Example 1 with AuthenticationMethod
use of org.gluu.oxauth.model.common.AuthenticationMethod in project oxAuth by GluuFederation.
the class ClientAssertion method load.
private boolean load(AppConfiguration appConfiguration, AbstractCryptoProvider cryptoProvider, String clientId, ClientAssertionType clientAssertionType, String encodedAssertion) throws Exception {
boolean result;
if (clientAssertionType == ClientAssertionType.JWT_BEARER) {
if (StringUtils.isNotBlank(encodedAssertion)) {
jwt = Jwt.parse(encodedAssertion);
// TODO: Store jti this value to check for duplicates
// Validate clientId
String issuer = jwt.getClaims().getClaimAsString(JwtClaimName.ISSUER);
String subject = jwt.getClaims().getClaimAsString(JwtClaimName.SUBJECT_IDENTIFIER);
List<String> audience = jwt.getClaims().getClaimAsStringList(JwtClaimName.AUDIENCE);
Date expirationTime = jwt.getClaims().getClaimAsDate(JwtClaimName.EXPIRATION_TIME);
// SignatureAlgorithm algorithm = SignatureAlgorithm.fromName(jwt.getHeader().getClaimAsString(JwtHeaderName.ALGORITHM));
if ((clientId == null && StringUtils.isNotBlank(issuer) && StringUtils.isNotBlank(subject) && issuer.equals(subject)) || (StringUtils.isNotBlank(clientId) && StringUtils.isNotBlank(issuer) && StringUtils.isNotBlank(subject) && clientId.equals(issuer) && issuer.equals(subject))) {
// Validate audience
String tokenUrl = appConfiguration.getTokenEndpoint();
String cibaAuthUrl = appConfiguration.getBackchannelAuthenticationEndpoint();
if (audience != null && (audience.contains(appConfiguration.getIssuer()) || audience.contains(tokenUrl) || audience.contains(cibaAuthUrl))) {
// Validate expiration
if (expirationTime.after(new Date())) {
ClientService clientService = CdiUtil.bean(ClientService.class);
Client client = clientService.getClient(subject);
// Validate client
if (client != null) {
JwtType jwtType = JwtType.fromString(jwt.getHeader().getClaimAsString(JwtHeaderName.TYPE));
AuthenticationMethod authenticationMethod = client.getAuthenticationMethod();
SignatureAlgorithm signatureAlgorithm = jwt.getHeader().getSignatureAlgorithm();
if (jwtType == null && signatureAlgorithm != null) {
jwtType = signatureAlgorithm.getJwtType();
}
if (jwtType != null && signatureAlgorithm != null && signatureAlgorithm.getFamily() != null && ((authenticationMethod == AuthenticationMethod.CLIENT_SECRET_JWT && AlgorithmFamily.HMAC.equals(signatureAlgorithm.getFamily())) || (authenticationMethod == AuthenticationMethod.PRIVATE_KEY_JWT && (AlgorithmFamily.RSA.equals(signatureAlgorithm.getFamily()) || AlgorithmFamily.EC.equals(signatureAlgorithm.getFamily()))))) {
if (client.getTokenEndpointAuthSigningAlg() == null || SignatureAlgorithm.fromString(client.getTokenEndpointAuthSigningAlg()).equals(signatureAlgorithm)) {
clientSecret = clientService.decryptSecret(client.getClientSecret());
// Validate the crypto segment
String keyId = jwt.getHeader().getKeyId();
JSONObject jwks = Strings.isNullOrEmpty(client.getJwks()) ? JwtUtil.getJSONWebKeys(client.getJwksUri()) : new JSONObject(client.getJwks());
String sharedSecret = clientService.decryptSecret(client.getClientSecret());
boolean validSignature = cryptoProvider.verifySignature(jwt.getSigningInput(), jwt.getEncodedSignature(), keyId, jwks, sharedSecret, signatureAlgorithm);
if (validSignature) {
result = true;
} else {
throw new InvalidJwtException("Invalid cryptographic segment");
}
} else {
throw new InvalidJwtException("Invalid signing algorithm");
}
} else {
throw new InvalidJwtException("Invalid authentication method");
}
} else {
throw new InvalidJwtException("Invalid client");
}
} else {
throw new InvalidJwtException("JWT has expired");
}
} else {
throw new InvalidJwtException("Invalid audience: " + audience);
}
} else {
throw new InvalidJwtException("Invalid clientId");
}
} else {
throw new InvalidJwtException("The Client Assertion is null or empty");
}
} else {
throw new InvalidJwtException("Invalid Client Assertion Type");
}
return result;
}
Also used :
InvalidJwtException(org.gluu.oxauth.model.exception.InvalidJwtException)
JSONObject(org.json.JSONObject)
ClientService(org.gluu.oxauth.service.ClientService)
JwtType(org.gluu.oxauth.model.jwt.JwtType)
SignatureAlgorithm(org.gluu.oxauth.model.crypto.signature.SignatureAlgorithm)
AuthenticationMethod(org.gluu.oxauth.model.common.AuthenticationMethod)
Client(org.gluu.oxauth.model.registration.Client)
Date(java.util.Date)
Example 2 with AuthenticationMethod
use of org.gluu.oxauth.model.common.AuthenticationMethod in project oxAuth by GluuFederation.
the class RevokeSessionHttpTest method revokeSession.
