Search in sources :

Example 11 with InvalidClientException

use of org.forgerock.oauth2.core.exceptions.InvalidClientException in project OpenAM by OpenRock.

the class ClientCredentialsReader method extractCredentials.

/**
     * Extracts the client's credentials from the OAuth2 request.
     *
     * @param request The OAuth2 request.
     * @param endpoint The endpoint this request should be for, or null to disable audience verification.
     * @return The client's credentials.
     * @throws InvalidRequestException If the request contains multiple client credentials.
     * @throws InvalidClientException If the request does not contain the client's id.
     */
public ClientCredentials extractCredentials(OAuth2Request request, String endpoint) throws InvalidRequestException, InvalidClientException, NotFoundException {
    final Request req = request.getRequest();
    boolean basicAuth = false;
    if (req.getChallengeResponse() != null) {
        basicAuth = true;
    }
    final ClientCredentials client;
    Client.TokenEndpointAuthMethod method = CLIENT_SECRET_POST;
    //jwt type first
    if (JWT_PROFILE_CLIENT_ASSERTION_TYPE.equalsIgnoreCase(request.<String>getParameter(CLIENT_ASSERTION_TYPE))) {
        client = verifyJwtBearer(request, basicAuth, endpoint);
        method = PRIVATE_KEY_JWT;
    } else {
        String clientId = request.getParameter(OAuth2Constants.Params.CLIENT_ID);
        String clientSecret = request.getParameter(OAuth2Constants.Params.CLIENT_SECRET);
        if (basicAuth && clientId != null) {
            logger.error("Client (" + clientId + ") using multiple authentication methods");
            throw new InvalidRequestException("Client authentication failed");
        }
        if (req.getChallengeResponse() != null) {
            final ChallengeResponse challengeResponse = req.getChallengeResponse();
            clientId = challengeResponse.getIdentifier();
            clientSecret = "";
            if (challengeResponse.getSecret() != null && challengeResponse.getSecret().length > 0) {
                clientSecret = String.valueOf(req.getChallengeResponse().getSecret());
            }
            method = CLIENT_SECRET_BASIC;
        }
        if (clientId == null || clientId.isEmpty()) {
            logger.error("Client Id is not set");
            throw failureFactory.getException(request, "Client authentication failed");
        }
        client = new ClientCredentials(clientId, clientSecret == null ? null : clientSecret.toCharArray(), false, basicAuth);
    }
    final OpenIdConnectClientRegistration cr = clientRegistrationStore.get(client.getClientId(), request);
    final Set<String> scopes = cr.getAllowedScopes();
    //if we're accessing the token endpoint, check we're authenticating using the appropriate method
    if (scopes.contains(OAuth2Constants.Params.OPENID) && req.getResourceRef().getLastSegment().equals(OAuth2Constants.Params.ACCESS_TOKEN) && !cr.getTokenEndpointAuthMethod().equals(method.getType())) {
        throw failureFactory.getException(request, "Invalid authentication method for accessing this endpoint.");
    }
    return client;
}
Also used : OpenIdConnectClientRegistration(org.forgerock.openidconnect.OpenIdConnectClientRegistration) TokenEndpointAuthMethod(org.forgerock.openidconnect.Client.TokenEndpointAuthMethod) Request(org.restlet.Request) OAuth2Request(org.forgerock.oauth2.core.OAuth2Request) InvalidRequestException(org.forgerock.oauth2.core.exceptions.InvalidRequestException) Client(org.forgerock.openidconnect.Client) ChallengeResponse(org.restlet.data.ChallengeResponse)

Example 12 with InvalidClientException

use of org.forgerock.oauth2.core.exceptions.InvalidClientException in project OpenAM by OpenRock.

the class OpenIdConnectAuthorizeRequestValidator method validateOpenIdScope.

private void validateOpenIdScope(OAuth2Request request) throws InvalidClientException, InvalidRequestException, InvalidScopeException, NotFoundException {
    final ClientRegistration clientRegistration = clientRegistrationStore.get(request.<String>getParameter(CLIENT_ID), request);
    if (Utils.isOpenIdConnectClient(clientRegistration)) {
        final Set<String> responseTypes = Utils.splitResponseType(request.<String>getParameter(RESPONSE_TYPE));
        Set<String> requestedScopes = Utils.splitScope(request.<String>getParameter(SCOPE));
        if (CollectionUtils.isEmpty(requestedScopes)) {
            requestedScopes = clientRegistration.getDefaultScopes();
        }
        if (!requestedScopes.contains(OPENID)) {
            throw new InvalidRequestException("Missing expected scope=openid from request", Utils.isOpenIdConnectFragmentErrorType(responseTypes) ? FRAGMENT : QUERY);
        }
        validateNonce(request, responseTypes);
    }
}
Also used : ClientRegistration(org.forgerock.oauth2.core.ClientRegistration) InvalidRequestException(org.forgerock.oauth2.core.exceptions.InvalidRequestException)

Example 13 with InvalidClientException

use of org.forgerock.oauth2.core.exceptions.InvalidClientException in project OpenAM by OpenRock.

the class ClientCredentialsReader method verifyJwtBearer.

