Use of org.forgerock.oauth2.core.exceptions.InvalidClientException in project OpenAM by OpenRock.
The class ClientCredentialsReader, method extractCredentials.
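/**
 * Extracts the client's credentials from the OAuth2 request.
 * <p>
 * Three client authentication methods are recognised, checked in this order:
 * <ul>
 *   <li>{@code private_key_jwt}: a {@code client_assertion_type} equal to the JWT profile
 *       assertion type, delegated to {@code verifyJwtBearer};</li>
 *   <li>{@code client_secret_basic}: an HTTP challenge response on the underlying request;</li>
 *   <li>{@code client_secret_post}: the {@code client_id} / {@code client_secret} parameters.</li>
 * </ul>
 * A request carrying both a challenge response and a {@code client_id} parameter is rejected,
 * because a client must not use more than one authentication method in a single request
 * (RFC 6749 section 2.3). For clients allowed the {@code openid} scope, a request to the
 * token endpoint must additionally use the authentication method recorded in the client's
 * registration.
 *
 * @param request The OAuth2 request.
 * @param endpoint The endpoint this request should be for, or null to disable audience verification.
 * @return The client's credentials.
 * @throws InvalidRequestException If the request contains multiple client credentials.
 * @throws InvalidClientException If the request does not contain the client's id.
 * @throws NotFoundException Propagated from the underlying lookups (for instance the client registration).
 */
public ClientCredentials extractCredentials(OAuth2Request request, String endpoint) throws InvalidRequestException, InvalidClientException, NotFoundException {
    final Request req = request.getRequest();
    final ChallengeResponse challengeResponse = req.getChallengeResponse();
    final boolean basicAuth = challengeResponse != null;

    final ClientCredentials client;
    Client.TokenEndpointAuthMethod method = CLIENT_SECRET_POST;

    // A JWT bearer assertion takes precedence over the secret-based methods.
    if (JWT_PROFILE_CLIENT_ASSERTION_TYPE.equalsIgnoreCase(request.<String>getParameter(CLIENT_ASSERTION_TYPE))) {
        client = verifyJwtBearer(request, basicAuth, endpoint);
        method = PRIVATE_KEY_JWT;
    } else {
        String clientId = request.getParameter(OAuth2Constants.Params.CLIENT_ID);
        final String postSecret = request.getParameter(OAuth2Constants.Params.CLIENT_SECRET);
        char[] clientSecret = postSecret == null ? null : postSecret.toCharArray();

        if (basicAuth && clientId != null) {
            // Two authentication methods in one request: reject before looking at either secret.
            // NOTE(review): a client_secret parameter sent alongside a challenge response is not
            // detected here; only the client_id parameter is.
            logger.error("Client (" + clientId + ") using multiple authentication methods");
            throw new InvalidRequestException("Client authentication failed");
        }
        if (basicAuth) {
            clientId = challengeResponse.getIdentifier();
            final char[] basicSecret = challengeResponse.getSecret();
            // Keep the secret as char[] instead of round-tripping it through an immutable String;
            // clone so the credentials never alias the ChallengeResponse's own buffer.
            clientSecret = (basicSecret != null && basicSecret.length > 0) ? basicSecret.clone() : new char[0];
            method = CLIENT_SECRET_BASIC;
        }
        if (clientId == null || clientId.isEmpty()) {
            logger.error("Client Id is not set");
            throw failureFactory.getException(request, "Client authentication failed");
        }
        client = new ClientCredentials(clientId, clientSecret, false, basicAuth);
    }

    final OpenIdConnectClientRegistration cr = clientRegistrationStore.get(client.getClientId(), request);
    final Set<String> scopes = cr.getAllowedScopes();
    // For OpenID Connect clients reaching the token endpoint, the method actually used must match
    // the one recorded in the registration. A registration with no recorded method fails closed
    // rather than surfacing a NullPointerException.
    if (scopes.contains(OAuth2Constants.Params.OPENID)
            && OAuth2Constants.Params.ACCESS_TOKEN.equals(req.getResourceRef().getLastSegment())) {
        final String registeredMethod = cr.getTokenEndpointAuthMethod();
        if (registeredMethod == null || !registeredMethod.equals(method.getType())) {
            throw failureFactory.getException(request, "Invalid authentication method for accessing this endpoint.");
        }
    }
    return client;
}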
Use of org.forgerock.oauth2.core.exceptions.InvalidClientException in project OpenAM by OpenRock.
The class OpenIdConnectAuthorizeRequestValidator, method validateOpenIdScope.
/**
 * Checks that an authorization request from an OpenID Connect client asks for the {@code openid} scope.
 * <p>
 * Requests from clients that are not OpenID Connect clients pass through untouched. When the request
 * carries no {@code scope} parameter, the client's registered default scopes are examined instead.
 * The nonce rules for the requested response types are validated afterwards.
 *
 * @param request The OAuth2 request.
 * @throws InvalidRequestException If {@code openid} is missing; the error is routed to the fragment or
 *     the query component depending on the response types.
 * @throws InvalidClientException Propagated from the client registration lookup or nonce validation.
 * @throws InvalidScopeException Propagated from nonce validation.
 * @throws NotFoundException Propagated from the client registration lookup or nonce validation.
 */
private void validateOpenIdScope(OAuth2Request request) throws InvalidClientException, InvalidRequestException, InvalidScopeException, NotFoundException {
    final ClientRegistration registration = clientRegistrationStore.get(request.<String>getParameter(CLIENT_ID), request);
    if (!Utils.isOpenIdConnectClient(registration)) {
        return;
    }
    final Set<String> responseTypes = Utils.splitResponseType(request.<String>getParameter(RESPONSE_TYPE));
    final Set<String> scopesInRequest = Utils.splitScope(request.<String>getParameter(SCOPE));
    // An absent or empty scope parameter falls back to the registered defaults.
    final Set<String> effectiveScopes = CollectionUtils.isEmpty(scopesInRequest)
            ? registration.getDefaultScopes()
            : scopesInRequest;
    if (!effectiveScopes.contains(OPENID)) {
        throw new InvalidRequestException("Missing expected scope=openid from request",
                Utils.isOpenIdConnectFragmentErrorType(responseTypes) ? FRAGMENT : QUERY);
    }
    validateNonce(request, responseTypes);
}
Use of org.forgerock.oauth2.core.exceptions.InvalidClientException in project OpenAM by OpenRock.
The class ClientCredentialsReader, method verifyJwtBearer.
/**
 * Validates a JWT bearer client assertion and returns the credentials of its subject.
 * <p>
 * The assertion's subject selects the client registration. In order, the assertion must be
 * unexpired, must verify against that registration, must not be combined with HTTP Basic
 * authentication, and, when {@code endpoint} is given, must name that endpoint as its audience.
 * Each failed check is reported through {@code failureFactory}, which selects the exception type.
 *
 * @param request The OAuth2 request carrying the {@code client_assertion} parameter.
 * @param basicAuth Whether the request also carries an HTTP challenge response.
 * @param endpoint The endpoint the assertion must be intended for, or null to skip the audience check.
 * @return Credentials for the assertion's subject with no secret; the third constructor flag is
 *     {@code true} here and {@code false} for secret-based clients, presumably marking JWT
 *     authentication (confirm against {@code ClientCredentials}).
 * @throws InvalidClientException If one of the checks above fails.
 * @throws InvalidRequestException If one of the checks above fails.
 * @throws NotFoundException Propagated from the client registration lookup.
 */
private ClientCredentials verifyJwtBearer(OAuth2Request request, boolean basicAuth, String endpoint) throws InvalidClientException, InvalidRequestException, NotFoundException {
    final OAuth2Jwt assertion = OAuth2Jwt.create(request.<String>getParameter(CLIENT_ASSERTION));
    final String subject = assertion.getSubject();
    final ClientRegistration registration = clientRegistrationStore.get(subject, request);

    if (assertion.isExpired()) {
        throw failureFactory.getException(request, "JWT has expired");
    }
    if (!registration.verifyJwtIdentity(assertion)) {
        throw failureFactory.getException(request, "JWT is not valid");
    }
    // Basic credentials alongside an assertion means two authentication methods in one request.
    if (basicAuth && subject != null) {
        logger.error("Client (" + subject + ") using multiple authentication methods");
        throw failureFactory.getException(request, "Client authentication failed");
    }
    // Audience verification is opt-in: callers pass null to skip it.
    if (endpoint != null && !assertion.isIntendedForAudience(endpoint)) {
        throw failureFactory.getException(request, "Audience validation failed");
    }
    return new ClientCredentials(subject, null, true, false);
}
Use of org.forgerock.oauth2.core.exceptions.InvalidClientException in project OpenAM by OpenRock.
The class ClaimsParameterValidatorTest, method shouldErrorValidatingJson.
/**
 * A malformed {@code claims} parameter must be rejected with a {@link BadRequestException}
 * even though the provider advertises claims-parameter support.
 */
@Test(expectedExceptions = BadRequestException.class)
public void shouldErrorValidatingJson() throws NotFoundException, BadRequestException, RedirectUriMismatchException, InvalidScopeException, InvalidRequestException, InvalidClientException, ServerException, UnsupportedResponseTypeException {
    //given
    final OAuth2Request request = mock(OAuth2Request.class);
    final OAuth2ProviderSettings providerSettings = mock(OAuth2ProviderSettings.class);
    final String responseType = "id_token";
    given(mockProviderSettingsFactory.get(request)).willReturn(providerSettings);
    given(providerSettings.getClaimsParameterSupported()).willReturn(true);
    given(request.getParameter(OAuth2Constants.Params.RESPONSE_TYPE)).willReturn(responseType);
    given(request.getParameter(OAuth2Constants.Custom.CLAIMS)).willReturn(invalidClaimsString);
    //when
    claimsParameterValidator.validateRequest(request);
    //then: the expected exception is asserted by the @Test annotation
}
Use of org.forgerock.oauth2.core.exceptions.InvalidClientException in project OpenAM by OpenRock.
The class ClaimsParameterValidatorTest, method shouldErrorValidatingResponseType.
/**
 * A well-formed {@code claims} parameter combined with the {@code id_token} response type must be
 * rejected with a {@link BadRequestException}; the test name suggests the response type is the
 * cause (confirm against the validator).
 */
@Test(expectedExceptions = BadRequestException.class)
public void shouldErrorValidatingResponseType() throws NotFoundException, BadRequestException, RedirectUriMismatchException, InvalidScopeException, InvalidRequestException, InvalidClientException, ServerException, UnsupportedResponseTypeException {
    //given
    final OAuth2Request request = mock(OAuth2Request.class);
    final OAuth2ProviderSettings providerSettings = mock(OAuth2ProviderSettings.class);
    final String responseType = "id_token";
    given(mockProviderSettingsFactory.get(request)).willReturn(providerSettings);
    given(providerSettings.getClaimsParameterSupported()).willReturn(true);
    given(request.getParameter(OAuth2Constants.Params.RESPONSE_TYPE)).willReturn(responseType);
    given(request.getParameter(OAuth2Constants.Custom.CLAIMS)).willReturn(validClaimsString);
    //when
    claimsParameterValidator.validateRequest(request);
    //then: the expected exception is asserted by the @Test annotation
}