Search in sources :

Example 41 with ServerAccessToken

use of org.apache.cxf.rs.security.oauth2.common.ServerAccessToken in project tesb-rt-se by Talend.

the class OAuthManager method createAccessToken.

// token management
public ServerAccessToken createAccessToken(AccessTokenRegistration reg) throws OAuthServiceException {
    ServerAccessToken token = new BearerAccessToken(reg.getClient(), 3600L);
    List<String> scope = reg.getApprovedScope().isEmpty() ? reg.getRequestedScope() : reg.getApprovedScope();
    token.setScopes(convertScopeToPermissions(reg.getClient(), scope));
    token.setSubject(reg.getSubject());
    token.setGrantType(reg.getGrantType());
    at = token;
    return token;
}
Also used : ServerAccessToken(org.apache.cxf.rs.security.oauth2.common.ServerAccessToken) BearerAccessToken(org.apache.cxf.rs.security.oauth2.tokens.bearer.BearerAccessToken)

Example 42 with ServerAccessToken

use of org.apache.cxf.rs.security.oauth2.common.ServerAccessToken in project meecrowave by apache.

the class OAuth2Configurer method preCompute.

// TODO: still some missing configuration for jwt etc to add/wire from OAuth2Options
@PostConstruct
private void preCompute() {
    configuration = builder.getExtension(OAuth2Options.class);
    final Function<JwtClaims, JwtClaims> customizeClaims = configuration.isUseJwtFormatForAccessTokens() ? claims -> {
        if (claims.getIssuer() == null) {
            claims.setIssuer(configuration.getJwtIssuer());
        }
        return claims;
    } : identity();
    AbstractOAuthDataProvider provider;
    switch(configuration.getProvider().toLowerCase(ENGLISH)) {
        case "jpa":
            {
                if (!configuration.isAuthorizationCodeSupport()) {
                    // else use code impl
                    final JPAOAuthDataProvider jpaProvider = new JPAOAuthDataProvider() {

                        @Override
                        protected JwtClaims createJwtAccessToken(final ServerAccessToken at) {
                            return customizeClaims.apply(super.createJwtAccessToken(at));
                        }

                        @Override
                        protected ServerAccessToken createNewAccessToken(final Client client, final UserSubject userSub) {
                            final ServerAccessToken token = super.createNewAccessToken(client, userSub);
                            forwardClaims(client, userSub, token);
                            return token;
                        }
                    };
                    jpaProvider.setEntityManagerFactory(JPAAdapter.createEntityManagerFactory(configuration));
                    provider = jpaProvider;
                    break;
                }
            }
        case "jpa-code":
            {
                final JPACodeDataProvider jpaProvider = new JPACodeDataProvider() {

                    @Override
                    protected JwtClaims createJwtAccessToken(final ServerAccessToken at) {
                        return customizeClaims.apply(super.createJwtAccessToken(at));
                    }

                    @Override
                    protected ServerAccessToken createNewAccessToken(final Client client, final UserSubject userSub) {
                        final ServerAccessToken token = super.createNewAccessToken(client, userSub);
                        forwardClaims(client, userSub, token);
                        return token;
                    }
                };
                jpaProvider.setEntityManagerFactory(JPAAdapter.createEntityManagerFactory(configuration));
                provider = jpaProvider;
                break;
            }
        case "jcache":
            if (!configuration.isAuthorizationCodeSupport()) {
                // else use code impl
                jCacheConfigurer.doSetup(configuration);
                try {
                    provider = new JCacheOAuthDataProvider(configuration.getJcacheConfigUri(), bus, configuration.isJcacheStoreJwtKeyOnly()) {

                        @Override
                        protected JwtClaims createJwtAccessToken(final ServerAccessToken at) {
                            return customizeClaims.apply(super.createJwtAccessToken(at));
                        }

                        @Override
                        protected ServerAccessToken createNewAccessToken(final Client client, final UserSubject userSub) {
                            final ServerAccessToken token = super.createNewAccessToken(client, userSub);
                            forwardClaims(client, userSub, token);
                            return token;
                        }
                    };
                } catch (final Exception e) {
                    throw new IllegalStateException(e);
                }
                break;
            }
        case "jcache-code":
            jCacheConfigurer.doSetup(configuration);
            try {
                provider = new JCacheCodeDataProvider(configuration, bus) {

