use of org.forgerock.openam.sts.service.invocation.TokenGenerationServiceInvocationState in project OpenAM by OpenRock.
The class TokenGenerationService, method createInstance.
/**
 * Issues a SAML2 or OpenIdConnect token for the subject session named in the request.
 * <p>
 * The order of operations matters: the request body is parsed, the subject's session is
 * validated (the caller has to present a valid SSOToken for the principal the token will
 * assert), the publishing STS instance's state is resolved, and only then is a token
 * generated. Each precondition failure short-circuits with a ResourceException promise, so
 * nothing is minted unless all three hold.
 *
 * @param context the CREST request context (not consulted beyond the CREST contract here)
 * @param request the CreateRequest whose JSON content is a TokenGenerationServiceInvocationState
 * @return a ResourceResponse wrapping the issued token, or a ResourceException promise:
 *         BadRequest for malformed input or an unsupported token type, Forbidden when the
 *         subject session does not validate, and InternalServerError for an unexpected failure
 *         during token generation
 */
@Override
public Promise<ResourceResponse, ResourceException> createInstance(Context context, CreateRequest request) {
    final TokenGenerationServiceInvocationState invocationState;
    try {
        invocationState = TokenGenerationServiceInvocationState.fromJson(request.getContent());
    } catch (Exception e) {
        // Malformed or unexpected JSON is a client error; the parser's message is echoed back to the caller.
        logger.error("Exception caught marshalling json into TokenGenerationServiceInvocationState instance: " + e);
        return new BadRequestException(e.getMessage(), e).asPromise();
    }

    // The caller must hold a valid session for the principal the token will assert. This check
    // runs before any STS instance state is looked up, so unauthenticated requests do no further work.
    final SSOToken subjectToken;
    try {
        subjectToken = validateAssertionSubjectSession(invocationState);
    } catch (ForbiddenException e) {
        return e.asPromise();
    }

    final STSInstanceState stsInstanceState;
    try {
        stsInstanceState = getSTSInstanceState(invocationState);
    } catch (ResourceException e) {
        return e.asPromise();
    }

    final TokenType requestedType = invocationState.getTokenType();
    final boolean saml2Requested = TokenType.SAML2.equals(requestedType);
    final boolean oidcRequested = TokenType.OPENIDCONNECT.equals(requestedType);
    if (!saml2Requested && !oidcRequested) {
        // Also reached when no type was supplied: equals() on the enum constants is null-safe.
        final String message = "Bad request: unexpected token type:" + requestedType;
        logger.error(message);
        return new BadRequestException(message).asPromise();
    }

    // Both generators share the same failure handling; only the log wording differs by token type.
    final String tokenLabel = saml2Requested ? "saml2" : "OpenIdConnect";
    try {
        final String issuedToken = saml2Requested
                ? saml2TokenGeneration.generate(subjectToken, stsInstanceState, invocationState)
                : openIdConnectTokenGeneration.generate(subjectToken, stsInstanceState, invocationState);
        return newResultPromise(issuedTokenResource(issuedToken));
    } catch (TokenCreationException e) {
        logger.error("Exception caught generating " + tokenLabel + " token: " + e, e);
        return e.asPromise();
    } catch (Exception e) {
        logger.error("Exception caught generating " + tokenLabel + " token: " + e, e);
        // NOTE(review): e.toString() (exception class name plus message) is returned to the caller in
        // the 500 body. If this endpoint is reachable by untrusted clients, a generic message would
        // avoid disclosing internal detail; the full exception is already in the server log above.
        return new InternalServerErrorException(e.toString(), e).asPromise();
    }
}
use of org.forgerock.openam.sts.service.invocation.TokenGenerationServiceInvocationState in project OpenAM by OpenRock.
The class OpenIdConnectTokenGenerationImplTest, method testRSAOpenIdConnectTokenGeneration.
/**
 * Generates an OIDC token with an RSA-signing token config and checks the standard claims,
 * the mapped custom claim, and that the signature verifies against the configured RSA key material.
 */
@Test
public void testRSAOpenIdConnectTokenGeneration() throws TokenCreationException {
    // Subject identity: the validated session resolves to SUBJECT_NAME, which must surface as 'sub'.
    final SSOToken subjectSession = mock(SSOToken.class);
    final SSOTokenIdentity identityResolver = mock(SSOTokenIdentity.class);
    when(identityResolver.validateAndGetTokenPrincipal(any(SSOToken.class))).thenReturn(SUBJECT_NAME);

    // STS instance wired with an RSA token config and a PKI provider built from that same config.
    final OpenIdConnectTokenConfig rsaTokenConfig = buildRSAOpenIdConnectTokenConfig();
    final STSInstanceConfig instanceConfig = mock(STSInstanceConfig.class);
    when(instanceConfig.getOpenIdConnectTokenConfig()).thenReturn(rsaTokenConfig);
    final STSInstanceState instanceState = mock(STSInstanceState.class);
    when(instanceState.getConfig()).thenReturn(instanceConfig);
    when(instanceState.getOpenIdConnectTokenPKIProvider())
            .thenReturn(new OpenIdConnectTokenPKIProviderImpl(rsaTokenConfig));

    // Claim mapping: custom claims for this subject come from the mapper, keyed off mappedClaimConfig.
    final OpenIdConnectTokenClaimMapper claimMapper = mock(OpenIdConnectTokenClaimMapper.class);
    when(claimMapper.getCustomClaims(subjectSession, mappedClaimConfig)).thenReturn(mappedClaimAttributes);
    final OpenIdConnectTokenClaimMapperProvider claimMapperProvider = mock(OpenIdConnectTokenClaimMapperProvider.class);
    when(claimMapperProvider.getClaimMapper(any(OpenIdConnectTokenConfig.class))).thenReturn(claimMapper);

