Search in sources :

Example 6 with ResourceOwnerAuthenticationRequired

use of org.forgerock.oauth2.core.exceptions.ResourceOwnerAuthenticationRequired in project OpenAM by OpenRock.

the class AuthorizationServiceImpl method authorize.

/**
     * {@inheritDoc}
     */
public AuthorizationToken authorize(OAuth2Request request) throws ResourceOwnerAuthenticationRequired, ResourceOwnerConsentRequired, InvalidClientException, UnsupportedResponseTypeException, RedirectUriMismatchException, InvalidRequestException, AccessDeniedException, ServerException, LoginRequiredException, BadRequestException, InteractionRequiredException, ResourceOwnerConsentRequiredException, InvalidScopeException, NotFoundException {
    final OAuth2ProviderSettings providerSettings = providerSettingsFactory.get(request);
    for (final AuthorizeRequestValidator requestValidator : requestValidators) {
        requestValidator.validateRequest(request);
    }
    final String clientId = request.getParameter(CLIENT_ID);
    final ClientRegistration clientRegistration = clientRegistrationStore.get(clientId, request);
    final Set<String> scope = Utils.splitScope(request.<String>getParameter(SCOPE));
    //plugin point
    final Set<String> validatedScope = providerSettings.validateAuthorizationScope(clientRegistration, scope, request);
    // is resource owner authenticated?
    final ResourceOwner resourceOwner = resourceOwnerSessionValidator.validate(request);
    final boolean consentSaved = providerSettings.isConsentSaved(resourceOwner, clientRegistration.getClientId(), validatedScope);
    //plugin point
    final boolean haveConsent = consentVerifier.verify(consentSaved, request, clientRegistration);
    if (!haveConsent) {
        String localeParameter = request.getParameter(LOCALE);
        String uiLocaleParameter = request.getParameter(UI_LOCALES);
        Locale locale = getLocale(uiLocaleParameter, localeParameter);
        if (locale == null) {
            locale = request.getLocale();
        }
        UserInfoClaims userInfo = null;
        try {
            userInfo = providerSettings.getUserInfo(request.getToken(AccessToken.class), request);
        } catch (UnauthorizedClientException e) {
            logger.debug("Couldn't get user info - continuing to display consent page without claims.", e);
        }
        String clientName = clientRegistration.getDisplayName(locale);
        if (clientName == null) {
            clientName = clientRegistration.getClientId();
            logger.warn("Client does not have a display name or client name set. using client ID {} for display", clientName);
        }
        final String displayDescription = clientRegistration.getDisplayDescription(locale);
        final String clientDescription = displayDescription == null ? "" : displayDescription;
        final Map<String, String> scopeDescriptions = getScopeDescriptions(validatedScope, clientRegistration.getScopeDescriptions(locale));
        final Map<String, String> claimDescriptions = getClaimDescriptions(userInfo.getValues(), clientRegistration.getClaimDescriptions(locale));
        throw new ResourceOwnerConsentRequired(clientName, clientDescription, scopeDescriptions, claimDescriptions, userInfo, resourceOwner.getName(providerSettings));
    }
    return tokenIssuer.issueTokens(request, clientRegistration, resourceOwner, scope, providerSettings);
}
Also used : Locale(java.util.Locale) UnauthorizedClientException(org.forgerock.oauth2.core.exceptions.UnauthorizedClientException) ResourceOwnerConsentRequired(org.forgerock.oauth2.core.exceptions.ResourceOwnerConsentRequired)

Example 7 with ResourceOwnerAuthenticationRequired

use of org.forgerock.oauth2.core.exceptions.ResourceOwnerAuthenticationRequired in project OpenAM by OpenRock.

the class DeviceCodeVerificationResource method verify.

