuth2AuditLog);
}
validatePKCE(authorizationCodeGrant, codeVerifier, oAuth2AuditLog);
authorizationCodeGrant.setIsCachedWithNoPersistence(false);
authorizationCodeGrant.save();
RefreshToken reToken = createRefreshToken(request, client, scope, authorizationCodeGrant, dpopStr);
scope = authorizationCodeGrant.checkScopesPolicy(scope);
executionContext.setGrant(authorizationCodeGrant);
// create token after scopes are checked
AccessToken accToken = authorizationCodeGrant.createAccessToken(executionContext);
IdToken idToken = null;
if (authorizationCodeGrant.getScopes().contains(OPENID)) {
String nonce = authorizationCodeGrant.getNonce();
boolean includeIdTokenClaims = Boolean.TRUE.equals(appConfiguration.getLegacyIdTokenClaims());
final String idTokenTokenBindingCnf = client.getIdTokenTokenBindingCnf();
Function<JsonWebResponse, Void> authorizationCodePreProcessing = jsonWebResponse -> {
if (StringUtils.isNotBlank(idTokenTokenBindingCnf) && StringUtils.isNotBlank(authorizationCodeGrant.getTokenBindingHash())) {
TokenBindingMessage.setCnfClaim(jsonWebResponse, authorizationCodeGrant.getTokenBindingHash(), idTokenTokenBindingCnf);
}
return null;
};
ExternalUpdateTokenContext context = new ExternalUpdateTokenContext(request, authorizationCodeGrant, client, appConfiguration, attributeService);
executionContext.setIncludeIdTokenClaims(includeIdTokenClaims);
executionContext.setPreProcessing(JwrService.wrapWithSidFunction(authorizationCodePreProcessing, sessionIdObj != null ? sessionIdObj.getOutsideSid() : null));
executionContext.setPostProcessor(externalUpdateTokenService.buildModifyIdTokenProcessor(context));
idToken = authorizationCodeGrant.createIdToken(nonce, authorizationCodeGrant.getAuthorizationCode(), accToken, null, null, executionContext);
}
oAuth2AuditLog.updateOAuth2AuditLog(authorizationCodeGrant, true);
grantService.removeAuthorizationCode(authorizationCodeGrant.getAuthorizationCode().getCode());
final String entity = getJSonResponse(accToken, accToken.getTokenType(), accToken.getExpiresIn(), reToken, scope, idToken);
return response(Response.ok().entity(entity), oAuth2AuditLog);
}
if (gt == GrantType.REFRESH_TOKEN) {
if (!TokenParamsValidator.validateGrantType(gt, client.getGrantTypes(), appConfiguration.getGrantTypesSupported())) {
return response(error(400, TokenErrorResponseType.INVALID_GRANT, "grant_type does not belong to client."), oAuth2AuditLog);
}
AuthorizationGrant authorizationGrant = authorizationGrantList.getAuthorizationGrantByRefreshToken(client.getClientId(), refreshToken);
if (authorizationGrant == null) {
log.trace("Grant object is not found by refresh token.");
return response(error(400, TokenErrorResponseType.INVALID_GRANT, "Unable to find grant object by refresh token or otherwise token type or client does not match."), oAuth2AuditLog);
}
final RefreshToken refreshTokenObject = authorizationGrant.getRefreshToken(refreshToken);
if (refreshTokenObject == null || !refreshTokenObject.isValid()) {
log.trace("Invalid refresh token.");
return response(error(400, TokenErrorResponseType.INVALID_GRANT, "Unable to find refresh token or otherwise token type or client does not match."), oAuth2AuditLog);
}
executionContext.setGrant(authorizationGrant);
// The authorization server MAY issue a new refresh token, in which case
// the client MUST discard the old refresh token and replace it with the new refresh token.
