
Example 6 with ClaimMetaData

Use of org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ClaimMetaData in the project identity-inbound-auth-oauth by wso2-extensions.

The class OAuth2AuthzEndpoint, method handlePostConsent.

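/**
 * Handles the post-consent step of the authorization flow: once the user has submitted the
 * consent page, the approved claim ids are read from the request and handed over to the SSO
 * consent service, which creates the consent receipt.
 *
 * <p>If consent handling from the framework is skipped for this client (see
 * {@code isConsentHandlingFromFrameworkSkipped}), only a diagnostic event is emitted and the
 * method returns without calling the consent service.
 *
 * @param oAuthMessage the current OAuth message carrying the request and the session state
 * @throws ConsentHandlingFailedException if the consent service, the claim-mapping lookup or the
 *                                        request-object lookup fails; the original exception is
 *                                        attached as the cause
 */
private void handlePostConsent(OAuthMessage oAuthMessage) throws ConsentHandlingFailedException {
    OAuth2Parameters oauth2Params = getOauth2Params(oAuthMessage);
    String tenantDomain = EndpointUtil.getSPTenantDomainFromClientId(oauth2Params.getClientId());
    setSPAttributeToRequest(oAuthMessage.getRequest(), oauth2Params.getApplicationName(), tenantDomain);
    String spTenantDomain = oauth2Params.getTenantDomain();
    AuthenticatedUser loggedInUser = getLoggedInUser(oAuthMessage);
    String clientId = oauth2Params.getClientId();
    ServiceProvider serviceProvider;
    if (log.isDebugEnabled()) {
        log.debug("Initiating post user consent handling for user: " + loggedInUser.toFullQualifiedUsername() + " for client_id: " + clientId + " of tenantDomain: " + spTenantDomain);
    }
    try {
        if (isConsentHandlingFromFrameworkSkipped(oauth2Params)) {
            if (log.isDebugEnabled()) {
                log.debug("Consent handling from framework skipped for client_id: " + clientId + " of tenantDomain: " + spTenantDomain + " for user: " + loggedInUser.toFullQualifiedUsername() + ". " + "Therefore handling post consent is not applicable.");
            }
            if (LoggerUtils.isDiagnosticLogsEnabled()) {
                Map<String, Object> params = new HashMap<>();
                params.put("clientId", clientId);
                Map<String, Object> configs = new HashMap<>();
                configs.put("skipConsent", "true");
                LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, params, OAuthConstants.LogConstants.SUCCESS, "Consent is disabled for the OAuth client.", "handle-consent", configs);
            }
            return;
        }
        List<Integer> approvedClaimIds = getUserConsentClaimIds(oAuthMessage);
        serviceProvider = getServiceProvider(clientId);
        /*
                With the current implementation of the SSOConsentService we need to send back the original
                ConsentClaimsData object we got during pre consent stage. Currently we are repeating the API call
                during post consent handling to get the original ConsentClaimsData object (Assuming there is no
                change in SP during pre-consent and post-consent).

                The API on the SSO Consent Service will be improved to avoid having to send the original
                ConsentClaimsData object.
             */
        ConsentClaimsData value = getConsentRequiredClaims(loggedInUser, serviceProvider, oauth2Params);
        /*
                It is needed to pitch the consent required claims with the OIDC claims. otherwise the consent of the
                the claims which are not in the OIDC claims will be saved as consent denied.
            */
        if (value != null) {
            // Remove the claims which dont have values given by the user.
            value.setRequestedClaims(removeConsentRequestedNullUserAttributes(value.getRequestedClaims(), loggedInUser.getUserAttributes(), spTenantDomain));
            List<ClaimMetaData> requestedOidcClaimsList = getRequestedOidcClaimsList(value, oauth2Params, spTenantDomain);
            value.setRequestedClaims(requestedOidcClaimsList);
        }
        // NOTE(review): value may still be null at this point (nothing above replaces a null result);
        // it is passed through to processConsent as-is — confirm the consent service tolerates that.
        // Call framework and create the consent receipt.
        if (log.isDebugEnabled()) {
            log.debug("Creating user consent receipt for user: " + loggedInUser.toFullQualifiedUsername() + " for client_id: " + clientId + " of tenantDomain: " + spTenantDomain);
        }
        // Both prompt variants emit the same diagnostic event and differ only in the flag passed to
        // processConsent, so the hand-over is written once instead of as two duplicated branches.
        boolean promptContainsConsent = hasPromptContainsConsent(oauth2Params);
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            Map<String, Object> params = new HashMap<>();
            params.put("clientId", clientId);
            params.put("prompt", oauth2Params.getPrompt());
            LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, params, OAuthConstants.LogConstants.SUCCESS, null, "hand-over-to-consent-service", null);
        }
        getSSOConsentService().processConsent(approvedClaimIds, serviceProvider, loggedInUser, value, promptContainsConsent);
    } catch (OAuthSystemException | SSOConsentServiceException e) {
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, null, OAuthConstants.LogConstants.FAILED, "System error occurred.", "process-consent", null);
        }
        String msg = "Error while processing consent of user: " + loggedInUser.toFullQualifiedUsername() + " for " + "client_id: " + clientId + " of tenantDomain: " + spTenantDomain;
        throw new ConsentHandlingFailedException(msg, e);
    } catch (ClaimMetadataException e) {
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, null, OAuthConstants.LogConstants.FAILED, String.format("Error occurred while getting " + "claim mappings for %s.", OIDC_DIALECT), "process-consent", null);
        }
        throw new ConsentHandlingFailedException("Error while getting claim mappings for " + OIDC_DIALECT, e);
    } catch (RequestObjectException e) {
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, null, OAuthConstants.LogConstants.FAILED, String.format("Error occurred while getting essential claims for the session data key : %s.", oauth2Params.getSessionDataKey()), "process-consent", null);
        }
        throw new ConsentHandlingFailedException("Error while getting essential claims for the session data key " + ": " + oauth2Params.getSessionDataKey(), e);
    }
}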
Also used : RequestObjectException(org.wso2.carbon.identity.oauth2.RequestObjectException) ClaimMetadataException(org.wso2.carbon.identity.claim.metadata.mgt.exception.ClaimMetadataException) ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap) HashMap(java.util.HashMap) OAuthSystemException(org.apache.oltu.oauth2.common.exception.OAuthSystemException) ConsentClaimsData(org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ConsentClaimsData) SSOConsentServiceException(org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.exception.SSOConsentServiceException) ClaimMetaData(org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ClaimMetaData) AuthenticatedUser(org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser) ConsentHandlingFailedException(org.wso2.carbon.identity.oauth.endpoint.exception.ConsentHandlingFailedException) OAuth2Parameters(org.wso2.carbon.identity.oauth2.model.OAuth2Parameters) ServiceProvider(org.wso2.carbon.identity.application.common.model.ServiceProvider) RequestObject(org.wso2.carbon.identity.openidconnect.model.RequestObject) JSONObject(org.json.JSONObject)

Example 7 with ClaimMetaData

Use of org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ClaimMetaData in the project identity-inbound-auth-oauth by wso2-extensions.

The class OpenIDConnectClaimFilterImplTest, method getClaimsWithConsent.

/**
 * Test fixture: builds a list holding exactly one consented claim with id 1, URI
 * {@code testUserClaimURI}, display name {@code claimMetaData} and description
 * {@code claimMetaDataDescription}.
 *
 * @return a fresh, mutable single-element list
 */
private List<ClaimMetaData> getClaimsWithConsent() {
    ClaimMetaData consentedClaim = new ClaimMetaData();
    consentedClaim.setId(1);
    consentedClaim.setClaimUri("testUserClaimURI");
    consentedClaim.setDisplayName("claimMetaData");
    consentedClaim.setDescription("claimMetaDataDescription");
    List<ClaimMetaData> result = new ArrayList<>(1);
    result.add(consentedClaim);
    return result;
}
Also used : ArrayList(java.util.ArrayList) ClaimMetaData(org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ClaimMetaData)

Example 8 with ClaimMetaData

Use of org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ClaimMetaData in the project carbon-identity-framework by wso2.

The class ConsentMgtPostAuthnHandler, method processUserConsent.

/**
 * Reads the consent decision the user submitted on the consent page and splits the consent
 * required claims into approved and disapproved lists.
 *
 * <p>Approved claims are derived from request parameters carrying the {@code consent_} prefix;
 * every consent required claim not found among them counts as disapproved.
 *
 * @param request the HTTP request carrying the submitted consent form
 * @param context the authentication context holding the {@code ConsentClaimsData} stored under
 *                {@code CONSENT_CLAIM_META_DATA} during the pre-consent step
 * @return the user's consent, with approved and disapproved claims populated
 * @throws PostAuthenticationFailedException if any mandatory claim was disapproved
 */
private UserConsent processUserConsent(HttpServletRequest request, AuthenticationContext context) throws PostAuthenticationFailedException {
    final String claimParamPrefix = "consent_";
    UserConsent result = new UserConsent();
    ConsentClaimsData claimsData = (ConsentClaimsData) context.getParameter(CONSENT_CLAIM_META_DATA);
    Map<String, String[]> submittedParams = request.getParameterMap();
    List<ClaimMetaData> approved = buildApprovedClaimList(claimParamPrefix, submittedParams, claimsData);
    List<ClaimMetaData> required = getConsentRequiredClaimMetaData(claimsData);
    List<ClaimMetaData> disapproved = buildDisapprovedClaimList(required, approved);
    // Denying a mandatory claim means the authentication cannot continue.
    if (isMandatoryClaimsDisapproved(claimsData.getMandatoryClaims(), disapproved)) {
        throw new PostAuthenticationFailedException("Authentication failed. Consent denied for mandatory " + "attributes.", "User denied consent to share mandatory " + "attributes.");
    }
    result.setApprovedClaims(approved);
    result.setDisapprovedClaims(disapproved);
    return result;
}
Also used : StringUtils.defaultString(org.apache.commons.lang.StringUtils.defaultString) PostAuthenticationFailedException(org.wso2.carbon.identity.application.authentication.framework.exception.PostAuthenticationFailedException)

Example 9 with ClaimMetaData

Use of org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ClaimMetaData in the project carbon-identity-framework by wso2.

The class SSOConsentServiceImpl, method getConsentRequiredClaims.

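/**
 * Get consent required claims for a given service from a user.
 *
 * <p>The mandatory and requested claim lists are built from the service provider's claim
 * mappings (optionally filtered down to the claims of the requested scopes). When an existing
 * consent receipt is used, claims already consented to are dropped from both lists and claims
 * already denied are dropped from the requested list.
 *
 * @param serviceProvider     Service provider requesting consent.
 * @param authenticatedUser   Authenticated user requesting consent form.
 * @param useExistingConsents Use existing consent given by the user.
 * @param claimsListOfScopes  Claims list of requested scopes; {@code null} disables scope filtering.
 * @return ConsentClaimsData which contains mandatory and required claims for consent; an empty
 *         instance when the service provider has no claim mappings.
 * @throws SSOConsentServiceException If error occurs while building claim information, or if
 *                                    {@code serviceProvider} is {@code null}.
 * @throws SSOConsentDisabledException If consent management for SSO is disabled for the
 *                                     service provider.
 */
protected ConsentClaimsData getConsentRequiredClaims(ServiceProvider serviceProvider, AuthenticatedUser authenticatedUser, boolean useExistingConsents, List<String> claimsListOfScopes) throws SSOConsentServiceException {
    // NOTE(review): the enabled check receives serviceProvider before the null check below;
    // whether isSSOConsentManagementEnabled tolerates null cannot be seen here — confirm.
    if (!isSSOConsentManagementEnabled(serviceProvider)) {
        String message = "Consent management for SSO is disabled.";
        throw new SSOConsentDisabledException(message, message);
    }
    if (serviceProvider == null) {
        throw new SSOConsentServiceException("Service provider cannot be null.");
    }
    String spName = serviceProvider.getApplicationName();
    String spTenantDomain = getSPTenantDomain(serviceProvider);
    String subject = buildSubjectWithUserStoreDomain(authenticatedUser);
    ClaimMapping[] claimMappings = getSpClaimMappings(serviceProvider);
    // Without any claim mapping there is nothing the user could consent to.
    if (claimMappings == null || claimMappings.length == 0) {
        if (log.isDebugEnabled()) {
            log.debug("No claim mapping configured from the application. Hence skipping getting consent.");
        }
        return new ConsentClaimsData();
    }
    if (claimsListOfScopes != null) {
        try {
            claimMappings = FrameworkUtils.getFilteredScopeClaims(claimsListOfScopes, Arrays.asList(claimMappings), serviceProvider.getOwner().getTenantDomain()).toArray(new ClaimMapping[0]);
        } catch (ClaimManagementException e) {
            // Keep the underlying cause so the failure can be traced past this wrapper.
            throw new SSOConsentServiceException("Error occurred while filtering claims of requested scopes", e);
        }
    }
    List<String> requestedClaims = new ArrayList<>();
    List<String> mandatoryClaims = new ArrayList<>();
    Map<ClaimMapping, String> userAttributes = authenticatedUser.getUserAttributes();
    String subjectClaimUri = getSubjectClaimUri(serviceProvider);
    boolean subjectClaimUriRequested = false;
    boolean subjectClaimUriMandatory = false;
    // Defaults to prompting for the subject claim; the server configuration may override it.
    boolean promptSubjectClaimRequestedConsent = true;
    if (StringUtils.isNotBlank(IdentityUtil.getProperty(CONFIG_PROMPT_SUBJECT_CLAIM_REQUESTED_CONSENT))) {
        promptSubjectClaimRequestedConsent = Boolean.parseBoolean(IdentityUtil.getProperty(CONFIG_PROMPT_SUBJECT_CLAIM_REQUESTED_CONSENT));
    }
    if (isPassThroughScenario(claimMappings, userAttributes)) {
        // Pass-through: every user attribute except the subject claim and the multi-attribute
        // separator is treated as mandatory.
        for (Map.Entry<ClaimMapping, String> userAttribute : userAttributes.entrySet()) {
            String remoteClaimUri = userAttribute.getKey().getRemoteClaim().getClaimUri();
            if (subjectClaimUri.equals(remoteClaimUri) || IdentityCoreConstants.MULTI_ATTRIBUTE_SEPARATOR.equals(remoteClaimUri)) {
                continue;
            }
            mandatoryClaims.add(remoteClaimUri);
        }
    } else {
        boolean isCustomClaimMapping = isCustomClaimMapping(serviceProvider);
        for (ClaimMapping claimMapping : claimMappings) {
            if (isCustomClaimMapping) {
                // With custom mappings the subject is matched on the remote URI and then
                // rewritten to the local URI so the consent lists refer to local claims.
                if (subjectClaimUri.equals(claimMapping.getRemoteClaim().getClaimUri())) {
                    subjectClaimUri = claimMapping.getLocalClaim().getClaimUri();
                    if (promptSubjectClaimRequestedConsent) {
                        if (claimMapping.isMandatory()) {
                            subjectClaimUriMandatory = true;
                        } else if (claimMapping.isRequested()) {
                            subjectClaimUriRequested = true;
                        }
                    }
                    continue;
                }
            } else {
                if (subjectClaimUri.equals(claimMapping.getLocalClaim().getClaimUri())) {
                    if (promptSubjectClaimRequestedConsent) {
                        if (claimMapping.isMandatory()) {
                            subjectClaimUriMandatory = true;
                        } else if (claimMapping.isRequested()) {
                            subjectClaimUriRequested = true;
                        }
                    }
                    continue;
                }
            }
            if (claimMapping.isMandatory()) {
                mandatoryClaims.add(claimMapping.getLocalClaim().getClaimUri());
            } else if (claimMapping.isRequested()) {
                requestedClaims.add(claimMapping.getLocalClaim().getClaimUri());
            }
        }
    }
    // The subject claim is appended last, after any custom-mapping rewrite of its URI.
    if (promptSubjectClaimRequestedConsent) {
        if (subjectClaimUriMandatory) {
            mandatoryClaims.add(subjectClaimUri);
        } else if (subjectClaimUriRequested) {
            requestedClaims.add(subjectClaimUri);
        }
    }
    List<ClaimMetaData> receiptConsentMetaData = new ArrayList<>();
    List<ClaimMetaData> receiptConsentDeniedMetaData;
    Receipt receipt = getConsentReceiptOfUser(serviceProvider, authenticatedUser, spName, spTenantDomain, subject);
    if (useExistingConsents && receipt != null) {
        receiptConsentMetaData = getRequestedClaimsFromReceipt(receipt, true);
        List<String> claimsWithConsent = getClaimsFromConsentMetaData(receiptConsentMetaData);
        receiptConsentDeniedMetaData = getRequestedClaimsFromReceipt(receipt, false);
        List<String> claimsDeniedConsent = getClaimsFromConsentMetaData(receiptConsentDeniedMetaData);
        // Already-consented claims need no new consent; previously denied claims are only
        // removed from the requested list, so a denied mandatory claim is still asked again.
        mandatoryClaims.removeAll(claimsWithConsent);
        requestedClaims.removeAll(claimsWithConsent);
        requestedClaims.removeAll(claimsDeniedConsent);
    }
    ConsentClaimsData consentClaimsData = getConsentRequiredClaimData(mandatoryClaims, requestedClaims, spTenantDomain);
    consentClaimsData.setClaimsWithConsent(receiptConsentMetaData);
    return consentClaimsData;
}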
Also used : Receipt(org.wso2.carbon.consent.mgt.core.model.Receipt) ArrayList(java.util.ArrayList) SSOConsentServiceException(org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.exception.SSOConsentServiceException) ClaimMapping(org.wso2.carbon.identity.application.common.model.ClaimMapping) SSOConsentDisabledException(org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.exception.SSOConsentDisabledException) ClaimManagementException(org.wso2.carbon.claim.mgt.ClaimManagementException) Map(java.util.Map) HashMap(java.util.HashMap)

Example 10 with ClaimMetaData

Use of org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ClaimMetaData in the project carbon-identity-framework by wso2.

The class SSOConsentServiceImpl, method getClaimsFromPIICategoryValidity.

/**
 * Converts the PII categories of a receipt into claim metadata, keeping only those whose
 * consent is still valid according to {@code isConsentForClaimValid}.
 *
 * <p>Each surviving category contributes its name as the claim URI and its display name; no
 * other fields of the resulting {@code ClaimMetaData} are set.
 *
 * @param piiCategories the PII categories read from a consent receipt
 * @return a new mutable list of claim metadata, in the order of the input
 */
private List<ClaimMetaData> getClaimsFromPIICategoryValidity(List<PIICategoryValidity> piiCategories) {
    List<ClaimMetaData> validClaims = new ArrayList<>();
    for (PIICategoryValidity category : piiCategories) {
        if (!isConsentForClaimValid(category)) {
            continue;
        }
        ClaimMetaData metaData = new ClaimMetaData();
        metaData.setClaimUri(category.getName());
        metaData.setDisplayName(category.getDisplayName());
        validClaims.add(metaData);
    }
    return validClaims;
}
Also used : ArrayList(java.util.ArrayList) PIICategoryValidity(org.wso2.carbon.consent.mgt.core.model.PIICategoryValidity)

Aggregations

ArrayList (java.util.ArrayList)10 SSOConsentServiceException (org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.exception.SSOConsentServiceException)8 HashMap (java.util.HashMap)5 ClaimMetaData (org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ClaimMetaData)5 ConcurrentHashMap (java.util.concurrent.ConcurrentHashMap)3 ConsentManagementException (org.wso2.carbon.consent.mgt.core.exception.ConsentManagementException)3 PIICategoryValidity (org.wso2.carbon.consent.mgt.core.model.PIICategoryValidity)3 Receipt (org.wso2.carbon.consent.mgt.core.model.Receipt)3 SSOConsentDisabledException (org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.exception.SSOConsentDisabledException)3 ClaimMetadataException (org.wso2.carbon.identity.claim.metadata.mgt.exception.ClaimMetadataException)3 Map (java.util.Map)2 JSONObject (org.json.JSONObject)2 PIICategory (org.wso2.carbon.consent.mgt.core.model.PIICategory)2 ConsentClaimsData (org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ConsentClaimsData)2 ClaimMapping (org.wso2.carbon.identity.application.common.model.ClaimMapping)2 ServiceProvider (org.wso2.carbon.identity.application.common.model.ServiceProvider)2 ExternalClaim (org.wso2.carbon.identity.claim.metadata.mgt.model.ExternalClaim)2 ConsentHandlingFailedException (org.wso2.carbon.identity.oauth.endpoint.exception.ConsentHandlingFailedException)2 RequestObjectException (org.wso2.carbon.identity.oauth2.RequestObjectException)2 RequestObject (org.wso2.carbon.identity.openidconnect.model.RequestObject)2