Search in sources :

Example 21 with InvalidClientException

use of org.forgerock.oauth2.core.exceptions.InvalidClientException in project OpenAM by OpenRock.

the class DeviceCodeVerificationResource method verify.

/**
     * Handles POST requests to the OAuth2 device/user endpoint.
     */
@Post
public Representation verify(Representation body) throws ServerException, NotFoundException, InvalidGrantException, OAuth2RestletException {
    final Request restletRequest = getRequest();
    OAuth2Request request = requestFactory.create(restletRequest);
    DeviceCode deviceCode;
    try {
        deviceCode = tokenStore.readDeviceCode(request.<String>getParameter(OAuth2Constants.DeviceCode.USER_CODE), request);
    } catch (InvalidGrantException e) {
        return getTemplateRepresentation(FORM, request, "not_found");
    }
    if (deviceCode == null || deviceCode.isIssued()) {
        return getTemplateRepresentation(FORM, request, "not_found");
    }
    addRequestParamsFromDeviceCode(restletRequest, deviceCode);
    try {
        final String decision = request.getParameter("decision");
        if (StringUtils.isNotEmpty(decision)) {
            final boolean consentGiven = "allow".equalsIgnoreCase(decision);
            final boolean saveConsent = "on".equalsIgnoreCase(request.<String>getParameter("save_consent"));
            if (saveConsent) {
                saveConsent(request);
            }
            if (consentGiven) {
                ResourceOwner resourceOwner = resourceOwnerSessionValidator.validate(request);
                deviceCode.setResourceOwnerId(resourceOwner.getId());
                deviceCode.setAuthorized(true);
                tokenStore.updateDeviceCode(deviceCode, request);
            } else {
                tokenStore.deleteDeviceCode(deviceCode.getClientId(), deviceCode.getDeviceCode(), request);
            }
        } else {
            authorizationService.authorize(request);
        }
    } catch (IllegalArgumentException e) {
        if (e.getMessage().contains("client_id")) {
            throw new OAuth2RestletException(400, "invalid_request", e.getMessage(), request.<String>getParameter("state"));
        }
        throw new OAuth2RestletException(400, "invalid_request", e.getMessage(), request.<String>getParameter("redirect_uri"), request.<String>getParameter("state"));
    } catch (ResourceOwnerAuthenticationRequired e) {
        throw new OAuth2RestletException(e.getStatusCode(), e.getError(), e.getMessage(), e.getRedirectUri().toString(), null);
    } catch (ResourceOwnerConsentRequired e) {
        return representation.getRepresentation(getContext(), request, "authorize.ftl", getDataModel(e, request));
    } catch (InvalidClientException | RedirectUriMismatchException e) {
        throw new OAuth2RestletException(e.getStatusCode(), e.getError(), e.getMessage(), request.<String>getParameter("state"));
    } catch (OAuth2Exception e) {
        throw new OAuth2RestletException(e.getStatusCode(), e.getError(), e.getMessage(), request.<String>getParameter("redirect_uri"), request.<String>getParameter("state"), e.getParameterLocation());
    }
    return getTemplateRepresentation(THANKS_PAGE, request, null);
}
Also used : ResourceOwnerAuthenticationRequired(org.forgerock.oauth2.core.exceptions.ResourceOwnerAuthenticationRequired) RedirectUriMismatchException(org.forgerock.oauth2.core.exceptions.RedirectUriMismatchException) ResourceOwner(org.forgerock.oauth2.core.ResourceOwner) ResourceOwnerConsentRequired(org.forgerock.oauth2.core.exceptions.ResourceOwnerConsentRequired) OAuth2Request(org.forgerock.oauth2.core.OAuth2Request) Request(org.restlet.Request) InvalidGrantException(org.forgerock.oauth2.core.exceptions.InvalidGrantException) OAuth2Request(org.forgerock.oauth2.core.OAuth2Request) InvalidClientException(org.forgerock.oauth2.core.exceptions.InvalidClientException) DeviceCode(org.forgerock.oauth2.core.DeviceCode) OAuth2Exception(org.forgerock.oauth2.core.exceptions.OAuth2Exception) Post(org.restlet.resource.Post)

Example 22 with InvalidClientException

use of org.forgerock.oauth2.core.exceptions.InvalidClientException in project OpenAM by OpenRock.

the class DeviceCodeVerificationResource method saveConsent.

