Search in sources :

Example 1 with SessionClient

use of org.gluu.oxauth.model.session.SessionClient in project oxAuth by GluuFederation.

the class BackchannelAuthorizeRestWebServiceImpl method requestBackchannelAuthorizationPost.

@Override
public Response requestBackchannelAuthorizationPost(String clientId, String scope, String clientNotificationToken, String acrValues, String loginHintToken, String idTokenHint, String loginHint, String bindingMessage, String userCodeParam, Integer requestedExpiry, String request, String requestUri, HttpServletRequest httpRequest, HttpServletResponse httpResponse, SecurityContext securityContext) {
    // it may be encoded
    scope = ServerUtil.urlDecode(scope);
    OAuth2AuditLog oAuth2AuditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(httpRequest), Action.BACKCHANNEL_AUTHENTICATION);
    oAuth2AuditLog.setClientId(clientId);
    oAuth2AuditLog.setScope(scope);
    // ATTENTION : please do not add more parameter in this debug method because it will not work with Seam 2.2.2.Final,
    // there is limit of 10 parameters (hardcoded), see: org.jboss.seam.core.Interpolator#interpolate
    log.debug("Attempting to request backchannel authorization: " + "clientId = {}, scope = {}, clientNotificationToken = {}, acrValues = {}, loginHintToken = {}, " + "idTokenHint = {}, loginHint = {}, bindingMessage = {}, userCodeParam = {}, requestedExpiry = {}, " + "request= {}", clientId, scope, clientNotificationToken, acrValues, loginHintToken, idTokenHint, loginHint, bindingMessage, userCodeParam, requestedExpiry, request);
    log.debug("Attempting to request backchannel authorization: " + "isSecure = {}", securityContext.isSecure());
    Response.ResponseBuilder builder = Response.ok();
    if (!appConfiguration.getCibaEnabled()) {
        log.warn("Trying to register a CIBA request, however CIBA config is disabled.");
        builder = Response.status(Response.Status.BAD_REQUEST.getStatusCode());
        builder.entity(errorResponseFactory.getErrorAsJson(INVALID_REQUEST));
        return builder.build();
    }
    SessionClient sessionClient = identity.getSessionClient();
    Client client = null;
    if (sessionClient != null) {
        client = sessionClient.getClient();
    }
    if (client == null) {
        // 401
        builder = Response.status(Response.Status.UNAUTHORIZED.getStatusCode());
        builder.entity(errorResponseFactory.getErrorAsJson(INVALID_CLIENT));
        return builder.build();
    }
    if (!cibaRequestService.hasCibaCompatibility(client)) {
        // 401
        builder = Response.status(Response.Status.BAD_REQUEST.getStatusCode());
        builder.entity(errorResponseFactory.getErrorAsJson(INVALID_REQUEST));
        return builder.build();
    }
    List<String> scopes = new ArrayList<>();
    if (StringHelper.isNotEmpty(scope)) {
        Set<String> grantedScopes = scopeChecker.checkScopesPolicy(client, scope);
        scopes.addAll(grantedScopes);
    }
    JwtAuthorizationRequest jwtRequest = null;
    if (StringUtils.isNotBlank(request) || StringUtils.isNotBlank(requestUri)) {
        jwtRequest = JwtAuthorizationRequest.createJwtRequest(request, requestUri, client, null, cryptoProvider, appConfiguration);
        if (jwtRequest == null) {
            log.error("The JWT couldn't be processed");
            // 400
            builder = Response.status(Response.Status.BAD_REQUEST.getStatusCode());
            builder.entity(errorResponseFactory.getErrorAsJson(INVALID_REQUEST));
            throw new WebApplicationException(builder.build());
        }
        authorizeRestWebServiceValidator.validateCibaRequestObject(jwtRequest, client.getClientId());
        // JWT wins
        if (!jwtRequest.getScopes().isEmpty()) {
            scopes.addAll(scopeChecker.checkScopesPolicy(client, jwtRequest.getScopes()));
        }
        if (StringUtils.isNotBlank(jwtRequest.getClientNotificationToken())) {
            clientNotificationToken = jwtRequest.getClientNotificationToken();
        }
        if (StringUtils.isNotBlank(jwtRequest.getAcrValues())) {
            acrValues = jwtRequest.getAcrValues();
        }
        if (StringUtils.isNotBlank(jwtRequest.getLoginHintToken())) {
            loginHintToken = jwtRequest.getLoginHintToken();
        }
