Usage of org.wso2.carbon.identity.application.authentication.framework.exception.PostAuthenticationFailedException in the wso2 project carbon-identity-framework:
class JITProvisioningPostAuthenticationHandler, method getClaimsForTenant.
/**
 * Loads every claim mapping defined in the user realm of the given tenant.
 *
 * @param tenantDomain          Tenant whose claim mappings are wanted.
 * @param externalIdPConfigName Name of the external IdP configuration; only used in the error message.
 * @return the tenant's claim mappings, or {@code null} if the realm or its claim manager could not be
 *         obtained and {@code handleExceptions} returned instead of throwing.
 * @throws PostAuthenticationFailedException if the realm or the claim mappings cannot be read.
 */
private org.wso2.carbon.user.api.ClaimMapping[] getClaimsForTenant(String tenantDomain,
        String externalIdPConfigName) throws PostAuthenticationFailedException {

    RealmService realmService = FrameworkServiceComponent.getRealmService();
    UserRealm tenantRealm = null;
    try {
        int tenantId = IdentityTenantUtil.getTenantId(tenantDomain);
        tenantRealm = (UserRealm) realmService.getTenantUserRealm(tenantId);
    } catch (UserStoreException e) {
        handleExceptions(
                String.format(ERROR_WHILE_GETTING_REALM_IN_POST_AUTHENTICATION.getMessage(), tenantDomain),
                ERROR_WHILE_GETTING_REALM_IN_POST_AUTHENTICATION.getCode(), e);
    }

    org.wso2.carbon.user.api.ClaimMapping[] mappings = null;
    try {
        // The realm is still null here if handleExceptions did not throw; tolerate that and return null.
        ClaimManager claimManager = (tenantRealm != null) ? tenantRealm.getClaimManager() : null;
        if (claimManager != null) {
            mappings = claimManager.getAllClaimMappings();
        }
    } catch (UserStoreException e) {
        handleExceptions(
                String.format(ERROR_WHILE_TRYING_TO_GET_CLAIMS_WHILE_TRYING_TO_PASSWORD_PROVISION.getMessage(),
                        externalIdPConfigName),
                ERROR_WHILE_TRYING_TO_GET_CLAIMS_WHILE_TRYING_TO_PASSWORD_PROVISION.getCode(), e);
    }

    // Only claim URIs are logged, never claim values.
    if (log.isDebugEnabled() && !ArrayUtils.isEmpty(mappings)) {
        StringBuilder claimUris = new StringBuilder();
        for (org.wso2.carbon.user.api.ClaimMapping mapping : mappings) {
            claimUris.append(mapping.getClaim().getClaimUri()).append(' ');
        }
        log.debug("Claims in tenant " + tenantDomain + " : " + claimUris);
    }
    return mappings;
}
Usage of org.wso2.carbon.identity.application.authentication.framework.exception.PostAuthenticationFailedException in the wso2 project carbon-identity-framework:
class JITProvisioningPostAuthenticationHandler, method handle.
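/**
 * Entry point of the JIT provisioning post-authentication handler.
 * <p>
 * Skips the handler entirely when the step-based sequence handler did not run for this context; otherwise
 * dispatches to the response flow when the password-provisioning UI redirection has already been
 * triggered, and to the request flow otherwise.
 *
 * @param request  Current HTTP request.
 * @param response Current HTTP response.
 * @param context  Authentication context of the in-flight login.
 * @return the flow status returned by the request or response flow, or {@code SUCCESS_COMPLETED} when
 *         there is nothing to do.
 * @throws PostAuthenticationFailedException if either flow fails.
 */
@Override
public PostAuthnHandlerFlowStatus handle(HttpServletRequest request, HttpServletResponse response,
        AuthenticationContext context) throws PostAuthenticationFailedException {

    // Nothing to provision unless the step-based sequence handler actually executed for this context.
    if (!FrameworkUtils.isStepBasedSequenceHandlerExecuted(context)) {
        return SUCCESS_COMPLETED;
    }
    if (log.isDebugEnabled()) {
        // Log only the loggable user id (as the response-flow branch already does) rather than the whole
        // AuthenticatedUser object, so that user attributes never end up in debug logs.
        log.debug("Continuing with JIT flow for the user: " + loggableAuthenticatedUserId(context));
    }
    // Boolean.TRUE.equals() gives the same answer as the previous (boolean) cast for Boolean values but
    // cannot throw ClassCastException if the property was stored under some other type.
    boolean provisionUiRedirectionTriggered = Boolean.TRUE.equals(
            context.getProperty(FrameworkConstants.PASSWORD_PROVISION_REDIRECTION_TRIGGERED));
    if (provisionUiRedirectionTriggered) {
        if (log.isDebugEnabled()) {
            log.debug("The request has hit the response flow of JIT provisioning flow for the user: "
                    + loggableAuthenticatedUserId(context));
        }
        return handleResponseFlow(request, context);
    }
    return handleRequestFlow(request, response, context);
}

/**
 * Returns the loggable identifier of the authenticated user in the sequence config, or {@code null} if no
 * authenticated user has been set yet (so debug logging never fails the flow).
 *
 * @param context Authentication context.
 * @return loggable user id, or {@code null}.
 */
private static String loggableAuthenticatedUserId(AuthenticationContext context) {

    AuthenticatedUser authenticatedUser = context.getSequenceConfig().getAuthenticatedUser();
    return authenticatedUser == null ? null : authenticatedUser.getLoggableUserId();
}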
Usage of org.wso2.carbon.identity.application.authentication.framework.exception.PostAuthenticationFailedException in the wso2 project carbon-identity-framework:
class JITProvisioningPostAuthenticationHandler, method callDefaultProvisioningHandler.
/**
 * Provisions the federated user through the default JIT provisioning path of the step-based sequence
 * handler.
 * <p>
 * The local roles handed to provisioning are derived exclusively from the IdP role-mapping configuration;
 * the role and user-store-groups claims are stripped from {@code localClaimValues} first so that IdP
 * supplied attribute values cannot assign local roles or groups directly.
 *
 * @param username          Name of the user to be provisioned.
 * @param context           Authentication context.
 * @param externalIdPConfig Configuration of the external IdP the user authenticated with.
 * @param localClaimValues  Local claim values for the user; mutated in place (association id, IdP id,
 *                          optional TOTP secret added; role and groups claims removed).
 * @param stepConfig        Step config holding the authenticated user and authenticator.
 * @throws PostAuthenticationFailedException if claim-dialect mapping or provisioning itself fails.
 */
private void callDefaultProvisioningHandler(String username, AuthenticationContext context,
        ExternalIdPConfig externalIdPConfig, Map<String, String> localClaimValues, StepConfig stepConfig)
        throws PostAuthenticationFailedException {

    boolean useDefaultIdpDialect = externalIdPConfig.useDefaultLocalIdpDialect();
    ApplicationAuthenticator authenticator = stepConfig.getAuthenticatedAutenticator().getApplicationAuthenticator();
    String idpStandardDialect = authenticator.getClaimDialectURI();
    String roleClaimUri = FrameworkUtils.getIdpRoleClaimUri(externalIdPConfig);

    AuthenticatedUser federatedUser = stepConfig.getAuthenticatedUser();
    Map<ClaimMapping, String> userAttributes = federatedUser.getUserAttributes();
    Map<String, String> externalClaimValues = FrameworkUtils.getClaimMappings(userAttributes, false);

    // Resolve the IdP's standard dialect onto the local (carbon) dialect when the IdP is configured for it.
    Map<String, String> dialectToLocalMapping = null;
    if (useDefaultIdpDialect && StringUtils.isNotBlank(idpStandardDialect)) {
        try {
            dialectToLocalMapping = ClaimMetadataHandler.getInstance().getMappingsMapFromOtherDialectToCarbon(
                    idpStandardDialect, externalClaimValues.keySet(), context.getTenantDomain(), true);
        } catch (ClaimMetadataException e) {
            throw new PostAuthenticationFailedException(ErrorMessages.ERROR_WHILE_HANDLING_CLAIM_MAPPINGS.getCode(),
                    ErrorMessages.ERROR_WHILE_HANDLING_CLAIM_MAPPINGS.getMessage(), e);
        }
    }

    if (dialectToLocalMapping != null) {
        // Standard dialect (e.g. OIDC): the role claim is whichever external claim maps to the local
        // groups claim. NOTE(review): this may be null if no such mapping exists - confirm the callee copes.
        roleClaimUri = dialectToLocalMapping.get(IdentityUtil.getLocalGroupsClaimURI());
    } else if (idpStandardDialect == null && !useDefaultIdpDialect) {
        // Custom claims (e.g. SAML): re-read the IdP-configured role claim URI (same source as above).
        roleClaimUri = FrameworkUtils.getIdpRoleClaimUri(externalIdPConfig);
    }

    // Unless the SEND_ONLY_LOCALLY_MAPPED_ROLES_OF_IDP property is set to true, this stays false and -
    // going by the flag's name - IdP roles without a local mapping are handed through as they are.
    boolean dropUnmappedRoles = false;
    String onlyMappedRolesProperty = IdentityUtil.getProperty(SEND_ONLY_LOCALLY_MAPPED_ROLES_OF_IDP);
    if (StringUtils.isNotEmpty(onlyMappedRolesProperty)) {
        dropUnmappedRoles = Boolean.parseBoolean(onlyMappedRolesProperty);
    }
    List<String> mappedLocalRoles = FrameworkUtils.getIdentityProvideMappedUserRoles(
            externalIdPConfig, externalClaimValues, roleClaimUri, dropUnmappedRoles);

    // Record which federated subject and IdP this local account is associated with.
    localClaimValues.put(FrameworkConstants.ASSOCIATED_ID, federatedUser.getAuthenticatedSubjectIdentifier());
    localClaimValues.put(FrameworkConstants.IDP_ID, stepConfig.getAuthenticatedIdP());

    // First federated login with TOTP enabled: carry the generated secret over to the provisioned user.
    Object secretKeyClaim = context.getProperty(FrameworkConstants.SECRET_KEY_CLAIM_URL);
    if (secretKeyClaim != null) {
        localClaimValues.put(FrameworkConstants.SECRET_KEY_CLAIM_URL, secretKeyClaim.toString());
    }

    // Roles are assigned only via mappedLocalRoles above; never let the IdP set them through claim values.
    localClaimValues.remove(FrameworkUtils.getLocalClaimUriMappedForIdPRoleClaim(externalIdPConfig));
    localClaimValues.remove(UserCoreConstants.USER_STORE_GROUPS_CLAIM);

    try {
        FrameworkUtils.getStepBasedSequenceHandler()
                .callJitProvisioning(username, context, mappedLocalRoles, localClaimValues);
    } catch (FrameworkException e) {
        handleExceptions(
                String.format(ERROR_WHILE_TRYING_TO_PROVISION_USER_WITHOUT_PASSWORD_PROVISIONING.getMessage(),
                        username, externalIdPConfig.getName()),
                ERROR_WHILE_TRYING_TO_PROVISION_USER_WITHOUT_PASSWORD_PROVISIONING.getCode(), e);
    }
}
Usage of org.wso2.carbon.identity.application.authentication.framework.exception.PostAuthenticationFailedException in the wso2 project carbon-identity-framework:
class ConsentMgtPostAuthnHandler, method processUserConsent.
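/**
 * Builds the user's consent decision from the submitted consent page.
 * <p>
 * Approved claims are read from the {@code consent_}-prefixed request parameters; every consent-required
 * claim that was not approved is treated as disapproved. The flow fails if any mandatory claim was
 * disapproved, or if the consent metadata stored in the context is missing.
 *
 * @param request Consent page submission.
 * @param context Authentication context carrying the consent claim metadata.
 * @return approved and disapproved claims.
 * @throws PostAuthenticationFailedException if consent metadata is missing or a mandatory claim was denied.
 */
private UserConsent processUserConsent(HttpServletRequest request, AuthenticationContext context)
        throws PostAuthenticationFailedException {

    String consentClaimsPrefix = "consent_";
    ConsentClaimsData consentClaimsData = (ConsentClaimsData) context.getParameter(CONSENT_CLAIM_META_DATA);
    if (consentClaimsData == null) {
        // Without the server-side metadata there is no way to know which claims were requested or which
        // are mandatory; fail explicitly instead of with a NullPointerException further down.
        throw new PostAuthenticationFailedException("Authentication failed. Consent claim metadata is missing.",
                "Consent claim metadata was not found in the authentication context.");
    }
    // Request parameter names are user-controlled. NOTE(review): buildApprovedClaimList is expected to
    // match them against consentClaimsData rather than trust them as claim ids - confirm in that helper.
    Map<String, String[]> requestParams = request.getParameterMap();
    List<ClaimMetaData> approvedClaimMetaData =
            buildApprovedClaimList(consentClaimsPrefix, requestParams, consentClaimsData);
    List<ClaimMetaData> consentRequiredClaimMetaData = getConsentRequiredClaimMetaData(consentClaimsData);
    List<ClaimMetaData> disapprovedClaims =
            buildDisapprovedClaimList(consentRequiredClaimMetaData, approvedClaimMetaData);
    if (isMandatoryClaimsDisapproved(consentClaimsData.getMandatoryClaims(), disapprovedClaims)) {
        throw new PostAuthenticationFailedException(
                "Authentication failed. Consent denied for mandatory attributes.",
                "User denied consent to share mandatory attributes.");
    }
    UserConsent userConsent = new UserConsent();
    userConsent.setApprovedClaims(approvedClaimMetaData);
    userConsent.setDisapprovedClaims(disapprovedClaims);
    return userConsent;
}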
Usage of org.wso2.carbon.identity.application.authentication.framework.exception.PostAuthenticationFailedException in the wso2 project carbon-identity-framework:
class ConsentMgtPostAuthnHandler, method getSPMandatoryLocalClaims.
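/**
 * Collects the local claim URIs the service provider marks as mandatory, always including the subject
 * claim URI.
 *
 * @param context Authentication context whose sequence config holds the application config.
 * @return mutable list of mandatory local claim URIs (never {@code null}).
 * @throws PostAuthenticationFailedException if the application config is missing from the context.
 */
private List<String> getSPMandatoryLocalClaims(AuthenticationContext context) throws PostAuthenticationFailedException {

    ApplicationConfig applicationConfig = context.getSequenceConfig().getApplicationConfig();
    if (applicationConfig == null) {
        ServiceProvider serviceProvider = getServiceProvider(context);
        String error = "Application configs are null in AuthenticationContext for SP: "
                + serviceProvider.getApplicationName() + " in tenant domain: " + getSPTenantDomain(serviceProvider);
        throw new PostAuthenticationFailedException(
                "Authentication failed. Error while processing application claim configurations.", error);
    }
    List<String> spMandatoryLocalClaims = new ArrayList<>();
    Map<String, String> claimMappings = applicationConfig.getMandatoryClaimMappings();
    if (isNotEmpty(claimMappings) && isNotEmpty(claimMappings.values())) {
        spMandatoryLocalClaims = new ArrayList<>(claimMappings.values());
    }
    // The subject claim is always mandatory. NOTE(review): a null subject claim URI would be added as a
    // null element here - confirm getSubjectClaimUri never returns null.
    String subjectClaimUri = getSubjectClaimUri(applicationConfig);
    if (!spMandatoryLocalClaims.contains(subjectClaimUri)) {
        spMandatoryLocalClaims.add(subjectClaimUri);
    }
    if (isDebugEnabled()) {
        // Pass the claim list as a format argument rather than concatenating it into the format string:
        // a claim URI containing '%' would otherwise make String.format throw or misformat.
        logDebug(String.format("Mandatory claims for SP: %s - %s",
                applicationConfig.getApplicationName(), spMandatoryLocalClaims));
    }
    return spMandatoryLocalClaims;
}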