RefreshToken reToken = null;
if (isFalse(appConfiguration.getSkipRefreshTokenDuringRefreshing())) {
if (isTrue(appConfiguration.getRefreshTokenExtendLifetimeOnRotation())) {
// extend lifetime
reToken = createRefreshToken(request, client, scope, authorizationGrant, dpopStr);
} else {
log.trace("Create refresh token with fixed (not extended) lifetime taken from previous refresh token.");
// do not extend lifetime
reToken = authorizationGrant.createRefreshToken(executionContext, refreshTokenObject.getExpirationDate());
}
}
scope = authorizationGrant.checkScopesPolicy(scope);
// create token after scopes are checked
AccessToken accToken = authorizationGrant.createAccessToken(executionContext);
IdToken idToken = null;
if (isTrue(appConfiguration.getOpenidScopeBackwardCompatibility()) && authorizationGrant.getScopes().contains(OPENID)) {
boolean includeIdTokenClaims = Boolean.TRUE.equals(appConfiguration.getLegacyIdTokenClaims());
ExternalUpdateTokenContext context = new ExternalUpdateTokenContext(request, authorizationGrant, client, appConfiguration, attributeService);
context.setExecutionContext(executionContext);
executionContext.setIncludeIdTokenClaims(includeIdTokenClaims);
executionContext.setPreProcessing(idTokenPreProcessing);
executionContext.setPostProcessor(externalUpdateTokenService.buildModifyIdTokenProcessor(context));
idToken = authorizationGrant.createIdToken(null, null, accToken, null, null, executionContext);
}
if (reToken != null && refreshToken != null) {
// remove refresh token after access token and id_token is created.
grantService.removeByCode(refreshToken);
}
builder.entity(getJSonResponse(accToken, accToken.getTokenType(), accToken.getExpiresIn(), reToken, scope, idToken));
oAuth2AuditLog.updateOAuth2AuditLog(authorizationGrant, true);
} else if (gt == GrantType.CLIENT_CREDENTIALS) {
if (!TokenParamsValidator.validateGrantType(gt, client.getGrantTypes(), appConfiguration.getGrantTypesSupported())) {
return response(error(400, TokenErrorResponseType.INVALID_GRANT, "grant_type is not present in client."), oAuth2AuditLog);
}
ClientCredentialsGrant clientCredentialsGrant = authorizationGrantList.createClientCredentialsGrant(new User(), client);
scope = clientCredentialsGrant.checkScopesPolicy(scope);
executionContext.setGrant(clientCredentialsGrant);
// create token after scopes are checked
AccessToken accessToken = clientCredentialsGrant.createAccessToken(executionContext);
IdToken idToken = null;
if (isTrue(appConfiguration.getOpenidScopeBackwardCompatibility()) && clientCredentialsGrant.getScopes().contains(OPENID)) {
boolean includeIdTokenClaims = Boolean.TRUE.equals(appConfiguration.getLegacyIdTokenClaims());
ExternalUpdateTokenContext context = new ExternalUpdateTokenContext(request, clientCredentialsGrant, client, appConfiguration, attributeService);
executionContext.setIncludeIdTokenClaims(includeIdTokenClaims);
executionContext.setPreProcessing(idTokenPreProcessing);
executionContext.setPostProcessor(externalUpdateTokenService.buildModifyIdTokenProcessor(context));
idToken = clientCredentialsGrant.createIdToken(null, null, null, null, null, executionContext);
}
oAuth2AuditLog.updateOAuth2AuditLog(clientCredentialsGrant, true);
builder.entity(getJSonResponse(accessToken, accessToken.getTokenType(), accessToken.getExpiresIn(), null, scope, idToken));
} else if (gt == GrantType.RESOURCE_OWNER_PASSWORD_CREDENTIALS) {
