Example 11 with ResourceOwnerAuthenticationRequired
use of org.forgerock.oauth2.core.exceptions.ResourceOwnerAuthenticationRequired in project OpenAM by OpenRock.
the class OpenAMResourceOwnerSessionValidator method validate.
/**
* {@inheritDoc}
*/
public ResourceOwner validate(OAuth2Request request) throws ResourceOwnerAuthenticationRequired, AccessDeniedException, BadRequestException, InteractionRequiredException, LoginRequiredException, ServerException, NotFoundException {
final OpenIdPrompt openIdPrompt = new OpenIdPrompt(request);
if (!openIdPrompt.isValid()) {
String message = "Invalid prompt parameter \"" + openIdPrompt.getOriginalValue() + "\"";
logger.message(message);
throw new BadRequestException(message);
}
SSOToken token = null;
try {
token = ssoTokenManager.createSSOToken(getHttpServletRequest(request.<Request>getRequest()));
} catch (SSOException e) {
logger.warning("Error authenticating user against OpenAM: ", e);
}
try {
if (token == null) {
token = ssoTokenManager.createSSOToken(request.getSession());
}
} catch (SSOException e) {
logger.warning("Error authenticating user against OpenAM: ", e);
}
try {
if (token != null) {
try {
// As the organization in the token is stored in lowercase, we need to lower case the auth2realm
String auth2Realm = dnWrapper.orgNameToDN(realmNormaliser.normalise((String) request.getParameter("realm"))).toLowerCase();
String tokenRealm = token.getProperty("Organization");
// auth2Realm can't be null as we would have an error earlier
if (!auth2Realm.equals(tokenRealm)) {
throw authenticationRequired(request);
}
} catch (SSOException e) {
throw new AccessDeniedException(e);
}
if (openIdPrompt.containsLogin()) {
throw authenticationRequired(request, token);
}
final String acrValuesStr = request.getParameter(ACR_VALUES);
if (acrValuesStr != null) {
setCurrentAcr(token, request, acrValuesStr);
}
try {
final long authTime = stringToDate(token.getProperty(ISAuthConstants.AUTH_INSTANT)).getTime();
if (isPastMaxAge(getMaxAge(request), authTime)) {
alterMaxAge(request);
throw authenticationRequired(request, token);
}
final AMIdentity id = IdUtils.getIdentity(AccessController.doPrivileged(AdminTokenAction.getInstance()), token.getProperty(Constants.UNIVERSAL_IDENTIFIER));
return new OpenAMResourceOwner(id.getName(), id, authTime);
} catch (Exception e) {
//Exception as chance of MANY exception types here.
logger.error("Error authenticating user against OpenAM: ", e);
throw new LoginRequiredException();
}
} else if (PASSWORD.equals(request.getParameter(GRANT_TYPE))) {
// been null from the attempted creation in L148.
return getResourceOwner(request.getToken(AccessToken.class));
} else {
if (openIdPrompt.containsNone()) {
logger.error("Not pre-authenticated and prompt parameter equals none.");
if (request.getParameter(OAuth2Constants.Params.RESPONSE_TYPE) != null) {
throw new InteractionRequiredException(Utils.isOpenIdConnectFragmentErrorType(splitResponseType(request.<String>getParameter(RESPONSE_TYPE))) ? FRAGMENT : QUERY);
} else {
throw new InteractionRequiredException();
}
} else if (!isRefreshToken(request)) {
throw authenticationRequired(request);
} else {
return getResourceOwner(request.getToken(RefreshToken.class));
}
}
} catch (SSOException | UnsupportedEncodingException | URISyntaxException e) {
throw new AccessDeniedException(e);
}
}
Also used :
LoginRequiredException(org.forgerock.oauth2.core.exceptions.LoginRequiredException)
InteractionRequiredException(org.forgerock.oauth2.core.exceptions.InteractionRequiredException)
AccessDeniedException(org.forgerock.oauth2.core.exceptions.AccessDeniedException)
SSOToken(com.iplanet.sso.SSOToken)
UnsupportedEncodingException(java.io.UnsupportedEncodingException)
SSOException(com.iplanet.sso.SSOException)
URISyntaxException(java.net.URISyntaxException)
OpenIdPrompt(org.forgerock.openidconnect.OpenIdPrompt)
URISyntaxException(java.net.URISyntaxException)
