Example 11 with ClaimMetaData
use of org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ClaimMetaData in project carbon-identity-framework by wso2.
the class SSOConsentServiceImpl method buildReceiptInput.
private ReceiptInput buildReceiptInput(String subject, ServiceProvider serviceProvider, String spTenantDomain, List<ClaimMetaData> claimsWithConsent, List<ClaimMetaData> claimsDeniedConsent) throws SSOConsentServiceException {
String collectionMethod = "Web Form - Sign-in";
String jurisdiction = "NONE";
String language = "us_EN";
String consentType = "EXPLICIT";
String termination = CONSENT_VALIDITY_TYPE_VALID_UNTIL + CONSENT_VALIDITY_TYPE_SEPARATOR + CONSENT_VALIDITY_TYPE_VALID_UNTIL_INDEFINITE;
String policyUrl = "NONE";
Purpose purpose = getDefaultPurpose();
PurposeCategory purposeCategory = getDefaultPurposeCategory();
List<PIICategoryValidity> piiCategoryIds = getPiiCategoryValidityForClaims(claimsWithConsent, claimsDeniedConsent, termination);
List<ReceiptServiceInput> serviceInputs = new ArrayList<>();
List<ReceiptPurposeInput> purposeInputs = new ArrayList<>();
List<Integer> purposeCategoryIds = new ArrayList<>();
Map<String, String> properties = new HashMap<>();
purposeCategoryIds.add(purposeCategory.getId());
ReceiptPurposeInput purposeInput = getReceiptPurposeInput(consentType, termination, purpose, piiCategoryIds, purposeCategoryIds);
purposeInputs.add(purposeInput);
ReceiptServiceInput serviceInput = getReceiptServiceInput(serviceProvider, spTenantDomain, purposeInputs);
serviceInputs.add(serviceInput);
return getReceiptInput(subject, collectionMethod, jurisdiction, language, policyUrl, serviceInputs, properties);
}
Also used :
ReceiptServiceInput(org.wso2.carbon.consent.mgt.core.model.ReceiptServiceInput)
HashMap(java.util.HashMap)
ArrayList(java.util.ArrayList)
ConsentPurpose(org.wso2.carbon.consent.mgt.core.model.ConsentPurpose)
Purpose(org.wso2.carbon.consent.mgt.core.model.Purpose)
ReceiptPurposeInput(org.wso2.carbon.consent.mgt.core.model.ReceiptPurposeInput)
PIICategoryValidity(org.wso2.carbon.consent.mgt.core.model.PIICategoryValidity)
PurposeCategory(org.wso2.carbon.consent.mgt.core.model.PurposeCategory)
Example 12 with ClaimMetaData
use of org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ClaimMetaData in project carbon-identity-framework by wso2.
the class SSOConsentServiceImpl method addPIICategoryForClaim.
private PIICategory addPIICategoryForClaim(ClaimMetaData claim) throws SSOConsentServiceException {
PIICategory piiCategory;
PIICategory piiCategoryInput = new PIICategory(claim.getClaimUri(), claim.getDescription(), false, claim.getDisplayName());
try {
piiCategory = getConsentManager().addPIICategory(piiCategoryInput);
} catch (ConsentManagementException e) {
throw new SSOConsentServiceException("Consent PII category error", "Error while adding" + " PII category:" + DEFAULT_PURPOSE_CATEGORY, e);
}
return piiCategory;
}
Also used :
PIICategory(org.wso2.carbon.consent.mgt.core.model.PIICategory)
ConsentManagementException(org.wso2.carbon.consent.mgt.core.exception.ConsentManagementException)
SSOConsentServiceException(org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.exception.SSOConsentServiceException)
Example 13 with ClaimMetaData
use of org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ClaimMetaData in project identity-inbound-auth-oauth by wso2-extensions.
the class OAuth2AuthzEndpoint method handlePreConsent.
/**
* Handle user consent from claims that will be shared in OIDC responses. Claims that require consent will be
* sent to the consent page as query params. Consent page will interpret the query params and prompt the user
* for consent.
