use of org.forgerock.oauth2.core.OAuth2Request in project OpenAM by OpenRock.
the class OpenAMResourceOwnerAuthenticator method authenticate.
/**
* {@inheritDoc}
*/
public ResourceOwner authenticate(OAuth2Request request, boolean useSession) throws NotFoundException {
SSOToken token = null;
try {
SSOTokenManager mgr = SSOTokenManager.getInstance();
token = mgr.createSSOToken(ServletUtils.getRequest(request.<Request>getRequest()));
} catch (Exception e) {
logger.warning("No SSO Token in request", e);
}
if (token == null || !useSession) {
final String username = request.getParameter(USERNAME);
final char[] password = request.getParameter(PASSWORD) == null ? null : request.<String>getParameter(PASSWORD).toCharArray();
final String realm = realmNormaliser.normalise(request.<String>getParameter(OAuth2Constants.Custom.REALM));
final String authChain = request.getParameter(AUTH_CHAIN);
return authenticate(username, password, realm, authChain);
} else {
try {
final AMIdentity id = IdUtils.getIdentity(AccessController.doPrivileged(AdminTokenAction.getInstance()), token.getProperty(Constants.UNIVERSAL_IDENTIFIER));
long authTime = stringToDate(token.getProperty(ISAuthConstants.AUTH_INSTANT)).getTime();
return new OpenAMResourceOwner(id.getName(), id, authTime);
} catch (SSOException e) {
logger.error("Unable to create ResourceOwner", e);
} catch (ParseException e) {
logger.error("Unable to create ResourceOwner", e);
} catch (IdRepoException e) {
logger.error("Unable to create ResourceOwner", e);
}
}
return null;
}
use of org.forgerock.oauth2.core.OAuth2Request in project OpenAM by OpenRock.
the class OpenAMScopeValidator method getUpdatedAt.
private String getUpdatedAt(String username, String realm, OAuth2Request request) throws NotFoundException {
try {
final OAuth2ProviderSettings providerSettings = providerSettingsFactory.get(request);
String modifyTimestampAttributeName;
String createdTimestampAttributeName;
try {
modifyTimestampAttributeName = providerSettings.getModifiedTimestampAttributeName();
createdTimestampAttributeName = providerSettings.getCreatedTimestampAttributeName();
} catch (ServerException e) {
logger.error("Unable to read last modified attribute from datastore", e);
return DEFAULT_TIMESTAMP;
}
if (modifyTimestampAttributeName == null && createdTimestampAttributeName == null) {
return null;
}
final AMHashMap timestamps = getTimestamps(username, realm, modifyTimestampAttributeName, createdTimestampAttributeName);
final String modifyTimestamp = CollectionHelper.getMapAttr(timestamps, modifyTimestampAttributeName);
if (modifyTimestamp != null) {
synchronized (TIMESTAMP_DATE_FORMAT) {
return Long.toString(TIMESTAMP_DATE_FORMAT.parse(modifyTimestamp).getTime() / 1000);
}
} else {
final String createTimestamp = CollectionHelper.getMapAttr(timestamps, createdTimestampAttributeName);
if (createTimestamp != null) {
synchronized (TIMESTAMP_DATE_FORMAT) {
return Long.toString(TIMESTAMP_DATE_FORMAT.parse(createTimestamp).getTime() / 1000);
}
} else {
return DEFAULT_TIMESTAMP;
}
}
} catch (IdRepoException e) {
if (logger.errorEnabled()) {
logger.error("ScopeValidatorImpl" + ".getUpdatedAt: " + "error searching Identities with username : " + username, e);
}
} catch (SSOException e) {
logger.warning("Error getting updatedAt attribute", e);
} catch (ParseException e) {
logger.warning("Error getting updatedAt attribute", e);
}
return null;
}
use of org.forgerock.oauth2.core.OAuth2Request in project OpenAM by OpenRock.
the class OpenAMScopeValidator method getUserInfo.
