
Example 11 with ClaimMetaData

Use of org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ClaimMetaData in project carbon-identity-framework by wso2.

The class SSOConsentServiceImpl, method buildReceiptInput.

private ReceiptInput buildReceiptInput(String subject, ServiceProvider serviceProvider, String spTenantDomain, List<ClaimMetaData> claimsWithConsent, List<ClaimMetaData> claimsDeniedConsent) throws SSOConsentServiceException {
    String collectionMethod = "Web Form - Sign-in";
    String jurisdiction = "NONE";
    String language = "us_EN";
    String consentType = "EXPLICIT";
    String termination = CONSENT_VALIDITY_TYPE_VALID_UNTIL + CONSENT_VALIDITY_TYPE_SEPARATOR + CONSENT_VALIDITY_TYPE_VALID_UNTIL_INDEFINITE;
    String policyUrl = "NONE";
    Purpose purpose = getDefaultPurpose();
    PurposeCategory purposeCategory = getDefaultPurposeCategory();
    List<PIICategoryValidity> piiCategoryIds = getPiiCategoryValidityForClaims(claimsWithConsent, claimsDeniedConsent, termination);
    List<ReceiptServiceInput> serviceInputs = new ArrayList<>();
    List<ReceiptPurposeInput> purposeInputs = new ArrayList<>();
    List<Integer> purposeCategoryIds = new ArrayList<>();
    Map<String, String> properties = new HashMap<>();
    purposeCategoryIds.add(purposeCategory.getId());
    ReceiptPurposeInput purposeInput = getReceiptPurposeInput(consentType, termination, purpose, piiCategoryIds, purposeCategoryIds);
    purposeInputs.add(purposeInput);
    ReceiptServiceInput serviceInput = getReceiptServiceInput(serviceProvider, spTenantDomain, purposeInputs);
    serviceInputs.add(serviceInput);
    return getReceiptInput(subject, collectionMethod, jurisdiction, language, policyUrl, serviceInputs, properties);
}
Also used: ReceiptServiceInput (org.wso2.carbon.consent.mgt.core.model.ReceiptServiceInput), HashMap (java.util.HashMap), ArrayList (java.util.ArrayList), ConsentPurpose (org.wso2.carbon.consent.mgt.core.model.ConsentPurpose), Purpose (org.wso2.carbon.consent.mgt.core.model.Purpose), ReceiptPurposeInput (org.wso2.carbon.consent.mgt.core.model.ReceiptPurposeInput), PIICategoryValidity (org.wso2.carbon.consent.mgt.core.model.PIICategoryValidity), PurposeCategory (org.wso2.carbon.consent.mgt.core.model.PurposeCategory)

Example 12 with ClaimMetaData

Use of org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ClaimMetaData in project carbon-identity-framework by wso2.

The class SSOConsentServiceImpl, method addPIICategoryForClaim.

private PIICategory addPIICategoryForClaim(ClaimMetaData claim) throws SSOConsentServiceException {
    PIICategory piiCategory;
    PIICategory piiCategoryInput = new PIICategory(claim.getClaimUri(), claim.getDescription(), false, claim.getDisplayName());
    try {
        piiCategory = getConsentManager().addPIICategory(piiCategoryInput);
    } catch (ConsentManagementException e) {
        throw new SSOConsentServiceException("Consent PII category error", "Error while adding" + " PII category:" + DEFAULT_PURPOSE_CATEGORY, e);
    }
    return piiCategory;
}
Also used: PIICategory (org.wso2.carbon.consent.mgt.core.model.PIICategory), ConsentManagementException (org.wso2.carbon.consent.mgt.core.exception.ConsentManagementException), SSOConsentServiceException (org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.exception.SSOConsentServiceException)

Example 13 with ClaimMetaData

Use of org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ClaimMetaData in project identity-inbound-auth-oauth by wso2-extensions.

The class OAuth2AuthzEndpoint, method handlePreConsent.

