Search in sources :

Example 1 with PushedAuthzRequestStoreProvider

use of org.keycloak.models.PushedAuthzRequestStoreProvider in project keycloak by keycloak.

the class ParEndpoint method request.

@Path("/")
@POST
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@Produces(MediaType.APPLICATION_JSON)
public Response request() {
    ProfileHelper.requireFeature(Profile.Feature.PAR);
    cors = Cors.add(httpRequest).auth().allowedMethods("POST").auth().exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS);
    event.event(EventType.PUSHED_AUTHORIZATION_REQUEST);
    checkSsl();
    checkRealm();
    authorizeClient();
    if (httpRequest.getDecodedFormParameters().containsKey(REQUEST_URI_PARAM)) {
        throw throwErrorResponseException(OAuthErrorException.INVALID_REQUEST, "It is not allowed to include request_uri to PAR.", Response.Status.BAD_REQUEST);
    }
    try {
        authorizationRequest = AuthorizationEndpointRequestParserProcessor.parseRequest(event, session, client, httpRequest.getDecodedFormParameters());
    } catch (Exception e) {
        throw throwErrorResponseException(OAuthErrorException.INVALID_REQUEST_OBJECT, e.getMessage(), Response.Status.BAD_REQUEST);
    }
    AuthorizationEndpointChecker checker = new AuthorizationEndpointChecker().event(event).client(client).realm(realm).request(authorizationRequest).session(session);
    try {
        checker.checkRedirectUri();
    } catch (AuthorizationEndpointChecker.AuthorizationCheckException ex) {
        throw throwErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Invalid parameter: redirect_uri", Response.Status.BAD_REQUEST);
    }
    try {
        checker.checkResponseType();
    } catch (AuthorizationEndpointChecker.AuthorizationCheckException ex) {
        if (ex.getError().equals(OAuthErrorException.UNSUPPORTED_RESPONSE_TYPE)) {
            throw throwErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Unsupported response type", Response.Status.BAD_REQUEST);
        } else {
            ex.throwAsCorsErrorResponseException(cors);
        }
    }
    try {
        checker.checkValidScope();
    } catch (AuthorizationEndpointChecker.AuthorizationCheckException ex) {
        // PAR throws this as "invalid_request" error
        throw throwErrorResponseException(OAuthErrorException.INVALID_REQUEST, ex.getErrorDescription(), Response.Status.BAD_REQUEST);
    }
    try {
        checker.checkInvalidRequestMessage();
        checker.checkOIDCRequest();
        checker.checkOIDCParams();
        checker.checkPKCEParams();
    } catch (AuthorizationEndpointChecker.AuthorizationCheckException ex) {
        ex.throwAsCorsErrorResponseException(cors);
    }
    try {
        session.clientPolicy().triggerOnEvent(new PushedAuthorizationRequestContext(authorizationRequest, httpRequest.getDecodedFormParameters()));
    } catch (ClientPolicyException cpe) {
        throw throwErrorResponseException(cpe.getError(), cpe.getErrorDetail(), Response.Status.BAD_REQUEST);
    }
    Map<String, String> params = new HashMap<>();
    UUID key = UUID.randomUUID();
    String requestUri = REQUEST_URI_PREFIX + key.toString();
    int expiresIn = realm.getParPolicy().getRequestUriLifespan();
    httpRequest.getDecodedFormParameters().forEach((k, v) -> {
        // PAR store only accepts Map so that MultivaluedMap needs to be converted to Map.
        String singleValue = String.valueOf(v).replace("[", "").replace("]", "");
        params.put(k, singleValue);
    });
    params.put(PAR_CREATED_TIME, String.valueOf(System.currentTimeMillis()));
    PushedAuthzRequestStoreProvider parStore = session.getProvider(PushedAuthzRequestStoreProvider.class);
    parStore.put(key, expiresIn, params);
    ParResponse parResponse = new ParResponse(requestUri, expiresIn);
    session.getProvider(SecurityHeadersProvider.class).options().allowEmptyContentType();
    return cors.builder(Response.status(Response.Status.CREATED).entity(parResponse).type(MediaType.APPLICATION_JSON_TYPE)).build();
}
Also used : PushedAuthzRequestStoreProvider(org.keycloak.models.PushedAuthzRequestStoreProvider) ParResponse(org.keycloak.protocol.oidc.par.ParResponse) AuthorizationEndpointChecker(org.keycloak.protocol.oidc.endpoints.AuthorizationEndpointChecker) HashMap(java.util.HashMap) PushedAuthorizationRequestContext(org.keycloak.protocol.oidc.par.clientpolicy.context.PushedAuthorizationRequestContext) UUID(java.util.UUID) OAuthErrorException(org.keycloak.OAuthErrorException) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException) Path(javax.ws.rs.Path) POST(javax.ws.rs.POST) Consumes(javax.ws.rs.Consumes) Produces(javax.ws.rs.Produces)

Aggregations

HashMap (java.util.HashMap)1 UUID (java.util.UUID)1 Consumes (javax.ws.rs.Consumes)1 POST (javax.ws.rs.POST)1 Path (javax.ws.rs.Path)1 Produces (javax.ws.rs.Produces)1 OAuthErrorException (org.keycloak.OAuthErrorException)1 PushedAuthzRequestStoreProvider (org.keycloak.models.PushedAuthzRequestStoreProvider)1 AuthorizationEndpointChecker (org.keycloak.protocol.oidc.endpoints.AuthorizationEndpointChecker)1 ParResponse (org.keycloak.protocol.oidc.par.ParResponse)1 PushedAuthorizationRequestContext (org.keycloak.protocol.oidc.par.clientpolicy.context.PushedAuthorizationRequestContext)1 ClientPolicyException (org.keycloak.services.clientpolicy.ClientPolicyException)1