/**
     * Handles POST requests to the OAuth2 device/user endpoint.
     */
@Post
public Representation verify(Representation body) throws ServerException, NotFoundException, InvalidGrantException, OAuth2RestletException {
    final Request restletRequest = getRequest();
    OAuth2Request request = requestFactory.create(restletRequest);
    DeviceCode deviceCode;
    try {
        deviceCode = tokenStore.readDeviceCode(request.<String>getParameter(OAuth2Constants.DeviceCode.USER_CODE), request);
    } catch (InvalidGrantException e) {
        return getTemplateRepresentation(FORM, request, "not_found");
    }
    if (deviceCode == null || deviceCode.isIssued()) {
        return getTemplateRepresentation(FORM, request, "not_found");
    }
    addRequestParamsFromDeviceCode(restletRequest, deviceCode);
    try {
        final String decision = request.getParameter("decision");
        if (StringUtils.isNotEmpty(decision)) {
            final boolean consentGiven = "allow".equalsIgnoreCase(decision);
            final boolean saveConsent = "on".equalsIgnoreCase(request.<String>getParameter("save_consent"));
            if (saveConsent) {
                saveConsent(request);
            }
            if (consentGiven) {
                ResourceOwner resourceOwner = resourceOwnerSessionValidator.validate(request);
                deviceCode.setResourceOwnerId(resourceOwner.getId());
                deviceCode.setAuthorized(true);
                tokenStore.updateDeviceCode(deviceCode, request);
            } else {
                tokenStore.deleteDeviceCode(deviceCode.getClientId(), deviceCode.getDeviceCode(), request);
            }
        } else {
            authorizationService.authorize(request);
        }
    } catch (IllegalArgumentException e) {
        if (e.getMessage().contains("client_id")) {
            throw new OAuth2RestletException(400, "invalid_request", e.getMessage(), request.<String>getParameter("state"));
        }
        throw new OAuth2RestletException(400, "invalid_request", e.getMessage(), request.<String>getParameter("redirect_uri"), request.<String>getParameter("state"));
    } catch (ResourceOwnerAuthenticationRequired e) {
        throw new OAuth2RestletException(e.getStatusCode(), e.getError(), e.getMessage(), e.getRedirectUri().toString(), null);
    } catch (ResourceOwnerConsentRequired e) {
        return representation.getRepresentation(getContext(), request, "authorize.ftl", getDataModel(e, request));
    } catch (InvalidClientException | RedirectUriMismatchException e) {
        throw new OAuth2RestletException(e.getStatusCode(), e.getError(), e.getMessage(), request.<String>getParameter("state"));
    } catch (OAuth2Exception e) {
        throw new OAuth2RestletException(e.getStatusCode(), e.getError(), e.getMessage(), request.<String>getParameter("redirect_uri"), request.<String>getParameter("state"), e.getParameterLocation());
    }
    return getTemplateRepresentation(THANKS_PAGE, request, null);
}
Also used : ResourceOwnerAuthenticationRequired(org.forgerock.oauth2.core.exceptions.ResourceOwnerAuthenticationRequired) RedirectUriMismatchException(org.forgerock.oauth2.core.exceptions.RedirectUriMismatchException) ResourceOwner(org.forgerock.oauth2.core.ResourceOwner) ResourceOwnerConsentRequired(org.forgerock.oauth2.core.exceptions.ResourceOwnerConsentRequired) OAuth2Request(org.forgerock.oauth2.core.OAuth2Request) Request(org.restlet.Request) InvalidGrantException(org.forgerock.oauth2.core.exceptions.InvalidGrantException) OAuth2Request(org.forgerock.oauth2.core.OAuth2Request) InvalidClientException(org.forgerock.oauth2.core.exceptions.InvalidClientException) DeviceCode(org.forgerock.oauth2.core.DeviceCode) OAuth2Exception(org.forgerock.oauth2.core.exceptions.OAuth2Exception) Post(org.restlet.resource.Post)

Example 8 with ResourceOwnerAuthenticationRequired

use of org.forgerock.oauth2.core.exceptions.ResourceOwnerAuthenticationRequired in project OpenAM by OpenRock.

the class DeviceCodeVerificationResource method saveConsent.

private void saveConsent(OAuth2Request request) throws NotFoundException, ServerException, InvalidScopeException, AccessDeniedException, ResourceOwnerAuthenticationRequired, InteractionRequiredException, BadRequestException, LoginRequiredException, InvalidClientException {
    OAuth2ProviderSettings providerSettings = providerSettingsFactory.get(request);
    ResourceOwner resourceOwner = resourceOwnerSessionValidator.validate(request);
    ClientRegistration clientRegistration = clientRegistrationStore.get(request.<String>getParameter(CLIENT_ID), request);
    Set<String> scope = Utils.splitScope(request.<String>getParameter(SCOPE));
    Set<String> validatedScope = providerSettings.validateAuthorizationScope(clientRegistration, scope, request);
    providerSettings.saveConsent(resourceOwner, clientRegistration.getClientId(), validatedScope);
}
Also used : ClientRegistration(org.forgerock.oauth2.core.ClientRegistration) ResourceOwner(org.forgerock.oauth2.core.ResourceOwner) OAuth2ProviderSettings(org.forgerock.oauth2.core.OAuth2ProviderSettings)