/**
 * Handle user consent from claims that will be shared in OIDC responses. Claims that require consent will be
 * sent to the consent page as query params. Consent page will interpret the query params and prompt the user
 * for consent.
 *
 * @param oauth2Params        OAuth parameters of the authorization request
 * @param user                Authenticated User
 * @param useExistingConsents Whether to consider existing user consents
 * @return Additional query parameter string to be sent to the consent page (empty if no consent is needed)
 * @throws ConsentHandlingFailedException
 * @throws OAuthSystemException
 */
private String handlePreConsent(OAuth2Parameters oauth2Params, AuthenticatedUser user, boolean useExistingConsents) throws ConsentHandlingFailedException, OAuthSystemException {
    String additionalQueryParam = StringUtils.EMPTY;
    String clientId = oauth2Params.getClientId();
    String spTenantDomain = oauth2Params.getTenantDomain();
    ServiceProvider serviceProvider = getServiceProvider(clientId);
    Map<String, Object> params = new HashMap<>();
    params.put("clientId", clientId);
    try {
        params.put("user", user.getUserId());
    } catch (UserIdNotFoundException e) {
        if (StringUtils.isNotBlank(user.getAuthenticatedSubjectIdentifier())) {
            params.put("user", user.getAuthenticatedSubjectIdentifier());
        }
    }
    if (log.isDebugEnabled()) {
        log.debug("Initiating consent handling for user: " + user.toFullQualifiedUsername() + " for client_id: " + clientId + " of tenantDomain: " + spTenantDomain);
    }
    if (isConsentHandlingFromFrameworkSkipped(oauth2Params)) {
        if (log.isDebugEnabled()) {
            log.debug("Consent handling from framework skipped for client_id: " + clientId + " of tenantDomain: " + spTenantDomain + " for user: " + user.toFullQualifiedUsername());
        }
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            Map<String, Object> configs = new HashMap<>();
            configs.put("skipConsent", "true");
            LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, params, OAuthConstants.LogConstants.SUCCESS, "'skipConsent' is enabled for the OAuth client. Hence consent claims not generated.", "generate-consent-claims", configs);
        }
        return StringUtils.EMPTY;
    }
    try {
        ConsentClaimsData claimsForApproval = getConsentRequiredClaims(user, serviceProvider, useExistingConsents, oauth2Params);
        if (claimsForApproval != null) {
            String requestClaimsQueryParam = null;
            // Get the mandatory claims and append as query param.
            String mandatoryClaimsQueryParam = null;
            // Remove the claims which don't have values given by the user.
            claimsForApproval.setRequestedClaims(removeConsentRequestedNullUserAttributes(claimsForApproval.getRequestedClaims(), user.getUserAttributes(), spTenantDomain));
            List<ClaimMetaData> requestedOidcClaimsList = getRequestedOidcClaimsList(claimsForApproval, oauth2Params, spTenantDomain);
            if (CollectionUtils.isNotEmpty(requestedOidcClaimsList)) {
                requestClaimsQueryParam = REQUESTED_CLAIMS + "=" + buildConsentClaimString(requestedOidcClaimsList);
            }
            if (CollectionUtils.isNotEmpty(claimsForApproval.getMandatoryClaims())) {
                mandatoryClaimsQueryParam = MANDATORY_CLAIMS + "=" + buildConsentClaimString(claimsForApproval.getMandatoryClaims());
            }
            if (LoggerUtils.isDiagnosticLogsEnabled()) {
                Map<String, Object> configs = new HashMap<>();
                List<String> requestedClaims = new ArrayList<>();
                requestedOidcClaimsList.forEach(claim -> requestedClaims.add(claim.getClaimUri()));
                List<String> mandatoryClaims = new ArrayList<>();
                claimsForApproval.getMandatoryClaims().forEach(claim -> mandatoryClaims.add(claim.getClaimUri()));
                configs.put("skipConsent", "false");
                configs.put("requestedClaims", requestedClaims);
                configs.put("mandatoryClaims", mandatoryClaims);
                LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, params, OAuthConstants.LogConstants.SUCCESS, "Consent claims generation successful. Consent claims query parameter: " + additionalQueryParam, "generate-consent-claims", configs);
            }
            additionalQueryParam = buildQueryParamString(requestClaimsQueryParam, mandatoryClaimsQueryParam);
        }
    } catch (UnsupportedEncodingException | SSOConsentServiceException e) {
        String msg = "Error while handling user consent for claim for user: " + user.toFullQualifiedUsername() + " for client_id: " + clientId + " of tenantDomain: " + spTenantDomain;
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, params, OAuthConstants.LogConstants.FAILED, "System error occurred.", "generate-consent-claims", null);
        }
        throw new ConsentHandlingFailedException(msg, e);
    } catch (ClaimMetadataException e) {
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, params, OAuthConstants.LogConstants.FAILED, "System error occurred.", "generate-consent-claims", null);
        }
        throw new ConsentHandlingFailedException("Error while getting claim mappings for " + OIDC_DIALECT, e);
    } catch (RequestObjectException e) {
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, params, OAuthConstants.LogConstants.FAILED, "System error occurred.", "generate-consent-claims", null);
        }
        throw new ConsentHandlingFailedException("Error while getting essential claims for the session data key " + ": " + oauth2Params.getSessionDataKey(), e);
    }
    if (log.isDebugEnabled()) {
        log.debug("Additional Query param to be sent to consent page for user: " + user.toFullQualifiedUsername() + " for client_id: " + clientId + " is '" + additionalQueryParam + "'");
    }
    return additionalQueryParam;
}
Also used: RequestObjectException (org.wso2.carbon.identity.oauth2.RequestObjectException), ClaimMetadataException (org.wso2.carbon.identity.claim.metadata.mgt.exception.ClaimMetadataException), ConcurrentHashMap (java.util.concurrent.ConcurrentHashMap), HashMap (java.util.HashMap), ArrayList (java.util.ArrayList), ConsentClaimsData (org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ConsentClaimsData), UnsupportedEncodingException (java.io.UnsupportedEncodingException), SSOConsentServiceException (org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.exception.SSOConsentServiceException), UserIdNotFoundException (org.wso2.carbon.identity.application.authentication.framework.exception.UserIdNotFoundException), ClaimMetaData (org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ClaimMetaData), ConsentHandlingFailedException (org.wso2.carbon.identity.oauth.endpoint.exception.ConsentHandlingFailedException), ServiceProvider (org.wso2.carbon.identity.application.common.model.ServiceProvider), RequestObject (org.wso2.carbon.identity.openidconnect.model.RequestObject), JSONObject (org.json.JSONObject)