                    @Override
                    protected JwtClaims createJwtAccessToken(final ServerAccessToken at) {
                        return customizeClaims.apply(super.createJwtAccessToken(at));
                    }

                    @Override
                    protected ServerAccessToken createNewAccessToken(final Client client, final UserSubject userSub) {
                        final ServerAccessToken token = super.createNewAccessToken(client, userSub);
                        forwardClaims(client, userSub, token);
                        return token;
                    }
                };
            } catch (final Exception e) {
                throw new IllegalStateException(e);
            }
            break;
        case "encrypted":
            if (!configuration.isAuthorizationCodeSupport()) {
                // else use code impl
                provider = new DefaultEncryptingOAuthDataProvider(new SecretKeySpec(configuration.getEncryptedKey().getBytes(StandardCharsets.UTF_8), configuration.getEncryptedAlgo())) {

                    @Override
                    protected JwtClaims createJwtAccessToken(final ServerAccessToken at) {
                        return customizeClaims.apply(super.createJwtAccessToken(at));
                    }

                    @Override
                    protected ServerAccessToken createNewAccessToken(final Client client, final UserSubject userSub) {
                        final ServerAccessToken token = super.createNewAccessToken(client, userSub);
                        forwardClaims(client, userSub, token);
                        return token;
                    }
                };
                break;
            }
        case "encrypted-code":
            provider = new DefaultEncryptingCodeDataProvider(new SecretKeySpec(configuration.getEncryptedKey().getBytes(StandardCharsets.UTF_8), configuration.getEncryptedAlgo())) {

                @Override
                protected JwtClaims createJwtAccessToken(final ServerAccessToken at) {
                    return customizeClaims.apply(super.createJwtAccessToken(at));
                }

                @Override
                protected ServerAccessToken createNewAccessToken(final Client client, final UserSubject userSub) {
                    final ServerAccessToken token = super.createNewAccessToken(client, userSub);
                    forwardClaims(client, userSub, token);
                    return token;
                }
            };
            break;
        default:
            throw new IllegalArgumentException("Unsupported oauth2 provider: " + configuration.getProvider());
    }
    final RefreshTokenGrantHandler refreshTokenGrantHandler = new RefreshTokenGrantHandler() {

        @Override
        public ServerAccessToken createAccessToken(final Client client, final MultivaluedMap<String, String> params) throws OAuthServiceException {
            final ServerAccessToken accessToken = super.createAccessToken(client, params);
            forwardClaims(client, accessToken.getSubject(), accessToken);
            return accessToken;
        }
    };
    refreshTokenGrantHandler.setDataProvider(provider);
    refreshTokenGrantHandler.setUseAllClientScopes(configuration.isUseAllClientScopes());
    refreshTokenGrantHandler.setPartialMatchScopeValidation(configuration.isPartialMatchScopeValidation());
    final ResourceOwnerLoginHandler loginHandler = configuration.isJaas() ? new JAASResourceOwnerLoginHandler() {

        @Override
        public UserSubject createSubject(final Client client, final String name, final String password) {
            final UserSubject subject = super.createSubject(client, name, password);
            forwardRolesAsClaims(subject);
            return subject;
        }
    } : (client, name, password) -> {
        try {
            request.login(name, password);
            try {
                final Principal pcp = request.getUserPrincipal();
                return doCreateUserSubject(pcp);
            } finally {
                request.logout();
            }
        } catch (final ServletException e) {
            throw new AuthenticationException(e.getMessage());
        }
    };
    final List<AccessTokenGrantHandler> handlers = new ArrayList<>();
    handlers.add(refreshTokenGrantHandler);
    handlers.add(new ClientCredentialsGrantHandler() {

        @Override
        protected ServerAccessToken doCreateAccessToken(final Client client, final UserSubject subject, final String requestedGrant, final List<String> requestedScopes, final List<String> audiences) {
            final ServerAccessToken serverAccessToken = super.doCreateAccessToken(client, subject, requestedGrant, requestedScopes, audiences);
            forwardClaims(client, subject, serverAccessToken);
            return serverAccessToken;
        }
    });
    handlers.add(new ResourceOwnerGrantHandler() {

        {
            setLoginHandler(loginHandler);
        }

        @Override
        protected ServerAccessToken doCreateAccessToken(final Client client, final UserSubject subject, final String requestedGrant, final List<String> requestedScopes, final List<String> audiences) {
            final ServerAccessToken serverAccessToken = super.doCreateAccessToken(client, subject, requestedGrant, requestedScopes, audiences);
            forwardClaims(client, subject, serverAccessToken);
            return serverAccessToken;
        }
    });
    handlers.add(new AuthorizationCodeGrantHandler() {