Example 9 with ResourceOwnerAuthenticationRequired

use of org.forgerock.oauth2.core.exceptions.ResourceOwnerAuthenticationRequired in project OpenAM by OpenRock.

the class AuthorizeResource method authorize.

/**
     * Handles GET requests to the OAuth2 authorize endpoint.
     * <br/>
     * This method will be called when a client has requested a resource owner grants it authorization to access a
     * resource.
     *
     * @return The body to be sent in the response to the user agent.
     * @throws OAuth2RestletException If a OAuth2 error occurs whilst processing the authorization request.
     */
@Get
public Representation authorize() throws OAuth2RestletException {
    final OAuth2Request request = requestFactory.create(getRequest());
    for (AuthorizeRequestHook hook : hooks) {
        hook.beforeAuthorizeHandling(request, getRequest(), getResponse());
    }
    try {
        final AuthorizationToken authorizationToken = authorizationService.authorize(request);
        final String redirectUri = getQueryValue("redirect_uri");
        Representation response = representation.toRepresentation(getContext(), getRequest(), getResponse(), authorizationToken, redirectUri);
        for (AuthorizeRequestHook hook : hooks) {
            hook.afterAuthorizeSuccess(request, getRequest(), getResponse());
        }
        return response;
    } catch (IllegalArgumentException e) {
        if (e.getMessage().contains("client_id")) {
            throw new OAuth2RestletException(400, "invalid_request", e.getMessage(), request.<String>getParameter("state"));
        }
        throw new OAuth2RestletException(400, "invalid_request", e.getMessage(), request.<String>getParameter("redirect_uri"), request.<String>getParameter("state"));
    } catch (ResourceOwnerAuthenticationRequired e) {
        throw new OAuth2RestletException(e.getStatusCode(), e.getError(), e.getMessage(), e.getRedirectUri().toString(), null);
    } catch (ResourceOwnerConsentRequired e) {
        return representation.getRepresentation(getContext(), request, "authorize.ftl", getDataModel(e, request));
    } catch (InvalidClientException e) {
        throw new OAuth2RestletException(e.getStatusCode(), e.getError(), e.getMessage(), request.<String>getParameter("state"));
    } catch (RedirectUriMismatchException e) {
        throw new OAuth2RestletException(e.getStatusCode(), e.getError(), e.getMessage(), request.<String>getParameter("state"));
    } catch (OAuth2Exception e) {
        throw new OAuth2RestletException(e.getStatusCode(), e.getError(), e.getMessage(), request.<String>getParameter("redirect_uri"), request.<String>getParameter("state"), e.getParameterLocation());
    }
}
Also used : ResourceOwnerAuthenticationRequired(org.forgerock.oauth2.core.exceptions.ResourceOwnerAuthenticationRequired) OAuth2Request(org.forgerock.oauth2.core.OAuth2Request) AuthorizationToken(org.forgerock.oauth2.core.AuthorizationToken) RedirectUriMismatchException(org.forgerock.oauth2.core.exceptions.RedirectUriMismatchException) ResourceOwnerConsentRequired(org.forgerock.oauth2.core.exceptions.ResourceOwnerConsentRequired) InvalidClientException(org.forgerock.oauth2.core.exceptions.InvalidClientException) Representation(org.restlet.representation.Representation) OAuth2Exception(org.forgerock.oauth2.core.exceptions.OAuth2Exception) Get(org.restlet.resource.Get)

Example 10 with ResourceOwnerAuthenticationRequired

use of org.forgerock.oauth2.core.exceptions.ResourceOwnerAuthenticationRequired in project OpenAM by OpenRock.

the class AuthorizeResource method authorize.

