Examples with InvalidRequestException org.forgerock.oauth2.core.exceptions.InvalidRequestException used on opensource projects

Example 1 with InvalidRequestException

use of org.forgerock.oauth2.core.exceptions.InvalidRequestException in project OpenAM by OpenRock.

the class OpenAMOpenIdConnectClientRegistrationService method getRegistration.

/**
     * {@inheritDoc}
     */
public JsonValue getRegistration(String clientId, String accessToken, OAuth2Request request) throws InvalidRequestException, InvalidClientMetadata, InvalidTokenException {
    if (clientId != null) {
        final Client client;
        try {
            client = clientDAO.read(clientId, request);
        } catch (UnauthorizedClientException e) {
            logger.error("ConnectClientRegistration.Validate(): Unable to create client", e);
            throw new InvalidClientMetadata();
        }
        if (!client.getAccessToken().equals(accessToken)) {
            //client access token doesn't match the access token supplied in the request
            logger.error("ConnectClientRegistration.getClient(): Invalid accessToken");
            throw new InvalidTokenException();
        }
        //remove the client fields that don't need to be reported.
        client.remove(REGISTRATION_ACCESS_TOKEN.getType());
        final JsonValue response = new JsonValue(convertClientReadResponseFormat(client.asMap()));
        response.put(EXPIRES_AT, 0);
        return response;
    } else {
        logger.error("ConnectClientRegistration.readRequest(): No client id sent");
        throw new InvalidRequestException();
    }
}

Example 2 with InvalidRequestException

use of org.forgerock.oauth2.core.exceptions.InvalidRequestException in project OpenAM by OpenRock.

the class CodeVerifierValidator method validateRequest.

@Override
public void validateRequest(OAuth2Request request) throws InvalidClientException, InvalidRequestException, RedirectUriMismatchException, UnsupportedResponseTypeException, ServerException, BadRequestException, InvalidScopeException, NotFoundException {
    final OAuth2ProviderSettings settings = providerSettingsFactory.get(request);
    if (!settings.isCodeVerifierRequired() || !isAuthCodeRequest(request)) {
        return;
    } else {
        Reject.ifTrue(isEmpty(request.<String>getParameter(OAuth2Constants.Custom.CODE_CHALLENGE)), "Missing parameter, '" + OAuth2Constants.Custom.CODE_CHALLENGE + "'");
        String codeChallengeMethod = request.getParameter(OAuth2Constants.Custom.CODE_CHALLENGE_METHOD);
        if (codeChallengeMethod != null) {
            Reject.ifFalse(codeChallengeMethod.equals(OAuth2Constants.Custom.CODE_CHALLENGE_METHOD_S_256) || codeChallengeMethod.equals(OAuth2Constants.Custom.CODE_CHALLENGE_METHOD_PLAIN), "Invalid value for " + OAuth2Constants.Custom.CODE_CHALLENGE_METHOD);
        }
        return;
    }
}

Example 3 with InvalidRequestException

use of org.forgerock.oauth2.core.exceptions.InvalidRequestException in project OpenAM by OpenRock.

the class ClaimsParameterValidator method validateRequest.

@Override
public void validateRequest(OAuth2Request request) throws InvalidClientException, InvalidRequestException, RedirectUriMismatchException, UnsupportedResponseTypeException, ServerException, BadRequestException, InvalidScopeException, NotFoundException {
    final OAuth2ProviderSettings settings = providerSettingsFactory.get(request);
    final String claims = request.getParameter(OAuth2Constants.Custom.CLAIMS);
    //if we aren't supporting this no need to validate
    if (!settings.getClaimsParameterSupported()) {
        return;
    }
    //if we support, but it's not requested, no need to validate
    if (claims == null) {
        return;
    }
    final JSONObject claimsJson;
    //convert claims into JSON object
    try {
        claimsJson = new JSONObject(claims);
    } catch (JSONException e) {
        throw new BadRequestException("Invalid JSON in supplied claims parameter.");
    }
    JSONObject userinfoClaims = null;
    try {
        userinfoClaims = claimsJson.getJSONObject(OAuth2Constants.UserinfoEndpoint.USERINFO);
    } catch (Exception e) {
    //fall through
    }
    //results in an Access Token being issued to the Client for use at the UserInfo Endpoint.
    if (userinfoClaims != null) {
        String responseType = request.getParameter(OAuth2Constants.Params.RESPONSE_TYPE);
        if (responseType != null && responseType.trim().equals(OAuth2Constants.JWTTokenParams.ID_TOKEN)) {
            throw new BadRequestException("Must request an access token when providing " + "userinfo in claims parameter.");
        }
    }
}

Example 4 with InvalidRequestException

use of org.forgerock.oauth2.core.exceptions.InvalidRequestException in project OpenAM by OpenRock.

the class AuthorizationServiceImpl method authorize.

