the class UserInfoEndpoint method userInfo.
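/**
 * Handles an OIDC UserInfo request: validates the presented bearer access token and returns
 * the user's claims as a key-sorted JSON object.
 *
 * <p>Checks, in order: the token parses and its signature validates, an {@code AccessToken}
 * record exists for the JWT ID, that record has not expired, and it was not issued through the
 * client-credentials grant (which carries no end user). Any failing check short-circuits.
 *
 * @param request the servlet request carrying the access token
 * @return {@code 200} with the user attributes (plus {@code acr}, {@code updated_at} and
 *     {@code sub}), or the project's error response when the token is unknown or expired
 * @throws InvalidGrantException when the token belongs to a client-credentials grant
 * @throws ParseException when the UserInfo request cannot be parsed
 * @throws java.text.ParseException when the JWT claims cannot be parsed
 * @throws IOException when the underlying request cannot be read
 */
private ResponseEntity<Map<String, Object>> userInfo(HttpServletRequest request) throws ParseException, IOException, java.text.ParseException {
    HTTPRequest httpRequest = ServletUtils.createHTTPRequest(request);
    UserInfoRequest userInfoRequest = UserInfoRequest.parse(httpRequest);
    String accessTokenValue = userInfoRequest.getAccessToken().getValue();
    // NOTE(review): this places the raw bearer token in the MDC, from where it can reach log
    // output. A non-secret correlation value (e.g. the JWT ID once parsed) would be safer.
    MDCContext.mdcContext("action", "Userinfo", "accessTokenValue", accessTokenValue);
    // Signature validation happens before any repository lookup.
    Optional<SignedJWT> optionalSignedJWT = tokenGenerator.parseAndValidateSignedJWT(accessTokenValue);
    if (!optionalSignedJWT.isPresent()) {
        return errorResponse("Access Token not found");
    }
    SignedJWT signedJWT = optionalSignedJWT.get();
    String jwtId = signedJWT.getJWTClaimsSet().getJWTID();
    Optional<AccessToken> optionalAccessToken = accessTokenRepository.findByJwtId(jwtId);
    if (!optionalAccessToken.isPresent()) {
        return errorResponse("Access Token not found");
    }
    AccessToken accessToken = optionalAccessToken.get();
    if (accessToken.isExpired(Clock.systemDefaultZone())) {
        return errorResponse("Access Token expired");
    }
    if (accessToken.isClientCredentials()) {
        throw new InvalidGrantException("UserEndpoint not allowed for Client Credentials");
    }
    User user = tokenGenerator.decryptAccessTokenWithEmbeddedUserInfo(signedJWT);
    MDCContext.mdcContext(user);
    // Copy into the sorted response map up front so the response-only claims added below are
    // not written back into the User's own attribute map (and no raw TreeMap is needed).
    Map<String, Object> attributes = new TreeMap<>(user.getAttributes());
    List<String> acrClaims = user.getAcrClaims();
    if (!CollectionUtils.isEmpty(acrClaims)) {
        // Multiple ACR values are serialised as a single space-separated string.
        attributes.put("acr", String.join(" ", acrClaims));
    }
    attributes.put("updated_at", user.getUpdatedAt());
    attributes.put("sub", user.getSub());
    return ResponseEntity.ok(attributes);
}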
the class TokenGeneratorTest method defaultAcrValue.
/** A user without any ACR claims must get the configured default ACR value in the ID token. */
@Test
public void defaultAcrValue() throws IOException, JOSEException, NoSuchAlgorithmException, NoSuchProviderException, ParseException {
    User userWithoutAcr = new User("sub", "unspecifiedNameId", "http://mockidp", "clientId", getUserInfo(), emptyList());
    OpenIDClient mockSp = openIDClient("mock-sp");
    TokenValue idToken = tokenGenerator.generateIDTokenForTokenEndpoint(
            Optional.of(userWithoutAcr), mockSp, "nonce", emptyList(), emptyList(), Optional.empty());
    Object acrClaim = SignedJWT.parse(idToken.getValue()).getJWTClaimsSet().getClaim("acr");
    assertEquals("http://test.surfconext.nl/assurance/loa1", acrClaim);
}
the class TokenGeneratorTest method doEncryptAndDecryptAccessToken.
/**
 * Round-trips a user through an access token with embedded user info and checks that the
 * decrypted user and the {@code scope} claim survive intact.
 *
 * @param verify when {@code true} the token goes through signature validation before
 *     decryption; otherwise it is only parsed
 * @return the serialised access token, for callers that want to inspect it further
 */
private String doEncryptAndDecryptAccessToken(boolean verify) throws IOException, ParseException {
    User original = new User("sub", "unspecifiedNameId", "http://mockidp", "clientId", getUserInfo(), emptyList());
    Query byClientId = Query.query(Criteria.where("clientId").is("mock-sp"));
    OpenIDClient client = mongoTemplate.find(byClientId, OpenIDClient.class).get(0);
    EncryptedTokenValue encrypted = tokenGenerator.generateAccessTokenWithEmbeddedUserInfo(original, client, Arrays.asList("openid", "groups"));
    String serialised = encrypted.getValue();
    SignedJWT signedJWT;
    if (verify) {
        signedJWT = tokenGenerator.parseAndValidateSignedJWT(serialised).get();
    } else {
        signedJWT = SignedJWT.parse(serialised);
    }
    User roundTripped = tokenGenerator.decryptAccessTokenWithEmbeddedUserInfo(signedJWT);
    assertEquals(original, roundTripped);
    assertEquals("openid groups", signedJWT.getJWTClaimsSet().getStringClaim("scope"));
    return serialised;
}
the class TokenGeneratorTest method invalidAcrValueIsAllowed.
/** ACR values are passed through to the ID token verbatim, even ones that are not known. */
@Test
public void invalidAcrValueIsAllowed() throws IOException, ParseException {
    java.util.List<String> mixedAcrClaims = Arrays.asList("http://test.surfconext.nl/assurance/loa3", "invalid_acr");
    User userWithAcr = new User("sub", "unspecifiedNameId", "http://mockidp", "clientId", getUserInfo(), mixedAcrClaims);
    OpenIDClient mockSp = openIDClient("mock-sp");
    TokenValue idToken = tokenGenerator.generateIDTokenForTokenEndpoint(
            Optional.of(userWithAcr), mockSp, "nonce", emptyList(), emptyList(), Optional.empty());
    Object acrClaim = SignedJWT.parse(idToken.getValue()).getJWTClaimsSet().getClaim("acr");
    assertEquals("http://test.surfconext.nl/assurance/loa3 invalid_acr", acrClaim);
}
the class FakeSamlAuthenticationFilter method doFilter.
/**
 * Test-only filter that fakes a completed SAML login. For a request to one of the
 * {@code authorizeEndpoints} that has no authenticated {@code OidcSamlAuthentication} yet, it
 * reads a {@code User} from the request, replaces the user repository contents with that user,
 * marks the redirect URI as valid and installs the fake authentication. The chain always
 * continues afterwards.
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    Authentication current = SecurityContextHolder.getContext().getAuthentication();
    String uri = ((HttpServletRequest) request).getRequestURI();
    boolean isAuthorizeRequest = authorizeEndpoints.stream().anyMatch(uri::contains);
    if (isAuthorizeRequest
            && (current == null || !current.isAuthenticated())
            && !(current instanceof OidcSamlAuthentication)) {
        User fakeUser = getUser(objectMapper, request);
        // Only this user remains in the repository after the fake login.
        userRepository.deleteAll();
        userRepository.insert(fakeUser);
        request.setAttribute(REDIRECT_URI_VALID, true);
        OidcSamlAuthentication fakeAuthentication = new OidcSamlAuthentication(getAssertion(), fakeUser, "http://localhost");
        SecurityContextHolder.getContext().setAuthentication(fakeAuthentication);
    }
    chain.doFilter(request, response);
}