use of oidc.exceptions.InvalidGrantException in project OpenConext-oidcng by OpenConext.
the class AuthorizationEndpoint method validateGrantType.
/**
 * Checks that the flow implied by the requested {@code response_type} is covered by the
 * grants registered for the client.
 *
 * Implicit and hybrid response types are both gated on the {@code implicit} grant;
 * code-bearing response types are gated on the {@code authorization_code} grant.
 *
 * @param authorizationRequest the parsed authorization request whose response type is checked
 * @param client               the registered client whose grant list is consulted
 * @return the response type of the request, unchanged, once it has passed both checks
 * @throws InvalidGrantException when the client's grants do not permit the implied flow
 */
public static ResponseType validateGrantType(AuthorizationRequest authorizationRequest, OpenIDClient client) {
    ResponseType requested = authorizationRequest.getResponseType();
    List<String> allowedGrants = client.getGrants();

    boolean tokenFromAuthorizationEndpoint = requested.impliesImplicitFlow() || requested.impliesHybridFlow();
    boolean implicitAllowed = allowedGrants.contains(GrantType.IMPLICIT.getValue());
    if (tokenFromAuthorizationEndpoint && !implicitAllowed) {
        throw new InvalidGrantException(String.format("Grant types %s does not allow for implicit / hybrid flow", allowedGrants));
    }

    boolean codeAllowed = allowedGrants.contains(GrantType.AUTHORIZATION_CODE.getValue());
    if (requested.impliesCodeFlow() && !codeAllowed) {
        throw new InvalidGrantException(String.format("Grant types %s does not allow for authorization code flow", allowedGrants));
    }
    return requested;
}
use of oidc.exceptions.InvalidGrantException in project OpenConext-oidcng by OpenConext.
the class TokenEndpoint method token.
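/**
 * Handles the OAuth2 / OIDC token endpoint ({@code POST oidc/token}).
 *
 * The form-encoded request is parsed into a Nimbus {@code TokenRequest}. The client is then
 * either authenticated (client secret or JWT assertion) or, when no credentials are sent,
 * identified by {@code client_id} alone and required to be a public client. The requested grant
 * must be among the grants registered for the client before it is dispatched to the
 * grant-specific handler.
 *
 * @param request the raw servlet request carrying the token request
 * @return the token response produced by the grant-specific handler
 * @throws IllegalArgumentException     for an unsupported client-authentication method, an
 *                                      unauthenticated request without {@code client_id}, or an
 *                                      unsupported grant type
 * @throws CodeVerifierMissingException when an unauthenticated authorization_code exchange
 *                                      carries no {@code code_verifier}
 * @throws UnknownClientException       when no client is registered under the given client id
 * @throws UnauthorizedException        when a confidential client sends no credentials, or the
 *                                      presented secret / signature does not verify
 * @throws InvalidGrantException        when the grant type is not registered for the client
 */
@PostMapping(value = "oidc/token", consumes = { MediaType.APPLICATION_FORM_URLENCODED_VALUE })
public ResponseEntity token(HttpServletRequest request) throws IOException, ParseException, JOSEException, java.text.ParseException, CertificateException, BadJOSEException {
    HTTPRequest httpRequest = ServletUtils.createHTTPRequest(request);
    TokenRequest tokenRequest = TokenRequest.parse(httpRequest);
    ClientAuthentication clientAuthentication = tokenRequest.getClientAuthentication();
    // Only client_secret (basic / post) and JWT-based client authentication are handled below.
    if (clientAuthentication != null && !(clientAuthentication instanceof PlainClientSecret || clientAuthentication instanceof JWTAuthentication)) {
        throw new IllegalArgumentException(String.format("Unsupported '%s' findByClientId authentication in token endpoint", clientAuthentication.getClass()));
    }
    AuthorizationGrant authorizationGrant = tokenRequest.getAuthorizationGrant();
    // An unauthenticated client exchanging a code must present a code_verifier (PKCE).
    if (clientAuthentication == null && authorizationGrant instanceof AuthorizationCodeGrant && ((AuthorizationCodeGrant) authorizationGrant).getCodeVerifier() == null) {
        throw new CodeVerifierMissingException("code_verifier required without client authentication");
    }
    // Without credentials the client is identified by the client_id parameter alone. The parsed
    // request's client id may be null when that parameter was not sent, so reject that case
    // explicitly instead of dereferencing it below.
    if (clientAuthentication == null && tokenRequest.getClientID() == null) {
        throw new IllegalArgumentException("client_id required without client authentication");
    }
    String clientId = clientAuthentication != null ? clientAuthentication.getClientID().getValue() : tokenRequest.getClientID().getValue();
    OpenIDClient client = openIDClientRepository.findOptionalByClientId(clientId).orElseThrow(() -> new UnknownClientException(clientId));
    // Only clients registered as public may use the endpoint without authenticating.
    if (clientAuthentication == null && !client.isPublicClient()) {
        throw new UnauthorizedException("Non-public client requires authentication");
    }
    // Verify the presented credentials against the registered client.
    if (clientAuthentication != null) {
        if (clientAuthentication instanceof PlainClientSecret && !secretsMatch((PlainClientSecret) clientAuthentication, client)) {
            throw new UnauthorizedException("Invalid user / secret");
        } else if (clientAuthentication instanceof JWTAuthentication && !verifySignature((JWTAuthentication) clientAuthentication, client, this.tokenEndpoint)) {
            throw new UnauthorizedException("Invalid user / signature");
        }
    }
    MDCContext.mdcContext("action", "Token", "rp", clientId, "grant", authorizationGrant.getType().getValue());
    // The grant type must be among the grants registered for this client.
    if (!client.getGrants().contains(authorizationGrant.getType().getValue())) {
        throw new InvalidGrantException("Invalid grant: " + authorizationGrant.getType().getValue());
    }
    // Dispatch to the grant-specific handler.
    if (authorizationGrant instanceof AuthorizationCodeGrant) {
        return handleAuthorizationCodeGrant((AuthorizationCodeGrant) authorizationGrant, client);
    } else if (authorizationGrant instanceof ClientCredentialsGrant) {
        return handleClientCredentialsGrant(client, tokenRequest);
    } else if (authorizationGrant instanceof RefreshTokenGrant) {
        return handleRefreshCodeGrant((RefreshTokenGrant) authorizationGrant, client);
    }
    throw new IllegalArgumentException("Not supported - yet - authorizationGrant " + authorizationGrant.getType().getValue());
}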
use of oidc.exceptions.InvalidGrantException in project OpenConext-oidcng by OpenConext.
the class UserInfoEndpoint method userInfo.
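/**
 * Serves the OIDC userinfo endpoint: resolves the presented access token to the user it was
 * issued for and returns that user's claims.
 *
 * The token is accepted only if it (1) parses and validates as a signed JWT, (2) is present in
 * the access-token store under its JWT id, (3) has not expired, and (4) was not issued through
 * a client_credentials grant, which has no end user behind it.
 *
 * @param request the servlet request carrying the access token
 * @return 200 with the user's attributes plus {@code sub}, {@code updated_at} and, when the
 *         user has ACR claims, a space-joined {@code acr}, sorted by claim name; otherwise the
 *         response built by {@code errorResponse} for an unknown or expired token
 * @throws InvalidGrantException when the token stems from a client_credentials grant
 */
private ResponseEntity<Map<String, Object>> userInfo(HttpServletRequest request) throws ParseException, IOException, java.text.ParseException {
    HTTPRequest httpRequest = ServletUtils.createHTTPRequest(request);
    UserInfoRequest userInfoRequest = UserInfoRequest.parse(httpRequest);
    String accessTokenValue = userInfoRequest.getAccessToken().getValue();
    // NOTE(review): the raw bearer token is placed in the logging context here; if the MDC is
    // written to log files, consider recording only a digest or prefix of the token instead.
    MDCContext.mdcContext("action", "Userinfo", "accessTokenValue", accessTokenValue);
    // Parse and validate the JWT before the store is consulted.
    Optional<SignedJWT> optionalSignedJWT = tokenGenerator.parseAndValidateSignedJWT(accessTokenValue);
    if (!optionalSignedJWT.isPresent()) {
        return errorResponse("Access Token not found");
    }
    SignedJWT signedJWT = optionalSignedJWT.get();
    String jwtId = signedJWT.getJWTClaimsSet().getJWTID();
    // A token that validates is still rejected unless its jti is (still) known in the store.
    Optional<AccessToken> optionalAccessToken = accessTokenRepository.findByJwtId(jwtId);
    if (!optionalAccessToken.isPresent()) {
        return errorResponse("Access Token not found");
    }
    AccessToken accessToken = optionalAccessToken.get();
    if (accessToken.isExpired(Clock.systemDefaultZone())) {
        return errorResponse("Access Token expired");
    }
    // Client-credentials tokens carry no end user, so there is nothing to return here.
    if (accessToken.isClientCredentials()) {
        throw new InvalidGrantException("UserEndpoint not allowed for Client Credentials");
    }
    User user = tokenGenerator.decryptAccessTokenWithEmbeddedUserInfo(signedJWT);
    MDCContext.mdcContext(user);
    // Work on a sorted, typed copy so the additions below do not mutate the User's own map
    // (the original built a raw TreeMap only at the very end).
    Map<String, Object> attributes = new TreeMap<>(user.getAttributes());
    List<String> acrClaims = user.getAcrClaims();
    if (!CollectionUtils.isEmpty(acrClaims)) {
        attributes.put("acr", String.join(" ", acrClaims));
    }
    attributes.put("updated_at", user.getUpdatedAt());
    attributes.put("sub", user.getSub());
    return ResponseEntity.ok(attributes);
}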