use of org.apache.cxf.rs.security.oauth2.common.ClientAccessToken in project cxf by apache.
the class OAuthInvoker method performInvocation.
@Override
protected Object performInvocation(Exchange exchange, final Object serviceObject, Method m, Object[] paramArray) throws Exception {
    // Bind the request's client token context (when one was attached to the
    // in-message) to the static holder for the duration of the service call, and
    // unbind it in finally so it cannot leak into a later request on this thread.
    final Message inMessage = exchange.getInMessage();
    final ClientTokenContext tokenContext = inMessage.getContent(ClientTokenContext.class);
    final boolean contextBound = tokenContext != null;
    try {
        if (contextBound) {
            StaticClientTokenContext.setClientTokenContext(tokenContext);
        }
        return super.performInvocation(exchange, serviceObject, m, paramArray);
    } catch (InvocationTargetException ex) {
        // Exactly one refresh-and-retry is attempted, and only when the service
        // rejected the call as unauthorized, a token context is bound and this
        // message has not been retried yet (OAUTH2_CALL_RETRIED guards against loops).
        final boolean unauthorized = ex.getCause() instanceof NotAuthorizedException;
        final boolean alreadyRetried = inMessage.containsKey(OAUTH2_CALL_RETRIED);
        if (!contextBound || !unauthorized || alreadyRetried) {
            throw ex;
        }
        final ClientAccessToken currentToken = tokenContext.getToken();
        if (currentToken.getRefreshToken() == null) {
            // Nothing to refresh with: surface the original failure unchanged.
            throw ex;
        }
        final ClientAccessToken refreshedToken =
            OAuthClientUtils.refreshAccessToken(accessTokenServiceClient, consumer, currentToken);
        // Subclasses may reject the refreshed token before it replaces the stored one.
        validateRefreshedToken(tokenContext, refreshedToken);
        final MessageContext mc = new MessageContextImpl(inMessage);
        ((ClientTokenContextImpl) tokenContext).setToken(refreshedToken);
        clientTokenContextManager.setClientTokenContext(mc, tokenContext);
        // Mark the message before retrying so a second rejection is not retried again.
        inMessage.put(OAUTH2_CALL_RETRIED, true);
        return super.performInvocation(exchange, serviceObject, m, paramArray);
    } finally {
        if (contextBound) {
            StaticClientTokenContext.removeClientTokenContext();
        }
    }
}
use of org.apache.cxf.rs.security.oauth2.common.ClientAccessToken in project cxf by apache.
the class ClientCodeRequestFilter method getClientTokenContext.
protected ClientTokenContext getClientTokenContext(ContainerRequestContext rc) {
    // Returns the token context the configured manager holds for this request, or
    // null when no manager is configured or it has nothing stored. Before handing it
    // back, refreshAccessTokenIfExpired is given a chance to supply a replacement
    // access token; a non-null replacement is stored back through the manager.
    if (clientTokenContextManager == null) {
        return null;
    }
    final ClientTokenContext ctx = clientTokenContextManager.getClientTokenContext(mc);
    if (ctx == null) {
        return null;
    }
    final ClientAccessToken replacement = refreshAccessTokenIfExpired(ctx.getToken());
    if (replacement != null) {
        // Persist the new token so subsequent requests see it as well.
        ((ClientTokenContextImpl) ctx).setToken(replacement);
        clientTokenContextManager.setClientTokenContext(mc, ctx);
    }
    return ctx;
}
use of org.apache.cxf.rs.security.oauth2.common.ClientAccessToken in project cxf by apache.
the class OidcClientCodeRequestFilter method createTokenContext.
@Override
protected ClientTokenContext createTokenContext(ContainerRequestContext rc, ClientAccessToken at, MultivaluedMap<String, String> requestParams, MultivaluedMap<String, String> state) {
    // Reuse the OIDC context already attached to this request's security context.
    if (rc.getSecurityContext() instanceof OidcSecurityContext) {
        return ((OidcSecurityContext) rc.getSecurityContext()).getOidcContext();
    }
    final OidcClientTokenContextImpl ctx = new OidcClientTokenContextImpl();
    if (at == null) {
        // No access token yet: return an empty context and leave the request's
        // security context untouched.
        return ctx;
    }
    if (idTokenReader == null) {
        // Without a reader the id token cannot be obtained or validated; report a
        // server-side error rather than establishing an unverified context.
        throw new OAuthServiceException(OAuthConstants.SERVER_ERROR);
    }
    final String code = requestParams.getFirst(OAuthConstants.AUTHORIZATION_CODE_VALUE);
    final IdToken idToken = idTokenReader.getIdToken(at, code, getConsumer());
    // Check the id token against the values recorded at redirection time.
    validateIdToken(idToken, state);
    ctx.setIdToken(idToken);
    if (userInfoClient != null) {
        ctx.setUserInfo(userInfoClient.getUserInfo(at, ctx.getIdToken(), getConsumer()));
    }
    final OidcSecurityContext oidcSecCtx = new OidcSecurityContext(ctx);
    oidcSecCtx.setRoleClaim(roleClaim);
    rc.setSecurityContext(oidcSecCtx);
    return ctx;
}
use of org.apache.cxf.rs.security.oauth2.common.ClientAccessToken in project cxf by apache.
the class OidcInvoker method validateRefreshedToken.
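@Override
protected void validateRefreshedToken(ClientTokenContext tokenContext, ClientAccessToken refreshedToken) {
    /*
     * Cross-checks the id token delivered alongside a refreshed access token against
     * the id token the session was established with, and only then replaces the
     * stored id token. Every comparison fails closed: a missing or mismatching claim
     * raises OAuthServiceException instead of an incidental NullPointerException
     * (the original unboxing of iat and the unguarded equals/containsAll calls could
     * only ever reject with an NPE, which made the failure reason opaque).
     *
     * tokenContext   the context holding the current id token; expected to be an
     *                OidcClientTokenContextImpl
     * refreshedToken the token response from the refresh call; when it carries no
     *                id_token parameter nothing is validated or changed
     * throws OAuthServiceException when iss, sub, aud, auth_time, azp or iat of the
     *                new id token do not match the stored one as described below
     */
    if (!refreshedToken.getParameters().containsKey(OidcUtils.ID_TOKEN)) {
        return;
    }
    IdToken newIdToken = idTokenReader.getIdToken(refreshedToken, getConsumer());
    OidcClientTokenContextImpl oidcContext = (OidcClientTokenContextImpl) tokenContext;
    IdToken currentIdToken = oidcContext.getIdToken();

    // iss and sub must be identical; a null claim in the new token is a mismatch.
    String newIssuer = newIdToken.getIssuer();
    if (newIssuer == null || !newIssuer.equals(currentIdToken.getIssuer())) {
        throw new OAuthServiceException("Invalid id token issuer");
    }
    String newSubject = newIdToken.getSubject();
    if (newSubject == null || !newSubject.equals(currentIdToken.getSubject())) {
        throw new OAuthServiceException("Invalid id token subject");
    }
    // The new token must still be addressed to every audience of the original one.
    if (newIdToken.getAudiences() == null || currentIdToken.getAudiences() == null
        || !newIdToken.getAudiences().containsAll(currentIdToken.getAudiences())) {
        throw new OAuthServiceException("Invalid id token audience(s)");
    }
    // auth_time, when the new token carries it, must equal the original value.
    Long newAuthTime = newIdToken.getAuthenticationTime();
    if (newAuthTime != null && !newAuthTime.equals(currentIdToken.getAuthenticationTime())) {
        throw new OAuthServiceException("Invalid id token auth_time");
    }
    // azp must be unchanged; "absent on both sides" counts as equal.
    String newAzp = newIdToken.getAuthorizedParty();
    String origAzp = currentIdToken.getAuthorizedParty();
    if (newAzp == null ? origAzp != null : !newAzp.equals(origAzp)) {
        throw new OAuthServiceException("Invalid id token authorized party");
    }
    // iat must be present on both tokens and must not move backwards; the explicit
    // null checks avoid an NPE on unboxing while keeping the rejection.
    Long newIssuedTime = newIdToken.getIssuedAt();
    Long origIssuedTime = currentIdToken.getIssuedAt();
    if (newIssuedTime == null || origIssuedTime == null || newIssuedTime < origIssuedTime) {
        throw new OAuthServiceException("Invalid id token issued time");
    }
    oidcContext.setIdToken(newIdToken);
}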
use of org.apache.cxf.rs.security.oauth2.common.ClientAccessToken in project cxf by apache.
the class OAuth2JwtFiltersTest method doTestServiceWithJwtTokenAndScope.
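private void doTestServiceWithJwtTokenAndScope(String oauthService, String rsAddress) throws Exception {
    // End-to-end authorization-code flow against the given OAuth service: obtain a
    // code as "alice", exchange it for a JWT access token, verify the token's
    // signature and claims, then use it as a bearer token against rsAddress.
    // The assertEquals calls at the end now pass the expected value first, as the
    // assertion API's (expected, actual) order requires; the original had them
    // swapped, which produces a misleading failure message.
    final AuthorizationMetadata authorizationMetadata = OAuthClientUtils.getAuthorizationMetadata(oauthService);
    final String scope = "create_book";
    final URI authorizationURI = OAuthClientUtils.getAuthorizationURI(authorizationMetadata.getAuthorizationEndpoint().toString(), "consumer-id", null, null, scope);
    // Get Authorization Code (test fixture credentials for the resource owner)
    WebClient oauthClient = WebClient.create(authorizationURI.toString(), OAuth2TestUtils.setupProviders(), "alice", "security", null);
    // Save the Cookie for the second request...
    WebClient.getConfig(oauthClient).getRequestContext().put(org.apache.cxf.message.Message.MAINTAIN_SESSION, Boolean.TRUE);
    final String location = OAuth2TestUtils.getLocation(oauthClient, oauthClient.accept(MediaType.APPLICATION_JSON).get(OAuthAuthorizationData.class), null);
    final String code = OAuth2TestUtils.getSubstring(location, "code");
    assertNotNull(code);
    // Now get the access token. The trailing flag presumably selects the
    // Authorization header for the client credentials -- confirm against OAuthClientUtils.
    final ClientAccessToken accessToken = OAuthClientUtils.getAccessToken(authorizationMetadata.getTokenEndpoint().toString(), new Consumer("consumer-id", "this-is-a-secret"), new AuthorizationCodeGrant(code), true);
    assertNotNull(accessToken.getTokenKey());
    // The access token is a signed JWT: verify the signature with the configured
    // verifier before trusting any of its claims.
    JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(accessToken.getTokenKey());
    JwsSignatureVerifier verifier = JwsUtils.loadSignatureVerifier("org/apache/cxf/systest/jaxrs/security/alice.rs.properties", null);
    assertTrue(jwtConsumer.verifySignatureWith(verifier));
    JwtClaims claims = jwtConsumer.getJwtClaims();
    assertEquals("consumer-id", claims.getStringProperty(OAuthConstants.CLIENT_ID));
    assertEquals("alice", claims.getStringProperty("username"));
    assertTrue(claims.getStringProperty(OAuthConstants.SCOPE).contains(scope));
    // Now invoke on the service with the access token
    WebClient client = WebClient.create(rsAddress, OAuth2TestUtils.setupProviders()).authorization(new ClientAccessToken(BEARER_AUTHORIZATION_SCHEME, accessToken.getTokenKey()));
    Book returnedBook = client.type("application/xml").post(new Book("book", 123L), Book.class);
    assertEquals("book", returnedBook.getName());
    assertEquals(123L, returnedBook.getId());
}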