Examples with ClientRegistration org.forgerock.oauth2.core.ClientRegistration used on opensource projects

Search in sources :

Example 6 with ClientRegistration

use of org.forgerock.oauth2.core.ClientRegistration in project OpenAM by OpenRock.

the class AuthorizationServiceImpl method authorize.

/**
     * {@inheritDoc}
     */
public AuthorizationToken authorize(OAuth2Request request) throws ResourceOwnerAuthenticationRequired, ResourceOwnerConsentRequired, InvalidClientException, UnsupportedResponseTypeException, RedirectUriMismatchException, InvalidRequestException, AccessDeniedException, ServerException, LoginRequiredException, BadRequestException, InteractionRequiredException, ResourceOwnerConsentRequiredException, InvalidScopeException, NotFoundException {
    final OAuth2ProviderSettings providerSettings = providerSettingsFactory.get(request);
    for (final AuthorizeRequestValidator requestValidator : requestValidators) {
        requestValidator.validateRequest(request);
    }
    final String clientId = request.getParameter(CLIENT_ID);
    final ClientRegistration clientRegistration = clientRegistrationStore.get(clientId, request);
    final Set<String> scope = Utils.splitScope(request.<String>getParameter(SCOPE));
    //plugin point
    final Set<String> validatedScope = providerSettings.validateAuthorizationScope(clientRegistration, scope, request);
    // is resource owner authenticated?
    final ResourceOwner resourceOwner = resourceOwnerSessionValidator.validate(request);
    final boolean consentSaved = providerSettings.isConsentSaved(resourceOwner, clientRegistration.getClientId(), validatedScope);
    //plugin point
    final boolean haveConsent = consentVerifier.verify(consentSaved, request, clientRegistration);
    if (!haveConsent) {
        String localeParameter = request.getParameter(LOCALE);
        String uiLocaleParameter = request.getParameter(UI_LOCALES);
        Locale locale = getLocale(uiLocaleParameter, localeParameter);
        if (locale == null) {
            locale = request.getLocale();
        }
        UserInfoClaims userInfo = null;
        try {
            userInfo = providerSettings.getUserInfo(request.getToken(AccessToken.class), request);
        } catch (UnauthorizedClientException e) {
            logger.debug("Couldn't get user info - continuing to display consent page without claims.", e);
        }
        String clientName = clientRegistration.getDisplayName(locale);
        if (clientName == null) {
            clientName = clientRegistration.getClientId();
            logger.warn("Client does not have a display name or client name set. using client ID {} for display", clientName);
        }
        final String displayDescription = clientRegistration.getDisplayDescription(locale);
        final String clientDescription = displayDescription == null ? "" : displayDescription;
        final Map<String, String> scopeDescriptions = getScopeDescriptions(validatedScope, clientRegistration.getScopeDescriptions(locale));
        final Map<String, String> claimDescriptions = getClaimDescriptions(userInfo.getValues(), clientRegistration.getClaimDescriptions(locale));
        throw new ResourceOwnerConsentRequired(clientName, clientDescription, scopeDescriptions, claimDescriptions, userInfo, resourceOwner.getName(providerSettings));
    }
    return tokenIssuer.issueTokens(request, clientRegistration, resourceOwner, scope, providerSettings);
}
Also used : Locale(java.util.Locale) UnauthorizedClientException(org.forgerock.oauth2.core.exceptions.UnauthorizedClientException) ResourceOwnerConsentRequired(org.forgerock.oauth2.core.exceptions.ResourceOwnerConsentRequired)

Example 7 with ClientRegistration

use of org.forgerock.oauth2.core.ClientRegistration in project OpenAM by OpenRock.

the class Saml2GrantTypeHandler method handle.