@Parameters({ "redirectUris", "userId", "userSecret", "redirectUri", "sectorIdentifierUri", "umaPatClientId", "umaPatClientSecret" })
@Test
public void revokeSession(final String redirectUris, final String userId, final String userSecret, final String redirectUri, final String sectorIdentifierUri, String umaPatClientId, String umaPatClientSecret) throws Exception {
showTitle("revokeSession");
final AuthenticationMethod authnMethod = AuthenticationMethod.CLIENT_SECRET_BASIC;
// 1. Register client
List<ResponseType> responseTypes = Arrays.asList(ResponseType.CODE, ResponseType.ID_TOKEN);
RegisterRequest registerRequest = new RegisterRequest(ApplicationType.WEB, "oxAuth test app", StringUtils.spaceSeparatedToList(redirectUris));
registerRequest.setTokenEndpointAuthMethod(authnMethod);
registerRequest.setSectorIdentifierUri(sectorIdentifierUri);
registerRequest.setResponseTypes(responseTypes);
RegisterClient registerClient = newRegisterClient(registerRequest);
RegisterResponse registerResponse = registerClient.exec();
showClient(registerClient);
assertOk(registerResponse);
assertNotNull(registerResponse.getRegistrationAccessToken());
// 3. Request authorization
List<String> scopes = Arrays.asList("openid", "profile", "address", "email");
String state = UUID.randomUUID().toString();
String nonce = UUID.randomUUID().toString();
AuthorizationRequest authorizationRequest = new AuthorizationRequest(responseTypes, registerResponse.getClientId(), scopes, redirectUri, nonce);
authorizationRequest.setState(state);
AuthorizationResponse authorizationResponse = authenticateResourceOwnerAndGrantAccess(authorizationEndpoint, authorizationRequest, userId, userSecret);
assertNotNull(authorizationResponse.getLocation(), "The location is null");
assertNotNull(authorizationResponse.getCode(), "The authorization code is null");
assertNotNull(authorizationResponse.getIdToken(), "The ID Token is null");
assertNotNull(authorizationResponse.getState(), "The state is null");
assertNotNull(authorizationResponse.getScope(), "The scope is null");
RevokeSessionRequest revokeSessionRequest = new RevokeSessionRequest("uid", "test");
revokeSessionRequest.setAuthenticationMethod(authnMethod);
// it must be client with revoke_session scope
revokeSessionRequest.setAuthUsername(umaPatClientId);
revokeSessionRequest.setAuthPassword(umaPatClientSecret);
RevokeSessionClient revokeSessionClient = newRevokeSessionClient(revokeSessionRequest);
final RevokeSessionResponse revokeSessionResponse = revokeSessionClient.exec();
showClient(revokeSessionClient);
assertEquals(revokeSessionResponse.getStatus(), 200);
}
Also used :
RegisterRequest(org.gluu.oxauth.client.RegisterRequest)
AuthorizationRequest(org.gluu.oxauth.client.AuthorizationRequest)
RevokeSessionRequest(org.gluu.oxauth.client.RevokeSessionRequest)
AuthenticationMethod(org.gluu.oxauth.model.common.AuthenticationMethod)
RevokeSessionResponse(org.gluu.oxauth.client.RevokeSessionResponse)
ResponseType(org.gluu.oxauth.model.common.ResponseType)
AuthorizationResponse(org.gluu.oxauth.client.AuthorizationResponse)
RegisterResponse(org.gluu.oxauth.client.RegisterResponse)
RegisterClient(org.gluu.oxauth.client.RegisterClient)
RevokeSessionClient(org.gluu.oxauth.client.RevokeSessionClient)
Parameters(org.testng.annotations.Parameters)
BaseTest(org.gluu.oxauth.BaseTest)
Test(org.testng.annotations.Test)
Aggregations
AuthenticationMethod (org.gluu.oxauth.model.common.AuthenticationMethod)2
Date (java.util.Date)1
BaseTest (org.gluu.oxauth.BaseTest)1
AuthorizationRequest (org.gluu.oxauth.client.AuthorizationRequest)1
AuthorizationResponse (org.gluu.oxauth.client.AuthorizationResponse)1
RegisterClient (org.gluu.oxauth.client.RegisterClient)1
RegisterRequest (org.gluu.oxauth.client.RegisterRequest)1
RegisterResponse (org.gluu.oxauth.client.RegisterResponse)1
RevokeSessionClient (org.gluu.oxauth.client.RevokeSessionClient)1
RevokeSessionRequest (org.gluu.oxauth.client.RevokeSessionRequest)1
RevokeSessionResponse (org.gluu.oxauth.client.RevokeSessionResponse)1
ResponseType (org.gluu.oxauth.model.common.ResponseType)1
SignatureAlgorithm (org.gluu.oxauth.model.crypto.signature.SignatureAlgorithm)1
InvalidJwtException (org.gluu.oxauth.model.exception.InvalidJwtException)1
JwtType (org.gluu.oxauth.model.jwt.JwtType)1
Client (org.gluu.oxauth.model.registration.Client)1
ClientService (org.gluu.oxauth.service.ClientService)1
JSONObject (org.json.JSONObject)1
Parameters (org.testng.annotations.Parameters)1
Test (org.testng.annotations.Test)1