        if (StringUtils.isNotBlank(jwtRequest.getIdTokenHint())) {
            idTokenHint = jwtRequest.getIdTokenHint();
        }
        if (StringUtils.isNotBlank(jwtRequest.getLoginHint())) {
            loginHint = jwtRequest.getLoginHint();
        }
        if (StringUtils.isNotBlank(jwtRequest.getBindingMessage())) {
            bindingMessage = jwtRequest.getBindingMessage();
        }
        if (StringUtils.isNotBlank(jwtRequest.getUserCode())) {
            userCodeParam = jwtRequest.getUserCode();
        }
        if (jwtRequest.getRequestedExpiry() != null) {
            requestedExpiry = jwtRequest.getRequestedExpiry();
        } else if (jwtRequest.getExp() != null) {
            requestedExpiry = Math.toIntExact(jwtRequest.getExp() - System.currentTimeMillis() / 1000);
        }
    }
    if (appConfiguration.getFapiCompatibility() && jwtRequest == null) {
        // 400
        builder = Response.status(Response.Status.BAD_REQUEST.getStatusCode());
        builder.entity(errorResponseFactory.getErrorAsJson(INVALID_REQUEST));
        return builder.build();
    }
    User user = null;
    try {
        if (Strings.isNotBlank(loginHint)) {
            // login_hint
            user = userService.getUniqueUserByAttributes(appConfiguration.getBackchannelLoginHintClaims(), loginHint);
        } else if (Strings.isNotBlank(idTokenHint)) {
            // id_token_hint
            AuthorizationGrant authorizationGrant = authorizationGrantList.getAuthorizationGrantByIdToken(idTokenHint);
            if (authorizationGrant == null) {
                // 400
                builder = Response.status(Response.Status.BAD_REQUEST.getStatusCode());
                builder.entity(errorResponseFactory.getErrorAsJson(UNKNOWN_USER_ID));
                return builder.build();
            }
            user = authorizationGrant.getUser();
        }
        if (Strings.isNotBlank(loginHintToken)) {
            // login_hint_token
            Jwt jwt = Jwt.parse(loginHintToken);
            SignatureAlgorithm algorithm = jwt.getHeader().getSignatureAlgorithm();
            String keyId = jwt.getHeader().getKeyId();
            if (algorithm == null || Strings.isBlank(keyId)) {
                // 400
                builder = Response.status(Response.Status.BAD_REQUEST.getStatusCode());
                builder.entity(errorResponseFactory.getErrorAsJson(UNKNOWN_USER_ID));
                return builder.build();
            }
            boolean validSignature = false;
            if (algorithm.getFamily() == AlgorithmFamily.RSA) {
                RSAPublicKey publicKey = JwkClient.getRSAPublicKey(client.getJwksUri(), keyId);
                RSASigner rsaSigner = new RSASigner(algorithm, publicKey);
                validSignature = rsaSigner.validate(jwt);
            } else if (algorithm.getFamily() == AlgorithmFamily.EC) {
                ECDSAPublicKey publicKey = JwkClient.getECDSAPublicKey(client.getJwksUri(), keyId);
                ECDSASigner ecdsaSigner = new ECDSASigner(algorithm, publicKey);
                validSignature = ecdsaSigner.validate(jwt);
            }
            if (!validSignature) {
                // 400
                builder = Response.status(Response.Status.BAD_REQUEST.getStatusCode());
                builder.entity(errorResponseFactory.getErrorAsJson(UNKNOWN_USER_ID));
                return builder.build();
            }
            JSONObject subject = jwt.getClaims().getClaimAsJSON("subject");
            if (subject == null || !subject.has("subject_type") || !subject.has(subject.getString("subject_type"))) {
                // 400
                builder = Response.status(Response.Status.BAD_REQUEST.getStatusCode());
                builder.entity(errorResponseFactory.getErrorAsJson(UNKNOWN_USER_ID));
                return builder.build();
            }
            String subjectTypeKey = subject.getString("subject_type");
            String subjectTypeValue = subject.getString(subjectTypeKey);
            user = userService.getUniqueUserByAttributes(appConfiguration.getBackchannelLoginHintClaims(), subjectTypeValue);
        }
    } catch (InvalidJwtException e) {
        log.error(e.getMessage(), e);
    } catch (JSONException e) {
        log.error(e.getMessage(), e);
    }
    if (user == null) {
