Use of org.gluu.oxauth.model.jwt.JwtSubClaimObject in project oxAuth by GluuFederation:
class IdTokenFactory, method fillClaims.
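/**
 * Populates the claims of an ID token for the given grant.
 *
 * Order of work: issuer/audience and the iat/exp pair, a random {@code code} claim, the optional
 * pre-processing hook, session/ACR/nonce/auth_time claims, the c_hash/at_hash/s_hash claims for the
 * artefacts that are present, the grant type and oxAuth version, scope-driven user claims (only when
 * {@code includeIdTokenClaims} is set and the client allows claims in the ID token), claims from a JWT
 * authorization request, the subject identifier, dynamic-scope scripts, CIBA processing and finally the
 * post-processing hook.
 *
 * @param jwr                  response whose claims are filled in place
 * @param authorizationGrant   grant the token is issued for (client, user, session DN, ACR values)
 * @param nonce                request nonce; omitted when blank
 * @param authorizationCode    code hashed into {@code c_hash}; may be null
 * @param accessToken          token hashed into {@code at_hash}; may be null
 * @param refreshToken         handed to CIBA processing; may be null
 * @param state                request state hashed into {@code s_hash}; omitted when blank
 * @param scopes               granted scope names that select which user claims are added
 * @param includeIdTokenClaims whether user claims may be added at all (the client flag is also required)
 * @param preProcessing        optional hook run after the time/issuer claims are set; may be null
 * @param postProcessing       optional hook run last; may be null
 * @throws Exception propagated from hashing, scope lookup, CIBA processing or external scripts
 */
private void fillClaims(JsonWebResponse jwr, IAuthorizationGrant authorizationGrant, String nonce, AuthorizationCode authorizationCode, AccessToken accessToken, RefreshToken refreshToken, String state, Set<String> scopes, boolean includeIdTokenClaims, Function<JsonWebResponse, Void> preProcessing, Function<JsonWebResponse, Void> postProcessing) throws Exception {
    jwr.getClaims().setIssuer(appConfiguration.getIssuer());
    Audience.setAudience(jwr.getClaims(), authorizationGrant.getClient());

    // exp is derived from the same Calendar instant as iat, so the lifetime is exact.
    int lifeTime = appConfiguration.getIdTokenLifetime();
    Calendar calendar = Calendar.getInstance();
    Date issuedAt = calendar.getTime();
    calendar.add(Calendar.SECOND, lifeTime);
    Date expiration = calendar.getTime();
    jwr.getClaims().setExpirationTime(expiration);
    jwr.getClaims().setIssuedAt(issuedAt);

    // Random per-token value; unrelated to the c_hash claim set further down.
    jwr.setClaim("code", UUID.randomUUID().toString());

    if (preProcessing != null) {
        preProcessing.apply(jwr);
    }

    final SessionId session = sessionIdService.getSessionByDn(authorizationGrant.getSessionDn());
    if (session != null) {
        jwr.setClaim("sid", session.getOutsideSid());
    }
    if (authorizationGrant.getAcrValues() != null) {
        jwr.setClaim(JwtClaimName.AUTHENTICATION_CONTEXT_CLASS_REFERENCE, authorizationGrant.getAcrValues());
        setAmrClaim(jwr, authorizationGrant.getAcrValues());
    }
    if (StringUtils.isNotBlank(nonce)) {
        jwr.setClaim(JwtClaimName.NONCE, nonce);
    }
    if (authorizationGrant.getAuthenticationTime() != null) {
        jwr.getClaims().setClaim(JwtClaimName.AUTHENTICATION_TIME, authorizationGrant.getAuthenticationTime());
    }

    // Hash claims are only emitted for artefacts that actually exist in this flow.
    if (authorizationCode != null) {
        setHashClaim(jwr, JwtClaimName.CODE_HASH, authorizationCode.getCode());
    }
    if (accessToken != null) {
        setHashClaim(jwr, JwtClaimName.ACCESS_TOKEN_HASH, accessToken.getCode());
    }
    if (Strings.isNotBlank(state)) {
        setHashClaim(jwr, JwtClaimName.STATE_HASH, state);
    }
    if (authorizationGrant.getGrantType() != null) {
        jwr.setClaim("grant", authorizationGrant.getGrantType().getValue());
    }
    jwr.setClaim(JwtClaimName.OX_OPENID_CONNECT_VERSION, appConfiguration.getOxOpenIdConnectVersion());

    User user = authorizationGrant.getUser();
    List<Scope> dynamicScopes = new ArrayList<>();
    if (includeIdTokenClaims && authorizationGrant.getClient().isIncludeClaimsInIdToken()) {
        for (String scopeName : scopes) {
            Scope scope = scopeService.getScopeById(scopeName);
            if (scope == null) {
                continue;
            }
            if (DYNAMIC == scope.getScopeType()) {
                // Dynamic scopes are resolved by external scripts once the static claims are in place.
                dynamicScopes.add(scope);
                continue;
            }
            Map<String, Object> claims = scopeService.getClaims(user, scope);
            if (claims == null) {
                // The userinfo endpoint guards this result the same way; skip instead of failing on entrySet().
                continue;
            }
            addScopeClaims(jwr, scope, claims);
            // Provisional subject; presumably superseded by jwrService.setSubjectIdentifier below — confirm.
            jwr.getClaims().setSubjectIdentifier(user.getAttribute("inum"));
        }
    }

    setClaimsFromJwtAuthorizationRequest(jwr, authorizationGrant, scopes);
    jwrService.setSubjectIdentifier(jwr, authorizationGrant);

    if (!dynamicScopes.isEmpty() && externalDynamicScopeService.isEnabled()) {
        // Scripts receive the grant through its unmodifiable wrapper (per its name, a read-only view).
        final UnmodifiableAuthorizationGrant unmodifiableAuthorizationGrant = new UnmodifiableAuthorizationGrant(authorizationGrant);
        DynamicScopeExternalContext dynamicScopeContext = new DynamicScopeExternalContext(dynamicScopes, jwr, unmodifiableAuthorizationGrant);
        externalDynamicScopeService.executeExternalUpdateMethods(dynamicScopeContext);
    }

    processCiba(jwr, authorizationGrant, refreshToken);

    if (postProcessing != null) {
        postProcessing.apply(jwr);
    }
}

/**
 * Sets {@code claimName} to the hash of {@code value} computed by {@link AbstractToken#getHash}
 * under the token's own signature algorithm.
 *
 * @param jwr       token being built; supplies the signature algorithm from its header
 * @param claimName claim to set (c_hash, at_hash, s_hash)
 * @param value     string to hash
 * @throws Exception propagated from the hash computation
 */
private static void setHashClaim(JsonWebResponse jwr, String claimName, String value) throws Exception {
    jwr.setClaim(claimName, AbstractToken.getHash(value, jwr.getHeader().getSignatureAlgorithm()));
}

/**
 * Copies the claim values resolved for {@code scope} into the token: nested under the scope id when the
 * scope is flagged as a group claim, otherwise flattened into the top-level claim set.
 *
 * @param jwr    token being built
 * @param scope  scope the values were resolved for (non-null)
 * @param claims claim name to value map (non-null); lists, booleans and dates get typed claims,
 *               anything else is emitted as its string form
 */
@SuppressWarnings("unchecked") // values stored as List are String lists, as in the userinfo path
private static void addScopeClaims(JsonWebResponse jwr, Scope scope, Map<String, Object> claims) {
    if (Boolean.TRUE.equals(scope.isOxAuthGroupClaims())) {
        jwr.getClaims().setClaim(scope.getId(), buildGroupClaim(scope, claims));
        return;
    }
    for (Map.Entry<String, Object> entry : claims.entrySet()) {
        String key = entry.getKey();
        Object value = entry.getValue();
        if (value instanceof List) {
            jwr.getClaims().setClaim(key, (List<String>) value);
        } else if (value instanceof Boolean) {
            jwr.getClaims().setClaim(key, (Boolean) value);
        } else if (value instanceof Date) {
            // Dates are emitted as epoch seconds.
            jwr.getClaims().setClaim(key, ((Date) value).getTime() / 1000);
        } else {
            // Other scalars are stringified rather than failing a blind String cast; null stays null.
            jwr.setClaim(key, value == null ? null : value.toString());
        }
    }
}

/**
 * Wraps {@code claims} in a {@link JwtSubClaimObject} named after the scope id.
 *
 * @param scope  scope providing the group name
 * @param claims claim name to value map; lists are kept as lists, everything else becomes a string
 * @return the populated sub-claim object
 */
@SuppressWarnings("unchecked") // values stored as List are String lists, as in the userinfo path
private static JwtSubClaimObject buildGroupClaim(Scope scope, Map<String, Object> claims) {
    JwtSubClaimObject groupClaim = new JwtSubClaimObject();
    groupClaim.setName(scope.getId());
    for (Map.Entry<String, Object> entry : claims.entrySet()) {
        Object value = entry.getValue();
        if (value instanceof List) {
            groupClaim.setClaim(entry.getKey(), (List<String>) value);
        } else {
            groupClaim.setClaim(entry.getKey(), value == null ? null : value.toString());
        }
    }
    return groupClaim;
}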
Use of org.gluu.oxauth.model.jwt.JwtSubClaimObject in project oxAuth by GluuFederation:
class UserInfoRestWebServiceImpl, method getJSonResponse.
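/**
 * Builds the JSON body of a UserInfo response for {@code user}.
 *
 * Claims are gathered from three sources: the granted scopes (flattened, or grouped under the scope id
 * when the scope is flagged as a group claim; dynamic scopes are deferred to external scripts), the
 * {@code userinfo} member of the request's {@code claims} parameter, and the {@code userinfo} member of a
 * JWT authorization request. Only the last source is filtered through {@code validateRequesteClaim}.
 *
 * @param user               user whose attributes are exposed
 * @param authorizationGrant grant of the presenting access token (claims request, client, subject)
 * @param scopes             scope names granted to the token
 * @return the claims serialised as a JSON string
 * @throws Exception propagated from scope lookup, attribute access or external dynamic-scope scripts
 */
public String getJSonResponse(User user, AuthorizationGrant authorizationGrant, Collection<String> scopes) throws Exception {
    // The (String, Object...) signature substitutes "{}" placeholders, not MessageFormat-style "{0}";
    // the original "{0} ... {1} ... {0}" never printed the third argument. Assumes an SLF4J/Log4j2-style
    // logger — confirm. Custom attributes are user data, so this stays at trace level.
    log.trace("Building JSON reponse with next scopes {} for user {} and user custom attributes {}", scopes, user.getUserId(), user.getCustomAttributes());
    JsonWebResponse jsonWebResponse = new JsonWebResponse();

    List<Scope> dynamicScopes = new ArrayList<Scope>();
    for (String scopeName : scopes) {
        org.oxauth.persistence.model.Scope scope = scopeService.getScopeById(scopeName);
        if ((scope != null) && (org.gluu.oxauth.model.common.ScopeType.DYNAMIC == scope.getScopeType())) {
            dynamicScopes.add(scope);
            continue;
        }
        // NOTE(review): an unknown scope name reaches getClaims with a null scope; only the null result
        // check below skips it — confirm scopeService tolerates a null scope.
        Map<String, Object> claims = scopeService.getClaims(user, scope);
        if (claims == null) {
            continue;
        }
        addScopeClaims(jsonWebResponse, scope, claims);
    }

    addClaimsParameterClaims(jsonWebResponse, user, authorizationGrant);
    addJwtRequestClaims(jsonWebResponse, user, authorizationGrant, scopes);

    jsonWebResponse.getClaims().setSubjectIdentifier(authorizationGrant.getSub());

    if (!dynamicScopes.isEmpty() && externalDynamicScopeService.isEnabled()) {
        // Scripts receive the grant through its unmodifiable wrapper (per its name, a read-only view).
        final UnmodifiableAuthorizationGrant unmodifiableAuthorizationGrant = new UnmodifiableAuthorizationGrant(authorizationGrant);
        DynamicScopeExternalContext dynamicScopeContext = new DynamicScopeExternalContext(dynamicScopes, jsonWebResponse, unmodifiableAuthorizationGrant);
        externalDynamicScopeService.executeExternalUpdateMethods(dynamicScopeContext);
    }

    return jsonWebResponse.toString();
}

/**
 * Copies the claim values resolved for {@code scope} into the response: nested under the scope id when
 * the scope is flagged as a group claim, otherwise flattened into the top-level claim set.
 *
 * @param jsonWebResponse response being built
 * @param scope           scope the values were resolved for; may be null, in which case values are flattened
 * @param claims          claim name to value map (non-null); lists, booleans and dates get typed claims,
 *                        anything else is emitted via {@link String#valueOf(Object)}
 */
@SuppressWarnings("unchecked") // values stored as List are String lists
private static void addScopeClaims(JsonWebResponse jsonWebResponse, org.oxauth.persistence.model.Scope scope, Map<String, Object> claims) {
    if (scope != null && Boolean.TRUE.equals(scope.isOxAuthGroupClaims())) {
        JwtSubClaimObject groupClaim = new JwtSubClaimObject();
        groupClaim.setName(scope.getId());
        for (Map.Entry<String, Object> entry : claims.entrySet()) {
            Object value = entry.getValue();
            if (value instanceof List) {
                groupClaim.setClaim(entry.getKey(), (List<String>) value);
            } else {
                groupClaim.setClaim(entry.getKey(), String.valueOf(value));
            }
        }
        jsonWebResponse.getClaims().setClaim(scope.getId(), groupClaim);
        return;
    }
    for (Map.Entry<String, Object> entry : claims.entrySet()) {
        String key = entry.getKey();
        Object value = entry.getValue();
        if (value instanceof List) {
            jsonWebResponse.getClaims().setClaim(key, (List<String>) value);
        } else if (value instanceof Boolean) {
            jsonWebResponse.getClaims().setClaim(key, (Boolean) value);
        } else if (value instanceof Date) {
            // Dates are emitted as epoch seconds.
            jsonWebResponse.getClaims().setClaim(key, ((Date) value).getTime() / 1000);
        } else {
            jsonWebResponse.getClaims().setClaim(key, String.valueOf(value));
        }
    }
}

/**
 * Adds the claims named in the {@code userinfo} member of the request's {@code claims} parameter, when the
 * grant carries one. Only names that map to a known attribute are resolved.
 *
 * NOTE(review): unlike the JWT-request path, this path does not run {@code validateRequesteClaim}
 * against the client's allowed claims and the granted scopes — confirm that is intended.
 *
 * @param jsonWebResponse    response being built
 * @param user               user whose attributes are read
 * @param authorizationGrant grant holding the raw {@code claims} parameter JSON
 * @throws Exception propagated from JSON parsing or attribute access
 */
private void addClaimsParameterClaims(JsonWebResponse jsonWebResponse, User user, AuthorizationGrant authorizationGrant) throws Exception {
    if (authorizationGrant.getClaims() == null) {
        return;
    }
    JSONObject claimsObj = new JSONObject(authorizationGrant.getClaims());
    if (!claimsObj.has("userinfo")) {
        return;
    }
    JSONObject userInfoObj = claimsObj.getJSONObject("userinfo");
    for (Iterator<String> it = userInfoObj.keys(); it.hasNext(); ) {
        String claimName = it.next();
        GluuAttribute gluuAttribute = attributeService.getByClaimName(claimName);
        if (gluuAttribute != null) {
            // Every requested claim is treated as optional; the per-claim value type is not consulted.
            Object attribute = user.getAttribute(gluuAttribute.getName(), true, gluuAttribute.getOxMultiValuedAttribute());
            jsonWebResponse.getClaims().setClaimFromJsonObject(claimName, attribute);
        }
    }
}

/**
 * Adds the claims requested in the {@code userinfo} member of a JWT authorization request, limited to
 * those that pass {@code validateRequesteClaim} for the client and the granted scopes.
 *
 * @param jsonWebResponse    response being built
 * @param user               user whose attributes are read
 * @param authorizationGrant grant holding the parsed JWT authorization request and the client
 * @param scopes             scope names granted to the token
 * @throws Exception propagated from claim validation or attribute access
 */
private void addJwtRequestClaims(JsonWebResponse jsonWebResponse, User user, AuthorizationGrant authorizationGrant, Collection<String> scopes) throws Exception {
    if (authorizationGrant.getJwtAuthorizationRequest() == null || authorizationGrant.getJwtAuthorizationRequest().getUserInfoMember() == null) {
        return;
    }
    Client client = authorizationGrant.getClient();
    for (Claim claim : authorizationGrant.getJwtAuthorizationRequest().getUserInfoMember().getClaims()) {
        GluuAttribute gluuAttribute = attributeService.getByClaimName(claim.getName());
        if (gluuAttribute == null || !validateRequesteClaim(gluuAttribute, client.getClaims(), scopes)) {
            continue;
        }
        // Every requested claim is treated as optional; the per-claim value type is not consulted.
        Object attribute = user.getAttribute(gluuAttribute.getName(), true, gluuAttribute.getOxMultiValuedAttribute());
        jsonWebResponse.getClaims().setClaimFromJsonObject(claim.getName(), attribute);
    }
}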