Example 11 with AuthorizationGrant

Use of org.gluu.oxauth.model.common.AuthorizationGrant in project oxAuth by GluuFederation.

The class IntrospectionWebService, method getAuthorizationGrant.

/**
 * @return pair of the authorization grant and a flag: true if the caller used basic client
 *         authentication (client_id:client_secret), false if a bearer token or a basic grant
 *         identified the caller; EMPTY if the caller could not be authenticated
 * @throws UnsupportedEncodingException when encoding is not supported
 */
private Pair<AuthorizationGrant, Boolean> getAuthorizationGrant(String authorization, String accessToken) throws UnsupportedEncodingException {
    // 1. Bearer token in the Authorization header: the presented token itself must still be valid.
    AuthorizationGrant grant = tokenService.getBearerAuthorizationGrant(authorization);
    if (grant != null) {
        final String authorizationAccessToken = tokenService.getBearerToken(authorization);
        final AbstractToken accessTokenObject = grant.getAccessToken(authorizationAccessToken);
        if (accessTokenObject != null && accessTokenObject.isValid()) {
            return new Pair<>(grant, false);
        } else {
            // note: this error line records the presented token value in the log
            log.error("Access token is not valid: " + authorizationAccessToken);
            return EMPTY;
        }
    }
    // 2. Basic credentials that resolve directly to a grant.
    grant = tokenService.getBasicAuthorizationGrant(authorization);
    if (grant != null) {
        return new Pair<>(grant, false);
    }
    // 3. Basic client authentication: base64("client_id:client_secret"), each part URL-encoded.
    if (tokenService.isBasicAuthToken(authorization)) {
        String encodedCredentials = tokenService.getBasicToken(authorization);
        String token = new String(Base64.decodeBase64(encodedCredentials), StandardCharsets.UTF_8);
        int delim = token.indexOf(":");
        if (delim != -1) {
            String clientId = URLDecoder.decode(token.substring(0, delim), Util.UTF8_STRING_ENCODING);
            String password = URLDecoder.decode(token.substring(delim + 1), Util.UTF8_STRING_ENCODING);
            if (clientService.authenticate(clientId, password)) {
                grant = authorizationGrantList.getAuthorizationGrantByAccessToken(accessToken);
                // The token being introspected must belong to the authenticated client;
                // without this check one client could introspect another client's tokens.
                if (grant != null && !grant.getClientId().equals(clientId)) {
                    log.trace("Failed to match grant object clientId and client id provided during authentication.");
                    return EMPTY;
                }
                return new Pair<>(grant, true);
            } else {
                log.trace("Failed to perform basic authentication for client: " + clientId);
            }
        }
    }
    return EMPTY;
}
Also used: AbstractToken (org.gluu.oxauth.model.common.AbstractToken), AuthorizationGrant (org.gluu.oxauth.model.common.AuthorizationGrant), Pair (org.gluu.util.Pair)

Example 12 with AuthorizationGrant

Use of org.gluu.oxauth.model.common.AuthorizationGrant in project oxAuth by GluuFederation.

The class EndSessionRestWebServiceImpl, method getSsoClients.

private Set<Client> getSsoClients(Pair<SessionId, AuthorizationGrant> pair) {
    SessionId sessionId = pair.getFirst();
    AuthorizationGrant authorizationGrant = pair.getSecond();
    if (sessionId == null) {
        log.error("session_id is not passed to endpoint (as cookie or manually). Therefore unable to match clients for session_id.");
        return Sets.newHashSet();
    }
    // Every client that was granted permission within this SSO session takes part in logout ...
    final Set<Client> clients = sessionId.getPermissionGrantedMap() != null
            ? clientService.getClient(sessionId.getPermissionGrantedMap().getClientIds(true), true)
            : Sets.newHashSet();
    // ... plus the client that owns the id_token_hint grant, if one was supplied.
    if (authorizationGrant != null) {
        clients.add(authorizationGrant.getClient());
    }
    return clients;
}
Also used: Client (org.gluu.oxauth.model.registration.Client), SessionId (org.gluu.oxauth.model.common.SessionId), AuthorizationGrant (org.gluu.oxauth.model.common.AuthorizationGrant)

Example 13 with AuthorizationGrant

Use of org.gluu.oxauth.model.common.AuthorizationGrant in project oxAuth by GluuFederation.