if (!TokenParamsValidator.validateGrantType(gt, client.getGrantTypes(), appConfiguration.getGrantTypesSupported())) {
return response(error(400, TokenErrorResponseType.INVALID_GRANT, "grant_type is not present in client."), oAuth2AuditLog);
}
boolean authenticated = false;
User user = null;
if (authenticationFilterService.isEnabled()) {
String userDn = authenticationFilterService.processAuthenticationFilters(request.getParameterMap());
if (StringHelper.isNotEmpty(userDn)) {
user = userService.getUserByDn(userDn);
authenticated = true;
}
}
if (!authenticated) {
if (externalResourceOwnerPasswordCredentialsService.isEnabled()) {
final ExternalResourceOwnerPasswordCredentialsContext context = new ExternalResourceOwnerPasswordCredentialsContext(executionContext);
context.setUser(user);
if (externalResourceOwnerPasswordCredentialsService.executeExternalAuthenticate(context)) {
log.trace("RO PC - User is authenticated successfully by external script.");
user = context.getUser();
}
} else {
try {
authenticated = authenticationService.authenticate(username, password);
if (authenticated) {
user = authenticationService.getAuthenticatedUser();
}
} catch (AuthenticationException ex) {
log.trace("Failed to authenticate user ", new RuntimeException("User name or password is invalid"));
}
}
}
if (user != null) {
ResourceOwnerPasswordCredentialsGrant resourceOwnerPasswordCredentialsGrant = authorizationGrantList.createResourceOwnerPasswordCredentialsGrant(user, client);
SessionId sessionId = identity.getSessionId();
if (sessionId != null) {
resourceOwnerPasswordCredentialsGrant.setAcrValues(OxConstants.SCRIPT_TYPE_INTERNAL_RESERVED_NAME);
resourceOwnerPasswordCredentialsGrant.setSessionDn(sessionId.getDn());
// call save after object modification!!!
resourceOwnerPasswordCredentialsGrant.save();
sessionId.getSessionAttributes().put(Constants.AUTHORIZED_GRANT, gt.getValue());
boolean updateResult = sessionIdService.updateSessionId(sessionId, false, true, true);
if (!updateResult) {
log.debug("Failed to update session entry: '{}'", sessionId.getId());
}
}
RefreshToken reToken = createRefreshToken(request, client, scope, resourceOwnerPasswordCredentialsGrant, null);
scope = resourceOwnerPasswordCredentialsGrant.checkScopesPolicy(scope);
executionContext.setGrant(resourceOwnerPasswordCredentialsGrant);
// create token after scopes are checked
AccessToken accessToken = resourceOwnerPasswordCredentialsGrant.createAccessToken(executionContext);
IdToken idToken = null;
if (isTrue(appConfiguration.getOpenidScopeBackwardCompatibility()) && resourceOwnerPasswordCredentialsGrant.getScopes().contains("openid")) {
boolean includeIdTokenClaims = Boolean.TRUE.equals(appConfiguration.getLegacyIdTokenClaims());
ExternalUpdateTokenContext context = new ExternalUpdateTokenContext(request, resourceOwnerPasswordCredentialsGrant, client, appConfiguration, attributeService);
context.setExecutionContext(executionContext);
executionContext.setIncludeIdTokenClaims(includeIdTokenClaims);
executionContext.setPreProcessing(idTokenPreProcessing);
executionContext.setPostProcessor(externalUpdateTokenService.buildModifyIdTokenProcessor(context));
idToken = resourceOwnerPasswordCredentialsGrant.createIdToken(null, null, null, null, null, executionContext);
}
oAuth2AuditLog.updateOAuth2AuditLog(resourceOwnerPasswordCredentialsGrant, true);
