use of org.forgerock.openam.authentication.modules.oidc.JwtHandler in project OpenAM by OpenRock.
the class OAuth method process.
public int process(Callback[] callbacks, int state) throws LoginException {
OAuthUtil.debugMessage("process: state = " + state);
HttpServletRequest request = getHttpServletRequest();
HttpServletResponse response = getHttpServletResponse();
if (request == null) {
OAuthUtil.debugError("OAuth.process(): The request was null, this is " + "an interactive module");
return ISAuthConstants.LOGIN_IGNORE;
}
// We are being redirected back from an OAuth 2 Identity Provider
String code = request.getParameter(PARAM_CODE);
if (code != null) {
OAuthUtil.debugMessage("OAuth.process(): GOT CODE: " + code);
state = GET_OAUTH_TOKEN_STATE;
}
// The Proxy is used to return with a POST to the module
proxyURL = config.getProxyURL();
switch(state) {
case ISAuthConstants.LOGIN_START:
{
config.validateConfiguration();
serverName = request.getServerName();
StringBuilder originalUrl = new StringBuilder();
String requestedQuery = request.getQueryString();
String realm = null;
String authCookieName = AuthUtils.getAuthCookieName();
final XUIState xuiState = InjectorHolder.getInstance(XUIState.class);
if (xuiState.isXUIEnabled()) {
// When XUI is in use the request URI points to the authenticate REST endpoint, which shouldn't be
// presented to the end-user, hence we use the contextpath only and rely on index.html and the
// XUIFilter to direct the user towards the XUI.
originalUrl.append(request.getContextPath());
// the realm parameter was not present on the querystring, then we add it there.
if (requestedQuery != null && !requestedQuery.contains("realm=")) {
realm = request.getParameter("realm");
}
} else {
//In case of legacy UI the request URI will be /openam/UI/Login, which is safe to use.
originalUrl.append(request.getRequestURI());
}
if (StringUtils.isNotEmpty(realm)) {
originalUrl.append("?realm=").append(URLEncDec.encode(realm));
}
if (requestedQuery != null) {
if (requestedQuery.endsWith(authCookieName + "=")) {
requestedQuery = requestedQuery.substring(0, requestedQuery.length() - authCookieName.length() - 1);
}
originalUrl.append(originalUrl.indexOf("?") == -1 ? '?' : '&');
originalUrl.append(requestedQuery);
}
// Find the domains for which we are configured
Set<String> domains = AuthClientUtils.getCookieDomainsForRequest(request);
String ProviderLogoutURL = config.getLogoutServiceUrl();
String csrfStateTokenId = RandomStringUtils.randomAlphanumeric(32);
String csrfState = createAuthorizationState();
Token csrfStateToken = new Token(csrfStateTokenId, TokenType.GENERIC);
csrfStateToken.setAttribute(CoreTokenField.STRING_ONE, csrfState);
try {
ctsStore.create(csrfStateToken);
} catch (CoreTokenException e) {
OAuthUtil.debugError("OAuth.process(): Authorization redirect failed to be sent because the state " + "could not be stored");
throw new AuthLoginException("OAuth.process(): Authorization redirect failed to be sent because " + "the state could not be stored", e);
}
// when retrieving the token
for (String domain : domains) {
CookieUtils.addCookieToResponse(response, CookieUtils.newCookie(COOKIE_PROXY_URL, proxyURL, "/", domain));
CookieUtils.addCookieToResponse(response, CookieUtils.newCookie(COOKIE_ORIG_URL, originalUrl.toString(), "/", domain));
CookieUtils.addCookieToResponse(response, CookieUtils.newCookie(NONCE_TOKEN_ID, csrfStateTokenId, "/", domain));
if (ProviderLogoutURL != null && !ProviderLogoutURL.isEmpty()) {
CookieUtils.addCookieToResponse(response, CookieUtils.newCookie(COOKIE_LOGOUT_URL, ProviderLogoutURL, "/", domain));
}
}
// The Proxy is used to return with a POST to the module
setUserSessionProperty(ISAuthConstants.FULL_LOGIN_URL, originalUrl.toString());
setUserSessionProperty(SESSION_LOGOUT_BEHAVIOUR, config.getLogoutBhaviour());
String authServiceUrl = config.getAuthServiceUrl(proxyURL, csrfState);
OAuthUtil.debugMessage("OAuth.process(): New RedirectURL=" + authServiceUrl);
Callback[] callbacks1 = getCallback(2);
