
Example 36 with OAuth2Error

use of org.springframework.security.oauth2.core.OAuth2Error in project midpoint by Evolveum.

Class OidcResourceServerModuleAuthentication, method getRealmFroHeader (builds the WWW-Authenticate header value for a failed bearer-token authentication):

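/**
 * Builds the {@code WWW-Authenticate} header value for a failed bearer-token
 * authentication.
 *
 * <p>The base value comes from {@code super.getRealmFroHeader(authException)}. When the
 * failure is an {@link OAuth2AuthenticationException}, the OAuth2 error details are
 * appended as {@code key="value"} parameters in this order: {@code error} (always),
 * {@code error_description} and {@code error_uri} (when non-blank) and, for a
 * {@link BearerTokenError}, {@code scope} (when non-blank). Any other exception type
 * yields the base value unchanged.
 *
 * <p>Security: the parameter values end up inside HTTP quoted-strings. The error
 * description is built elsewhere and may echo messages produced while decoding a
 * client-supplied token, so an unescaped {@code "} or {@code \} would terminate the
 * quoted-string early and a CR/LF would split the header. Every value is therefore
 * passed through {@link #quoteHeaderValue(String)} before it is appended.
 *
 * @param authException the failure being reported to the client
 * @return the complete header value (base realm plus any OAuth2 error parameters)
 */
public String getRealmFroHeader(AuthenticationException authException) {
    // LinkedHashMap keeps the parameter order stable (error, description, uri, scope).
    Map<String, String> parameters = new LinkedHashMap<>();
    if (authException instanceof OAuth2AuthenticationException) {
        OAuth2Error error = ((OAuth2AuthenticationException) authException).getError();
        parameters.put("error", error.getErrorCode());
        if (org.springframework.util.StringUtils.hasText(error.getDescription())) {
            parameters.put("error_description", error.getDescription());
        }
        if (org.springframework.util.StringUtils.hasText(error.getUri())) {
            parameters.put("error_uri", error.getUri());
        }
        if (error instanceof BearerTokenError) {
            BearerTokenError bearerTokenError = (BearerTokenError) error;
            if (org.springframework.util.StringUtils.hasText(bearerTokenError.getScope())) {
                parameters.put("scope", bearerTokenError.getScope());
            }
        }
    }
    StringBuilder wwwAuthenticate = new StringBuilder(super.getRealmFroHeader(authException));
    parameters.forEach((key, value) -> wwwAuthenticate
            .append(", ")
            .append(key)
            .append("=\"")
            .append(quoteHeaderValue(value))
            .append('"'));
    return wwwAuthenticate.toString();
}

/**
 * Escapes a value for use inside an HTTP quoted-string (RFC 7230 §3.2.6): {@code \} and
 * {@code "} are backslash-escaped, and control characters (including CR and LF, which
 * could otherwise inject a new header line) are dropped. A {@code null} value becomes
 * the empty string.
 *
 * @param value raw parameter value
 * @return the value safe to place between double quotes in a header
 */
private static String quoteHeaderValue(String value) {
    if (value == null) {
        return "";
    }
    StringBuilder escaped = new StringBuilder(value.length() + 8);
    for (int i = 0; i < value.length(); i++) {
        char c = value.charAt(i);
        if (c == '"' || c == '\\') {
            escaped.append('\\').append(c);
        } else if (c >= 0x20 && c != 0x7F) {
            escaped.append(c);
        }
        // other control characters (CR, LF, NUL, ...) are intentionally dropped
    }
    return escaped.toString();
}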
Also used : OAuth2Error(org.springframework.security.oauth2.core.OAuth2Error) BearerTokenError(org.springframework.security.oauth2.server.resource.BearerTokenError) OAuth2AuthenticationException(org.springframework.security.oauth2.core.OAuth2AuthenticationException) LinkedHashMap(java.util.LinkedHashMap)

Example 37 with OAuth2Error

use of org.springframework.security.oauth2.core.OAuth2Error in project midpoint by Evolveum.

Class OidcLoginAuthenticationFilter, method attemptAuthentication (handles the authorization-code callback from the OpenID Provider):

/**
 * Handles the redirect back from the OpenID Provider and turns it into an authenticated
 * {@link MidpointAuthentication}.
 *
 * <p>Steps, in order: reject anything that is not an authorization response; load and
 * remove the pending {@link OAuth2AuthorizationRequest} (removal means it cannot be
 * consumed twice); look up the {@link ClientRegistration} named by the request's
 * {@code registration_id} attribute; rebuild {@code redirect_uri} from the current
 * request URL with its query string stripped; then hand the request/response pair to
 * the authentication manager.
 *
 * <p>Every failure is an {@link OAuth2AuthenticationException} with the message key
 * {@code web.security.provider.invalid}; only the unknown-registration case carries an
 * error description (it includes the registration id).
 *
 * <p>NOTE(review): this method does not itself compare the response {@code state} with
 * the stored request; that CSRF check is presumably done by the provider that consumes
 * the {@link OAuth2AuthorizationExchange} — confirm it is active. The redirect URI is
 * derived from the incoming request, so it is only as trustworthy as the request's
 * scheme/host (behind a proxy, forwarded headers must be resolved before this filter).
 *
 * @param request  the callback request from the provider
 * @param response the servlet response (used only to clear the stored authorization request)
 * @return the non-null authentication result
 * @throws AuthenticationException on any validation or authentication failure
 */
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
    MultiValueMap<String, String> callbackParams = toMultiMap(request.getParameterMap());
    if (!isAuthorizationResponse(callbackParams)) {
        throw invalidProvider(INVALID_REQUEST_ERROR_CODE, null);
    }

    OAuth2AuthorizationRequest pendingRequest =
            this.authorizationRequestRepository.removeAuthorizationRequest(request, response);
    if (pendingRequest == null) {
        throw invalidProvider(AUTHORIZATION_REQUEST_NOT_FOUND_ERROR_CODE, null);
    }

    String registrationId = pendingRequest.getAttribute("registration_id");
    ClientRegistration registration = this.clientRegistrationRepository.findByRegistrationId(registrationId);
    if (registration == null) {
        throw invalidProvider(CLIENT_REGISTRATION_NOT_FOUND_ERROR_CODE,
                "Client Registration not found with Id: " + registrationId);
    }

    // redirect_uri must match what was sent to the provider: current URL minus the query.
    String fullRequestUrl = UrlUtils.buildFullRequestUrl(request);
    String redirectUri = UriComponentsBuilder.fromHttpUrl(fullRequestUrl).replaceQuery(null).build().toUriString();
    OAuth2AuthorizationResponse callbackResponse = convert(callbackParams, redirectUri);

    OAuth2AuthorizationExchange exchange = new OAuth2AuthorizationExchange(pendingRequest, callbackResponse);
    OAuth2LoginAuthenticationToken loginToken = new OAuth2LoginAuthenticationToken(registration, exchange);
    MidpointAuthentication result = (MidpointAuthentication) this.getAuthenticationManager().authenticate(loginToken);
    Assert.notNull(result, "authentication result cannot be null");
    return result;
}

/**
 * Creates the uniform "invalid provider" failure: an {@link OAuth2Error} with the given
 * code and optional description (no error URI) wrapped in an
 * {@link OAuth2AuthenticationException} carrying the message key
 * {@code web.security.provider.invalid}.
 */
private static OAuth2AuthenticationException invalidProvider(String errorCode, String description) {
    OAuth2Error oauth2Error = new OAuth2Error(errorCode, description, null);
    return new OAuth2AuthenticationException(oauth2Error, "web.security.provider.invalid");
}
Also used : ClientRegistration(org.springframework.security.oauth2.client.registration.ClientRegistration) OAuth2AuthorizationExchange(org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationExchange) OAuth2Error(org.springframework.security.oauth2.core.OAuth2Error) OAuth2AuthorizationResponse(org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponse) OAuth2AuthenticationException(org.springframework.security.oauth2.core.OAuth2AuthenticationException) OAuth2AuthorizationRequest(org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest) MidpointAuthentication(com.evolveum.midpoint.authentication.api.config.MidpointAuthentication) OAuth2LoginAuthenticationToken(org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationToken)

Example 38 with OAuth2Error

use of org.springframework.security.oauth2.core.OAuth2Error in project midpoint by Evolveum.

Class OidcResourceServerModuleWebSecurityConfiguration, method buildInternal (selects and builds the JWT decoder from the resource-server configuration):

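/**
 * Builds the resource-server security configuration and selects its JWT decoder.
 *
 * <p>Decoder selection, first configured option wins:
 * <ol>
 *   <li>asymmetric key — from the key store if configured, otherwise from the trusting
 *       certificate; the trusted algorithm, when set, restricts accepted signatures;</li>
 *   <li>single symmetric key — decrypted with {@code protector}; if the clear value looks
 *       like Base64 (Base64url when it contains {@code -} or {@code _}) it is decoded,
 *       otherwise its UTF-8 bytes are the key; the MAC algorithm defaults to HS256 unless
 *       the trusted algorithm is set;</li>
 *   <li>JWK Set URI — pinned to the trusted algorithm when set, otherwise any JWS
 *       algorithm family advertised by the key set (fetched once, here, at build time);</li>
 *   <li>issuer URI — decoder discovered from the issuer's metadata.</li>
 * </ol>
 * If none is configured, {@code configuration.decoder} is left {@code null}.
 *
 * <p>Failure handling is fail-closed: a key that cannot be decrypted or decoded, or a
 * JWK Set that cannot be loaded, aborts the build with an
 * {@link OAuth2AuthenticationException} (error code {@code missing_key}) rather than
 * leaving the decoder unset.
 *
 * <p>NOTE(review): none of the builders used here is given an audience validator; if this
 * resource server must reject tokens minted for other audiences, one has to be added to
 * the resulting decoder. The Base64 heuristic means a plain-text secret made only of
 * Base64-alphabet characters is decoded rather than used verbatim — confirm against the
 * configuration docs.
 *
 * @param modelType        the OIDC module configuration
 * @param prefixOfSequence sequence prefix forwarded to {@code build(...)}
 * @return the populated configuration
 * @throws OAuth2AuthenticationException if configured key material cannot be obtained
 */
private static OidcResourceServerModuleWebSecurityConfiguration buildInternal(OidcAuthenticationModuleType modelType, String prefixOfSequence) {
    OidcResourceServerModuleWebSecurityConfiguration configuration = new OidcResourceServerModuleWebSecurityConfiguration();
    build(configuration, modelType, prefixOfSequence);
    OidcResourceServerAuthenticationModuleType resourceServer = modelType.getResourceServer();
    String trustedAlgorithm = resourceServer.getTrustedAlgorithm();

    if (resourceServer.getTrustingAsymmetricCertificate() != null || resourceServer.getKeyStoreTrustingAsymmetricKey() != null) {
        NimbusJwtDecoder.PublicKeyJwtDecoderBuilder builder;
        if (resourceServer.getKeyStoreTrustingAsymmetricKey() != null) {
            builder = initializePublicKeyDecoderFromKeyStore(resourceServer.getKeyStoreTrustingAsymmetricKey());
        } else {
            builder = initializePublicKeyDecoderFromCertificate(resourceServer.getTrustingAsymmetricCertificate());
        }
        if (trustedAlgorithm != null) {
            builder.signatureAlgorithm(SignatureAlgorithm.from(trustedAlgorithm));
        }
        configuration.decoder = builder.build();

    } else if (resourceServer.getSingleSymmetricKey() != null) {
        byte[] key;
        try {
            String clearValue = protector.decryptString(resourceServer.getSingleSymmetricKey());
            if (Base64.isBase64(clearValue)) {
                boolean isBase64Url = clearValue.contains("-") || clearValue.contains("_");
                key = Base64Utility.decode(clearValue, isBase64Url);
            } else {
                // Explicit charset: the platform default would make the key bytes JVM-dependent.
                key = clearValue.getBytes(java.nio.charset.StandardCharsets.UTF_8);
            }
        } catch (EncryptionException e) {
            throw new OAuth2AuthenticationException(new OAuth2Error("missing_key"), "Unable get single symmetric key", e);
        } catch (Base64Exception e) {
            throw new OAuth2AuthenticationException(new OAuth2Error("missing_key"), "Unable to decode single symmetric key", e);
        }
        String algorithm = trustedAlgorithm != null ? trustedAlgorithm : MacAlgorithm.HS256.getName();
        // NOTE(review): the JWS name (e.g. "HS256") is used as the SecretKeySpec algorithm
        // rather than a JCA name; Nimbus appears to use only the raw key bytes — verify.
        // MacAlgorithm.from(...) yields null for a non-MAC trusted algorithm; the builder
        // presumably rejects that — verify the configuration error surfaces clearly.
        NimbusJwtDecoder.SecretKeyJwtDecoderBuilder builder = NimbusJwtDecoder.withSecretKey(new SecretKeySpec(key, algorithm));
        builder.macAlgorithm(MacAlgorithm.from(algorithm));
        configuration.decoder = builder.build();

    } else if (resourceServer.getJwkSetUri() != null) {
        if (trustedAlgorithm != null) {
            configuration.decoder = NimbusJwtDecoder.withJwkSetUri(resourceServer.getJwkSetUri())
                    .jwsAlgorithm(SignatureAlgorithm.from(trustedAlgorithm))
                    .build();
        } else {
            try {
                // Fetches the JWK Set now to learn which algorithm families it supports.
                JWSKeySelector<SecurityContext> jwsKeySelector =
                        JWSAlgorithmFamilyJWSKeySelector.fromJWKSetURL(new URL(resourceServer.getJwkSetUri()));
                DefaultJWTProcessor<SecurityContext> jwtProcessor = new DefaultJWTProcessor<>();
                jwtProcessor.setJWSKeySelector(jwsKeySelector);
                configuration.decoder = new NimbusJwtDecoder(jwtProcessor);
            } catch (KeySourceException | MalformedURLException e) {
                throw new OAuth2AuthenticationException(new OAuth2Error("missing_key"),
                        "Unable to load JWK Set from " + resourceServer.getJwkSetUri(), e);
            }
        }

    } else if (resourceServer.getIssuerUri() != null) {
        configuration.decoder = JwtDecoders.fromIssuerLocation(resourceServer.getIssuerUri());
    }
    return configuration;
}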
Also used : MalformedURLException(java.net.MalformedURLException) NimbusJwtDecoder(org.springframework.security.oauth2.jwt.NimbusJwtDecoder) URL(java.net.URL) DefaultJWTProcessor(com.nimbusds.jwt.proc.DefaultJWTProcessor) SecretKeySpec(javax.crypto.spec.SecretKeySpec) Base64Exception(org.apache.cxf.common.util.Base64Exception) EncryptionException(com.evolveum.midpoint.prism.crypto.EncryptionException) SecurityContext(com.nimbusds.jose.proc.SecurityContext) KeySourceException(com.nimbusds.jose.KeySourceException)

Example 39 with OAuth2Error

use of org.springframework.security.oauth2.core.OAuth2Error in project molgenis by molgenis.

Class MolgenisOidcIdTokenDecoderFactory, method buildDecoder (creates the ID Token signature verifier for a client registration):

/**
 * Creates the {@link NimbusJwtDecoder} that verifies ID Token signatures for one client
 * registration.
 *
 * <p>The JWS algorithm is obtained from {@code jwsAlgorithmResolver}. A signature
 * algorithm (RSA/EC family) requires the provider's JWK Set URI; a MAC algorithm (HS*)
 * uses the UTF-8 bytes of the client secret as the HMAC key. A missing JWK Set URI,
 * a missing client secret, or an algorithm that is neither kind (including
 * {@code null}) is reported with {@code MISSING_SIGNATURE_VERIFIER_ERROR_CODE}.
 *
 * <p>Relevant OpenID Connect Core 1.0 §3.1.3.7 (ID Token Validation) rules:
 * (6) unless the token arrived over TLS from the Token Endpoint, the client MUST verify
 * the JWS signature with the issuer's keys using the {@code alg} header;
 * (7) {@code alg} SHOULD be RS256 or the value registered as
 * {@code id_token_signed_response_alg};
 * (8) for HS256/HS384/HS512 the UTF-8 octets of the {@code client_secret} are the key,
 * and behaviour is unspecified when {@code aud} is multi-valued or {@code azp} differs
 * from {@code aud}.
 *
 * <p>NOTE(review): only signature verification is configured here; issuer, audience and
 * nonce checks on the ID Token are not visible in this method and are presumably applied
 * by the factory around it — confirm.
 *
 * @param clientRegistration registration whose ID Tokens must be verified
 * @return a decoder bound to that registration's key material
 * @throws OAuth2AuthenticationException when no suitable verifier can be configured
 */
private NimbusJwtDecoder buildDecoder(ClientRegistration clientRegistration) {
    JwsAlgorithm alg = this.jwsAlgorithmResolver.apply(clientRegistration);

    if (alg instanceof SignatureAlgorithm) {
        String jwkSetUri = clientRegistration.getProviderDetails().getJwkSetUri();
        if (!StringUtils.hasText(jwkSetUri)) {
            throw missingVerifier("Failed to find a Signature Verifier for Client Registration: '"
                    + clientRegistration.getRegistrationId()
                    + "'. Check to ensure you have configured the JwkSet URI.");
        }
        return NimbusJwtDecoder.withJwkSetUri(jwkSetUri).jwsAlgorithm((SignatureAlgorithm) alg).build();
    }

    if (alg instanceof MacAlgorithm) {
        String clientSecret = clientRegistration.getClientSecret();
        if (!StringUtils.hasText(clientSecret)) {
            throw missingVerifier("Failed to find a Signature Verifier for Client Registration: '"
                    + clientRegistration.getRegistrationId()
                    + "'. Check to ensure you have configured the client secret.");
        }
        byte[] hmacKey = clientSecret.getBytes(StandardCharsets.UTF_8);
        SecretKeySpec keySpec = new SecretKeySpec(hmacKey, JCA_ALGORITHM_MAPPINGS.get(alg));
        return NimbusJwtDecoder.withSecretKey(keySpec).macAlgorithm((MacAlgorithm) alg).build();
    }

    throw missingVerifier("Failed to find a Signature Verifier for Client Registration: '"
            + clientRegistration.getRegistrationId()
            + "'. Check to ensure you have configured a valid JWS Algorithm: '" + alg + "'");
}

/**
 * Wraps a "no signature verifier" description in the exception this factory throws:
 * an {@link OAuth2Error} with {@code MISSING_SIGNATURE_VERIFIER_ERROR_CODE} and no URI,
 * whose {@code toString()} doubles as the exception message.
 */
private static OAuth2AuthenticationException missingVerifier(String description) {
    OAuth2Error oauth2Error = new OAuth2Error(MISSING_SIGNATURE_VERIFIER_ERROR_CODE, description, null);
    return new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
}
Also used : JwsAlgorithm(org.springframework.security.oauth2.jose.jws.JwsAlgorithm) MacAlgorithm(org.springframework.security.oauth2.jose.jws.MacAlgorithm) SecretKeySpec(javax.crypto.spec.SecretKeySpec) OAuth2Error(org.springframework.security.oauth2.core.OAuth2Error) SignatureAlgorithm(org.springframework.security.oauth2.jose.jws.SignatureAlgorithm) OAuth2AuthenticationException(org.springframework.security.oauth2.core.OAuth2AuthenticationException)

Example 40 with OAuth2Error

use of org.springframework.security.oauth2.core.OAuth2Error in project siembol by G-Research.

Class Oauth2Helper, method createJwtDecoder (builds a resource-server JWT decoder with signature, type, timestamp, issuer and audience checks):

/**
 * Creates the resource-server {@link JwtDecoder} for the given OAuth2 properties.
 *
 * <p>Signature verification: keys are fetched from {@code properties.getJwkSetUrl()}
 * via a {@link RemoteJWKSet} whose connect and read timeouts are both
 * {@code JWKSET_TIMEOUT_IN_MILLI_SECONDS}; only the JWS algorithm named by
 * {@code properties.getJwsAlgorithm()} is accepted, and the JOSE {@code typ} header must
 * match {@code properties.getJwtType()}.
 *
 * <p>Claim validation happens on the Spring side, not in Nimbus: the Nimbus claims-set
 * verifier is replaced with a no-op so that the three Spring validators are the single
 * place claims are checked — {@code exp}/{@code nbf} with
 * {@code JWT_CLOCK_SKEW_IN_SECONDS} of tolerance, issuer equal to
 * {@code properties.getIssuerUrl()}, and audience list containing
 * {@code properties.getAudience()} (otherwise {@code MISSING_REQUIRED_AUDIENCE}).
 *
 * <p>NOTE(review): with a single allowed type, the Nimbus type verifier is expected to
 * reject tokens whose {@code typ} header is absent — confirm that is the intended
 * behaviour for the issuers in use.
 *
 * @param properties issuer URL, audience, JWK Set URL, JWS algorithm and token type
 * @return a decoder that checks signature, type, timestamps, issuer and audience
 * @throws MalformedURLException if the configured JWK Set URL is not a valid URL
 */
public static JwtDecoder createJwtDecoder(ResourceServerOauth2Properties properties) throws MalformedURLException {
    // Audience is read per token so the check follows the properties object's current value.
    OAuth2TokenValidator<Jwt> audienceCheck = jwt -> {
        if (jwt.getAudience().contains(properties.getAudience())) {
            return OAuth2TokenValidatorResult.success();
        }
        return OAuth2TokenValidatorResult.failure(new OAuth2Error(MISSING_REQUIRED_AUDIENCE));
    };

    List<OAuth2TokenValidator<Jwt>> claimChecks = new ArrayList<>();
    claimChecks.add(new JwtTimestampValidator(Duration.ofSeconds(JWT_CLOCK_SKEW_IN_SECONDS)));
    claimChecks.add(new JwtIssuerValidator(properties.getIssuerUrl()));
    claimChecks.add(audienceCheck);

    URL jwkSetUrl = new URL(properties.getJwkSetUrl());
    DefaultResourceRetriever retriever =
            new DefaultResourceRetriever(JWKSET_TIMEOUT_IN_MILLI_SECONDS, JWKSET_TIMEOUT_IN_MILLI_SECONDS);
    JWKSource<SecurityContext> keySource = new RemoteJWKSet<>(jwkSetUrl, retriever);
    JWSAlgorithm expectedAlgorithm = new JWSAlgorithm(properties.getJwsAlgorithm());

    ConfigurableJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
    processor.setJWSTypeVerifier(new DefaultJOSEObjectTypeVerifier<>(new JOSEObjectType(properties.getJwtType())));
    processor.setJWSKeySelector(new JWSVerificationKeySelector<>(expectedAlgorithm, keySource));
    processor.setJWTClaimsSetVerifier((claims, context) -> {
        // Intentionally empty: claims are validated by the Spring validators below.
    });

    NimbusJwtDecoder decoder = new NimbusJwtDecoder(processor);
    decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(claimChecks));
    return decoder;
}
Also used : JOSEObjectType(com.nimbusds.jose.JOSEObjectType) ArrayList(java.util.ArrayList) OAuth2Error(org.springframework.security.oauth2.core.OAuth2Error) JWSAlgorithm(com.nimbusds.jose.JWSAlgorithm) RemoteJWKSet(com.nimbusds.jose.jwk.source.RemoteJWKSet) URL(java.net.URL) DelegatingOAuth2TokenValidator(org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator) DefaultJWTProcessor(com.nimbusds.jwt.proc.DefaultJWTProcessor) OAuth2TokenValidator(org.springframework.security.oauth2.core.OAuth2TokenValidator) DelegatingOAuth2TokenValidator(org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator) SecurityContext(com.nimbusds.jose.proc.SecurityContext) DefaultResourceRetriever(com.nimbusds.jose.util.DefaultResourceRetriever)
