use of org.forgerock.oauth2.core.Token in project OpenAM by OpenRock.
the class EndSession method endSession.
/**
* Handles GET requests to the OpenId Connect end session endpoint for ending OpenId Connect user sessions.
*
* @return The OpenId Connect token of the session that has ended.
* @throws OAuth2RestletException If an error occurs whilst ending the users session.
*/
@Get
public Representation endSession() throws OAuth2RestletException {
final OAuth2Request request = requestFactory.create(getRequest());
final String idToken = request.getParameter(OAuth2Constants.Params.END_SESSION_ID_TOKEN_HINT);
final String redirectUri = request.getParameter(OAuth2Constants.Params.POST_LOGOUT_REDIRECT_URI);
try {
openIDConnectEndSession.endSession(idToken);
if (StringUtils.isNotEmpty(redirectUri)) {
return handleRedirect(request, idToken, redirectUri);
}
} catch (OAuth2Exception e) {
throw new OAuth2RestletException(e.getStatusCode(), e.getError(), e.getMessage(), null);
}
return null;
}
use of org.forgerock.oauth2.core.Token in project OpenAM by OpenRock.
the class IdentityManager method getClientIdentity.
/**
* Gets a client's identity.
*
* @param clientName The client's name.
* @param realm The client's realm.
* @return The Clients identity.
* @throws UnauthorizedClientException If the client's identity cannot be found.
*/
public AMIdentity getClientIdentity(String clientName, String realm) throws UnauthorizedClientException {
final SSOToken token = AccessController.doPrivileged(AdminTokenAction.getInstance());
final AMIdentity amIdentity;
try {
final AMIdentityRepository amIdRepo = new AMIdentityRepository(token, realm);
final IdSearchControl idsc = new IdSearchControl();
idsc.setRecursive(true);
idsc.setAllReturnAttributes(true);
// search for the identity
idsc.setMaxResults(0);
final IdSearchResults searchResults = amIdRepo.searchIdentities(IdType.AGENTONLY, clientName, idsc);
final Set<AMIdentity> results = searchResults.getSearchResults();
if (results == null || results.size() != 1) {
logger.error("No client profile or more than one profile found.");
throw new UnauthorizedClientException("Not able to get client from OpenAM");
}
amIdentity = results.iterator().next();
//if the client is deactivated return null
if (amIdentity.isActive()) {
return amIdentity;
} else {
return null;
}
} catch (Exception e) {
logger.error("Unable to get client AMIdentity: ", e);
throw new UnauthorizedClientException("Not able to get client from OpenAM");
}
}
use of org.forgerock.oauth2.core.Token in project OpenAM by OpenRock.
the class OpenAMClientDAO method read.
/**
* {@inheritDoc}
*/
public Client read(String clientId, OAuth2Request request) throws UnauthorizedClientException {
Map<String, Set<String>> clientAttributes = new HashMap<String, Set<String>>();
try {
AMIdentity theID = null;
final SSOToken token = AccessController.doPrivileged(AdminTokenAction.getInstance());
final String realm = request.getParameter(OAuth2Constants.Custom.REALM);
AMIdentityRepository repo = idRepoFactory.create(realm, token);
IdSearchControl idsc = new IdSearchControl();
idsc.setRecursive(true);
idsc.setAllReturnAttributes(true);
// search for the identity
Set<AMIdentity> results;
idsc.setMaxResults(0);
IdSearchResults searchResults = repo.searchIdentities(IdType.AGENTONLY, clientId, idsc);
results = searchResults.getSearchResults();
if (results == null || results.size() != 1) {
logger.error("OpenAMClientDAO.read(): No client profile or more than one profile found.");
throw new UnauthorizedClientException("Not able to get client from OpenAM");
}
theID = results.iterator().next();
//if the client is deactivated return null
if (!theID.isActive()) {
theID = null;
} else {
clientAttributes = theID.getAttributes();
}
} catch (UnauthorizedClientException e) {
logger.error("OpenAMClientDAO.read(): Unable to get client AMIdentity: ", e);
throw new UnauthorizedClientException("Not able to get client from OpenAM");
} catch (SSOException e) {
logger.error("OpenAMClientDAO.read(): Unable to get client AMIdentity: ", e);
throw new UnauthorizedClientException("Not able to get client from OpenAM");
} catch (IdRepoException e) {
logger.error("OpenAMClientDAO.read(): Unable to get client AMIdentity: ", e);
throw new UnauthorizedClientException("Not able to get client from OpenAM");
}
Client client = createClient(clientAttributes);
client.setClientID(clientId);
return client;
}
use of org.forgerock.oauth2.core.Token in project OpenAM by OpenRock.
the class OpenIDConnectEndSession method endSession.
/**
* Ends an OpenId Connect session.
*
* @param idToken The OpenId Token.
* @throws BadRequestException If the request is malformed.
* @throws ServerException If any internal server error occurs.
*/
public void endSession(String idToken) throws BadRequestException, ServerException {
if (idToken == null || idToken.isEmpty()) {
logger.warn("No id_token_hint parameter supplied to the endSession endpoint");
throw new BadRequestException("The endSession endpoint requires an id_token_hint parameter");
}
JwtReconstruction jwtReconstruction = new JwtReconstruction();
SignedJwt jwt = jwtReconstruction.reconstructJwt(idToken, SignedJwt.class);
JwtClaimsSet claims = jwt.getClaimsSet();
String opsId = (String) claims.getClaim(OAuth2Constants.JWTTokenParams.OPS);
if (opsId == null) {
opsId = (String) claims.getClaim(OAuth2Constants.JWTTokenParams.LEGACY_OPS);
}
openIDConnectProvider.destroySession(opsId);
}
use of org.forgerock.oauth2.core.Token in project OpenAM by OpenRock.
the class ClaimsParameterValidator method validateRequest.
@Override
public void validateRequest(OAuth2Request request) throws InvalidClientException, InvalidRequestException, RedirectUriMismatchException, UnsupportedResponseTypeException, ServerException, BadRequestException, InvalidScopeException, NotFoundException {
final OAuth2ProviderSettings settings = providerSettingsFactory.get(request);
final String claims = request.getParameter(OAuth2Constants.Custom.CLAIMS);
//if we aren't supporting this no need to validate
if (!settings.getClaimsParameterSupported()) {
return;
}
//if we support, but it's not requested, no need to validate
if (claims == null) {
return;
}
final JSONObject claimsJson;
//convert claims into JSON object
try {
claimsJson = new JSONObject(claims);
} catch (JSONException e) {
throw new BadRequestException("Invalid JSON in supplied claims parameter.");
}
JSONObject userinfoClaims = null;
try {
userinfoClaims = claimsJson.getJSONObject(OAuth2Constants.UserinfoEndpoint.USERINFO);
} catch (Exception e) {
//fall through
}
//results in an Access Token being issued to the Client for use at the UserInfo Endpoint.
if (userinfoClaims != null) {
String responseType = request.getParameter(OAuth2Constants.Params.RESPONSE_TYPE);
if (responseType != null && responseType.trim().equals(OAuth2Constants.JWTTokenParams.ID_TOKEN)) {
throw new BadRequestException("Must request an access token when providing " + "userinfo in claims parameter.");
}
}
}
Aggregations