builder.entity(getJSonResponse(accessToken, accessToken.getTokenType(), accessToken.getExpiresIn(), reToken, scope, idToken));
} else {
log.debug("Invalid user", new RuntimeException("User is empty"));
builder = error(401, TokenErrorResponseType.INVALID_CLIENT, "Invalid user.");
}
} else if (gt == GrantType.CIBA) {
errorResponseFactory.validateComponentEnabled(ComponentType.CIBA);
if (!TokenParamsValidator.validateGrantType(gt, client.getGrantTypes(), appConfiguration.getGrantTypesSupported())) {
return response(error(400, TokenErrorResponseType.INVALID_GRANT, "Grant types are invalid."), oAuth2AuditLog);
}
log.debug("Attempting to find authorizationGrant by authReqId: '{}'", authReqId);
final CIBAGrant cibaGrant = authorizationGrantList.getCIBAGrant(authReqId);
executionContext.setGrant(cibaGrant);
log.trace("AuthorizationGrant : '{}'", cibaGrant);
if (cibaGrant != null) {
if (!cibaGrant.getClientId().equals(client.getClientId())) {
builder = error(400, TokenErrorResponseType.INVALID_GRANT, REASON_CLIENT_NOT_AUTHORIZED);
return response(builder, oAuth2AuditLog);
}
if (cibaGrant.getClient().getBackchannelTokenDeliveryMode() == BackchannelTokenDeliveryMode.PING || cibaGrant.getClient().getBackchannelTokenDeliveryMode() == BackchannelTokenDeliveryMode.POLL) {
if (!cibaGrant.isTokensDelivered()) {
RefreshToken refToken = createRefreshToken(request, client, scope, cibaGrant, null);
AccessToken accessToken = cibaGrant.createAccessToken(executionContext);
ExternalUpdateTokenContext context = new ExternalUpdateTokenContext(request, cibaGrant, client, appConfiguration, attributeService);
context.setExecutionContext(executionContext);
executionContext.setIncludeIdTokenClaims(false);
executionContext.setPreProcessing(idTokenPreProcessing);
executionContext.setPostProcessor(externalUpdateTokenService.buildModifyIdTokenProcessor(context));
IdToken idToken = cibaGrant.createIdToken(null, null, accessToken, refToken, null, executionContext);
cibaGrant.setTokensDelivered(true);
cibaGrant.save();
RefreshToken reToken = null;
if (isRefreshTokenAllowed(client, scope, cibaGrant)) {
reToken = refToken;
}
scope = cibaGrant.checkScopesPolicy(scope);
builder.entity(getJSonResponse(accessToken, accessToken.getTokenType(), accessToken.getExpiresIn(), reToken, scope, idToken));
oAuth2AuditLog.updateOAuth2AuditLog(cibaGrant, true);
} else {
builder = error(400, TokenErrorResponseType.INVALID_GRANT, "AuthReqId is no longer available.");
}
} else {
log.debug("Client is not using Poll flow authReqId: '{}'", authReqId);
builder = error(400, TokenErrorResponseType.UNAUTHORIZED_CLIENT, "The client is not authorized as it is configured in Push Mode");
}
} else {
final CibaRequestCacheControl cibaRequest = cibaRequestService.getCibaRequest(authReqId);
log.trace("Ciba request : '{}'", cibaRequest);
if (cibaRequest != null) {
if (!cibaRequest.getClient().getClientId().equals(client.getClientId())) {
builder = error(400, TokenErrorResponseType.INVALID_GRANT, REASON_CLIENT_NOT_AUTHORIZED);
return response(builder, oAuth2AuditLog);
}
long currentTime = new Date().getTime();
Long lastAccess = cibaRequest.getLastAccessControl();
if (lastAccess == null) {
lastAccess = currentTime;
}
cibaRequest.setLastAccessControl(currentTime);
cibaRequestService.update(cibaRequest);
if (cibaRequest.getStatus() == CibaRequestStatus.PENDING) {