private ClientCredentials verifyJwtBearer(OAuth2Request request, boolean basicAuth, String endpoint) throws InvalidClientException, InvalidRequestException, NotFoundException {
    final OAuth2Jwt jwt = OAuth2Jwt.create(request.<String>getParameter(CLIENT_ASSERTION));
    final ClientRegistration clientRegistration = clientRegistrationStore.get(jwt.getSubject(), request);
    if (jwt.isExpired()) {
        throw failureFactory.getException(request, "JWT has expired");
    }
    if (!clientRegistration.verifyJwtIdentity(jwt)) {
        throw failureFactory.getException(request, "JWT is not valid");
    }
    if (basicAuth && jwt.getSubject() != null) {
        logger.error("Client (" + jwt.getSubject() + ") using multiple authentication methods");
        throw failureFactory.getException(request, "Client authentication failed");
    }
    if (endpoint != null && !jwt.isIntendedForAudience(endpoint)) {
        throw failureFactory.getException(request, "Audience validation failed");
    }
    return new ClientCredentials(jwt.getSubject(), null, true, false);
}
Also used : OpenIdConnectClientRegistration(org.forgerock.openidconnect.OpenIdConnectClientRegistration) ClientRegistration(org.forgerock.oauth2.core.ClientRegistration) OAuth2Jwt(org.forgerock.oauth2.core.OAuth2Jwt)

Example 14 with InvalidClientException

use of org.forgerock.oauth2.core.exceptions.InvalidClientException in project OpenAM by OpenRock.

the class ClaimsParameterValidatorTest method shouldErrorValidatingJson.

@Test(expectedExceptions = BadRequestException.class)
public void shouldErrorValidatingJson() throws NotFoundException, BadRequestException, RedirectUriMismatchException, InvalidScopeException, InvalidRequestException, InvalidClientException, ServerException, UnsupportedResponseTypeException {
    //given
    OAuth2Request mockRequest = mock(OAuth2Request.class);
    OAuth2ProviderSettings mockProviderSettings = mock(OAuth2ProviderSettings.class);
    String responseTypes = "id_token";
    given(mockProviderSettingsFactory.get(mockRequest)).willReturn(mockProviderSettings);
    given(mockProviderSettings.getClaimsParameterSupported()).willReturn(true);
    given(mockRequest.getParameter(OAuth2Constants.Custom.CLAIMS)).willReturn(invalidClaimsString);
    given(mockRequest.getParameter(OAuth2Constants.Params.RESPONSE_TYPE)).willReturn(responseTypes);
    //when
    claimsParameterValidator.validateRequest(mockRequest);
//then
}
Also used : OAuth2Request(org.forgerock.oauth2.core.OAuth2Request) OAuth2ProviderSettings(org.forgerock.oauth2.core.OAuth2ProviderSettings) Test(org.testng.annotations.Test) BeforeTest(org.testng.annotations.BeforeTest)

Example 15 with InvalidClientException

use of org.forgerock.oauth2.core.exceptions.InvalidClientException in project OpenAM by OpenRock.

the class ClaimsParameterValidatorTest method shouldErrorValidatingResponseType.

@Test(expectedExceptions = BadRequestException.class)
public void shouldErrorValidatingResponseType() throws NotFoundException, BadRequestException, RedirectUriMismatchException, InvalidScopeException, InvalidRequestException, InvalidClientException, ServerException, UnsupportedResponseTypeException {
    //given
    OAuth2Request mockRequest = mock(OAuth2Request.class);
    OAuth2ProviderSettings mockProviderSettings = mock(OAuth2ProviderSettings.class);
    String responseTypes = "id_token";
    given(mockProviderSettingsFactory.get(mockRequest)).willReturn(mockProviderSettings);
    given(mockProviderSettings.getClaimsParameterSupported()).willReturn(true);
    given(mockRequest.getParameter(OAuth2Constants.Custom.CLAIMS)).willReturn(validClaimsString);
    given(mockRequest.getParameter(OAuth2Constants.Params.RESPONSE_TYPE)).willReturn(responseTypes);
    //when
    claimsParameterValidator.validateRequest(mockRequest);
//then
}
Also used : OAuth2Request(org.forgerock.oauth2.core.OAuth2Request) OAuth2ProviderSettings(org.forgerock.oauth2.core.OAuth2ProviderSettings) Test(org.testng.annotations.Test) BeforeTest(org.testng.annotations.BeforeTest)

Aggregations

OAuth2ProviderSettings (org.forgerock.oauth2.core.OAuth2ProviderSettings)14 OAuth2Request (org.forgerock.oauth2.core.OAuth2Request)13 InvalidClientException (org.forgerock.oauth2.core.exceptions.InvalidClientException)12 ClientRegistration (org.forgerock.oauth2.core.ClientRegistration)11 ServerException (org.forgerock.oauth2.core.exceptions.ServerException)8 Test (org.testng.annotations.Test)6 HashSet (java.util.HashSet)5 NotFoundException (org.forgerock.oauth2.core.exceptions.NotFoundException)5 OAuth2Exception (org.forgerock.oauth2.core.exceptions.OAuth2Exception)5 BeforeTest (org.testng.annotations.BeforeTest)5 JsonValue (org.forgerock.json.JsonValue)4 SignedJwt (org.forgerock.json.jose.jws.SignedJwt)4 RedirectUriMismatchException (org.forgerock.oauth2.core.exceptions.RedirectUriMismatchException)4 JSONObject (org.json.JSONObject)4 Request (org.restlet.Request)4 BeforeMethod (org.testng.annotations.BeforeMethod)4 HashMap (java.util.HashMap)3 Map (java.util.Map)3 AccessToken (org.forgerock.oauth2.core.AccessToken)3 ClientRegistrationStore (org.forgerock.oauth2.core.ClientRegistrationStore)3