Example 1 with InvalidClientException
use of org.forgerock.oauth2.core.exceptions.InvalidClientException in project OpenAM by OpenRock.
the class Saml2GrantTypeHandler method handle.
public AccessToken handle(OAuth2Request request) throws InvalidGrantException, InvalidClientException, InvalidRequestException, ServerException, InvalidScopeException, NotFoundException {
String clientId = request.getParameter(OAuth2Constants.Params.CLIENT_ID);
Reject.ifTrue(isEmpty(clientId), "Missing parameter, 'client_id'");
final ClientRegistration clientRegistration = clientRegistrationStore.get(clientId, request);
Reject.ifTrue(isEmpty(request.<String>getParameter("assertion")), "Missing parameter, 'assertion'");
final String assertion = request.getParameter(OAuth2Constants.SAML20.ASSERTION);
logger.trace("Assertion:\n" + assertion);
final byte[] decodedAssertion = Base64.decode(assertion.replace(" ", "+"));
if (decodedAssertion == null) {
logger.error("Decoding assertion failed\nassertion:" + assertion);
}
final String finalAssertion = new String(decodedAssertion);
logger.trace("Decoded assertion:\n" + finalAssertion);
final Assertion assertionObject;
final boolean valid;
try {
final AssertionFactory factory = AssertionFactory.getInstance();
assertionObject = factory.createAssertion(finalAssertion);
valid = validAssertion(assertionObject, getDeploymentUrl(request));
} catch (SAML2Exception e) {
logger.error("Error parsing assertion", e);
throw new InvalidGrantException("Assertion is invalid");
}
if (!valid) {
logger.error("Error parsing assertion");
throw new InvalidGrantException("Assertion is invalid.");
}
logger.trace("Assertion is valid");
final OAuth2ProviderSettings providerSettings = providerSettingsFactory.get(request);
final String validatedClaims = providerSettings.validateRequestedClaims((String) request.getParameter(OAuth2Constants.Custom.CLAIMS));
final String grantType = request.getParameter(OAuth2Constants.Params.GRANT_TYPE);
final Set<String> scope = splitScope(request.<String>getParameter(OAuth2Constants.Params.SCOPE));
final Set<String> validatedScope = providerSettings.validateAccessTokenScope(clientRegistration, scope, request);
logger.trace("Granting scope: " + validatedScope.toString());
logger.trace("Creating token with data: " + clientRegistration.getAccessTokenType() + "\n" + validatedScope.toString() + "\n" + normaliseRealm(request.<String>getParameter(OAuth2Constants.Params.REALM)) + "\n" + assertionObject.getSubject().getNameID().getValue() + "\n" + clientRegistration.getClientId());
final AccessToken accessToken = tokenStore.createAccessToken(grantType, BEARER, null, assertionObject.getSubject().getNameID().getValue(), clientRegistration.getClientId(), null, validatedScope, null, null, validatedClaims, request);
logger.trace("Token created: " + accessToken.toString());
providerSettings.additionalDataToReturnFromTokenEndpoint(accessToken, request);
if (validatedScope != null && !validatedScope.isEmpty()) {
accessToken.put(SCOPE, joinScope(validatedScope));
}
tokenStore.updateAccessToken(accessToken);
return accessToken;
}
Also used :
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
AssertionFactory(com.sun.identity.saml2.assertion.AssertionFactory)
ClientRegistration(org.forgerock.oauth2.core.ClientRegistration)
AccessToken(org.forgerock.oauth2.core.AccessToken)
Assertion(com.sun.identity.saml2.assertion.Assertion)
OAuth2ProviderSettings(org.forgerock.oauth2.core.OAuth2ProviderSettings)
InvalidGrantException(org.forgerock.oauth2.core.exceptions.InvalidGrantException)
Example 2 with InvalidClientException
use of org.forgerock.oauth2.core.exceptions.InvalidClientException in project OpenAM by OpenRock.
the class ClientAuthenticatorImpl method authenticate.