/**
     * {@inheritDoc}
     */
public AuthorizationToken authorize(OAuth2Request request) throws ResourceOwnerAuthenticationRequired, ResourceOwnerConsentRequired, InvalidClientException, UnsupportedResponseTypeException, RedirectUriMismatchException, InvalidRequestException, AccessDeniedException, ServerException, LoginRequiredException, BadRequestException, InteractionRequiredException, ResourceOwnerConsentRequiredException, InvalidScopeException, NotFoundException {
    final OAuth2ProviderSettings providerSettings = providerSettingsFactory.get(request);
    for (final AuthorizeRequestValidator requestValidator : requestValidators) {
        requestValidator.validateRequest(request);
    }
    final String clientId = request.getParameter(CLIENT_ID);
    final ClientRegistration clientRegistration = clientRegistrationStore.get(clientId, request);
    final Set<String> scope = Utils.splitScope(request.<String>getParameter(SCOPE));
    //plugin point
    final Set<String> validatedScope = providerSettings.validateAuthorizationScope(clientRegistration, scope, request);
    // is resource owner authenticated?
    final ResourceOwner resourceOwner = resourceOwnerSessionValidator.validate(request);
    final boolean consentSaved = providerSettings.isConsentSaved(resourceOwner, clientRegistration.getClientId(), validatedScope);
    //plugin point
    final boolean haveConsent = consentVerifier.verify(consentSaved, request, clientRegistration);
    if (!haveConsent) {
        String localeParameter = request.getParameter(LOCALE);
        String uiLocaleParameter = request.getParameter(UI_LOCALES);
        Locale locale = getLocale(uiLocaleParameter, localeParameter);
        if (locale == null) {
            locale = request.getLocale();
        }
        UserInfoClaims userInfo = null;
        try {
            userInfo = providerSettings.getUserInfo(request.getToken(AccessToken.class), request);
        } catch (UnauthorizedClientException e) {
            logger.debug("Couldn't get user info - continuing to display consent page without claims.", e);
        }
        String clientName = clientRegistration.getDisplayName(locale);
        if (clientName == null) {
            clientName = clientRegistration.getClientId();
            logger.warn("Client does not have a display name or client name set. using client ID {} for display", clientName);
        }
        final String displayDescription = clientRegistration.getDisplayDescription(locale);
        final String clientDescription = displayDescription == null ? "" : displayDescription;
        final Map<String, String> scopeDescriptions = getScopeDescriptions(validatedScope, clientRegistration.getScopeDescriptions(locale));
        final Map<String, String> claimDescriptions = getClaimDescriptions(userInfo.getValues(), clientRegistration.getClaimDescriptions(locale));
        throw new ResourceOwnerConsentRequired(clientName, clientDescription, scopeDescriptions, claimDescriptions, userInfo, resourceOwner.getName(providerSettings));
    }
    return tokenIssuer.issueTokens(request, clientRegistration, resourceOwner, scope, providerSettings);
}

Example 5 with InvalidRequestException

use of org.forgerock.oauth2.core.exceptions.InvalidRequestException in project OpenAM by OpenRock.

the class TokenInfoServiceImpl method getTokenInfo.

/**
     * {@inheritDoc}
     */
public JsonValue getTokenInfo(OAuth2Request request) throws InvalidTokenException, InvalidRequestException, ExpiredTokenException, ServerException, BadRequestException, InvalidGrantException, NotFoundException {
    final AccessTokenVerifier.TokenState headerToken = headerTokenVerifier.verify(request);
    final AccessTokenVerifier.TokenState queryToken = queryTokenVerifier.verify(request);
    final Map<String, Object> response = new HashMap<String, Object>();
    if (!headerToken.isValid() && !queryToken.isValid()) {
        logger.error("Access Token not valid");
        throw new InvalidRequestException("Access Token not valid");
    } else if (headerToken.isValid() && queryToken.isValid()) {
        logger.error("Access Token provided in both query and header in request");
        throw new InvalidRequestException("Access Token cannot be provided in both query and header");
    } else {
        final AccessToken accessToken = request.getToken(AccessToken.class);
        logger.trace("In Validator resource - got token = " + accessToken);
        final OAuth2ProviderSettings providerSettings = providerSettingsFactory.get(request);
        final Map<String, Object> scopeEvaluation = providerSettings.evaluateScope(accessToken);
        response.putAll(accessToken.getTokenInfo());
        response.putAll(scopeEvaluation);
        return new JsonValue(response);
    }
}