InvalidClientAuthZHeaderException(org.forgerock.oauth2.core.exceptions.InvalidClientAuthZHeaderException)
ParseException(java.text.ParseException)
EncodingException(org.owasp.esapi.errors.EncodingException)
ServerException(org.forgerock.oauth2.core.exceptions.ServerException)
NotFoundException(org.forgerock.oauth2.core.exceptions.NotFoundException)
UnauthorizedClientException(org.forgerock.oauth2.core.exceptions.UnauthorizedClientException)
SSOException(com.iplanet.sso.SSOException)
UnsupportedEncodingException(java.io.UnsupportedEncodingException)
TemplateException(freemarker.template.TemplateException)
InvalidClientException(org.forgerock.oauth2.core.exceptions.InvalidClientException)
BadRequestException(org.forgerock.oauth2.core.exceptions.BadRequestException)
LoginRequiredException(org.forgerock.oauth2.core.exceptions.LoginRequiredException)
InteractionRequiredException(org.forgerock.oauth2.core.exceptions.InteractionRequiredException)
IOException(java.io.IOException)
InvalidRequestException(org.forgerock.oauth2.core.exceptions.InvalidRequestException)
AccessDeniedException(org.forgerock.oauth2.core.exceptions.AccessDeniedException)
RefreshToken(org.forgerock.oauth2.core.RefreshToken)
AMIdentity(com.sun.identity.idm.AMIdentity)
BadRequestException(org.forgerock.oauth2.core.exceptions.BadRequestException)
Example 12 with ResourceOwnerAuthenticationRequired
use of org.forgerock.oauth2.core.exceptions.ResourceOwnerAuthenticationRequired in project OpenAM by OpenRock.
the class OpenAMResourceOwnerSessionValidatorTest method shouldUseFirstAcrValueThatIsSupported.
@Test
public void shouldUseFirstAcrValueThatIsSupported() throws Exception {
// Given
String acrValues = "1 2 3";
mockPrompt("login");
mockSSOToken(NO_SESSION_TOKEN);
mockRequestAcrValues(acrValues);
final Map<String, AuthenticationMethod> acrMap = new HashMap<>();
acrMap.put("2", new OpenAMAuthenticationMethod("service2", AuthContext.IndexType.SERVICE));
acrMap.put("3", new OpenAMAuthenticationMethod("service3", AuthContext.IndexType.SERVICE));
mockAcrValuesMap(acrMap);
// When
URI loginUri = null;
try {
resourceOwnerSessionValidator.validate(mockOAuth2Request);
fail();
} catch (ResourceOwnerAuthenticationRequired ex) {
loginUri = ex.getRedirectUri();
}
// Then
assertTrue(loginUri.getQuery().contains("service=service2"));
}
Also used :
ResourceOwnerAuthenticationRequired(org.forgerock.oauth2.core.exceptions.ResourceOwnerAuthenticationRequired)
HashMap(java.util.HashMap)
AuthenticationMethod(org.forgerock.oauth2.core.AuthenticationMethod)
URI(java.net.URI)
Test(org.testng.annotations.Test)
Aggregations
ResourceOwnerAuthenticationRequired (org.forgerock.oauth2.core.exceptions.ResourceOwnerAuthenticationRequired)8
URI (java.net.URI)5
OAuth2Request (org.forgerock.oauth2.core.OAuth2Request)5
InvalidClientException (org.forgerock.oauth2.core.exceptions.InvalidClientException)4
Test (org.testng.annotations.Test)4
OAuth2ProviderSettings (org.forgerock.oauth2.core.OAuth2ProviderSettings)3
OAuth2Exception (org.forgerock.oauth2.core.exceptions.OAuth2Exception)3
RedirectUriMismatchException (org.forgerock.oauth2.core.exceptions.RedirectUriMismatchException)3
ResourceOwnerConsentRequired (org.forgerock.oauth2.core.exceptions.ResourceOwnerConsentRequired)3
Request (org.restlet.Request)3
HttpServletRequest (javax.servlet.http.HttpServletRequest)2
AuthenticationMethod (org.forgerock.oauth2.core.AuthenticationMethod)2
AuthorizationToken (org.forgerock.oauth2.core.AuthorizationToken)2
ResourceOwner (org.forgerock.oauth2.core.ResourceOwner)2
UnauthorizedClientException (org.forgerock.oauth2.core.exceptions.UnauthorizedClientException)2
Representation (org.restlet.representation.Representation)2
Post (org.restlet.resource.Post)2
SSOException (com.iplanet.sso.SSOException)1
SSOToken (com.iplanet.sso.SSOToken)1
AMIdentity (com.sun.identity.idm.AMIdentity)1
