Example 36 with OAuthServiceException

Use of org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException in project cxf by apache.

Class OidcClaimsValidator, method validateJwtClaims:

/**
 * Validate core JWT claims
 * @param claims the claims
 * @param clientId OAuth2 client id
 * @param validateClaimsAlways if set to true then enforce that the claims
 *                             to be validated must be set
 */
public void validateJwtClaims(JwtClaims claims, String clientId, boolean validateClaimsAlways) {
    // validate the issuer: a missing "iss" is only an error when the claims are mandatory
    String issuer = claims.getIssuer();
    if (issuer == null && validateClaimsAlways) {
        throw new OAuthServiceException("Invalid issuer");
    }
    // A self-issued provider is only accepted when it has been explicitly enabled
    // and no fixed issuer has been configured for this validator
    if (supportSelfIssuedProvider && issuerId == null && issuer != null && SELF_ISSUED_ISSUER.equals(issuer)) {
        validateSelfIssuedProvider(claims, clientId, validateClaimsAlways);
    } else {
        // when present, "iss" must match the configured issuer exactly
        if (issuer != null && !issuer.equals(issuerId)) {
            throw new OAuthServiceException("Invalid issuer");
        }
        // validate subject: "sub" is always required
        if (claims.getSubject() == null) {
            throw new OAuthServiceException("Invalid subject");
        }
        // validate authorized party: when present, "azp" must name this client
        String authorizedParty = (String) claims.getClaim(IdToken.AZP_CLAIM);
        if (authorizedParty != null && !authorizedParty.equals(clientId)) {
            throw new OAuthServiceException("Invalid authorized party");
        }
        // validate audience: "aud" must contain this client; it may only be absent
        // when the claims are not mandatory
        List<String> audiences = claims.getAudiences();
        if ((StringUtils.isEmpty(audiences) && validateClaimsAlways)
            || (!StringUtils.isEmpty(audiences) && !audiences.contains(clientId))) {
            throw new OAuthServiceException("Invalid audience");
        }
        // If strict time validation: if no issuedAt claim is set then an expiresAt claim must be set
        // Otherwise: validate only if expiresAt claim is set
        boolean expiredRequired = validateClaimsAlways || strictTimeValidation && claims.getIssuedAt() == null;
        try {
            JwtUtils.validateJwtExpiry(claims, getClockOffset(), expiredRequired);
        } catch (JwtException ex) {
            throw new OAuthServiceException("ID Token has expired", ex);
        }
        // If strict time validation: if no expiresAt claim is set then an issuedAt claim must be set
        // Otherwise: validate only if issuedAt claim is set
        // (the TTL bounds how old an "iat" may be, so tokens without "exp" cannot live forever)
        boolean issuedAtRequired = validateClaimsAlways || strictTimeValidation && claims.getExpiryTime() == null;
        try {
            JwtUtils.validateJwtIssuedAt(claims, getTtl(), getClockOffset(), issuedAtRequired);
        } catch (JwtException ex) {
            throw new OAuthServiceException("Invalid issuedAt claim", ex);
        }
        // "nbf" is only enforced under strict time validation
        if (strictTimeValidation) {
            try {
                JwtUtils.validateJwtNotBefore(claims, getClockOffset(), strictTimeValidation);
            } catch (JwtException ex) {
                throw new OAuthServiceException("ID Token can not be used yet", ex);
            }
        }
    }
}
Also used: OAuthServiceException (org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException), JwtException (org.apache.cxf.rs.security.jose.jwt.JwtException)

Example 37 with OAuthServiceException

Use of org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException in project cxf by apache.

Class OidcUtils, method calculateHash:

private static String calculateHash(String value, SignatureAlgorithm sigAlgo) {
    // hash claims such as at_hash and c_hash are only defined for signed ID tokens,
    // so the "none" algorithm is rejected outright
    if (sigAlgo == SignatureAlgorithm.NONE) {
        throw new JwsException(JwsException.Error.INVALID_ALGORITHM);
    }
    // derive the SHA size from the JWA name, e.g. "RS256" -> "256" -> "SHA-256"
    String algoShaSizeString = sigAlgo.getJwaName().substring(2);
    String javaShaAlgo = "SHA-" + algoShaSizeString;
    int algoShaSize = Integer.parseInt(algoShaSizeString);
    // the hash claim carries only the left-most half of the digest (size in bytes)
    int valueHashSize = (algoShaSize / 8) / 2;
    try {
        // digest the ASCII octets of the value and base64url-encode the left half
        byte[] atBytes = StringUtils.toBytesASCII(value);
        byte[] digest = MessageDigestUtils.createDigest(atBytes, javaShaAlgo);
        return Base64UrlUtility.encodeChunk(digest, 0, valueHashSize);
    } catch (NoSuchAlgorithmException ex) {
        throw new OAuthServiceException(ex);
    }
}
Also used: JwsException (org.apache.cxf.rs.security.jose.jws.JwsException), OAuthServiceException (org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException), NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)

Example 38 with OAuthServiceException

Use of org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException in project cxf by apache.