private void saveConsent(OAuth2Request request) throws NotFoundException, ServerException, InvalidScopeException, AccessDeniedException, ResourceOwnerAuthenticationRequired, InteractionRequiredException, BadRequestException, LoginRequiredException, InvalidClientException {
    OAuth2ProviderSettings providerSettings = providerSettingsFactory.get(request);
    ResourceOwner resourceOwner = resourceOwnerSessionValidator.validate(request);
    ClientRegistration clientRegistration = clientRegistrationStore.get(request.<String>getParameter(CLIENT_ID), request);
    Set<String> scope = Utils.splitScope(request.<String>getParameter(SCOPE));
    Set<String> validatedScope = providerSettings.validateAuthorizationScope(clientRegistration, scope, request);
    providerSettings.saveConsent(resourceOwner, clientRegistration.getClientId(), validatedScope);
}
Also used : ClientRegistration(org.forgerock.oauth2.core.ClientRegistration) ResourceOwner(org.forgerock.oauth2.core.ResourceOwner) OAuth2ProviderSettings(org.forgerock.oauth2.core.OAuth2ProviderSettings)

Example 23 with InvalidClientException

use of org.forgerock.oauth2.core.exceptions.InvalidClientException in project OpenAM by OpenRock.

the class DeviceCodeGrantTypeHandlerTest method shouldCatchInvalidClients.

@Test
public void shouldCatchInvalidClients() throws Exception {
    // Given
    InvalidClientException expectedResult = mock(InvalidClientException.class);
    when(expectedResult.getError()).thenReturn("invalid_client");
    Set<String> scope = new HashSet<>();
    mockRequestRealmClientIdClientSecretAndCode("REALM", "CLIENT_ID", "CLIENT_SECRET", "CODE", scope);
    given(clientRegistrationStore.get(anyString(), any(OAuth2Request.class))).willThrow(expectedResult);
    // When
    try {
        grantTypeHandler.handle(request);
        // Then - exception
        fail("Should have exception");
    } catch (OAuth2Exception e) {
        assertThat(e.getError().equals("invalid_client"));
    }
}
Also used : InvalidClientException(org.forgerock.oauth2.core.exceptions.InvalidClientException) OAuth2Exception(org.forgerock.oauth2.core.exceptions.OAuth2Exception) HashSet(java.util.HashSet) Test(org.testng.annotations.Test)

Example 24 with InvalidClientException

use of org.forgerock.oauth2.core.exceptions.InvalidClientException in project OpenAM by OpenRock.

the class DeviceCodeGrantTypeHandlerTest method setup.

@BeforeMethod
public void setup() throws Exception {
    initMocks(this);
    OAuth2ProviderSettingsFactory providerSettingsFactory = mock(OAuth2ProviderSettingsFactory.class);
    when(providerSettingsFactory.get(request)).thenReturn(providerSettings);
    when(providerSettings.getDeviceCodePollInterval()).thenReturn(5);
    when(providerSettings.validateRequestedClaims(anyString())).thenAnswer(new Answer<String>() {

        @Override
        public String answer(InvocationOnMock invocation) throws Throwable {
            return (String) invocation.getArguments()[0];
        }
    });
    OAuth2UrisFactory oAuth2UrisFactory = mock(OAuth2UrisFactory.class);
    when(oAuth2UrisFactory.get(request)).thenReturn(oAuth2Uris);
    ClientAuthenticator clientAuthenticator = mock(ClientAuthenticator.class);
    ClientRegistration clientRegistration = mock(ClientRegistration.class);
    when(clientAuthenticator.authenticate(eq(request), anyString())).thenReturn(clientRegistration);
    accessTokenGenerator = new GrantTypeAccessTokenGenerator(tokenStore);
    when(tokenStore.createAccessToken(anyString(), anyString(), anyString(), anyString(), anyString(), anyString(), anySetOf(String.class), any(RefreshToken.class), anyString(), anyString(), any(OAuth2Request.class))).thenReturn(accessToken);
    when(tokenStore.createRefreshToken(anyString(), anyString(), anyString(), anyString(), anySetOf(String.class), any(OAuth2Request.class), anyString())).thenReturn(refreshToken);
    ClientAuthenticationFailureFactory failureFactory = mock(ClientAuthenticationFailureFactory.class);
    InvalidClientException expectedResult = mock(InvalidClientException.class);
    when(expectedResult.getError()).thenReturn("invalid_client");
    when(failureFactory.getException()).thenReturn(expectedResult);
    when(failureFactory.getException(anyString())).thenReturn(expectedResult);
    when(failureFactory.getException(any(OAuth2Request.class), anyString())).thenReturn(expectedResult);
    grantTypeHandler = new DeviceCodeGrantTypeHandler(providerSettingsFactory, clientAuthenticator, tokenStore, clientRegistrationStore, failureFactory, oAuth2UrisFactory, accessTokenGenerator);
}
Also used : ClientAuthenticationFailureFactory(org.forgerock.oauth2.core.exceptions.ClientAuthenticationFailureFactory) InvocationOnMock(org.mockito.invocation.InvocationOnMock) InvalidClientException(org.forgerock.oauth2.core.exceptions.InvalidClientException) BeforeMethod(org.testng.annotations.BeforeMethod)

Example 25 with InvalidClientException

use of org.forgerock.oauth2.core.exceptions.InvalidClientException in project OpenAM by OpenRock.

the class AuthorizeResource method authorize.

