Examples with InvalidClientException org.forgerock.oauth2.core.exceptions.InvalidClientException used on opensource projects

Example 16 with InvalidClientException

use of org.forgerock.oauth2.core.exceptions.InvalidClientException in project OpenAM by OpenRock.

the class OpenIdConnectAuthorizeRequestValidatorTest method setUp.

@BeforeMethod
public void setUp() throws InvalidClientException, NotFoundException {
    ClientRegistrationStore clientRegistrationStore = mock(ClientRegistrationStore.class);
    clientRegistration = mock(ClientRegistration.class);
    given(clientRegistrationStore.get(anyString(), Matchers.<OAuth2Request>anyObject())).willReturn(clientRegistration);
    requestValidator = new OpenIdConnectAuthorizeRequestValidator(clientRegistrationStore);
}

Example 17 with InvalidClientException

use of org.forgerock.oauth2.core.exceptions.InvalidClientException in project OpenAM by OpenRock.

the class IdTokenClaimGatherer method getRequestingPartyId.

@Override
public String getRequestingPartyId(OAuth2Request oAuth2Request, AccessToken authorizationApiToken, JsonValue claimToken) {
    try {
        SignedJwt idToken = jwtReconstruction.reconstructJwt(claimToken.asString(), SignedJwt.class);
        OAuth2ProviderSettings oAuth2ProviderSettings = oauth2ProviderSettingsFactory.get(oAuth2Request);
        OAuth2Uris oAuth2Uris = oAuth2UrisFactory.get(oAuth2Request);
        byte[] clientSecret = clientRegistrationStore.get(authorizationApiToken.getClientId(), oAuth2Request).getClientSecret().getBytes(Utils.CHARSET);
        KeyPair keyPair = oAuth2ProviderSettings.getServerKeyPair();
        if (!idToken.getClaimsSet().getIssuer().equals(oAuth2Uris.getIssuer())) {
            logger.warn("Issuer of id token, {0}, does not match issuer of authorization server, {1}.", idToken.getClaimsSet().getIssuer(), oAuth2Uris.getIssuer());
            return null;
        }
        if (!verify(clientSecret, keyPair, idToken)) {
            logger.warn("Signature of id token is invalid.");
            return null;
        }
        return idToken.getClaimsSet().getSubject();
    } catch (InvalidClientException e) {
        logger.error("Failed to find client", e);
        return null;
    } catch (NotFoundException | ServerException e) {
        logger.error("Failed to find OAuth2 settings", e);
        return null;
    }
}

Example 18 with InvalidClientException

use of org.forgerock.oauth2.core.exceptions.InvalidClientException in project OpenAM by OpenRock.

the class OpenAMTokenStore method appendIdTokenClaims.

//return all claims from scopes + claims requested in the id_token
private void appendIdTokenClaims(OAuth2Request request, OAuth2ProviderSettings providerSettings, OpenAMOpenIdConnectToken oidcToken) throws ServerException, NotFoundException, InvalidClientException {
    try {
        AccessToken accessToken = request.getToken(AccessToken.class);
        Map<String, Object> userInfo = providerSettings.getUserInfo(accessToken, request).getValues();
        for (Map.Entry<String, Object> claim : userInfo.entrySet()) {
            oidcToken.put(claim.getKey(), claim.getValue());
        }
    } catch (UnauthorizedClientException e) {
        throw failureFactory.getException(request, e.getMessage());
    }
}

Example 19 with InvalidClientException

use of org.forgerock.oauth2.core.exceptions.InvalidClientException in project OpenAM by OpenRock.

the class OpenAMTokenStore method createOpenIDToken.