public AccessToken handle(OAuth2Request request) throws InvalidGrantException, InvalidClientException, InvalidRequestException, ServerException, InvalidScopeException, NotFoundException {
    String clientId = request.getParameter(OAuth2Constants.Params.CLIENT_ID);
    Reject.ifTrue(isEmpty(clientId), "Missing parameter, 'client_id'");
    final ClientRegistration clientRegistration = clientRegistrationStore.get(clientId, request);
    Reject.ifTrue(isEmpty(request.<String>getParameter("assertion")), "Missing parameter, 'assertion'");
    final String assertion = request.getParameter(OAuth2Constants.SAML20.ASSERTION);
    logger.trace("Assertion:\n" + assertion);
    final byte[] decodedAssertion = Base64.decode(assertion.replace(" ", "+"));
    if (decodedAssertion == null) {
        logger.error("Decoding assertion failed\nassertion:" + assertion);
    }
    final String finalAssertion = new String(decodedAssertion);
    logger.trace("Decoded assertion:\n" + finalAssertion);
    final Assertion assertionObject;
    final boolean valid;
    try {
        final AssertionFactory factory = AssertionFactory.getInstance();
        assertionObject = factory.createAssertion(finalAssertion);
        valid = validAssertion(assertionObject, getDeploymentUrl(request));
    } catch (SAML2Exception e) {
        logger.error("Error parsing assertion", e);
        throw new InvalidGrantException("Assertion is invalid");
    }
    if (!valid) {
        logger.error("Error parsing assertion");
        throw new InvalidGrantException("Assertion is invalid.");
    }
    logger.trace("Assertion is valid");
    final OAuth2ProviderSettings providerSettings = providerSettingsFactory.get(request);
    final String validatedClaims = providerSettings.validateRequestedClaims((String) request.getParameter(OAuth2Constants.Custom.CLAIMS));
    final String grantType = request.getParameter(OAuth2Constants.Params.GRANT_TYPE);
    final Set<String> scope = splitScope(request.<String>getParameter(OAuth2Constants.Params.SCOPE));
    final Set<String> validatedScope = providerSettings.validateAccessTokenScope(clientRegistration, scope, request);
    logger.trace("Granting scope: " + validatedScope.toString());
    logger.trace("Creating token with data: " + clientRegistration.getAccessTokenType() + "\n" + validatedScope.toString() + "\n" + normaliseRealm(request.<String>getParameter(OAuth2Constants.Params.REALM)) + "\n" + assertionObject.getSubject().getNameID().getValue() + "\n" + clientRegistration.getClientId());
    final AccessToken accessToken = tokenStore.createAccessToken(grantType, BEARER, null, assertionObject.getSubject().getNameID().getValue(), clientRegistration.getClientId(), null, validatedScope, null, null, validatedClaims, request);
    logger.trace("Token created: " + accessToken.toString());
    providerSettings.additionalDataToReturnFromTokenEndpoint(accessToken, request);
    if (validatedScope != null && !validatedScope.isEmpty()) {
        accessToken.put(SCOPE, joinScope(validatedScope));
    }
    tokenStore.updateAccessToken(accessToken);
    return accessToken;
}
Also used : SAML2Exception(com.sun.identity.saml2.common.SAML2Exception) AssertionFactory(com.sun.identity.saml2.assertion.AssertionFactory) ClientRegistration(org.forgerock.oauth2.core.ClientRegistration) AccessToken(org.forgerock.oauth2.core.AccessToken) Assertion(com.sun.identity.saml2.assertion.Assertion) OAuth2ProviderSettings(org.forgerock.oauth2.core.OAuth2ProviderSettings) InvalidGrantException(org.forgerock.oauth2.core.exceptions.InvalidGrantException)

Example 8 with ClientRegistration

use of org.forgerock.oauth2.core.ClientRegistration in project OpenAM by OpenRock.

the class ClientAuthenticatorImpl method authenticate.

/**
     * {@inheritDoc}
     */
public ClientRegistration authenticate(OAuth2Request request, String endpoint) throws InvalidClientException, InvalidRequestException, NotFoundException {
    final ClientCredentials clientCredentials = clientCredentialsReader.extractCredentials(request, endpoint);
    Reject.ifTrue(isEmpty(clientCredentials.getClientId()), "Missing parameter, 'client_id'");
    final String realm = realmNormaliser.normalise(request.<String>getParameter(OAuth2Constants.Custom.REALM));
    boolean authenticated = false;
    try {
        final ClientRegistration clientRegistration = clientRegistrationStore.get(clientCredentials.getClientId(), request);
        // Do not need to authenticate public clients
        if (!clientRegistration.isConfidential()) {
            return clientRegistration;
        }
        if (!clientCredentials.isAuthenticated() && !authenticate(request, clientCredentials.getClientId(), clientCredentials.getClientSecret(), realm)) {
            logger.error("ClientVerifierImpl::Unable to verify password for: " + clientCredentials.getClientId());
            throw failureFactory.getException(request, "Client authentication failed");
        }
        authenticated = true;
        return clientRegistration;
    } finally {
        if (auditLogger.isAuditLogEnabled()) {
            if (authenticated) {
                String[] obs = { clientCredentials.getClientId() };
                auditLogger.logAccessMessage("AUTHENTICATED_CLIENT", obs, null);
            } else {
                String[] obs = { clientCredentials.getClientId() };
                auditLogger.logErrorMessage("FAILED_AUTHENTICATE_CLIENT", obs, null);
            }
        }
    }
}
Also used : ClientRegistration(org.forgerock.oauth2.core.ClientRegistration)