Example 14 with ClaimMetaData

Use of org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ClaimMetaData in project identity-inbound-auth-oauth by wso2-extensions.

The class OAuth2AuthzEndpoint, method removeConsentRequestedNullUserAttributes.

/**
 * Filter out the requested claims with the user attributes.
 *
 * @param requestedClaims List of requested claims metadata.
 * @param userAttributes  Authenticated user's attributes.
 * @param spTenantDomain  Tenant domain.
 * @return Filtered claims with user attributes.
 * @throws ClaimMetadataException If an error occurred while getting claim mappings.
 */
private List<ClaimMetaData> removeConsentRequestedNullUserAttributes(List<ClaimMetaData> requestedClaims, Map<ClaimMapping, String> userAttributes, String spTenantDomain) throws ClaimMetadataException {
    List<String> localClaims = new ArrayList<>();
    List<ClaimMetaData> filteredRequestedClaims = new ArrayList<>();
    List<String> localClaimUris = new ArrayList<>();
    if (requestedClaims != null && userAttributes != null) {
        for (Map.Entry<ClaimMapping, String> attribute : userAttributes.entrySet()) {
            localClaims.add(attribute.getKey().getLocalClaim().getClaimUri());
        }
        if (CollectionUtils.isNotEmpty(localClaims)) {
            Set<ExternalClaim> externalClaimSetOfOidcClaims = ClaimMetadataHandler.getInstance().getMappingsFromOtherDialectToCarbon(OIDC_DIALECT, new HashSet<String>(localClaims), spTenantDomain);
            for (ExternalClaim externalClaim : externalClaimSetOfOidcClaims) {
                localClaimUris.add(externalClaim.getMappedLocalClaim());
            }
        }
        for (ClaimMetaData claimMetaData : requestedClaims) {
            if (localClaimUris.contains(claimMetaData.getClaimUri())) {
                filteredRequestedClaims.add(claimMetaData);
            }
        }
    }
    return filteredRequestedClaims;
}
Also used: ClaimMapping (org.wso2.carbon.identity.application.common.model.ClaimMapping), ExternalClaim (org.wso2.carbon.identity.claim.metadata.mgt.model.ExternalClaim), ArrayList (java.util.ArrayList), ClaimMetaData (org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ClaimMetaData), Map (java.util.Map), ConcurrentHashMap (java.util.concurrent.ConcurrentHashMap), HashMap (java.util.HashMap), MultivaluedMap (javax.ws.rs.core.MultivaluedMap)

Example 15 with ClaimMetaData

Use of org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ClaimMetaData in project identity-inbound-auth-oauth by wso2-extensions.

The class OAuth2AuthzEndpoint, method getRequestedOidcClaimsList.

