Example 1 with OAuth2Response
use of io.trino.server.security.oauth2.OAuth2Client.OAuth2Response in project trino by trinodb.
the class OAuth2Service method finishOAuth2Challenge.
public Response finishOAuth2Challenge(String state, String code, URI callbackUri, Optional<String> nonce) {
Optional<String> handlerState;
try {
Claims stateClaims = parseState(state);
handlerState = Optional.ofNullable(stateClaims.get(HANDLER_STATE_CLAIM, String.class));
} catch (ChallengeFailedException | RuntimeException e) {
LOG.debug(e, "Authentication response could not be verified invalid state: state=%s", state);
return Response.status(BAD_REQUEST).entity(getInternalFailureHtml("Authentication response could not be verified")).cookie(NonceCookie.delete()).build();
}
// Note: the Web UI may be disabled, so REST requests can not redirect to a success or error page inside of the Web UI
try {
// fetch access token
OAuth2Response oauth2Response = client.getOAuth2Response(code, callbackUri);
Claims parsedToken = validateAndParseOAuth2Response(oauth2Response, nonce).orElseThrow(() -> new ChallengeFailedException("invalid access token"));
// determine expiration
Instant validUntil = determineExpiration(oauth2Response.getValidUntil(), parsedToken.getExpiration());
if (handlerState.isEmpty()) {
return Response.seeOther(URI.create(UI_LOCATION)).cookie(OAuthWebUiCookie.create(oauth2Response.getAccessToken(), validUntil), NonceCookie.delete()).build();
}
tokenHandler.setAccessToken(handlerState.get(), oauth2Response.getAccessToken());
Response.ResponseBuilder builder = Response.ok(getSuccessHtml());
if (webUiOAuthEnabled) {
builder.cookie(OAuthWebUiCookie.create(oauth2Response.getAccessToken(), validUntil));
}
return builder.cookie(NonceCookie.delete()).build();
} catch (ChallengeFailedException | RuntimeException e) {
LOG.debug(e, "Authentication response could not be verified: state=%s", state);
handlerState.ifPresent(value -> tokenHandler.setTokenExchangeError(value, format("Authentication response could not be verified: state=%s", value)));
return Response.status(BAD_REQUEST).cookie(NonceCookie.delete()).entity(getInternalFailureHtml("Authentication response could not be verified")).build();
}
}
Also used :
OAuth2Response(io.trino.server.security.oauth2.OAuth2Client.OAuth2Response)
OAuth2Response(io.trino.server.security.oauth2.OAuth2Client.OAuth2Response)
Response(javax.ws.rs.core.Response)
JsonResponseHandler(io.airlift.http.client.JsonResponseHandler)
GET(javax.ws.rs.HttpMethod.GET)
Date(java.util.Date)
AUTHORIZATION(com.google.common.net.HttpHeaders.AUTHORIZATION)
JwtParser(io.jsonwebtoken.JwtParser)
Random(java.util.Random)
SecureRandom(java.security.SecureRandom)
Duration(java.time.Duration)
Map(java.util.Map)
UriBuilder(javax.ws.rs.core.UriBuilder)
URI(java.net.URI)
OAuth2Response(io.trino.server.security.oauth2.OAuth2Client.OAuth2Response)
BAD_REQUEST(javax.ws.rs.core.Response.Status.BAD_REQUEST)
ImmutableSet(com.google.common.collect.ImmutableSet)
Collection(java.util.Collection)
Set(java.util.Set)
Instant(java.time.Instant)
AUDIENCE(io.jsonwebtoken.Claims.AUDIENCE)
String.format(java.lang.String.format)
Key(java.security.Key)
Response(javax.ws.rs.core.Response)
SigningKeyResolver(io.jsonwebtoken.SigningKeyResolver)
OAuthWebUiCookie(io.trino.server.ui.OAuthWebUiCookie)
Optional(java.util.Optional)
JsonResponseHandler.createJsonResponseHandler(io.airlift.http.client.JsonResponseHandler.createJsonResponseHandler)
OAuth2WebUiInstalled(io.trino.server.ui.OAuth2WebUiInstalled)
HttpClient(io.airlift.http.client.HttpClient)
Instant.now(java.time.Instant.now)
Logger(io.airlift.log.Logger)
Strings.nullToEmpty(com.google.common.base.Strings.nullToEmpty)
JwtUtil.newJwtBuilder(io.trino.server.security.jwt.JwtUtil.newJwtBuilder)
Claims(io.jsonwebtoken.Claims)
Inject(javax.inject.Inject)
Verify.verify(com.google.common.base.Verify.verify)
DefaultClaims(io.jsonwebtoken.impl.DefaultClaims)
Objects.requireNonNull(java.util.Objects.requireNonNull)
Request(io.airlift.http.client.Request)
TemporalAmount(java.time.temporal.TemporalAmount)
UI_LOCATION(io.trino.server.ui.FormWebUiAuthenticationFilter.UI_LOCATION)
JwtUtil.newJwtParserBuilder(io.trino.server.security.jwt.JwtUtil.newJwtParserBuilder)
Keys.hmacShaKeyFor(io.jsonwebtoken.security.Keys.hmacShaKeyFor)
BaseEncoding(com.google.common.io.BaseEncoding)
Resources(com.google.common.io.Resources)
JsonCodec.mapJsonCodec(io.airlift.json.JsonCodec.mapJsonCodec)
UTF_8(java.nio.charset.StandardCharsets.UTF_8)
IOException(java.io.IOException)
Hashing.sha256(com.google.common.hash.Hashing.sha256)
Ordering(com.google.common.collect.Ordering)
VisibleForTesting(com.google.common.annotations.VisibleForTesting)
Claims(io.jsonwebtoken.Claims)
DefaultClaims(io.jsonwebtoken.impl.DefaultClaims)
Instant(java.time.Instant)
Aggregations
VisibleForTesting (com.google.common.annotations.VisibleForTesting)1
Strings.nullToEmpty (com.google.common.base.Strings.nullToEmpty)1
Verify.verify (com.google.common.base.Verify.verify)1
ImmutableSet (com.google.common.collect.ImmutableSet)1
Ordering (com.google.common.collect.Ordering)1
Hashing.sha256 (com.google.common.hash.Hashing.sha256)1
BaseEncoding (com.google.common.io.BaseEncoding)1
Resources (com.google.common.io.Resources)1
AUTHORIZATION (com.google.common.net.HttpHeaders.AUTHORIZATION)1
HttpClient (io.airlift.http.client.HttpClient)1
JsonResponseHandler (io.airlift.http.client.JsonResponseHandler)1
JsonResponseHandler.createJsonResponseHandler (io.airlift.http.client.JsonResponseHandler.createJsonResponseHandler)1
Request (io.airlift.http.client.Request)1
JsonCodec.mapJsonCodec (io.airlift.json.JsonCodec.mapJsonCodec)1
Logger (io.airlift.log.Logger)1
Claims (io.jsonwebtoken.Claims)1
AUDIENCE (io.jsonwebtoken.Claims.AUDIENCE)1
JwtParser (io.jsonwebtoken.JwtParser)1
SigningKeyResolver (io.jsonwebtoken.SigningKeyResolver)1
DefaultClaims (io.jsonwebtoken.impl.DefaultClaims)1