int intervalSeconds = appConfiguration.getBackchannelAuthenticationResponseInterval();
long timeFromLastAccess = currentTime - lastAccess;
if (timeFromLastAccess > intervalSeconds * 1000) {
log.debug("Access hasn't been granted yet for authReqId: '{}'", authReqId);
builder = error(400, TokenErrorResponseType.AUTHORIZATION_PENDING, "User hasn't answered yet");
} else {
log.debug("Slow down protection authReqId: '{}'", authReqId);
builder = error(400, TokenErrorResponseType.SLOW_DOWN, "Client is asking too fast the token.");
}
} else if (cibaRequest.getStatus() == CibaRequestStatus.DENIED) {
log.debug("The end-user denied the authorization request for authReqId: '{}'", authReqId);
builder = error(400, TokenErrorResponseType.ACCESS_DENIED, "The end-user denied the authorization request.");
} else if (cibaRequest.getStatus() == CibaRequestStatus.EXPIRED) {
log.debug("The authentication request has expired for authReqId: '{}'", authReqId);
builder = error(400, TokenErrorResponseType.EXPIRED_TOKEN, "The authentication request has expired");
}
} else {
log.debug("AuthorizationGrant is empty by authReqId: '{}'", authReqId);
builder = error(400, TokenErrorResponseType.EXPIRED_TOKEN, "Unable to find grant object for given auth_req_id.");
}
}
} else if (gt == GrantType.DEVICE_CODE) {
return processDeviceCodeGrantType(gt, client, deviceCode, scope, request, response, oAuth2AuditLog);
}
} catch (WebApplicationException e) {
throw e;
} catch (Exception e) {
builder = Response.status(500);
log.error(e.getMessage(), e);
}
return response(builder, oAuth2AuditLog);
}
Also used :
InvalidJwtException(io.jans.as.model.exception.InvalidJwtException)
TokenErrorResponseType(io.jans.as.model.token.TokenErrorResponseType)
StringUtils(org.apache.commons.lang.StringUtils)
Arrays(java.util.Arrays)
DeviceAuthorizationStatus(io.jans.as.server.model.common.DeviceAuthorizationStatus)
AbstractAuthorizationGrant(io.jans.as.server.model.common.AbstractAuthorizationGrant)
ExternalUpdateTokenService(io.jans.as.server.service.external.ExternalUpdateTokenService)
Date(java.util.Date)
Path(javax.ws.rs.Path)
SecurityContext(javax.ws.rs.core.SecurityContext)
Identity(io.jans.as.server.security.Identity)
SessionId(io.jans.as.server.model.common.SessionId)
ResourceOwnerPasswordCredentialsGrant(io.jans.as.server.model.common.ResourceOwnerPasswordCredentialsGrant)
DeviceCodeGrant(io.jans.as.server.model.common.DeviceCodeGrant)
ExternalUpdateTokenContext(io.jans.as.server.service.external.context.ExternalUpdateTokenContext)
ExecutionContext(io.jans.as.server.model.common.ExecutionContext)
Action(io.jans.as.server.model.audit.Action)
CIBAGrant(io.jans.as.server.model.common.CIBAGrant)
BooleanUtils.isTrue(org.apache.commons.lang.BooleanUtils.isTrue)
DeviceAuthorizationService(io.jans.as.server.service.DeviceAuthorizationService)
JSONException(org.json.JSONException)
MediaType(javax.ws.rs.core.MediaType)
IdToken(io.jans.as.server.model.common.IdToken)
JSONObject(org.json.JSONObject)
InvalidJwtException(io.jans.as.model.exception.InvalidJwtException)
StringHelper(io.jans.util.StringHelper)
JSONWebKey(io.jans.as.model.jwk.JSONWebKey)
UmaTokenService(io.jans.as.server.uma.service.UmaTokenService)
OPENID(io.jans.as.model.config.Constants.OPENID)
CibaRequestCacheControl(io.jans.as.server.model.common.CibaRequestCacheControl)
OxConstants(io.jans.util.OxConstants)
TokenParamsValidator(io.jans.as.server.model.token.TokenParamsValidator)