RedirectCallback rc = (RedirectCallback) callbacks1[0];
RedirectCallback rcNew = new RedirectCallback(authServiceUrl, null, "GET", rc.getStatusParameter(), rc.getRedirectBackUrlCookieName());
rcNew.setTrackingCookie(true);
replaceCallback(2, 0, rcNew);
return GET_OAUTH_TOKEN_STATE;
}
case GET_OAUTH_TOKEN_STATE:
{
final String csrfState;
if (request.getParameter("jsonContent") != null) {
final JsonValue jval = JsonValueBuilder.toJsonValue(request.getParameter("jsonContent"));
csrfState = jval.get("state").asString();
code = jval.get(PARAM_CODE).asString();
} else {
csrfState = request.getParameter("state");
code = request.getParameter(PARAM_CODE);
}
if (csrfState == null) {
OAuthUtil.debugError("OAuth.process(): Authorization call-back failed because there was no state " + "parameter");
throw new AuthLoginException(BUNDLE_NAME, "noState", null);
}
try {
Token csrfStateToken = ctsStore.read(OAuthUtil.findCookie(request, NONCE_TOKEN_ID));
ctsStore.deleteAsync(csrfStateToken);
String expectedCsrfState = csrfStateToken.getValue(CoreTokenField.STRING_ONE);
if (!expectedCsrfState.equals(csrfState)) {
OAuthUtil.debugError("OAuth.process(): Authorization call-back failed because the state parameter " + "contained an unexpected value");
throw new AuthLoginException(BUNDLE_NAME, "incorrectState", null);
}
// We are being redirected back from an OAuth 2 Identity Provider
if (code == null || code.isEmpty()) {
OAuthUtil.debugMessage("OAuth.process(): LOGIN_IGNORE");
return ISAuthConstants.LOGIN_START;
}
validateInput("code", code, "HTTPParameterValue", 2000, false);
OAuthUtil.debugMessage("OAuth.process(): code parameter: " + code);
String tokenSvcResponse = getContent(config.getTokenServiceUrl(code, proxyURL), null);
OAuthUtil.debugMessage("OAuth.process(): token=" + tokenSvcResponse);
JwtClaimsSet jwtClaims = null;
String idToken = null;
if (config.isOpenIDConnect()) {
idToken = extractToken(ID_TOKEN, tokenSvcResponse);
JwtHandler jwtHandler = new JwtHandler(jwtHandlerConfig);
try {
jwtClaims = jwtHandler.validateJwt(idToken);
} catch (RuntimeException | AuthLoginException e) {
debug.warning("Cannot validate JWT", e);
throw e;
}
if (!JwtHandler.isIntendedForAudience(config.getClientId(), jwtClaims)) {
OAuthUtil.debugError("OAuth.process(): ID token is not for this client as audience.");
throw new AuthLoginException(BUNDLE_NAME, "audience", null);
}
}
String token = extractToken(PARAM_ACCESS_TOKEN, tokenSvcResponse);
setUserSessionProperty(SESSION_OAUTH_TOKEN, token);
String profileSvcResponse = null;
if (StringUtils.isNotEmpty(config.getProfileServiceUrl())) {
profileSvcResponse = getContent(config.getProfileServiceUrl(), "Bearer " + token);
OAuthUtil.debugMessage("OAuth.process(): Profile Svc response: " + profileSvcResponse);
}
String realm = getRequestOrg();
if (realm == null) {
realm = "/";
}
AccountProvider accountProvider = instantiateAccountProvider();
AttributeMapper accountAttributeMapper = instantiateAccountMapper();
Map<String, Set<String>> userNames = getAttributes(profileSvcResponse, config.getAccountMapperConfig(), accountAttributeMapper, jwtClaims);
String user = null;
if (!userNames.isEmpty()) {
user = getUser(realm, accountProvider, userNames);
}
if (user == null && !config.getCreateAccountFlag()) {
authenticatedUser = getDynamicUser(userNames);
if (authenticatedUser != null) {
if (config.getSaveAttributesToSessionFlag()) {
Map<String, Set<String>> attributes = getAttributesMap(profileSvcResponse, jwtClaims);
saveAttributes(attributes);
}
OAuthUtil.debugMessage("OAuth.process(): LOGIN_SUCCEED " + "with user " + authenticatedUser);
storeUsernamePasswd(authenticatedUser, null);
return ISAuthConstants.LOGIN_SUCCEED;
} else {
throw new AuthLoginException("No user mapped!");
}
}
if (user == null && config.getCreateAccountFlag()) {
if (config.getPromptPasswordFlag()) {
setUserSessionProperty(PROFILE_SERVICE_RESPONSE, profileSvcResponse);
if (config.isOpenIDConnect()) {
setUserSessionProperty(OPENID_TOKEN, idToken);
}
return SET_PASSWORD_STATE;
} else {
