Use of org.forgerock.oauth2.core.exceptions.UnauthorizedClientException in project OpenAM by OpenRock:
class IdentityManager, method getClientIdentity.
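/**
 * Gets a client's identity.
 *
 * <p>The lookup is performed under the token obtained from {@code AdminTokenAction} (not the caller's
 * session) against the {@code AGENTONLY} identities of the given realm. Exactly one profile must match:
 * zero or several matches are treated as "client not found", so an ambiguous client name can never be
 * resolved to an arbitrary profile.
 *
 * @param clientName The client's name.
 * @param realm The client's realm.
 * @return The client's identity, or {@code null} if the matching client profile is deactivated. Callers
 *         must treat {@code null} as "no usable client" rather than dereference it.
 * @throws UnauthorizedClientException If the client's identity cannot be found, if the search is
 *         ambiguous, or if the identity repository cannot be queried.
 */
public AMIdentity getClientIdentity(String clientName, String realm) throws UnauthorizedClientException {
    final SSOToken token = AccessController.doPrivileged(AdminTokenAction.getInstance());
    try {
        final AMIdentityRepository amIdRepo = new AMIdentityRepository(token, realm);
        final IdSearchControl idsc = new IdSearchControl();
        idsc.setRecursive(true);
        idsc.setAllReturnAttributes(true);
        // presumably 0 means "no cap on results", which is what makes an ambiguous match detectable below — confirm
        idsc.setMaxResults(0);
        final IdSearchResults searchResults = amIdRepo.searchIdentities(IdType.AGENTONLY, clientName, idsc);
        final Set<AMIdentity> results = searchResults.getSearchResults();
        if (results == null || results.size() != 1) {
            logger.error("No client profile or more than one profile found.");
            throw new UnauthorizedClientException("Not able to get client from OpenAM");
        }
        final AMIdentity amIdentity = results.iterator().next();
        // A deactivated client is reported as null rather than as an error.
        return amIdentity.isActive() ? amIdentity : null;
    } catch (UnauthorizedClientException e) {
        // Already logged at the throw site; re-throw as-is instead of logging it a second time
        // with a stack trace and wrapping it in a fresh exception.
        throw e;
    } catch (Exception e) {
        // Repository/session failures (e.g. IdRepoException, SSOException) are collapsed into a single
        // generic message so that internal details are not surfaced to the client.
        logger.error("Unable to get client AMIdentity: ", e);
        throw new UnauthorizedClientException("Not able to get client from OpenAM");
    }
}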
Use of org.forgerock.oauth2.core.exceptions.UnauthorizedClientException in project OpenAM by OpenRock:
class OpenAMClientDAO, method createClient.
/**
 * Builds a {@code Client} from the raw attribute map read from the identity repository.
 *
 * <p>Multi-valued attributes are copied into fresh {@code ArrayList}s so the client never shares
 * a collection with the attribute map; single-valued ones are read via {@code getSingleAttribute}.
 * The application type is always {@code APPLICATION_TYPE_DEFAULT} and is not taken from the map.
 *
 * @param clientAttributeMap the attribute name to value-set map of the client profile
 * @return the assembled client
 * @throws UnauthorizedClientException if the map is {@code null} or empty (which is also what a
 *         deactivated profile produces, since it contributes no attributes)
 */
private Client createClient(Map<String, Set<String>> clientAttributeMap) throws UnauthorizedClientException {
    final boolean noAttributes = clientAttributeMap == null || clientAttributeMap.isEmpty();
    if (noAttributes) {
        throw new UnauthorizedClientException("Client has no attributes");
    }
    final ClientBuilder builder = new ClientBuilder();
    // registration access token and grant/scope configuration
    builder.setAccessToken(getSingleAttribute(clientAttributeMap, ACCESS_TOKEN));
    builder.setAllowedGrantScopes(toMutableList(getSetAttribute(clientAttributeMap, SCOPES)));
    builder.setClientName(toMutableList(getSetAttribute(clientAttributeMap, CLIENT_NAME)));
    builder.setClientSecret(getSingleAttribute(clientAttributeMap, USERPASSWORD));
    builder.setClientSessionURI(getSingleAttribute(clientAttributeMap, CLIENT_SESSION_URI));
    builder.setClientType(getSingleAttribute(clientAttributeMap, CLIENT_TYPE));
    builder.setContacts(toMutableList(getSetAttribute(clientAttributeMap, CONTACTS)));
    builder.setDefaultGrantScopes(toMutableList(getSetAttribute(clientAttributeMap, DEFAULT_SCOPES)));
    builder.setDisplayDescription(toMutableList(getSetAttribute(clientAttributeMap, DESCRIPTION)));
    builder.setDisplayName(toMutableList(getSetAttribute(clientAttributeMap, NAME)));
    builder.setIdTokenSignedResponseAlgorithm(getSingleAttribute(clientAttributeMap, IDTOKEN_SIGNED_RESPONSE_ALG));
    // redirection targets and response types
    builder.setRedirectionURIs(toMutableList(getSetAttribute(clientAttributeMap, REDIRECT_URI)));
    builder.setPostLogoutRedirectionURIs(toMutableList(getSetAttribute(clientAttributeMap, POST_LOGOUT_URI)));
    builder.setResponseTypes(toMutableList(getSetAttribute(clientAttributeMap, RESPONSE_TYPES)));
    // Boolean.valueOf(null) is false, so a missing attribute disables the max-age check
    final Boolean defaultMaxAgeEnabled = Boolean.valueOf(getSingleAttribute(clientAttributeMap, DEFAULT_MAX_AGE_ENABLED));
    builder.setDefaultMaxAgeEnabled(defaultMaxAgeEnabled);
    builder.setTokenEndpointAuthMethod(getSingleAttribute(clientAttributeMap, TOKEN_ENDPOINT_AUTH_METHOD));
    builder.setSubjectType(getSingleAttribute(clientAttributeMap, SUBJECT_TYPE));
    builder.setApplicationType(APPLICATION_TYPE_DEFAULT);
    // key material used to verify client-signed JWTs
    builder.setJwks(getSingleAttribute(clientAttributeMap, JWKS));
    builder.setJwksUri(getSingleAttribute(clientAttributeMap, JWKS_URI));
    builder.setX509(getSingleAttribute(clientAttributeMap, CLIENT_JWT_PUBLIC_KEY));
    builder.setPublicKeySelector(getSingleAttribute(clientAttributeMap, PUBLIC_KEY_SELECTOR));
    builder.setDefaultMaxAge(getLongMapAttr(clientAttributeMap, DEFAULT_MAX_AGE, MIN_DEFAULT_MAX_AGE, logger));
    return builder.createClient();
}

/**
 * Copies a set of attribute values into a new mutable list.
 *
 * @param values the values to copy; a {@code null} set fails with a {@code NullPointerException}
 *               exactly as {@code new ArrayList<>(null)} would
 * @return a fresh {@code ArrayList} holding the values
 */
private static List<String> toMutableList(Set<String> values) {
    return new ArrayList<>(values);
}
Use of org.forgerock.oauth2.core.exceptions.UnauthorizedClientException in project OpenAM by OpenRock:
class OpenAMClientDAO, method read.
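/**
 * {@inheritDoc}
 *
 * <p>Looks the client up as an {@code AGENTONLY} identity in the realm named by the request's
 * {@code REALM} parameter, under the token obtained from {@code AdminTokenAction}. Exactly one
 * profile must match; a missing or ambiguous profile is rejected with
 * {@link UnauthorizedClientException}. A deactivated profile contributes no attributes, so it is
 * rejected by {@code createClient} for the same reason.
 */
public Client read(String clientId, OAuth2Request request) throws UnauthorizedClientException {
    Map<String, Set<String>> clientAttributes = new HashMap<String, Set<String>>();
    try {
        final SSOToken token = AccessController.doPrivileged(AdminTokenAction.getInstance());
        // NOTE(review): the realm is taken directly from the request parameter and selects which
        // identity repository is searched; it is assumed to have been validated upstream — confirm.
        final String realm = request.getParameter(OAuth2Constants.Custom.REALM);
        AMIdentityRepository repo = idRepoFactory.create(realm, token);
        IdSearchControl idsc = new IdSearchControl();
        idsc.setRecursive(true);
        idsc.setAllReturnAttributes(true);
        // presumably 0 means "no cap on results", which is what makes an ambiguous match detectable — confirm
        idsc.setMaxResults(0);
        IdSearchResults searchResults = repo.searchIdentities(IdType.AGENTONLY, clientId, idsc);
        Set<AMIdentity> results = searchResults.getSearchResults();
        if (results == null || results.size() != 1) {
            logger.error("OpenAMClientDAO.read(): No client profile or more than one profile found.");
            // Logged here and propagated unchanged; there is no need to catch, re-log and re-wrap it below.
            throw new UnauthorizedClientException("Not able to get client from OpenAM");
        }
        AMIdentity theID = results.iterator().next();
        // A deactivated client leaves the attribute map empty, so createClient() below rejects it.
        if (theID.isActive()) {
            clientAttributes = theID.getAttributes();
        }
    } catch (SSOException | IdRepoException e) {
        // Session and repository failures are collapsed into one generic message so that internal
        // details are not surfaced to the client; the real cause is kept in the log.
        logger.error("OpenAMClientDAO.read(): Unable to get client AMIdentity: ", e);
        throw new UnauthorizedClientException("Not able to get client from OpenAM");
    }
    Client client = createClient(clientAttributes);
    client.setClientID(clientId);
    return client;
}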
Use of org.forgerock.oauth2.core.exceptions.UnauthorizedClientException in project OpenAM by OpenRock:
class OpenAMScopeValidator, method getUserInfo.
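/**
 * {@inheritDoc}
 *
 * <p>Resolves the realm, scopes and resource-owner identity either from the access token (when one is
 * supplied) or, when claims are being read into an id_token, from the user's session and the request's
 * {@code scope} parameter. These are bound as script variables and the realm's OIDC claims extension
 * script produces the user info.
 *
 * @throws NotFoundException if no valid client registration exists for the token's client, if a session
 *         property cannot be read, or if the claims script fails (a {@code ServerException} is converted
 *         because the interface does not declare it)
 */
public UserInfoClaims getUserInfo(AccessToken token, OAuth2Request request) throws UnauthorizedClientException, NotFoundException {
    Map<String, Object> response = new HashMap<>();
    Bindings scriptVariables = new SimpleBindings();
    SSOToken ssoToken = getUsersSession(request);
    String realm;
    Set<String> scopes;
    AMIdentity id;
    OAuth2ProviderSettings providerSettings = providerSettingsFactory.get(request);
    Map<String, Set<String>> requestedClaimsValues = gatherRequestedClaims(providerSettings, request, token);
    try {
        if (token != null) {
            OpenIdConnectClientRegistration clientRegistration;
            try {
                clientRegistration = clientRegistrationStore.get(token.getClientId(), request);
            } catch (InvalidClientException e) {
                logger.message("Unable to retrieve client from store.");
                throw new NotFoundException("No valid client registration found.");
            }
            // The subject identifier is derived through the client registration, not taken from the token directly.
            final String subId = clientRegistration.getSubValue(token.getResourceOwnerId(), providerSettings);
            //data comes from token when we have one
            realm = token.getRealm();
            scopes = token.getScope();
            id = identityManager.getResourceOwnerIdentity(token.getResourceOwnerId(), realm);
            response.put(OAuth2Constants.JWTTokenParams.SUB, subId);
            response.put(OAuth2Constants.JWTTokenParams.UPDATED_AT, getUpdatedAt(token.getResourceOwnerId(), token.getRealm(), request));
        } else {
            //otherwise we're simply reading claims into the id_token, so grab it from the request/ssoToken
            realm = DNMapper.orgNameToRealmName(ssoToken.getProperty(ISAuthConstants.ORGANIZATION));
            id = identityManager.getResourceOwnerIdentity(ssoToken.getProperty(ISAuthConstants.USER_ID), realm);
            String scopeStr = request.getParameter(OAuth2Constants.Params.SCOPE);
            scopes = splitScope(scopeStr);
        }
        // Everything the claims script may read is passed explicitly as script variables.
        scriptVariables.put(OAuth2Constants.ScriptParams.SCOPES, getScriptFriendlyScopes(scopes));
        scriptVariables.put(OAuth2Constants.ScriptParams.IDENTITY, id);
        scriptVariables.put(OAuth2Constants.ScriptParams.LOGGER, logger);
        scriptVariables.put(OAuth2Constants.ScriptParams.CLAIMS, response);
        scriptVariables.put(OAuth2Constants.ScriptParams.SESSION, ssoToken);
        scriptVariables.put(OAuth2Constants.ScriptParams.REQUESTED_CLAIMS, requestedClaimsValues);
        ScriptObject script = getOIDCClaimsExtensionScript(realm);
        try {
            return scriptEvaluator.evaluateScript(script, scriptVariables);
        } catch (ScriptException e) {
            logger.message("Error running OIDC claims script", e);
            throw new ServerException("Error running OIDC claims script: " + e.getMessage());
        }
    } catch (ServerException e) {
        //API does not allow ServerExceptions to be thrown!
        // NOTE(review): the script's failure text travels in the NotFoundException message; confirm it
        // is not echoed verbatim to the caller.
        throw new NotFoundException(e.getMessage());
    } catch (SSOException e) {
        // Log before converting so that a failing session-property lookup stays diagnosable.
        logger.message("Unable to read session properties for user info", e);
        throw new NotFoundException(e.getMessage());
    }
}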
Use of org.forgerock.oauth2.core.exceptions.UnauthorizedClientException in project OpenAM by OpenRock:
class OpenAMOpenIdConnectClientRegistrationService, method getRegistration.
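/**
 * {@inheritDoc}
 *
 * <p>The registration access token supplied with the request is compared against the token stored on
 * the client profile in constant time, so the time taken to reject a wrong token does not depend on how
 * many leading bytes matched. A profile without a stored token, or a request without one, is rejected
 * as an invalid token rather than failing with a {@code NullPointerException}.
 *
 * @throws InvalidRequestException if no client id was sent
 * @throws InvalidClientMetadata if the client profile cannot be read
 * @throws InvalidTokenException if the supplied access token does not match the client's registration access token
 */
public JsonValue getRegistration(String clientId, String accessToken, OAuth2Request request) throws InvalidRequestException, InvalidClientMetadata, InvalidTokenException {
    if (clientId == null) {
        logger.error("ConnectClientRegistration.readRequest(): No client id sent");
        throw new InvalidRequestException();
    }
    final Client client;
    try {
        client = clientDAO.read(clientId, request);
    } catch (UnauthorizedClientException e) {
        logger.error("ConnectClientRegistration.Validate(): Unable to create client", e);
        throw new InvalidClientMetadata();
    }
    final String registeredToken = client.getAccessToken();
    // Constant-time comparison of the secret (fully qualified to avoid touching the import block);
    // MessageDigest.isEqual still returns early on a length mismatch, so only the length can leak.
    final boolean tokenMatches = registeredToken != null && accessToken != null
            && java.security.MessageDigest.isEqual(
                    registeredToken.getBytes(java.nio.charset.StandardCharsets.UTF_8),
                    accessToken.getBytes(java.nio.charset.StandardCharsets.UTF_8));
    if (!tokenMatches) {
        //client access token doesn't match the access token supplied in the request
        logger.error("ConnectClientRegistration.getClient(): Invalid accessToken");
        throw new InvalidTokenException();
    }
    //remove the client fields that don't need to be reported.
    client.remove(REGISTRATION_ACCESS_TOKEN.getType());
    final JsonValue response = new JsonValue(convertClientReadResponseFormat(client.asMap()));
    response.put(EXPIRES_AT, 0);
    return response;
}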