/**
 * Filter requested claims based on OIDC claims and return only the claims which are included in OIDC.
 *
 * @param claimsForApproval         Consent required claims.
 * @param oauth2Params              OAuth parameters.
 * @param spTenantDomain            Tenant domain.
 * @return                          Requested OIDC claim list.
 * @throws RequestObjectException   If an error occurred while getting essential claims for the session data key.
 * @throws ClaimMetadataException   If an error occurred while getting claim mappings.
 */
private List<ClaimMetaData> getRequestedOidcClaimsList(ConsentClaimsData claimsForApproval, OAuth2Parameters oauth2Params, String spTenantDomain) throws RequestObjectException, ClaimMetadataException {
    List<ClaimMetaData> requestedOidcClaimsList = new ArrayList<>();
    List<String> localClaimsOfOidcClaims = new ArrayList<>();
    List<String> localClaimsOfEssentialClaims = new ArrayList<>();
    // Get the claims uri list of all the requested scopes. Eg:- country, email.
    List<String> claimListOfScopes = openIDConnectClaimFilter.getClaimsFilteredByOIDCScopes(oauth2Params.getScopes(), spTenantDomain);
    List<String> essentialRequestedClaims = new ArrayList<>();
    if (oauth2Params.isRequestObjectFlow()) {
        // Get the requested claims that came through the request object.
        List<RequestedClaim> requestedClaimsOfIdToken = EndpointUtil.getRequestObjectService().getRequestedClaimsForSessionDataKey(oauth2Params.getSessionDataKey(), false);
        List<RequestedClaim> requestedClaimsOfUserInfo = EndpointUtil.getRequestObjectService().getRequestedClaimsForSessionDataKey(oauth2Params.getSessionDataKey(), true);
        // Get the list of id token's essential claims.
        for (RequestedClaim requestedClaim : requestedClaimsOfIdToken) {
            if (requestedClaim.isEssential()) {
                essentialRequestedClaims.add(requestedClaim.getName());
            }
        }
        // Get the list of user info's essential claims.
        for (RequestedClaim requestedClaim : requestedClaimsOfUserInfo) {
            if (requestedClaim.isEssential()) {
                essentialRequestedClaims.add(requestedClaim.getName());
            }
        }
    }
    if (CollectionUtils.isNotEmpty(claimListOfScopes)) {
        // Get the external claims relevant to all oidc scope claims and essential claims.
        Set<ExternalClaim> externalClaimSetOfOidcClaims = ClaimMetadataHandler.getInstance().getMappingsFromOtherDialectToCarbon(OIDC_DIALECT, new HashSet<String>(claimListOfScopes), spTenantDomain);
        /* Get the locally mapped claims for all the external claims of requested scope and essential claims.
           Eg:- http://wso2.org/claims/country, http://wso2.org/claims/emailaddress */
        for (ExternalClaim externalClaim : externalClaimSetOfOidcClaims) {
            localClaimsOfOidcClaims.add(externalClaim.getMappedLocalClaim());
        }
    }
    if (CollectionUtils.isNotEmpty(essentialRequestedClaims)) {
        // Get the external claims relevant to all essential requested claims.
        Set<ExternalClaim> externalClaimSetOfEssentialClaims = ClaimMetadataHandler.getInstance().getMappingsFromOtherDialectToCarbon(OIDC_DIALECT, new HashSet<String>(essentialRequestedClaims), spTenantDomain);
        /* Get the locally mapped claims for all the external claims of essential claims.
           Eg:- http://wso2.org/claims/country, http://wso2.org/claims/emailaddress */
        for (ExternalClaim externalClaim : externalClaimSetOfEssentialClaims) {
            localClaimsOfEssentialClaims.add(externalClaim.getMappedLocalClaim());
        }
    }
    /* Check whether the local claims of the OIDC claims contain the requested claim, or the essential claims of
       the request object contain the requested claim. If so, add it as a requested claim. */
    for (ClaimMetaData claimMetaData : claimsForApproval.getRequestedClaims()) {
        if (localClaimsOfOidcClaims.contains(claimMetaData.getClaimUri()) || localClaimsOfEssentialClaims.contains(claimMetaData.getClaimUri())) {
            requestedOidcClaimsList.add(claimMetaData);
        }
    }
    return requestedOidcClaimsList;
}
Also used: RequestedClaim (org.wso2.carbon.identity.openidconnect.model.RequestedClaim), ExternalClaim (org.wso2.carbon.identity.claim.metadata.mgt.model.ExternalClaim), ArrayList (java.util.ArrayList), ClaimMetaData (org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ClaimMetaData)