    // Per-request generation state; the time value is in seconds (presumably the auth_time claim).
    final long authTimeSeconds = System.currentTimeMillis() / 1000;
    final TokenGenerationServiceInvocationState invocationState = mock(TokenGenerationServiceInvocationState.class);
    when(invocationState.getOpenIdConnectTokenGenerationState())
            .thenReturn(buildOpenIdConnectTokenGenerationState(authTimeSeconds));

    final OpenIdConnectTokenGenerationImpl generator = new OpenIdConnectTokenGenerationImpl(
            identityResolver, new JwtBuilderFactory(), claimMapperProvider,
            mock(CTSTokenPersistence.class), mock(Logger.class));
    final String oidcToken = generator.generate(subjectSession, instanceState, invocationState);

    final SignedJwt signedJwt = reconstructSignedJwt(oidcToken);
    final JwtClaimsSet claims = signedJwt.getClaimsSet();
    assertEquals(SUBJECT_NAME, claims.getSubject());
    assertEquals(AUDIENCE, claims.getAudience().get(0));
    assertEquals(AUTHN_CLASS_REFERENCE, claims.getClaim("acr", String.class));
    assertEquals(ISSUER, claims.getIssuer());
    assertEquals(EMAIL_CLAIM_VALUE, claims.get(EMAIL_CLAIM_KEY).asString());
    // The signature must verify with the RSA key material carried by the token config.
    assertTrue(verifyRSASignature(signedJwt, rsaTokenConfig));
    // NOTE(review): time-based claims (exp/iat/auth_time) are not asserted here — consider pinning them.
}
use of org.forgerock.openam.sts.service.invocation.TokenGenerationServiceInvocationState in project OpenAM by OpenRock.
The class OpenIdConnectTokenGenerationImplTest, method testHMACOpenIdConnectTokenGeneration.
/**
 * Generates an OIDC token with an HMAC-signing token config and checks the standard claims,
 * the mapped custom claim, and that the HMAC signature verifies. Unlike the RSA case no PKI
 * provider is stubbed on the instance state; the HMAC path does not consult one here.
 */
@Test
public void testHMACOpenIdConnectTokenGeneration() throws TokenCreationException {
    // Subject identity: the validated session resolves to SUBJECT_NAME, which must surface as 'sub'.
    final SSOToken subjectSession = mock(SSOToken.class);
    final SSOTokenIdentity identityResolver = mock(SSOTokenIdentity.class);
    when(identityResolver.validateAndGetTokenPrincipal(any(SSOToken.class))).thenReturn(SUBJECT_NAME);

    // STS instance wired with an HMAC token config.
    final OpenIdConnectTokenConfig hmacTokenConfig = buildHMACOpenIdConnectTokenConfig();
    final STSInstanceConfig instanceConfig = mock(STSInstanceConfig.class);
    when(instanceConfig.getOpenIdConnectTokenConfig()).thenReturn(hmacTokenConfig);
    final STSInstanceState instanceState = mock(STSInstanceState.class);
    when(instanceState.getConfig()).thenReturn(instanceConfig);

    // Claim mapping: custom claims for this subject come from the mapper, keyed off mappedClaimConfig.
    final OpenIdConnectTokenClaimMapper claimMapper = mock(OpenIdConnectTokenClaimMapper.class);
    when(claimMapper.getCustomClaims(subjectSession, mappedClaimConfig)).thenReturn(mappedClaimAttributes);
    final OpenIdConnectTokenClaimMapperProvider claimMapperProvider = mock(OpenIdConnectTokenClaimMapperProvider.class);
    when(claimMapperProvider.getClaimMapper(any(OpenIdConnectTokenConfig.class))).thenReturn(claimMapper);

    // Per-request generation state; the time value is in seconds (presumably the auth_time claim).
    final long authTimeSeconds = System.currentTimeMillis() / 1000;
    final TokenGenerationServiceInvocationState invocationState = mock(TokenGenerationServiceInvocationState.class);
    when(invocationState.getOpenIdConnectTokenGenerationState())
            .thenReturn(buildOpenIdConnectTokenGenerationState(authTimeSeconds));

    final OpenIdConnectTokenGenerationImpl generator = new OpenIdConnectTokenGenerationImpl(
            identityResolver, new JwtBuilderFactory(), claimMapperProvider,
            mock(CTSTokenPersistence.class), mock(Logger.class));
    final String oidcToken = generator.generate(subjectSession, instanceState, invocationState);

    final SignedJwt signedJwt = reconstructSignedJwt(oidcToken);
    final JwtClaimsSet claims = signedJwt.getClaimsSet();
    assertEquals(SUBJECT_NAME, claims.getSubject());
    assertEquals(AUDIENCE, claims.getAudience().get(0));
    assertEquals(AUTHN_CLASS_REFERENCE, claims.getClaim("acr", String.class));
    assertEquals(ISSUER, claims.getIssuer());
    assertEquals(EMAIL_CLAIM_VALUE, claims.get(EMAIL_CLAIM_KEY).asString());
    // The HMAC signature must verify; the helper supplies the shared secret.
    assertTrue(verifyHMACSignature(signedJwt));
    // NOTE(review): time-based claims (exp/iat/auth_time) are not asserted here — consider pinning them.
}