use of org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException in project cxf by apache.
the class AbstractOAuthDataProvider method convertSingleScopeToPermission.
/**
 * Resolves one scope value to its registered {@link OAuthPermission} and
 * appends it to {@code perms}.
 * <p>
 * Unknown scopes are rejected outright rather than silently dropped, so a
 * client cannot obtain a token carrying a scope the provider never defined.
 *
 * @param client the requesting client (not consulted here; available to subclasses)
 * @param scope the scope value to resolve
 * @param perms the output list the resolved permission is appended to
 * @throws OAuthServiceException if {@code scope} has no entry in {@code permissionMap}
 */
protected void convertSingleScopeToPermission(Client client, String scope, List<OAuthPermission> perms) {
    final OAuthPermission resolved = permissionMap.get(scope);
    if (resolved != null) {
        perms.add(resolved);
        return;
    }
    throw new OAuthServiceException("Unexpected scope: " + scope);
}
use of org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException in project cxf by apache.
the class AuthorizationCodeGrantService method createGrant.
/**
 * Mints an authorization code for an approved authorization request and
 * delivers it to the client in the form dictated by the redirection state:
 * an out-of-band response when no redirect URI is registered, an HTML form
 * post when the state asks for one, or otherwise a 303 redirect carrying the
 * code as a query parameter.
 *
 * @param state the pending authorization request (state value, redirect URI, response mode)
 * @param client the client the code is issued to
 * @param requestedScope the scopes the client asked for
 * @param approvedScope the scopes the resource owner approved
 * @param userSubject the authenticated resource owner
 * @param preauthorizedToken an existing token to associate with the code, or {@code null}
 * @return the response delivering the code, or an {@code access_denied} error
 *         response if the grant could not be created
 */
protected Response createGrant(OAuthRedirectionState state, Client client, List<String> requestedScope, List<String> approvedScope, UserSubject userSubject, ServerAccessToken preauthorizedToken) {
    // A code is always minted in this flow; the preauthorized token (if any) is
    // picked up again by the authorization code grant handler when the code is redeemed.
    final ServerAuthorizationCodeGrant grant;
    try {
        grant = getGrantRepresentation(state, client, requestedScope, approvedScope, userSubject, preauthorizedToken);
    } catch (OAuthServiceException ex) {
        // Grant creation failures are surfaced to the client as access_denied
        return createErrorResponse(state.getState(), state.getRedirectUri(), OAuthConstants.ACCESS_DENIED);
    }
    final String code = processCodeGrant(client, grant.getCode(), grant.getSubject());

    if (state.getRedirectUri() == null) {
        // No redirect URI: hand the code back out-of-band together with the client details
        OOBAuthorizationResponse oob = new OOBAuthorizationResponse();
        oob.setClientId(client.getClientId());
        oob.setClientDescription(client.getApplicationDescription());
        oob.setAuthorizationCode(code);
        oob.setUserId(userSubject.getLogin());
        oob.setExpiresIn(grant.getExpiresIn());
        return deliverOOBResponse(oob);
    }
    if (isFormResponse(state)) {
        // Form post response mode: the browser submits the code to the redirect URI
        FormAuthorizationResponse form = new FormAuthorizationResponse();
        form.setAuthorizationCode(code);
        form.setExpiresIn(grant.getExpiresIn());
        form.setState(state.getState());
        form.setRedirectUri(state.getRedirectUri());
        return createHtmlResponse(form);
    }
    // Default: append the code as a query parameter to the redirect URI
    UriBuilder target = getRedirectUriBuilder(state.getState(), state.getRedirectUri());
    target.queryParam(OAuthConstants.AUTHORIZATION_CODE_VALUE, code);
    return Response.seeOther(target.build()).build();
}
use of org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException in project cxf by apache.
the class TokenRevocationService method handleTokenRevocation.
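/**
 * Processes an RFC 7009 token revocation request.
 * <p>
 * The client is authenticated first; the {@code token} form parameter is
 * required and {@code token_type_hint}, when present, must be either
 * {@code access_token} or {@code refresh_token}. Failures reported by the
 * data provider while revoking are intentionally not surfaced to the caller.
 *
 * @param params the form parameters of the revocation request
 * @return {@code 200 OK} once the request has been processed, whether or not the
 *         submitted token existed; an error response only for a malformed request
 */
@POST
@Consumes("application/x-www-form-urlencoded")
@Produces("application/json")
public Response handleTokenRevocation(MultivaluedMap<String, String> params) {
    // Make sure the client is authenticated before anything is looked up
    Client client = authenticateClientIfNeeded(params);
    String token = params.getFirst(OAuthConstants.TOKEN_ID);
    if (token == null) {
        // NOTE(review): RFC 7009 treats a missing 'token' parameter as a malformed
        // request (invalid_request); the existing unsupported_token_type code is
        // kept here so clients that depend on it are not affected.
        return createErrorResponse(params, OAuthConstants.UNSUPPORTED_TOKEN_TYPE);
    }
    String tokenTypeHint = params.getFirst(OAuthConstants.TOKEN_TYPE_HINT);
    if (tokenTypeHint != null
        && !OAuthConstants.ACCESS_TOKEN.equals(tokenTypeHint)
        && !OAuthConstants.REFRESH_TOKEN.equals(tokenTypeHint)) {
        return createErrorResponseFromErrorCode(OAuthConstants.UNSUPPORTED_TOKEN_TYPE);
    }
    try {
        getDataProvider().revokeToken(client, token, tokenTypeHint);
    } catch (OAuthServiceException ignored) {
        // Spec (RFC 7009): the authorization server responds with HTTP 200 if the
        // token has been revoked successfully or if the client submitted an
        // invalid token. Swallowing the failure is deliberate; it also avoids
        // telling the caller whether the submitted token was a live one.
    }
    return Response.ok().build();
}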
use of org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException in project cxf by apache.
the class AbstractHawkAccessTokenValidator method validateAccessToken.
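/**
 * Validates a Hawk-authenticated request: resolves the token from the scheme
 * parameters, then (unless signature validation is delegated remotely)
 * recomputes the request MAC with the token's key, compares it in constant
 * time against the client-supplied signature, and finally checks the
 * timestamp and nonce.
 *
 * @param mc the current message context; supplies the request URI and method when
 *           {@code extraProps} does not carry them
 * @param authScheme the authorization scheme name
 * @param authSchemeData the raw scheme parameters from the Authorization header
 * @param extraProps optional properties; {@code HTTP_VERB}/{@code HTTP_URI}, when both
 *                   present, override the values taken from {@code mc}
 * @return the validation describing the authenticated token
 * @throws OAuthServiceException if the token cannot be resolved or the client
 *         signature is not valid Base64
 */
public AccessTokenValidation validateAccessToken(MessageContext mc, String authScheme, String authSchemeData, MultivaluedMap<String, String> extraProps) throws OAuthServiceException {
    Map<String, String> schemeParams = getSchemeParameters(authSchemeData);
    AccessTokenValidation atv = getAccessTokenValidation(mc, authScheme, authSchemeData, extraProps, schemeParams);
    if (isRemoteSignatureValidation()) {
        // The MAC is checked by the remote validation service, not here
        return atv;
    }
    String macKey = atv.getExtraProps().get(OAuthConstants.HAWK_TOKEN_KEY);
    String macAlgo = atv.getExtraProps().get(OAuthConstants.HAWK_TOKEN_ALGORITHM);

    // Prefer an explicitly supplied verb/URI pair; otherwise use the current request's
    HttpRequestProperties httpProps;
    if (extraProps != null && extraProps.containsKey(HTTP_VERB) && extraProps.containsKey(HTTP_URI)) {
        httpProps = new HttpRequestProperties(URI.create(extraProps.getFirst(HTTP_URI)), extraProps.getFirst(HTTP_VERB));
    } else {
        httpProps = new HttpRequestProperties(mc.getUriInfo().getRequestUri(), mc.getHttpServletRequest().getMethod());
    }
    HawkAuthorizationScheme macAuthInfo = new HawkAuthorizationScheme(httpProps, schemeParams);
    String normalizedString = macAuthInfo.getNormalizedRequestString();

    // A request without a signature can never authenticate; reject it as an
    // authorization failure instead of letting a null reach the Base64 decoder.
    String clientMacString = schemeParams.get(OAuthConstants.HAWK_TOKEN_SIGNATURE);
    if (clientMacString == null || clientMacString.isEmpty()) {
        AuthorizationUtils.throwAuthorizationFailure(Collections.singleton(OAuthConstants.HAWK_AUTHORIZATION_SCHEME));
    }
    try {
        HmacAlgorithm hmacAlgo = HmacAlgorithm.toHmacAlgorithm(macAlgo);
        byte[] serverMacData = HmacUtils.computeHmac(macKey, hmacAlgo.getJavaName(), normalizedString);
        byte[] clientMacData = Base64Utility.decode(clientMacString);
        // Constant-time comparison: the check must not leak how many leading
        // bytes of the client's signature were correct
        if (!MessageDigest.isEqual(serverMacData, clientMacData)) {
            AuthorizationUtils.throwAuthorizationFailure(Collections.singleton(OAuthConstants.HAWK_AUTHORIZATION_SCHEME));
        }
    } catch (Base64Exception e) {
        // NOTE(review): a malformed signature is client input, so an authorization
        // failure may fit better than server_error; kept as-is to preserve behaviour.
        throw new OAuthServiceException(OAuthConstants.SERVER_ERROR, e);
    }
    // Timestamp/nonce check (presumably replay protection) only once the MAC is known to be genuine
    validateTimestampNonce(macKey, macAuthInfo.getTimestamp(), macAuthInfo.getNonce());
    return atv;
}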
use of org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException in project cxf by apache.
the class HawkAccessTokenValidator method getAccessTokenValidation.
/**
 * Looks up the Hawk access token identified by the {@code id} scheme parameter
 * and wraps it in an {@link AccessTokenValidation}.
 * <p>
 * The MAC key and algorithm are copied into the validation's extra properties
 * only when the signature is checked locally, or, when validation is delegated
 * remotely, only if the current transport is secure, so the key is not handed
 * out over a plain channel.
 *
 * @param mc the current message context, consulted for transport security
 * @param authScheme the authorization scheme name
 * @param authSchemeData the raw scheme parameters from the Authorization header
 * @param extraProps optional request properties (unused here)
 * @param schemeParams the parsed Hawk scheme parameters
 * @return the validation for the resolved token
 * @throws OAuthServiceException if the provider does not return a {@link HawkAccessToken}
 *         for the id (including a {@code null} result)
 */
protected AccessTokenValidation getAccessTokenValidation(MessageContext mc, String authScheme, String authSchemeData, MultivaluedMap<String, String> extraProps, Map<String, String> schemeParams) {
    String tokenId = schemeParams.get(OAuthConstants.HAWK_TOKEN_ID);
    ServerAccessToken found = dataProvider.getAccessToken(tokenId);
    if (!(found instanceof HawkAccessToken)) {
        throw new OAuthServiceException(OAuthConstants.SERVER_ERROR);
    }
    HawkAccessToken hawkToken = (HawkAccessToken) found;
    AccessTokenValidation validation = new AccessTokenValidation(hawkToken);
    // Local validation always needs the key; remote validation gets it only over a secure channel.
    // OAuth2 PoP token introspection will likely support returning a JWE-encrypted key instead.
    boolean exposeKey = !isRemoteSignatureValidation() || mc.getSecurityContext().isSecure();
    if (exposeKey) {
        validation.getExtraProps().put(OAuthConstants.HAWK_TOKEN_KEY, hawkToken.getMacKey());
        validation.getExtraProps().put(OAuthConstants.HAWK_TOKEN_ALGORITHM, hawkToken.getMacAlgorithm());
    }
    return validation;
}