JsonWebResponse(io.jans.as.model.token.JsonWebResponse)
SessionIdService(io.jans.as.server.service.SessionIdService)
TokenRequestParam(io.jans.as.model.token.TokenRequestParam)
Client(io.jans.as.common.model.registration.Client)
Nullable(org.jetbrains.annotations.Nullable)
Jwt(io.jans.as.model.jwt.Jwt)
Response(javax.ws.rs.core.Response)
ServerUtil(io.jans.as.server.util.ServerUtil)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
ComponentType(io.jans.as.model.common.ComponentType)
AuthenticationService(io.jans.as.server.service.AuthenticationService)
TokenBindingMessage(io.jans.as.model.crypto.binding.TokenBindingMessage)
WebApplicationException(javax.ws.rs.WebApplicationException)
SessionClient(io.jans.as.server.model.session.SessionClient)
ExternalResourceOwnerPasswordCredentialsContext(io.jans.as.server.service.external.context.ExternalResourceOwnerPasswordCredentialsContext)
NotNull(org.jetbrains.annotations.NotNull)
RefreshToken(io.jans.as.server.model.common.RefreshToken)
BackchannelTokenDeliveryMode(io.jans.as.model.common.BackchannelTokenDeliveryMode)
AttributeService(io.jans.as.common.service.AttributeService)
AuthenticationFilterService(io.jans.as.server.service.AuthenticationFilterService)
ClientCredentialsGrant(io.jans.as.server.model.common.ClientCredentialsGrant)
GrantService(io.jans.as.server.service.GrantService)
Function(java.util.function.Function)
Inject(javax.inject.Inject)
Strings(com.google.common.base.Strings)
REASON_CLIENT_NOT_AUTHORIZED(io.jans.as.model.config.Constants.REASON_CLIENT_NOT_AUTHORIZED)
DeviceAuthorizationCacheControl(io.jans.as.server.model.common.DeviceAuthorizationCacheControl)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
ApplicationAuditLogger(io.jans.as.server.audit.ApplicationAuditLogger)
User(io.jans.as.common.model.common.User)
UserService(io.jans.as.server.service.UserService)
Constants(io.jans.as.server.model.config.Constants)
ResponseBuilder(javax.ws.rs.core.Response.ResponseBuilder)
ExternalResourceOwnerPasswordCredentialsService(io.jans.as.server.service.external.ExternalResourceOwnerPasswordCredentialsService)
OAuth2AuditLog(io.jans.as.server.model.audit.OAuth2AuditLog)
AuthorizationGrantList(io.jans.as.server.model.common.AuthorizationGrantList)
AccessToken(io.jans.as.server.model.common.AccessToken)
CodeVerifier(io.jans.as.model.authorize.CodeVerifier)
Logger(org.slf4j.Logger)
X_CLIENTCERT(io.jans.as.model.config.Constants.X_CLIENTCERT)
ErrorResponseFactory(io.jans.as.model.error.ErrorResponseFactory)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
JWKException(com.nimbusds.jose.jwk.JWKException)
BooleanUtils.isFalse(org.apache.commons.lang.BooleanUtils.isFalse)
AppConfiguration(io.jans.as.model.configuration.AppConfiguration)
CibaRequestService(io.jans.as.server.service.ciba.CibaRequestService)
CibaRequestStatus(io.jans.as.server.model.common.CibaRequestStatus)
JwrService(io.jans.as.server.model.token.JwrService)
ScopeConstants(io.jans.as.model.common.ScopeConstants)
AuthenticationException(io.jans.orm.exception.AuthenticationException)
AuthorizationCodeGrant(io.jans.as.server.model.common.AuthorizationCodeGrant)
GrantType(io.jans.as.model.common.GrantType)
TokenType(io.jans.as.model.common.TokenType)
AuthorizationGrant(io.jans.as.server.model.common.AuthorizationGrant)
NoSuchProviderException(java.security.NoSuchProviderException)