        @Override
        public ServerAccessToken createAccessToken(final Client client, final MultivaluedMap<String, String> params) throws OAuthServiceException {
            if (configuration.isUseS256CodeChallenge()) {
                setCodeVerifierTransformer(new DigestCodeVerifier());
            }
            return super.createAccessToken(client, params);
        }

        @Override
        protected ServerAccessToken doCreateAccessToken(final Client client, final UserSubject subject, final String requestedGrant, final List<String> requestedScopes, final List<String> audiences) {
            final ServerAccessToken serverAccessToken = super.doCreateAccessToken(client, subject, requestedGrant, requestedScopes, audiences);
            forwardClaims(client, subject, serverAccessToken);
            return serverAccessToken;
        }
    });
    handlers.add(new JwtBearerGrantHandler() {

        @Override
        protected ServerAccessToken doCreateAccessToken(final Client client, final UserSubject subject, final String requestedGrant, final List<String> requestedScopes, final List<String> audiences) {
            final ServerAccessToken serverAccessToken = super.doCreateAccessToken(client, subject, requestedGrant, requestedScopes, audiences);
            forwardClaims(client, subject, serverAccessToken);
            return serverAccessToken;
        }
    });
    provider.setUseJwtFormatForAccessTokens(configuration.isUseJwtFormatForAccessTokens());
    provider.setAccessTokenLifetime(configuration.getAccessTokenLifetime());
    provider.setRefreshTokenLifetime(configuration.getRefreshTokenLifetime());
    provider.setRecycleRefreshTokens(configuration.isRecycleRefreshTokens());
    provider.setSupportPreauthorizedTokens(configuration.isSupportPreauthorizedTokens());
    ofNullable(configuration.getRequiredScopes()).map(s -> asList(s.split(","))).ifPresent(provider::setRequiredScopes);
    ofNullable(configuration.getDefaultScopes()).map(s -> asList(s.split(","))).ifPresent(provider::setDefaultScopes);
    ofNullable(configuration.getInvisibleToClientScopes()).map(s -> asList(s.split(","))).ifPresent(provider::setInvisibleToClientScopes);
    ofNullable(configuration.getJwtAccessTokenClaimMap()).map(s -> new Properties() {

        {
            try {
                load(new StringReader(s));
            } catch (IOException e) {
                throw new IllegalArgumentException("Bad claim map configuration, use properties syntax");
            }
        }
    }).ifPresent(m -> provider.setJwtAccessTokenClaimMap(new HashMap<>(Map.class.cast(m))));
    final OAuthDataProvider dataProvider;
    if (configuration.isRefreshToken()) {
        dataProvider = new RefreshTokenEnabledProvider(provider);
        if (provider.getInvisibleToClientScopes() == null) {
            provider.setInvisibleToClientScopes(new ArrayList<>());
        }
        provider.getInvisibleToClientScopes().add(OAuthConstants.REFRESH_TOKEN_SCOPE);
    } else {
        dataProvider = provider;
    }
    handlers.stream().filter(AbstractGrantHandler.class::isInstance).forEach(h -> {
        final AbstractGrantHandler handler = AbstractGrantHandler.class.cast(h);
        handler.setDataProvider(dataProvider);
        handler.setCanSupportPublicClients(configuration.isCanSupportPublicClients());
        handler.setPartialMatchScopeValidation(configuration.isPartialMatchScopeValidation());
    });
    abstractTokenServiceConsumer = s -> {
        // this is used @RequestScoped so ensure it is not slow for no reason
        s.setCanSupportPublicClients(configuration.isCanSupportPublicClients());
        s.setBlockUnsecureRequests(configuration.isBlockUnsecureRequests());
        s.setWriteCustomErrors(configuration.isWriteCustomErrors());
        s.setWriteOptionalParameters(configuration.isWriteOptionalParameters());
        s.setDataProvider(dataProvider);
    };
    tokenServiceConsumer = s -> {
        // this is used @RequestScoped so ensure it is not slow for no reason
        abstractTokenServiceConsumer.accept(s);
        s.setGrantHandlers(handlers);
    };
    final List<String> noConsentScopes = ofNullable(configuration.getScopesRequiringNoConsent()).map(s -> asList(s.split(","))).orElse(null);
    // we prefix them oauth2.cxf. but otherwise it is the plain cxf config
    securityProperties = ofNullable(builder.getProperties()).map(Properties::stringPropertyNames).orElse(emptySet()).stream().filter(s -> s.startsWith("oauth2.cxf.rs.security.")).collect(toMap(s -> s.substring("oauth2.cxf.".length()), s -> builder.getProperties().getProperty(s)));
    final JoseSessionTokenProvider sessionAuthenticityTokenProvider = new JoseSessionTokenProvider() {

