
Example 1 with ExternalUpdateTokenContext

Use of io.jans.as.server.service.external.context.ExternalUpdateTokenContext in project jans by JanssenProject.

The class TokenRestWebServiceImpl, method createRefreshToken.

/**
 * Issues a refresh token for the given grant, or {@code null} when refresh tokens are not
 * permitted for this client/scope/grant combination.
 * <p>
 * The lifetime is taken from the external update-token script when it returns a positive
 * number of seconds; otherwise the grant's default lifetime is used.
 *
 * @param request the current HTTP request
 * @param client  the client the token is issued to
 * @param scope   the requested scope string
 * @param grant   the authorization grant the refresh token belongs to
 * @param dpop    DPoP proof header value, may be {@code null}
 * @return the new refresh token, or {@code null} if refresh tokens are not allowed
 */
@Nullable
private RefreshToken createRefreshToken(@NotNull HttpServletRequest request, @NotNull Client client, @NotNull String scope, @NotNull AuthorizationGrant grant, String dpop) {
    if (!isRefreshTokenAllowed(client, scope, grant)) {
        return null;
    }
    final ExecutionContext tokenContext = newRefreshTokenExecutionContext(request, client, grant, dpop);
    final ExternalUpdateTokenContext scriptContext = new ExternalUpdateTokenContext(request, grant, client, appConfiguration, attributeService);
    // A positive value from the script overrides the grant's default lifetime.
    final int scriptLifetimeSeconds = externalUpdateTokenService.getRefreshTokenLifetimeInSeconds(scriptContext);
    return scriptLifetimeSeconds > 0
            ? grant.createRefreshToken(tokenContext, scriptLifetimeSeconds)
            : grant.createRefreshToken(tokenContext);
}

/** Builds the execution context used when minting a refresh token (no response object is attached). */
private ExecutionContext newRefreshTokenExecutionContext(HttpServletRequest request, Client client, AuthorizationGrant grant, String dpop) {
    final ExecutionContext tokenContext = new ExecutionContext(request, null);
    tokenContext.setGrant(grant);
    tokenContext.setClient(client);
    tokenContext.setAttributeService(attributeService);
    tokenContext.setAppConfiguration(appConfiguration);
    tokenContext.setDpop(dpop);
    return tokenContext;
}
Also used : ExecutionContext(io.jans.as.server.model.common.ExecutionContext) ExternalUpdateTokenContext(io.jans.as.server.service.external.context.ExternalUpdateTokenContext) Nullable(org.jetbrains.annotations.Nullable)

Example 2 with ExternalUpdateTokenContext

Use of io.jans.as.server.service.external.context.ExternalUpdateTokenContext in project jans by JanssenProject.

The class TokenRestWebServiceImpl, method processDeviceCodeGrantType.

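/**
 * Processes token request for device code grant type.
 * <p>
 * If the device code has already been approved (a {@link DeviceCodeGrant} exists for it) the
 * access, refresh and id tokens are issued and the grant is removed. Otherwise the pending
 * device authorization is looked up in the cache and an error describing its state
 * (authorization_pending / slow_down / access_denied / expired_token) is thrown.
 *
 * @param grantType      Grant type used, should be device code.
 * @param client         Client in process.
 * @param deviceCode     Device code generated in device authn request.
 * @param scope          Scope registered in device authn request.
 * @param request        HttpServletRequest
 * @param response       HttpServletResponse
 * @param oAuth2AuditLog OAuth2AuditLog
 * @return the token response for an approved device code, or an {@code invalid_grant} error
 *         response when the grant type is not allowed for the client / server
 * @throws WebApplicationException when the device code belongs to another client, or when the
 *                                 authorization is still pending, polled too fast, denied or expired
 */
private Response processDeviceCodeGrantType(final GrantType grantType, final Client client, final String deviceCode, String scope, final HttpServletRequest request, final HttpServletResponse response, final OAuth2AuditLog oAuth2AuditLog) {
    if (!TokenParamsValidator.validateGrantType(grantType, client.getGrantTypes(), appConfiguration.getGrantTypesSupported())) {
        return response(error(400, TokenErrorResponseType.INVALID_GRANT, "Grant types are invalid."), oAuth2AuditLog);
    }
    log.debug("Attempting to find authorizationGrant by deviceCode: '{}'", deviceCode);
    final DeviceCodeGrant deviceCodeGrant = authorizationGrantList.getDeviceCodeGrant(deviceCode);
    log.trace("DeviceCodeGrant : '{}'", deviceCodeGrant);
    if (deviceCodeGrant != null) {
        return issueTokensForDeviceCodeGrant(deviceCodeGrant, client, scope, request, response, oAuth2AuditLog);
    }
    // No grant yet: report the state of the pending device authorization (always an error).
    throw pendingDeviceAuthorizationError(deviceCode, client, oAuth2AuditLog);
}

/**
 * Issues the tokens for an approved device code grant and removes the grant so the code cannot
 * be redeemed twice.
 *
 * @throws WebApplicationException if the grant was created for a different client
 */
private Response issueTokensForDeviceCodeGrant(final DeviceCodeGrant deviceCodeGrant, final Client client, final String scope, final HttpServletRequest request, final HttpServletResponse response, final OAuth2AuditLog oAuth2AuditLog) {
    // The device code is bound to the client that started the flow; refuse redemption by any other client.
    if (!deviceCodeGrant.getClientId().equals(client.getClientId())) {
        throw new WebApplicationException(response(error(400, TokenErrorResponseType.INVALID_GRANT, REASON_CLIENT_NOT_AUTHORIZED), oAuth2AuditLog));
    }
    // May be null when refresh tokens are not allowed for this client/scope/grant.
    final RefreshToken refToken = createRefreshToken(request, client, scope, deviceCodeGrant, null);
    final ExecutionContext executionContext = new ExecutionContext(request, response);
    executionContext.setGrant(deviceCodeGrant);
    executionContext.setCertAsPem(request.getHeader(X_CLIENTCERT));
    executionContext.setClient(client);
    executionContext.setAppConfiguration(appConfiguration);
    executionContext.setAttributeService(attributeService);
    final AccessToken accessToken = deviceCodeGrant.createAccessToken(executionContext);
    // The external update-token script gets a chance to modify the id token before it is issued.
    final ExternalUpdateTokenContext context = new ExternalUpdateTokenContext(request, deviceCodeGrant, client, appConfiguration, attributeService);
    context.setExecutionContext(executionContext);
    executionContext.setIncludeIdTokenClaims(false);
    executionContext.setPreProcessing(null);
    executionContext.setPostProcessor(externalUpdateTokenService.buildModifyIdTokenProcessor(context));
    final IdToken idToken = deviceCodeGrant.createIdToken(null, null, accessToken, refToken, null, executionContext);
    deviceCodeGrant.checkScopesPolicy(scope);
    log.info("Device authorization in token endpoint processed and return to the client, device_code: {}", deviceCodeGrant.getDeviceCode());
    oAuth2AuditLog.updateOAuth2AuditLog(deviceCodeGrant, true);
    // One-time use: drop the grant once the tokens have been minted.
    grantService.removeByCode(deviceCodeGrant.getDeviceCode());
    return Response.ok().entity(getJSonResponse(accessToken, accessToken.getTokenType(), accessToken.getExpiresIn(), refToken, scope, idToken)).build();
}

/**
 * Builds the error to throw for a device code that has not been turned into a grant yet.
 * Updates the cache entry's last-access time as a side effect so that polling rate can be
 * enforced on the next request.
 *
 * @return the exception describing the current state; the caller throws it
 */
private WebApplicationException pendingDeviceAuthorizationError(final String deviceCode, final Client client, final OAuth2AuditLog oAuth2AuditLog) {
    final DeviceAuthorizationCacheControl cacheData = deviceAuthorizationService.getDeviceAuthzByDeviceCode(deviceCode);
    log.trace("DeviceAuthorizationCacheControl data : '{}'", cacheData);
    if (cacheData == null) {
        log.debug("The authentication request has expired for deviceCode: '{}'", deviceCode);
        return new WebApplicationException(response(error(400, TokenErrorResponseType.EXPIRED_TOKEN, "The authentication request has expired."), oAuth2AuditLog));
    }
    // Only the client that requested the device authorization may poll for it.
    if (!cacheData.getClient().getClientId().equals(client.getClientId())) {
        return new WebApplicationException(response(error(400, TokenErrorResponseType.INVALID_GRANT, REASON_CLIENT_NOT_AUTHORIZED), oAuth2AuditLog));
    }
    final long currentTime = System.currentTimeMillis();
    final Long storedLastAccess = cacheData.getLastAccessControl();
    // With no earlier access the delta below is 0, so the very first poll on a pending code reports slow_down.
    final long lastAccess = storedLastAccess == null ? currentTime : storedLastAccess;
    cacheData.setLastAccessControl(currentTime);
    deviceAuthorizationService.saveInCache(cacheData, true, true);
    if (cacheData.getStatus() == DeviceAuthorizationStatus.PENDING) {
        final int intervalSeconds = appConfiguration.getBackchannelAuthenticationResponseInterval();
        final long timeFromLastAccess = currentTime - lastAccess;
        // 1000L keeps the interval in long arithmetic; an int multiply could overflow for large configured intervals.
        if (timeFromLastAccess > intervalSeconds * 1000L) {
            log.debug("Access hasn't been granted yet for deviceCode: '{}'", deviceCode);
            return new WebApplicationException(response(error(400, TokenErrorResponseType.AUTHORIZATION_PENDING, "User hasn't answered yet"), oAuth2AuditLog));
        }
        log.debug("Slow down protection deviceCode: '{}'", deviceCode);
        return new WebApplicationException(response(error(400, TokenErrorResponseType.SLOW_DOWN, "Client is asking too fast the token."), oAuth2AuditLog));
    }
    if (cacheData.getStatus() == DeviceAuthorizationStatus.DENIED) {
        log.debug("The end-user denied the authorization request for deviceCode: '{}'", deviceCode);
        return new WebApplicationException(response(error(400, TokenErrorResponseType.ACCESS_DENIED, "The end-user denied the authorization request."), oAuth2AuditLog));
    }
    log.debug("The authentication request has expired for deviceCode: '{}'", deviceCode);
    return new WebApplicationException(response(error(400, TokenErrorResponseType.EXPIRED_TOKEN, "The authentication request has expired"), oAuth2AuditLog));
}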
Also used : IdToken(io.jans.as.server.model.common.IdToken) RefreshToken(io.jans.as.server.model.common.RefreshToken) ExecutionContext(io.jans.as.server.model.common.ExecutionContext) WebApplicationException(javax.ws.rs.WebApplicationException) ExternalUpdateTokenContext(io.jans.as.server.service.external.context.ExternalUpdateTokenContext) DeviceAuthorizationCacheControl(io.jans.as.server.model.common.DeviceAuthorizationCacheControl) AccessToken(io.jans.as.server.model.common.AccessToken) DeviceCodeGrant(io.jans.as.server.model.common.DeviceCodeGrant) Date(java.util.Date)

Example 3 with ExternalUpdateTokenContext

Use of io.jans.as.server.service.external.context.ExternalUpdateTokenContext in project jans by JanssenProject.

The class AuthorizeRestWebServiceImpl, method requestAuthorization.

private Response requestAuthorization(String scope, String responseType, String clientId, String redirectUri, String state, String respMode, String nonce, String display, String prompt, Integer maxAge, String uiLocalesStr, String idTokenHint, String loginHint, String acrValuesStr, String amrValuesStr, String request, String requestUri, String sessionId, String method, String originHeaders, String codeChallenge, String codeChallengeMethod, String customRespHeaders, String claims, String authReqId, HttpServletRequest httpRequest, HttpServletResponse httpResponse, SecurityContext securityContext) {
    // it may be encoded in uma case
    scope = ServerUtil.urlDecode(scope);
    String tokenBindingHeader = httpRequest.getHeader("Sec-Token-Binding");
    OAuth2AuditLog oAuth2AuditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(httpRequest), Action.USER_AUTHORIZATION);
    oAuth2AuditLog.setClientId(clientId);
    oAuth2AuditLog.setScope(scope);
    // ATTENTION : please do not add more parameter in this debug method because it will not work with Seam 2.2.2.Final ,
    // there is limit of 10 parameters (hardcoded), see: org.jboss.seam.core.Interpolator#interpolate
    log.debug("Attempting to request authorization: " + "responseType = {}, clientId = {}, scope = {}, redirectUri = {}, nonce = {}, " + "state = {}, request = {}, isSecure = {}, sessionId = {}", responseType, clientId, scope, redirectUri, nonce, state, request, securityContext.isSecure(), sessionId);
    log.debug("Attempting to request authorization: " + "acrValues = {}, amrValues = {}, originHeaders = {}, codeChallenge = {}, codeChallengeMethod = {}, " + "customRespHeaders = {}, claims = {}, tokenBindingHeader = {}", acrValuesStr, amrValuesStr, originHeaders, codeChallenge, codeChallengeMethod, customRespHeaders, claims, tokenBindingHeader);
    ResponseBuilder builder = null;
    Map<String, String> customParameters = requestParameterService.getCustomParameters(QueryStringDecoder.decode(httpRequest.getQueryString()));
    boolean isPar = Util.isPar(requestUri);
    if (!isPar && isTrue(appConfiguration.getRequirePar())) {
        log.debug("Server configured for PAR only (via requirePar conf property). Failed to find PAR by request_uri (id): {}", requestUri);
        throw new WebApplicationException(Response.status(Response.Status.BAD_REQUEST).entity(errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.INVALID_REQUEST, state, "Failed to find par by request_uri")).type(MediaType.APPLICATION_JSON_TYPE).build());
    }
    if (isPar) {
        final Par par = parService.getParAndValidateForAuthorizationRequest(requestUri, state, clientId);
        // set it to null, we don't want to follow request uri for PAR
        requestUri = null;
        // request is validated and parameters parsed by PAR endpoint before PAR persistence
        request = null;
        log.debug("Setting request parameters from PAR - {}", par);
        responseType = par.getAttributes().getResponseType();
        respMode = par.getAttributes().getResponseMode();
        scope = par.getAttributes().getScope();
        prompt = par.getAttributes().getPrompt();
        redirectUri = par.getAttributes().getRedirectUri();
        acrValuesStr = par.getAttributes().getAcrValuesStr();
        amrValuesStr = par.getAttributes().getAmrValuesStr();
        codeChallenge = par.getAttributes().getCodeChallenge();
        codeChallengeMethod = par.getAttributes().getCodeChallengeMethod();
        if (StringUtils.isNotBlank(par.getAttributes().getState())) {
            state = par.getAttributes().getState();
        } else {
            state = "";
        }
        if (StringUtils.isNotBlank(par.getAttributes().getNonce()))
            nonce = par.getAttributes().getNonce();
        if (StringUtils.isNotBlank(par.getAttributes().getSessionId()))
            sessionId = par.getAttributes().getSessionId();
        if (StringUtils.isNotBlank(par.getAttributes().getCustomResponseHeaders()))
            customRespHeaders = par.getAttributes().getCustomResponseHeaders();
        if (StringUtils.isNotBlank(par.getAttributes().getClaims()))
            claims = par.getAttributes().getClaims();
        if (StringUtils.isNotBlank(par.getAttributes().getOriginHeaders()))
            originHeaders = par.getAttributes().getOriginHeaders();
        if (StringUtils.isNotBlank(par.getAttributes().getUiLocales()))
            uiLocalesStr = par.getAttributes().getUiLocales();
        if (!par.getAttributes().getCustomParameters().isEmpty())
            customParameters.putAll(par.getAttributes().getCustomParameters());
    }
    List<String> uiLocales = Util.splittedStringAsList(uiLocalesStr, " ");
    List<ResponseType> responseTypes = ResponseType.fromString(responseType, " ");
    List<Prompt> prompts = Prompt.fromString(prompt, " ");
    List<String> acrValues = Util.splittedStringAsList(acrValuesStr, " ");
    List<String> amrValues = Util.splittedStringAsList(amrValuesStr, " ");
    ResponseMode responseMode = ResponseMode.getByValue(respMode);
    SessionId sessionUser = identity.getSessionId();
    User user = sessionIdService.getUser(sessionUser);
    try {
        Map<String, String> customResponseHeaders = Util.jsonObjectArrayStringAsMap(customRespHeaders);
        updateSessionForROPC(httpRequest, sessionUser);
        Client client = authorizeRestWebServiceValidator.validateClient(clientId, state, isPar);
        String deviceAuthzUserCode = deviceAuthorizationService.getUserCodeFromSession(httpRequest);
        redirectUri = authorizeRestWebServiceValidator.validateRedirectUri(client, redirectUri, state, deviceAuthzUserCode, httpRequest);
        // check after redirect uri is validated
        checkAcrChanged(acrValuesStr, prompts, sessionUser);
        RedirectUriResponse redirectUriResponse = new RedirectUriResponse(new RedirectUri(redirectUri, responseTypes, responseMode), state, httpRequest, errorResponseFactory);
        redirectUriResponse.setFapiCompatible(appConfiguration.isFapi());
        Set<String> scopes = scopeChecker.checkScopesPolicy(client, scope);
        JwtAuthorizationRequest jwtRequest = null;
        if (StringUtils.isNotBlank(request) || StringUtils.isNotBlank(requestUri)) {
            try {
                jwtRequest = JwtAuthorizationRequest.createJwtRequest(request, requestUri, client, redirectUriResponse, cryptoProvider, appConfiguration);
                if (jwtRequest == null) {
                    throw authorizeRestWebServiceValidator.createInvalidJwtRequestException(redirectUriResponse, "Failed to parse jwt.");
                }
                if (StringUtils.isNotBlank(jwtRequest.getState())) {
                    state = jwtRequest.getState();
                    redirectUriResponse.setState(state);
                }
                if (appConfiguration.isFapi() && StringUtils.isBlank(jwtRequest.getState())) {
                    // #1250 - FAPI : discard state if in JWT we don't have state
                    state = "";
                    redirectUriResponse.setState("");
                }
                if (jwtRequest.getRedirectUri() != null) {
                    redirectUriResponse.getRedirectUri().setBaseRedirectUri(jwtRequest.getRedirectUri());
                }
                // JWT wins
                if (!jwtRequest.getScopes().isEmpty()) {
                    if (!scopes.contains("openid")) {
                        // spec: Even if a scope parameter is present in the Request Object value, a scope parameter MUST always be passed using the OAuth 2.0 request syntax containing the openid scope value
                        throw new WebApplicationException(Response.status(Response.Status.BAD_REQUEST).entity(errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.INVALID_SCOPE, state, "scope parameter does not contain openid value which is required.")).build());
                    }
                    scopes = scopeChecker.checkScopesPolicy(client, Lists.newArrayList(jwtRequest.getScopes()));
                }
                if (jwtRequest.getRedirectUri() != null && !jwtRequest.getRedirectUri().equals(redirectUri)) {
                    throw authorizeRestWebServiceValidator.createInvalidJwtRequestException(redirectUriResponse, "The redirect_uri parameter is not the same in the JWT");
                }
                if (StringUtils.isNotBlank(jwtRequest.getNonce())) {
                    nonce = jwtRequest.getNonce();
                }
                if (StringUtils.isNotBlank(jwtRequest.getCodeChallenge())) {
                    codeChallenge = jwtRequest.getCodeChallenge();
                }
                if (StringUtils.isNotBlank(jwtRequest.getCodeChallengeMethod())) {
                    codeChallengeMethod = jwtRequest.getCodeChallengeMethod();
                }
                if (jwtRequest.getDisplay() != null && StringUtils.isNotBlank(jwtRequest.getDisplay().getParamName())) {
                    display = jwtRequest.getDisplay().getParamName();
                }
                if (!jwtRequest.getPrompts().isEmpty()) {
                    prompts = Lists.newArrayList(jwtRequest.getPrompts());
                }
                if (jwtRequest.getResponseMode() != null) {
                    responseMode = jwtRequest.getResponseMode();
                    redirectUriResponse.getRedirectUri().setResponseMode(responseMode);
                }
                final IdTokenMember idTokenMember = jwtRequest.getIdTokenMember();
                if (idTokenMember != null) {
                    if (idTokenMember.getMaxAge() != null) {
                        maxAge = idTokenMember.getMaxAge();
                    }
                    final Claim acrClaim = idTokenMember.getClaim(JwtClaimName.AUTHENTICATION_CONTEXT_CLASS_REFERENCE);
                    if (acrClaim != null && acrClaim.getClaimValue() != null) {
                        acrValuesStr = acrClaim.getClaimValue().getValueAsString();
                        acrValues = Util.splittedStringAsList(acrValuesStr, " ");
                    }
                    Claim userIdClaim = idTokenMember.getClaim(JwtClaimName.SUBJECT_IDENTIFIER);
                    if (userIdClaim != null && userIdClaim.getClaimValue() != null && userIdClaim.getClaimValue().getValue() != null) {
                        String userIdClaimValue = userIdClaim.getClaimValue().getValue();
                        if (user != null) {
                            String userId = user.getUserId();
                            if (!userId.equalsIgnoreCase(userIdClaimValue)) {
                                builder = redirectUriResponse.createErrorBuilder(AuthorizeErrorResponseType.USER_MISMATCHED);
                                applicationAuditLogger.sendMessage(oAuth2AuditLog);
                                return builder.build();
                            }
                        }
                    }
                }
                requestParameterService.getCustomParameters(jwtRequest, customParameters);
            } catch (WebApplicationException e) {
                JsonWebResponse jwr = parseRequestToJwr(request);
                if (jwr != null) {
                    // to handle Jans Issue#310
                    String checkForAlg = jwr.getClaims().getClaimAsString("alg");
                    if ("none".equals(checkForAlg)) {
                        throw new WebApplicationException(Response.status(Response.Status.BAD_REQUEST).entity(errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.INVALID_REQUEST_OBJECT, "", "The None algorithm in nested JWT is not allowed for FAPI")).type(MediaType.APPLICATION_JSON_TYPE).build());
                    }
                    responseMode = ResponseMode.getByValue(jwr.getClaims().getClaimAsString("response_mode"));
                    if (responseMode == ResponseMode.JWT) {
                        redirectUriResponse.getRedirectUri().setResponseMode(ResponseMode.JWT);
                        fillRedirectUriResponseforJARM(redirectUriResponse, jwr, client);
                        if (appConfiguration.isFapi()) {
                            authorizeRestWebServiceValidator.throwInvalidJwtRequestExceptionAsJwtMode(redirectUriResponse, "Invalid JWT authorization request", jwr.getClaims().getClaimAsString("state"), httpRequest);
                        }
                    }
                }
                throw e;
            } catch (Exception e) {
                log.error("Invalid JWT authorization request. Message : " + e.getMessage(), e);
                throw authorizeRestWebServiceValidator.createInvalidJwtRequestException(redirectUriResponse, "Invalid JWT authorization request");
            }
        }
        // JARM
        if (responseMode == ResponseMode.QUERY_JWT || responseMode == ResponseMode.FRAGMENT_JWT || responseMode == ResponseMode.JWT || responseMode == ResponseMode.FORM_POST_JWT) {
            JsonWebResponse jwe = parseRequestToJwr(request);
            fillRedirectUriResponseforJARM(redirectUriResponse, jwe, client);
        }
        // Validate JWT request object after JARM check, because we want to return errors well formatted (JSON/JWT).
        if (jwtRequest != null) {
            validateJwtRequest(clientId, state, httpRequest, responseTypes, redirectUriResponse, jwtRequest);
        }
        if (!cibaRequestService.hasCibaCompatibility(client) && !isPar) {
            if (appConfiguration.isFapi() && jwtRequest == null) {
                throw redirectUriResponse.createWebException(AuthorizeErrorResponseType.INVALID_REQUEST);
            }
            authorizeRestWebServiceValidator.validateRequestJwt(request, requestUri, redirectUriResponse);
        }
        authorizeRestWebServiceValidator.validate(responseTypes, prompts, nonce, state, redirectUri, httpRequest, client, responseMode);
        authorizeRestWebServiceValidator.validatePkce(codeChallenge, redirectUriResponse);
        if (CollectionUtils.isEmpty(acrValues) && !ArrayUtils.isEmpty(client.getDefaultAcrValues())) {
            acrValues = Lists.newArrayList(client.getDefaultAcrValues());
        }
        if (scopes.contains(ScopeConstants.OFFLINE_ACCESS) && !client.getTrustedClient()) {
            if (!responseTypes.contains(ResponseType.CODE)) {
                log.trace("Removed (ignored) offline_scope. Can't find `code` in response_type which is required.");
                scopes.remove(ScopeConstants.OFFLINE_ACCESS);
            }
            if (scopes.contains(ScopeConstants.OFFLINE_ACCESS) && !prompts.contains(Prompt.CONSENT)) {
                log.error("Removed offline_access. Can't find prompt=consent. Consent is required for offline_access.");
                scopes.remove(ScopeConstants.OFFLINE_ACCESS);
            }
        }
        final boolean isResponseTypeValid = AuthorizeParamsValidator.validateResponseTypes(responseTypes, client) && AuthorizeParamsValidator.validateGrantType(responseTypes, client.getGrantTypes(), appConfiguration);
        if (!isResponseTypeValid) {
            throw new WebApplicationException(Response.status(Response.Status.BAD_REQUEST).entity(errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.UNSUPPORTED_RESPONSE_TYPE, state, "")).build());
        }
        AuthorizationGrant authorizationGrant = null;
        if (user == null) {
            identity.logout();
            if (prompts.contains(Prompt.NONE)) {
                if (authenticationFilterService.isEnabled()) {
                    Map<String, String> params;
                    if (method.equals(HttpMethod.GET)) {
                        params = QueryStringDecoder.decode(httpRequest.getQueryString());
                    } else {
                        params = getGenericRequestMap(httpRequest);
                    }
                    String userDn = authenticationFilterService.processAuthenticationFilters(params);
                    if (userDn != null) {
                        Map<String, String> genericRequestMap = getGenericRequestMap(httpRequest);
                        Map<String, String> parameterMap = Maps.newHashMap(genericRequestMap);
                        Map<String, String> requestParameterMap = requestParameterService.getAllowedParameters(parameterMap);
                        sessionUser = sessionIdService.generateAuthenticatedSessionId(httpRequest, userDn, prompt);
                        sessionUser.setSessionAttributes(requestParameterMap);
                        cookieService.createSessionIdCookie(sessionUser, httpRequest, httpResponse, false);
                        sessionIdService.updateSessionId(sessionUser);
                        user = userService.getUserByDn(sessionUser.getUserDn());
                    } else {
                        builder = redirectUriResponse.createErrorBuilder(AuthorizeErrorResponseType.LOGIN_REQUIRED);
                        applicationAuditLogger.sendMessage(oAuth2AuditLog);
                        return builder.build();
                    }
                } else {
                    builder = redirectUriResponse.createErrorBuilder(AuthorizeErrorResponseType.LOGIN_REQUIRED);
                    applicationAuditLogger.sendMessage(oAuth2AuditLog);
                    return builder.build();
                }
            } else {
                if (prompts.contains(Prompt.LOGIN)) {
                    unauthenticateSession(sessionId, httpRequest);
                    sessionId = null;
                    prompts.remove(Prompt.LOGIN);
                }
                return redirectToAuthorizationPage(redirectUriResponse.getRedirectUri(), responseTypes, scope, clientId, redirectUri, state, responseMode, nonce, display, prompts, maxAge, uiLocales, idTokenHint, loginHint, acrValues, amrValues, request, requestUri, originHeaders, codeChallenge, codeChallengeMethod, sessionId, claims, authReqId, customParameters, oAuth2AuditLog, httpRequest);
            }
        }
        boolean validAuthenticationMaxAge = authorizeRestWebServiceValidator.validateAuthnMaxAge(maxAge, sessionUser, client);
        if (!validAuthenticationMaxAge) {
            unauthenticateSession(sessionId, httpRequest);
            sessionId = null;
            return redirectToAuthorizationPage(redirectUriResponse.getRedirectUri(), responseTypes, scope, clientId, redirectUri, state, responseMode, nonce, display, prompts, maxAge, uiLocales, idTokenHint, loginHint, acrValues, amrValues, request, requestUri, originHeaders, codeChallenge, codeChallengeMethod, sessionId, claims, authReqId, customParameters, oAuth2AuditLog, httpRequest);
        }
        oAuth2AuditLog.setUsername(user != null ? user.getUserId() : "");
        ExternalPostAuthnContext postAuthnContext = new ExternalPostAuthnContext(client, sessionUser, httpRequest, httpResponse);
        final boolean forceReAuthentication = externalPostAuthnService.externalForceReAuthentication(client, postAuthnContext);
        if (forceReAuthentication) {
            unauthenticateSession(sessionId, httpRequest);
            sessionId = null;
            return redirectToAuthorizationPage(redirectUriResponse.getRedirectUri(), responseTypes, scope, clientId, redirectUri, state, responseMode, nonce, display, prompts, maxAge, uiLocales, idTokenHint, loginHint, acrValues, amrValues, request, requestUri, originHeaders, codeChallenge, codeChallengeMethod, sessionId, claims, authReqId, customParameters, oAuth2AuditLog, httpRequest);
        }
        final boolean forceAuthorization = externalPostAuthnService.externalForceAuthorization(client, postAuthnContext);
        if (forceAuthorization) {
            return redirectToAuthorizationPage(redirectUriResponse.getRedirectUri(), responseTypes, scope, clientId, redirectUri, state, responseMode, nonce, display, prompts, maxAge, uiLocales, idTokenHint, loginHint, acrValues, amrValues, request, requestUri, originHeaders, codeChallenge, codeChallengeMethod, sessionId, claims, authReqId, customParameters, oAuth2AuditLog, httpRequest);
        }
        ClientAuthorization clientAuthorization = null;
        boolean clientAuthorizationFetched = false;
        if (!scopes.isEmpty()) {
            if (prompts.contains(Prompt.CONSENT)) {
                return redirectToAuthorizationPage(redirectUriResponse.getRedirectUri(), responseTypes, scope, clientId, redirectUri, state, responseMode, nonce, display, prompts, maxAge, uiLocales, idTokenHint, loginHint, acrValues, amrValues, request, requestUri, originHeaders, codeChallenge, codeChallengeMethod, sessionId, claims, authReqId, customParameters, oAuth2AuditLog, httpRequest);
            }
            // There is no need to present the consent page:
            // If Client is a Trusted Client.
            // If a client is configured for pairwise identifiers, and the openid scope is the only scope requested.
            // Also, we should make sure that the claims request is not enabled.
            final boolean isPairwiseWithOnlyOpenIdScope = client.getSubjectType() == SubjectType.PAIRWISE && scopes.size() == 1 && scopes.contains(DefaultScope.OPEN_ID.toString()) && claims == null && (jwtRequest == null || (jwtRequest.getUserInfoMember() == null && jwtRequest.getIdTokenMember() == null));
            if (client.getTrustedClient() || isPairwiseWithOnlyOpenIdScope) {
                sessionUser.addPermission(clientId, true);
                sessionIdService.updateSessionId(sessionUser);
            } else {
                clientAuthorization = clientAuthorizationsService.find(user.getAttribute("inum"), client.getClientId());
                clientAuthorizationFetched = true;
                if (clientAuthorization != null && clientAuthorization.getScopes() != null) {
                    if (log.isTraceEnabled())
                        log.trace("ClientAuthorization - scope: {}, dn: {}, requestedScope: {}", scope, clientAuthorization.getDn(), scopes);
                    if (Arrays.asList(clientAuthorization.getScopes()).containsAll(scopes)) {
                        sessionUser.addPermission(clientId, true);
                        sessionIdService.updateSessionId(sessionUser);
                    } else {
                        return redirectToAuthorizationPage(redirectUriResponse.getRedirectUri(), responseTypes, scope, clientId, redirectUri, state, responseMode, nonce, display, prompts, maxAge, uiLocales, idTokenHint, loginHint, acrValues, amrValues, request, requestUri, originHeaders, codeChallenge, codeChallengeMethod, sessionId, claims, authReqId, customParameters, oAuth2AuditLog, httpRequest);
                    }
                }
            }
        }
        if (identity != null && identity.getSessionId() != null && identity.getSessionId().getState() == SessionIdState.AUTHENTICATED && client != null && Boolean.TRUE.equals(client.getAttributes().getDefaultPromptLogin()) && identity.getSessionId().getAuthenticationTime() != null && new Date().getTime() - identity.getSessionId().getAuthenticationTime().getTime() > 200) {
            prompts.add(Prompt.LOGIN);
        }
        if (prompts.contains(Prompt.LOGIN)) {
            // workaround for #1030 - remove only authenticated session, for set up acr we set it unauthenticated and then drop in AuthorizeAction
            if (identity.getSessionId().getState() == SessionIdState.AUTHENTICATED) {
                unauthenticateSession(sessionId, httpRequest);
            }
            sessionId = null;
            prompts.remove(Prompt.LOGIN);
            return redirectToAuthorizationPage(redirectUriResponse.getRedirectUri(), responseTypes, scope, clientId, redirectUri, state, responseMode, nonce, display, prompts, maxAge, uiLocales, idTokenHint, loginHint, acrValues, amrValues, request, requestUri, originHeaders, codeChallenge, codeChallengeMethod, sessionId, claims, authReqId, customParameters, oAuth2AuditLog, httpRequest);
        }
        if (prompts.contains(Prompt.CONSENT) || !isTrue(sessionUser.isPermissionGrantedForClient(clientId))) {
            if (!clientAuthorizationFetched) {
                clientAuthorization = clientAuthorizationsService.find(user.getAttribute("inum"), client.getClientId());
            }
            clientAuthorizationsService.clearAuthorizations(clientAuthorization, client.getPersistClientAuthorizations());
            prompts.remove(Prompt.CONSENT);
            return redirectToAuthorizationPage(redirectUriResponse.getRedirectUri(), responseTypes, scope, clientId, redirectUri, state, responseMode, nonce, display, prompts, maxAge, uiLocales, idTokenHint, loginHint, acrValues, amrValues, request, requestUri, originHeaders, codeChallenge, codeChallengeMethod, sessionId, claims, authReqId, customParameters, oAuth2AuditLog, httpRequest);
        }
        if (prompts.contains(Prompt.SELECT_ACCOUNT)) {
            return redirectToSelectAccountPage(redirectUriResponse.getRedirectUri(), responseTypes, scope, clientId, redirectUri, state, responseMode, nonce, display, prompts, maxAge, uiLocales, idTokenHint, loginHint, acrValues, amrValues, request, requestUri, originHeaders, codeChallenge, codeChallengeMethod, sessionId, claims, authReqId, customParameters, oAuth2AuditLog, httpRequest);
        }
        AuthorizationCode authorizationCode = null;
        if (responseTypes.contains(ResponseType.CODE)) {
            authorizationGrant = authorizationGrantList.createAuthorizationCodeGrant(user, client, sessionUser.getAuthenticationTime());
            authorizationGrant.setNonce(nonce);
            authorizationGrant.setJwtAuthorizationRequest(jwtRequest);
            authorizationGrant.setTokenBindingHash(TokenBindingMessage.getTokenBindingIdHashFromTokenBindingMessage(tokenBindingHeader, client.getIdTokenTokenBindingCnf()));
            authorizationGrant.setScopes(scopes);
            authorizationGrant.setCodeChallenge(codeChallenge);
            authorizationGrant.setCodeChallengeMethod(codeChallengeMethod);
            authorizationGrant.setClaims(claims);
            // Store acr_values
            authorizationGrant.setAcrValues(getAcrForGrant(acrValuesStr, sessionUser));
            authorizationGrant.setSessionDn(sessionUser.getDn());
            // call save after object modification!!!
            authorizationGrant.save();
            authorizationCode = authorizationGrant.getAuthorizationCode();
            redirectUriResponse.getRedirectUri().addResponseParameter("code", authorizationCode.getCode());
        }
        AccessToken newAccessToken = null;
        if (responseTypes.contains(ResponseType.TOKEN)) {
            if (authorizationGrant == null) {
                authorizationGrant = authorizationGrantList.createImplicitGrant(user, client, sessionUser.getAuthenticationTime());
                authorizationGrant.setNonce(nonce);
                authorizationGrant.setJwtAuthorizationRequest(jwtRequest);
                authorizationGrant.setScopes(scopes);
                authorizationGrant.setClaims(claims);
                // Store acr_values
                authorizationGrant.setAcrValues(getAcrForGrant(acrValuesStr, sessionUser));
                authorizationGrant.setSessionDn(sessionUser.getDn());
                // call save after object modification!!!
                authorizationGrant.save();
            }
            final ExecutionContext executionContext = new ExecutionContext(httpRequest, httpResponse);
            executionContext.setCertAsPem(httpRequest.getHeader("X-ClientCert"));
            newAccessToken = authorizationGrant.createAccessToken(executionContext);
            redirectUriResponse.getRedirectUri().addResponseParameter(AuthorizeResponseParam.ACCESS_TOKEN, newAccessToken.getCode());
            redirectUriResponse.getRedirectUri().addResponseParameter(AuthorizeResponseParam.TOKEN_TYPE, newAccessToken.getTokenType().toString());
            redirectUriResponse.getRedirectUri().addResponseParameter(AuthorizeResponseParam.EXPIRES_IN, newAccessToken.getExpiresIn() + "");
        }
        if (responseTypes.contains(ResponseType.ID_TOKEN)) {
            boolean includeIdTokenClaims = Boolean.TRUE.equals(appConfiguration.getLegacyIdTokenClaims());
            if (authorizationGrant == null) {
                includeIdTokenClaims = true;
                authorizationGrant = authorizationGrantList.createImplicitGrant(user, client, sessionUser.getAuthenticationTime());
                authorizationGrant.setNonce(nonce);
                authorizationGrant.setJwtAuthorizationRequest(jwtRequest);
                authorizationGrant.setScopes(scopes);
                authorizationGrant.setClaims(claims);
                // Store authentication acr values
                authorizationGrant.setAcrValues(getAcrForGrant(acrValuesStr, sessionUser));
                authorizationGrant.setSessionDn(sessionUser.getDn());
                // call save after object modification, call is asynchronous!!!
                authorizationGrant.save();
            }
            ExternalUpdateTokenContext context = new ExternalUpdateTokenContext(httpRequest, authorizationGrant, client, appConfiguration, attributeService);
            final Function<JsonWebResponse, Void> preProcessor = JwrService.wrapWithSidFunction(TokenBindingMessage.createIdTokenTokingBindingPreprocessing(tokenBindingHeader, client.getIdTokenTokenBindingCnf()), sessionUser.getOutsideSid());
            Function<JsonWebResponse, Void> postProcessor = externalUpdateTokenService.buildModifyIdTokenProcessor(context);
            final ExecutionContext executionContext = context.toExecutionContext();
            executionContext.setPreProcessing(preProcessor);
            executionContext.setPostProcessor(postProcessor);
            executionContext.setIncludeIdTokenClaims(includeIdTokenClaims);
            executionContext.setGrant(authorizationGrant);
            IdToken idToken = authorizationGrant.createIdToken(nonce, authorizationCode, newAccessToken, null, state, executionContext);
            redirectUriResponse.getRedirectUri().addResponseParameter(AuthorizeResponseParam.ID_TOKEN, idToken.getCode());
        }
        if (authorizationGrant != null && StringHelper.isNotEmpty(acrValuesStr) && !appConfiguration.isFapi()) {
            redirectUriResponse.getRedirectUri().addResponseParameter(AuthorizeResponseParam.ACR_VALUES, acrValuesStr);
        }
        for (Map.Entry<String, String> customParam : requestParameterService.getCustomParameters(customParameters, true).entrySet()) {
            redirectUriResponse.getRedirectUri().addResponseParameter(customParam.getKey(), customParam.getValue());
        }
        if (sessionUser.getId() == null) {
            final SessionId newSessionUser = sessionIdService.generateAuthenticatedSessionId(httpRequest, sessionUser.getUserDn(), prompt);
            String newSessionId = newSessionUser.getId();
            sessionUser.setId(newSessionId);
            log.trace("newSessionId = {}", newSessionId);
        }
        if (!appConfiguration.isFapi() && isTrue(appConfiguration.getSessionIdRequestParameterEnabled())) {
            redirectUriResponse.getRedirectUri().addResponseParameter(AuthorizeResponseParam.SESSION_ID, sessionUser.getId());
        }
        if (isTrue(appConfiguration.getIncludeSidInResponse())) {
            // by defalut we do not include sid in response. It should be read by RP from id_token
            redirectUriResponse.getRedirectUri().addResponseParameter(AuthorizeResponseParam.SID, sessionUser.getOutsideSid());
        }
        redirectUriResponse.getRedirectUri().addResponseParameter(AuthorizeResponseParam.SESSION_STATE, sessionIdService.computeSessionState(sessionUser, clientId, redirectUri));
        redirectUriResponse.getRedirectUri().addResponseParameter(AuthorizeResponseParam.STATE, state);
        if (scope != null && !scope.isEmpty() && authorizationGrant != null && !appConfiguration.isFapi()) {
            scope = authorizationGrant.checkScopesPolicy(scope);
            redirectUriResponse.getRedirectUri().addResponseParameter(AuthorizeResponseParam.SCOPE, scope);
        }
        clientService.updateAccessTime(client, false);
        oAuth2AuditLog.setSuccess(true);
        builder = RedirectUtil.getRedirectResponseBuilder(redirectUriResponse.getRedirectUri(), httpRequest);
        if (isTrue(appConfiguration.getCustomHeadersWithAuthorizationResponse())) {
            for (Entry<String, String> entry : customResponseHeaders.entrySet()) {
                builder.header(entry.getKey(), entry.getValue());
            }
        }
        if (StringUtils.isNotBlank(authReqId)) {
            runCiba(authReqId, client, httpRequest, httpResponse);
        }
        if (StringUtils.isNotBlank(deviceAuthzUserCode)) {
            processDeviceAuthorization(deviceAuthzUserCode, user);
        }
    } catch (WebApplicationException e) {
        applicationAuditLogger.sendMessage(oAuth2AuditLog);
        if (log.isErrorEnabled())
            log.error(e.getMessage(), e);
        throw e;
    } catch (AcrChangedException e) {
        // Acr changed
        log.error("ACR is changed, please provide a supported and enabled acr value");
        log.error(e.getMessage(), e);
        RedirectUri redirectUriResponse = new RedirectUri(redirectUri, responseTypes, responseMode);
        redirectUriResponse.parseQueryString(errorResponseFactory.getErrorAsQueryString(AuthorizeErrorResponseType.SESSION_SELECTION_REQUIRED, state));
        redirectUriResponse.addResponseParameter("hint", "Use prompt=login in order to alter existing session.");
        applicationAuditLogger.sendMessage(oAuth2AuditLog);
        return RedirectUtil.getRedirectResponseBuilder(redirectUriResponse, httpRequest).build();
    } catch (EntryPersistenceException e) {
        // Invalid clientId
        builder = Response.status(Response.Status.UNAUTHORIZED.getStatusCode()).entity(errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.UNAUTHORIZED_CLIENT, state, "")).type(MediaType.APPLICATION_JSON_TYPE);
        log.error(e.getMessage(), e);
    } catch (InvalidRedirectUrlException e) {
        builder = Response.status(Response.Status.BAD_REQUEST.getStatusCode()).entity(errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.INVALID_REQUEST_REDIRECT_URI, state, "")).type(MediaType.APPLICATION_JSON_TYPE);
        log.error(e.getMessage(), e);
    } catch (InvalidSessionStateException ex) {
        // Allow to handle it via GlobalExceptionHandler
        throw ex;
    } catch (Exception e) {
        // 500
        builder = Response.status(Response.Status.INTERNAL_SERVER_ERROR.getStatusCode());
        log.error(e.getMessage(), e);
    }
    applicationAuditLogger.sendMessage(oAuth2AuditLog);
    return builder.build();
}
Also used : Par(io.jans.as.persistence.model.Par) InvalidRedirectUrlException(io.jans.as.server.model.exception.InvalidRedirectUrlException) User(io.jans.as.common.model.common.User) WebApplicationException(javax.ws.rs.WebApplicationException) OAuth2AuditLog(io.jans.as.server.model.audit.OAuth2AuditLog) EntryPersistenceException(io.jans.orm.exception.EntryPersistenceException) RedirectUri(io.jans.as.common.util.RedirectUri) InvalidSessionStateException(io.jans.as.server.model.exception.InvalidSessionStateException) AcrChangedException(io.jans.as.server.model.exception.AcrChangedException) ResponseBuilder(javax.ws.rs.core.Response.ResponseBuilder) Client(io.jans.as.common.model.registration.Client) JsonWebResponse(io.jans.as.model.token.JsonWebResponse) ClientAuthorization(io.jans.as.server.model.ldap.ClientAuthorization) ExternalPostAuthnContext(io.jans.as.server.service.external.context.ExternalPostAuthnContext) InvalidSessionStateException(io.jans.as.server.model.exception.InvalidSessionStateException) InvalidJwtException(io.jans.as.model.exception.InvalidJwtException) AcrChangedException(io.jans.as.server.model.exception.AcrChangedException) WebApplicationException(javax.ws.rs.WebApplicationException) InvalidRedirectUrlException(io.jans.as.server.model.exception.InvalidRedirectUrlException) EntryPersistenceException(io.jans.orm.exception.EntryPersistenceException) AuthorizeErrorResponseType(io.jans.as.model.authorize.AuthorizeErrorResponseType) ExternalUpdateTokenContext(io.jans.as.server.service.external.context.ExternalUpdateTokenContext)

Example 4 with ExternalUpdateTokenContext

use of io.jans.as.server.service.external.context.ExternalUpdateTokenContext in project jans by JanssenProject.

the class AuthorizeRestWebServiceImpl method runCiba.

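/**
 * Completes a CIBA (backchannel) authentication once the end user has responded to the
 * pending request identified by {@code authReqId}: the cached request is consumed, a
 * {@link CIBAGrant} with access, refresh and ID tokens is created and persisted, and the
 * tokens are handed over according to the client's backchannel token delivery mode.
 * <p>
 * Nothing is done when the cached request is missing or already expired (the user responded
 * too late). Token values are never written to the log.
 *
 * @param authReqId    the CIBA auth_req_id the user responded to
 * @param client       the client the authorization was granted to
 * @param httpRequest  current request; its {@code X-ClientCert} header feeds the execution context
 * @param httpResponse current response, passed into the execution context
 */
private void runCiba(String authReqId, Client client, HttpServletRequest httpRequest, HttpServletResponse httpResponse) {
    final CibaRequestCacheControl cibaRequest = cibaRequestService.getCibaRequest(authReqId);
    if (cibaRequest == null || cibaRequest.getStatus() == CibaRequestStatus.EXPIRED) {
        log.trace("User responded too late and the grant {} has expired, {}", authReqId, cibaRequest);
        return;
    }
    // Drop the cached request before any token is issued; presumably this is what prevents a
    // second completion of the same auth_req_id — confirm against CibaRequestService.
    cibaRequestService.removeCibaRequest(authReqId);

    final CIBAGrant cibaGrant = authorizationGrantList.createCIBAGrant(cibaRequest);
    final ExecutionContext executionContext = new ExecutionContext(httpRequest, httpResponse);
    executionContext.setAppConfiguration(appConfiguration);
    executionContext.setAttributeService(attributeService);
    executionContext.setGrant(cibaGrant);
    executionContext.setClient(client);
    executionContext.setCertAsPem(httpRequest.getHeader("X-ClientCert"));

    final AccessToken accessToken = cibaGrant.createAccessToken(executionContext);
    // Log that a token was issued, never the token itself: log files must not become a credential store.
    log.debug("Issued access token for auth_req_id {}, expires in {}s", authReqId, accessToken.getExpiresIn());

    final ExternalUpdateTokenContext context = new ExternalUpdateTokenContext(httpRequest, cibaGrant, client, appConfiguration, attributeService);
    // An update-token script may supply a refresh token lifetime; anything non-positive falls
    // back to the overload without an explicit lifetime.
    final int refreshTokenLifetimeInSeconds = externalUpdateTokenService.getRefreshTokenLifetimeInSeconds(context);
    final RefreshToken refreshToken = refreshTokenLifetimeInSeconds > 0
            ? cibaGrant.createRefreshToken(executionContext, refreshTokenLifetimeInSeconds)
            : cibaGrant.createRefreshToken(executionContext);
    log.debug("Refresh token issued for auth_req_id {}: {}", authReqId, refreshToken != null);

    executionContext.setPostProcessor(externalUpdateTokenService.buildModifyIdTokenProcessor(context));
    executionContext.setIncludeIdTokenClaims(false);
    final IdToken idToken = cibaGrant.createIdToken(null, null, accessToken, refreshToken, null, executionContext);

    // NOTE(review): PUSH is decided from the cached request's client while PING/POLL use the
    // grant's client (kept as before); presumably the same client, since the grant was built
    // from cibaRequest — confirm and unify.
    final BackchannelTokenDeliveryMode requestDeliveryMode = cibaRequest.getClient().getBackchannelTokenDeliveryMode();
    final BackchannelTokenDeliveryMode grantDeliveryMode = cibaGrant.getClient().getBackchannelTokenDeliveryMode();
    final boolean push = requestDeliveryMode == BackchannelTokenDeliveryMode.PUSH;
    final boolean ping = !push && grantDeliveryMode == BackchannelTokenDeliveryMode.PING;
    final boolean poll = !push && !ping && grantDeliveryMode == BackchannelTokenDeliveryMode.POLL;

    // Only PUSH delivers the tokens from here; in PING and POLL the client still has to fetch
    // them, so the grant is persisted with tokensDelivered=false. Persist exactly once with the
    // final value instead of saving "delivered" and then re-saving "not delivered": save() is
    // noted elsewhere in this class as possibly asynchronous, so the intermediate state could
    // otherwise be observed by a polling client.
    cibaGrant.setTokensDelivered(!(ping || poll));
    cibaGrant.save();

    if (push) {
        cibaPushTokenDeliveryService.pushTokenDelivery(cibaGrant.getAuthReqId(), cibaGrant.getClient().getBackchannelClientNotificationEndpoint(), cibaRequest.getClientNotificationToken(), accessToken.getCode(), refreshToken != null ? refreshToken.getCode() : null, idToken.getCode(), accessToken.getExpiresIn());
    } else if (ping) {
        cibaPingCallbackService.pingCallback(cibaGrant.getAuthReqId(), cibaGrant.getClient().getBackchannelClientNotificationEndpoint(), cibaRequest.getClientNotificationToken());
    }
}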

Example 5 with ExternalUpdateTokenContext

use of io.jans.as.server.service.external.context.ExternalUpdateTokenContext in project jans by JanssenProject.

the class TokenRestWebServiceImpl method requestAccessToken.

@Override
public Response requestAccessToken(String grantType, String code, String redirectUri, String username, String password, String scope, String assertion, String refreshToken, String clientId, String clientSecret, String codeVerifier, String ticket, String claimToken, String claimTokenFormat, String pctCode, String rptCode, String authReqId, String deviceCode, HttpServletRequest request, HttpServletResponse response, SecurityContext sec) {
    log.debug("Attempting to request access token: grantType = {}, code = {}, redirectUri = {}, username = {}, refreshToken = {}, " + "clientId = {}, ExtraParams = {}, isSecure = {}, codeVerifier = {}, ticket = {}", grantType, code, redirectUri, username, refreshToken, clientId, request.getParameterMap(), sec.isSecure(), codeVerifier, ticket);
    boolean isUma = StringUtils.isNotBlank(ticket);
    if (isUma) {
        return umaTokenService.requestRpt(grantType, ticket, claimToken, claimTokenFormat, pctCode, rptCode, scope, request, response);
    }
    OAuth2AuditLog oAuth2AuditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(request), Action.TOKEN_REQUEST);
    oAuth2AuditLog.setClientId(clientId);
    oAuth2AuditLog.setUsername(username);
    oAuth2AuditLog.setScope(scope);
    String tokenBindingHeader = request.getHeader("Sec-Token-Binding");
    // it may be encoded in uma case
    scope = ServerUtil.urlDecode(scope);
    ResponseBuilder builder = Response.ok();
    String dpopStr;
    try {
        dpopStr = runDPoP(request);
    } catch (InvalidJwtException | JWKException | NoSuchAlgorithmException | NoSuchProviderException e) {
        return response(error(400, TokenErrorResponseType.INVALID_DPOP_PROOF, e.getMessage()), oAuth2AuditLog);
    }
    try {
        log.debug("Starting to validate request parameters");
        if (!TokenParamsValidator.validateParams(grantType, code, redirectUri, username, password, scope, assertion, refreshToken)) {
            log.trace("Failed to validate request parameters");
            return response(error(400, TokenErrorResponseType.INVALID_REQUEST, "Failed to validate request parameters"), oAuth2AuditLog);
        }
        GrantType gt = GrantType.fromString(grantType);
        log.debug("Grant type: '{}'", gt);
        SessionClient sessionClient = identity.getSessionClient();
        Client client = null;
        if (sessionClient != null) {
            client = sessionClient.getClient();
            log.debug("Get sessionClient: '{}'", sessionClient);
        }
        if (client == null) {
            return response(error(401, TokenErrorResponseType.INVALID_GRANT, "Unable to find client."), oAuth2AuditLog);
        }
        log.debug("Get client from session: '{}'", client.getClientId());
        if (client.isDisabled()) {
            return response(error(Response.Status.FORBIDDEN.getStatusCode(), TokenErrorResponseType.DISABLED_CLIENT, "Client is disabled."), oAuth2AuditLog);
        }
        final Function<JsonWebResponse, Void> idTokenTokingBindingPreprocessing = TokenBindingMessage.createIdTokenTokingBindingPreprocessing(tokenBindingHeader, // for all except authorization code grant
        client.getIdTokenTokenBindingCnf());
        final SessionId sessionIdObj = sessionIdService.getSessionId(request);
        final Function<JsonWebResponse, Void> idTokenPreProcessing = JwrService.wrapWithSidFunction(idTokenTokingBindingPreprocessing, sessionIdObj != null ? sessionIdObj.getOutsideSid() : null);
        final ExecutionContext executionContext = new ExecutionContext(request, response);
        executionContext.setCertAsPem(request.getHeader(X_CLIENTCERT));
        executionContext.setDpop(dpopStr);
        executionContext.setClient(client);
        executionContext.setDpop(dpopStr);
        executionContext.setAppConfiguration(appConfiguration);
        executionContext.setAttributeService(attributeService);
        if (gt == GrantType.AUTHORIZATION_CODE) {
            if (!TokenParamsValidator.validateGrantType(gt, client.getGrantTypes(), appConfiguration.getGrantTypesSupported())) {
                return response(error(400, TokenErrorResponseType.INVALID_GRANT, null), oAuth2AuditLog);
            }
            log.debug("Attempting to find authorizationCodeGrant by clientId: '{}', code: '{}'", client.getClientId(), code);
            final AuthorizationCodeGrant authorizationCodeGrant = authorizationGrantList.getAuthorizationCodeGrant(code);
            log.trace("AuthorizationCodeGrant : '{}'", authorizationCodeGrant);
            if (authorizationCodeGrant == null) {
                log.debug("AuthorizationCodeGrant is empty by clientId: '{}', code: '{}'", client.getClientId(), code);
                // if authorization code is not found then code was already used or wrong client provided = remove all grants with this auth code
                grantService.removeAllByAuthorizationCode(code);
                return response(error(400, TokenErrorResponseType.INVALID_GRANT, "Unable to find grant object for given code."), oAuth2AuditLog);
            }
            if (!client.getClientId().equals(authorizationCodeGrant.getClientId())) {
                log.debug("AuthorizationCodeGrant is found but belongs to another client. Grant's clientId: '{}', code: '{}'", authorizationCodeGrant.getClientId(), code);
                // if authorization code is not found then code was already used or wrong client provided = remove all grants with this auth code
                grantService.removeAllByAuthorizationCode(code);
                return response(error(400, TokenErrorResponseType.INVALID_GRANT, "Client mismatch."), oAuth2AuditLog);
            }
            validatePKCE(authorizationCodeGrant, codeVerifier, oAuth2AuditLog);
            authorizationCodeGrant.setIsCachedWithNoPersistence(false);
            authorizationCodeGrant.save();
            RefreshToken reToken = createRefreshToken(request, client, scope, authorizationCodeGrant, dpopStr);
            scope = authorizationCodeGrant.checkScopesPolicy(scope);
            executionContext.setGrant(authorizationCodeGrant);
            // create token after scopes are checked
            AccessToken accToken = authorizationCodeGrant.createAccessToken(executionContext);
            IdToken idToken = null;
            if (authorizationCodeGrant.getScopes().contains(OPENID)) {
                String nonce = authorizationCodeGrant.getNonce();
                boolean includeIdTokenClaims = Boolean.TRUE.equals(appConfiguration.getLegacyIdTokenClaims());
                final String idTokenTokenBindingCnf = client.getIdTokenTokenBindingCnf();
                Function<JsonWebResponse, Void> authorizationCodePreProcessing = jsonWebResponse -> {
                    if (StringUtils.isNotBlank(idTokenTokenBindingCnf) && StringUtils.isNotBlank(authorizationCodeGrant.getTokenBindingHash())) {
                        TokenBindingMessage.setCnfClaim(jsonWebResponse, authorizationCodeGrant.getTokenBindingHash(), idTokenTokenBindingCnf);
                    }
                    return null;
                };
                ExternalUpdateTokenContext context = new ExternalUpdateTokenContext(request, authorizationCodeGrant, client, appConfiguration, attributeService);
                executionContext.setIncludeIdTokenClaims(includeIdTokenClaims);
                executionContext.setPreProcessing(JwrService.wrapWithSidFunction(authorizationCodePreProcessing, sessionIdObj != null ? sessionIdObj.getOutsideSid() : null));
                executionContext.setPostProcessor(externalUpdateTokenService.buildModifyIdTokenProcessor(context));
                idToken = authorizationCodeGrant.createIdToken(nonce, authorizationCodeGrant.getAuthorizationCode(), accToken, null, null, executionContext);
            }
            oAuth2AuditLog.updateOAuth2AuditLog(authorizationCodeGrant, true);
            grantService.removeAuthorizationCode(authorizationCodeGrant.getAuthorizationCode().getCode());
            final String entity = getJSonResponse(accToken, accToken.getTokenType(), accToken.getExpiresIn(), reToken, scope, idToken);
            return response(Response.ok().entity(entity), oAuth2AuditLog);
        }
        if (gt == GrantType.REFRESH_TOKEN) {
            if (!TokenParamsValidator.validateGrantType(gt, client.getGrantTypes(), appConfiguration.getGrantTypesSupported())) {
                return response(error(400, TokenErrorResponseType.INVALID_GRANT, "grant_type does not belong to client."), oAuth2AuditLog);
            }
            AuthorizationGrant authorizationGrant = authorizationGrantList.getAuthorizationGrantByRefreshToken(client.getClientId(), refreshToken);
            if (authorizationGrant == null) {
                log.trace("Grant object is not found by refresh token.");
                return response(error(400, TokenErrorResponseType.INVALID_GRANT, "Unable to find grant object by refresh token or otherwise token type or client does not match."), oAuth2AuditLog);
            }
            final RefreshToken refreshTokenObject = authorizationGrant.getRefreshToken(refreshToken);
            if (refreshTokenObject == null || !refreshTokenObject.isValid()) {
                log.trace("Invalid refresh token.");
                return response(error(400, TokenErrorResponseType.INVALID_GRANT, "Unable to find refresh token or otherwise token type or client does not match."), oAuth2AuditLog);
            }
            executionContext.setGrant(authorizationGrant);
            // The authorization server MAY issue a new refresh token, in which case
            // the client MUST discard the old refresh token and replace it with the new refresh token.
            RefreshToken reToken = null;
            if (isFalse(appConfiguration.getSkipRefreshTokenDuringRefreshing())) {
                if (isTrue(appConfiguration.getRefreshTokenExtendLifetimeOnRotation())) {
                    // extend lifetime
                    reToken = createRefreshToken(request, client, scope, authorizationGrant, dpopStr);
                } else {
                    log.trace("Create refresh token with fixed (not extended) lifetime taken from previous refresh token.");
                    // do not extend lifetime
                    reToken = authorizationGrant.createRefreshToken(executionContext, refreshTokenObject.getExpirationDate());
                }
            }
            scope = authorizationGrant.checkScopesPolicy(scope);
            // create token after scopes are checked
            AccessToken accToken = authorizationGrant.createAccessToken(executionContext);
            IdToken idToken = null;
            if (isTrue(appConfiguration.getOpenidScopeBackwardCompatibility()) && authorizationGrant.getScopes().contains(OPENID)) {
                boolean includeIdTokenClaims = Boolean.TRUE.equals(appConfiguration.getLegacyIdTokenClaims());
                ExternalUpdateTokenContext context = new ExternalUpdateTokenContext(request, authorizationGrant, client, appConfiguration, attributeService);
                context.setExecutionContext(executionContext);
                executionContext.setIncludeIdTokenClaims(includeIdTokenClaims);
                executionContext.setPreProcessing(idTokenPreProcessing);
                executionContext.setPostProcessor(externalUpdateTokenService.buildModifyIdTokenProcessor(context));
                idToken = authorizationGrant.createIdToken(null, null, accToken, null, null, executionContext);
            }
            if (reToken != null && refreshToken != null) {
                // remove refresh token after access token and id_token is created.
                grantService.removeByCode(refreshToken);
            }
            builder.entity(getJSonResponse(accToken, accToken.getTokenType(), accToken.getExpiresIn(), reToken, scope, idToken));
            oAuth2AuditLog.updateOAuth2AuditLog(authorizationGrant, true);
        } else if (gt == GrantType.CLIENT_CREDENTIALS) {
            if (!TokenParamsValidator.validateGrantType(gt, client.getGrantTypes(), appConfiguration.getGrantTypesSupported())) {
                return response(error(400, TokenErrorResponseType.INVALID_GRANT, "grant_type is not present in client."), oAuth2AuditLog);
            }
            ClientCredentialsGrant clientCredentialsGrant = authorizationGrantList.createClientCredentialsGrant(new User(), client);
            scope = clientCredentialsGrant.checkScopesPolicy(scope);
            executionContext.setGrant(clientCredentialsGrant);
            // create token after scopes are checked
            AccessToken accessToken = clientCredentialsGrant.createAccessToken(executionContext);
            IdToken idToken = null;
            if (isTrue(appConfiguration.getOpenidScopeBackwardCompatibility()) && clientCredentialsGrant.getScopes().contains(OPENID)) {
                boolean includeIdTokenClaims = Boolean.TRUE.equals(appConfiguration.getLegacyIdTokenClaims());
                ExternalUpdateTokenContext context = new ExternalUpdateTokenContext(request, clientCredentialsGrant, client, appConfiguration, attributeService);
                executionContext.setIncludeIdTokenClaims(includeIdTokenClaims);
                executionContext.setPreProcessing(idTokenPreProcessing);
                executionContext.setPostProcessor(externalUpdateTokenService.buildModifyIdTokenProcessor(context));
                idToken = clientCredentialsGrant.createIdToken(null, null, null, null, null, executionContext);
            }
            oAuth2AuditLog.updateOAuth2AuditLog(clientCredentialsGrant, true);
            builder.entity(getJSonResponse(accessToken, accessToken.getTokenType(), accessToken.getExpiresIn(), null, scope, idToken));
        } else if (gt == GrantType.RESOURCE_OWNER_PASSWORD_CREDENTIALS) {
            if (!TokenParamsValidator.validateGrantType(gt, client.getGrantTypes(), appConfiguration.getGrantTypesSupported())) {
                return response(error(400, TokenErrorResponseType.INVALID_GRANT, "grant_type is not present in client."), oAuth2AuditLog);
            }
            boolean authenticated = false;
            User user = null;
            if (authenticationFilterService.isEnabled()) {
                String userDn = authenticationFilterService.processAuthenticationFilters(request.getParameterMap());
                if (StringHelper.isNotEmpty(userDn)) {
                    user = userService.getUserByDn(userDn);
                    authenticated = true;
                }
            }
            if (!authenticated) {
                if (externalResourceOwnerPasswordCredentialsService.isEnabled()) {
                    final ExternalResourceOwnerPasswordCredentialsContext context = new ExternalResourceOwnerPasswordCredentialsContext(executionContext);
                    context.setUser(user);
                    if (externalResourceOwnerPasswordCredentialsService.executeExternalAuthenticate(context)) {
                        log.trace("RO PC - User is authenticated successfully by external script.");
                        user = context.getUser();
                    }
                } else {
                    try {
                        authenticated = authenticationService.authenticate(username, password);
                        if (authenticated) {
                            user = authenticationService.getAuthenticatedUser();
                        }
                    } catch (AuthenticationException ex) {
                        log.trace("Failed to authenticate user ", new RuntimeException("User name or password is invalid"));
                    }
                }
            }
            if (user != null) {
                ResourceOwnerPasswordCredentialsGrant resourceOwnerPasswordCredentialsGrant = authorizationGrantList.createResourceOwnerPasswordCredentialsGrant(user, client);
                SessionId sessionId = identity.getSessionId();
                if (sessionId != null) {
                    resourceOwnerPasswordCredentialsGrant.setAcrValues(OxConstants.SCRIPT_TYPE_INTERNAL_RESERVED_NAME);
                    resourceOwnerPasswordCredentialsGrant.setSessionDn(sessionId.getDn());
                    // call save after object modification!!!
                    resourceOwnerPasswordCredentialsGrant.save();
                    sessionId.getSessionAttributes().put(Constants.AUTHORIZED_GRANT, gt.getValue());
                    boolean updateResult = sessionIdService.updateSessionId(sessionId, false, true, true);
                    if (!updateResult) {
                        log.debug("Failed to update session entry: '{}'", sessionId.getId());
                    }
                }
                RefreshToken reToken = createRefreshToken(request, client, scope, resourceOwnerPasswordCredentialsGrant, null);
                scope = resourceOwnerPasswordCredentialsGrant.checkScopesPolicy(scope);
                executionContext.setGrant(resourceOwnerPasswordCredentialsGrant);
                // create token after scopes are checked
                AccessToken accessToken = resourceOwnerPasswordCredentialsGrant.createAccessToken(executionContext);
                IdToken idToken = null;
                if (isTrue(appConfiguration.getOpenidScopeBackwardCompatibility()) && resourceOwnerPasswordCredentialsGrant.getScopes().contains("openid")) {
                    boolean includeIdTokenClaims = Boolean.TRUE.equals(appConfiguration.getLegacyIdTokenClaims());
                    ExternalUpdateTokenContext context = new ExternalUpdateTokenContext(request, resourceOwnerPasswordCredentialsGrant, client, appConfiguration, attributeService);
                    context.setExecutionContext(executionContext);
                    executionContext.setIncludeIdTokenClaims(includeIdTokenClaims);
                    executionContext.setPreProcessing(idTokenPreProcessing);
                    executionContext.setPostProcessor(externalUpdateTokenService.buildModifyIdTokenProcessor(context));
                    idToken = resourceOwnerPasswordCredentialsGrant.createIdToken(null, null, null, null, null, executionContext);
                }
                oAuth2AuditLog.updateOAuth2AuditLog(resourceOwnerPasswordCredentialsGrant, true);
                builder.entity(getJSonResponse(accessToken, accessToken.getTokenType(), accessToken.getExpiresIn(), reToken, scope, idToken));
            } else {
                log.debug("Invalid user", new RuntimeException("User is empty"));
                builder = error(401, TokenErrorResponseType.INVALID_CLIENT, "Invalid user.");
            }
        } else if (gt == GrantType.CIBA) {
            errorResponseFactory.validateComponentEnabled(ComponentType.CIBA);
            if (!TokenParamsValidator.validateGrantType(gt, client.getGrantTypes(), appConfiguration.getGrantTypesSupported())) {
                return response(error(400, TokenErrorResponseType.INVALID_GRANT, "Grant types are invalid."), oAuth2AuditLog);
            }
            log.debug("Attempting to find authorizationGrant by authReqId: '{}'", authReqId);
            final CIBAGrant cibaGrant = authorizationGrantList.getCIBAGrant(authReqId);
            executionContext.setGrant(cibaGrant);
            log.trace("AuthorizationGrant : '{}'", cibaGrant);
            if (cibaGrant != null) {
                if (!cibaGrant.getClientId().equals(client.getClientId())) {
                    builder = error(400, TokenErrorResponseType.INVALID_GRANT, REASON_CLIENT_NOT_AUTHORIZED);
                    return response(builder, oAuth2AuditLog);
                }
                if (cibaGrant.getClient().getBackchannelTokenDeliveryMode() == BackchannelTokenDeliveryMode.PING || cibaGrant.getClient().getBackchannelTokenDeliveryMode() == BackchannelTokenDeliveryMode.POLL) {
                    if (!cibaGrant.isTokensDelivered()) {
                        RefreshToken refToken = createRefreshToken(request, client, scope, cibaGrant, null);
                        AccessToken accessToken = cibaGrant.createAccessToken(executionContext);
                        ExternalUpdateTokenContext context = new ExternalUpdateTokenContext(request, cibaGrant, client, appConfiguration, attributeService);
                        context.setExecutionContext(executionContext);
                        executionContext.setIncludeIdTokenClaims(false);
                        executionContext.setPreProcessing(idTokenPreProcessing);
                        executionContext.setPostProcessor(externalUpdateTokenService.buildModifyIdTokenProcessor(context));
                        IdToken idToken = cibaGrant.createIdToken(null, null, accessToken, refToken, null, executionContext);
                        cibaGrant.setTokensDelivered(true);
                        cibaGrant.save();
                        RefreshToken reToken = null;
                        if (isRefreshTokenAllowed(client, scope, cibaGrant)) {
                            reToken = refToken;
                        }
                        scope = cibaGrant.checkScopesPolicy(scope);
                        builder.entity(getJSonResponse(accessToken, accessToken.getTokenType(), accessToken.getExpiresIn(), reToken, scope, idToken));
                        oAuth2AuditLog.updateOAuth2AuditLog(cibaGrant, true);
                    } else {
                        builder = error(400, TokenErrorResponseType.INVALID_GRANT, "AuthReqId is no longer available.");
                    }
                } else {
                    log.debug("Client is not using Poll flow authReqId: '{}'", authReqId);
                    builder = error(400, TokenErrorResponseType.UNAUTHORIZED_CLIENT, "The client is not authorized as it is configured in Push Mode");
                }
            } else {
                final CibaRequestCacheControl cibaRequest = cibaRequestService.getCibaRequest(authReqId);
                log.trace("Ciba request : '{}'", cibaRequest);
                if (cibaRequest != null) {
                    if (!cibaRequest.getClient().getClientId().equals(client.getClientId())) {
                        builder = error(400, TokenErrorResponseType.INVALID_GRANT, REASON_CLIENT_NOT_AUTHORIZED);
                        return response(builder, oAuth2AuditLog);
                    }
                    long currentTime = new Date().getTime();
                    Long lastAccess = cibaRequest.getLastAccessControl();
                    if (lastAccess == null) {
                        lastAccess = currentTime;
                    }
                    cibaRequest.setLastAccessControl(currentTime);
                    cibaRequestService.update(cibaRequest);
                    if (cibaRequest.getStatus() == CibaRequestStatus.PENDING) {
                        int intervalSeconds = appConfiguration.getBackchannelAuthenticationResponseInterval();
                        long timeFromLastAccess = currentTime - lastAccess;
                        if (timeFromLastAccess > intervalSeconds * 1000) {
                            log.debug("Access hasn't been granted yet for authReqId: '{}'", authReqId);
                            builder = error(400, TokenErrorResponseType.AUTHORIZATION_PENDING, "User hasn't answered yet");
                        } else {
                            log.debug("Slow down protection authReqId: '{}'", authReqId);
                            builder = error(400, TokenErrorResponseType.SLOW_DOWN, "Client is asking too fast the token.");
                        }
                    } else if (cibaRequest.getStatus() == CibaRequestStatus.DENIED) {
                        log.debug("The end-user denied the authorization request for authReqId: '{}'", authReqId);
                        builder = error(400, TokenErrorResponseType.ACCESS_DENIED, "The end-user denied the authorization request.");
                    } else if (cibaRequest.getStatus() == CibaRequestStatus.EXPIRED) {
                        log.debug("The authentication request has expired for authReqId: '{}'", authReqId);
                        builder = error(400, TokenErrorResponseType.EXPIRED_TOKEN, "The authentication request has expired");
                    }
                } else {
                    log.debug("AuthorizationGrant is empty by authReqId: '{}'", authReqId);
                    builder = error(400, TokenErrorResponseType.EXPIRED_TOKEN, "Unable to find grant object for given auth_req_id.");
                }
            }
        } else if (gt == GrantType.DEVICE_CODE) {
            return processDeviceCodeGrantType(gt, client, deviceCode, scope, request, response, oAuth2AuditLog);
        }
    } catch (WebApplicationException e) {
        throw e;
    } catch (Exception e) {
        builder = Response.status(500);
        log.error(e.getMessage(), e);
    }
    return response(builder, oAuth2AuditLog);
}