*
* @param oauth2Params
* @param user Authenticated User
* @param useExistingConsents Whether to consider existing user consents
* @return
* @throws ConsentHandlingFailedException
* @throws OAuthSystemException
*/
private String handlePreConsent(OAuth2Parameters oauth2Params, AuthenticatedUser user, boolean useExistingConsents) throws ConsentHandlingFailedException, OAuthSystemException {
String additionalQueryParam = StringUtils.EMPTY;
String clientId = oauth2Params.getClientId();
String spTenantDomain = oauth2Params.getTenantDomain();
ServiceProvider serviceProvider = getServiceProvider(clientId);
Map<String, Object> params = new HashMap<>();
params.put("clientId", clientId);
try {
params.put("user", user.getUserId());
} catch (UserIdNotFoundException e) {
if (StringUtils.isNotBlank(user.getAuthenticatedSubjectIdentifier())) {
params.put("user", user.getAuthenticatedSubjectIdentifier());
}
}
if (log.isDebugEnabled()) {
log.debug("Initiating consent handling for user: " + user.toFullQualifiedUsername() + " for client_id: " + clientId + " of tenantDomain: " + spTenantDomain);
}
if (isConsentHandlingFromFrameworkSkipped(oauth2Params)) {
if (log.isDebugEnabled()) {
log.debug("Consent handling from framework skipped for client_id: " + clientId + " of tenantDomain: " + spTenantDomain + " for user: " + user.toFullQualifiedUsername());
}
if (LoggerUtils.isDiagnosticLogsEnabled()) {
Map<String, Object> configs = new HashMap<>();
configs.put("skipConsent", "true");
LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, params, OAuthConstants.LogConstants.SUCCESS, "'skipConsent' is enabled for the OAuth client. Hence consent claims not generated.", "generate-consent-claims", configs);
}
return StringUtils.EMPTY;
}
try {
ConsentClaimsData claimsForApproval = getConsentRequiredClaims(user, serviceProvider, useExistingConsents, oauth2Params);
if (claimsForApproval != null) {
String requestClaimsQueryParam = null;
// Get the mandatory claims and append as query param.
String mandatoryClaimsQueryParam = null;
// Remove the claims which dont have values given by the user.
claimsForApproval.setRequestedClaims(removeConsentRequestedNullUserAttributes(claimsForApproval.getRequestedClaims(), user.getUserAttributes(), spTenantDomain));
List<ClaimMetaData> requestedOidcClaimsList = getRequestedOidcClaimsList(claimsForApproval, oauth2Params, spTenantDomain);
if (CollectionUtils.isNotEmpty(requestedOidcClaimsList)) {
requestClaimsQueryParam = REQUESTED_CLAIMS + "=" + buildConsentClaimString(requestedOidcClaimsList);
}
if (CollectionUtils.isNotEmpty(claimsForApproval.getMandatoryClaims())) {
mandatoryClaimsQueryParam = MANDATORY_CLAIMS + "=" + buildConsentClaimString(claimsForApproval.getMandatoryClaims());
}
if (LoggerUtils.isDiagnosticLogsEnabled()) {
Map<String, Object> configs = new HashMap<>();
List<String> requestedClaims = new ArrayList<>();
requestedOidcClaimsList.forEach(claim -> requestedClaims.add(claim.getClaimUri()));
List<String> mandatoryClaims = new ArrayList<>();
claimsForApproval.getMandatoryClaims().forEach(claim -> mandatoryClaims.add(claim.getClaimUri()));
configs.put("skipConsent", "false");
configs.put("requestedClaims", requestedClaims);
configs.put("mandatoryClaims", mandatoryClaims);
LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, params, OAuthConstants.LogConstants.SUCCESS, "Consent claims generation successful. Consent claims query parameter: " + additionalQueryParam, "generate-consent-claims", configs);
}
additionalQueryParam = buildQueryParamString(requestClaimsQueryParam, mandatoryClaimsQueryParam);
}
} catch (UnsupportedEncodingException | SSOConsentServiceException e) {
String msg = "Error while handling user consent for claim for user: " + user.toFullQualifiedUsername() + " for client_id: " + clientId + " of tenantDomain: " + spTenantDomain;
if (LoggerUtils.isDiagnosticLogsEnabled()) {
LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, params, OAuthConstants.LogConstants.FAILED, "System error occurred.", "generate-consent-claims", null);
}
throw new ConsentHandlingFailedException(msg, e);
} catch (ClaimMetadataException e) {
if (LoggerUtils.isDiagnosticLogsEnabled()) {
LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, params, OAuthConstants.LogConstants.FAILED, "System error occurred.", "generate-consent-claims", null);
}
throw new ConsentHandlingFailedException("Error while getting claim mappings for " + OIDC_DIALECT, e);
} catch (RequestObjectException e) {
if (LoggerUtils.isDiagnosticLogsEnabled()) {
LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, params, OAuthConstants.LogConstants.FAILED, "System error occurred.", "generate-consent-claims", null);
}
throw new ConsentHandlingFailedException("Error while getting essential claims for the session data key " + ": " + oauth2Params.getSessionDataKey(), e);
}
if (log.isDebugEnabled()) {
log.debug("Additional Query param to be sent to consent page for user: " + user.toFullQualifiedUsername() + " for client_id: " + clientId + " is '" + additionalQueryParam + "'");
}
return additionalQueryParam;
}
Also used :
RequestObjectException(org.wso2.carbon.identity.oauth2.RequestObjectException)
ClaimMetadataException(org.wso2.carbon.identity.claim.metadata.mgt.exception.ClaimMetadataException)
ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap)
HashMap(java.util.HashMap)
ArrayList(java.util.ArrayList)
ConsentClaimsData(org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ConsentClaimsData)
UnsupportedEncodingException(java.io.UnsupportedEncodingException)
SSOConsentServiceException(org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.exception.SSOConsentServiceException)
UserIdNotFoundException(org.wso2.carbon.identity.application.authentication.framework.exception.UserIdNotFoundException)
ClaimMetaData(org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ClaimMetaData)
ConsentHandlingFailedException(org.wso2.carbon.identity.oauth.endpoint.exception.ConsentHandlingFailedException)
ServiceProvider(org.wso2.carbon.identity.application.common.model.ServiceProvider)
RequestObject(org.wso2.carbon.identity.openidconnect.model.RequestObject)
JSONObject(org.json.JSONObject)
Example 14 with ClaimMetaData
use of org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ClaimMetaData in project identity-inbound-auth-oauth by wso2-extensions.