        @Override
        public String createSessionToken(final MessageContext mc, final MultivaluedMap<String, String> params, final UserSubject subject, final OAuthRedirectionState secData) {
            // CXF-8368
            secData.setClientCodeChallenge(params.getFirst(OAuthConstants.AUTHORIZATION_CODE_CHALLENGE));
            return super.createSessionToken(mc, params, subject, secData);
        }
    };
    sessionAuthenticityTokenProvider.setMaxDefaultSessionInterval(configuration.getMaxDefaultSessionInterval());
    // TODO: other configs
    redirectionBasedGrantServiceConsumer = s -> {
        s.setDataProvider(dataProvider);
        s.setBlockUnsecureRequests(configuration.isBlockUnsecureRequests());
        s.setWriteOptionalParameters(configuration.isWriteOptionalParameters());
        s.setUseAllClientScopes(configuration.isUseAllClientScopes());
        s.setPartialMatchScopeValidation(configuration.isPartialMatchScopeValidation());
        s.setUseRegisteredRedirectUriIfPossible(configuration.isUseRegisteredRedirectUriIfPossible());
        s.setMaxDefaultSessionInterval(configuration.getMaxDefaultSessionInterval());
        s.setMatchRedirectUriWithApplicationUri(configuration.isMatchRedirectUriWithApplicationUri());
        s.setScopesRequiringNoConsent(noConsentScopes);
        s.setSessionAuthenticityTokenProvider(sessionAuthenticityTokenProvider);
        s.setCanSupportPublicClients(configuration.isCanSupportPublicClients());
    };
}
Also used : JCacheOAuthDataProvider(org.apache.cxf.rs.security.oauth2.provider.JCacheOAuthDataProvider) ServletException(javax.servlet.ServletException) AccessTokenService(org.apache.cxf.rs.security.oauth2.services.AccessTokenService) SecretKeySpec(javax.crypto.spec.SecretKeySpec) JAXRSUtils(org.apache.cxf.jaxrs.utils.JAXRSUtils) ServerAccessToken(org.apache.cxf.rs.security.oauth2.common.ServerAccessToken) Collectors.toMap(java.util.stream.Collectors.toMap) AbstractTokenService(org.apache.cxf.rs.security.oauth2.services.AbstractTokenService) JwtClaims(org.apache.cxf.rs.security.jose.jwt.JwtClaims) ClientCredentialsGrantHandler(org.apache.cxf.rs.security.oauth2.grants.clientcred.ClientCredentialsGrantHandler) Arrays.asList(java.util.Arrays.asList) Map(java.util.Map) JCacheCodeDataProvider(org.apache.meecrowave.oauth2.provider.JCacheCodeDataProvider) RefreshTokenEnabledProvider(org.apache.meecrowave.oauth2.data.RefreshTokenEnabledProvider) AuthorizationCodeGrantHandler(org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeGrantHandler) DefaultEncryptingCodeDataProvider(org.apache.cxf.rs.security.oauth2.grants.code.DefaultEncryptingCodeDataProvider) JwtBearerGrantHandler(org.apache.cxf.rs.security.oauth2.grants.jwt.JwtBearerGrantHandler) ResourceOwnerLoginHandler(org.apache.cxf.rs.security.oauth2.grants.owner.ResourceOwnerLoginHandler) ENGLISH(java.util.Locale.ENGLISH) AuthenticationMethod(org.apache.cxf.rs.security.oauth2.common.AuthenticationMethod) ResourceOwnerGrantHandler(org.apache.cxf.rs.security.oauth2.grants.owner.ResourceOwnerGrantHandler) JPACodeDataProvider(org.apache.cxf.rs.security.oauth2.grants.code.JPACodeDataProvider) StandardCharsets(java.nio.charset.StandardCharsets) OAuthDataProvider(org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider) List(java.util.List) Principal(java.security.Principal) AbstractGrantHandler(org.apache.cxf.rs.security.oauth2.grants.AbstractGrantHandler) PostConstruct(javax.annotation.PostConstruct) Function.identity(java.util.function.Function.identity) ApplicationScoped(javax.enterprise.context.ApplicationScoped) PASSWORD(org.apache.cxf.rs.security.oauth2.common.AuthenticationMethod.PASSWORD) AccessTokenGrantHandler(org.apache.cxf.rs.security.oauth2.provider.AccessTokenGrantHandler) Meecrowave(org.apache.meecrowave.Meecrowave) Bus(org.apache.cxf.Bus) JAASResourceOwnerLoginHandler(org.apache.cxf.rs.security.oauth2.grants.owner.JAASResourceOwnerLoginHandler) OAuthServiceException(org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException) RefreshTokenGrantHandler(org.apache.cxf.rs.security.oauth2.grants.refresh.RefreshTokenGrantHandler) AuthorizationCodeGrantService(org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService) HashMap(java.util.HashMap) Function(java.util.function.Function) ArrayList(java.util.ArrayList) Inject(javax.inject.Inject) AbstractOAuthDataProvider(org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthDataProvider) HttpServletRequest(javax.servlet.http.HttpServletRequest) AuthenticationException(org.apache.cxf.interceptor.security.AuthenticationException) MessageContext(org.apache.cxf.jaxrs.ext.MessageContext) DefaultEncryptingOAuthDataProvider(org.apache.cxf.rs.security.oauth2.provider.DefaultEncryptingOAuthDataProvider) PlainCodeVerifier(org.apache.cxf.rs.security.oauth2.grants.code.PlainCodeVerifier) JoseSessionTokenProvider(org.apache.cxf.rs.security.oauth2.provider.JoseSessionTokenProvider) Client(org.apache.cxf.rs.security.oauth2.common.Client) GenericPrincipal(org.apache.catalina.realm.GenericPrincipal) Properties(java.util.Properties) JPAOAuthDataProvider(org.apache.cxf.rs.security.oauth2.provider.JPAOAuthDataProvider) Collections.emptySet(java.util.Collections.emptySet) Message(org.apache.cxf.message.Message) Optional.ofNullable(java.util.Optional.ofNullable) IOException(java.io.IOException) MultivaluedMap(javax.ws.rs.core.MultivaluedMap) Consumer(java.util.function.Consumer) StringReader(java.io.StringReader) PhaseInterceptorChain(org.apache.cxf.phase.PhaseInterceptorChain) OAuthConstants(org.apache.cxf.rs.security.oauth2.utils.OAuthConstants) UserSubject(org.apache.cxf.rs.security.oauth2.common.UserSubject) DigestCodeVerifier(org.apache.cxf.rs.security.oauth2.grants.code.DigestCodeVerifier) Collections(java.util.Collections) OAuthRedirectionState(org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState) AbstractGrantHandler(org.apache.cxf.rs.security.oauth2.grants.AbstractGrantHandler) JwtClaims(org.apache.cxf.rs.security.jose.jwt.JwtClaims) JPAOAuthDataProvider(org.apache.cxf.rs.security.oauth2.provider.JPAOAuthDataProvider) AuthenticationException(org.apache.cxf.interceptor.security.AuthenticationException) OAuthServiceException(org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException) HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) JPACodeDataProvider(org.apache.cxf.rs.security.oauth2.grants.code.JPACodeDataProvider) ResourceOwnerLoginHandler(org.apache.cxf.rs.security.oauth2.grants.owner.ResourceOwnerLoginHandler) JAASResourceOwnerLoginHandler(org.apache.cxf.rs.security.oauth2.grants.owner.JAASResourceOwnerLoginHandler) JoseSessionTokenProvider(org.apache.cxf.rs.security.oauth2.provider.JoseSessionTokenProvider) ServletException(javax.servlet.ServletException) SecretKeySpec(javax.crypto.spec.SecretKeySpec) Client(org.apache.cxf.rs.security.oauth2.common.Client) JCacheCodeDataProvider(org.apache.meecrowave.oauth2.provider.JCacheCodeDataProvider) OAuthRedirectionState(org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState) DefaultEncryptingOAuthDataProvider(org.apache.cxf.rs.security.oauth2.provider.DefaultEncryptingOAuthDataProvider) RefreshTokenGrantHandler(org.apache.cxf.rs.security.oauth2.grants.refresh.RefreshTokenGrantHandler) RefreshTokenEnabledProvider(org.apache.meecrowave.oauth2.data.RefreshTokenEnabledProvider) ServerAccessToken(org.apache.cxf.rs.security.oauth2.common.ServerAccessToken) JCacheOAuthDataProvider(org.apache.cxf.rs.security.oauth2.provider.JCacheOAuthDataProvider) Collectors.toMap(java.util.stream.Collectors.toMap) Map(java.util.Map) HashMap(java.util.HashMap) MultivaluedMap(javax.ws.rs.core.MultivaluedMap) DefaultEncryptingCodeDataProvider(org.apache.cxf.rs.security.oauth2.grants.code.DefaultEncryptingCodeDataProvider) AccessTokenGrantHandler(org.apache.cxf.rs.security.oauth2.provider.AccessTokenGrantHandler) Properties(java.util.Properties) UserSubject(org.apache.cxf.rs.security.oauth2.common.UserSubject) ResourceOwnerGrantHandler(org.apache.cxf.rs.security.oauth2.grants.owner.ResourceOwnerGrantHandler) StringReader(java.io.StringReader) MessageContext(org.apache.cxf.jaxrs.ext.MessageContext) AbstractOAuthDataProvider(org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthDataProvider) DigestCodeVerifier(org.apache.cxf.rs.security.oauth2.grants.code.DigestCodeVerifier) JwtBearerGrantHandler(org.apache.cxf.rs.security.oauth2.grants.jwt.JwtBearerGrantHandler) AuthorizationCodeGrantHandler(org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeGrantHandler) IOException(java.io.IOException) ServletException(javax.servlet.ServletException) OAuthServiceException(org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException) AuthenticationException(org.apache.cxf.interceptor.security.AuthenticationException) IOException(java.io.IOException) ClientCredentialsGrantHandler(org.apache.cxf.rs.security.oauth2.grants.clientcred.ClientCredentialsGrantHandler) JCacheOAuthDataProvider(org.apache.cxf.rs.security.oauth2.provider.JCacheOAuthDataProvider) OAuthDataProvider(org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider) AbstractOAuthDataProvider(org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthDataProvider) DefaultEncryptingOAuthDataProvider(org.apache.cxf.rs.security.oauth2.provider.DefaultEncryptingOAuthDataProvider) JPAOAuthDataProvider(org.apache.cxf.rs.security.oauth2.provider.JPAOAuthDataProvider) MultivaluedMap(javax.ws.rs.core.MultivaluedMap) JAASResourceOwnerLoginHandler(org.apache.cxf.rs.security.oauth2.grants.owner.JAASResourceOwnerLoginHandler) Principal(java.security.Principal) GenericPrincipal(org.apache.catalina.realm.GenericPrincipal) PostConstruct(javax.annotation.PostConstruct)