/**
* {@inheritDoc}
*/
public ClientRegistration authenticate(OAuth2Request request, String endpoint) throws InvalidClientException, InvalidRequestException, NotFoundException {
final ClientCredentials clientCredentials = clientCredentialsReader.extractCredentials(request, endpoint);
Reject.ifTrue(isEmpty(clientCredentials.getClientId()), "Missing parameter, 'client_id'");
final String realm = realmNormaliser.normalise(request.<String>getParameter(OAuth2Constants.Custom.REALM));
boolean authenticated = false;
try {
final ClientRegistration clientRegistration = clientRegistrationStore.get(clientCredentials.getClientId(), request);
// Do not need to authenticate public clients
if (!clientRegistration.isConfidential()) {
return clientRegistration;
}
if (!clientCredentials.isAuthenticated() && !authenticate(request, clientCredentials.getClientId(), clientCredentials.getClientSecret(), realm)) {
logger.error("ClientVerifierImpl::Unable to verify password for: " + clientCredentials.getClientId());
throw failureFactory.getException(request, "Client authentication failed");
}
authenticated = true;
return clientRegistration;
} finally {
if (auditLogger.isAuditLogEnabled()) {
if (authenticated) {
String[] obs = { clientCredentials.getClientId() };
auditLogger.logAccessMessage("AUTHENTICATED_CLIENT", obs, null);
} else {
String[] obs = { clientCredentials.getClientId() };
auditLogger.logErrorMessage("FAILED_AUTHENTICATE_CLIENT", obs, null);
}
}
}
}
Also used :
ClientRegistration(org.forgerock.oauth2.core.ClientRegistration)
Example 3 with InvalidClientException
use of org.forgerock.oauth2.core.exceptions.InvalidClientException in project OpenAM by OpenRock.
the class ClientCredentialsReader method extractCredentials.
/**
* Extracts the client's credentials from the OAuth2 request.
*
* @param request The OAuth2 request.
* @param endpoint The endpoint this request should be for, or null to disable audience verification.
* @return The client's credentials.
* @throws InvalidRequestException If the request contains multiple client credentials.
* @throws InvalidClientException If the request does not contain the client's id.
*/
public ClientCredentials extractCredentials(OAuth2Request request, String endpoint) throws InvalidRequestException, InvalidClientException, NotFoundException {
final Request req = request.getRequest();
boolean basicAuth = false;
if (req.getChallengeResponse() != null) {
basicAuth = true;
}
final ClientCredentials client;
Client.TokenEndpointAuthMethod method = CLIENT_SECRET_POST;
//jwt type first
if (JWT_PROFILE_CLIENT_ASSERTION_TYPE.equalsIgnoreCase(request.<String>getParameter(CLIENT_ASSERTION_TYPE))) {
client = verifyJwtBearer(request, basicAuth, endpoint);
method = PRIVATE_KEY_JWT;
} else {
String clientId = request.getParameter(OAuth2Constants.Params.CLIENT_ID);
String clientSecret = request.getParameter(OAuth2Constants.Params.CLIENT_SECRET);
if (basicAuth && clientId != null) {
logger.error("Client (" + clientId + ") using multiple authentication methods");
throw new InvalidRequestException("Client authentication failed");
}
if (req.getChallengeResponse() != null) {
final ChallengeResponse challengeResponse = req.getChallengeResponse();
clientId = challengeResponse.getIdentifier();
clientSecret = "";
if (challengeResponse.getSecret() != null && challengeResponse.getSecret().length > 0) {
clientSecret = String.valueOf(req.getChallengeResponse().getSecret());
}
method = CLIENT_SECRET_BASIC;
}
if (clientId == null || clientId.isEmpty()) {
logger.error("Client Id is not set");
throw failureFactory.getException(request, "Client authentication failed");
}
client = new ClientCredentials(clientId, clientSecret == null ? null : clientSecret.toCharArray(), false, basicAuth);
}
final OpenIdConnectClientRegistration cr = clientRegistrationStore.get(client.getClientId(), request);
final Set<String> scopes = cr.getAllowedScopes();
//if we're accessing the token endpoint, check we're authenticating using the appropriate method
if (scopes.contains(OAuth2Constants.Params.OPENID) && req.getResourceRef().getLastSegment().equals(OAuth2Constants.Params.ACCESS_TOKEN) && !cr.getTokenEndpointAuthMethod().equals(method.getType())) {
throw failureFactory.getException(request, "Invalid authentication method for accessing this endpoint.");
}
return client;
}
Also used :
OpenIdConnectClientRegistration(org.forgerock.openidconnect.OpenIdConnectClientRegistration)
TokenEndpointAuthMethod(org.forgerock.openidconnect.Client.TokenEndpointAuthMethod)
Request(org.restlet.Request)
OAuth2Request(org.forgerock.oauth2.core.OAuth2Request)
InvalidRequestException(org.forgerock.oauth2.core.exceptions.InvalidRequestException)
Client(org.forgerock.openidconnect.Client)
ChallengeResponse(org.restlet.data.ChallengeResponse)
Example 4 with InvalidClientException
use of org.forgerock.oauth2.core.exceptions.InvalidClientException in project OpenAM by OpenRock.