        // 400
        builder = Response.status(Response.Status.BAD_REQUEST.getStatusCode());
        builder.entity(errorResponseFactory.getErrorAsJson(UNKNOWN_USER_ID));
        return builder.build();
    }
    try {
        String userCode = (String) user.getAttribute("oxAuthBackchannelUserCode", true, false);
        DefaultErrorResponse cibaAuthorizeParamsValidation = cibaAuthorizeParamsValidatorService.validateParams(scopes, clientNotificationToken, client.getBackchannelTokenDeliveryMode(), loginHintToken, idTokenHint, loginHint, bindingMessage, client.getBackchannelUserCodeParameter(), userCodeParam, userCode, requestedExpiry);
        if (cibaAuthorizeParamsValidation != null) {
            builder = Response.status(cibaAuthorizeParamsValidation.getStatus());
            builder.entity(errorResponseFactory.errorAsJson(cibaAuthorizeParamsValidation.getType(), cibaAuthorizeParamsValidation.getReason()));
            return builder.build();
        }
        String deviceRegistrationToken = (String) user.getAttribute("oxAuthBackchannelDeviceRegistrationToken", true, false);
        if (deviceRegistrationToken == null) {
            // 401
            builder = Response.status(Response.Status.UNAUTHORIZED.getStatusCode());
            builder.entity(errorResponseFactory.getErrorAsJson(UNAUTHORIZED_END_USER_DEVICE));
            return builder.build();
        }
        int expiresIn = requestedExpiry != null ? requestedExpiry : appConfiguration.getBackchannelAuthenticationResponseExpiresIn();
        Integer interval = client.getBackchannelTokenDeliveryMode() == BackchannelTokenDeliveryMode.PUSH ? null : appConfiguration.getBackchannelAuthenticationResponseInterval();
        long currentTime = new Date().getTime();
        CibaRequestCacheControl cibaRequestCacheControl = new CibaRequestCacheControl(user, client, expiresIn, scopes, clientNotificationToken, bindingMessage, currentTime, acrValues);
        cibaRequestService.save(cibaRequestCacheControl, expiresIn);
        String authReqId = cibaRequestCacheControl.getAuthReqId();
        // Notify End-User to obtain Consent/Authorization
        cibaEndUserNotificationService.notifyEndUser(cibaRequestCacheControl.getScopesAsString(), cibaRequestCacheControl.getAcrValues(), authReqId, deviceRegistrationToken);
        builder.entity(getJSONObject(authReqId, expiresIn, interval).toString(4).replace("\\/", "/"));
        builder.type(MediaType.APPLICATION_JSON_TYPE);
        builder.cacheControl(ServerUtil.cacheControl(true, false));
    } catch (JSONException e) {
        builder = Response.status(400);
        builder.entity(errorResponseFactory.getErrorAsJson(INVALID_REQUEST));
        log.error(e.getMessage(), e);
    } catch (InvalidClaimException e) {
        builder = Response.status(400);
        builder.entity(errorResponseFactory.getErrorAsJson(INVALID_REQUEST));
        log.error(e.getMessage(), e);
    }
    applicationAuditLogger.sendMessage(oAuth2AuditLog);
    return builder.build();
}
Also used : InvalidJwtException(org.gluu.oxauth.model.exception.InvalidJwtException) WebApplicationException(javax.ws.rs.WebApplicationException) SessionClient(org.gluu.oxauth.model.session.SessionClient) OAuth2AuditLog(org.gluu.oxauth.model.audit.OAuth2AuditLog) ArrayList(java.util.ArrayList) SignatureAlgorithm(org.gluu.oxauth.model.crypto.signature.SignatureAlgorithm) InvalidClaimException(org.gluu.oxauth.model.exception.InvalidClaimException) RSAPublicKey(org.gluu.oxauth.model.crypto.signature.RSAPublicKey) RSASigner(org.gluu.oxauth.model.jws.RSASigner) JwtAuthorizationRequest(org.gluu.oxauth.model.authorize.JwtAuthorizationRequest) SessionClient(org.gluu.oxauth.model.session.SessionClient) Client(org.gluu.oxauth.model.registration.Client) JwkClient(org.gluu.oxauth.client.JwkClient) DefaultErrorResponse(org.gluu.oxauth.model.error.DefaultErrorResponse) ECDSAPublicKey(org.gluu.oxauth.model.crypto.signature.ECDSAPublicKey) ECDSASigner(org.gluu.oxauth.model.jws.ECDSASigner) Jwt(org.gluu.oxauth.model.jwt.Jwt) JSONException(org.json.JSONException) Date(java.util.Date) DefaultErrorResponse(org.gluu.oxauth.model.error.DefaultErrorResponse) Response(javax.ws.rs.core.Response) HttpServletResponse(javax.servlet.http.HttpServletResponse) JSONObject(org.json.JSONObject)