Example 43 with ServerAccessToken

use of org.apache.cxf.rs.security.oauth2.common.ServerAccessToken in project cxf by apache.

the class Saml2BearerGrantHandler method createAccessToken.

public ServerAccessToken createAccessToken(Client client, MultivaluedMap<String, String> params) throws OAuthServiceException {
    String assertion = params.getFirst(Constants.CLIENT_GRANT_ASSERTION_PARAM);
    if (assertion == null) {
        throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
    }
    try {
        InputStream tokenStream = decodeAssertion(assertion);
        Element token = readToken(tokenStream);
        SamlAssertionWrapper assertionWrapper = new SamlAssertionWrapper(token);
        Message message = PhaseInterceptorChain.getCurrentMessage();
        validateToken(message, assertionWrapper);
        UserSubject grantSubject = getGrantSubject(message, assertionWrapper);
        return doCreateAccessToken(client, grantSubject, Constants.SAML2_BEARER_GRANT, OAuthUtils.parseScope(params.getFirst(OAuthConstants.SCOPE)));
    } catch (OAuthServiceException ex) {
        throw ex;
    } catch (Exception ex) {
        throw new OAuthServiceException(OAuthConstants.INVALID_GRANT, ex);
    }
}
Also used : Message(org.apache.cxf.message.Message) UserSubject(org.apache.cxf.rs.security.oauth2.common.UserSubject) OAuthServiceException(org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException) ByteArrayInputStream(java.io.ByteArrayInputStream) InputStream(java.io.InputStream) Element(org.w3c.dom.Element) SamlAssertionWrapper(org.apache.wss4j.common.saml.SamlAssertionWrapper) Base64Exception(org.apache.cxf.common.util.Base64Exception) OAuthServiceException(org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException) IOException(java.io.IOException)

