
Example 1 with Prompt

use of org.gluu.oxauth.model.common.Prompt in project oxAuth by GluuFederation.

the class AuthorizeAction method checkPermissionGranted.

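/**
 * Entry point of the authorization page: decides whether the current request may
 * proceed to grant / consent, or must first be sent to the login page.
 *
 * Order of checks as implemented below:
 *  1. client_id must be present and resolve to a registered client;
 *  2. the requested scopes are reduced to what the client's scope policy allows;
 *  3. redirect_uri is validated against the client registration;
 *  4. an existing session is checked against the requested acr_values;
 *  5. without an authenticated session, an unauthenticated session is created and
 *     the user is redirected to the (possibly script-provided) login page;
 *  6. with an authenticated session, redirect_uri is re-validated, prompt values are
 *     honoured, and consent is either skipped (trusted client, pairwise + openid-only,
 *     or a previously stored authorization) or gathered.
 *
 * Every rejection path calls {@link #permissionDenied()} (or writes an error response)
 * and returns; nothing after a rejection may reach permissionGranted().
 *
 * @throws IOException if writing the JSON error response fails
 */
public void checkPermissionGranted() throws IOException {
    if ((clientId == null) || clientId.isEmpty()) {
        log.debug("Permission denied. client_id should be not empty.");
        permissionDenied();
        return;
    }
    Client client = null;
    try {
        client = clientService.getClient(clientId);
    } catch (EntryPersistenceException ex) {
        log.debug("Permission denied. Failed to find client by inum '{}' in LDAP.", clientId, ex);
        permissionDenied();
        return;
    }
    if (client == null) {
        log.debug("Permission denied. Failed to find client_id '{}' in LDAP.", clientId);
        permissionDenied();
        return;
    }
    // Reduce the requested scopes to those the client's scope policy allows; the
    // authorization page lists only these. oxAuth #739
    Set<String> grantedScopes = scopeChecker.checkScopesPolicy(client, scope);
    allowedScope = org.gluu.oxauth.model.util.StringUtils.implode(grantedScopes, " ");
    SessionId session = getSession();
    List<Prompt> prompts = Prompt.fromString(prompt, " ");
    // Validate redirect_uri against the client registration before anything is persisted
    // or redirected to. The device-flow user_code stored on the session (if any) is handed
    // to the validator as well.
    try {
        redirectUri = authorizeRestWebServiceValidator.validateRedirectUri(client, redirectUri, state, session != null ? session.getSessionAttributes().get(SESSION_USER_CODE) : null, (HttpServletRequest) externalContext.getRequest());
    } catch (WebApplicationException e) {
        log.error(e.getMessage(), e);
        permissionDenied();
        return;
    }
    // An existing session must match the requested acr_values; an ACR change either forces
    // re-authentication (when the exception says so) or is rejected outright.
    try {
        session = sessionIdService.assertAuthenticatedSessionCorrespondsToNewRequest(session, acrValues);
    } catch (AcrChangedException e) {
        // session may be null at this point, so guard the log argument
        log.debug("There is already existing session which has another acr then {}, session: {}", acrValues, session != null ? session.getId() : null);
        if (e.isForceReAuthentication()) {
            session = handleAcrChange(session, prompts);
        } else {
            log.error("ACR is changed, please provide a supported and enabled acr value");
            permissionDenied();
            return;
        }
    }
    if (session == null || StringUtils.isBlank(session.getUserDn()) || SessionIdState.AUTHENTICATED != session.getState()) {
        // No authenticated session: build an unauthenticated session carrying only the
        // allowed request parameters and send the user to the login page.
        Map<String, String> parameterMap = externalContext.getRequestParameterMap();
        Map<String, String> requestParameterMap = requestParameterService.getAllowedParameters(parameterMap);
        String redirectTo = "/login.xhtml";
        boolean useExternalAuthenticator = externalAuthenticationService.isEnabled(AuthenticationScriptUsageType.INTERACTIVE);
        if (useExternalAuthenticator) {
            // Pick the interactive authentication script for the requested acr_values
            // (falling back to the default authentication mode) and let it choose the
            // page for step 1.
            List<String> acrValuesList = sessionIdService.acrValuesList(this.acrValues);
            if (acrValuesList.isEmpty()) {
                acrValuesList = Arrays.asList(defaultAuthenticationMode.getName());
            }
            CustomScriptConfiguration customScriptConfiguration = externalAuthenticationService.determineCustomScriptConfiguration(AuthenticationScriptUsageType.INTERACTIVE, acrValuesList);
            if (customScriptConfiguration == null) {
                log.error("Failed to get CustomScriptConfiguration. auth_step: {}, acr_values: {}", 1, this.acrValues);
                permissionDenied();
                return;
            }
            String acr = customScriptConfiguration.getName();
            requestParameterMap.put(JwtClaimName.AUTHENTICATION_CONTEXT_CLASS_REFERENCE, acr);
            requestParameterMap.put("auth_step", Integer.toString(1));
            String tmpRedirectTo = externalAuthenticationService.executeExternalGetPageForStep(customScriptConfiguration, 1);
            if (StringHelper.isNotEmpty(tmpRedirectTo)) {
                log.trace("Redirect to person authentication login page: {}", tmpRedirectTo);
                redirectTo = tmpRedirectTo;
            }
        }
        // Store Remote IP
        requestParameterMap.put(Constants.REMOTE_IP, getRemoteIp());
        // User Code used in Device Authz flow
        if (session != null && session.getSessionAttributes().containsKey(SESSION_USER_CODE)) {
            String userCode = session.getSessionAttributes().get(SESSION_USER_CODE);
            requestParameterMap.put(SESSION_USER_CODE, userCode);
        }
        // Create unauthenticated session
        SessionId unauthenticatedSession = sessionIdService.generateUnauthenticatedSessionId(null, new Date(), SessionIdState.UNAUTHENTICATED, requestParameterMap, false);
        unauthenticatedSession.setSessionAttributes(requestParameterMap);
        unauthenticatedSession.addPermission(clientId, false);
        // Copy ACR script parameters
        if (appConfiguration.getKeepAuthenticatorAttributesOnAcrChange()) {
            authenticationService.copyAuthenticatorExternalAttributes(session, unauthenticatedSession);
        }
        // #1030, fix for flow 4 - transfer previous session permissions to new session
        if (session != null && session.getPermissionGrantedMap() != null && session.getPermissionGrantedMap().getPermissionGranted() != null) {
            for (Map.Entry<String, Boolean> entity : session.getPermissionGrantedMap().getPermissionGranted().entrySet()) {
                unauthenticatedSession.addPermission(entity.getKey(), entity.getValue());
            }
            // #1030, remove previous session
            sessionIdService.remove(session);
        }
        // Always persist if prompt is not none
        boolean persisted = sessionIdService.persistSessionId(unauthenticatedSession, !prompts.contains(Prompt.NONE));
        if (persisted && log.isTraceEnabled()) {
            log.trace("Session '{}' persisted to LDAP", unauthenticatedSession.getId());
        }
        this.sessionId = unauthenticatedSession.getId();
        cookieService.createSessionIdCookie(unauthenticatedSession, false);
        cookieService.creatRpOriginIdCookie(redirectUri);
        identity.setSessionId(unauthenticatedSession);
        Map<String, Object> loginParameters = new HashMap<String, Object>();
        if (requestParameterMap.containsKey(AuthorizeRequestParam.LOGIN_HINT)) {
            loginParameters.put(AuthorizeRequestParam.LOGIN_HINT, requestParameterMap.get(AuthorizeRequestParam.LOGIN_HINT));
        }
        // Unless "gluu.enable-redirect" is set, an .xhtml login page is rendered in-place
        // instead of issuing an HTTP redirect; postlogin.xhtml short-circuits straight into
        // the authenticator outcome handling.
        boolean enableRedirect = StringHelper.toBoolean(System.getProperty("gluu.enable-redirect", "false"), false);
        if (!enableRedirect && redirectTo.toLowerCase().endsWith("xhtml")) {
            if (redirectTo.toLowerCase().endsWith("postlogin.xhtml")) {
                authenticator.authenticateWithOutcome();
            } else {
                authenticator.prepareAuthenticationForStep(unauthenticatedSession);
                facesService.renderView(redirectTo);
            }
        } else {
            facesService.redirectWithExternal(redirectTo, loginParameters);
        }
        return;
    }
    // Authenticated session from here on. Re-validate redirect_uri unless a device-flow
    // user_code is present (the device flow has no redirect_uri to check).
    String userCode = session.getSessionAttributes().get(SESSION_USER_CODE);
    if (StringUtils.isBlank(userCode) && StringUtils.isBlank(redirectionUriService.validateRedirectionUri(clientId, redirectUri))) {
        ExternalContext responseContext = facesContext.getExternalContext();
        responseContext.setResponseStatus(HttpServletResponse.SC_BAD_REQUEST);
        responseContext.setResponseContentType(MediaType.APPLICATION_JSON);
        responseContext.getResponseOutputWriter().write(errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.INVALID_REQUEST_REDIRECT_URI, state, ""));
        facesContext.responseComplete();
        // Stop here: the request has been rejected. Without this return the method fell
        // through to the consent checks below and could still call permissionGranted(session)
        // for a redirect_uri that just failed validation.
        return;
    }
    if (log.isTraceEnabled()) {
        log.trace("checkPermissionGranted, userDn = " + session.getUserDn());
    }
    if (prompts.contains(Prompt.SELECT_ACCOUNT)) {
        Map requestParameterMap = requestParameterService.getAllowedParameters(externalContext.getRequestParameterMap());
        facesService.redirect("/selectAccount.xhtml", requestParameterMap);
        return;
    }
    // prompt=none must not be combined with any other prompt value
    if (prompts.contains(Prompt.NONE) && prompts.size() > 1) {
        invalidRequest();
        return;
    }
    ExternalPostAuthnContext postAuthnContext = new ExternalPostAuthnContext(client, session, (HttpServletRequest) externalContext.getRequest(), (HttpServletResponse) externalContext.getResponse());
    final boolean forceAuthorization = externalPostAuthnService.externalForceAuthorization(client, postAuthnContext);
    final boolean hasConsentPrompt = prompts.contains(Prompt.CONSENT);
    if (!hasConsentPrompt && !forceAuthorization) {
        if (appConfiguration.getTrustedClientEnabled() && client.getTrustedClient()) {
            // if trusted client = true, then skip authorization page and grant access directly
            permissionGranted(session);
            return;
        } else if (ServerUtil.isTrue(appConfiguration.getSkipAuthorizationForOpenIdScopeAndPairwiseId()) && SubjectType.PAIRWISE.toString().equals(client.getSubjectType()) && hasOnlyOpenidScope()) {
            // If a client has only openid scope and pairwise id, person should not have to authorize. oxAuth-743
            permissionGranted(session);
            return;
        }
        final User user = sessionIdService.getUser(session);
        if (user == null) {
            // Defensive: the session is AUTHENTICATED with a non-blank userDn, so the user is
            // expected to resolve; deny rather than NPE on user.getAttribute() if it does not.
            log.error("Permission denied. Unable to resolve user for session '{}'", session.getId());
            permissionDenied();
            return;
        }
        // A previously stored authorization covering every requested scope lets the user
        // skip the consent page.
        ClientAuthorization clientAuthorization = clientAuthorizationsService.find(user.getAttribute("inum"), client.getClientId());
        if (clientAuthorization != null && clientAuthorization.getScopes() != null && Arrays.asList(clientAuthorization.getScopes()).containsAll(org.gluu.oxauth.model.util.StringUtils.spaceSeparatedToList(scope))) {
            permissionGranted(session);
            return;
        }
    }
    if (externalConsentGatheringService.isEnabled()) {
        if (consentGatherer.isConsentGathered()) {
            log.trace("Consent-gathered flow passed successfully");
            permissionGranted(session);
            return;
        }
        log.trace("Starting external consent-gathering flow");
        boolean result = consentGatherer.configure(session.getUserDn(), clientId, state);
        if (!result) {
            log.error("Failed to initialize external consent-gathering flow.");
            permissionDenied();
            return;
        }
    }
}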
Also used : User(org.gluu.oxauth.model.common.User) WebApplicationException(javax.ws.rs.WebApplicationException) HashMap(java.util.HashMap) EntryPersistenceException(org.gluu.persist.exception.EntryPersistenceException) HttpServletRequest(javax.servlet.http.HttpServletRequest) AcrChangedException(org.gluu.oxauth.model.exception.AcrChangedException) ExternalContext(javax.faces.context.ExternalContext) Client(org.gluu.oxauth.model.registration.Client) SessionId(org.gluu.oxauth.model.common.SessionId) ClientAuthorization(org.gluu.oxauth.model.ldap.ClientAuthorization) ExternalPostAuthnContext(org.gluu.oxauth.service.external.context.ExternalPostAuthnContext) Date(java.util.Date) Prompt(org.gluu.oxauth.model.common.Prompt) CustomScriptConfiguration(org.gluu.model.custom.script.conf.CustomScriptConfiguration) Map(java.util.Map) HashMap(java.util.HashMap)

Example 2 with Prompt

use of org.gluu.oxauth.model.common.Prompt in project oxAuth by GluuFederation.

the class MTLSService method authenticatedSuccessfully.

/**
 * Post-mTLS-authentication hook: binds the authenticated client to the current session
 * and, unless the request carries prompt=login, re-uses an already authenticated session
 * found on the request.
 *
 * @param client      the client whose certificate was just verified
 * @param httpRequest the current request; the prompt parameter and the session id are read from it
 */
private void authenticatedSuccessfully(Client client, HttpServletRequest httpRequest) {
    authenticator.configureSessionClient(client);
    String promptParam = httpRequest.getParameter(AuthorizeRequestParam.PROMPT);
    List<Prompt> requestedPrompts = Prompt.fromString(promptParam, " ");
    boolean loginForced = requestedPrompts.contains(Prompt.LOGIN);
    if (loginForced) {
        // prompt=login demands fresh authentication: never reuse a session here
        return;
    }
    SessionId existingSession = sessionIdService.getSessionId(httpRequest);
    boolean hasAuthenticatedSession = existingSession != null && existingSession.getState() == SessionIdState.AUTHENTICATED;
    if (hasAuthenticatedSession) {
        authenticator.authenticateBySessionId(existingSession);
    }
}
Also used : Prompt(org.gluu.oxauth.model.common.Prompt) SessionId(org.gluu.oxauth.model.common.SessionId)

Example 3 with Prompt

use of org.gluu.oxauth.model.common.Prompt in project oxAuth by GluuFederation.

the class JwtAuthorizationRequest method loadPayload.

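/**
 * Populates this request from the decoded JWT payload (the JSON claims of a request
 * object, including the CIBA members).
 *
 * response_type, scope and prompt may be sent either as a JSON array or as a
 * space-separated string; aud may be a string or an array. Both forms are accepted.
 * Members that are absent are left untouched. This method only parses: no validation of
 * the values (exp/nbf/iat, redirect_uri, aud) happens here.
 *
 * @param payload the raw JSON text of the JWT payload
 * @throws JSONException if the payload is not valid JSON or a member has an unexpected
 *                       type (including a non-numeric requested_expiry)
 * @throws UnsupportedEncodingException if UTF-8 is unsupported (cannot happen on a
 *                                      conforming JVM; kept for signature compatibility)
 */
private void loadPayload(String payload) throws JSONException, UnsupportedEncodingException {
    this.payload = payload;
    JSONObject jsonPayload = new JSONObject(payload);
    if (jsonPayload.has("response_type")) {
        JSONArray responseTypeJsonArray = jsonPayload.optJSONArray("response_type");
        if (responseTypeJsonArray != null) {
            for (int i = 0; i < responseTypeJsonArray.length(); i++) {
                ResponseType responseType = ResponseType.fromString(responseTypeJsonArray.getString(i));
                responseTypes.add(responseType);
            }
        } else {
            responseTypes.addAll(ResponseType.fromString(jsonPayload.getString("response_type"), " "));
        }
    }
    if (jsonPayload.has("aud")) {
        // aud: accept a single string and/or an array. NOTE(review): depending on the org.json
        // version, optString on an array value may return the array's text form as well, so
        // both branches can add entries -- confirm against the library in use.
        final String audStr = jsonPayload.optString("aud");
        if (StringUtils.isNotBlank(audStr)) {
            this.aud.add(audStr);
        }
        final JSONArray audArray = jsonPayload.optJSONArray("aud");
        if (audArray != null && audArray.length() > 0) {
            this.aud.addAll(Util.asList(audArray));
        }
    }
    clientId = jsonPayload.optString("client_id", null);
    if (jsonPayload.has("scope")) {
        JSONArray scopesJsonArray = jsonPayload.optJSONArray("scope");
        if (scopesJsonArray != null) {
            for (int i = 0; i < scopesJsonArray.length(); i++) {
                String scope = scopesJsonArray.getString(i);
                scopes.add(scope);
            }
        } else {
            String scopeStringList = jsonPayload.getString("scope");
            scopes.addAll(Util.splittedStringAsList(scopeStringList, " "));
        }
    }
    if (jsonPayload.has("redirect_uri")) {
        // redirect_uri is stored URL-encoded by payloadToJSONObject, so decode it here
        redirectUri = URLDecoder.decode(jsonPayload.getString("redirect_uri"), "UTF-8");
    }
    nonce = jsonPayload.optString("nonce", null);
    state = jsonPayload.optString("state", null);
    if (jsonPayload.has("display")) {
        display = Display.fromString(jsonPayload.getString("display"));
    }
    if (jsonPayload.has("prompt")) {
        JSONArray promptJsonArray = jsonPayload.optJSONArray("prompt");
        if (promptJsonArray != null) {
            for (int i = 0; i < promptJsonArray.length(); i++) {
                Prompt prompt = Prompt.fromString(promptJsonArray.getString(i));
                prompts.add(prompt);
            }
        } else {
            prompts.addAll(Prompt.fromString(jsonPayload.getString("prompt"), " "));
        }
    }
    if (jsonPayload.has("claims")) {
        JSONObject claimsJsonObject = jsonPayload.getJSONObject("claims");
        if (claimsJsonObject.has("userinfo")) {
            userInfoMember = new UserInfoMember(claimsJsonObject.getJSONObject("userinfo"));
        }
        if (claimsJsonObject.has("id_token")) {
            idTokenMember = new IdTokenMember(claimsJsonObject.getJSONObject("id_token"));
        }
    }
    // Standard JWT claims. exp was previously parsed twice (once near the top, once
    // here); a single read is enough.
    iss = jsonPayload.optString("iss", null);
    if (jsonPayload.has("exp")) {
        exp = jsonPayload.getInt("exp");
    }
    if (jsonPayload.has("iat")) {
        iat = jsonPayload.getInt("iat");
    }
    if (jsonPayload.has("nbf")) {
        nbf = jsonPayload.getInt("nbf");
    }
    jti = jsonPayload.optString("jti", null);
    // CIBA members
    clientNotificationToken = jsonPayload.optString("client_notification_token", null);
    acrValues = jsonPayload.optString("acr_values", null);
    loginHintToken = jsonPayload.optString("login_hint_token", null);
    idTokenHint = jsonPayload.optString("id_token_hint", null);
    loginHint = jsonPayload.optString("login_hint", null);
    bindingMessage = jsonPayload.optString("binding_message", null);
    userCode = jsonPayload.optString("user_code", null);
    if (jsonPayload.has("requested_expiry")) {
        // requested_expiry is the one member that may arrive as a Number or as a String.
        Object rawRequestedExpiry = jsonPayload.get("requested_expiry");
        if (rawRequestedExpiry instanceof Number) {
            requestedExpiry = jsonPayload.getInt("requested_expiry");
        } else {
            try {
                requestedExpiry = Integer.parseInt(jsonPayload.getString("requested_expiry"));
            } catch (NumberFormatException e) {
                // Report a malformed value like any other bad member instead of leaking an
                // undeclared NumberFormatException to the caller.
                throw new JSONException("requested_expiry is not an integer: " + rawRequestedExpiry);
            }
        }
    }
}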
Also used : JSONObject(org.json.JSONObject) JSONArray(org.json.JSONArray) Prompt(org.gluu.oxauth.model.common.Prompt) ResponseType(org.gluu.oxauth.model.common.ResponseType)

Example 4 with Prompt

use of org.gluu.oxauth.model.common.Prompt in project oxAuth by GluuFederation.

the class JwtAuthorizationRequest method payloadToJSONObject.

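/**
 * Serializes this request's members back into the JSON form used as a JWT payload.
 * This is the inverse of loadPayload: members are written under the same names,
 * single-valued response_type / scope as a plain string and multi-valued ones as
 * arrays, and absent or blank members are omitted.
 *
 * @return the JSON object holding every populated member
 * @throws JSONException if a value cannot be stored in the JSON object
 * @throws IllegalStateException if the JVM does not support UTF-8 (never expected)
 */
protected JSONObject payloadToJSONObject() throws JSONException {
    JSONObject obj = new JSONObject();
    try {
        if (responseTypes != null && !responseTypes.isEmpty()) {
            if (responseTypes.size() == 1) {
                ResponseType responseType = responseTypes.get(0);
                obj.put("response_type", responseType);
            } else {
                JSONArray responseTypeJsonArray = new JSONArray();
                for (ResponseType responseType : responseTypes) {
                    responseTypeJsonArray.put(responseType);
                }
                obj.put("response_type", responseTypeJsonArray);
            }
        }
        if (StringUtils.isNotBlank(clientId)) {
            obj.put("client_id", clientId);
        }
        if (scopes != null && !scopes.isEmpty()) {
            if (scopes.size() == 1) {
                String scope = scopes.get(0);
                obj.put("scope", scope);
            } else {
                JSONArray scopeJsonArray = new JSONArray();
                for (String scope : scopes) {
                    scopeJsonArray.put(scope);
                }
                obj.put("scope", scopeJsonArray);
            }
        }
        if (StringUtils.isNotBlank(redirectUri)) {
            // stored URL-encoded; loadPayload decodes it
            obj.put("redirect_uri", URLEncoder.encode(redirectUri, "UTF-8"));
        }
        if (StringUtils.isNotBlank(state)) {
            obj.put("state", state);
        }
        if (StringUtils.isNotBlank(nonce)) {
            obj.put("nonce", nonce);
        }
        if (display != null) {
            obj.put("display", display);
        }
        if (prompts != null && !prompts.isEmpty()) {
            JSONArray promptJsonArray = new JSONArray();
            for (Prompt prompt : prompts) {
                promptJsonArray.put(prompt);
            }
            obj.put("prompt", promptJsonArray);
        }
        if (maxAge != null) {
            obj.put("max_age", maxAge);
        }
        if (uiLocales != null && !uiLocales.isEmpty()) {
            JSONArray uiLocalesJsonArray = new JSONArray(uiLocales);
            obj.put("ui_locales", uiLocalesJsonArray);
        }
        if (claimsLocales != null && !claimsLocales.isEmpty()) {
            JSONArray claimsLocalesJsonArray = new JSONArray(claimsLocales);
            obj.put("claims_locales", claimsLocalesJsonArray);
        }
        if (StringUtils.isNotBlank(idTokenHint)) {
            obj.put("id_token_hint", idTokenHint);
        }
        if (StringUtils.isNotBlank(loginHint)) {
            obj.put("login_hint", loginHint);
        }
        if (acrValues != null && !acrValues.isEmpty()) {
            // acr_values is written in the same form loadPayload read it. The previous
            // `new JSONArray(acrValues)` here was unused and, for the plain string value that
            // loadPayload stores, would have tried to parse that string as JSON text.
            obj.put("acr_values", acrValues);
        }
        if (StringUtils.isNotBlank(registration)) {
            obj.put("registration", registration);
        }
        if (userInfoMember != null || idTokenMember != null) {
            JSONObject claimsObj = new JSONObject();
            if (userInfoMember != null) {
                claimsObj.put("userinfo", userInfoMember.toJSONObject());
            }
            if (idTokenMember != null) {
                claimsObj.put("id_token", idTokenMember.toJSONObject());
            }
            obj.put("claims", claimsObj);
        }
        if (StringUtils.isNotBlank(aud)) {
            obj.put("aud", aud);
        }
        if (exp != null && exp > 0) {
            obj.put("exp", exp);
        }
        if (StringUtils.isNotBlank(iss)) {
            obj.put("iss", iss);
        }
        if (iat != null && iat > 0) {
            obj.put("iat", iat);
        }
        if (nbf != null && nbf > 0) {
            obj.put("nbf", nbf);
        }
        if (StringUtils.isNotBlank(jti)) {
            obj.put("jti", jti);
        }
        if (StringUtils.isNotBlank(clientNotificationToken)) {
            obj.put("client_notification_token", clientNotificationToken);
        }
        if (StringUtils.isNotBlank(loginHintToken)) {
            obj.put("login_hint_token", loginHintToken);
        }
        if (StringUtils.isNotBlank(bindingMessage)) {
            obj.put("binding_message", bindingMessage);
        }
        if (StringUtils.isNotBlank(userCode)) {
            obj.put("user_code", userCode);
        }
        if (requestedExpiry != null && requestedExpiry > 0) {
            // Member name must match the one loadPayload reads ("requested_expiry"); the
            // earlier "requested_expirity" spelling silently broke the round trip.
            obj.put("requested_expiry", requestedExpiry);
        }
    } catch (UnsupportedEncodingException e) {
        // UTF-8 is mandatory on every JVM, so this is unreachable; fail loudly rather than
        // silently returning a payload with the redirect_uri missing.
        throw new IllegalStateException("UTF-8 encoding not supported", e);
    }
    return obj;
}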
Also used : JSONObject(org.json.JSONObject) JSONArray(org.json.JSONArray) UnsupportedEncodingException(java.io.UnsupportedEncodingException) Prompt(org.gluu.oxauth.model.common.Prompt) ResponseType(org.gluu.oxauth.model.common.ResponseType)

Aggregations

Prompt (org.gluu.oxauth.model.common.Prompt)4 ResponseType (org.gluu.oxauth.model.common.ResponseType)2 SessionId (org.gluu.oxauth.model.common.SessionId)2 JSONArray (org.json.JSONArray)2 JSONObject (org.json.JSONObject)2 UnsupportedEncodingException (java.io.UnsupportedEncodingException)1 Date (java.util.Date)1 HashMap (java.util.HashMap)1 Map (java.util.Map)1 ExternalContext (javax.faces.context.ExternalContext)1 HttpServletRequest (javax.servlet.http.HttpServletRequest)1 WebApplicationException (javax.ws.rs.WebApplicationException)1 CustomScriptConfiguration (org.gluu.model.custom.script.conf.CustomScriptConfiguration)1 User (org.gluu.oxauth.model.common.User)1 AcrChangedException (org.gluu.oxauth.model.exception.AcrChangedException)1 ClientAuthorization (org.gluu.oxauth.model.ldap.ClientAuthorization)1 Client (org.gluu.oxauth.model.registration.Client)1 ExternalPostAuthnContext (org.gluu.oxauth.service.external.context.ExternalPostAuthnContext)1 EntryPersistenceException (org.gluu.persist.exception.EntryPersistenceException)1