/**
     * {@inheritDoc}
     */
public OpenIdConnectToken createOpenIDToken(ResourceOwner resourceOwner, String clientId, String authorizationParty, String nonce, String ops, OAuth2Request request) throws ServerException, InvalidClientException, NotFoundException {
    final OAuth2ProviderSettings providerSettings = providerSettingsFactory.get(request);
    OAuth2Uris oAuth2Uris = oauth2UrisFactory.get(request);
    final OpenIdConnectClientRegistration clientRegistration = clientRegistrationStore.get(clientId, request);
    final String algorithm = clientRegistration.getIDTokenSignedResponseAlgorithm();
    final long currentTimeInSeconds = TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis());
    final long exp = TimeUnit.MILLISECONDS.toSeconds(clientRegistration.getJwtTokenLifeTime(providerSettings)) + currentTimeInSeconds;
    final String realm = realmNormaliser.normalise(request.<String>getParameter(REALM));
    final String iss = oAuth2Uris.getIssuer();
    final List<String> amr = getAMRFromAuthModules(request, providerSettings);
    final byte[] clientSecret = clientRegistration.getClientSecret().getBytes(Utils.CHARSET);
    final KeyPair keyPair = providerSettings.getServerKeyPair();
    final String atHash = generateAtHash(algorithm, request, providerSettings);
    final String cHash = generateCHash(algorithm, request, providerSettings);
    final String acr = getAuthenticationContextClassReference(request);
    final String kid = generateKid(providerSettings.getJWKSet(), algorithm);
    final String opsId = UUID.randomUUID().toString();
    final long authTime = resourceOwner.getAuthTime();
    final String subId = clientRegistration.getSubValue(resourceOwner.getId(), providerSettings);
    try {
        tokenStore.create(json(object(field(OAuth2Constants.CoreTokenParams.ID, set(opsId)), field(OAuth2Constants.JWTTokenParams.LEGACY_OPS, set(ops)), field(OAuth2Constants.CoreTokenParams.EXPIRE_TIME, set(Long.toString(TimeUnit.SECONDS.toMillis(exp)))))));
    } catch (CoreTokenException e) {
        logger.error("Unable to create id_token user session token", e);
        throw new ServerException("Could not create token in CTS");
    }
    final OpenAMOpenIdConnectToken oidcToken = new OpenAMOpenIdConnectToken(kid, clientSecret, keyPair, algorithm, iss, subId, clientId, authorizationParty, exp, currentTimeInSeconds, authTime, nonce, opsId, atHash, cHash, acr, amr, realm);
    request.setSession(ops);
    //See spec section 5.4. - add claims to id_token based on 'response_type' parameter
    String responseType = request.getParameter(OAuth2Constants.Params.RESPONSE_TYPE);
    if (providerSettings.isAlwaysAddClaimsToToken() || (responseType != null && responseType.trim().equals(OAuth2Constants.JWTTokenParams.ID_TOKEN))) {
        appendIdTokenClaims(request, providerSettings, oidcToken);
    } else if (providerSettings.getClaimsParameterSupported()) {
        appendRequestedIdTokenClaims(request, providerSettings, oidcToken);
    }
    return oidcToken;
}

Example 20 with InvalidClientException

use of org.forgerock.oauth2.core.exceptions.InvalidClientException in project OpenAM by OpenRock.

the class OpenAMTokenStore method appendRequestedIdTokenClaims.

//See spec section 5.5. - add claims to id_token based on 'claims' parameter in the access token
private void appendRequestedIdTokenClaims(OAuth2Request request, OAuth2ProviderSettings providerSettings, OpenAMOpenIdConnectToken oidcToken) throws ServerException, NotFoundException, InvalidClientException {
    AccessToken accessToken = request.getToken(AccessToken.class);
    String claims;
    if (accessToken != null) {
        claims = (String) accessToken.toMap().get(OAuth2Constants.Custom.CLAIMS);
    } else {
        claims = request.getParameter(OAuth2Constants.Custom.CLAIMS);
    }
    if (claims != null) {
        try {
            JSONObject claimsObject = new JSONObject(claims);
            JSONObject idTokenClaimsRequest = claimsObject.getJSONObject(OAuth2Constants.JWTTokenParams.ID_TOKEN);
            Map<String, Object> userInfo = providerSettings.getUserInfo(accessToken, request).getValues();
            Iterator<String> it = idTokenClaimsRequest.keys();
            while (it.hasNext()) {
                String keyName = it.next();
                if (userInfo.containsKey(keyName)) {
                    oidcToken.put(keyName, userInfo.get(keyName));
                }
            }
        } catch (UnauthorizedClientException e) {
            throw failureFactory.getException(request, e.getMessage());
        } catch (JSONException e) {
        //if claims object not found, fall through
        }
    }
}