Search in sources :

Example 76 with NotFoundException

use of org.forgerock.oauth2.core.exceptions.NotFoundException in project OpenAM by OpenRock.

the class OpenAMTokenStore method appendRequestedIdTokenClaims.

//See spec section 5.5. - add claims to id_token based on 'claims' parameter in the access token
private void appendRequestedIdTokenClaims(OAuth2Request request, OAuth2ProviderSettings providerSettings, OpenAMOpenIdConnectToken oidcToken) throws ServerException, NotFoundException, InvalidClientException {
    AccessToken accessToken = request.getToken(AccessToken.class);
    String claims;
    if (accessToken != null) {
        claims = (String) accessToken.toMap().get(OAuth2Constants.Custom.CLAIMS);
    } else {
        claims = request.getParameter(OAuth2Constants.Custom.CLAIMS);
    }
    if (claims != null) {
        try {
            JSONObject claimsObject = new JSONObject(claims);
            JSONObject idTokenClaimsRequest = claimsObject.getJSONObject(OAuth2Constants.JWTTokenParams.ID_TOKEN);
            Map<String, Object> userInfo = providerSettings.getUserInfo(accessToken, request).getValues();
            Iterator<String> it = idTokenClaimsRequest.keys();
            while (it.hasNext()) {
                String keyName = it.next();
                if (userInfo.containsKey(keyName)) {
                    oidcToken.put(keyName, userInfo.get(keyName));
                }
            }
        } catch (UnauthorizedClientException e) {
            throw failureFactory.getException(request, e.getMessage());
        } catch (JSONException e) {
        //if claims object not found, fall through
        }
    }
}
Also used : JSONObject(org.json.JSONObject) AccessToken(org.forgerock.oauth2.core.AccessToken) UnauthorizedClientException(org.forgerock.oauth2.core.exceptions.UnauthorizedClientException) JSONException(org.json.JSONException) JSONObject(org.json.JSONObject)

Example 77 with NotFoundException

use of org.forgerock.oauth2.core.exceptions.NotFoundException in project OpenAM by OpenRock.

the class OpenAMTokenStore method readDeviceCode.

@Override
public DeviceCode readDeviceCode(String clientId, String code, OAuth2Request request) throws ServerException, NotFoundException, InvalidGrantException {
    DeviceCode deviceCode = request.getToken(DeviceCode.class);
    if (deviceCode == null) {
        try {
            JsonValue token = tokenStore.read(code);
            if (token == null) {
                return null;
            }
            deviceCode = new DeviceCode(token);
        } catch (CoreTokenException e) {
            logger.error("Unable to read device code corresponding to id: " + code, e);
            throw new ServerException("Could not read token in CTS: " + e.getMessage());
        }
    }
    if (!clientId.equals(deviceCode.getClientId())) {
        throw new InvalidGrantException();
    }
    validateTokenRealm(deviceCode.getRealm(), request);
    request.setToken(DeviceCode.class, deviceCode);
    return deviceCode;
}
Also used : ServerException(org.forgerock.oauth2.core.exceptions.ServerException) JsonValue(org.forgerock.json.JsonValue) DeviceCode(org.forgerock.oauth2.core.DeviceCode) CoreTokenException(org.forgerock.openam.cts.exceptions.CoreTokenException) InvalidGrantException(org.forgerock.oauth2.core.exceptions.InvalidGrantException)

Example 78 with NotFoundException

use of org.forgerock.oauth2.core.exceptions.NotFoundException in project OpenAM by OpenRock.

the class DeviceCodeVerificationResource method verify.