The class EndSessionRestWebServiceImpl, method auditLogging.

private void auditLogging(HttpServletRequest request, Pair<SessionId, AuthorizationGrant> pair) {
    SessionId sessionId = pair.getFirst();
    AuthorizationGrant authorizationGrant = pair.getSecond();
    OAuth2AuditLog oAuth2AuditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(request), Action.SESSION_DESTROYED);
    oAuth2AuditLog.setSuccess(true);
    if (authorizationGrant != null) {
        // Prefer the grant behind the id_token_hint: it identifies client, scopes and user precisely.
        oAuth2AuditLog.setClientId(authorizationGrant.getClientId());
        oAuth2AuditLog.setScope(StringUtils.join(authorizationGrant.getScopes(), " "));
        oAuth2AuditLog.setUsername(authorizationGrant.getUserId());
    } else if (sessionId != null) {
        // Fall back to the session: all clients granted in it, the requested scope and the user DN.
        // Unlike getSsoClients, this branch assumes the permission-granted map is present.
        oAuth2AuditLog.setClientId(sessionId.getPermissionGrantedMap().getClientIds(true).toString());
        oAuth2AuditLog.setScope(sessionId.getSessionAttributes().get(AuthorizeRequestParam.SCOPE));
        oAuth2AuditLog.setUsername(sessionId.getUserDn());
    }
    applicationAuditLogger.sendMessage(oAuth2AuditLog);
}
Also used: OAuth2AuditLog (org.gluu.oxauth.model.audit.OAuth2AuditLog), SessionId (org.gluu.oxauth.model.common.SessionId), AuthorizationGrant (org.gluu.oxauth.model.common.AuthorizationGrant)

Example 14 with AuthorizationGrant

Use of org.gluu.oxauth.model.common.AuthorizationGrant in project oxAuth by GluuFederation.

The class EndSessionRestWebServiceImpl, method validateIdTokenHint.

private Jwt validateIdTokenHint(String idTokenHint, String postLogoutRedirectUri) {
    // When the deployment forces id_token_hint, a missing hint is an invalid request.
    if (appConfiguration.getForceIdTokenHintPrecense() && StringUtils.isBlank(idTokenHint)) {
        // must be present for logout tests #1279
        final String reason = "id_token_hint is not set";
        log.trace(reason);
        throw new WebApplicationException(createErrorResponse(postLogoutRedirectUri, EndSessionErrorResponseType.INVALID_REQUEST, reason));
    }
    // Resolve the hint to the grant that issued it; null means the hint is unknown or expired.
    final AuthorizationGrant tokenHintGrant = getTokenHintGrant(idTokenHint);
    if (appConfiguration.getForceIdTokenHintPrecense() && tokenHintGrant == null) {
        // must be present for logout tests #1279
        final String reason = "id_token_hint is not set";
        log.trace(reason);
        throw new WebApplicationException(createErrorResponse(postLogoutRedirectUri, EndSessionErrorResponseType.INVALID_REQUEST, reason));
    }
    // id_token_hint is not required but if it is present then we must validate it #831
    if (StringUtils.isNotBlank(idTokenHint)) {
        if (tokenHintGrant == null) {
            final String reason = "id_token_hint is not valid. Logout is rejected. id_token_hint can be skipped or otherwise valid value must be provided.";
            throw new WebApplicationException(createErrorResponse(postLogoutRedirectUri, EndSessionErrorResponseType.INVALID_GRANT_AND_SESSION, reason));
        }
        try {
            return Jwt.parse(idTokenHint);
        } catch (InvalidJwtException e) {
            log.error("Unable to parse id_token_hint as JWT.", e);
            throw new WebApplicationException(createErrorResponse(postLogoutRedirectUri, EndSessionErrorResponseType.INVALID_GRANT_AND_SESSION, "Unable to parse id_token_hint as JWT."));
        }
    }
    return null;
}
Also used: InvalidJwtException (org.gluu.oxauth.model.exception.InvalidJwtException), WebApplicationException (javax.ws.rs.WebApplicationException), AuthorizationGrant (org.gluu.oxauth.model.common.AuthorizationGrant)

Example 15 with AuthorizationGrant

Use of org.gluu.oxauth.model.common.AuthorizationGrant in project oxAuth by GluuFederation.

The class EndSessionRestWebServiceImpl, method requestEndSession.