the class OAuth2AuthzEndpoint method removeConsentRequestedNullUserAttributes.
/**
* Filter out the requested claims with the user attributes.
*
* @param requestedClaims List of requested claims metadata.
* @param userAttributes Authenticated users' attributes.
* @param spTenantDomain Tenant domain.
* @return Filtered claims with user attributes.
* @throws ClaimMetadataException If an error occurred while getting claim mappings.
*/
private List<ClaimMetaData> removeConsentRequestedNullUserAttributes(List<ClaimMetaData> requestedClaims, Map<ClaimMapping, String> userAttributes, String spTenantDomain) throws ClaimMetadataException {
List<String> localClaims = new ArrayList<>();
List<ClaimMetaData> filteredRequestedClaims = new ArrayList<>();
List<String> localClaimUris = new ArrayList<>();
if (requestedClaims != null && userAttributes != null) {
for (Map.Entry<ClaimMapping, String> attribute : userAttributes.entrySet()) {
localClaims.add(attribute.getKey().getLocalClaim().getClaimUri());
}
if (CollectionUtils.isNotEmpty(localClaims)) {
Set<ExternalClaim> externalClaimSetOfOidcClaims = ClaimMetadataHandler.getInstance().getMappingsFromOtherDialectToCarbon(OIDC_DIALECT, new HashSet<String>(localClaims), spTenantDomain);
for (ExternalClaim externalClaim : externalClaimSetOfOidcClaims) {
localClaimUris.add(externalClaim.getMappedLocalClaim());
}
}
for (ClaimMetaData claimMetaData : requestedClaims) {
if (localClaimUris.contains(claimMetaData.getClaimUri())) {
filteredRequestedClaims.add(claimMetaData);
}
}
}
return filteredRequestedClaims;
}
Also used :
ClaimMapping(org.wso2.carbon.identity.application.common.model.ClaimMapping)
ExternalClaim(org.wso2.carbon.identity.claim.metadata.mgt.model.ExternalClaim)
ArrayList(java.util.ArrayList)
ClaimMetaData(org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ClaimMetaData)
Map(java.util.Map)
ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap)
HashMap(java.util.HashMap)
MultivaluedMap(javax.ws.rs.core.MultivaluedMap)
Example 15 with ClaimMetaData
use of org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ClaimMetaData in project identity-inbound-auth-oauth by wso2-extensions.
the class OAuth2AuthzEndpoint method getRequestedOidcClaimsList.
/**
* Filter requested claims based on OIDC claims and return the claims which includes in OIDC.
*
* @param claimsForApproval Consent required claims.
* @param oauth2Params OAuth parameters.
* @param spTenantDomain Tenant domain.
* @return Requested OIDC claim list.
* @throws RequestObjectException If an error occurred while getting essential claims for the session data key.
* @throws ClaimMetadataException If an error occurred while getting claim mappings.
*/
private List<ClaimMetaData> getRequestedOidcClaimsList(ConsentClaimsData claimsForApproval, OAuth2Parameters oauth2Params, String spTenantDomain) throws RequestObjectException, ClaimMetadataException {
List<ClaimMetaData> requestedOidcClaimsList = new ArrayList<>();
List<String> localClaimsOfOidcClaims = new ArrayList<>();
List<String> localClaimsOfEssentialClaims = new ArrayList<>();
// Get the claims uri list of all the requested scopes. Eg:- country, email.
List<String> claimListOfScopes = openIDConnectClaimFilter.getClaimsFilteredByOIDCScopes(oauth2Params.getScopes(), spTenantDomain);
List<String> essentialRequestedClaims = new ArrayList<>();
if (oauth2Params.isRequestObjectFlow()) {
// Get the requested claims came through request object.
