Example 1 with InvalidGrantException

Use of oidc.exceptions.InvalidGrantException in the project OpenConext-oidcng by OpenConext.

From the class AuthorizationEndpoint, method validateGrantType:

/**
 * Checks that the response_type requested at the authorization endpoint is covered by the
 * grant types registered for the relying party; returns the response type if it is.
 */
public static ResponseType validateGrantType(AuthorizationRequest authorizationRequest, OpenIDClient client) {
    ResponseType responseType = authorizationRequest.getResponseType();
    List<String> grants = client.getGrants();
    // Implicit (token / id_token) and hybrid (code plus token / id_token) flows both require the "implicit" grant
    if ((responseType.impliesImplicitFlow() || responseType.impliesHybridFlow()) && !grants.contains(GrantType.IMPLICIT.getValue())) {
        throw new InvalidGrantException(String.format("Grant types %s does not allow for implicit / hybrid flow", grants));
    }
    // A response_type containing "code" requires the "authorization_code" grant
    if (responseType.impliesCodeFlow() && !grants.contains(GrantType.AUTHORIZATION_CODE.getValue())) {
        throw new InvalidGrantException(String.format("Grant types %s does not allow for authorization code flow", grants));
    }
    return responseType;
}
Also used: InvalidGrantException (oidc.exceptions.InvalidGrantException), ResponseType (com.nimbusds.oauth2.sdk.ResponseType)

Example 2 with InvalidGrantException

Use of oidc.exceptions.InvalidGrantException in the project OpenConext-oidcng by OpenConext.

From the class TokenEndpoint, method token:

@PostMapping(value = "oidc/token", consumes = { MediaType.APPLICATION_FORM_URLENCODED_VALUE })
public ResponseEntity token(HttpServletRequest request) throws IOException, ParseException, JOSEException, java.text.ParseException, CertificateException, BadJOSEException {
    HTTPRequest httpRequest = ServletUtils.createHTTPRequest(request);
    TokenRequest tokenRequest = TokenRequest.parse(httpRequest);
    ClientAuthentication clientAuthentication = tokenRequest.getClientAuthentication();
    // Only client_secret (basic / post) and JWT-based (client_secret_jwt / private_key_jwt) client authentication are supported
    if (clientAuthentication != null && !(clientAuthentication instanceof PlainClientSecret || clientAuthentication instanceof JWTAuthentication)) {
        throw new IllegalArgumentException(String.format("Unsupported '%s' findByClientId authentication in token endpoint", clientAuthentication.getClass()));
    }
    AuthorizationGrant authorizationGrant = tokenRequest.getAuthorizationGrant();
    // PKCE: an unauthenticated (public) client redeeming an authorization code must present its code_verifier
    if (clientAuthentication == null && authorizationGrant instanceof AuthorizationCodeGrant && ((AuthorizationCodeGrant) authorizationGrant).getCodeVerifier() == null) {
        throw new CodeVerifierMissingException("code_verifier required without client authentication");
    }
    // The client_id comes from the client authentication when present, otherwise from the request body
    String clientId = clientAuthentication != null ? clientAuthentication.getClientID().getValue() : tokenRequest.getClientID().getValue();
    OpenIDClient client = openIDClientRepository.findOptionalByClientId(clientId).orElseThrow(() -> new UnknownClientException(clientId));
    // Confidential clients are never allowed to skip authentication
    if (clientAuthentication == null && !client.isPublicClient()) {
        throw new UnauthorizedException("Non-public client requires authentication");
    }
    // Verify the presented credentials against the registered client
    if (clientAuthentication != null) {
        if (clientAuthentication instanceof PlainClientSecret && !secretsMatch((PlainClientSecret) clientAuthentication, client)) {
            throw new UnauthorizedException("Invalid user / secret");
        } else if (clientAuthentication instanceof JWTAuthentication && !verifySignature((JWTAuthentication) clientAuthentication, client, this.tokenEndpoint)) {
            throw new UnauthorizedException("Invalid user / signature");
        }
    }
    MDCContext.mdcContext("action", "Token", "rp", clientId, "grant", authorizationGrant.getType().getValue());
    // The requested grant type must be one of the grants registered for this client
    if (!client.getGrants().contains(authorizationGrant.getType().getValue())) {
        throw new InvalidGrantException("Invalid grant: " + authorizationGrant.getType().getValue());
    }
    if (authorizationGrant instanceof AuthorizationCodeGrant) {
        return handleAuthorizationCodeGrant((AuthorizationCodeGrant) authorizationGrant, client);
    } else if (authorizationGrant instanceof ClientCredentialsGrant) {
        return handleClientCredentialsGrant(client, tokenRequest);
    } else if (authorizationGrant instanceof RefreshTokenGrant) {
        return handleRefreshCodeGrant((RefreshTokenGrant) authorizationGrant, client);
    }
    throw new IllegalArgumentException("Not supported - yet - authorizationGrant " + authorizationGrant.getType().getValue());
}
Also used: HTTPRequest (com.nimbusds.oauth2.sdk.http.HTTPRequest), JWTAuthentication (com.nimbusds.oauth2.sdk.auth.JWTAuthentication), UnknownClientException (oidc.exceptions.UnknownClientException), OpenIDClient (oidc.model.OpenIDClient), RefreshTokenGrant (com.nimbusds.oauth2.sdk.RefreshTokenGrant), CodeVerifierMissingException (oidc.exceptions.CodeVerifierMissingException), InvalidGrantException (oidc.exceptions.InvalidGrantException), AuthorizationCodeGrant (com.nimbusds.oauth2.sdk.AuthorizationCodeGrant), PlainClientSecret (com.nimbusds.oauth2.sdk.auth.PlainClientSecret), ClientCredentialsGrant (com.nimbusds.oauth2.sdk.ClientCredentialsGrant), TokenRequest (com.nimbusds.oauth2.sdk.TokenRequest), UnauthorizedException (oidc.exceptions.UnauthorizedException), ClientAuthentication (com.nimbusds.oauth2.sdk.auth.ClientAuthentication), AuthorizationGrant (com.nimbusds.oauth2.sdk.AuthorizationGrant), PostMapping (org.springframework.web.bind.annotation.PostMapping)