/**
     * Handles POST requests to the OAuth2 authorize endpoint.
     * <br/>
     * This method will be called when a user has given their consent for an authorization request.
     *
     * @param entity The entity on the request.
     * @return The body to be sent in the response to the user agent.
     * @throws OAuth2RestletException If a OAuth2 error occurs whilst processing the authorization request.
     */
@Post
public Representation authorize(Representation entity) throws OAuth2RestletException {
    final OAuth2Request request = requestFactory.create(getRequest());
    for (AuthorizeRequestHook hook : hooks) {
        hook.beforeAuthorizeHandling(request, getRequest(), getResponse());
    }
    final boolean consentGiven = "allow".equalsIgnoreCase(request.<String>getParameter("decision"));
    final boolean saveConsent = "on".equalsIgnoreCase(request.<String>getParameter("save_consent"));
    try {
        final AuthorizationToken authorizationToken = authorizationService.authorize(request, consentGiven, saveConsent);
        final String redirectUri = request.getParameter("redirect_uri");
        Representation response = representation.toRepresentation(getContext(), getRequest(), getResponse(), authorizationToken, redirectUri);
        for (AuthorizeRequestHook hook : hooks) {
            hook.afterAuthorizeSuccess(request, getRequest(), getResponse());
        }
        return response;
    } catch (ResourceOwnerAuthenticationRequired e) {
        throw new OAuth2RestletException(e.getStatusCode(), e.getError(), e.getMessage(), e.getRedirectUri().toString(), null);
    } catch (InvalidClientException e) {
        throw new OAuth2RestletException(e.getStatusCode(), e.getError(), e.getMessage(), request.<String>getParameter("state"));
    } catch (RedirectUriMismatchException e) {
        throw new OAuth2RestletException(e.getStatusCode(), e.getError(), e.getMessage(), request.<String>getParameter("state"));
    } catch (OAuth2Exception e) {
        throw new OAuth2RestletException(e.getStatusCode(), e.getError(), e.getMessage(), request.<String>getParameter("redirect_uri"), request.<String>getParameter("state"), e.getParameterLocation());
    }
}
Also used : ResourceOwnerAuthenticationRequired(org.forgerock.oauth2.core.exceptions.ResourceOwnerAuthenticationRequired) OAuth2Request(org.forgerock.oauth2.core.OAuth2Request) AuthorizationToken(org.forgerock.oauth2.core.AuthorizationToken) RedirectUriMismatchException(org.forgerock.oauth2.core.exceptions.RedirectUriMismatchException) InvalidClientException(org.forgerock.oauth2.core.exceptions.InvalidClientException) Representation(org.restlet.representation.Representation) OAuth2Exception(org.forgerock.oauth2.core.exceptions.OAuth2Exception) Post(org.restlet.resource.Post)

Aggregations

ResourceOwnerAuthenticationRequired (org.forgerock.oauth2.core.exceptions.ResourceOwnerAuthenticationRequired)8 URI (java.net.URI)5 OAuth2Request (org.forgerock.oauth2.core.OAuth2Request)5 InvalidClientException (org.forgerock.oauth2.core.exceptions.InvalidClientException)4 Test (org.testng.annotations.Test)4 OAuth2ProviderSettings (org.forgerock.oauth2.core.OAuth2ProviderSettings)3 OAuth2Exception (org.forgerock.oauth2.core.exceptions.OAuth2Exception)3 RedirectUriMismatchException (org.forgerock.oauth2.core.exceptions.RedirectUriMismatchException)3 ResourceOwnerConsentRequired (org.forgerock.oauth2.core.exceptions.ResourceOwnerConsentRequired)3 Request (org.restlet.Request)3 HttpServletRequest (javax.servlet.http.HttpServletRequest)2 AuthenticationMethod (org.forgerock.oauth2.core.AuthenticationMethod)2 AuthorizationToken (org.forgerock.oauth2.core.AuthorizationToken)2 ResourceOwner (org.forgerock.oauth2.core.ResourceOwner)2 UnauthorizedClientException (org.forgerock.oauth2.core.exceptions.UnauthorizedClientException)2 Representation (org.restlet.representation.Representation)2 Post (org.restlet.resource.Post)2 SSOException (com.iplanet.sso.SSOException)1 SSOToken (com.iplanet.sso.SSOToken)1 AMIdentity (com.sun.identity.idm.AMIdentity)1