Search in sources :

Example 1 with DynamicScopeExternalContext

use of org.gluu.oxauth.service.external.context.DynamicScopeExternalContext in project oxAuth by GluuFederation.

the class ExternalDynamicScopeService method executeExternalGetSupportedClaimsMethods.

public List<String> executeExternalGetSupportedClaimsMethods(List<Scope> dynamicScope) {
    DynamicScopeExternalContext context = new DynamicScopeExternalContext(dynamicScope, null, null);
    Set<String> result = new HashSet<String>();
    for (CustomScriptConfiguration customScriptConfiguration : getScriptsToExecute(context)) {
        List<String> scriptResult = executeExternalGetSupportedClaimsMethod(customScriptConfiguration);
        if (scriptResult != null) {
            result.addAll(scriptResult);
        }
    }
    return new ArrayList<String>(result);
}
Also used : ArrayList(java.util.ArrayList) DynamicScopeExternalContext(org.gluu.oxauth.service.external.context.DynamicScopeExternalContext) CustomScriptConfiguration(org.gluu.model.custom.script.conf.CustomScriptConfiguration) HashSet(java.util.HashSet)

Example 2 with DynamicScopeExternalContext

use of org.gluu.oxauth.service.external.context.DynamicScopeExternalContext in project oxAuth by GluuFederation.

the class IdTokenFactory method fillClaims.

private void fillClaims(JsonWebResponse jwr, IAuthorizationGrant authorizationGrant, String nonce, AuthorizationCode authorizationCode, AccessToken accessToken, RefreshToken refreshToken, String state, Set<String> scopes, boolean includeIdTokenClaims, Function<JsonWebResponse, Void> preProcessing, Function<JsonWebResponse, Void> postProcessing) throws Exception {
    jwr.getClaims().setIssuer(appConfiguration.getIssuer());
    Audience.setAudience(jwr.getClaims(), authorizationGrant.getClient());
    int lifeTime = appConfiguration.getIdTokenLifetime();
    Calendar calendar = Calendar.getInstance();
    Date issuedAt = calendar.getTime();
    calendar.add(Calendar.SECOND, lifeTime);
    Date expiration = calendar.getTime();
    jwr.getClaims().setExpirationTime(expiration);
    jwr.getClaims().setIssuedAt(issuedAt);
    jwr.setClaim("code", UUID.randomUUID().toString());
    if (preProcessing != null) {
        preProcessing.apply(jwr);
    }
    final SessionId session = sessionIdService.getSessionByDn(authorizationGrant.getSessionDn());
    if (session != null) {
        jwr.setClaim("sid", session.getOutsideSid());
    }
    if (authorizationGrant.getAcrValues() != null) {
        jwr.setClaim(JwtClaimName.AUTHENTICATION_CONTEXT_CLASS_REFERENCE, authorizationGrant.getAcrValues());
        setAmrClaim(jwr, authorizationGrant.getAcrValues());
    }
    if (StringUtils.isNotBlank(nonce)) {
        jwr.setClaim(JwtClaimName.NONCE, nonce);
    }
    if (authorizationGrant.getAuthenticationTime() != null) {
        jwr.getClaims().setClaim(JwtClaimName.AUTHENTICATION_TIME, authorizationGrant.getAuthenticationTime());
    }
    if (authorizationCode != null) {
        String codeHash = AbstractToken.getHash(authorizationCode.getCode(), jwr.getHeader().getSignatureAlgorithm());
        jwr.setClaim(JwtClaimName.CODE_HASH, codeHash);
    }
    if (accessToken != null) {
        String accessTokenHash = AbstractToken.getHash(accessToken.getCode(), jwr.getHeader().getSignatureAlgorithm());
        jwr.setClaim(JwtClaimName.ACCESS_TOKEN_HASH, accessTokenHash);
    }
    if (Strings.isNotBlank(state)) {
