use of org.apache.cxf.rs.security.oauth2.client.ClientTokenContext in project cxf by apache.
the class OAuthInvoker method performInvocation.
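/**
 * Invokes the target service method with the caller's {@link ClientTokenContext} published
 * through {@link StaticClientTokenContext} for the duration of the call.
 *
 * <p>If the invocation fails with a {@link NotAuthorizedException} and the context carries a
 * refresh token, the access token is refreshed once, validated, stored back into the context
 * and the invocation is retried a single time. The retry is recorded in the message under
 * {@code OAUTH2_CALL_RETRIED} so that a second failure is propagated rather than retried.
 *
 * @param exchange      the current exchange; its in-message carries the token context
 * @param serviceObject the service instance to invoke
 * @param m             the service method
 * @param paramArray    the method arguments
 * @return the service method's result (or the result of the single retry)
 * @throws Exception the original {@link InvocationTargetException} when no retry is possible,
 *                   or any failure raised while refreshing/validating the token
 */
@Override
protected Object performInvocation(Exchange exchange, final Object serviceObject, Method m, Object[] paramArray) throws Exception {
    Message inMessage = exchange.getInMessage();
    ClientTokenContext tokenContext = inMessage.getContent(ClientTokenContext.class);
    try {
        if (tokenContext != null) {
            StaticClientTokenContext.setClientTokenContext(tokenContext);
        }
        return super.performInvocation(exchange, serviceObject, m, paramArray);
    } catch (InvocationTargetException ex) {
        if (tokenContext != null
            && ex.getCause() instanceof NotAuthorizedException
            && !inMessage.containsKey(OAUTH2_CALL_RETRIED)) {
            ClientAccessToken accessToken = tokenContext.getToken();
            // Guard the token itself, not only its refresh token: a context without a token must
            // surface the original NotAuthorizedException, not a NullPointerException.
            if (accessToken != null && accessToken.getRefreshToken() != null) {
                ClientAccessToken refreshed =
                    OAuthClientUtils.refreshAccessToken(accessTokenServiceClient, consumer, accessToken);
                // Subclasses may reject the refreshed token (e.g. mismatching id token claims).
                validateRefreshedToken(tokenContext, refreshed);
                MessageContext mc = new MessageContextImpl(inMessage);
                ((ClientTokenContextImpl) tokenContext).setToken(refreshed);
                clientTokenContextManager.setClientTokenContext(mc, tokenContext);
                // Mark the message before retrying so the retry itself is never retried again.
                inMessage.put(OAUTH2_CALL_RETRIED, true);
                return super.performInvocation(exchange, serviceObject, m, paramArray);
            }
        }
        throw ex;
    } finally {
        // Always clear the thread-bound context that was published above.
        if (tokenContext != null) {
            StaticClientTokenContext.removeClientTokenContext();
        }
    }
}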
use of org.apache.cxf.rs.security.oauth2.client.ClientTokenContext in project cxf by apache.
the class ClientCodeRequestFilter method getClientTokenContext.
/**
 * Returns the client token context stored for the current request, refreshing its access
 * token first when it has expired.
 *
 * <p>When a refreshed token is obtained it is written back into the context and the
 * updated context is stored again through the {@code clientTokenContextManager}.
 *
 * @param rc the current request context (not consulted here; the lookup goes through {@code mc})
 * @return the stored (possibly refreshed) context, or {@code null} when no manager is
 *         configured or nothing is stored
 */
protected ClientTokenContext getClientTokenContext(ContainerRequestContext rc) {
    if (clientTokenContextManager == null) {
        return null;
    }
    ClientTokenContext stored = clientTokenContextManager.getClientTokenContext(mc);
    if (stored == null) {
        return null;
    }
    ClientAccessToken refreshed = refreshAccessTokenIfExpired(stored.getToken());
    if (refreshed != null) {
        // The stored context is assumed to be a ClientTokenContextImpl; the cast is unchecked.
        ((ClientTokenContextImpl) stored).setToken(refreshed);
        clientTokenContextManager.setClientTokenContext(mc, stored);
    }
    return stored;
}
use of org.apache.cxf.rs.security.oauth2.client.ClientTokenContext in project cxf by apache.
the class OidcClientCodeRequestFilter method createTokenContext.
/**
 * Builds the OIDC token context for a completed authorization code exchange.
 *
 * <p>If the request already carries an {@link OidcSecurityContext}, its context is reused.
 * Otherwise a new {@link OidcClientTokenContextImpl} is created; when an access token is
 * present the id token is read from it, validated against the redirect {@code state},
 * optionally enriched with user info, and an {@link OidcSecurityContext} is installed on
 * the request.
 *
 * @param rc            the current request context
 * @param at            the access token obtained from the code exchange, may be {@code null}
 * @param requestParams the redirect request parameters (the authorization code is read from them)
 * @param state         the state saved at redirection time, handed to {@code validateIdToken};
 *                      may be {@code null} when no state manager is configured — confirm
 *                      {@code validateIdToken} tolerates that
 * @return the token context, never {@code null}
 * @throws OAuthServiceException when a token is present but no {@code idTokenReader} is configured
 */
@Override
protected ClientTokenContext createTokenContext(ContainerRequestContext rc, ClientAccessToken at, MultivaluedMap<String, String> requestParams, MultivaluedMap<String, String> state) {
    if (rc.getSecurityContext() instanceof OidcSecurityContext) {
        OidcSecurityContext existing = (OidcSecurityContext) rc.getSecurityContext();
        return existing.getOidcContext();
    }
    OidcClientTokenContextImpl tokenCtx = new OidcClientTokenContextImpl();
    if (at == null) {
        return tokenCtx;
    }
    if (idTokenReader == null) {
        throw new OAuthServiceException(OAuthConstants.SERVER_ERROR);
    }
    String code = requestParams.getFirst(OAuthConstants.AUTHORIZATION_CODE_VALUE);
    IdToken idToken = idTokenReader.getIdToken(at, code, getConsumer());
    // Check the claims against what was recorded when the user was redirected.
    validateIdToken(idToken, state);
    tokenCtx.setIdToken(idToken);
    if (userInfoClient != null) {
        tokenCtx.setUserInfo(userInfoClient.getUserInfo(at, tokenCtx.getIdToken(), getConsumer()));
    }
    OidcSecurityContext secCtx = new OidcSecurityContext(tokenCtx);
    secCtx.setRoleClaim(roleClaim);
    rc.setSecurityContext(secCtx);
    return tokenCtx;
}
use of org.apache.cxf.rs.security.oauth2.client.ClientTokenContext in project cxf by apache.
the class OidcInvoker method validateRefreshedToken.
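/**
 * Validates the id token delivered with a refreshed access token against the id token
 * currently held in the context, and replaces the stored id token on success.
 *
 * <p>The refreshed id token must have the same issuer, subject, authorized party and
 * (when present) auth_time as the current one, must cover all of its audiences, and must
 * not have been issued earlier. Tokens without an id token parameter are accepted as-is.
 *
 * @param tokenContext   the context holding the current id token; expected to be an
 *                       {@link OidcClientTokenContextImpl} (the cast is unchecked) whose
 *                       id token is set — confirm callers guarantee this
 * @param refreshedToken the token returned by the refresh grant
 * @throws OAuthServiceException when any of the claim checks fails, including a missing
 *                               issuer, subject or iat on the refreshed id token
 */
@Override
protected void validateRefreshedToken(ClientTokenContext tokenContext, ClientAccessToken refreshedToken) {
    if (!refreshedToken.getParameters().containsKey(OidcUtils.ID_TOKEN)) {
        return;
    }
    IdToken newIdToken = idTokenReader.getIdToken(refreshedToken, getConsumer());
    OidcClientTokenContextImpl oidcContext = (OidcClientTokenContextImpl) tokenContext;
    IdToken currentIdToken = oidcContext.getIdToken();

    // A refreshed id token lacking iss or sub is rejected explicitly instead of failing
    // with a NullPointerException on equals().
    String newIssuer = newIdToken.getIssuer();
    if (newIssuer == null || !newIssuer.equals(currentIdToken.getIssuer())) {
        throw new OAuthServiceException("Invalid id token issuer");
    }
    String newSubject = newIdToken.getSubject();
    if (newSubject == null || !newSubject.equals(currentIdToken.getSubject())) {
        throw new OAuthServiceException("Invalid id token subject");
    }
    if (!newIdToken.getAudiences().containsAll(currentIdToken.getAudiences())) {
        throw new OAuthServiceException("Invalid id token audience(s)");
    }
    // auth_time is optional; only an explicitly different value is rejected.
    Long newAuthTime = newIdToken.getAuthenticationTime();
    if (newAuthTime != null && !newAuthTime.equals(currentIdToken.getAuthenticationTime())) {
        throw new OAuthServiceException("Invalid id token auth_time");
    }
    // azp must be absent on both or equal on both (null-safe equality).
    String newAzp = newIdToken.getAuthorizedParty();
    String origAzp = currentIdToken.getAuthorizedParty();
    if (newAzp == null ? origAzp != null : !newAzp.equals(origAzp)) {
        throw new OAuthServiceException("Invalid id token authorized party");
    }
    // Both iat values are unboxed for the comparison; a missing iat on either side is
    // rejected explicitly rather than surfacing as a NullPointerException.
    Long newIssuedTime = newIdToken.getIssuedAt();
    Long origIssuedTime = currentIdToken.getIssuedAt();
    if (newIssuedTime == null || origIssuedTime == null || newIssuedTime < origIssuedTime) {
        throw new OAuthServiceException("Invalid id token issued time");
    }
    oidcContext.setIdToken(newIdToken);
}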
use of org.apache.cxf.rs.security.oauth2.client.ClientTokenContext in project cxf by apache.
the class ClientCodeRequestFilter method processCodeResponse.
/**
 * Handles the redirect back from the authorization server after the code grant.
 *
 * <p>Restores the state saved at redirection time (when a state manager is configured),
 * exchanges the {@code code} parameter for an access token, initializes the client token
 * context, stores it through the token context manager when a token was obtained, and
 * records it as the current client code request.
 *
 * @param rc            the current request context
 * @param ui            URI info used to rebuild the absolute redirect URI for the grant
 * @param requestParams the redirect request parameters
 */
protected void processCodeResponse(ContainerRequestContext rc, UriInfo ui, MultivaluedMap<String, String> requestParams) {
    MultivaluedMap<String, String> redirectState =
        clientStateManager == null ? null : clientStateManager.fromRedirectState(mc, requestParams);

    String code = requestParams.getFirst(OAuthConstants.AUTHORIZATION_CODE_VALUE);
    ClientAccessToken accessToken = null;
    if (code != null) {
        AuthorizationCodeGrant grant = prepareCodeGrant(code, getAbsoluteRedirectUri(ui));
        if (redirectState != null) {
            // The code verifier saved with the redirect state is sent along with the grant.
            grant.setCodeVerifier(redirectState.getFirst(OAuthConstants.AUTHORIZATION_CODE_VERIFIER));
        }
        accessToken = OAuthClientUtils.getAccessToken(accessTokenServiceClient, consumer, grant, useAuthorizationHeader);
    }

    // The context is initialized even without a token; only a real token is persisted.
    ClientTokenContext tokenContext = initializeClientTokenContext(rc, accessToken, requestParams, redirectState);
    boolean persist = accessToken != null && clientTokenContextManager != null;
    if (persist) {
        clientTokenContextManager.setClientTokenContext(mc, tokenContext);
    }
    setClientCodeRequest(tokenContext);
}