List<RequestedClaim> requestedClaimsOfIdToken = EndpointUtil.getRequestObjectService().getRequestedClaimsForSessionDataKey(oauth2Params.getSessionDataKey(), false);
List<RequestedClaim> requestedClaimsOfUserInfo = EndpointUtil.getRequestObjectService().getRequestedClaimsForSessionDataKey(oauth2Params.getSessionDataKey(), true);
// Get the list of id token's essential claims.
for (RequestedClaim requestedClaim : requestedClaimsOfIdToken) {
if (requestedClaim.isEssential()) {
essentialRequestedClaims.add(requestedClaim.getName());
}
}
// Get the list of user info's essential claims.
for (RequestedClaim requestedClaim : requestedClaimsOfUserInfo) {
if (requestedClaim.isEssential()) {
essentialRequestedClaims.add(requestedClaim.getName());
}
}
}
if (CollectionUtils.isNotEmpty(claimListOfScopes)) {
// Get the external claims relevant to all oidc scope claims and essential claims.
Set<ExternalClaim> externalClaimSetOfOidcClaims = ClaimMetadataHandler.getInstance().getMappingsFromOtherDialectToCarbon(OIDC_DIALECT, new HashSet<String>(claimListOfScopes), spTenantDomain);
/* Get the locally mapped claims for all the external claims of requested scope and essential claims.
Eg:- http://wso2.org/claims/country, http://wso2.org/claims/emailaddress
*/
for (ExternalClaim externalClaim : externalClaimSetOfOidcClaims) {
localClaimsOfOidcClaims.add(externalClaim.getMappedLocalClaim());
}
}
if (CollectionUtils.isNotEmpty(essentialRequestedClaims)) {
// Get the external claims relevant to all essential requested claims.
Set<ExternalClaim> externalClaimSetOfEssentialClaims = ClaimMetadataHandler.getInstance().getMappingsFromOtherDialectToCarbon(OIDC_DIALECT, new HashSet<String>(essentialRequestedClaims), spTenantDomain);
/* Get the locally mapped claims for all the external claims of essential claims.
Eg:- http://wso2.org/claims/country, http://wso2.org/claims/emailaddress
*/
for (ExternalClaim externalClaim : externalClaimSetOfEssentialClaims) {
localClaimsOfEssentialClaims.add(externalClaim.getMappedLocalClaim());
}
}
/* Check whether the local claim of oidc claims contains the requested claims or essential claims of
request object contains the requested claims, If it contains add it as requested claim.
*/
for (ClaimMetaData claimMetaData : claimsForApproval.getRequestedClaims()) {
if (localClaimsOfOidcClaims.contains(claimMetaData.getClaimUri()) || localClaimsOfEssentialClaims.contains(claimMetaData.getClaimUri())) {
requestedOidcClaimsList.add(claimMetaData);
}
}
return requestedOidcClaimsList;
}
Also used :
RequestedClaim(org.wso2.carbon.identity.openidconnect.model.RequestedClaim)
ExternalClaim(org.wso2.carbon.identity.claim.metadata.mgt.model.ExternalClaim)
ArrayList(java.util.ArrayList)
ClaimMetaData(org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ClaimMetaData)
Aggregations
ArrayList (java.util.ArrayList)10
SSOConsentServiceException (org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.exception.SSOConsentServiceException)8
HashMap (java.util.HashMap)5
ClaimMetaData (org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ClaimMetaData)5
ConcurrentHashMap (java.util.concurrent.ConcurrentHashMap)3
ConsentManagementException (org.wso2.carbon.consent.mgt.core.exception.ConsentManagementException)3
PIICategoryValidity (org.wso2.carbon.consent.mgt.core.model.PIICategoryValidity)3
Receipt (org.wso2.carbon.consent.mgt.core.model.Receipt)3
SSOConsentDisabledException (org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.exception.SSOConsentDisabledException)3
ClaimMetadataException (org.wso2.carbon.identity.claim.metadata.mgt.exception.ClaimMetadataException)3
Map (java.util.Map)2
JSONObject (org.json.JSONObject)2
PIICategory (org.wso2.carbon.consent.mgt.core.model.PIICategory)2
ConsentClaimsData (org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ConsentClaimsData)2
ClaimMapping (org.wso2.carbon.identity.application.common.model.ClaimMapping)2
ServiceProvider (org.wso2.carbon.identity.application.common.model.ServiceProvider)2
ExternalClaim (org.wso2.carbon.identity.claim.metadata.mgt.model.ExternalClaim)2
ConsentHandlingFailedException (org.wso2.carbon.identity.oauth.endpoint.exception.ConsentHandlingFailedException)2
RequestObjectException (org.wso2.carbon.identity.oauth2.RequestObjectException)2
RequestObject (org.wso2.carbon.identity.openidconnect.model.RequestObject)2