/**
     * Handles GET requests to the OAuth2 authorize endpoint.
     * <br/>
     * This method will be called when a client has requested a resource owner grants it authorization to access a
     * resource.
     *
     * @return The body to be sent in the response to the user agent.
     * @throws OAuth2RestletException If a OAuth2 error occurs whilst processing the authorization request.
     */
@Get
public Representation authorize() throws OAuth2RestletException {
    final OAuth2Request request = requestFactory.create(getRequest());
    for (AuthorizeRequestHook hook : hooks) {
        hook.beforeAuthorizeHandling(request, getRequest(), getResponse());
    }
    try {
        final AuthorizationToken authorizationToken = authorizationService.authorize(request);
        final String redirectUri = getQueryValue("redirect_uri");
        Representation response = representation.toRepresentation(getContext(), getRequest(), getResponse(), authorizationToken, redirectUri);
        for (AuthorizeRequestHook hook : hooks) {
            hook.afterAuthorizeSuccess(request, getRequest(), getResponse());
        }
        return response;
    } catch (IllegalArgumentException e) {
        if (e.getMessage().contains("client_id")) {
            throw new OAuth2RestletException(400, "invalid_request", e.getMessage(), request.<String>getParameter("state"));
        }
        throw new OAuth2RestletException(400, "invalid_request", e.getMessage(), request.<String>getParameter("redirect_uri"), request.<String>getParameter("state"));
    } catch (ResourceOwnerAuthenticationRequired e) {
        throw new OAuth2RestletException(e.getStatusCode(), e.getError(), e.getMessage(), e.getRedirectUri().toString(), null);
    } catch (ResourceOwnerConsentRequired e) {
        return representation.getRepresentation(getContext(), request, "authorize.ftl", getDataModel(e, request));
    } catch (InvalidClientException e) {
        throw new OAuth2RestletException(e.getStatusCode(), e.getError(), e.getMessage(), request.<String>getParameter("state"));
    } catch (RedirectUriMismatchException e) {
        throw new OAuth2RestletException(e.getStatusCode(), e.getError(), e.getMessage(), request.<String>getParameter("state"));
    } catch (OAuth2Exception e) {
        throw new OAuth2RestletException(e.getStatusCode(), e.getError(), e.getMessage(), request.<String>getParameter("redirect_uri"), request.<String>getParameter("state"), e.getParameterLocation());
    }
}
Also used : ResourceOwnerAuthenticationRequired(org.forgerock.oauth2.core.exceptions.ResourceOwnerAuthenticationRequired) OAuth2Request(org.forgerock.oauth2.core.OAuth2Request) AuthorizationToken(org.forgerock.oauth2.core.AuthorizationToken) RedirectUriMismatchException(org.forgerock.oauth2.core.exceptions.RedirectUriMismatchException) ResourceOwnerConsentRequired(org.forgerock.oauth2.core.exceptions.ResourceOwnerConsentRequired) InvalidClientException(org.forgerock.oauth2.core.exceptions.InvalidClientException) Representation(org.restlet.representation.Representation) OAuth2Exception(org.forgerock.oauth2.core.exceptions.OAuth2Exception) Get(org.restlet.resource.Get)

Aggregations

OAuth2ProviderSettings (org.forgerock.oauth2.core.OAuth2ProviderSettings)14 OAuth2Request (org.forgerock.oauth2.core.OAuth2Request)13 InvalidClientException (org.forgerock.oauth2.core.exceptions.InvalidClientException)12 ClientRegistration (org.forgerock.oauth2.core.ClientRegistration)11 ServerException (org.forgerock.oauth2.core.exceptions.ServerException)8 Test (org.testng.annotations.Test)6 HashSet (java.util.HashSet)5 NotFoundException (org.forgerock.oauth2.core.exceptions.NotFoundException)5 OAuth2Exception (org.forgerock.oauth2.core.exceptions.OAuth2Exception)5 BeforeTest (org.testng.annotations.BeforeTest)5 JsonValue (org.forgerock.json.JsonValue)4 SignedJwt (org.forgerock.json.jose.jws.SignedJwt)4 RedirectUriMismatchException (org.forgerock.oauth2.core.exceptions.RedirectUriMismatchException)4 JSONObject (org.json.JSONObject)4 Request (org.restlet.Request)4 BeforeMethod (org.testng.annotations.BeforeMethod)4 HashMap (java.util.HashMap)3 Map (java.util.Map)3 AccessToken (org.forgerock.oauth2.core.AccessToken)3 ClientRegistrationStore (org.forgerock.oauth2.core.ClientRegistrationStore)3