use of it.spid.cie.oidc.exception.OIDCException in project spid-cie-oidc-java by italia.
the class JWTHelper method verifyJWS.
/**
 * Checks the signature of {@code jws} with the key from {@code jwkSet} announced by the
 * token's {@code kid} header.
 *
 * @param jws the signed token; its {@code kid} and {@code alg} headers select key and algorithm
 * @param jwkSet the only keys a signature may be verified against
 * @return the outcome of {@link SignedJWT#verify(JWSVerifier)}
 * @throws JWTException.UnknownKid if no key in {@code jwkSet} carries the token's {@code kid}
 * @throws JWTException.UnsupportedAlgorithm if {@code alg} is rejected by {@code isValidAlgorithm}
 * @throws JWTException.Verifier if building or running the verifier fails
 */
public boolean verifyJWS(SignedJWT jws, JWKSet jwkSet) throws OIDCException {
    // The kid header is attacker controlled until the signature is checked, so the
    // lookup is restricted to the supplied set; a key embedded in the token is never used.
    String keyId = jws.getHeader().getKeyID();
    JWK candidate = jwkSet.getKeyByKeyId(keyId);
    if (candidate == null) {
        throw new JWTException.UnknownKid(keyId, jwkSet.toString());
    }

    // Refuse algorithms outside the allow-list before any verifier is constructed.
    JWSAlgorithm algorithm = jws.getHeader().getAlgorithm();
    if (!isValidAlgorithm(algorithm)) {
        throw new JWTException.UnsupportedAlgorithm(algorithm.toString());
    }

    // NOTE(review): the header alg is not compared with the JWK's own "alg"/"kty" here;
    // presumably getJWSVerifier fails on a key type that does not fit the algorithm — confirm.
    try {
        JWSVerifier verifier = getJWSVerifier(algorithm, candidate);
        return jws.verify(verifier);
    } catch (Exception e) {
        throw new JWTException.Verifier(e);
    }
}
use of it.spid.cie.oidc.exception.OIDCException in project spid-cie-oidc-java by italia.
the class OAuth2Helper method sendRevocationRequest.
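/**
 * Notifies the provider's revocation endpoint (RFC 7009) that {@code token} must no
 * longer be honoured, authenticating the client with a freshly signed
 * {@code private_key_jwt} client assertion.
 * <p>
 * A non-200 reply is logged at error level but not raised: the call is best effort and
 * callers cannot tell from this method whether the provider actually revoked the token.
 *
 * @param token the token to revoke (access or refresh token; handled as a credential)
 * @param clientId the RP identifier, used as both {@code iss} and {@code sub} of the assertion
 * @param revocationUrl the provider's revocation endpoint, also the assertion's {@code aud}
 * @param clientConf the RP configuration whose JWKS signs the assertion
 * @throws OIDCException if the assertion cannot be built or the HTTP exchange fails
 */
public void sendRevocationRequest(String token, String clientId, String revocationUrl, FederationEntity clientConf) throws OIDCException {
    // Client assertion (JWS) for private_key_jwt: iss == sub == client_id, aud == endpoint,
    // bounded lifetime and a random jti so the assertion cannot be replayed.
    JSONObject payload = new JSONObject()
        .put("iss", clientId)
        .put("sub", clientId)
        .put("aud", JSONUtil.asJSONArray(revocationUrl))
        .put("iat", JWTHelper.getIssuedAt())
        .put("exp", JWTHelper.getExpiresOn())
        .put("jti", UUID.randomUUID().toString());
    JWKSet jwkSet = JWTHelper.getJWKSetFromJSON(clientConf.getJwks());
    String clientAssertion = jwtHelper.createJWS(payload, jwkSet);

    // Body parameters
    Map<String, Object> params = new HashMap<>();
    params.put("token", token);
    params.put("client_id", clientId);
    params.put("client_assertion", clientAssertion);
    params.put("client_assertion_type", JWT_BARRIER);

    // Never log the encoded body: it carries the token being revoked and a signed client
    // assertion that stays usable until its exp, both of which are credentials.
    if (logger.isDebugEnabled()) {
        logger.debug("Send Token Revocation to {} for client {}", revocationUrl, clientId);
    }

    try {
        HttpRequest request = HttpRequest.newBuilder()
            .uri(new URI(revocationUrl))
            .POST(HttpRequest.BodyPublishers.ofString(buildPostBody(params)))
            .header("Content-Type", "application/x-www-form-urlencoded")
            .build();
        // TODO timeout from options
        HttpResponse<String> response = HttpClient.newBuilder().build().send(request, BodyHandlers.ofString());
        if (response.statusCode() != 200) {
            logger.error("Token revocation failed: {}", response.statusCode());
        }
    } catch (Exception e) {
        throw new OIDCException(e);
    }
}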
use of it.spid.cie.oidc.exception.OIDCException in project spid-cie-oidc-java by italia.
the class OIDCHelper method getUserInfo.
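/**
 * Fetches the userinfo response for {@code accessToken}, decodes it via
 * {@code jwtHelper.getJWTFromJWE} and returns the {@code payload} of the decoded token.
 *
 * @param state the authentication flow state, used only to label error messages
 * @param accessToken the bearer token presented to the userinfo endpoint
 * @param providerConf provider metadata; {@code userinfo_endpoint} and {@code jwks} are read
 * @param verify not read by this method; decryption (and presumably signature verification)
 *               happens inside {@code getJWTFromJWE} regardless of this flag — confirm
 * @param entityJwks the RP's own keys, passed to {@code getJWTFromJWE} for decryption
 * @return the {@code payload} object of the decoded userinfo token
 * @throws OIDCException if {@code userinfo_endpoint} is missing, the HTTP status is not 200,
 *                       or decoding fails
 */
public JSONObject getUserInfo(String state, String accessToken, JSONObject providerConf, boolean verify, JWKSet entityJwks) throws OIDCException {
    // Fail with a clear message instead of letting URI("") surface as an opaque exception.
    String userinfoEndpoint = providerConf.optString("userinfo_endpoint");
    if (userinfoEndpoint == null || userinfoEndpoint.isEmpty()) {
        throw new OIDCException("Missing userinfo_endpoint in provider configuration for " + state);
    }
    try {
        HttpRequest request = HttpRequest.newBuilder()
            .uri(new URI(userinfoEndpoint))
            .header("Authorization", "Bearer " + accessToken)
            .GET()
            .build();
        // NOTE(review): redirects are followed while a bearer token is attached. Whether the
        // Authorization header is forwarded to a cross-origin target depends on the JDK's
        // redirect handling — confirm, or use Redirect.NEVER since userinfo should not redirect.
        HttpResponse<String> response = HttpClient.newBuilder()
            .followRedirects(HttpClient.Redirect.NORMAL)
            .build()
            .send(request, BodyHandlers.ofString());
        if (response.statusCode() != 200) {
            String msg = String.format("Something went wrong with %s: %d", state, response.statusCode());
            throw new OIDCException(msg);
        }
        JWKSet providerJwks = JWTHelper.getJWKSetFromJSON(providerConf.optJSONObject("jwks"));
        JSONObject jwt = jwtHelper.getJWTFromJWE(response.body(), entityJwks, providerJwks);
        // The decoded token carries the end user's claims; keep them out of INFO-level logs
        // and only emit them when debugging is explicitly enabled.
        if (logger.isDebugEnabled()) {
            logger.debug("Userinfo endpoint result: {}", jwt.toString(2));
        }
        return jwt.getJSONObject("payload");
    } catch (OIDCException e) {
        throw e;
    } catch (Exception e) {
        throw new OIDCException(e);
    }
}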
use of it.spid.cie.oidc.exception.OIDCException in project spid-cie-oidc-java by italia.
the class EntityConfiguration method validateByAllowedTrustMarks.
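/**
 * Validate the entity configuration only if marked by a well known trust mark, issued
 * by a trusted issuer.
 * <p>
 * Only trust marks whose id is in {@code allowedTrustMarks} are considered. Each one is
 * checked either against the issuers the Trust Anchor lists for that id or, when the
 * anchor lists none, directly against the anchor. Every trust mark that passes is added
 * to {@code verifiedTrustMarks}.
 *
 * @return {@code true} if {@code allowedTrustMarks} is empty, or if at least one allowed
 *         trust mark validated successfully; {@code false} otherwise
 * @throws TrustChainException.TrustAnchorNeeded if no Trust Anchor configuration is set
 * @throws EntityException.MissingTrustMarks if none of the allowed trust marks is present
 *         (or decodable) in this Entity Configuration
 * @throws OIDCException propagated from the individual trust mark checks
 */
public boolean validateByAllowedTrustMarks() throws OIDCException {
    if (trustAnchor == null) {
        throw new TrustChainException.TrustAnchorNeeded("To validate the trust marks the Trust Anchor Entity Configuration " + "is needed.");
    }
    if (allowedTrustMarks.isEmpty()) {
        return true;
    }
    JSONArray jsonTrustMarks = payload.optJSONArray("trust_marks");
    if (jsonTrustMarks == null) {
        logger.warn("{} doesn't have the trust marks claim in its Entity Configuration", this.sub);
        return false;
    }

    List<TrustMark> trustMarks = new ArrayList<>();
    for (int x = 0; x < jsonTrustMarks.length(); x++) {
        JSONObject jsonTrustMark = jsonTrustMarks.optJSONObject(x);
        if (jsonTrustMark == null) {
            // Name the entity rather than the half-built list so the warning identifies its source.
            logger.warn("invalid trust_mark at {} on {}", x, this.sub);
            continue;
        } else if (!isTrustMarkAllowed(jsonTrustMark)) {
            continue;
        }
        try {
            trustMarks.add(new TrustMark(jsonTrustMark.optString("trust_mark"), jwtHelper));
        } catch (Exception e) {
            // Keep the cause: the bare JSON does not say why decoding failed.
            logger.error("Trust Mark decoding failed on {}", jsonTrustMark, e);
        }
    }
    if (trustMarks.isEmpty()) {
        throw new EntityException.MissingTrustMarks("Required Trust marks are missing.");
    }

    Map<String, Set<String>> trustAnchorIssuers = trustAnchor.getTrustMarksIssuers();
    // Track whether ANY trust mark passed. The outcome must not depend on the order of the
    // trust_marks array: a valid mark followed by an invalid one is still a valid mark, and
    // the return value has to agree with what was added to verifiedTrustMarks.
    boolean anyValid = false;
    for (TrustMark trustMark : trustMarks) {
        boolean valid;
        Set<String> issuers = trustAnchorIssuers.get(trustMark.getId());
        if (issuers != null) {
            // The anchor restricts who may issue this trust mark id: the issuer must be listed,
            // and only then is the mark checked against that issuer.
            valid = issuers.contains(trustMark.getIssuer()) && trustMark.validateByIssuer();
        } else {
            valid = trustMark.validate(trustAnchor);
        }
        if (!trustMark.isValid()) {
            valid = false;
        }
        if (valid) {
            if (logger.isInfoEnabled()) {
                logger.info("Trust Mark {} is valid", trustMark);
            }
            this.verifiedTrustMarks.add(trustMark);
            anyValid = true;
        } else if (logger.isWarnEnabled()) {
            logger.warn("Trust Mark {} is not valid", trustMark);
        }
    }
    return anyValid;
}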
use of it.spid.cie.oidc.exception.OIDCException in project spid-cie-oidc-java by italia.
the class TrustChainBuilder method processSubjectConfiguration.
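/**
 * Ensure the provided Subject Entity Configuration is valid (self validable) and
 * complete (at least by required elements).
 * <p>
 * The configuration is fetched once and cached in {@code subjectConfiguration}; later
 * calls return immediately. The field is assigned only after every check has passed, so a
 * failed validation never leaves an unvalidated configuration cached where the early
 * return would accept it on the next call.
 *
 * @throws TrustChainBuilderException if the configuration cannot be fetched, parsed or self-validated
 * @throws TrustChainException.InvalidRequiredTrustMark if trust marks are required but none validates
 * @throws OIDCException propagated from the trust mark validation
 */
protected void processSubjectConfiguration() throws OIDCException {
    if (subjectConfiguration != null) {
        return;
    }
    EntityConfiguration candidate;
    try {
        String jwt = EntityHelper.getEntityConfiguration(subject);
        candidate = new EntityConfiguration(jwt, trustAnchorConfiguration, jwtHelper);
        candidate.validateItself();
    } catch (Exception e) {
        String msg = String.format("Entity Configuration for %s failed: %s", subject, e.getMessage());
        // Log the stack trace here: the exception thrown below carries only the message.
        logger.error(msg, e);
        throw new TrustChainBuilderException(msg);
    }
    if (requiredTrustMasks.length > 0) {
        candidate.setAllowedTrustMarks(requiredTrustMasks);
        if (!candidate.validateByAllowedTrustMarks()) {
            throw new TrustChainException.InvalidRequiredTrustMark("The required Trust Marks are not valid");
        }
        this.verifiedTrustMasks.addAll(candidate.getVerifiedTrustMarks());
    }
    // Cache only a configuration that passed all checks.
    subjectConfiguration = candidate;
}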