
Example 6 with UnauthorizedClientException

use of org.forgerock.oauth2.core.exceptions.UnauthorizedClientException in project OpenAM by OpenRock.

Taken from class OpenAMClientDAO, method createClient (builds a Client from an agent profile's attribute map).

/**
 * Builds a {@link Client} from the raw attribute map of an agent profile.
 * <p>
 * Each setter is fed either one attribute value ({@code getSingleAttribute}) or the
 * whole value set ({@code getSetAttribute}); the application type is always the
 * default. The client ID is not part of the map and is left for the caller to set.
 *
 * @param clientAttributeMap attribute name to value-set map of the agent profile
 * @return the populated client
 * @throws UnauthorizedClientException if the map is null or empty, i.e. there is no
 *         usable profile to build a client from
 */
private Client createClient(Map<String, Set<String>> clientAttributeMap) throws UnauthorizedClientException {
    final boolean noProfile = clientAttributeMap == null || clientAttributeMap.isEmpty();
    if (noProfile) {
        throw new UnauthorizedClientException("Client has no attributes");
    }
    final ClientBuilder builder = new ClientBuilder();
    builder.setAccessToken(getSingleAttribute(clientAttributeMap, ACCESS_TOKEN));
    builder.setAllowedGrantScopes(listOf(clientAttributeMap, SCOPES));
    builder.setClientName(listOf(clientAttributeMap, CLIENT_NAME));
    // The client secret is whatever the profile stores under its userpassword attribute.
    builder.setClientSecret(getSingleAttribute(clientAttributeMap, USERPASSWORD));
    builder.setClientSessionURI(getSingleAttribute(clientAttributeMap, CLIENT_SESSION_URI));
    builder.setClientType(getSingleAttribute(clientAttributeMap, CLIENT_TYPE));
    builder.setContacts(listOf(clientAttributeMap, CONTACTS));
    builder.setDefaultGrantScopes(listOf(clientAttributeMap, DEFAULT_SCOPES));
    builder.setDisplayDescription(listOf(clientAttributeMap, DESCRIPTION));
    builder.setDisplayName(listOf(clientAttributeMap, NAME));
    builder.setIdTokenSignedResponseAlgorithm(getSingleAttribute(clientAttributeMap, IDTOKEN_SIGNED_RESPONSE_ALG));
    // Registered redirect and post-logout redirect URIs.
    builder.setRedirectionURIs(listOf(clientAttributeMap, REDIRECT_URI));
    builder.setPostLogoutRedirectionURIs(listOf(clientAttributeMap, POST_LOGOUT_URI));
    builder.setResponseTypes(listOf(clientAttributeMap, RESPONSE_TYPES));
    // Boolean.valueOf(null) is false, so a missing attribute leaves default max age disabled.
    builder.setDefaultMaxAgeEnabled(Boolean.valueOf(getSingleAttribute(clientAttributeMap, DEFAULT_MAX_AGE_ENABLED)));
    builder.setTokenEndpointAuthMethod(getSingleAttribute(clientAttributeMap, TOKEN_ENDPOINT_AUTH_METHOD));
    builder.setSubjectType(getSingleAttribute(clientAttributeMap, SUBJECT_TYPE));
    builder.setApplicationType(APPLICATION_TYPE_DEFAULT);
    // Client key material (inline JWKS, JWKS URI, X.509 public key) and the selector between them.
    builder.setJwks(getSingleAttribute(clientAttributeMap, JWKS));
    builder.setJwksUri(getSingleAttribute(clientAttributeMap, JWKS_URI));
    builder.setX509(getSingleAttribute(clientAttributeMap, CLIENT_JWT_PUBLIC_KEY));
    builder.setPublicKeySelector(getSingleAttribute(clientAttributeMap, PUBLIC_KEY_SELECTOR));
    builder.setDefaultMaxAge(getLongMapAttr(clientAttributeMap, DEFAULT_MAX_AGE, MIN_DEFAULT_MAX_AGE, logger));
    return builder.createClient();
}

/** Copies a multi-valued profile attribute into a fresh, mutable list for the builder's list setters. */
private ArrayList<String> listOf(Map<String, Set<String>> attributes, String name) {
    return new ArrayList<>(getSetAttribute(attributes, name));
}

Example 7 with UnauthorizedClientException

use of org.forgerock.oauth2.core.exceptions.UnauthorizedClientException in project OpenAM by OpenRock.

Taken from class OpenAMClientDAO, method read (looks a client up by ID in the realm named by the request).

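/**
 * {@inheritDoc}
 * <p>
 * Looks the client up as an agent ({@code IdType.AGENTONLY}) in the realm named by the
 * request's realm parameter, using the server's admin token for the search. Exactly one
 * active profile must match; anything else (none, several, a deactivated profile, or a
 * repository/SSO failure) is reported to the caller as the same generic
 * {@link UnauthorizedClientException} so the response does not reveal which case applied.
 * The specific cause is logged server-side.
 *
 * @param clientId the client identifier to look up (also set on the returned client)
 * @param request  the request, from which the realm is taken
 * @return the client built from the matching profile's attributes
 * @throws UnauthorizedClientException if no single active profile can be read for the client
 */
public Client read(String clientId, OAuth2Request request) throws UnauthorizedClientException {
    Map<String, Set<String>> clientAttributes;
    try {
        // Privileged admin token: the lookup runs with server credentials, not the caller's.
        final SSOToken token = AccessController.doPrivileged(AdminTokenAction.getInstance());
        // The realm is taken from the request and so is caller-influenced; the identity
        // repository is scoped to it. NOTE(review): assumes the realm value has been
        // validated upstream — confirm.
        final String realm = request.getParameter(OAuth2Constants.Custom.REALM);
        final AMIdentityRepository repo = idRepoFactory.create(realm, token);

        final IdSearchControl idsc = new IdSearchControl();
        idsc.setRecursive(true);
        // The whole profile is needed to build the Client (including the secret attribute).
        idsc.setAllReturnAttributes(true);
        idsc.setMaxResults(0);
        // NOTE(review): clientId is passed as the search pattern. If the repository treats
        // '*' as a wildcard, a pattern matching exactly one agent would pass the check
        // below — confirm client IDs cannot contain wildcard characters where they enter.
        final IdSearchResults searchResults = repo.searchIdentities(IdType.AGENTONLY, clientId, idsc);
        final Set<AMIdentity> results = searchResults.getSearchResults();
        if (results == null || results.size() != 1) {
            logger.error("OpenAMClientDAO.read(): No client profile or more than one profile found.");
            throw new UnauthorizedClientException("Not able to get client from OpenAM");
        }
        final AMIdentity theID = results.iterator().next();
        // A deactivated client must not be usable. Reject it explicitly here rather than
        // falling through with an empty attribute map and relying on createClient to refuse it.
        if (!theID.isActive()) {
            logger.error("OpenAMClientDAO.read(): Client profile is deactivated.");
            throw new UnauthorizedClientException("Not able to get client from OpenAM");
        }
        clientAttributes = theID.getAttributes();
    } catch (UnauthorizedClientException | SSOException | IdRepoException e) {
        // Deliberately generic message to the caller; the detail stays in the log.
        logger.error("OpenAMClientDAO.read(): Unable to get client AMIdentity: ", e);
        throw new UnauthorizedClientException("Not able to get client from OpenAM");
    }
    final Client client = createClient(clientAttributes);
    client.setClientID(clientId);
    return client;
}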

Example 8 with UnauthorizedClientException

use of org.forgerock.oauth2.core.exceptions.UnauthorizedClientException in project OpenAM by OpenRock.

Taken from class ScopeImpl, method getUserInfo (resolves the token's scopes to userinfo claims).

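/**
 * {@inheritDoc}
 * <p>
 * Builds the userinfo claim set for the resource owner of {@code token}. Every scope on
 * the token other than {@code openid} is resolved through
 * {@code scopeToUserUserProfileAttributes}: a {@code String} mapping names one profile
 * attribute whose value(s) are returned under the scope name; a {@code Map} mapping maps
 * claim names to profile attribute names and each is returned under its claim name.
 * A scope with no mapping is logged and skipped, so nothing is read from the profile
 * for it. A single attribute value is returned as a String, several as the Set.
 * Attribute read failures and empty results are logged and the claim is omitted.
 *
 * @param token the access token whose user, realm and scopes drive the lookup
 * @return the claims (always including {@code sub}) plus an empty composite-scope map
 * @throws OAuthProblemException ({@code UNAUTHORIZED_CLIENT}) if the resource owner
 *         identity cannot be resolved
 */
public UserInfoClaims getUserInfo(CoreToken token) {
    final Set<String> scopes = token.getScope();
    final Map<String, Object> response = new HashMap<String, Object>();
    final AMIdentity id;
    try {
        id = identityManager.getResourceOwnerIdentity(token.getUserID(), token.getRealm());
    } catch (UnauthorizedClientException e) {
        throw OAuthProblemException.OAuthError.UNAUTHORIZED_CLIENT.handle(null, e.getMessage());
    }
    // The subject identifier is always present, whatever the scopes.
    response.put("sub", token.getUserID());
    for (String scope : scopes) {
        if (OPENID_SCOPE.equals(scope)) {
            continue;
        }
        // Only mapped scopes reach the profile; the mapping is the allow-list of what a
        // scope may expose.
        final Object attributes = scopeToUserUserProfileAttributes.get(scope);
        if (attributes == null) {
            logger.error("ScopeImpl.getUserInfo()::Invalid Scope in token scope=" + scope);
        } else if (attributes instanceof String) {
            // One attribute, returned under the scope name itself.
            Set<String> attr = null;
            try {
                attr = id.getAttribute((String) attributes);
            } catch (IdRepoException | SSOException e) {
                logger.warning("ScopeImpl.getUserInfo(): Unable to retrieve attribute= " + attributes, e);
            }
            if (!putClaimValue(response, scope, attr)) {
                logger.warning("ScopeImpl.getUserInfo(): Got an empty result for attribute=" + attributes + " of scope=" + scope);
            }
        } else if (attributes instanceof Map) {
            // Composite scope (e.g. profile): claim name -> profile attribute name.
            @SuppressWarnings("unchecked") // NOTE(review): mapping is assumed to be populated as Map<String, String> — confirm
            final Map<String, String> claimToAttribute = (Map<String, String>) attributes;
            for (Map.Entry<String, String> entry : claimToAttribute.entrySet()) {
                final String attribute = entry.getValue();
                Set<String> attr = null;
                try {
                    attr = id.getAttribute(attribute);
                } catch (IdRepoException | SSOException e) {
                    logger.warning("ScopeImpl.getUserInfo(): Unable to retrieve attribute", e);
                }
                if (!putClaimValue(response, entry.getKey(), attr)) {
                    logger.warning("ScopeImpl.getUserInfo(): Got an empty result for scope=" + scope);
                }
            }
        }
    }
    return new UserInfoClaims(response, Collections.<String, List<String>>emptyMap());
}

/**
 * Adds {@code values} to {@code response} under {@code key}: a lone value as the String,
 * several as the Set.
 *
 * @return false (and adds nothing) when {@code values} is null or empty, true otherwise
 */
private static boolean putClaimValue(Map<String, Object> response, String key, Set<String> values) {
    if (values == null || values.isEmpty()) {
        return false;
    }
    response.put(key, values.size() == 1 ? values.iterator().next() : values);
    return true;
}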

Example 9 with UnauthorizedClientException

use of org.forgerock.oauth2.core.exceptions.UnauthorizedClientException in project OpenAM by OpenRock.

Taken from class ScopeImpl, method evaluateScope (reads, for each scope, the identity attribute of the same name).

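/**
 * {@inheritDoc}
 * <p>
 * Returns, for each scope on the token, the value(s) of the identity attribute with that
 * exact name, multiple values joined with {@code MULTI_ATTRIBUTE_SEPARATOR}. For the
 * client_credentials grant the attributes are read from the client's identity, otherwise
 * from the resource owner's. Lookup failures are logged, never thrown: the result is then
 * empty, or missing the scopes not yet evaluated when the failure occurred.
 * <p>
 * NOTE(review): scope names are used verbatim as profile attribute names, so what this
 * can expose is bounded only by which scopes reached the token. This relies on scope
 * validation at grant time (e.g. against the client's allowed scopes) — confirm that
 * arbitrary attribute names, such as password fields, cannot be requested as scopes.
 *
 * @param token the token whose scopes are evaluated
 * @return scope name to joined attribute value(s); empty if there is no identity or no scopes
 */
public Map<String, Object> evaluateScope(CoreToken token) {
    final Map<String, Object> map = new HashMap<String, Object>();
    final Set<String> scopes = token.getScope();
    final String clientId = token.getClientID();
    final String resourceOwner = token.getUserID();
    final String grantType = token.getGrantType();
    AMIdentity id = null;
    try {
        if (clientId != null && OAuth2Constants.TokenEndpoint.CLIENT_CREDENTIALS.equals(grantType)) {
            // No resource owner for client_credentials: the client itself is the subject.
            id = identityManager.getClientIdentity(clientId, token.getRealm());
        } else if (resourceOwner != null) {
            id = identityManager.getResourceOwnerIdentity(resourceOwner, token.getRealm());
        }
    } catch (UnauthorizedClientException e) {
        logger.error("Unable to get user identity", e);
    }
    // Nothing to evaluate without an identity or without scopes (a null scope set is treated as empty).
    if (id == null || scopes == null || scopes.isEmpty()) {
        return map;
    }
    try {
        for (final String scope : scopes) {
            final Set<String> attributes = id.getAttribute(scope);
            if (attributes == null) {
                // Absent attribute: the scope is simply left out of the result.
                continue;
            }
            final StringBuilder joined = new StringBuilder();
            for (final Iterator<String> iter = attributes.iterator(); iter.hasNext();) {
                joined.append(iter.next());
                if (iter.hasNext()) {
                    joined.append(MULTI_ATTRIBUTE_SEPARATOR);
                }
            }
            map.put(scope, joined.toString());
        }
    } catch (SSOException | IdRepoException e) {
        // One failure aborts the loop; scopes already evaluated stay in the map.
        logger.error("Unable to get attribute", e);
    }
    return map;
}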

Example 10 with UnauthorizedClientException

use of org.forgerock.oauth2.core.exceptions.UnauthorizedClientException in project OpenAM by OpenRock.

Taken from class OpenAMTokenStore, method appendIdTokenClaims (copies userinfo claims onto the ID token).

/**
 * Copies every userinfo claim for the request's access token onto the ID token, i.e. the
 * claims derived from the granted scopes plus those requested specifically for the
 * id_token, as produced by {@code providerSettings.getUserInfo(...)}.
 *
 * @param request          the current request, holding the access token
 * @param providerSettings the provider settings used to compute the userinfo claims
 * @param oidcToken        the ID token the claims are written to
 * @throws ServerException        propagated from the calls in this method
 * @throws NotFoundException      propagated from the calls in this method
 * @throws InvalidClientException via {@code failureFactory} when the client is not
 *                                authorized for the userinfo lookup
 */
private void appendIdTokenClaims(OAuth2Request request, OAuth2ProviderSettings providerSettings, OpenAMOpenIdConnectToken oidcToken) throws ServerException, NotFoundException, InvalidClientException {
    try {
        final AccessToken accessToken = request.getToken(AccessToken.class);
        final Map<String, Object> claims = providerSettings.getUserInfo(accessToken, request).getValues();
        for (String claimName : claims.keySet()) {
            oidcToken.put(claimName, claims.get(claimName));
        }
    } catch (UnauthorizedClientException e) {
        // Surface the rejection through the failure factory configured for this request.
        throw failureFactory.getException(request, e.getMessage());
    }
}