Example 44 with ServerAccessToken

use of org.apache.cxf.rs.security.oauth2.common.ServerAccessToken in project cxf by apache.

the class AbstractOAuthDataProvider method handleLinkedRefreshToken.

protected void handleLinkedRefreshToken(Client client, ServerAccessToken accessToken) {
    if (accessToken != null && accessToken.getRefreshToken() != null) {
        RefreshToken rt = getRefreshToken(accessToken.getRefreshToken());
        if (rt == null) {
            return;
        }
        unlinkRefreshAccessToken(rt, accessToken.getTokenKey());
        if (rt.getAccessTokens().isEmpty()) {
            revokeRefreshToken(client, rt.getTokenKey());
        } else {
            saveRefreshToken(rt);
        }
    }
}
Also used : RefreshToken(org.apache.cxf.rs.security.oauth2.tokens.refresh.RefreshToken)

Example 45 with ServerAccessToken

use of org.apache.cxf.rs.security.oauth2.common.ServerAccessToken in project cxf by apache.

the class AbstractOAuthDataProvider method refreshAccessToken.

@Override
public ServerAccessToken refreshAccessToken(Client client, String refreshTokenKey, List<String> restrictedScopes) throws OAuthServiceException {
    RefreshToken currentRefreshToken = recycleRefreshTokens ? revokeRefreshToken(client, refreshTokenKey) : getRefreshToken(refreshTokenKey);
    if (currentRefreshToken == null) {
        throw new OAuthServiceException(OAuthConstants.ACCESS_DENIED);
    }
    if (OAuthUtils.isExpired(currentRefreshToken.getIssuedAt(), currentRefreshToken.getExpiresIn())) {
        if (!recycleRefreshTokens) {
            revokeRefreshToken(client, refreshTokenKey);
        }
        throw new OAuthServiceException(OAuthConstants.ACCESS_DENIED);
    }
    if (recycleRefreshTokens) {
        revokeAccessTokens(client, currentRefreshToken);
    }
    ServerAccessToken at = doRefreshAccessToken(client, currentRefreshToken, restrictedScopes);
    saveAccessToken(at);
    if (recycleRefreshTokens) {
        createNewRefreshToken(at);
    } else {
        updateExistingRefreshToken(currentRefreshToken, at);
    }
    return at;
}
Also used : ServerAccessToken(org.apache.cxf.rs.security.oauth2.common.ServerAccessToken) RefreshToken(org.apache.cxf.rs.security.oauth2.tokens.refresh.RefreshToken)

Aggregations

ServerAccessToken (org.apache.cxf.rs.security.oauth2.common.ServerAccessToken)54 AccessTokenRegistration (org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration)24 Client (org.apache.cxf.rs.security.oauth2.common.Client)24 Test (org.junit.Test)21 OAuthPermission (org.apache.cxf.rs.security.oauth2.common.OAuthPermission)15 RefreshToken (org.apache.cxf.rs.security.oauth2.tokens.refresh.RefreshToken)15 UserSubject (org.apache.cxf.rs.security.oauth2.common.UserSubject)12 OAuthServiceException (org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException)11 BearerAccessToken (org.apache.cxf.rs.security.oauth2.tokens.bearer.BearerAccessToken)7 ClientAccessToken (org.apache.cxf.rs.security.oauth2.common.ClientAccessToken)6 ServerAuthorizationCodeGrant (org.apache.cxf.rs.security.oauth2.grants.code.ServerAuthorizationCodeGrant)6 JoseJwtConsumer (org.apache.cxf.rs.security.jose.jwt.JoseJwtConsumer)5 JwtClaims (org.apache.cxf.rs.security.jose.jwt.JwtClaims)5 ArrayList (java.util.ArrayList)4 ByteArrayInputStream (java.io.ByteArrayInputStream)3 LinkedList (java.util.LinkedList)3 Map (java.util.Map)3 JwtToken (org.apache.cxf.rs.security.jose.jwt.JwtToken)3 Ignore (org.junit.Ignore)3 ByteArrayOutputStream (java.io.ByteArrayOutputStream)2