Example 11 with InvalidGrantException
use of org.forgerock.oauth2.core.exceptions.InvalidGrantException in project OpenAM by OpenRock.
the class Saml2GrantTypeHandler method handle.
public AccessToken handle(OAuth2Request request) throws InvalidGrantException, InvalidClientException, InvalidRequestException, ServerException, InvalidScopeException, NotFoundException {
String clientId = request.getParameter(OAuth2Constants.Params.CLIENT_ID);
Reject.ifTrue(isEmpty(clientId), "Missing parameter, 'client_id'");
final ClientRegistration clientRegistration = clientRegistrationStore.get(clientId, request);
Reject.ifTrue(isEmpty(request.<String>getParameter("assertion")), "Missing parameter, 'assertion'");
final String assertion = request.getParameter(OAuth2Constants.SAML20.ASSERTION);
logger.trace("Assertion:\n" + assertion);
final byte[] decodedAssertion = Base64.decode(assertion.replace(" ", "+"));
if (decodedAssertion == null) {
logger.error("Decoding assertion failed\nassertion:" + assertion);
}
final String finalAssertion = new String(decodedAssertion);
logger.trace("Decoded assertion:\n" + finalAssertion);
final Assertion assertionObject;
final boolean valid;
try {
final AssertionFactory factory = AssertionFactory.getInstance();
assertionObject = factory.createAssertion(finalAssertion);
valid = validAssertion(assertionObject, getDeploymentUrl(request));
} catch (SAML2Exception e) {
logger.error("Error parsing assertion", e);
throw new InvalidGrantException("Assertion is invalid");
}
if (!valid) {
logger.error("Error parsing assertion");
throw new InvalidGrantException("Assertion is invalid.");
}
logger.trace("Assertion is valid");
final OAuth2ProviderSettings providerSettings = providerSettingsFactory.get(request);
final String validatedClaims = providerSettings.validateRequestedClaims((String) request.getParameter(OAuth2Constants.Custom.CLAIMS));
final String grantType = request.getParameter(OAuth2Constants.Params.GRANT_TYPE);
final Set<String> scope = splitScope(request.<String>getParameter(OAuth2Constants.Params.SCOPE));
final Set<String> validatedScope = providerSettings.validateAccessTokenScope(clientRegistration, scope, request);
logger.trace("Granting scope: " + validatedScope.toString());
logger.trace("Creating token with data: " + clientRegistration.getAccessTokenType() + "\n" + validatedScope.toString() + "\n" + normaliseRealm(request.<String>getParameter(OAuth2Constants.Params.REALM)) + "\n" + assertionObject.getSubject().getNameID().getValue() + "\n" + clientRegistration.getClientId());
final AccessToken accessToken = tokenStore.createAccessToken(grantType, BEARER, null, assertionObject.getSubject().getNameID().getValue(), clientRegistration.getClientId(), null, validatedScope, null, null, validatedClaims, request);
logger.trace("Token created: " + accessToken.toString());
providerSettings.additionalDataToReturnFromTokenEndpoint(accessToken, request);
if (validatedScope != null && !validatedScope.isEmpty()) {
accessToken.put(SCOPE, joinScope(validatedScope));
}
tokenStore.updateAccessToken(accessToken);
return accessToken;
}
Also used :
SAML2Exception(com.sun.identity.saml2.common.SAML2Exception)
AssertionFactory(com.sun.identity.saml2.assertion.AssertionFactory)
ClientRegistration(org.forgerock.oauth2.core.ClientRegistration)
AccessToken(org.forgerock.oauth2.core.AccessToken)
Assertion(com.sun.identity.saml2.assertion.Assertion)
OAuth2ProviderSettings(org.forgerock.oauth2.core.OAuth2ProviderSettings)
InvalidGrantException(org.forgerock.oauth2.core.exceptions.InvalidGrantException)
Example 12 with InvalidGrantException
use of org.forgerock.oauth2.core.exceptions.InvalidGrantException in project OpenAM by OpenRock.
the class AuthorizationRequestEndpointTest method setup.