Example 2 with SessionClient

use of org.gluu.oxauth.model.session.SessionClient in project oxAuth by GluuFederation.

the class RevokeSessionRestWebService method validateAccess.

private void validateAccess() {
    SessionClient sessionClient = identity.getSessionClient();
    if (sessionClient == null || sessionClient.getClient() == null || ArrayUtils.isEmpty(sessionClient.getClient().getScopes())) {
        log.debug("Client failed to authenticate.");
        throw new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED.getStatusCode()).entity(errorResponseFactory.getErrorAsJson(EndSessionErrorResponseType.INVALID_REQUEST)).build());
    }
    List<String> scopesAllowedIds = scopeService.getScopeIdsByDns(Arrays.asList(sessionClient.getClient().getScopes()));
    if (!scopesAllowedIds.contains(Constants.REVOKE_SESSION_SCOPE)) {
        log.debug("Client does not have required revoke_session scope.");
        throw new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED.getStatusCode()).entity(errorResponseFactory.getErrorAsJson(EndSessionErrorResponseType.INVALID_REQUEST)).build());
    }
}
Also used : SessionClient(org.gluu.oxauth.model.session.SessionClient)

Example 3 with SessionClient

use of org.gluu.oxauth.model.session.SessionClient in project oxAuth by GluuFederation.

the class RevokeRestWebServiceImpl method requestAccessToken.