/**
* {@inheritDoc}
*/
public UserInfoClaims getUserInfo(AccessToken token, OAuth2Request request) throws UnauthorizedClientException, NotFoundException {
Map<String, Object> response = new HashMap<>();
Bindings scriptVariables = new SimpleBindings();
SSOToken ssoToken = getUsersSession(request);
String realm;
Set<String> scopes;
AMIdentity id;
OAuth2ProviderSettings providerSettings = providerSettingsFactory.get(request);
Map<String, Set<String>> requestedClaimsValues = gatherRequestedClaims(providerSettings, request, token);
try {
if (token != null) {
OpenIdConnectClientRegistration clientRegistration;
try {
clientRegistration = clientRegistrationStore.get(token.getClientId(), request);
} catch (InvalidClientException e) {
logger.message("Unable to retrieve client from store.");
throw new NotFoundException("No valid client registration found.");
}
final String subId = clientRegistration.getSubValue(token.getResourceOwnerId(), providerSettings);
//data comes from token when we have one
realm = token.getRealm();
scopes = token.getScope();
id = identityManager.getResourceOwnerIdentity(token.getResourceOwnerId(), realm);
response.put(OAuth2Constants.JWTTokenParams.SUB, subId);
response.put(OAuth2Constants.JWTTokenParams.UPDATED_AT, getUpdatedAt(token.getResourceOwnerId(), token.getRealm(), request));
} else {
//otherwise we're simply reading claims into the id_token, so grab it from the request/ssoToken
realm = DNMapper.orgNameToRealmName(ssoToken.getProperty(ISAuthConstants.ORGANIZATION));
id = identityManager.getResourceOwnerIdentity(ssoToken.getProperty(ISAuthConstants.USER_ID), realm);
String scopeStr = request.getParameter(OAuth2Constants.Params.SCOPE);
scopes = splitScope(scopeStr);
}
scriptVariables.put(OAuth2Constants.ScriptParams.SCOPES, getScriptFriendlyScopes(scopes));
scriptVariables.put(OAuth2Constants.ScriptParams.IDENTITY, id);
scriptVariables.put(OAuth2Constants.ScriptParams.LOGGER, logger);
scriptVariables.put(OAuth2Constants.ScriptParams.CLAIMS, response);
scriptVariables.put(OAuth2Constants.ScriptParams.SESSION, ssoToken);
scriptVariables.put(OAuth2Constants.ScriptParams.REQUESTED_CLAIMS, requestedClaimsValues);
ScriptObject script = getOIDCClaimsExtensionScript(realm);
try {
return scriptEvaluator.evaluateScript(script, scriptVariables);
} catch (ScriptException e) {
logger.message("Error running OIDC claims script", e);
throw new ServerException("Error running OIDC claims script: " + e.getMessage());
}
} catch (ServerException e) {
//API does not allow ServerExceptions to be thrown!
throw new NotFoundException(e.getMessage());
} catch (SSOException e) {
throw new NotFoundException(e.getMessage());
}
}
use of org.forgerock.oauth2.core.OAuth2Request in project OpenAM by OpenRock.
the class OpenAMTokenStore method createAuthorizationCode.
/**
* {@inheritDoc}
*/
public AuthorizationCode createAuthorizationCode(Set<String> scope, ResourceOwner resourceOwner, String clientId, String redirectUri, String nonce, OAuth2Request request, String codeChallenge, String codeChallengeMethod) throws ServerException, NotFoundException {
logger.message("DefaultOAuthTokenStoreImpl::Creating Authorization code");
OpenIdConnectClientRegistration clientRegistration = getClientRegistration(clientId, request);
final OAuth2ProviderSettings providerSettings = providerSettingsFactory.get(request);
final String code = UUID.randomUUID().toString();
long expiryTime = 0;
if (clientRegistration == null) {
expiryTime = providerSettings.getAuthorizationCodeLifetime() + System.currentTimeMillis();
} else {
expiryTime = clientRegistration.getAuthorizationCodeLifeTime(providerSettings) + System.currentTimeMillis();
}
final String ssoTokenId = getSsoTokenId(request);
final OpenAMAuthorizationCode authorizationCode = new OpenAMAuthorizationCode(code, resourceOwner.getId(), clientId, redirectUri, scope, getClaimsFromRequest(request), expiryTime, nonce, realmNormaliser.normalise(request.<String>getParameter(REALM)), getAuthModulesFromSSOToken(request), getAuthenticationContextClassReferenceFromRequest(request), ssoTokenId, codeChallenge, codeChallengeMethod);
// Store in CTS
try {
tokenStore.create(authorizationCode);
if (auditLogger.isAuditLogEnabled()) {
String[] obs = { "CREATED_AUTHORIZATION_CODE", authorizationCode.toString() };
auditLogger.logAccessMessage("CREATED_AUTHORIZATION_CODE", obs, null);
}
} catch (CoreTokenException e) {
if (auditLogger.isAuditLogEnabled()) {
String[] obs = { "FAILED_CREATE_AUTHORIZATION_CODE", authorizationCode.toString() };
auditLogger.logErrorMessage("FAILED_CREATE_AUTHORIZATION_CODE", obs, null);
}
logger.error("Unable to create authorization code " + authorizationCode.getTokenInfo(), e);
throw new ServerException("Could not create token in CTS");
}
request.setToken(AuthorizationCode.class, authorizationCode);
return authorizationCode;
}
use of org.forgerock.oauth2.core.OAuth2Request in project OpenAM by OpenRock.
the class OpenAMTokenStore method generateAtHash.
/**
* For at_hash values, used when token and id_token exist in scope.
*/
private String generateAtHash(String algorithm, OAuth2Request request, OAuth2ProviderSettings providerSettings) throws ServerException {
final AccessToken accessToken = request.getToken(AccessToken.class);
if (accessToken == null) {
logger.message("at_hash generation requires an existing access_token.");
return null;
}
final String accessTokenValue = ((String) accessToken.getTokenInfo().get(OAuth2Constants.Params.ACCESS_TOKEN));
return generateHash(algorithm, accessTokenValue, providerSettings);
}
Aggregations