@BeforeMethod
@SuppressWarnings("unchecked")
public void setup() throws ServerException, InvalidGrantException, NotFoundException, EntitlementException, JSONException {
requestFactory = mock(OAuth2RequestFactory.class);
OAuth2Request oAuth2Request = mock(OAuth2Request.class);
given(requestFactory.create(any(Request.class))).willReturn(oAuth2Request);
given(oAuth2Request.getParameter("realm")).willReturn("REALM");
accessToken = mock(AccessToken.class);
oauth2TokenStore = mock(TokenStore.class);
given(oauth2TokenStore.readAccessToken(Matchers.<OAuth2Request>anyObject(), anyString())).willReturn(accessToken);
given(accessToken.getClientId()).willReturn(RS_CLIENT_ID);
given(accessToken.getResourceOwnerId()).willReturn(REQUESTING_PARTY_ID);
umaAuditLogger = mock(UmaAuditLogger.class);
umaTokenStore = mock(UmaTokenStore.class);
rpt = mock(RequestingPartyToken.class);
given(rpt.getId()).willReturn("1");
permissionTicket = mock(PermissionTicket.class);
given(permissionTicket.getExpiryTime()).willReturn(System.currentTimeMillis() + 10000);
given(permissionTicket.getResourceSetId()).willReturn(RS_ID);
given(permissionTicket.getResourceServerClientId()).willReturn(RS_CLIENT_ID);
given(permissionTicket.getRealm()).willReturn("REALM");
given(umaTokenStore.readPermissionTicket(anyString())).willReturn(permissionTicket);
given(umaTokenStore.createRPT(Matchers.<PermissionTicket>anyObject())).willReturn(rpt);
resourceSetStore = mock(ResourceSetStore.class);
ResourceSetDescription resourceSet = new ResourceSetDescription();
resourceSet.setId(RS_DESCRIPTION_ID);
resourceSet.setResourceOwnerId(RESOURCE_OWNER_ID);
given(resourceSetStore.query(QueryFilter.equalTo(ResourceSetTokenField.RESOURCE_SET_ID, RS_ID))).willReturn(Collections.singleton(resourceSet));
umaProviderSettings = mock(UmaProviderSettings.class);
policyEvaluator = mock(Evaluator.class);
given(umaProviderSettings.getPolicyEvaluator(any(Subject.class), eq(RS_CLIENT_ID.toLowerCase()))).willReturn(policyEvaluator);
given(umaProviderSettings.getUmaTokenStore()).willReturn(umaTokenStore);
umaProviderSettingsFactory = mock(UmaProviderSettingsFactory.class);
given(umaProviderSettingsFactory.get(Matchers.<Request>anyObject())).willReturn(umaProviderSettings);
given(umaProviderSettings.getUmaTokenStore()).willReturn(umaTokenStore);
OAuth2ProviderSettingsFactory oauth2ProviderSettingsFactory = mock(OAuth2ProviderSettingsFactory.class);
OAuth2ProviderSettings oauth2ProviderSettings = mock(OAuth2ProviderSettings.class);
given(oauth2ProviderSettingsFactory.get(any(OAuth2Request.class))).willReturn(oauth2ProviderSettings);
given(oauth2ProviderSettings.getResourceSetStore()).willReturn(resourceSetStore);
OAuth2UrisFactory<RealmInfo> oauth2UrisFactory = mock(OAuth2UrisFactory.class);
OAuth2Uris oauth2Uris = mock(OAuth2Uris.class);
given(oauth2UrisFactory.get(any(OAuth2Request.class))).willReturn(oauth2Uris);
given(oauth2Uris.getIssuer()).willReturn("ISSUER");
pendingRequestsService = mock(PendingRequestsService.class);
Map<String, ClaimGatherer> claimGatherers = new HashMap<>();
idTokenClaimGatherer = mock(IdTokenClaimGatherer.class);
claimGatherers.put(IdTokenClaimGatherer.FORMAT, idTokenClaimGatherer);
ExtensionFilterManager extensionFilterManager = mock(ExtensionFilterManager.class);
requestAuthorizationFilter = mock(RequestAuthorizationFilter.class);
given(extensionFilterManager.getFilters(RequestAuthorizationFilter.class)).willReturn(Collections.singletonList(requestAuthorizationFilter));
UmaExceptionHandler exceptionHandler = mock(UmaExceptionHandler.class);
endpoint = spy(new AuthorizationRequestEndpoint2(umaProviderSettingsFactory, oauth2TokenStore, requestFactory, oauth2ProviderSettingsFactory, oauth2UrisFactory, umaAuditLogger, pendingRequestsService, claimGatherers, extensionFilterManager, exceptionHandler, jacksonRepresentationFactory));
request = mock(Request.class);
given(endpoint.getRequest()).willReturn(request);