authenticatedUser = provisionAccountNow(accountProvider, realm, profileSvcResponse, getRandomData(), jwtClaims);
if (authenticatedUser != null) {
OAuthUtil.debugMessage("User created: " + authenticatedUser);
storeUsernamePasswd(authenticatedUser, null);
return ISAuthConstants.LOGIN_SUCCEED;
} else {
return ISAuthConstants.LOGIN_IGNORE;
}
}
}
if (user != null) {
authenticatedUser = user;
OAuthUtil.debugMessage("OAuth.process(): LOGIN_SUCCEED " + "with user " + authenticatedUser);
if (config.getSaveAttributesToSessionFlag()) {
Map<String, Set<String>> attributes = getAttributesMap(profileSvcResponse, jwtClaims);
saveAttributes(attributes);
}
storeUsernamePasswd(authenticatedUser, null);
return ISAuthConstants.LOGIN_SUCCEED;
}
} catch (JSONException je) {
OAuthUtil.debugError("OAuth.process(): JSONException: " + je.getMessage());
throw new AuthLoginException(BUNDLE_NAME, "json", null, je);
} catch (SSOException ssoe) {
OAuthUtil.debugError("OAuth.process(): SSOException: " + ssoe.getMessage());
throw new AuthLoginException(BUNDLE_NAME, "ssoe", null, ssoe);
} catch (IdRepoException ire) {
OAuthUtil.debugError("OAuth.process(): IdRepoException: " + ire.getMessage());
throw new AuthLoginException(BUNDLE_NAME, "ire", null, ire);
} catch (CoreTokenException e) {
OAuthUtil.debugError("OAuth.process(): Authorization call-back failed because the state parameter " + "contained an unexpected value");
throw new AuthLoginException(BUNDLE_NAME, "incorrectState", null, e);
}
break;
}
case SET_PASSWORD_STATE:
{
if (!config.getCreateAccountFlag()) {
return ISAuthConstants.LOGIN_IGNORE;
}
userPassword = request.getParameter(PARAM_TOKEN1);
validateInput(PARAM_TOKEN1, userPassword, "HTTPParameterValue", 512, false);
String userPassword2 = request.getParameter(PARAM_TOKEN2);
validateInput(PARAM_TOKEN2, userPassword2, "HTTPParameterValue", 512, false);
if (!userPassword.equals(userPassword2)) {
OAuthUtil.debugWarning("OAuth.process(): Passwords did not match!");
return SET_PASSWORD_STATE;
}
String terms = request.getParameter("terms");
if (!terms.equalsIgnoreCase("accept")) {
return SET_PASSWORD_STATE;
}
String profileSvcResponse = getUserSessionProperty("ATTRIBUTES");
data = getRandomData();
String mail = getMail(profileSvcResponse, config.getMailAttribute());
OAuthUtil.debugMessage("Mail found = " + mail);
try {
OAuthUtil.sendEmail(config.getEmailFrom(), mail, data, config.getSMTPConfig(), bundle, proxyURL);
} catch (NoEmailSentException ex) {
OAuthUtil.debugError("No mail sent due to error", ex);
throw new AuthLoginException("Aborting authentication, because " + "the mail could not be sent due to a mail sending error");
}
OAuthUtil.debugMessage("User to be created, we need to activate: " + data);
return CREATE_USER_STATE;
}
case CREATE_USER_STATE:
{
String activation = request.getParameter(PARAM_ACTIVATION);
validateInput(PARAM_ACTIVATION, activation, "HTTPParameterValue", 512, false);
OAuthUtil.debugMessage("code entered by the user: " + activation);
if (activation == null || activation.isEmpty() || !activation.trim().equals(data.trim())) {
return CREATE_USER_STATE;
}
String profileSvcResponse = getUserSessionProperty(PROFILE_SERVICE_RESPONSE);
String idToken = getUserSessionProperty(ID_TOKEN);
String realm = getRequestOrg();
if (realm == null) {
realm = "/";
}
OAuthUtil.debugMessage("Got Attributes: " + profileSvcResponse);
AccountProvider accountProvider = instantiateAccountProvider();
JwtClaimsSet jwtClaims = null;
if (idToken != null) {
jwtClaims = new JwtHandler(jwtHandlerConfig).getJwtClaims(idToken);
}
authenticatedUser = provisionAccountNow(accountProvider, realm, profileSvcResponse, userPassword, jwtClaims);
if (authenticatedUser != null) {
OAuthUtil.debugMessage("User created: " + authenticatedUser);
storeUsernamePasswd(authenticatedUser, null);
return ISAuthConstants.LOGIN_SUCCEED;
} else {
return ISAuthConstants.LOGIN_IGNORE;
}
}
default:
{
OAuthUtil.debugError("OAuth.process(): Illegal State");
return ISAuthConstants.LOGIN_IGNORE;
}
}
throw new AuthLoginException(BUNDLE_NAME, "unknownState", null);
}
Aggregations