@Override
public Response requestEndSession(String idTokenHint, String postLogoutRedirectUri, String state, String sessionId, String sid, HttpServletRequest httpRequest, HttpServletResponse httpResponse, SecurityContext sec) {
    try {
        log.debug("Attempting to end session, idTokenHint: {}, postLogoutRedirectUri: {}, sessionId: {}, sid: {}, Is Secure = {}", idTokenHint, postLogoutRedirectUri, sessionId, sid, sec.isSecure());
        if (StringUtils.isBlank(sid) && StringUtils.isNotBlank(sessionId)) {
            // backward compatibility. Will be removed in next major release.
            sid = sessionId;
        }
        // Validate the caller's inputs before touching any session state.
        Jwt idToken = validateIdTokenHint(idTokenHint, postLogoutRedirectUri);
        validateSidRequestParameter(sid, postLogoutRedirectUri);
        final Pair<SessionId, AuthorizationGrant> pair = getPair(idTokenHint, sid, httpRequest);
        if (pair.getFirst() == null) {
            final String reason = "Failed to identify session by session_id query parameter or by session_id cookie.";
            throw new WebApplicationException(createErrorResponse(postLogoutRedirectUri, EndSessionErrorResponseType.INVALID_GRANT_AND_SESSION, reason));
        }
        // post_logout_redirect_uri must be registered for a client involved in the session (open-redirect guard).
        postLogoutRedirectUri = validatePostLogoutRedirectUri(postLogoutRedirectUri, pair);
        validateSid(postLogoutRedirectUri, idToken, pair.getFirst());
        endSession(pair, httpRequest, httpResponse);
        auditLogging(httpRequest, pair);
        // Collect logout URIs of every client in the SSO session: back-channel takes precedence over front-channel.
        Set<Client> clients = getSsoClients(pair);
        Set<String> frontchannelUris = Sets.newHashSet();
        Map<String, Client> backchannelUris = Maps.newHashMap();
        for (Client client : clients) {
            boolean hasBackchannel = false;
            for (String logoutUri : client.getAttributes().getBackchannelLogoutUri()) {
                if (Util.isNullOrEmpty(logoutUri)) {
                    // skip if logout_uri is blank
                    continue;
                }
                backchannelUris.put(logoutUri, client);
                hasBackchannel = true;
            }
            if (hasBackchannel) {
                // client has backchannel_logout_uri
                continue;
            }
            for (String logoutUri : client.getFrontChannelLogoutUri()) {
                if (Util.isNullOrEmpty(logoutUri)) {
                    // skip if logout_uri is blank
                    continue;
                }
                if (client.getFrontChannelLogoutSessionRequired()) {
                    logoutUri = EndSessionUtils.appendSid(logoutUri, pair.getFirst().getOutsideSid(), appConfiguration.getIssuer());
                }
                frontchannelUris.add(logoutUri);
            }
        }
        backChannel(backchannelUris, pair.getSecond(), pair.getFirst());
        if (frontchannelUris.isEmpty() && StringUtils.isNotBlank(postLogoutRedirectUri)) {
            // no front-channel
            log.trace("No frontchannel_redirect_uri's found in clients involved in SSO.");
            try {
                log.trace("Redirect to postlogout_redirect_uri: " + postLogoutRedirectUri);
                return Response.status(Response.Status.FOUND).location(new URI(postLogoutRedirectUri)).build();
            } catch (URISyntaxException e) {
                final String message = "Failed to create URI for " + postLogoutRedirectUri + " postlogout_redirect_uri.";
                log.error(message);
                return Response.status(Response.Status.BAD_REQUEST).entity(errorResponseFactory.errorAsJson(EndSessionErrorResponseType.INVALID_REQUEST, message)).build();
            }
        }
        return httpBased(frontchannelUris, postLogoutRedirectUri, state, pair, httpRequest);
    } catch (WebApplicationException e) {
        if (e.getResponse() != null) {
            return e.getResponse();
        }
        throw e;
    } catch (Exception e) {
        log.error(e.getMessage(), e);
        throw new WebApplicationException(Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(errorResponseFactory.getJsonErrorResponse(GluuErrorResponseType.SERVER_ERROR)).build());
    }
}
Also used: WebApplicationException (javax.ws.rs.WebApplicationException), Jwt (org.gluu.oxauth.model.jwt.Jwt), URISyntaxException (java.net.URISyntaxException), URI (java.net.URI), InvalidJwtException (org.gluu.oxauth.model.exception.InvalidJwtException), Client (org.gluu.oxauth.model.registration.Client), SessionId (org.gluu.oxauth.model.common.SessionId), AuthorizationGrant (org.gluu.oxauth.model.common.AuthorizationGrant)

Aggregations (type, number of usages)

AuthorizationGrant (org.gluu.oxauth.model.common.AuthorizationGrant): 20
IOException (java.io.IOException): 6
WebApplicationException (javax.ws.rs.WebApplicationException): 5
AbstractToken (org.gluu.oxauth.model.common.AbstractToken): 5
SessionId (org.gluu.oxauth.model.common.SessionId): 4
Response (javax.ws.rs.core.Response): 3
OAuth2AuditLog (org.gluu.oxauth.model.audit.OAuth2AuditLog): 3
InvalidJwtException (org.gluu.oxauth.model.exception.InvalidJwtException): 3
Client (org.gluu.oxauth.model.registration.Client): 3
URISyntaxException (java.net.URISyntaxException): 2
HttpServletResponse (javax.servlet.http.HttpServletResponse): 2
Pair (org.gluu.util.Pair): 2
UnsupportedEncodingException (java.io.UnsupportedEncodingException): 1
URI (java.net.URI): 1
ResponseBuilder (javax.ws.rs.core.Response.ResponseBuilder): 1
CustomScriptConfiguration (org.gluu.model.custom.script.conf.CustomScriptConfiguration): 1
AccessToken (org.gluu.oxauth.model.common.AccessToken): 1
IntrospectionResponse (org.gluu.oxauth.model.common.IntrospectionResponse): 1
TokenTypeHint (org.gluu.oxauth.model.common.TokenTypeHint): 1
User (org.gluu.oxauth.model.common.User): 1