@Override
public Response requestAccessToken(String token, String tokenTypeHint, String clientId, HttpServletRequest request, HttpServletResponse response, SecurityContext sec) {
    log.debug("Attempting to revoke token: token = {}, tokenTypeHint = {}, isSecure = {}", token, tokenTypeHint, sec.isSecure());
    OAuth2AuditLog oAuth2AuditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(request), Action.TOKEN_REVOCATION);
    validateToken(token);
    Response.ResponseBuilder builder = Response.ok();
    SessionClient sessionClient = identity.getSessionClient();
    Client client = sessionClient != null ? sessionClient.getClient() : null;
    if (client == null) {
        client = clientService.getClient(clientId);
        if (!clientService.isPublic(client)) {
            log.trace("Client is not public and not authenticated. Skip revoking.");
            return response(builder, oAuth2AuditLog);
        }
    }
    if (client == null) {
        log.trace("Client is not unknown. Skip revoking.");
        return response(builder, oAuth2AuditLog);
    }
    oAuth2AuditLog.setClientId(client.getClientId());
    TokenTypeHint tth = TokenTypeHint.getByValue(tokenTypeHint);
    AuthorizationGrant authorizationGrant = null;
    if (tth == TokenTypeHint.ACCESS_TOKEN) {
        authorizationGrant = authorizationGrantList.getAuthorizationGrantByAccessToken(token);
    } else if (tth == TokenTypeHint.REFRESH_TOKEN) {
        authorizationGrant = authorizationGrantList.getAuthorizationGrantByRefreshToken(client.getClientId(), token);
    } else {
        // Since the hint about the type of the token submitted for revocation is optional. oxAuth will
        // search it as Access Token then as Refresh Token.
        authorizationGrant = authorizationGrantList.getAuthorizationGrantByAccessToken(token);
        if (authorizationGrant == null) {
            authorizationGrant = authorizationGrantList.getAuthorizationGrantByRefreshToken(client.getClientId(), token);
        }
    }
    if (authorizationGrant == null) {
        log.trace("Unable to find token.");
        return response(builder, oAuth2AuditLog);
    }
    if (!authorizationGrant.getClientId().equals(client.getClientId())) {
        log.trace("Token was issued with client {} but revoke is requested with client {}. Skip revoking.", authorizationGrant.getClientId(), client.getClientId());
        return response(builder, oAuth2AuditLog);
    }
    RevokeTokenContext revokeTokenContext = new RevokeTokenContext(request, client, authorizationGrant, builder);
    final boolean scriptResult = externalRevokeTokenService.revokeTokenMethods(revokeTokenContext);
    if (!scriptResult) {
        log.trace("Revoke is forbidden by 'Revoke Token' custom script (method returned false). Exit without revoking.");
        return response(builder, oAuth2AuditLog);
    }
    grantService.removeAllByGrantId(authorizationGrant.getGrantId());
    log.trace("Revoked successfully.");
    return response(builder, oAuth2AuditLog);
}
Also used : HttpServletResponse(javax.servlet.http.HttpServletResponse) Response(javax.ws.rs.core.Response) SessionClient(org.gluu.oxauth.model.session.SessionClient) OAuth2AuditLog(org.gluu.oxauth.model.audit.OAuth2AuditLog) RevokeTokenContext(org.gluu.oxauth.service.external.context.RevokeTokenContext) TokenTypeHint(org.gluu.oxauth.model.common.TokenTypeHint) SessionClient(org.gluu.oxauth.model.session.SessionClient) Client(org.gluu.oxauth.model.registration.Client) AuthorizationGrant(org.gluu.oxauth.model.common.AuthorizationGrant)

Example 4 with SessionClient

use of org.gluu.oxauth.model.session.SessionClient in project oxAuth by GluuFederation.

the class DeviceAuthorizationRestWebServiceImpl method deviceAuthorization.