Example 9 with ClientRegistration

use of org.forgerock.oauth2.core.ClientRegistration in project OpenAM by OpenRock.

the class OpenIdConnectAuthorizeRequestValidator method validateOpenIdScope.

private void validateOpenIdScope(OAuth2Request request) throws InvalidClientException, InvalidRequestException, InvalidScopeException, NotFoundException {
    final ClientRegistration clientRegistration = clientRegistrationStore.get(request.<String>getParameter(CLIENT_ID), request);
    if (Utils.isOpenIdConnectClient(clientRegistration)) {
        final Set<String> responseTypes = Utils.splitResponseType(request.<String>getParameter(RESPONSE_TYPE));
        Set<String> requestedScopes = Utils.splitScope(request.<String>getParameter(SCOPE));
        if (CollectionUtils.isEmpty(requestedScopes)) {
            requestedScopes = clientRegistration.getDefaultScopes();
        }
        if (!requestedScopes.contains(OPENID)) {
            throw new InvalidRequestException("Missing expected scope=openid from request", Utils.isOpenIdConnectFragmentErrorType(responseTypes) ? FRAGMENT : QUERY);
        }
        validateNonce(request, responseTypes);
    }
}
Also used : ClientRegistration(org.forgerock.oauth2.core.ClientRegistration) InvalidRequestException(org.forgerock.oauth2.core.exceptions.InvalidRequestException)

Example 10 with ClientRegistration

use of org.forgerock.oauth2.core.ClientRegistration in project OpenAM by OpenRock.

the class ClientCredentialsReader method verifyJwtBearer.

private ClientCredentials verifyJwtBearer(OAuth2Request request, boolean basicAuth, String endpoint) throws InvalidClientException, InvalidRequestException, NotFoundException {
    final OAuth2Jwt jwt = OAuth2Jwt.create(request.<String>getParameter(CLIENT_ASSERTION));
    final ClientRegistration clientRegistration = clientRegistrationStore.get(jwt.getSubject(), request);
    if (jwt.isExpired()) {
        throw failureFactory.getException(request, "JWT has expired");
    }
    if (!clientRegistration.verifyJwtIdentity(jwt)) {
        throw failureFactory.getException(request, "JWT is not valid");
    }
    if (basicAuth && jwt.getSubject() != null) {
        logger.error("Client (" + jwt.getSubject() + ") using multiple authentication methods");
        throw failureFactory.getException(request, "Client authentication failed");
    }
    if (endpoint != null && !jwt.isIntendedForAudience(endpoint)) {
        throw failureFactory.getException(request, "Audience validation failed");
    }
    return new ClientCredentials(jwt.getSubject(), null, true, false);
}
Also used : OpenIdConnectClientRegistration(org.forgerock.openidconnect.OpenIdConnectClientRegistration) ClientRegistration(org.forgerock.oauth2.core.ClientRegistration) OAuth2Jwt(org.forgerock.oauth2.core.OAuth2Jwt)

Aggregations

ClientRegistration (org.forgerock.oauth2.core.ClientRegistration)11 OAuth2ProviderSettings (org.forgerock.oauth2.core.OAuth2ProviderSettings)9 ServerException (org.forgerock.oauth2.core.exceptions.ServerException)6 OpenIdConnectClientRegistration (org.forgerock.openidconnect.OpenIdConnectClientRegistration)6 JsonValue (org.forgerock.json.JsonValue)4 Locale (java.util.Locale)3 SignedJwt (org.forgerock.json.jose.jws.SignedJwt)3 InvalidClientException (org.forgerock.oauth2.core.exceptions.InvalidClientException)3 NotFoundException (org.forgerock.oauth2.core.exceptions.NotFoundException)3 UnauthorizedClientException (org.forgerock.oauth2.core.exceptions.UnauthorizedClientException)3 CoreTokenException (org.forgerock.openam.cts.exceptions.CoreTokenException)3 BeforeMethod (org.testng.annotations.BeforeMethod)3 SSOToken (com.iplanet.sso.SSOToken)2 HashMap (java.util.HashMap)2 AccessToken (org.forgerock.oauth2.core.AccessToken)2 ClientRegistrationStore (org.forgerock.oauth2.core.ClientRegistrationStore)2 ClientAuthenticationFailureFactory (org.forgerock.oauth2.core.exceptions.ClientAuthenticationFailureFactory)2 InvalidRequestException (org.forgerock.oauth2.core.exceptions.InvalidRequestException)2 AMHashMap (com.iplanet.am.sdk.AMHashMap)1 SSOException (com.iplanet.sso.SSOException)1
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial