use of org.forgerock.oauth2.core.OAuth2ProviderSettings in project OpenAM by OpenRock.
the class OpenIDConnectProviderConfiguration method getConfiguration.
/**
 * Gets the OpenID Connect discovery document for the provider serving this request.
 *
 * <p>Only providers that exist and advertise the {@code openid} scope are published; any
 * other realm answers "not found" rather than exposing a partial configuration. Every value
 * in the document comes from the provider settings and the URIs resolved for the request.
 *
 * @param request The OAuth2 request.
 * @return A JsonValue representation of the OpenID configuration.
 * @throws NotFoundException If there is no provider for the request, or it does not support
 *         the {@code openid} scope.
 * @throws OAuth2Exception If the provider settings or URIs cannot be resolved.
 */
public JsonValue getConfiguration(OAuth2Request request) throws OAuth2Exception {
    final OAuth2ProviderSettings providerSettings = providerSettingsFactory.get(request);
    final OAuth2Uris uris = urisFactory.get(request);

    // Evaluated in this order so a missing provider is never asked for its scopes.
    final boolean servesOpenId = providerSettings.exists()
            && providerSettings.getSupportedScopes() != null
            && providerSettings.getSupportedScopes().contains("openid");
    if (!servesOpenId) {
        throw new NotFoundException("Invalid URL");
    }

    final Map<String, Object> discovery = new HashMap<>();
    discovery.put("version", providerSettings.getOpenIDConnectVersion());
    discovery.put("issuer", uris.getIssuer());
    // Endpoint locations, as resolved for this request.
    discovery.put("authorization_endpoint", uris.getAuthorizationEndpoint());
    discovery.put("token_endpoint", uris.getTokenEndpoint());
    discovery.put("userinfo_endpoint", uris.getUserInfoEndpoint());
    discovery.put("check_session_iframe", uris.getCheckSessionEndpoint());
    discovery.put("end_session_endpoint", uris.getEndSessionEndpoint());
    discovery.put("jwks_uri", uris.getJWKSUri());
    discovery.put("registration_endpoint", uris.getClientRegistrationEndpoint());
    // Capabilities, straight from the realm's provider settings.
    discovery.put("claims_supported", providerSettings.getSupportedClaims());
    discovery.put("scopes_supported", providerSettings.getSupportedScopes());
    discovery.put("response_types_supported",
            getResponseTypes(providerSettings.getAllowedResponseTypes().keySet()));
    discovery.put("subject_types_supported", providerSettings.getSupportedSubjectTypes());
    discovery.put("id_token_signing_alg_values_supported",
            providerSettings.getSupportedIDTokenSigningAlgorithms());
    discovery.put("acr_values_supported", providerSettings.getAcrMapping().keySet());
    discovery.put("claims_parameter_supported", providerSettings.getClaimsParameterSupported());
    discovery.put("token_endpoint_auth_methods_supported",
            providerSettings.getEndpointAuthMethodsSupported());
    return new JsonValue(discovery);
}
use of org.forgerock.oauth2.core.OAuth2ProviderSettings in project OpenAM by OpenRock.
the class ClaimsParameterValidator method validateRequest.
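/**
 * Validates the OpenID Connect {@code claims} request parameter when the provider supports it.
 *
 * <p>The parameter is client-supplied and untrusted: it must parse as a JSON object, and when
 * it requests {@code userinfo} claims the request must also produce an access token, since a
 * bare {@code response_type=id_token} never does and the claims could not be retrieved.
 * Anything else about its content is left to the scope validator.
 *
 * @param request The OAuth2 request.
 * @throws BadRequestException If the parameter is not valid JSON, or requests userinfo claims
 *         together with {@code response_type=id_token}.
 * @throws ServerException If the provider settings cannot be read.
 * @throws NotFoundException If there is no provider for the request.
 */
@Override
public void validateRequest(OAuth2Request request) throws InvalidClientException, InvalidRequestException, RedirectUriMismatchException, UnsupportedResponseTypeException, ServerException, BadRequestException, InvalidScopeException, NotFoundException {
    final OAuth2ProviderSettings settings = providerSettingsFactory.get(request);
    final String claims = request.getParameter(OAuth2Constants.Custom.CLAIMS);

    // Nothing to validate when the provider does not support the parameter, or it was not sent.
    if (!settings.getClaimsParameterSupported() || claims == null) {
        return;
    }

    final JSONObject claimsJson;
    try {
        claimsJson = new JSONObject(claims);
    } catch (JSONException e) {
        throw new BadRequestException("Invalid JSON in supplied claims parameter.");
    }

    // optJSONObject yields null when the member is absent or not an object; the previous
    // catch-all around getJSONObject also hid unrelated runtime failures.
    final JSONObject userinfoClaims = claimsJson.optJSONObject(OAuth2Constants.UserinfoEndpoint.USERINFO);
    if (userinfoClaims == null) {
        return;
    }

    // Userinfo claims are served from the UserInfo endpoint, which needs an access token.
    final String responseType = request.getParameter(OAuth2Constants.Params.RESPONSE_TYPE);
    if (responseType != null && responseType.trim().equals(OAuth2Constants.JWTTokenParams.ID_TOKEN)) {
        throw new BadRequestException("Must request an access token when providing userinfo in claims parameter.");
    }
}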
use of org.forgerock.oauth2.core.OAuth2ProviderSettings in project OpenAM by OpenRock.
the class OpenAMTokenStore method createDeviceCode.
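/**
 * {@inheritDoc}
 *
 * <p>The user code is drawn from {@code ALPHABET} using {@code secureRandom}, so one code does
 * not reveal the next. A candidate is only accepted once the CTS reports it unknown; a CTS read
 * failure is treated as a collision, and after {@code NUM_RETRIES} candidates the request fails.
 * The device code itself is a random UUID.
 *
 * @throws ServerException If no unique user code could be produced, or the CTS write failed.
 * @throws NotFoundException If there is no provider for the request.
 */
public DeviceCode createDeviceCode(Set<String> scope, ResourceOwner resourceOwner, String clientId, String nonce, String responseType, String state, String acrValues, String prompt, String uiLocales, String loginHint, Integer maxAge, String claims, OAuth2Request request, String codeChallenge, String codeChallengeMethod) throws ServerException, NotFoundException {
    logger.message("DefaultOAuthTokenStoreImpl::Creating Authorization code");
    final OAuth2ProviderSettings providerSettings = providerSettingsFactory.get(request);
    final String deviceCode = UUID.randomUUID().toString();
    final String userCode = generateUniqueUserCode(request);

    // Lifetime is in seconds; widen to long before scaling so a large setting cannot overflow int.
    final long expiryTime = System.currentTimeMillis() + (1000L * providerSettings.getDeviceCodeLifetime());
    final String resourceOwnerId = resourceOwner == null ? null : resourceOwner.getId();
    final DeviceCode code = new DeviceCode(deviceCode, userCode, resourceOwnerId, clientId, nonce, responseType, state, acrValues, prompt, uiLocales, loginHint, maxAge, claims, expiryTime, scope, realmNormaliser.normalise(request.<String>getParameter(REALM)), codeChallenge, codeChallengeMethod);

    // Store in CTS; both outcomes are audited when audit logging is on.
    try {
        tokenStore.create(code);
        if (auditLogger.isAuditLogEnabled()) {
            String[] obs = { "CREATED_DEVICE_CODE", code.toString() };
            auditLogger.logAccessMessage("CREATED_DEVICE_CODE", obs, null);
        }
    } catch (CoreTokenException e) {
        if (auditLogger.isAuditLogEnabled()) {
            String[] obs = { "FAILED_CREATE_DEVICE_CODE", code.toString() };
            auditLogger.logErrorMessage("FAILED_CREATE_DEVICE_CODE", obs, null);
        }
        logger.error("Unable to create device code " + code, e);
        throw new ServerException("Could not create token in CTS");
    }
    request.setToken(DeviceCode.class, code);
    return code;
}

/**
 * Draws random user-code candidates until one is not already present in the CTS.
 *
 * <p>The builder is emptied at the start of every attempt. Previously it was only cleared when
 * the lookup succeeded, so after a CTS read failure the next candidate was appended to the
 * old one and grew beyond {@code CODE_LENGTH}.
 *
 * @param request The OAuth2 request, used for the CTS lookup.
 * @return A user code of exactly {@code CODE_LENGTH} characters that the CTS does not know.
 * @throws ServerException If {@code NUM_RETRIES} candidates were all rejected.
 * @throws NotFoundException If the CTS lookup reports no provider for the request.
 */
private String generateUniqueUserCode(OAuth2Request request) throws ServerException, NotFoundException {
    final StringBuilder codeBuilder = new StringBuilder(CODE_LENGTH);
    for (int attempt = 0; attempt < NUM_RETRIES; attempt++) {
        codeBuilder.setLength(0);
        for (int k = 0; k < CODE_LENGTH; k++) {
            codeBuilder.append(ALPHABET.charAt(secureRandom.nextInt(ALPHABET.length())));
        }
        final String candidate = codeBuilder.toString();
        try {
            readDeviceCode(candidate, request);
            // Found in the CTS: already in use, draw again.
        } catch (InvalidGrantException e) {
            // Not in the CTS, so the candidate is free.
            return candidate;
        } catch (ServerException e) {
            logger.message("Could not query CTS, assume duplicate to be safe", e);
        }
    }
    throw new ServerException("Could not generate a unique user code");
}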
use of org.forgerock.oauth2.core.OAuth2ProviderSettings in project OpenAM by OpenRock.
the class OpenAMOAuth2ProviderSettingsFactory method getProviderSettings.
/**
 * Returns the provider settings for a realm, creating and caching them on first use.
 *
 * <p>All access to {@code providerSettingsMap} happens under its monitor, so concurrent
 * callers for the same realm do not build duplicate settings objects. Settings for a realm
 * with no OpenID Connect provider are never cached.
 *
 * @param realm The realm whose provider settings are wanted.
 * @return The cached or newly created settings for that realm.
 * @throws NotFoundException If the realm has no OpenID Connect provider.
 */
private OAuth2ProviderSettings getProviderSettings(String realm) throws NotFoundException {
    synchronized (providerSettingsMap) {
        final OAuth2ProviderSettings cached = providerSettingsMap.get(realm);
        if (cached != null) {
            return cached;
        }
        final ResourceSetStore store = resourceSetStoreFactory.create(realm);
        final OAuth2ProviderSettings created = new OpenAMOAuth2ProviderSettings(realm, store, cookieExtractor);
        if (!created.exists()) {
            throw new NotFoundException("No OpenID Connect provider for realm " + realm);
        }
        providerSettingsMap.put(realm, created);
        return created;
    }
}
use of org.forgerock.oauth2.core.OAuth2ProviderSettings in project OpenAM by OpenRock.
the class OpenAMScopeValidator method gatherRequestedClaims.
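/**
 * Generates a map for the claims specifically requested as per Section 5.5 of the spec
 * (the {@code claims} request parameter). Each claim requested under {@code objectName}
 * maps to the set of values suggested for it through its {@code value} and {@code values}
 * members; the set is empty when the claim is requested without any values.
 *
 * <p>The claims JSON is client-supplied. A missing or malformed {@code objectName} member is
 * deliberately treated as "nothing requested" rather than an error, and the {@code essential}
 * flag is not read here.
 *
 * @param providerSettings Provider settings, consulted for whether the claims parameter is enabled.
 * @param claimsJson The raw {@code claims} request parameter, or {@code null} if it was not sent.
 * @param objectName The top-level member to read, such as the userinfo or id_token object.
 * @return Requested claim name to its possibly empty set of suggested values; never {@code null}.
 */
private Map<String, Set<String>> gatherRequestedClaims(OAuth2ProviderSettings providerSettings, String claimsJson, String objectName) {
    final Map<String, Set<String>> requestedClaims = new HashMap<>();
    try {
        // Settings are consulted first so a provider error is logged even when no claims were sent.
        if (!providerSettings.getClaimsParameterSupported() || claimsJson == null) {
            return requestedClaims;
        }
        final JSONObject subClaimsRequest = new JSONObject(claimsJson).getJSONObject(objectName);
        final Iterator<String> it = subClaimsRequest.keys();
        while (it.hasNext()) {
            final String keyName = it.next();
            // A claim may be requested as null (no object); that still counts as requested.
            requestedClaims.put(keyName, suggestedValues(subClaimsRequest.optJSONObject(keyName)));
        }
    } catch (JSONException ignored) {
        // Best effort by design: claims gathered before the failure are kept, the rest dropped.
    } catch (ServerException e) {
        logger.message("Requested Claims Supported not set.");
    }
    return requestedClaims;
}

/**
 * Collects the {@code values} array entries and the {@code value} member of one claim request.
 *
 * @param claimRequest The per-claim request object, or {@code null} if the claim was requested bare.
 * @return The suggested values, empty if none were given.
 * @throws JSONException If an entry of {@code values} cannot be read as a string.
 */
private Set<String> suggestedValues(JSONObject claimRequest) throws JSONException {
    final Set<String> options = new HashSet<>();
    if (claimRequest == null) {
        return options;
    }
    final JSONArray values = claimRequest.optJSONArray(OAuth2Constants.Params.VALUES);
    if (values != null) {
        for (int i = 0; i < values.length(); i++) {
            options.add(values.getString(i));
        }
    }
    // optString yields "" when absent, which the blank check filters out.
    final String value = claimRequest.optString(OAuth2Constants.Params.VALUE);
    if (!StringUtils.isBlank(value)) {
        options.add(value);
    }
    return options;
}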