/**
     * Handles POST requests to the OAuth2 device/user endpoint.
     */
@Post
public Representation verify(Representation body) throws ServerException, NotFoundException, InvalidGrantException, OAuth2RestletException {
    final Request restletRequest = getRequest();
    OAuth2Request request = requestFactory.create(restletRequest);
    DeviceCode deviceCode;
    try {
        deviceCode = tokenStore.readDeviceCode(request.<String>getParameter(OAuth2Constants.DeviceCode.USER_CODE), request);
    } catch (InvalidGrantException e) {
        return getTemplateRepresentation(FORM, request, "not_found");
    }
    if (deviceCode == null || deviceCode.isIssued()) {
        return getTemplateRepresentation(FORM, request, "not_found");
    }
    addRequestParamsFromDeviceCode(restletRequest, deviceCode);
    try {
        final String decision = request.getParameter("decision");
        if (StringUtils.isNotEmpty(decision)) {
            final boolean consentGiven = "allow".equalsIgnoreCase(decision);
            final boolean saveConsent = "on".equalsIgnoreCase(request.<String>getParameter("save_consent"));
            if (saveConsent) {
                saveConsent(request);
            }
            if (consentGiven) {
                ResourceOwner resourceOwner = resourceOwnerSessionValidator.validate(request);
                deviceCode.setResourceOwnerId(resourceOwner.getId());
                deviceCode.setAuthorized(true);
                tokenStore.updateDeviceCode(deviceCode, request);
            } else {
                tokenStore.deleteDeviceCode(deviceCode.getClientId(), deviceCode.getDeviceCode(), request);
            }
        } else {
            authorizationService.authorize(request);
        }
    } catch (IllegalArgumentException e) {
        if (e.getMessage().contains("client_id")) {
            throw new OAuth2RestletException(400, "invalid_request", e.getMessage(), request.<String>getParameter("state"));
        }
        throw new OAuth2RestletException(400, "invalid_request", e.getMessage(), request.<String>getParameter("redirect_uri"), request.<String>getParameter("state"));
    } catch (ResourceOwnerAuthenticationRequired e) {
        throw new OAuth2RestletException(e.getStatusCode(), e.getError(), e.getMessage(), e.getRedirectUri().toString(), null);
    } catch (ResourceOwnerConsentRequired e) {
        return representation.getRepresentation(getContext(), request, "authorize.ftl", getDataModel(e, request));
    } catch (InvalidClientException | RedirectUriMismatchException e) {
        throw new OAuth2RestletException(e.getStatusCode(), e.getError(), e.getMessage(), request.<String>getParameter("state"));
    } catch (OAuth2Exception e) {
        throw new OAuth2RestletException(e.getStatusCode(), e.getError(), e.getMessage(), request.<String>getParameter("redirect_uri"), request.<String>getParameter("state"), e.getParameterLocation());
    }
    return getTemplateRepresentation(THANKS_PAGE, request, null);
}
Also used : ResourceOwnerAuthenticationRequired(org.forgerock.oauth2.core.exceptions.ResourceOwnerAuthenticationRequired) RedirectUriMismatchException(org.forgerock.oauth2.core.exceptions.RedirectUriMismatchException) ResourceOwner(org.forgerock.oauth2.core.ResourceOwner) ResourceOwnerConsentRequired(org.forgerock.oauth2.core.exceptions.ResourceOwnerConsentRequired) OAuth2Request(org.forgerock.oauth2.core.OAuth2Request) Request(org.restlet.Request) InvalidGrantException(org.forgerock.oauth2.core.exceptions.InvalidGrantException) OAuth2Request(org.forgerock.oauth2.core.OAuth2Request) InvalidClientException(org.forgerock.oauth2.core.exceptions.InvalidClientException) DeviceCode(org.forgerock.oauth2.core.DeviceCode) OAuth2Exception(org.forgerock.oauth2.core.exceptions.OAuth2Exception) Post(org.restlet.resource.Post)

Example 79 with NotFoundException

use of org.forgerock.oauth2.core.exceptions.NotFoundException in project OpenAM by OpenRock.

the class DeviceCodeVerificationResource method saveConsent.

private void saveConsent(OAuth2Request request) throws NotFoundException, ServerException, InvalidScopeException, AccessDeniedException, ResourceOwnerAuthenticationRequired, InteractionRequiredException, BadRequestException, LoginRequiredException, InvalidClientException {
    OAuth2ProviderSettings providerSettings = providerSettingsFactory.get(request);
    ResourceOwner resourceOwner = resourceOwnerSessionValidator.validate(request);
    ClientRegistration clientRegistration = clientRegistrationStore.get(request.<String>getParameter(CLIENT_ID), request);
    Set<String> scope = Utils.splitScope(request.<String>getParameter(SCOPE));
    Set<String> validatedScope = providerSettings.validateAuthorizationScope(clientRegistration, scope, request);
    providerSettings.saveConsent(resourceOwner, clientRegistration.getClientId(), validatedScope);
}
Also used : ClientRegistration(org.forgerock.oauth2.core.ClientRegistration) ResourceOwner(org.forgerock.oauth2.core.ResourceOwner) OAuth2ProviderSettings(org.forgerock.oauth2.core.OAuth2ProviderSettings)

Example 80 with NotFoundException

use of org.forgerock.oauth2.core.exceptions.NotFoundException in project OpenAM by OpenRock.

the class AccessTokenProtectionFilter method beforeHandle.

@Override
protected int beforeHandle(Request request, Response response) {
    ChallengeResponse challengeResponse = request.getChallengeResponse();
    Status failure = null;
    if (challengeResponse == null) {
        failure = new Status(401, new InvalidTokenException());
    } else {
        String tokenId = challengeResponse.getRawValue();
        try {
            OAuth2Request oAuth2Request = requestFactory.create(request);
            AccessToken accessToken = tokenStore.readAccessToken(oAuth2Request, tokenId);
            if (accessToken == null || accessToken.isExpired()) {
                failure = new Status(401, new InvalidTokenException());
            } else if (requiredScope != null && !accessToken.getScope().contains(requiredScope)) {
                failure = new Status(403, new InsufficientScopeException(requiredScope));
            } else {
                oAuth2Request.setToken(AccessToken.class, accessToken);
            }
        } catch (ServerException e) {
            failure = new Status(500, e);
        } catch (NotFoundException e) {
            debug.message("Error loading token with id: " + tokenId, e);
            failure = new Status(404, e);
        } catch (InvalidGrantException e) {
            debug.message("Error loading token with id: " + tokenId, e);
            failure = new Status(401, new InvalidTokenException());
        }
    }
    if (failure != null) {
        response.setStatus(failure);
        return STOP;
    }
    return super.beforeHandle(request, response);
}
Also used : Status(org.restlet.data.Status) InvalidTokenException(org.forgerock.oauth2.core.exceptions.InvalidTokenException) InsufficientScopeException(org.forgerock.oauth2.core.exceptions.InsufficientScopeException) OAuth2Request(org.forgerock.oauth2.core.OAuth2Request) ServerException(org.forgerock.oauth2.core.exceptions.ServerException) AccessToken(org.forgerock.oauth2.core.AccessToken) NotFoundException(org.forgerock.oauth2.core.exceptions.NotFoundException) InvalidGrantException(org.forgerock.oauth2.core.exceptions.InvalidGrantException) ChallengeResponse(org.restlet.data.ChallengeResponse)

Aggregations

ServerException (org.forgerock.oauth2.core.exceptions.ServerException)44 OAuth2ProviderSettings (org.forgerock.oauth2.core.OAuth2ProviderSettings)34 OAuth2Request (org.forgerock.oauth2.core.OAuth2Request)28 NotFoundException (org.forgerock.oauth2.core.exceptions.NotFoundException)24 CoreTokenException (org.forgerock.openam.cts.exceptions.CoreTokenException)21 JsonValue (org.forgerock.json.JsonValue)20 ResourceSetDescription (org.forgerock.oauth2.resources.ResourceSetDescription)13 AccessToken (org.forgerock.oauth2.core.AccessToken)12 ClientRegistration (org.forgerock.oauth2.core.ClientRegistration)11 InvalidGrantException (org.forgerock.oauth2.core.exceptions.InvalidGrantException)11 ResourceSetStore (org.forgerock.oauth2.resources.ResourceSetStore)11 Request (org.restlet.Request)11 SSOException (com.iplanet.sso.SSOException)10 HashSet (java.util.HashSet)10 AMIdentity (com.sun.identity.idm.AMIdentity)9 HashMap (java.util.HashMap)9 IdRepoException (com.sun.identity.idm.IdRepoException)8 OAuth2Uris (org.forgerock.oauth2.core.OAuth2Uris)8 InvalidClientException (org.forgerock.oauth2.core.exceptions.InvalidClientException)8 UnauthorizedClientException (org.forgerock.oauth2.core.exceptions.UnauthorizedClientException)8