
Example 1 with ClientTokenContext

Use of org.apache.cxf.rs.security.oauth2.client.ClientTokenContext in the project cxf by apache.

From the class OAuthInvoker, method performInvocation.

/**
 * Invokes the service method with the request's {@link ClientTokenContext} exposed through
 * {@link StaticClientTokenContext} for the duration of the call, and retries the call once with a
 * refreshed access token when the invocation fails with a {@link NotAuthorizedException}.
 *
 * @param exchange the current exchange; its in-message is read for the token context
 * @param serviceObject the service instance the method is invoked on
 * @param m the service method being invoked
 * @param paramArray the arguments passed to the service method
 * @return the value returned by the (possibly retried) service invocation
 * @throws Exception whatever the delegate invocation throws; an {@link InvocationTargetException}
 *         is rethrown unchanged when no retry is possible, and a failure of the retry itself is
 *         propagated as-is because the retried message is already flagged
 */
@Override
protected Object performInvocation(Exchange exchange, final Object serviceObject, Method m, Object[] paramArray) throws Exception {
    Message inMessage = exchange.getInMessage();
    // The token context is expected to have been stored as message content earlier in the
    // chain (presumably by a client-side request filter) — it may legitimately be absent.
    ClientTokenContext tokenContext = inMessage.getContent(ClientTokenContext.class);
    try {
        if (tokenContext != null) {
            StaticClientTokenContext.setClientTokenContext(tokenContext);
        }
        return super.performInvocation(exchange, serviceObject, m, paramArray);
    } catch (InvocationTargetException ex) {
        // Retry only when: a token context is present, the service failed specifically with
        // NotAuthorizedException, and this message has not been retried already.
        if (tokenContext != null && ex.getCause() instanceof NotAuthorizedException && !inMessage.containsKey(OAUTH2_CALL_RETRIED)) {
            ClientAccessToken accessToken = tokenContext.getToken();
            String refreshToken = accessToken.getRefreshToken();
            // Without a refresh token there is nothing to retry with; fall through and rethrow.
            if (refreshToken != null) {
                // Exchange the refresh token using the configured token service client and consumer.
                accessToken = OAuthClientUtils.refreshAccessToken(accessTokenServiceClient, consumer, accessToken);
                // Overridable hook: lets subclasses check the refreshed token before it is stored.
                validateRefreshedToken(tokenContext, accessToken);
                MessageContext mc = new MessageContextImpl(inMessage);
                // The context is updated in place and persisted through the context manager.
                ((ClientTokenContextImpl) tokenContext).setToken(accessToken);
                clientTokenContextManager.setClientTokenContext(mc, tokenContext);
                // retry — the flag is set first so a second NotAuthorizedException is not retried again
                inMessage.put(OAUTH2_CALL_RETRIED, true);
                return super.performInvocation(exchange, serviceObject, m, paramArray);
            }
        }
        throw ex;
    } finally {
        // Clear the static context only if this call installed it.
        if (tokenContext != null) {
            StaticClientTokenContext.removeClientTokenContext();
        }
    }
}

Example 2 with ClientTokenContext

Use of org.apache.cxf.rs.security.oauth2.client.ClientTokenContext in the project cxf by apache.

From the class ClientCodeRequestFilter, method getClientTokenContext.

/**
 * Looks up the stored {@link ClientTokenContext} for the current request and refreshes its
 * access token if the refresh hook reports a replacement.
 *
 * @param rc the container request context (not used by this implementation)
 * @return the stored token context, or {@code null} when no context manager is configured or
 *         nothing is stored for the current request
 */
protected ClientTokenContext getClientTokenContext(ContainerRequestContext rc) {
    // Without a context manager there is nowhere to look the context up.
    if (clientTokenContextManager == null) {
        return null;
    }
    ClientTokenContext stored = clientTokenContextManager.getClientTokenContext(mc);
    if (stored == null) {
        return null;
    }
    // A non-null result from the refresh hook replaces the held token; the updated context is
    // written back so the refreshed token is what later requests see.
    ClientAccessToken replacement = refreshAccessTokenIfExpired(stored.getToken());
    if (replacement != null) {
        ((ClientTokenContextImpl) stored).setToken(replacement);
        clientTokenContextManager.setClientTokenContext(mc, stored);
    }
    return stored;
}

Example 3 with ClientTokenContext

Use of org.apache.cxf.rs.security.oauth2.client.ClientTokenContext in the project cxf by apache.

From the class OidcClientCodeRequestFilter, method createTokenContext.

/**
 * Builds the OIDC token context for a code-flow response: reads and validates the id_token that
 * accompanies the access token, optionally fetches UserInfo, and installs an
 * {@link OidcSecurityContext} on the request.
 *
 * @param rc the container request context; an existing {@link OidcSecurityContext} on it is reused
 * @param at the access token obtained for the authorization code, or {@code null} if none was obtained
 * @param requestParams the redirect request parameters (the authorization code is read from them)
 * @param state the state restored for this redirect, passed on to id_token validation
 * @return the token context; empty (no id_token, no UserInfo) when {@code at} is {@code null}
 * @throws OAuthServiceException with {@code OAuthConstants.SERVER_ERROR} when an access token is
 *         present but no id_token reader is configured
 */
@Override
protected ClientTokenContext createTokenContext(ContainerRequestContext rc, ClientAccessToken at, MultivaluedMap<String, String> requestParams, MultivaluedMap<String, String> state) {
    // A request that already carries an OIDC security context has its token context ready.
    if (rc.getSecurityContext() instanceof OidcSecurityContext) {
        OidcSecurityContext existing = (OidcSecurityContext) rc.getSecurityContext();
        return existing.getOidcContext();
    }
    OidcClientTokenContextImpl ctx = new OidcClientTokenContextImpl();
    if (at == null) {
        // No access token: nothing to validate, and the security context is left untouched.
        return ctx;
    }
    if (idTokenReader == null) {
        throw new OAuthServiceException(OAuthConstants.SERVER_ERROR);
    }
    String code = requestParams.getFirst(OAuthConstants.AUTHORIZATION_CODE_VALUE);
    IdToken idToken = idTokenReader.getIdToken(at, code, getConsumer());
    // The id_token is checked against the values recorded at redirect time before it is trusted.
    validateIdToken(idToken, state);
    ctx.setIdToken(idToken);
    if (userInfoClient != null) {
        ctx.setUserInfo(userInfoClient.getUserInfo(at, ctx.getIdToken(), getConsumer()));
    }
    OidcSecurityContext secCtx = new OidcSecurityContext(ctx);
    secCtx.setRoleClaim(roleClaim);
    rc.setSecurityContext(secCtx);
    return ctx;
}

Example 4 with ClientTokenContext

Use of org.apache.cxf.rs.security.oauth2.client.ClientTokenContext in the project cxf by apache.

From the class OidcInvoker, method validateRefreshedToken.

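/**
 * Validates the id_token delivered with a refreshed access token against the id_token currently
 * held in the client token context and, when it passes, makes it the current id_token.
 *
 * <p>A refreshed token without an id_token parameter is accepted unchanged. Otherwise the new
 * id_token must keep the same issuer, subject and authorized party, must carry at least the
 * audiences of the current token, must not move auth_time when it states one, and must not be
 * issued before the current token. A required claim (iss, sub, iat) that is missing is treated as
 * invalid and rejected with an {@link OAuthServiceException} instead of surfacing as a
 * {@link NullPointerException}.
 *
 * @param tokenContext the context holding the current id_token; expected to be an
 *        {@link OidcClientTokenContextImpl}
 * @param refreshedToken the access token returned by the refresh grant
 * @throws OAuthServiceException when the new id_token does not match the current one
 */
@Override
protected void validateRefreshedToken(ClientTokenContext tokenContext, ClientAccessToken refreshedToken) {
    if (!refreshedToken.getParameters().containsKey(OidcUtils.ID_TOKEN)) {
        return;
    }
    IdToken newIdToken = idTokenReader.getIdToken(refreshedToken, getConsumer());
    OidcClientTokenContextImpl oidcContext = (OidcClientTokenContextImpl) tokenContext;
    IdToken currentIdToken = oidcContext.getIdToken();

    // iss and sub are mandatory; a missing value fails the comparison rather than being dereferenced.
    String newIssuer = newIdToken.getIssuer();
    if (newIssuer == null || !newIssuer.equals(currentIdToken.getIssuer())) {
        throw new OAuthServiceException("Invalid id token issuer");
    }
    String newSubject = newIdToken.getSubject();
    if (newSubject == null || !newSubject.equals(currentIdToken.getSubject())) {
        throw new OAuthServiceException("Invalid id token subject");
    }
    // The new token may add audiences but must retain every audience of the current token.
    if (newIdToken.getAudiences() == null
        || !newIdToken.getAudiences().containsAll(currentIdToken.getAudiences())) {
        throw new OAuthServiceException("Invalid id token audience(s)");
    }
    // auth_time is only compared when the new token states it.
    Long newAuthTime = newIdToken.getAuthenticationTime();
    if (newAuthTime != null && !newAuthTime.equals(currentIdToken.getAuthenticationTime())) {
        throw new OAuthServiceException("Invalid id token auth_time");
    }
    // azp must be absent in both tokens or present and equal in both.
    String newAzp = newIdToken.getAuthorizedParty();
    String origAzp = currentIdToken.getAuthorizedParty();
    boolean azpUnchanged = newAzp == null ? origAzp == null : newAzp.equals(origAzp);
    if (!azpUnchanged) {
        throw new OAuthServiceException("Invalid id token authorized party");
    }
    // iat is mandatory on both tokens; the refreshed token must not predate the current one.
    Long newIssuedTime = newIdToken.getIssuedAt();
    Long origIssuedTime = currentIdToken.getIssuedAt();
    if (newIssuedTime == null || origIssuedTime == null || newIssuedTime < origIssuedTime) {
        throw new OAuthServiceException("Invalid id token issued time");
    }
    oidcContext.setIdToken(newIdToken);
}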

Example 5 with ClientTokenContext

Use of org.apache.cxf.rs.security.oauth2.client.ClientTokenContext in the project cxf by apache.

From the class ClientCodeRequestFilter, method processCodeResponse.

/**
 * Handles the redirect back from the authorization server: restores the redirect state,
 * exchanges the authorization code (if present) for an access token, initializes the client token
 * context, stores it when a token was obtained, and records the outcome on the request.
 *
 * @param rc the container request context
 * @param ui the request URI info, used to compute the absolute redirect URI for the code grant
 * @param requestParams the redirect request parameters; the authorization code is read from them
 */
protected void processCodeResponse(ContainerRequestContext rc, UriInfo ui, MultivaluedMap<String, String> requestParams) {
    // Redirect state is only available when a state manager is configured.
    MultivaluedMap<String, String> state = clientStateManager == null
        ? null
        : clientStateManager.fromRedirectState(mc, requestParams);
    ClientAccessToken at = null;
    String codeParam = requestParams.getFirst(OAuthConstants.AUTHORIZATION_CODE_VALUE);
    if (codeParam != null) {
        AuthorizationCodeGrant grant = prepareCodeGrant(codeParam, getAbsoluteRedirectUri(ui));
        if (state != null) {
            // The code verifier saved with the redirect state accompanies the code exchange.
            grant.setCodeVerifier(state.getFirst(OAuthConstants.AUTHORIZATION_CODE_VERIFIER));
        }
        at = OAuthClientUtils.getAccessToken(accessTokenServiceClient, consumer, grant, useAuthorizationHeader);
    }
    ClientTokenContext tokenContext = initializeClientTokenContext(rc, at, requestParams, state);
    // Only a context backed by an actual access token is persisted.
    boolean persist = at != null && clientTokenContextManager != null;
    if (persist) {
        clientTokenContextManager.setClientTokenContext(mc, tokenContext);
    }
    setClientCodeRequest(tokenContext);
}