@Override
public Response deviceAuthorization(String clientId, String scope, HttpServletRequest httpRequest, HttpServletResponse httpResponse, SecurityContext securityContext) {
    // it may be encoded
    scope = ServerUtil.urlDecode(scope);
    OAuth2AuditLog oAuth2AuditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(httpRequest), Action.DEVICE_CODE_AUTHORIZATION);
    oAuth2AuditLog.setClientId(clientId);
    oAuth2AuditLog.setScope(scope);
    try {
        log.debug("Attempting to request device codes: clientId = {}, scope = {}", clientId, scope);
        SessionClient sessionClient = identity.getSessionClient();
        Client client = sessionClient != null ? sessionClient.getClient() : null;
        if (client == null) {
            client = clientService.getClient(clientId);
            if (!clientService.isPublic(client)) {
                log.trace("Client is not public and not authenticated. Skip device authorization, clientId: {}", clientId);
                throw errorResponseFactory.createWebApplicationException(Response.Status.UNAUTHORIZED, INVALID_CLIENT, "");
            }
        }
        if (client == null) {
            log.trace("Client is not unknown. Skip revoking.");
            throw errorResponseFactory.createWebApplicationException(Response.Status.UNAUTHORIZED, INVALID_CLIENT, "");
        }
        if (!deviceAuthorizationService.hasDeviceCodeCompatibility(client)) {
            throw errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, INVALID_GRANT, "");
        }
        List<String> scopes = new ArrayList<>();
        if (StringHelper.isNotEmpty(scope)) {
            Set<String> grantedScopes = scopeChecker.checkScopesPolicy(client, scope);
            scopes.addAll(grantedScopes);
        }
        // Entropy 20^8 which is suggested in the RFC8628 section 6.1
        String userCode = StringUtils.generateRandomReadableCode((byte) 8);
        // Entropy 160 bits which is over userCode entropy based on RFC8628 section 5.2
        String deviceCode = StringUtils.generateRandomCode((byte) 24);
        URI verificationUri = UriBuilder.fromUri(appConfiguration.getIssuer()).path("device-code").build();
        int expiresIn = appConfiguration.getDeviceAuthzRequestExpiresIn();
        int interval = appConfiguration.getDeviceAuthzTokenPollInterval();
        long lastAccess = System.currentTimeMillis();
        DeviceAuthorizationStatus status = DeviceAuthorizationStatus.PENDING;
        DeviceAuthorizationCacheControl deviceAuthorizationCacheControl = new DeviceAuthorizationCacheControl(userCode, deviceCode, client, scopes, verificationUri, expiresIn, interval, lastAccess, status);
        deviceAuthorizationService.saveInCache(deviceAuthorizationCacheControl, true, true);
        log.info("Device authorization flow initiated, userCode: {}, deviceCode: {}, clientId: {}, verificationUri: {}, expiresIn: {}, interval: {}", userCode, deviceCode, clientId, verificationUri, expiresIn, interval);
        applicationAuditLogger.sendMessage(oAuth2AuditLog);
        return Response.ok().entity(getResponseJSONObject(deviceAuthorizationCacheControl).toString(4).replace("\\/", "/")).type(MediaType.APPLICATION_JSON_TYPE).build();
    } catch (WebApplicationException wae) {
        throw wae;
    } catch (Exception e) {
        log.error("Problems processing device authorization init flow, clientId: {}, scope: {}", clientId, scope, e);
        return Response.status(Response.Status.INTERNAL_SERVER_ERROR).build();
    }
}
Also used : DeviceAuthorizationCacheControl(org.gluu.oxauth.model.common.DeviceAuthorizationCacheControl) WebApplicationException(javax.ws.rs.WebApplicationException) SessionClient(org.gluu.oxauth.model.session.SessionClient) OAuth2AuditLog(org.gluu.oxauth.model.audit.OAuth2AuditLog) ArrayList(java.util.ArrayList) URI(java.net.URI) JSONException(org.json.JSONException) WebApplicationException(javax.ws.rs.WebApplicationException) DeviceAuthorizationStatus(org.gluu.oxauth.model.common.DeviceAuthorizationStatus) SessionClient(org.gluu.oxauth.model.session.SessionClient) Client(org.gluu.oxauth.model.registration.Client)

Example 5 with SessionClient

use of org.gluu.oxauth.model.session.SessionClient in project oxAuth by GluuFederation.

the class AuthenticationService method configureSessionClient.

public void configureSessionClient(Client client) {
    SessionClient sessionClient = new SessionClient();
    sessionClient.setClient(client);
    identity.setSessionClient(sessionClient);
    clientService.updateAccessTime(client, true);
}
Also used : SessionClient(org.gluu.oxauth.model.session.SessionClient)

Aggregations

SessionClient (org.gluu.oxauth.model.session.SessionClient)6 OAuth2AuditLog (org.gluu.oxauth.model.audit.OAuth2AuditLog)4 Client (org.gluu.oxauth.model.registration.Client)4 HttpServletResponse (javax.servlet.http.HttpServletResponse)3 WebApplicationException (javax.ws.rs.WebApplicationException)3 Response (javax.ws.rs.core.Response)3 JSONException (org.json.JSONException)3 ArrayList (java.util.ArrayList)2 Date (java.util.Date)2 Function (com.google.common.base.Function)1 Strings (com.google.common.base.Strings)1 URI (java.net.URI)1 Arrays (java.util.Arrays)1 Inject (javax.inject.Inject)1 HttpServletRequest (javax.servlet.http.HttpServletRequest)1 Path (javax.ws.rs.Path)1 MediaType (javax.ws.rs.core.MediaType)1 ResponseBuilder (javax.ws.rs.core.Response.ResponseBuilder)1 SecurityContext (javax.ws.rs.core.SecurityContext)1 StringUtils (org.apache.commons.lang.StringUtils)1