
Example 1 with OAuthRedirectionState

use of org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState in project cxf by apache.

Class AuthorizationCodeGrantService, method createCodeRegistration.

/**
 * Builds the {@link AuthorizationCodeRegistration} that is handed to the data provider
 * when a new authorization code is issued.
 *
 * <p>Every field except the approved scope is copied straight from the redirection
 * state and the arguments; the approved scope is derived through
 * {@code getApprovedScope} so that requested/approved reconciliation is applied
 * in one place.
 *
 * @param state              redirection state captured when the flow started
 * @param client             client the code is being issued to
 * @param requestedScope     scopes the client asked for
 * @param approvedScope      scopes the end user approved (may be narrower)
 * @param userSubject        authenticated resource owner
 * @param preauthorizedToken previously issued token if one was found, otherwise {@code null}
 * @return a populated registration, never {@code null}
 */
protected AuthorizationCodeRegistration createCodeRegistration(OAuthRedirectionState state, Client client, List<String> requestedScope, List<String> approvedScope, UserSubject userSubject, ServerAccessToken preauthorizedToken) {
    final AuthorizationCodeRegistration registration = new AuthorizationCodeRegistration();
    // Who the code is for and where it may be delivered.
    registration.setClient(client);
    registration.setSubject(userSubject);
    registration.setRedirectUri(state.getRedirectUri());
    registration.setResponseType(state.getResponseType());
    // Scope handling: keep the raw request, derive the effective approval.
    registration.setRequestedScope(requestedScope);
    registration.setApprovedScope(getApprovedScope(requestedScope, approvedScope));
    // Values that tie the code to this particular request: audience, nonce and the
    // client code challenge the token endpoint will later verify.
    registration.setAudience(state.getAudience());
    registration.setNonce(state.getNonce());
    registration.setClientCodeChallenge(state.getClientCodeChallenge());
    registration.setPreauthorizedTokenAvailable(preauthorizedToken != null);
    // Carry over whatever extra properties the state accumulated.
    registration.getExtraProperties().putAll(state.getExtraProperties());
    return registration;
}

Example 2 with OAuthRedirectionState

use of org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState in project cxf by apache.

Class AuthorizationCodeGrantService, method getGrantRepresentation.

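/**
 * Creates the server-side authorization code grant for an approved request.
 *
 * <p>The registration is built by {@code createCodeRegistration} and passed to the
 * configured data provider, which must be an {@link AuthorizationCodeDataProvider}.
 * A warning is logged when the provider issues a code whose lifetime exceeds
 * {@code RECOMMENDED_CODE_EXPIRY_TIME_SECS}; the message now reports the actual
 * lifetime and the threshold instead of a hard-coded "10 minutes", so it stays
 * correct if the constant is ever changed and gives operators the value to act on.
 *
 * @param state              redirection state captured when the flow started
 * @param client             client the code is being issued to
 * @param requestedScope     scopes the client asked for
 * @param approvedScope      scopes the end user approved
 * @param userSubject        authenticated resource owner
 * @param preauthorizedToken previously issued token if one was found, otherwise {@code null}
 * @return the grant created by the data provider
 * @throws ClassCastException if the data provider does not implement
 *         {@link AuthorizationCodeDataProvider}
 */
public ServerAuthorizationCodeGrant getGrantRepresentation(OAuthRedirectionState state, Client client, List<String> requestedScope, List<String> approvedScope, UserSubject userSubject, ServerAccessToken preauthorizedToken) {
    AuthorizationCodeRegistration codeReg = createCodeRegistration(state, client, requestedScope, approvedScope, userSubject, preauthorizedToken);
    // Only a code-capable provider can back this service; a misconfigured provider
    // fails fast here rather than later in the flow.
    ServerAuthorizationCodeGrant grant = ((AuthorizationCodeDataProvider) getDataProvider()).createCodeGrant(codeReg);
    final long expiresIn = grant.getExpiresIn();
    if (expiresIn > RECOMMENDED_CODE_EXPIRY_TIME_SECS) {
        // Include the real numbers so the warning is accurate and actionable.
        LOG.warning("Code expiry time " + expiresIn + "s exceeds the recommended maximum of "
                + RECOMMENDED_CODE_EXPIRY_TIME_SECS + "s");
    }
    return grant;
}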

Example 3 with OAuthRedirectionState

use of org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState in project cxf by apache.

Class RedirectionBasedGrantService, method completeAuthorization.

/**
 * Completes the authorization process once the end user has submitted their decision.
 *
 * <p>Order matters here: the user is authenticated first, the request is then bound
 * to the user's session through the session authenticity token, and only after that
 * is the redirection state (client, redirect URI, proposed scope) reconstructed and
 * the decision evaluated. A missing or mismatching session token is rejected with a
 * 400 before any state is touched.
 *
 * @param params the form parameters submitted by the end user
 * @return either an error redirect ({@code access_denied} / {@code invalid_scope})
 *         or the response produced by {@code createGrant}
 */
protected Response completeAuthorization(MultivaluedMap<String, String> params) {
    // The end user must already be authenticated; this also checks whether HTTPS is used.
    final SecurityContext securityContext = getAndValidateSecurityContext(params);
    final UserSubject userSubject = createUserSubject(securityContext, params);

    // Bind this request to the user's session: the submitted form has to echo back the
    // session authenticity token. The parameter carrying it can be renamed via
    // SESSION_AUTHENTICITY_TOKEN_PARAM_NAME; otherwise the default name is used.
    String tokenParamName = params.getFirst(OAuthConstants.SESSION_AUTHENTICITY_TOKEN_PARAM_NAME);
    if (tokenParamName == null) {
        tokenParamName = OAuthConstants.SESSION_AUTHENTICITY_TOKEN;
    }
    final String sessionToken = params.getFirst(tokenParamName);
    if (sessionToken == null || !compareRequestAndSessionTokens(sessionToken, params, userSubject)) {
        throw ExceptionUtils.toBadRequestException(null, null);
    }

    // Prefer the state that was stored with the session; fall back to rebuilding it
    // from the request parameters when no session-held state is available.
    OAuthRedirectionState state = recreateRedirectionStateFromSession(userSubject, sessionToken);
    if (state == null) {
        state = recreateRedirectionStateFromParams(params);
    }
    final Client client = getClient(state.getClientId(), params);
    final String redirectUri = validateRedirectUri(client, state.getRedirectUri());

    // The user's decision: anything other than an explicit allow is treated as a denial.
    final String decision = params.getFirst(OAuthConstants.AUTHORIZATION_DECISION_KEY);
    if (!OAuthConstants.AUTHORIZATION_DECISION_ALLOW.equals(decision)) {
        return createErrorResponse(params, redirectUri, OAuthConstants.ACCESS_DENIED);
    }

    // The user may have down-scoped the request: only scopes whose "<scope>_status"
    // parameter is set to allow end up in the approved list.
    final List<String> requestedScope = OAuthUtils.parseScope(state.getProposedScope());
    final List<String> approvedScope = new LinkedList<String>();
    for (String scope : requestedScope) {
        final String status = params.getFirst(scope + "_status");
        if (OAuthConstants.AUTHORIZATION_DECISION_ALLOW.equals(status)) {
            approvedScope.add(scope);
        }
    }
    // Reject anything outside what was requested, and anything the client did not register.
    if (!requestedScope.containsAll(approvedScope)
        || !OAuthUtils.validateScopes(requestedScope, client.getRegisteredScopes(), partialMatchScopeValidation)) {
        return createErrorResponse(params, redirectUri, OAuthConstants.INVALID_SCOPE);
    }

    getMessageContext().put(AUTHORIZATION_REQUEST_PARAMETERS, params);

    // Approving a fresh grant can optionally revoke the token that was pre-authorized earlier.
    final String preAuthorizedTokenKey = params.getFirst(PREAUTHORIZED_TOKEN_KEY);
    if (preAuthorizedTokenKey != null && isRevokePreauthorizedTokenOnApproval()) {
        getDataProvider().revokeToken(client, preAuthorizedTokenKey, OAuthConstants.ACCESS_TOKEN);
    }

    // Request a new grant
    return createGrant(state, client, requestedScope, approvedScope, userSubject, null);
}

Example 4 with OAuthRedirectionState

use of org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState in project cxf by apache.

Class OidcAuthorizationCodeService, method recreateRedirectionStateFromParams.

/**
 * Rebuilds the redirection state from the request parameters and enriches it with
 * the OIDC claims property.
 *
 * <p>The base state comes from the superclass; this override only adds the
 * claims-related property via {@code OidcUtils.setStateClaimsProperty}.
 *
 * @param params the request parameters the state is reconstructed from
 * @return the state produced by the superclass, with the claims property applied
 */
@Override
protected OAuthRedirectionState recreateRedirectionStateFromParams(MultivaluedMap<String, String> params) {
    final OAuthRedirectionState recreated = super.recreateRedirectionStateFromParams(params);
    // OIDC-specific enrichment on top of the generic OAuth2 state.
    OidcUtils.setStateClaimsProperty(recreated, params);
    return recreated;
}

Example 5 with OAuthRedirectionState

use of org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState in project cxf by apache.

Class OidcHybridService, method prepareRedirectResponse.

/**
 * Builds the redirect response for the hybrid flow, appending the authorization
 * code to the response the superclass prepares.
 *
 * <p>{@code prepareHybrideCode} is invoked before the superclass response is built,
 * exactly as in the original ordering, since both calls may have side effects; when
 * no code is issued the superclass response is returned untouched.
 *
 * @param state              redirection state captured when the flow started
 * @param client             client the response is for
 * @param requestedScope     scopes the client asked for
 * @param approvedScope      scopes the end user approved
 * @param userSubject        authenticated resource owner
 * @param preAuthorizedToken previously issued token if one was found, otherwise {@code null}
 * @return the redirect response, with {@code code=<value>} appended when a code was issued
 */
@Override
protected StringBuilder prepareRedirectResponse(OAuthRedirectionState state, Client client, List<String> requestedScope, List<String> approvedScope, UserSubject userSubject, ServerAccessToken preAuthorizedToken) {
    final ServerAuthorizationCodeGrant hybridCode = prepareHybrideCode(state, client, requestedScope, approvedScope, userSubject, preAuthorizedToken);
    final StringBuilder response = super.prepareRedirectResponse(state, client, requestedScope, approvedScope, userSubject, preAuthorizedToken);
    if (hybridCode == null) {
        return response;
    }
    // Append the code as one more parameter; the code value is server-generated.
    return response.append('&')
        .append(OAuthConstants.AUTHORIZATION_CODE_VALUE)
        .append('=')
        .append(hybridCode.getCode());
}
