Example 1 with UserInfoClaims

use of org.forgerock.oauth2.core.UserInfoClaims in project OpenAM by OpenRock.

the class ClaimsParameterValidator method validateRequest.

@Override
public void validateRequest(OAuth2Request request) throws InvalidClientException, InvalidRequestException, RedirectUriMismatchException, UnsupportedResponseTypeException, ServerException, BadRequestException, InvalidScopeException, NotFoundException {
    final OAuth2ProviderSettings settings = providerSettingsFactory.get(request);
    final String claims = request.getParameter(OAuth2Constants.Custom.CLAIMS);
    //if we aren't supporting this no need to validate
    if (!settings.getClaimsParameterSupported()) {
        return;
    }
    //if we support, but it's not requested, no need to validate
    if (claims == null) {
        return;
    }
    final JSONObject claimsJson;
    //convert claims into JSON object
    try {
        claimsJson = new JSONObject(claims);
    } catch (JSONException e) {
        throw new BadRequestException("Invalid JSON in supplied claims parameter.");
    }
    JSONObject userinfoClaims = null;
    try {
        userinfoClaims = claimsJson.getJSONObject(OAuth2Constants.UserinfoEndpoint.USERINFO);
    } catch (Exception e) {
    //fall through
    }
    // OIDC Core 5.5: when the "userinfo" member is used, the request must also use a
    // response_type that results in an Access Token being issued to the Client for use
    // at the UserInfo Endpoint. Only a response_type of exactly "id_token" is rejected
    // here; hybrid types such as "id_token token" or "code id_token" do yield one.
    if (userinfoClaims != null) {
        String responseType = request.getParameter(OAuth2Constants.Params.RESPONSE_TYPE);
        if (responseType != null && responseType.trim().equals(OAuth2Constants.JWTTokenParams.ID_TOKEN)) {
            throw new BadRequestException("Must request an access token when providing " + "userinfo in claims parameter.");
        }
    }
}
Also used : JSONObject(org.json.JSONObject) JSONException(org.json.JSONException) BadRequestException(org.forgerock.oauth2.core.exceptions.BadRequestException) OAuth2ProviderSettings(org.forgerock.oauth2.core.OAuth2ProviderSettings) ServerException(org.forgerock.oauth2.core.exceptions.ServerException) NotFoundException(org.forgerock.oauth2.core.exceptions.NotFoundException) InvalidRequestException(org.forgerock.oauth2.core.exceptions.InvalidRequestException) RedirectUriMismatchException(org.forgerock.oauth2.core.exceptions.RedirectUriMismatchException) JSONException(org.json.JSONException) InvalidClientException(org.forgerock.oauth2.core.exceptions.InvalidClientException) BadRequestException(org.forgerock.oauth2.core.exceptions.BadRequestException) UnsupportedResponseTypeException(org.forgerock.oauth2.core.exceptions.UnsupportedResponseTypeException) InvalidScopeException(org.forgerock.oauth2.core.exceptions.InvalidScopeException)
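The validator above shows the security check OpenAM applies to the OIDC `claims` request parameter: if the client asks for `userinfo` claims, the flow must issue an access token, otherwise nothing could ever be presented to the UserInfo endpoint. The following is an added Python model of that check, not OpenAM code; it generalises the single `equals("id_token")` comparison to space-separated response types and also validates the shape of each claim request object (`essential`, `value`, `values`) per OIDC Core 5.5. The `params` dict, the error class and the function names are assumptions made for the example.

```python
import json

# Response types that result in an access token being issued (OIDC Core 3 and 5.5):
# "code" yields one at the token endpoint, "token" yields one from the
# authorization endpoint. A bare "id_token" (or "none") yields none.
ACCESS_TOKEN_RESPONSE_TYPES = {"code", "token"}

# Members permitted inside an individual claim request object (OIDC Core 5.5.1).
ALLOWED_CLAIM_KEYS = {"essential", "value", "values"}


class ClaimsParameterError(ValueError):
    """Raised when the claims request parameter is malformed or inconsistent."""


def parse_claims_parameter(raw):
    """Parse the 'claims' query parameter into a dict.

    Rejects non-object JSON at the top level and malformed per-claim request
    objects under the 'userinfo' and 'id_token' members.
    """
    try:
        claims = json.loads(raw)
    except ValueError as exc:
        raise ClaimsParameterError("Invalid JSON in supplied claims parameter.") from exc
    if not isinstance(claims, dict):
        raise ClaimsParameterError("claims parameter must be a JSON object.")
    for top_level in ("userinfo", "id_token"):
        member = claims.get(top_level)
        if member is None:
            continue
        if not isinstance(member, dict):
            raise ClaimsParameterError("%s member must be a JSON object." % top_level)
        for name, spec in member.items():
            if spec is None:
                continue  # null means "request this claim, voluntary, any value"
            if not isinstance(spec, dict) or not set(spec) <= ALLOWED_CLAIM_KEYS:
                raise ClaimsParameterError("Unsupported claim request for %r." % name)
    return claims


def validate_claims_request(params, claims_parameter_supported=True):
    """Equivalent of ClaimsParameterValidator.validateRequest, generalised.

    params: dict of authorization request parameters (assumed shape).
    Returns the parsed claims dict, or None when there is nothing to validate,
    and raises ClaimsParameterError on failure.
    """
    # Provider does not support the parameter, or client did not send it: nothing to do.
    if not claims_parameter_supported or "claims" not in params:
        return None
    claims = parse_claims_parameter(params["claims"])
    if "userinfo" in claims:
        # response_type is space-separated; any value containing "code" or "token"
        # produces an access token, so "id_token token" passes while "id_token" fails.
        response_type = set((params.get("response_type") or "").split())
        if not response_type & ACCESS_TOKEN_RESPONSE_TYPES:
            raise ClaimsParameterError(
                "Must request an access token when providing userinfo in claims parameter.")
    return claims


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    good = {"response_type": "code",
            "claims": '{"userinfo": {"email": {"essential": true}}, "id_token": {"acr": null}}'}
    print(validate_claims_request(good))
    bad = {"response_type": "id_token", "claims": '{"userinfo": {"email": null}}'}
    try:
        validate_claims_request(bad)
    except ClaimsParameterError as err:
        print("rejected:", err)
```

Note that the hybrid flow `id_token token` is accepted because it includes `token`; an OP that also supports `response_type=none` gets that rejected for free by the same set intersection.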

Example 2 with UserInfoClaims

use of org.forgerock.oauth2.core.UserInfoClaims in project OpenAM by OpenRock.

the class OidcClaimsExtensionTest method testRequestedClaimsNoScope.

@Test
public void testRequestedClaimsNoScope() throws Exception {
    // Given
    Map<String, Set<String>> requestedClaims = new HashMap<String, Set<String>>();
    requestedClaims.put("given_name", asSet("fred"));
    requestedClaims.put("family_name", asSet("flintstone"));
    Bindings variables = testBindings(asSet("openid"), requestedClaims);
    // When
    UserInfoClaims result = scriptEvaluator.evaluateScript(script, variables);
    // Then
    assertThat(result.getValues()).containsOnly(entry("given_name", "fred"), entry("family_name", "flintstone"));
}
Also used : Set(java.util.Set) HashMap(java.util.HashMap) UserInfoClaims(org.forgerock.oauth2.core.UserInfoClaims) Bindings(javax.script.Bindings) SimpleBindings(javax.script.SimpleBindings) Test(org.testng.annotations.Test)

Example 3 with UserInfoClaims

use of org.forgerock.oauth2.core.UserInfoClaims in project OpenAM by OpenRock.

the class OidcClaimsExtensionTest method testProfileScope.

@Test
public void testProfileScope() throws Exception {
    // Given
    Bindings variables = testBindings(asSet("profile"));
    when(identity.getAttribute("givenname")).thenReturn(asSet("joe"));
    when(identity.getAttribute("sn")).thenReturn(asSet("bloggs"));
    when(identity.getAttribute("preferredtimezone")).thenReturn(asSet("Europe/London"));
    when(identity.getAttribute("preferredlocale")).thenReturn(asSet("en"));
    when(identity.getAttribute("cn")).thenReturn(asSet("Joe Bloggs"));
    // When
    UserInfoClaims result = scriptEvaluator.evaluateScript(script, variables);
    // Then
    assertThat(result.getValues()).containsOnly(entry("given_name", "joe"), entry("family_name", "bloggs"), entry("name", "Joe Bloggs"), entry("zoneinfo", "Europe/London"), entry("locale", "en"));
    assertThat(result.getCompositeScopes()).hasSize(1);
    ArrayList<String> hashProfile = (ArrayList<String>) result.getCompositeScopes().get("profile");
    assertThat(hashProfile).contains("zoneinfo", "name", "locale", "family_name", "given_name");
    assertThat(hashProfile).hasSize(5);
}
Also used : UserInfoClaims(org.forgerock.oauth2.core.UserInfoClaims) ArrayList(java.util.ArrayList) Bindings(javax.script.Bindings) SimpleBindings(javax.script.SimpleBindings) Test(org.testng.annotations.Test)
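The two tests above (`testRequestedClaimsNoScope` and `testProfileScope`) exercise the OIDC claims script that turns granted scopes and explicitly requested claims into `UserInfoClaims`: the values map and the composite scopes map that records which claims each scope actually produced. This is an added Python model of that resolution, not OpenAM's Groovy script; the scope-to-claim table and the claim-to-attribute table are constructed for the example (the `profile` entries follow the attribute names the tests assert), and the rule for client-requested claims is an assumption that reproduces the first test's behaviour.

```python
# Scope -> claims it releases (constructed; "profile" matches the test above).
SCOPE_CLAIMS = {
    "profile": ["given_name", "family_name", "name", "zoneinfo", "locale"],
    "email": ["email"],
    "address": ["address"],
    "phone": ["phone_number"],
}

# Claim -> identity-store attribute (constructed; LDAP-style names as in the test).
CLAIM_ATTRIBUTES = {
    "given_name": "givenname",
    "family_name": "sn",
    "name": "cn",
    "zoneinfo": "preferredtimezone",
    "locale": "preferredlocale",
    "email": "mail",
    "phone_number": "telephonenumber",
}


def _single(values):
    """Collapse a one-element attribute set to its value; keep multi-valued
    attributes as a sorted list; treat missing/empty as None."""
    if not values:
        return None
    values = sorted(values)
    return values[0] if len(values) == 1 else values


def resolve_claims(scopes, identity_attributes, requested_claims=None):
    """Return (values, composite_scopes).

    scopes: set of granted scope names ("openid" itself releases nothing).
    identity_attributes: dict attribute name -> set of values, standing in for
        AMIdentity.getAttribute().
    requested_claims: dict claim name -> set of values from the claims
        parameter (the REQUESTED_CLAIMS script variable).
    values: claim name -> value; composite_scopes: scope -> list of claims
        that resolved, omitting scopes that produced nothing.
    """
    values = {}
    composite_scopes = {}

    # 1. Claims implied by the granted scopes, read from the identity store.
    for scope in scopes:
        resolved = []
        for claim in SCOPE_CLAIMS.get(scope, []):
            value = _single(identity_attributes.get(CLAIM_ATTRIBUTES.get(claim)))
            if value is not None:
                values[claim] = value
                resolved.append(claim)
        if resolved:
            composite_scopes[scope] = resolved

    # 2. Claims named explicitly in the claims parameter, independent of scope.
    for claim, wanted in (requested_claims or {}).items():
        if claim in values:
            continue  # already released via a granted scope
        value = _single(identity_attributes.get(CLAIM_ATTRIBUTES.get(claim)))
        if value is not None:
            values[claim] = value
        elif wanted and len(wanted) == 1:
            # ASSUMPTION, mirroring testRequestedClaimsNoScope above: when the
            # identity has no attribute, the single client-supplied value is
            # returned. That value is client-controlled and unverified; a
            # production script should intersect it with identity data instead.
            values[claim] = next(iter(wanted))
    return values, composite_scopes


if __name__ == "__main__":
    # Constructed identity, same attribute values as testProfileScope.
    joe = {"givenname": {"joe"}, "sn": {"bloggs"}, "cn": {"Joe Bloggs"},
           "preferredtimezone": {"Europe/London"}, "preferredlocale": {"en"}}
    print(resolve_claims({"openid", "profile"}, joe))
    print(resolve_claims({"openid"}, {}, {"given_name": {"fred"}}))
```

The second loop is the one to scrutinise in a real deployment: anything that lets a client-supplied `value` flow straight into an ID token or UserInfo response turns the claims parameter into an attribute-injection channel, so the intersection with identity data is the safer default.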

Example 4 with UserInfoClaims

use of org.forgerock.oauth2.core.UserInfoClaims in project OpenAM by OpenRock.

the class OpenAMScopeValidator method getUserInfo.

/**
     * {@inheritDoc}
     */
public UserInfoClaims getUserInfo(AccessToken token, OAuth2Request request) throws UnauthorizedClientException, NotFoundException {
    Map<String, Object> response = new HashMap<>();
    Bindings scriptVariables = new SimpleBindings();
    SSOToken ssoToken = getUsersSession(request);
    String realm;
    Set<String> scopes;
    AMIdentity id;
    OAuth2ProviderSettings providerSettings = providerSettingsFactory.get(request);
    Map<String, Set<String>> requestedClaimsValues = gatherRequestedClaims(providerSettings, request, token);
    try {
        if (token != null) {
            OpenIdConnectClientRegistration clientRegistration;
            try {
                clientRegistration = clientRegistrationStore.get(token.getClientId(), request);
            } catch (InvalidClientException e) {
                logger.message("Unable to retrieve client from store.");
                throw new NotFoundException("No valid client registration found.");
            }
            final String subId = clientRegistration.getSubValue(token.getResourceOwnerId(), providerSettings);
            //data comes from token when we have one
            realm = token.getRealm();
            scopes = token.getScope();
            id = identityManager.getResourceOwnerIdentity(token.getResourceOwnerId(), realm);
            response.put(OAuth2Constants.JWTTokenParams.SUB, subId);
            response.put(OAuth2Constants.JWTTokenParams.UPDATED_AT, getUpdatedAt(token.getResourceOwnerId(), token.getRealm(), request));
        } else {
            //otherwise we're simply reading claims into the id_token, so grab it from the request/ssoToken
            realm = DNMapper.orgNameToRealmName(ssoToken.getProperty(ISAuthConstants.ORGANIZATION));
            id = identityManager.getResourceOwnerIdentity(ssoToken.getProperty(ISAuthConstants.USER_ID), realm);
            String scopeStr = request.getParameter(OAuth2Constants.Params.SCOPE);
            scopes = splitScope(scopeStr);
        }
        scriptVariables.put(OAuth2Constants.ScriptParams.SCOPES, getScriptFriendlyScopes(scopes));
        scriptVariables.put(OAuth2Constants.ScriptParams.IDENTITY, id);
        scriptVariables.put(OAuth2Constants.ScriptParams.LOGGER, logger);
        scriptVariables.put(OAuth2Constants.ScriptParams.CLAIMS, response);
        scriptVariables.put(OAuth2Constants.ScriptParams.SESSION, ssoToken);
        scriptVariables.put(OAuth2Constants.ScriptParams.REQUESTED_CLAIMS, requestedClaimsValues);
        ScriptObject script = getOIDCClaimsExtensionScript(realm);
        try {
            return scriptEvaluator.evaluateScript(script, scriptVariables);
        } catch (ScriptException e) {
            logger.message("Error running OIDC claims script", e);
            throw new ServerException("Error running OIDC claims script: " + e.getMessage());
        }
    } catch (ServerException e) {
        //API does not allow ServerExceptions to be thrown!
        throw new NotFoundException(e.getMessage());
    } catch (SSOException e) {
        throw new NotFoundException(e.getMessage());
    }
}
Also used : ScriptObject(org.forgerock.openam.scripting.ScriptObject) OpenIdConnectClientRegistration(org.forgerock.openidconnect.OpenIdConnectClientRegistration) SSOToken(com.iplanet.sso.SSOToken) Set(java.util.Set) HashSet(java.util.HashSet) ServerException(org.forgerock.oauth2.core.exceptions.ServerException) AMHashMap(com.iplanet.am.sdk.AMHashMap) HashMap(java.util.HashMap) NotFoundException(org.forgerock.oauth2.core.exceptions.NotFoundException) SSOException(com.iplanet.sso.SSOException) SimpleBindings(javax.script.SimpleBindings) Bindings(javax.script.Bindings) ScriptException(javax.script.ScriptException) SimpleBindings(javax.script.SimpleBindings) AMIdentity(com.sun.identity.idm.AMIdentity) InvalidClientException(org.forgerock.oauth2.core.exceptions.InvalidClientException) JSONObject(org.json.JSONObject) ScriptObject(org.forgerock.openam.scripting.ScriptObject) OAuth2ProviderSettings(org.forgerock.oauth2.core.OAuth2ProviderSettings)

Example 5 with UserInfoClaims

use of org.forgerock.oauth2.core.UserInfoClaims in project OpenAM by OpenRock.

the class AuthorizationServiceImpl method authorize.

/**
     * {@inheritDoc}
     */
public AuthorizationToken authorize(OAuth2Request request) throws ResourceOwnerAuthenticationRequired, ResourceOwnerConsentRequired, InvalidClientException, UnsupportedResponseTypeException, RedirectUriMismatchException, InvalidRequestException, AccessDeniedException, ServerException, LoginRequiredException, BadRequestException, InteractionRequiredException, ResourceOwnerConsentRequiredException, InvalidScopeException, NotFoundException {
    final OAuth2ProviderSettings providerSettings = providerSettingsFactory.get(request);
    for (final AuthorizeRequestValidator requestValidator : requestValidators) {
        requestValidator.validateRequest(request);
    }
    final String clientId = request.getParameter(CLIENT_ID);
    final ClientRegistration clientRegistration = clientRegistrationStore.get(clientId, request);
    final Set<String> scope = Utils.splitScope(request.<String>getParameter(SCOPE));
    //plugin point
    final Set<String> validatedScope = providerSettings.validateAuthorizationScope(clientRegistration, scope, request);
    // is resource owner authenticated?
    final ResourceOwner resourceOwner = resourceOwnerSessionValidator.validate(request);
    final boolean consentSaved = providerSettings.isConsentSaved(resourceOwner, clientRegistration.getClientId(), validatedScope);
    //plugin point
    final boolean haveConsent = consentVerifier.verify(consentSaved, request, clientRegistration);
    if (!haveConsent) {
        String localeParameter = request.getParameter(LOCALE);
        String uiLocaleParameter = request.getParameter(UI_LOCALES);
        Locale locale = getLocale(uiLocaleParameter, localeParameter);
        if (locale == null) {
            locale = request.getLocale();
        }
        UserInfoClaims userInfo = null;
        try {
            userInfo = providerSettings.getUserInfo(request.getToken(AccessToken.class), request);
        } catch (UnauthorizedClientException e) {
            logger.debug("Couldn't get user info - continuing to display consent page without claims.", e);
        }
        String clientName = clientRegistration.getDisplayName(locale);
        if (clientName == null) {
            clientName = clientRegistration.getClientId();
            logger.warn("Client does not have a display name or client name set. using client ID {} for display", clientName);
        }
        final String displayDescription = clientRegistration.getDisplayDescription(locale);
        final String clientDescription = displayDescription == null ? "" : displayDescription;
        final Map<String, String> scopeDescriptions = getScopeDescriptions(validatedScope, clientRegistration.getScopeDescriptions(locale));
        // If getUserInfo threw UnauthorizedClientException above, userInfo is null and
        // userInfo.getValues() would throw NullPointerException; guard so the consent
        // page still renders, just without claim descriptions.
        final Map<String, String> claimDescriptions = userInfo == null
                ? java.util.Collections.<String, String>emptyMap()
                : getClaimDescriptions(userInfo.getValues(), clientRegistration.getClaimDescriptions(locale));
        throw new ResourceOwnerConsentRequired(clientName, clientDescription, scopeDescriptions, claimDescriptions, userInfo, resourceOwner.getName(providerSettings));
    }
    return tokenIssuer.issueTokens(request, clientRegistration, resourceOwner, scope, providerSettings);
}
Also used : Locale(java.util.Locale) UnauthorizedClientException(org.forgerock.oauth2.core.exceptions.UnauthorizedClientException) ResourceOwnerConsentRequired(org.forgerock.oauth2.core.exceptions.ResourceOwnerConsentRequired)

Aggregations

HashMap (java.util.HashMap)4 Set (java.util.Set)4 Bindings (javax.script.Bindings)4 SimpleBindings (javax.script.SimpleBindings)4 UserInfoClaims (org.forgerock.oauth2.core.UserInfoClaims)4 Test (org.testng.annotations.Test)3 SSOException (com.iplanet.sso.SSOException)2 AMIdentity (com.sun.identity.idm.AMIdentity)2 ArrayList (java.util.ArrayList)2 HashSet (java.util.HashSet)2 OAuth2ProviderSettings (org.forgerock.oauth2.core.OAuth2ProviderSettings)2 InvalidClientException (org.forgerock.oauth2.core.exceptions.InvalidClientException)2 NotFoundException (org.forgerock.oauth2.core.exceptions.NotFoundException)2 ServerException (org.forgerock.oauth2.core.exceptions.ServerException)2 UnauthorizedClientException (org.forgerock.oauth2.core.exceptions.UnauthorizedClientException)2 JSONObject (org.json.JSONObject)2 AMHashMap (com.iplanet.am.sdk.AMHashMap)1 SSOToken (com.iplanet.sso.SSOToken)1 IdRepoException (com.sun.identity.idm.IdRepoException)1 Locale (java.util.Locale)1