User(io.jans.as.common.model.common.User)
WebApplicationException(javax.ws.rs.WebApplicationException)
SessionClient(io.jans.as.server.model.session.SessionClient)
AuthenticationException(io.jans.orm.exception.AuthenticationException)
OAuth2AuditLog(io.jans.as.server.model.audit.OAuth2AuditLog)
CibaRequestCacheControl(io.jans.as.server.model.common.CibaRequestCacheControl)
JWKException(com.nimbusds.jose.jwk.JWKException)
ResourceOwnerPasswordCredentialsGrant(io.jans.as.server.model.common.ResourceOwnerPasswordCredentialsGrant)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
RefreshToken(io.jans.as.server.model.common.RefreshToken)
AccessToken(io.jans.as.server.model.common.AccessToken)
ClientCredentialsGrant(io.jans.as.server.model.common.ClientCredentialsGrant)
ResponseBuilder(javax.ws.rs.core.Response.ResponseBuilder)
Client(io.jans.as.common.model.registration.Client)
SessionClient(io.jans.as.server.model.session.SessionClient)
SessionId(io.jans.as.server.model.common.SessionId)
AbstractAuthorizationGrant(io.jans.as.server.model.common.AbstractAuthorizationGrant)
AuthorizationGrant(io.jans.as.server.model.common.AuthorizationGrant)
IdToken(io.jans.as.server.model.common.IdToken)
JsonWebResponse(io.jans.as.model.token.JsonWebResponse)
ExternalResourceOwnerPasswordCredentialsContext(io.jans.as.server.service.external.context.ExternalResourceOwnerPasswordCredentialsContext)
GrantType(io.jans.as.model.common.GrantType)
Date(java.util.Date)
JSONException(org.json.JSONException)
InvalidJwtException(io.jans.as.model.exception.InvalidJwtException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
WebApplicationException(javax.ws.rs.WebApplicationException)
JWKException(com.nimbusds.jose.jwk.JWKException)
AuthenticationException(io.jans.orm.exception.AuthenticationException)
NoSuchProviderException(java.security.NoSuchProviderException)
ExecutionContext(io.jans.as.server.model.common.ExecutionContext)
ExternalUpdateTokenContext(io.jans.as.server.service.external.context.ExternalUpdateTokenContext)
AuthorizationCodeGrant(io.jans.as.server.model.common.AuthorizationCodeGrant)
CIBAGrant(io.jans.as.server.model.common.CIBAGrant)
NoSuchProviderException(java.security.NoSuchProviderException)
Aggregations
SessionClient (io.jans.as.server.model.session.SessionClient)6
WebApplicationException (javax.ws.rs.WebApplicationException)5
Client (io.jans.as.common.model.registration.Client)4
OAuth2AuditLog (io.jans.as.server.model.audit.OAuth2AuditLog)4
HttpServletResponse (javax.servlet.http.HttpServletResponse)3
Response (javax.ws.rs.core.Response)3
User (io.jans.as.common.model.common.User)2
InvalidJwtException (io.jans.as.model.exception.InvalidJwtException)2
Jwt (io.jans.as.model.jwt.Jwt)2
AuthorizationGrant (io.jans.as.server.model.common.AuthorizationGrant)2
CibaRequestCacheControl (io.jans.as.server.model.common.CibaRequestCacheControl)2
ExecutionContext (io.jans.as.server.model.common.ExecutionContext)2
ArrayList (java.util.ArrayList)2
JSONException (org.json.JSONException)2
Strings (com.google.common.base.Strings)1
JWKException (com.nimbusds.jose.jwk.JWKException)1
JwkClient (io.jans.as.client.JwkClient)1
AttributeService (io.jans.as.common.service.AttributeService)1
CodeVerifier (io.jans.as.model.authorize.CodeVerifier)1
VERIFICATION_URI (io.jans.as.model.authorize.DeviceAuthorizationResponseParam.VERIFICATION_URI)1