        String stateHash = AbstractToken.getHash(state, jwr.getHeader().getSignatureAlgorithm());
        jwr.setClaim(JwtClaimName.STATE_HASH, stateHash);
    }
    if (authorizationGrant.getGrantType() != null) {
        jwr.setClaim("grant", authorizationGrant.getGrantType().getValue());
    }
    jwr.setClaim(JwtClaimName.OX_OPENID_CONNECT_VERSION, appConfiguration.getOxOpenIdConnectVersion());
    User user = authorizationGrant.getUser();
    List<Scope> dynamicScopes = new ArrayList<>();
    if (includeIdTokenClaims && authorizationGrant.getClient().isIncludeClaimsInIdToken()) {
        for (String scopeName : scopes) {
            Scope scope = scopeService.getScopeById(scopeName);
            if (scope == null) {
                continue;
            }
            if (DYNAMIC == scope.getScopeType()) {
                dynamicScopes.add(scope);
                continue;
            }
            Map<String, Object> claims = scopeService.getClaims(user, scope);
            if (Boolean.TRUE.equals(scope.isOxAuthGroupClaims())) {
                JwtSubClaimObject groupClaim = new JwtSubClaimObject();
                groupClaim.setName(scope.getId());
                for (Map.Entry<String, Object> entry : claims.entrySet()) {
                    String key = entry.getKey();
                    Object value = entry.getValue();
                    if (value instanceof List) {
                        groupClaim.setClaim(key, (List) value);
                    } else {
                        groupClaim.setClaim(key, (String) value);
                    }
                }
                jwr.getClaims().setClaim(scope.getId(), groupClaim);
            } else {
                for (Map.Entry<String, Object> entry : claims.entrySet()) {
                    String key = entry.getKey();
                    Object value = entry.getValue();
                    if (value instanceof List) {
                        jwr.getClaims().setClaim(key, (List) value);
                    } else if (value instanceof Boolean) {
                        jwr.getClaims().setClaim(key, (Boolean) value);
                    } else if (value instanceof Date) {
                        jwr.getClaims().setClaim(key, ((Date) value).getTime() / 1000);
                    } else {
                        jwr.setClaim(key, (String) value);
                    }
                }
            }
            jwr.getClaims().setSubjectIdentifier(authorizationGrant.getUser().getAttribute("inum"));
        }
    }
    setClaimsFromJwtAuthorizationRequest(jwr, authorizationGrant, scopes);
    jwrService.setSubjectIdentifier(jwr, authorizationGrant);
    if ((dynamicScopes.size() > 0) && externalDynamicScopeService.isEnabled()) {
        final UnmodifiableAuthorizationGrant unmodifiableAuthorizationGrant = new UnmodifiableAuthorizationGrant(authorizationGrant);
        DynamicScopeExternalContext dynamicScopeContext = new DynamicScopeExternalContext(dynamicScopes, jwr, unmodifiableAuthorizationGrant);
        externalDynamicScopeService.executeExternalUpdateMethods(dynamicScopeContext);
    }
    processCiba(jwr, authorizationGrant, refreshToken);
    if (postProcessing != null) {
        postProcessing.apply(jwr);
    }
}
Also used : DynamicScopeExternalContext(org.gluu.oxauth.service.external.context.DynamicScopeExternalContext) JwtSubClaimObject(org.gluu.oxauth.model.jwt.JwtSubClaimObject) Scope(org.oxauth.persistence.model.Scope) JwtSubClaimObject(org.gluu.oxauth.model.jwt.JwtSubClaimObject)

