
Example 41 with SessionId

use of org.gluu.oxauth.model.common.SessionId in project oxAuth by GluuFederation.

the class EndSessionRestWebServiceImpl method validateSidRequestParameter.

/**
 * Rejects the logout request when an explicit {@code sid} is supplied but does not
 * resolve to a known session.
 *
 * <p>{@code sid} is optional; a blank value is accepted without any lookup (#831).
 *
 * @param sid                   the {@code sid} request parameter, may be blank
 * @param postLogoutRedirectUri used to build the error response a rejected request redirects to
 * @throws WebApplicationException carrying an {@code INVALID_GRANT_AND_SESSION} error response when
 *                                 {@code sid} is present but unknown
 */
private void validateSidRequestParameter(String sid, String postLogoutRedirectUri) {
    if (StringUtils.isBlank(sid)) {
        // Nothing to validate: the parameter was skipped.
        return;
    }
    if (sessionIdService.getSessionBySid(sid) != null) {
        return;
    }
    // Present but unresolvable sid: refuse the logout instead of guessing a session.
    final String reason = "sid parameter in request is not valid. Logout is rejected. sid parameter in request can be skipped or otherwise valid value must be provided.";
    log.error(reason);
    throw new WebApplicationException(createErrorResponse(postLogoutRedirectUri, EndSessionErrorResponseType.INVALID_GRANT_AND_SESSION, reason));
}

Example 42 with SessionId

use of org.gluu.oxauth.model.common.SessionId in project oxAuth by GluuFederation.

the class EndSessionRestWebServiceImpl method getSsoClients.

/**
 * Determines the clients participating in the SSO session that is being ended.
 *
 * <p>The result is the set of clients recorded in the session's permission-granted map,
 * plus the client of the authorization grant (when one was identified).
 *
 * @param pair session (may be {@code null}) and authorization grant (may be {@code null})
 * @return a mutable set of clients, empty when no session is available
 */
private Set<Client> getSsoClients(Pair<SessionId, AuthorizationGrant> pair) {
    final SessionId session = pair.getFirst();
    final AuthorizationGrant grant = pair.getSecond();
    if (session == null) {
        // Without a session there is no permission map to derive clients from.
        log.error("session_id is not passed to endpoint (as cookie or manually). Therefore unable to match clients for session_id.");
        return Sets.newHashSet();
    }
    Set<Client> clients;
    if (session.getPermissionGrantedMap() == null) {
        clients = Sets.newHashSet();
    } else {
        clients = clientService.getClient(session.getPermissionGrantedMap().getClientIds(true), true);
    }
    if (grant != null) {
        // The client that presented the id_token_hint takes part even if the map misses it.
        clients.add(grant.getClient());
    }
    return clients;
}

Example 43 with SessionId

use of org.gluu.oxauth.model.common.SessionId in project oxAuth by GluuFederation.

the class EndSessionRestWebServiceImpl method auditLogging.

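/**
 * Emits a {@code SESSION_DESTROYED} audit record for the session being ended.
 *
 * <p>Client id, scope and user are taken from the authorization grant when one was identified,
 * otherwise from the session itself.
 *
 * @param request the incoming request; its remote address is recorded
 * @param pair    session (may be {@code null}) and authorization grant (may be {@code null})
 */
private void auditLogging(HttpServletRequest request, Pair<SessionId, AuthorizationGrant> pair) {
    final SessionId sessionId = pair.getFirst();
    final AuthorizationGrant authorizationGrant = pair.getSecond();
    final OAuth2AuditLog oAuth2AuditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(request), Action.SESSION_DESTROYED);
    oAuth2AuditLog.setSuccess(true);
    if (authorizationGrant != null) {
        oAuth2AuditLog.setClientId(authorizationGrant.getClientId());
        oAuth2AuditLog.setScope(StringUtils.join(authorizationGrant.getScopes(), " "));
        oAuth2AuditLog.setUsername(authorizationGrant.getUserId());
    } else if (sessionId != null) {
        // Same null-guard as getSsoClients(): a session without a permission-granted map must
        // still produce an audit record rather than abort the logout with an NPE here.
        if (sessionId.getPermissionGrantedMap() != null) {
            oAuth2AuditLog.setClientId(sessionId.getPermissionGrantedMap().getClientIds(true).toString());
        }
        oAuth2AuditLog.setScope(sessionId.getSessionAttributes().get(AuthorizeRequestParam.SCOPE));
        oAuth2AuditLog.setUsername(sessionId.getUserDn());
    }
    applicationAuditLogger.sendMessage(oAuth2AuditLog);
}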

Example 44 with SessionId

use of org.gluu.oxauth.model.common.SessionId in project oxAuth by GluuFederation.

the class EndSessionRestWebServiceImpl method requestEndSession.

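/**
 * Handles the OpenID Connect end-session request.
 *
 * <p>Flow: normalise the legacy {@code session_id} parameter onto {@code sid}, validate the
 * id_token_hint and sid, resolve the session/grant pair, validate the post_logout_redirect_uri
 * against the involved clients, destroy the session, audit it, then notify the SSO clients via
 * back-channel and either redirect (no front-channel URIs) or render the front-channel page.
 *
 * @return a {@code 302} to the validated post_logout_redirect_uri, the front-channel logout
 *         response, or the error response carried by a {@link WebApplicationException}
 * @throws WebApplicationException with a {@code 500} body when an unexpected error occurs, or
 *                                 re-thrown unchanged when it carries no response
 */
@Override
public Response requestEndSession(String idTokenHint, String postLogoutRedirectUri, String state, String sessionId, String sid, HttpServletRequest httpRequest, HttpServletResponse httpResponse, SecurityContext sec) {
    try {
        // NOTE(review): idTokenHint is logged verbatim. When endSessionWithAccessToken is enabled,
        // getPair() also accepts an access token in this parameter, so this debug line can put a
        // bearer token into the log; consider redacting or truncating it.
        log.debug("Attempting to end session, idTokenHint: {}, postLogoutRedirectUri: {}, sessionId: {}, sid: {}, Is Secure = {}", idTokenHint, postLogoutRedirectUri, sessionId, sid, sec.isSecure());
        if (StringUtils.isBlank(sid) && StringUtils.isNotBlank(sessionId)) {
            // backward compatibility. Will be removed in next major release.
            sid = sessionId;
        }
        Jwt idToken = validateIdTokenHint(idTokenHint, postLogoutRedirectUri);
        validateSidRequestParameter(sid, postLogoutRedirectUri);
        final Pair<SessionId, AuthorizationGrant> pair = getPair(idTokenHint, sid, httpRequest);
        if (pair.getFirst() == null) {
            final String reason = "Failed to identify session by session_id query parameter or by session_id cookie.";
            throw new WebApplicationException(createErrorResponse(postLogoutRedirectUri, EndSessionErrorResponseType.INVALID_GRANT_AND_SESSION, reason));
        }
        // The redirect target used below is whatever this validation step returns, never the raw input.
        postLogoutRedirectUri = validatePostLogoutRedirectUri(postLogoutRedirectUri, pair);
        validateSid(postLogoutRedirectUri, idToken, pair.getFirst());
        endSession(pair, httpRequest, httpResponse);
        auditLogging(httpRequest, pair);

        final Set<String> frontchannelUris = Sets.newHashSet();
        final Map<String, Client> backchannelUris = Maps.newHashMap();
        collectLogoutUris(getSsoClients(pair), pair.getFirst(), frontchannelUris, backchannelUris);

        backChannel(backchannelUris, pair.getSecond(), pair.getFirst());
        if (frontchannelUris.isEmpty() && StringUtils.isNotBlank(postLogoutRedirectUri)) {
            // no front-channel clients: redirect straight away
            log.trace("No frontchannel_redirect_uri's found in clients involved in SSO.");
            return redirectToPostLogoutUri(postLogoutRedirectUri);
        }
        return httpBased(frontchannelUris, postLogoutRedirectUri, state, pair, httpRequest);
    } catch (WebApplicationException e) {
        if (e.getResponse() != null) {
            return e.getResponse();
        }
        throw e;
    } catch (Exception e) {
        log.error(e.getMessage(), e);
        throw new WebApplicationException(Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(errorResponseFactory.getJsonErrorResponse(GluuErrorResponseType.SERVER_ERROR)).build());
    }
}

/**
 * Sorts the logout URIs of the given clients into back-channel and front-channel targets.
 *
 * <p>A client that registers at least one non-blank backchannel_logout_uri is notified only via
 * back-channel; otherwise its non-blank front-channel URIs are collected, with the session's
 * outside sid and the issuer appended when the client requires it.
 *
 * @param clients         clients involved in the SSO session
 * @param session         the session being ended; supplies the outside sid
 * @param frontchannelUris output: front-channel logout URIs
 * @param backchannelUris  output: back-channel logout URI to owning client
 */
private void collectLogoutUris(Set<Client> clients, SessionId session, Set<String> frontchannelUris, Map<String, Client> backchannelUris) {
    for (Client client : clients) {
        boolean hasBackchannel = false;
        for (String logoutUri : client.getAttributes().getBackchannelLogoutUri()) {
            if (Util.isNullOrEmpty(logoutUri)) {
                // skip if logout_uri is blank
                continue;
            }
            backchannelUris.put(logoutUri, client);
            hasBackchannel = true;
        }
        if (hasBackchannel) {
            // client has backchannel_logout_uri
            continue;
        }
        for (String logoutUri : client.getFrontChannelLogoutUri()) {
            if (Util.isNullOrEmpty(logoutUri)) {
                // skip if logout_uri is blank
                continue;
            }
            if (client.getFrontChannelLogoutSessionRequired()) {
                logoutUri = EndSessionUtils.appendSid(logoutUri, session.getOutsideSid(), appConfiguration.getIssuer());
            }
            frontchannelUris.add(logoutUri);
        }
    }
}

/**
 * Builds the {@code 302} to the already-validated post_logout_redirect_uri.
 *
 * @param postLogoutRedirectUri the validated redirect target
 * @return a {@code FOUND} response, or a {@code BAD_REQUEST} error response when the
 *         value is not a syntactically valid URI
 */
private Response redirectToPostLogoutUri(String postLogoutRedirectUri) {
    try {
        log.trace("Redirect to postlogout_redirect_uri: {}", postLogoutRedirectUri);
        return Response.status(Response.Status.FOUND).location(new URI(postLogoutRedirectUri)).build();
    } catch (URISyntaxException e) {
        final String message = "Failed to create URI for " + postLogoutRedirectUri + " postlogout_redirect_uri.";
        // keep the cause: the offending character position is only in the exception
        log.error(message, e);
        return Response.status(Response.Status.BAD_REQUEST).entity(errorResponseFactory.errorAsJson(EndSessionErrorResponseType.INVALID_REQUEST, message)).build();
    }
}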

Example 45 with SessionId

use of org.gluu.oxauth.model.common.SessionId in project oxAuth by GluuFederation.

the class EndSessionRestWebServiceImpl method getPair.

/**
 * Resolves the session and authorization grant addressed by an end-session request.
 *
 * <p>The grant is looked up by id_token; when none is found and
 * {@code endSessionWithAccessToken} is enabled, the same hint is retried as an access token.
 * The session is taken from the session cookie first and from {@code sid} only as a fallback.
 *
 * @param idTokenHint the id_token_hint (or, if configured, an access token)
 * @param sid         the sid request parameter, may be blank
 * @param httpRequest the request carrying the session cookie
 * @return the pair of resolved session and grant; either element may be {@code null}
 */
private Pair<SessionId, AuthorizationGrant> getPair(String idTokenHint, String sid, HttpServletRequest httpRequest) {
    AuthorizationGrant grant = authorizationGrantList.getAuthorizationGrantByIdToken(idTokenHint);
    if (grant == null && Boolean.TRUE.equals(appConfiguration.getEndSessionWithAccessToken())) {
        // Configured fallback: accept an access token in place of the id_token_hint.
        grant = authorizationGrantList.getAuthorizationGrantByAccessToken(idTokenHint);
    }
    SessionId session = null;
    try {
        final String cookieSessionId = cookieService.getSessionIdFromCookie(httpRequest);
        if (StringHelper.isNotEmpty(cookieSessionId)) {
            session = sessionIdService.getSessionId(cookieSessionId);
        }
        if (session == null && StringUtils.isNotBlank(sid)) {
            session = sessionIdService.getSessionBySid(sid);
        }
    } catch (Exception e) {
        // Best-effort lookup: on failure the session stays null and the caller rejects the request.
        log.error("Failed to current session id.", e);
    }
    return new Pair<>(session, grant);
}