response = mock(Response.class);
endpoint.setResponse(response);
requestBody = mock(JSONObject.class);
given(requestBody.toString()).willReturn("{\"ticket\": \"016f84e8-f9b9-11e0-bd6f-0021cc6004de\"}");
entity = mock(JsonRepresentation.class);
given(entity.getJsonObject()).willReturn(requestBody);
}
Also used :
OAuth2Uris(org.forgerock.oauth2.core.OAuth2Uris)
HashMap(java.util.HashMap)
Matchers.anyString(org.mockito.Matchers.anyString)
ResourceSetDescription(org.forgerock.oauth2.resources.ResourceSetDescription)
RealmInfo(org.forgerock.openam.core.RealmInfo)
OAuth2RequestFactory(org.forgerock.oauth2.core.OAuth2RequestFactory)
OAuth2ProviderSettingsFactory(org.forgerock.oauth2.core.OAuth2ProviderSettingsFactory)
AccessToken(org.forgerock.oauth2.core.AccessToken)
ResourceSetStore(org.forgerock.oauth2.resources.ResourceSetStore)
OAuth2ProviderSettings(org.forgerock.oauth2.core.OAuth2ProviderSettings)
UmaAuditLogger(org.forgerock.openam.uma.audit.UmaAuditLogger)
UmaPendingRequest(org.forgerock.openam.sm.datalayer.impl.uma.UmaPendingRequest)
OAuth2Request(org.forgerock.oauth2.core.OAuth2Request)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
Request(org.restlet.Request)
RequestAuthorizationFilter(org.forgerock.openam.uma.extensions.RequestAuthorizationFilter)
Evaluator(com.sun.identity.entitlement.Evaluator)
Subject(javax.security.auth.Subject)
Response(org.restlet.Response)
OAuth2Request(org.forgerock.oauth2.core.OAuth2Request)
JSONObject(org.json.JSONObject)
TokenStore(org.forgerock.oauth2.core.TokenStore)
JsonRepresentation(org.restlet.ext.json.JsonRepresentation)
ExtensionFilterManager(org.forgerock.openam.oauth2.extensions.ExtensionFilterManager)
BeforeMethod(org.testng.annotations.BeforeMethod)
Example 13 with InvalidGrantException
use of org.forgerock.oauth2.core.exceptions.InvalidGrantException in project OpenAM by OpenRock.
the class OpenAMTokenStore method deleteDeviceCode.
@Override
public void deleteDeviceCode(String clientId, String code, OAuth2Request request) throws ServerException, NotFoundException, InvalidGrantException {
try {
readDeviceCode(clientId, code, request);
tokenStore.delete(code);
} catch (CoreTokenException e) {
throw new ServerException("Could not delete user code state");
}
}
Also used :
ServerException(org.forgerock.oauth2.core.exceptions.ServerException)
CoreTokenException(org.forgerock.openam.cts.exceptions.CoreTokenException)
Example 14 with InvalidGrantException
use of org.forgerock.oauth2.core.exceptions.InvalidGrantException in project OpenAM by OpenRock.
the class OpenAMTokenStore method readDeviceCode.
@Override
public DeviceCode readDeviceCode(String clientId, String code, OAuth2Request request) throws ServerException, NotFoundException, InvalidGrantException {
DeviceCode deviceCode = request.getToken(DeviceCode.class);
if (deviceCode == null) {
try {
JsonValue token = tokenStore.read(code);
if (token == null) {
return null;
}
deviceCode = new DeviceCode(token);
} catch (CoreTokenException e) {
logger.error("Unable to read device code corresponding to id: " + code, e);
throw new ServerException("Could not read token in CTS: " + e.getMessage());
}
}
if (!clientId.equals(deviceCode.getClientId())) {
throw new InvalidGrantException();
}
validateTokenRealm(deviceCode.getRealm(), request);
request.setToken(DeviceCode.class, deviceCode);
return deviceCode;
}
Also used :
ServerException(org.forgerock.oauth2.core.exceptions.ServerException)
JsonValue(org.forgerock.json.JsonValue)
DeviceCode(org.forgerock.oauth2.core.DeviceCode)
CoreTokenException(org.forgerock.openam.cts.exceptions.CoreTokenException)
InvalidGrantException(org.forgerock.oauth2.core.exceptions.InvalidGrantException)
Example 15 with InvalidGrantException
use of org.forgerock.oauth2.core.exceptions.InvalidGrantException in project OpenAM by OpenRock.
the class DeviceCodeVerificationResource method verify.
/**
* Handles POST requests to the OAuth2 device/user endpoint.