Example 3 with DynamicScopeExternalContext

use of org.gluu.oxauth.service.external.context.DynamicScopeExternalContext in project oxAuth by GluuFederation.

the class UserInfoRestWebServiceImpl method getJSonResponse.

/**
 * Builds a JSon String with the response parameters.
 */
public String getJSonResponse(User user, AuthorizationGrant authorizationGrant, Collection<String> scopes) throws Exception {
    log.trace("Building JSON reponse with next scopes {0} for user {1} and user custom attributes {0}", scopes, user.getUserId(), user.getCustomAttributes());
    JsonWebResponse jsonWebResponse = new JsonWebResponse();
    // Claims
    List<Scope> dynamicScopes = new ArrayList<Scope>();
    for (String scopeName : scopes) {
        org.oxauth.persistence.model.Scope scope = scopeService.getScopeById(scopeName);
        if ((scope != null) && (org.gluu.oxauth.model.common.ScopeType.DYNAMIC == scope.getScopeType())) {
            dynamicScopes.add(scope);
            continue;
        }
        Map<String, Object> claims = scopeService.getClaims(user, scope);
        if (claims == null) {
            continue;
        }
        if (scope != null && Boolean.TRUE.equals(scope.isOxAuthGroupClaims())) {
            JwtSubClaimObject groupClaim = new JwtSubClaimObject();
            groupClaim.setName(scope.getId());
            for (Map.Entry<String, Object> entry : claims.entrySet()) {
                String key = entry.getKey();
                Object value = entry.getValue();
                if (value instanceof List) {
                    groupClaim.setClaim(key, (List<String>) value);
                } else {
                    groupClaim.setClaim(key, String.valueOf(value));
                }
            }
            jsonWebResponse.getClaims().setClaim(scope.getId(), groupClaim);
        } else {
            for (Map.Entry<String, Object> entry : claims.entrySet()) {
                String key = entry.getKey();
                Object value = entry.getValue();
                if (value instanceof List) {
                    jsonWebResponse.getClaims().setClaim(key, (List<String>) value);
                } else if (value instanceof Boolean) {
                    jsonWebResponse.getClaims().setClaim(key, (Boolean) value);
                } else if (value instanceof Date) {
                    jsonWebResponse.getClaims().setClaim(key, ((Date) value).getTime() / 1000);
                } else {
                    jsonWebResponse.getClaims().setClaim(key, String.valueOf(value));
                }
            }
        }
    }
    if (authorizationGrant.getClaims() != null) {
        JSONObject claimsObj = new JSONObject(authorizationGrant.getClaims());
        if (claimsObj.has("userinfo")) {
            JSONObject userInfoObj = claimsObj.getJSONObject("userinfo");
            for (Iterator<String> it = userInfoObj.keys(); it.hasNext(); ) {
                String claimName = it.next();
                // ClaimValueType.OPTIONAL.equals(claim.getClaimValue().getClaimValueType());
                boolean optional = true;
                GluuAttribute gluuAttribute = attributeService.getByClaimName(claimName);
                if (gluuAttribute != null) {
                    String ldapClaimName = gluuAttribute.getName();
                    Object attribute = user.getAttribute(ldapClaimName, optional, gluuAttribute.getOxMultiValuedAttribute());
                    jsonWebResponse.getClaims().setClaimFromJsonObject(claimName, attribute);
                }
            }
        }
    }
    if (authorizationGrant.getJwtAuthorizationRequest() != null && authorizationGrant.getJwtAuthorizationRequest().getUserInfoMember() != null) {
        for (Claim claim : authorizationGrant.getJwtAuthorizationRequest().getUserInfoMember().getClaims()) {
            // ClaimValueType.OPTIONAL.equals(claim.getClaimValue().getClaimValueType());
            boolean optional = true;
            GluuAttribute gluuAttribute = attributeService.getByClaimName(claim.getName());
            if (gluuAttribute != null) {
                Client client = authorizationGrant.getClient();
                if (validateRequesteClaim(gluuAttribute, client.getClaims(), scopes)) {
                    String ldapClaimName = gluuAttribute.getName();
                    Object attribute = user.getAttribute(ldapClaimName, optional, gluuAttribute.getOxMultiValuedAttribute());
                    jsonWebResponse.getClaims().setClaimFromJsonObject(claim.getName(), attribute);
                }
            }
        }
    }
    jsonWebResponse.getClaims().setSubjectIdentifier(authorizationGrant.getSub());
    if ((dynamicScopes.size() > 0) && externalDynamicScopeService.isEnabled()) {
        final UnmodifiableAuthorizationGrant unmodifiableAuthorizationGrant = new UnmodifiableAuthorizationGrant(authorizationGrant);
        DynamicScopeExternalContext dynamicScopeContext = new DynamicScopeExternalContext(dynamicScopes, jsonWebResponse, unmodifiableAuthorizationGrant);
        externalDynamicScopeService.executeExternalUpdateMethods(dynamicScopeContext);
    }
    return jsonWebResponse.toString();
}
Also used : JsonWebResponse(org.gluu.oxauth.model.token.JsonWebResponse) DynamicScopeExternalContext(org.gluu.oxauth.service.external.context.DynamicScopeExternalContext) JwtSubClaimObject(org.gluu.oxauth.model.jwt.JwtSubClaimObject) GluuAttribute(org.gluu.model.GluuAttribute) Scope(org.oxauth.persistence.model.Scope) JSONObject(org.json.JSONObject) JwtSubClaimObject(org.gluu.oxauth.model.jwt.JwtSubClaimObject) JSONObject(org.json.JSONObject) Client(org.gluu.oxauth.model.registration.Client) Claim(org.gluu.oxauth.model.authorize.Claim) Scope(org.oxauth.persistence.model.Scope)

Aggregations

DynamicScopeExternalContext (org.gluu.oxauth.service.external.context.DynamicScopeExternalContext)3 JwtSubClaimObject (org.gluu.oxauth.model.jwt.JwtSubClaimObject)2 Scope (org.oxauth.persistence.model.Scope)2 ArrayList (java.util.ArrayList)1 HashSet (java.util.HashSet)1 GluuAttribute (org.gluu.model.GluuAttribute)1 CustomScriptConfiguration (org.gluu.model.custom.script.conf.CustomScriptConfiguration)1 Claim (org.gluu.oxauth.model.authorize.Claim)1 Client (org.gluu.oxauth.model.registration.Client)1 JsonWebResponse (org.gluu.oxauth.model.token.JsonWebResponse)1 JSONObject (org.json.JSONObject)1