the class OpenIdConnectAuthorizeRequestValidator method validateOpenIdScope.
private void validateOpenIdScope(OAuth2Request request) throws InvalidClientException, InvalidRequestException, InvalidScopeException, NotFoundException {
final ClientRegistration clientRegistration = clientRegistrationStore.get(request.<String>getParameter(CLIENT_ID), request);
if (Utils.isOpenIdConnectClient(clientRegistration)) {
final Set<String> responseTypes = Utils.splitResponseType(request.<String>getParameter(RESPONSE_TYPE));
Set<String> requestedScopes = Utils.splitScope(request.<String>getParameter(SCOPE));
if (CollectionUtils.isEmpty(requestedScopes)) {
requestedScopes = clientRegistration.getDefaultScopes();
}
if (!requestedScopes.contains(OPENID)) {
throw new InvalidRequestException("Missing expected scope=openid from request", Utils.isOpenIdConnectFragmentErrorType(responseTypes) ? FRAGMENT : QUERY);
}
validateNonce(request, responseTypes);
}
}
Also used :
ClientRegistration(org.forgerock.oauth2.core.ClientRegistration)
InvalidRequestException(org.forgerock.oauth2.core.exceptions.InvalidRequestException)
Example 5 with InvalidClientException
use of org.forgerock.oauth2.core.exceptions.InvalidClientException in project OpenAM by OpenRock.
the class ClientCredentialsReader method verifyJwtBearer.
private ClientCredentials verifyJwtBearer(OAuth2Request request, boolean basicAuth, String endpoint) throws InvalidClientException, InvalidRequestException, NotFoundException {
final OAuth2Jwt jwt = OAuth2Jwt.create(request.<String>getParameter(CLIENT_ASSERTION));
final ClientRegistration clientRegistration = clientRegistrationStore.get(jwt.getSubject(), request);
if (jwt.isExpired()) {
throw failureFactory.getException(request, "JWT has expired");
}
if (!clientRegistration.verifyJwtIdentity(jwt)) {
throw failureFactory.getException(request, "JWT is not valid");
}
if (basicAuth && jwt.getSubject() != null) {
logger.error("Client (" + jwt.getSubject() + ") using multiple authentication methods");
throw failureFactory.getException(request, "Client authentication failed");
}
if (endpoint != null && !jwt.isIntendedForAudience(endpoint)) {
throw failureFactory.getException(request, "Audience validation failed");
}
return new ClientCredentials(jwt.getSubject(), null, true, false);
}
Also used :
OpenIdConnectClientRegistration(org.forgerock.openidconnect.OpenIdConnectClientRegistration)
ClientRegistration(org.forgerock.oauth2.core.ClientRegistration)
OAuth2Jwt(org.forgerock.oauth2.core.OAuth2Jwt)
Aggregations
OAuth2ProviderSettings (org.forgerock.oauth2.core.OAuth2ProviderSettings)14
OAuth2Request (org.forgerock.oauth2.core.OAuth2Request)13
InvalidClientException (org.forgerock.oauth2.core.exceptions.InvalidClientException)12
ClientRegistration (org.forgerock.oauth2.core.ClientRegistration)11
ServerException (org.forgerock.oauth2.core.exceptions.ServerException)8
Test (org.testng.annotations.Test)6
HashSet (java.util.HashSet)5
NotFoundException (org.forgerock.oauth2.core.exceptions.NotFoundException)5
OAuth2Exception (org.forgerock.oauth2.core.exceptions.OAuth2Exception)5
BeforeTest (org.testng.annotations.BeforeTest)5
JsonValue (org.forgerock.json.JsonValue)4
SignedJwt (org.forgerock.json.jose.jws.SignedJwt)4
RedirectUriMismatchException (org.forgerock.oauth2.core.exceptions.RedirectUriMismatchException)4
JSONObject (org.json.JSONObject)4
Request (org.restlet.Request)4
BeforeMethod (org.testng.annotations.BeforeMethod)4
HashMap (java.util.HashMap)3
Map (java.util.Map)3
AccessToken (org.forgerock.oauth2.core.AccessToken)3
ClientRegistrationStore (org.forgerock.oauth2.core.ClientRegistrationStore)3
