
Example 16 with OAuthServiceException

Use of org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException in the project cxf by apache.

The class OidcImplicitService, method canAuthorizationBeSkipped.

/**
 * Decides whether the end-user authorization (consent) screen can be skipped for an
 * OIDC implicit request.
 *
 * A {@code prompt=consent} value always forces the consent screen. Otherwise the
 * decision is delegated to the superclass (pre-configured consent for the scopes); when
 * no such consent exists and the client also sent {@code prompt=none}, the request
 * cannot be satisfied without user interaction and a {@code consent_required} error is
 * raised instead of returning {@code false}.
 *
 * @param params the authorization request parameters
 * @param client the registered client
 * @param userSubject the authenticated end user
 * @param requestedScope the scopes requested by the client
 * @param permissions the permissions associated with the request
 * @return {@code true} if the authorization screen can be skipped
 * @throws OAuthServiceException if {@code prompt=none} was requested but no pre-configured consent exists
 */
@Override
protected boolean canAuthorizationBeSkipped(MultivaluedMap<String, String> params, Client client, UserSubject userSubject, List<String> requestedScope, List<OAuthPermission> permissions) {
    final List<String> prompts = OidcUtils.getPromptValues(params);
    // prompt=consent: the client insists on the consent screen being shown
    if (prompts.contains(OidcUtils.PROMPT_CONSENT_VALUE)) {
        return false;
    }
    // The base class decides on the basis of pre-configured consent for the scopes
    final boolean consentPreConfigured = super.canAuthorizationBeSkipped(params, client, userSubject, requestedScope, permissions);
    if (consentPreConfigured) {
        return true;
    }
    // prompt=none without pre-configured consent cannot be satisfied silently
    if (prompts.contains(OidcUtils.PROMPT_NONE_VALUE)) {
        LOG.log(Level.FINE, "Prompt 'none' request can not be met");
        throw new OAuthServiceException(new OAuthError(OidcUtils.CONSENT_REQUIRED_ERROR));
    }
    return false;
}

Example 17 with OAuthServiceException

Use of org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException in the project cxf by apache.

The class OidcClientCodeRequestFilter, method createTokenContext.

/**
 * Builds the client token context for the current request.
 *
 * If the request already carries an {@link OidcSecurityContext}, its OIDC context is
 * reused as is. Otherwise a fresh context is created; when an access token is present,
 * the id token is read with the configured reader, validated against the values saved at
 * redirection time, optionally enriched with UserInfo, and a new
 * {@link OidcSecurityContext} is installed on the request.
 *
 * @param rc the container request context
 * @param at the access token, may be {@code null}
 * @param requestParams the parameters of the current request
 * @param state the state saved at redirection time
 * @return the token context
 * @throws OAuthServiceException if an access token is present but no id token reader is configured
 */
@Override
protected ClientTokenContext createTokenContext(ContainerRequestContext rc, ClientAccessToken at, MultivaluedMap<String, String> requestParams, MultivaluedMap<String, String> state) {
    if (rc.getSecurityContext() instanceof OidcSecurityContext) {
        final OidcSecurityContext existing = (OidcSecurityContext) rc.getSecurityContext();
        return existing.getOidcContext();
    }
    final OidcClientTokenContextImpl ctx = new OidcClientTokenContextImpl();
    if (at == null) {
        return ctx;
    }
    // An access token without a way to read its id token is a deployment error
    if (idTokenReader == null) {
        throw new OAuthServiceException(OAuthConstants.SERVER_ERROR);
    }
    final String code = requestParams.getFirst(OAuthConstants.AUTHORIZATION_CODE_VALUE);
    final IdToken idToken = idTokenReader.getIdToken(at, code, getConsumer());
    // The id token must agree with what was recorded when the user was redirected
    validateIdToken(idToken, state);
    ctx.setIdToken(idToken);
    if (userInfoClient != null) {
        ctx.setUserInfo(userInfoClient.getUserInfo(at, ctx.getIdToken(), getConsumer()));
    }
    final OidcSecurityContext secCtx = new OidcSecurityContext(ctx);
    secCtx.setRoleClaim(roleClaim);
    rc.setSecurityContext(secCtx);
    return ctx;
}

Example 18 with OAuthServiceException

Use of org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException in the project cxf by apache.

The class OidcInvoker, method validateRefreshedToken.

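/**
 * Validates the id token delivered with a refreshed access token against the id token
 * currently held in the token context, and replaces the current one on success.
 *
 * The new id token must carry the same issuer and subject, include all of the current
 * audiences, keep the same {@code auth_time} if it carries one, keep the same
 * {@code azp}, and must not have been issued before the current token. Each check
 * rejects with an {@link OAuthServiceException}; a missing mandatory claim is treated as
 * a validation failure rather than surfacing as a {@code NullPointerException}.
 * A refreshed token that carries no id token is accepted unchanged.
 *
 * @param tokenContext the current client token context, expected to be an {@link OidcClientTokenContextImpl}
 * @param refreshedToken the refreshed access token
 * @throws OAuthServiceException if the new id token is inconsistent with the current one
 */
@Override
protected void validateRefreshedToken(ClientTokenContext tokenContext, ClientAccessToken refreshedToken) {
    if (!refreshedToken.getParameters().containsKey(OidcUtils.ID_TOKEN)) {
        return;
    }
    IdToken newIdToken = idTokenReader.getIdToken(refreshedToken, getConsumer());
    OidcClientTokenContextImpl oidcContext = (OidcClientTokenContextImpl) tokenContext;
    IdToken currentIdToken = oidcContext.getIdToken();
    if (currentIdToken == null) {
        // Nothing to compare against: never adopt an id token that was not established at login
        throw new OAuthServiceException("No current id token to validate against");
    }
    // Issuer and subject are mandatory and must be unchanged
    String newIssuer = newIdToken.getIssuer();
    if (newIssuer == null || !newIssuer.equals(currentIdToken.getIssuer())) {
        throw new OAuthServiceException("Invalid id token issuer");
    }
    String newSubject = newIdToken.getSubject();
    if (newSubject == null || !newSubject.equals(currentIdToken.getSubject())) {
        throw new OAuthServiceException("Invalid id token subject");
    }
    // The new token must still be addressed to every audience of the current one
    if (newIdToken.getAudiences() == null || currentIdToken.getAudiences() == null
        || !newIdToken.getAudiences().containsAll(currentIdToken.getAudiences())) {
        throw new OAuthServiceException("Invalid id token audience(s)");
    }
    // auth_time is optional on the new token; if present it must match the original authentication
    Long newAuthTime = newIdToken.getAuthenticationTime();
    if (newAuthTime != null && !newAuthTime.equals(currentIdToken.getAuthenticationTime())) {
        throw new OAuthServiceException("Invalid id token auth_time");
    }
    // azp must be absent on both or equal on both
    String newAzp = newIdToken.getAuthorizedParty();
    String origAzp = currentIdToken.getAuthorizedParty();
    if (!java.util.Objects.equals(newAzp, origAzp)) {
        throw new OAuthServiceException("Invalid id token authorized party");
    }
    // A refreshed token must not predate the one it replaces; a missing iat on either side is rejected
    Long newIssuedTime = newIdToken.getIssuedAt();
    Long origIssuedTime = currentIdToken.getIssuedAt();
    if (newIssuedTime == null || origIssuedTime == null || newIssuedTime < origIssuedTime) {
        throw new OAuthServiceException("Invalid id token issued time");
    }
    oidcContext.setIdToken(newIdToken);
}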

Example 19 with OAuthServiceException

Use of org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException in the project cxf by apache.

The class CustomGrantHandler, method createAccessToken.

/**
 * Issues an access token for the given client via the custom grant.
 *
 * Only the client is recorded on the registration handed to the data provider; the
 * grant request parameters are not consulted here.
 *
 * @param client the client the token is issued to
 * @param params the grant request parameters (unused by this handler)
 * @return the access token created by the data provider
 * @throws OAuthServiceException as declared by the grant handler contract
 */
public ServerAccessToken createAccessToken(Client client, MultivaluedMap<String, String> params) throws OAuthServiceException {
    final AccessTokenRegistration registration = new AccessTokenRegistration();
    registration.setClient(client);
    return dataProvider.createAccessToken(registration);
}

Example 20 with OAuthServiceException

Use of org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException in the project cxf by apache.

The class JAXRSOAuth2Test, method testJWTBadSubjectName.

/**
 * A JWT client assertion with a bad subject name must be rejected by the token
 * endpoint: {@code OAuthClientUtils.getAccessToken} is expected to fail with an
 * {@link OAuthServiceException} rather than return a token.
 */
@Test
public void testJWTBadSubjectName() throws Exception {
    final String tokenEndpoint = "https://localhost:" + PORT + "/oauth2-auth-jwt/token";
    final WebClient client = createWebClient(tokenEndpoint);
    // Client assertion JWT; "bob" is presumably the subject being tested as bad - see OAuth2TestUtils.createToken
    final String assertion = OAuth2TestUtils.createToken("resourceOwner", "bob", tokenEndpoint, true, true);
    final Map<String, String> assertionParams = new HashMap<>();
    assertionParams.put(Constants.CLIENT_AUTH_ASSERTION_TYPE, "urn:ietf:params:oauth:client-assertion-type:jwt-bearer");
    assertionParams.put(Constants.CLIENT_AUTH_ASSERTION_PARAM, assertion);
    try {
        OAuthClientUtils.getAccessToken(client, new CustomGrant(), assertionParams);
        fail("Failure expected on a bad subject name");
    } catch (OAuthServiceException expected) {
        // the token endpoint rejected the assertion, which is the behaviour under test
    }
}