Class AbstractOAuthDataProvider, method getPreauthorizedToken:

@Override
public ServerAccessToken getPreauthorizedToken(Client client, List<String> requestedScopes, UserSubject sub, String grantType) throws OAuthServiceException {
    if (!isSupportPreauthorizedTokens()) {
        return null;
    }
    // look for an existing token issued to the same client with the same grant type,
    // either for the same subject or, for subject-less grants, for no subject at all
    ServerAccessToken token = null;
    for (ServerAccessToken at : getAccessTokens(client, sub)) {
        if (at.getClient().getClientId().equals(client.getClientId())
            && at.getGrantType().equals(grantType)
            && ((sub == null && at.getSubject() == null)
                || (sub != null && at.getSubject().getLogin().equals(sub.getLogin())))) {
            token = at;
            break;
        }
    }
    // an expired token is never handed back; revoke it so it cannot be matched again
    if (token != null && OAuthUtils.isExpired(token.getIssuedAt(), token.getExpiresIn())) {
        revokeToken(client, token.getTokenKey(), OAuthConstants.ACCESS_TOKEN);
        token = null;
    }
    return token;
}
Also used: ServerAccessToken (org.apache.cxf.rs.security.oauth2.common.ServerAccessToken)

Example 39 with OAuthServiceException

Use of org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException in project cxf by apache.

Class AbstractOAuthDataProvider, method createAccessToken:

@Override
public ServerAccessToken createAccessToken(AccessTokenRegistration reg) throws OAuthServiceException {
    ServerAccessToken at = doCreateAccessToken(reg);
    saveAccessToken(at);
    // a refresh token is only issued when the approved scope permits it
    if (isRefreshTokenSupported(reg.getApprovedScope())) {
        createNewRefreshToken(at);
    }
    return at;
}
Also used: ServerAccessToken (org.apache.cxf.rs.security.oauth2.common.ServerAccessToken)

Example 40 with OAuthServiceException

Use of org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException in project cxf by apache.

Class AbstractOAuthDataProvider, method refreshAccessToken:

@Override
public ServerAccessToken refreshAccessToken(Client client, String refreshTokenKey, List<String> restrictedScopes) throws OAuthServiceException {
    // with refresh token recycling (rotation) the presented token is revoked up front,
    // so a second use of the same key fails; otherwise it is only looked up
    RefreshToken currentRefreshToken = recycleRefreshTokens ? revokeRefreshToken(refreshTokenKey) : getRefreshToken(refreshTokenKey);
    if (currentRefreshToken == null) {
        throw new OAuthServiceException(OAuthConstants.ACCESS_DENIED);
    }
    // an expired refresh token is removed (unless already revoked above) and rejected
    if (OAuthUtils.isExpired(currentRefreshToken.getIssuedAt(), currentRefreshToken.getExpiresIn())) {
        if (!recycleRefreshTokens) {
            revokeRefreshToken(refreshTokenKey);
        }
        throw new OAuthServiceException(OAuthConstants.ACCESS_DENIED);
    }
    // when rotating, the access tokens bound to the old refresh token are revoked as well
    if (recycleRefreshTokens) {
        revokeAccessTokens(currentRefreshToken);
    }
    ServerAccessToken at = doRefreshAccessToken(client, currentRefreshToken, restrictedScopes);
    saveAccessToken(at);
    // either issue a fresh refresh token or bind the new access token to the existing one
    if (recycleRefreshTokens) {
        createNewRefreshToken(at);
    } else {
        updateExistingRefreshToken(currentRefreshToken, at);
    }
    return at;
}
Also used: ServerAccessToken (org.apache.cxf.rs.security.oauth2.common.ServerAccessToken), RefreshToken (org.apache.cxf.rs.security.oauth2.tokens.refresh.RefreshToken)

Aggregations (class, usage count)

OAuthServiceException (org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException): 37
ServerAccessToken (org.apache.cxf.rs.security.oauth2.common.ServerAccessToken): 12
WebClient (org.apache.cxf.jaxrs.client.WebClient): 11
Test (org.junit.Test): 8
HashMap (java.util.HashMap): 6
IOException (java.io.IOException): 4
OAuthPermission (org.apache.cxf.rs.security.oauth2.common.OAuthPermission): 4
UserSubject (org.apache.cxf.rs.security.oauth2.common.UserSubject): 4
ArrayList (java.util.ArrayList): 3
Base64Exception (org.apache.cxf.common.util.Base64Exception): 3
Consumer (org.apache.cxf.rs.security.oauth2.client.Consumer): 3
AccessTokenValidation (org.apache.cxf.rs.security.oauth2.common.AccessTokenValidation): 3
OAuthError (org.apache.cxf.rs.security.oauth2.common.OAuthError): 3
InputStream (java.io.InputStream): 2
List (java.util.List): 2
Map (java.util.Map): 2
Consumes (javax.ws.rs.Consumes): 2
POST (javax.ws.rs.POST): 2
ProcessingException (javax.ws.rs.ProcessingException): 2
Produces (javax.ws.rs.Produces): 2