use of org.pac4j.core.context.WebContext in project cas by apereo.
the class OAuth20AuthorizationCodeGrantTypeTokenRequestValidator method validateInternal.
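@Override
protected boolean validateInternal(final WebContext context, final String grantType, final ProfileManager manager, final UserProfile uProfile) {
    /*
     * Validates an authorization-code grant token request.
     *
     * Steps, in order: resolve the registered service for the client id taken from the
     * profile and ensure access is allowed; require both redirect_uri and code to be
     * present and the redirect_uri to be a registered callback; load the code ticket;
     * run the access-strategy enforcer against the service the code was issued to;
     * require that service to be the one the client resolved to; require the grant
     * type to be supported by the service.
     *
     * Returns true only when every check passes. An expired or unknown code also triggers
     * a best-effort revocation of access tokens that reference it before returning false.
     * ensureServiceAccessIsAllowed and throwExceptionIfNeeded may throw instead of returning.
     */
    val clientId = uProfile.getId();
    val redirectUri = OAuth20Utils.getRequestParameter(context, OAuth20Constants.REDIRECT_URI);
    val code = OAuth20Utils.getRequestParameter(context, OAuth20Constants.CODE);

    LOGGER.debug("Locating registered service for client id [{}]", clientId);
    val registeredService = OAuth20Utils.getRegisteredOAuthServiceByClientId(getConfigurationContext().getServicesManager(), clientId);
    RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(registeredService);
    LOGGER.debug("Received grant type [{}] with client id [{}] and redirect URI [{}]", grantType, clientId, redirectUri);

    // checkCallbackValid is evaluated last so redirectUri.get() only runs on a present value.
    val valid = redirectUri.isPresent() && code.isPresent()
        && OAuth20Utils.checkCallbackValid(registeredService, redirectUri.get());
    if (!valid) {
        LOGGER.warn("Access token request cannot be validated for grant type [{}] and client id [{}] given the redirect URI [{}]", grantType, clientId, redirectUri);
        return false;
    }

    // NOTE(review): the raw authorization code value is written to debug/warn output below;
    // treat these log streams as sensitive.
    val token = getConfigurationContext().getTicketRegistry().getTicket(code.get(), OAuth20Code.class);
    if (token == null || token.isExpired()) {
        LOGGER.debug("Code [{}] is invalid or expired. Attempting to revoke access tokens issued to the code", code.get());
        // Revoke any access token that still references this code.
        // assumes OAuth20AccessToken#getToken holds the code the token was issued from — confirm
        val accessTokensByCode = getConfigurationContext().getTicketRegistry().getTickets(ticket ->
            ticket instanceof OAuth20AccessToken
                && StringUtils.equalsIgnoreCase(((OAuth20AccessToken) ticket).getToken(), code.get()));
        accessTokensByCode.forEach(Unchecked.consumer(ticket -> {
            LOGGER.debug("Removing access token [{}] issued via expired/unknown code [{}]", ticket.getId(), code.get());
            getConfigurationContext().getTicketRegistry().deleteTicket(ticket);
        }));
        LOGGER.warn("Request OAuth code [{}] is not found or has expired", code.get());
        return false;
    }

    // The code carries the service it was issued to; that service must pass the access
    // strategy and must be the same service the requesting client resolved to above.
    val id = token.getService().getId();
    val codeRegisteredService = OAuth20Utils.getRegisteredOAuthServiceByClientId(getConfigurationContext().getServicesManager(), id);
    val audit = AuditableContext.builder()
        .service(token.getService())
        .authentication(token.getAuthentication())
        .registeredService(codeRegisteredService)
        .build();
    val accessResult = getConfigurationContext().getRegisteredServiceAccessStrategyEnforcer().execute(audit);
    accessResult.throwExceptionIfNeeded();
    if (!registeredService.equals(codeRegisteredService)) {
        // Log the unwrapped code value rather than the Optional wrapper (it is present here).
        LOGGER.warn("OAuth code [{}] issued to service [{}] does not match [{}] provided, given the redirect URI [{}]",
            code.get(), id, registeredService.getName(), redirectUri);
        return false;
    }
    if (!isGrantTypeSupportedBy(registeredService, grantType)) {
        // Log the grant type that was actually checked, i.e. the one received in the request.
        LOGGER.warn("Requested grant type [{}] is not authorized by service definition [{}]", grantType, registeredService.getServiceId());
        return false;
    }
    return true;
}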
use of org.pac4j.core.context.WebContext in project cas by apereo.
the class BaseDelegatedAuthenticationController method configureWebContextForRegisteredService.
/**
 * Configure web context for registered service.
 * Looks up the registered service for the ticket's service, enforces its access
 * strategy, and — only when the service defines any properties — pushes the
 * delegated-authn, SAML2 and OIDC property groups onto the web context, in that order.
 *
 * @param webContext the web context
 * @param ticket the ticket
 */
protected void configureWebContextForRegisteredService(final WebContext webContext, final TransientSessionTicket ticket) {
    val service = ticket.getService();
    val registeredService = configurationContext.getServicesManager().findServiceBy(service);
    val auditContext = AuditableContext.builder()
        .service(service)
        .registeredService(registeredService)
        .build();
    val accessResult = configurationContext.getRegisteredServiceAccessStrategyEnforcer().execute(auditContext);
    accessResult.throwExceptionIfNeeded();

    if (registeredService.getProperties().isEmpty()) {
        return;
    }
    val allProperties = RegisteredServiceProperties.values();

    val delegatedAuthnProperties = Arrays.stream(allProperties)
        .filter(prop -> prop.isMemberOf(RegisteredServicePropertyGroups.DELEGATED_AUTHN))
        .collect(Collectors.toList());
    configureWebContextForRegisteredServiceProperties(registeredService, webContext, delegatedAuthnProperties);

    val saml2Properties = Arrays.stream(allProperties)
        .filter(prop -> prop.isMemberOf(RegisteredServicePropertyGroups.DELEGATED_AUTHN_SAML2))
        .collect(Collectors.toList());
    configureWebContextForRegisteredServiceProperties(registeredService, webContext, saml2Properties);

    val oidcProperties = Arrays.stream(allProperties)
        .filter(prop -> prop.isMemberOf(RegisteredServicePropertyGroups.DELEGATED_AUTHN_OIDC))
        .collect(Collectors.toList());
    configureWebContextForRegisteredServiceProperties(registeredService, webContext, oidcProperties);
}
use of org.pac4j.core.context.WebContext in project cas by apereo.
the class BaseDelegatedAuthenticationController method getRedirectionAction.
/**
 * Gets redirection action.
 * Sets the force-authn and passive request attributes when the ticket properties
 * carry them, applies registered-service configuration when the ticket has a
 * service, lets every supporting request customizer (in annotation order) adjust
 * the context, then asks the client's redirection action builder for the action.
 *
 * @param client the client
 * @param webContext the web context
 * @param ticket the ticket
 * @return the redirection action
 */
protected Optional<RedirectionAction> getRedirectionAction(final IndirectClient client, final WebContext webContext, final TransientSessionTicket ticket) {
    val ticketProperties = ticket.getProperties();

    val forceAuthn = ticketProperties.containsKey(RedirectionActionBuilder.ATTRIBUTE_FORCE_AUTHN);
    if (forceAuthn) {
        webContext.setRequestAttribute(RedirectionActionBuilder.ATTRIBUTE_FORCE_AUTHN, true);
    }
    val passive = ticketProperties.containsKey(RedirectionActionBuilder.ATTRIBUTE_PASSIVE);
    if (passive) {
        webContext.setRequestAttribute(RedirectionActionBuilder.ATTRIBUTE_PASSIVE, true);
    }

    Optional.ofNullable(ticket.getService())
        .ifPresent(service -> configureWebContextForRegisteredService(webContext, ticket));

    val customizers = configurationContext.getDelegatedClientAuthenticationRequestCustomizers();
    customizers.stream()
        .sorted(AnnotationAwareOrderComparator.INSTANCE)
        .filter(customizer -> customizer.supports(client, webContext))
        .forEach(customizer -> customizer.customize(client, webContext));

    return client.getRedirectionActionBuilder().getRedirectionAction(webContext, configurationContext.getSessionStore());
}
use of org.pac4j.core.context.WebContext in project cas by apereo.
the class OidcAuthenticationAuthorizeSecurityLogic method loadProfiles.
@Override
protected List<UserProfile> loadProfiles(final ProfileManager manager, final WebContext context, final SessionStore sessionStore, final List<Client> clients) {
    /*
     * Returns no profiles (forcing re-authentication) when the authorization request
     * carries prompt=login, or when it carries max_age and any existing profile's CAS
     * authentication is older than that; otherwise defers to the parent implementation.
     */
    val prompts = OidcRequestSupport.getOidcPromptFromAuthorizationRequest(context);
    LOGGER.debug("Located OpenID Connect prompts from request as [{}]", prompts);

    val maxAge = OidcRequestSupport.getOidcMaxAgeFromAuthorizationRequest(context);
    boolean authenticationTooOld = false;
    if (maxAge.isPresent()) {
        // Only consult the profile manager when max_age was actually requested.
        authenticationTooOld = manager.getProfile(BasicUserProfile.class)
            .stream()
            .anyMatch(profile -> OidcRequestSupport.isCasAuthenticationOldForMaxAgeAuthorizationRequest(context, profile));
    }

    if (authenticationTooOld || prompts.contains(OidcConstants.PROMPT_LOGIN)) {
        return new ArrayList<>(0);
    }
    return super.loadProfiles(manager, context, sessionStore, clients);
}
use of org.pac4j.core.context.WebContext in project cas by apereo.
the class OidcConsentApprovalViewResolver method prepareApprovalViewModel.
@Override
protected void prepareApprovalViewModel(final Map<String, Object> model, final WebContext webContext, final OAuthRegisteredService svc) throws Exception {
    /*
     * Adds OIDC-specific entries to the consent approval view model. Nothing beyond the
     * parent's work happens unless the service is an OidcRegisteredService. The scopes
     * shown are the discovery scopes restricted to the service's scopes and then to the
     * requested scopes, with "openid" always included; a pushed authorization request
     * referenced via request_uri contributes its scopes and claims as well.
     */
    super.prepareApprovalViewModel(model, webContext, svc);
    if (!(svc instanceof OidcRegisteredService)) {
        return;
    }
    val oidcService = (OidcRegisteredService) svc;
    model.put("dynamic", oidcService.isDynamicallyRegistered());
    model.put("dynamicTime", oidcService.getDynamicRegistrationDateTime());

    val discoveryScopes = casProperties.getAuthn().getOidc().getDiscovery().getScopes();
    val scopes = new HashSet<>(discoveryScopes);
    scopes.retainAll(oidcService.getScopes());

    val requestedScopes = OAuth20Utils.getRequestedScopes(webContext);
    val userInfoClaims = OAuth20Utils.parseUserInfoRequestClaims(webContext);

    // request_uri is a caller-supplied value used only as a ticket id for a registry lookup;
    // presumably getTicket fails for an unknown id and Unchecked.consumer surfaces that — verify.
    val pushedRequestUri = webContext.getRequestParameter(OidcConstants.REQUEST_URI);
    pushedRequestUri.ifPresent(Unchecked.consumer(uri -> {
        val pushedRequest = centralAuthenticationService.getTicket(uri, OidcPushedAuthorizationRequest.class);
        val pushedRequestFactory = (OidcPushedAuthorizationRequestFactory) centralAuthenticationService
            .getTicketFactory()
            .get(OidcPushedAuthorizationRequest.class);
        val holder = pushedRequestFactory.toAccessTokenRequest(pushedRequest);
        userInfoClaims.addAll(holder.getClaims().keySet());
        requestedScopes.addAll(holder.getScopes());
    }));

    scopes.retainAll(requestedScopes);
    scopes.add(OidcConstants.StandardScopes.OPENID.getScope());
    model.put("scopes", scopes);
    model.put("userInfoClaims", userInfoClaims);
}