Example 3 with InvalidGrantException

Use of oidc.exceptions.InvalidGrantException in the project OpenConext-oidcng by OpenConext.

From the class UserInfoEndpoint, method userInfo:

private ResponseEntity<Map<String, Object>> userInfo(HttpServletRequest request) throws ParseException, IOException, java.text.ParseException {
    HTTPRequest httpRequest = ServletUtils.createHTTPRequest(request);
    UserInfoRequest userInfoRequest = UserInfoRequest.parse(httpRequest);
    String accessTokenValue = userInfoRequest.getAccessToken().getValue();
    MDCContext.mdcContext("action", "Userinfo", "accessTokenValue", accessTokenValue);
    // First check: the bearer token must be a JWT with a valid signature
    Optional<SignedJWT> optionalSignedJWT = tokenGenerator.parseAndValidateSignedJWT(accessTokenValue);
    if (!optionalSignedJWT.isPresent()) {
        return errorResponse("Access Token not found");
    }
    SignedJWT signedJWT = optionalSignedJWT.get();
    // Second check: the token's jti must still be known server-side (issued and not removed)
    String jwtId = signedJWT.getJWTClaimsSet().getJWTID();
    Optional<AccessToken> optionalAccessToken = accessTokenRepository.findByJwtId(jwtId);
    if (!optionalAccessToken.isPresent()) {
        return errorResponse("Access Token not found");
    }
    AccessToken accessToken = optionalAccessToken.get();
    if (accessToken.isExpired(Clock.systemDefaultZone())) {
        return errorResponse("Access Token expired");
    }
    // A client_credentials token represents no end user, so there is no user info to return
    if (accessToken.isClientCredentials()) {
        throw new InvalidGrantException("UserEndpoint not allowed for Client Credentials");
    }
    User user = tokenGenerator.decryptAccessTokenWithEmbeddedUserInfo(signedJWT);
    MDCContext.mdcContext(user);
    Map<String, Object> attributes = user.getAttributes();
    List<String> acrClaims = user.getAcrClaims();
    if (!CollectionUtils.isEmpty(acrClaims)) {
        attributes.put("acr", String.join(" ", acrClaims));
    }
    attributes.put("updated_at", user.getUpdatedAt());
    attributes.put("sub", user.getSub());
    // TreeMap gives a deterministic (sorted) claim order in the response
    return ResponseEntity.ok(new TreeMap<>(attributes));
}
Also used: HTTPRequest (com.nimbusds.oauth2.sdk.http.HTTPRequest), User (oidc.model.User), UserInfoRequest (com.nimbusds.openid.connect.sdk.UserInfoRequest), SignedJWT (com.nimbusds.jwt.SignedJWT), TreeMap (java.util.TreeMap), InvalidGrantException (oidc.exceptions.InvalidGrantException), AccessToken (oidc.model.AccessToken)