*/
@Post
public Representation verify(Representation body) throws ServerException, NotFoundException, InvalidGrantException, OAuth2RestletException {
final Request restletRequest = getRequest();
OAuth2Request request = requestFactory.create(restletRequest);
DeviceCode deviceCode;
try {
deviceCode = tokenStore.readDeviceCode(request.<String>getParameter(OAuth2Constants.DeviceCode.USER_CODE), request);
} catch (InvalidGrantException e) {
return getTemplateRepresentation(FORM, request, "not_found");
}
if (deviceCode == null || deviceCode.isIssued()) {
return getTemplateRepresentation(FORM, request, "not_found");
}
addRequestParamsFromDeviceCode(restletRequest, deviceCode);
try {
final String decision = request.getParameter("decision");
if (StringUtils.isNotEmpty(decision)) {
final boolean consentGiven = "allow".equalsIgnoreCase(decision);
final boolean saveConsent = "on".equalsIgnoreCase(request.<String>getParameter("save_consent"));
if (saveConsent) {
saveConsent(request);
}
if (consentGiven) {
ResourceOwner resourceOwner = resourceOwnerSessionValidator.validate(request);
deviceCode.setResourceOwnerId(resourceOwner.getId());
deviceCode.setAuthorized(true);
tokenStore.updateDeviceCode(deviceCode, request);
} else {
tokenStore.deleteDeviceCode(deviceCode.getClientId(), deviceCode.getDeviceCode(), request);
}
} else {
authorizationService.authorize(request);
}
} catch (IllegalArgumentException e) {
if (e.getMessage().contains("client_id")) {
throw new OAuth2RestletException(400, "invalid_request", e.getMessage(), request.<String>getParameter("state"));
}
throw new OAuth2RestletException(400, "invalid_request", e.getMessage(), request.<String>getParameter("redirect_uri"), request.<String>getParameter("state"));
} catch (ResourceOwnerAuthenticationRequired e) {
throw new OAuth2RestletException(e.getStatusCode(), e.getError(), e.getMessage(), e.getRedirectUri().toString(), null);
} catch (ResourceOwnerConsentRequired e) {
return representation.getRepresentation(getContext(), request, "authorize.ftl", getDataModel(e, request));
} catch (InvalidClientException | RedirectUriMismatchException e) {
throw new OAuth2RestletException(e.getStatusCode(), e.getError(), e.getMessage(), request.<String>getParameter("state"));
} catch (OAuth2Exception e) {
throw new OAuth2RestletException(e.getStatusCode(), e.getError(), e.getMessage(), request.<String>getParameter("redirect_uri"), request.<String>getParameter("state"), e.getParameterLocation());
}
return getTemplateRepresentation(THANKS_PAGE, request, null);
}
Also used :
ResourceOwnerAuthenticationRequired(org.forgerock.oauth2.core.exceptions.ResourceOwnerAuthenticationRequired)
RedirectUriMismatchException(org.forgerock.oauth2.core.exceptions.RedirectUriMismatchException)
ResourceOwner(org.forgerock.oauth2.core.ResourceOwner)
ResourceOwnerConsentRequired(org.forgerock.oauth2.core.exceptions.ResourceOwnerConsentRequired)
OAuth2Request(org.forgerock.oauth2.core.OAuth2Request)
Request(org.restlet.Request)
InvalidGrantException(org.forgerock.oauth2.core.exceptions.InvalidGrantException)
OAuth2Request(org.forgerock.oauth2.core.OAuth2Request)
InvalidClientException(org.forgerock.oauth2.core.exceptions.InvalidClientException)
DeviceCode(org.forgerock.oauth2.core.DeviceCode)
OAuth2Exception(org.forgerock.oauth2.core.exceptions.OAuth2Exception)
Post(org.restlet.resource.Post)
Aggregations
InvalidGrantException (org.forgerock.oauth2.core.exceptions.InvalidGrantException)12
ServerException (org.forgerock.oauth2.core.exceptions.ServerException)11
OAuth2Request (org.forgerock.oauth2.core.OAuth2Request)10
AccessToken (org.forgerock.oauth2.core.AccessToken)8
CoreTokenException (org.forgerock.openam.cts.exceptions.CoreTokenException)7
JsonValue (org.forgerock.json.JsonValue)6
OAuth2ProviderSettings (org.forgerock.oauth2.core.OAuth2ProviderSettings)5
Request (org.restlet.Request)5
ChallengeResponse (org.restlet.data.ChallengeResponse)5
NotFoundException (org.forgerock.oauth2.core.exceptions.NotFoundException)4
DeviceCode (org.forgerock.oauth2.core.DeviceCode)3
OAuth2ProviderSettingsFactory (org.forgerock.oauth2.core.OAuth2ProviderSettingsFactory)3
ResourceSetStore (org.forgerock.oauth2.resources.ResourceSetStore)3
ExtensionFilterManager (org.forgerock.openam.oauth2.extensions.ExtensionFilterManager)3
HashMap (java.util.HashMap)2
RefreshToken (org.forgerock.oauth2.core.RefreshToken)2
InvalidRequestException (org.forgerock.oauth2.core.exceptions.InvalidRequestException)2
RestletOAuth2Request (org.forgerock.oauth2.restlet.RestletOAuth2Request)2
UmaPendingRequest (org.forgerock.openam.sm.datalayer.impl.uma.UmaPendingRequest)2
Response (org.restlet.Response)2
