use of org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ConsentClaimsData in project carbon-identity-framework by wso2.
Class ConsentMgtPostAuthnHandler, method handlePreConsent.
/**
 * Pre-consent step of the post-authentication flow: decides whether the authenticated user still has to
 * be shown the consent page for the current service provider.
 *
 * <p>Flow: the default service provider is skipped outright; otherwise the consent-required claims (taking
 * existing consents into account) are fetched from the SSO consent service, claims the user has no value
 * for are dropped, and if consent is already present for everything required the flow completes. Otherwise
 * the user is redirected to the consent page, the "consent popped up" state is recorded and the claim
 * metadata is stored on the context under {@code CONSENT_CLAIM_META_DATA} for the post-consent step.
 *
 * @param request  the current request (not read here; kept for the handler contract)
 * @param response response used for the redirect to the consent page
 * @param context  authentication context holding the sequence/application configuration
 * @return {@code SUCCESS_COMPLETED} when no consent interaction is needed (including when consent
 *         management is disabled for the SP), {@code INCOMPLETE} after redirecting to the consent page
 * @throws PostAuthenticationFailedException if the SSO consent service fails while retrieving consent data
 */
protected PostAuthnHandlerFlowStatus handlePreConsent(HttpServletRequest request, HttpServletResponse response,
                                                     AuthenticationContext context)
        throws PostAuthenticationFailedException {

    String applicationName = context.getSequenceConfig().getApplicationConfig().getApplicationName();
    Map<String, String> spClaimMappings = context.getSequenceConfig().getApplicationConfig().getClaimMappings();

    // Should be removed once the issue is fixed: the default SP never goes through consent.
    if (SP_NAME_DEFAULT.equalsIgnoreCase(applicationName)) {
        return PostAuthnHandlerFlowStatus.SUCCESS_COMPLETED;
    }

    AuthenticatedUser user = getAuthenticatedUser(context);
    ServiceProvider sp = getServiceProvider(context);
    try {
        ConsentClaimsData claimsData =
                getSSOConsentService().getConsentRequiredClaimsWithExistingConsents(sp, user);
        if (isDebugEnabled()) {
            logDebug(String.format("Retrieving required consent data of user: %s for service "
                            + "provider: %s in tenant domain: %s.",
                    user.getAuthenticatedSubjectIdentifier(), sp.getApplicationName(), getSPTenantDomain(sp)));
        }

        removeClaimsWithoutConsent(context, claimsData);
        // Requested claims for which the user has no attribute value are dropped: there is nothing to consent to.
        claimsData.setRequestedClaims(removeConsentRequestedNullUserAttributes(
                claimsData.getRequestedClaims(), user.getUserAttributes(), spClaimMappings));

        if (hasConsentForRequiredClaims(claimsData)) {
            if (isDebugEnabled()) {
                logDebug(String.format("Required consent data is empty for user: %s for service "
                                + "provider: %s in tenant domain: %s. Post authentication completed.",
                        user.getAuthenticatedSubjectIdentifier(), sp.getApplicationName(),
                        getSPTenantDomain(sp)));
            }
            return PostAuthnHandlerFlowStatus.SUCCESS_COMPLETED;
        }

        // Consent is still outstanding: build the claim strings the consent page expects and redirect.
        String mandatoryClaimString = buildConsentClaimString(claimsData.getMandatoryClaims());
        String requestedClaimString = buildConsentClaimString(claimsData.getRequestedClaims());
        if (isDebugEnabled()) {
            String template = "Require consent for mandatory claims: %s, requested claims: %s, from user: %s "
                    + "for service provider: %s in tenant domain: %s.";
            logDebug(String.format(template, claimsData.getMandatoryClaims(), claimsData.getRequestedClaims(),
                    user.getAuthenticatedSubjectIdentifier(), sp.getApplicationName(), getSPTenantDomain(sp)));
        }
        redirectToConsentPage(response, context, requestedClaimString, mandatoryClaimString);
        setConsentPoppedUpState(context);
        // The post-consent step needs the same claim ids; hand the metadata over via the context.
        context.addParameter(CONSENT_CLAIM_META_DATA, claimsData);
        return PostAuthnHandlerFlowStatus.INCOMPLETE;
    } catch (SSOConsentDisabledException e) {
        // Consent management is switched off for this SP: nothing to collect, the flow simply completes.
        return PostAuthnHandlerFlowStatus.SUCCESS_COMPLETED;
    } catch (SSOConsentServiceException e) {
        String description = String.format("Error occurred while retrieving consent data of user: %s for service "
                        + "provider: %s in tenant domain: %s.",
                user.getAuthenticatedSubjectIdentifier(), sp.getApplicationName(), getSPTenantDomain(sp));
        throw new PostAuthenticationFailedException("Authentication failed. Error occurred while processing user "
                + "consent.", description, e);
    }
}
use of org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ConsentClaimsData in project carbon-identity-framework by wso2.
Class SSOConsentServiceImpl, method getConsentRequiredClaimData.
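/**
 * Resolves mandatory and requested local claim URIs into {@link ClaimMetaData} entries for the consent page.
 *
 * <p>Each URI that has a matching {@link LocalClaim} in the tenant is built from that local claim; URIs with
 * no local claim definition are still kept, built from the URI alone. Claim ids are assigned sequentially in
 * iteration order (mandatory first, then requested). The ids are presumably what the consent page sends back
 * as the approved-claim ids, so the same inputs must yield the same ids whenever this is re-run for the
 * post-consent step — keep the ordering stable.
 *
 * <p>Both input lists are consumed: a URI is removed from its list as soon as it is matched against a local
 * claim, so callers must pass mutable lists and must not rely on their contents afterwards.
 *
 * @param mandatoryClaims mutable list of local claim URIs the SP marks mandatory
 * @param requestedClaims mutable list of local claim URIs the SP requests (non-mandatory)
 * @param tenantDomain    tenant whose local claim definitions are used
 * @return consent claim data with mandatory and requested claim metadata populated
 * @throws SSOConsentServiceException if the tenant's local claims cannot be retrieved
 */
private ConsentClaimsData getConsentRequiredClaimData(List<String> mandatoryClaims, List<String> requestedClaims,
                                                      String tenantDomain) throws SSOConsentServiceException {

    ConsentClaimsData consentClaimsData = new ConsentClaimsData();
    try {
        List<LocalClaim> localClaims = getClaimMetadataManagementService().getLocalClaims(tenantDomain);
        List<ClaimMetaData> mandatoryClaimsMetaData = new ArrayList<>();
        List<ClaimMetaData> requestedClaimsMetaData = new ArrayList<>();
        // Sequential id shared by both lists; incremented on every entry built.
        int claimId = 0;
        if (isNotEmpty(localClaims)) {
            for (LocalClaim localClaim : localClaims) {
                // Stop early once there is nothing left to match (presumably: both lists drained).
                if (isAllRequiredClaimsChecked(mandatoryClaims, requestedClaims)) {
                    break;
                }
                String claimURI = localClaim.getClaimURI();
                // A URI present in both lists is recorded once, as mandatory.
                if (mandatoryClaims.remove(claimURI)) {
                    mandatoryClaimsMetaData.add(buildClaimMetaData(claimId, localClaim, claimURI));
                    claimId++;
                } else if (requestedClaims.remove(claimURI)) {
                    requestedClaimsMetaData.add(buildClaimMetaData(claimId, localClaim, claimURI));
                    claimId++;
                }
            }
        }
        // Whatever is left has no local claim definition in this tenant; keep it with URI-only metadata.
        if (isNotEmpty(mandatoryClaims)) {
            for (String claimUri : mandatoryClaims) {
                mandatoryClaimsMetaData.add(buildClaimMetaData(claimId, claimUri));
                claimId++;
            }
        }
        if (isNotEmpty(requestedClaims)) {
            // Fix: this loop previously iterated mandatoryClaims again, so unresolved requested claims were
            // silently dropped and leftover mandatory claims were duplicated into the requested list.
            for (String claimUri : requestedClaims) {
                requestedClaimsMetaData.add(buildClaimMetaData(claimId, claimUri));
                claimId++;
            }
        }
        consentClaimsData.setMandatoryClaims(mandatoryClaimsMetaData);
        consentClaimsData.setRequestedClaims(requestedClaimsMetaData);
    } catch (ClaimMetadataException e) {
        throw new SSOConsentServiceException("Error while retrieving local claims", "Error occurred while "
                + "retrieving local claims for tenant: " + tenantDomain, e);
    }
    return consentClaimsData;
}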
use of org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ConsentClaimsData in project carbon-identity-framework by wso2.
Class SSOConsentServiceImpl, method processConsent.
/**
 * Records the user's consent decision for a service provider as a consent receipt.
 *
 * <p>The approved claim ids are resolved against {@code consentClaimsData} into approved and disapproved
 * claim lists. When neither list has anything new the call is a no-op. Unless
 * {@code overrideExistingConsent} is set, the decision is combined with the user's existing receipt for
 * this SP (via {@code getUserRequestedClaims}); otherwise the fresh decision is used as is. A receipt is
 * added only when at least one claim is approved or denied.
 *
 * @param consentApprovedClaimIds ids (as assigned in {@code consentClaimsData}) of the claims the user approved
 * @param serviceProvider         service provider the consent is given to
 * @param authenticatedUser       the consenting user
 * @param consentClaimsData       claim metadata that was shown on the consent page
 * @param overrideExistingConsent when {@code true} the existing receipt is not consulted
 * @throws SSOConsentDisabledException if consent management is disabled for the service provider
 * @throws SSOConsentServiceException  if the receipt cannot be read or written
 */
@Override
public void processConsent(List<Integer> consentApprovedClaimIds, ServiceProvider serviceProvider,
                           AuthenticatedUser authenticatedUser, ConsentClaimsData consentClaimsData,
                           boolean overrideExistingConsent) throws SSOConsentServiceException {

    if (!isSSOConsentManagementEnabled(serviceProvider)) {
        String disabledMessage = "Consent management for SSO is disabled.";
        throw new SSOConsentDisabledException(disabledMessage, disabledMessage);
    }
    if (isDebugEnabled()) {
        logDebug("User: " + authenticatedUser.getAuthenticatedSubjectIdentifier() + " has approved consent.");
    }

    UserConsent decision = processUserConsent(consentApprovedClaimIds, consentClaimsData);
    boolean nothingDecided = isEmpty(decision.getApprovedClaims()) && isEmpty(decision.getDisapprovedClaims());
    if (nothingDecided) {
        if (isDebugEnabled()) {
            logDebug("User: " + authenticatedUser.getAuthenticatedSubjectIdentifier() + " has not provided new "
                    + "approved/disapproved consent. Hence skipping the consent progress.");
        }
        return;
    }

    String subject = buildSubjectWithUserStoreDomain(authenticatedUser);
    List<ClaimMetaData> approvedClaims;
    List<ClaimMetaData> deniedClaims;
    if (overrideExistingConsent) {
        approvedClaims = decision.getApprovedClaims();
        deniedClaims = decision.getDisapprovedClaims();
    } else {
        // Presumably folds the new decision into the user's existing receipt for this SP — verify against
        // getUserRequestedClaims.
        Receipt existingReceipt = getConsentReceiptOfUser(serviceProvider, authenticatedUser,
                serviceProvider.getApplicationName(), getSPTenantDomain(serviceProvider), subject);
        approvedClaims = getUserRequestedClaims(existingReceipt, decision, true);
        deniedClaims = getUserRequestedClaims(existingReceipt, decision, false);
    }

    String spTenantDomain = getSPTenantDomain(serviceProvider);
    String subjectTenantDomain = authenticatedUser.getTenantDomain();
    if (isNotEmpty(approvedClaims) || isNotEmpty(deniedClaims)) {
        addReceipt(subject, subjectTenantDomain, serviceProvider, spTenantDomain, approvedClaims, deniedClaims);
    }
}
use of org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ConsentClaimsData in project carbon-identity-framework by wso2.
Class SSOConsentServiceImplTest, method testGetConsentRequiredClaimsWithExistingConsents.
/**
 * Verifies that getConsentRequiredClaimsWithExistingConsents splits an SP's claim mappings into requested
 * and mandatory consent claims: "organization" (requested, not mandatory) must land in the requested list
 * and "country" (mandatory) in the mandatory list.
 */
@Test
public void testGetConsentRequiredClaimsWithExistingConsents() throws Exception {

    ServiceProvider serviceProvider = buildServiceProvider();
    AuthenticatedUser authenticatedUser = getAuthenticatedUser();

    // No special handling of the subject claim in this scenario.
    mockStatic(IdentityUtil.class);
    when(IdentityUtil.getProperty("Consent.PromptSubjectClaimRequestedConsent")).thenReturn(null);
    mockCarbonContextForTenant();

    mockStatic(FrameworkServiceDataHolder.class);
    when(FrameworkServiceDataHolder.getInstance()).thenReturn(frameworkServiceDataHolder);
    setConsentManagerConfigurationHolder();
    RealmService realmService = mock(RealmService.class);
    configurationHolder.setRealmService(realmService);
    ConsentManager consentManager = new ConsentManagerImpl(configurationHolder);
    when(frameworkServiceDataHolder.getConsentManager()).thenReturn(consentManager);

    mockStatic(ConsentUtils.class);
    when(ConsentUtils.getTenantDomainFromCarbonContext()).thenReturn("carbon.super");
    mockRealmService(realmService);

    // Both mapped claims exist as local claims in the tenant.
    when(frameworkServiceDataHolder.getClaimMetadataManagementService()).thenReturn(claimMetadataManagementService);
    List<LocalClaim> tenantLocalClaims = new ArrayList<>();
    tenantLocalClaims.add(new LocalClaim("http://wso2.org/claims/country"));
    tenantLocalClaims.add(new LocalClaim("http://wso2.org/claims/organization"));
    when(claimMetadataManagementService.getLocalClaims(anyString())).thenReturn(tenantLocalClaims);

    ConsentClaimsData consentClaimsData =
            ssoConsentService.getConsentRequiredClaimsWithExistingConsents(serviceProvider, authenticatedUser);

    assertEquals(consentClaimsData.getRequestedClaims().get(0).getClaimUri(),
            "http://wso2.org/claims/organization", "Incorrect requested claim URI");
    assertEquals(consentClaimsData.getMandatoryClaims().get(0).getClaimUri(),
            "http://wso2.org/claims/country", "Incorrect mandatory claim URI");
    assertNotNull(consentClaimsData.getMandatoryClaims().get(0).getClaimUri());
}

/** Builds the "Travelocity.com" SP owned by a PRIMARY/carbon.super user with two requested claim mappings. */
private static ServiceProvider buildServiceProvider() {

    ServiceProvider serviceProvider = new ServiceProvider();
    serviceProvider.setApplicationName("Travelocity.com");

    User owner = new User();
    owner.setTenantDomain("carbon.super");
    owner.setUserStoreDomain("PRIMARY");
    serviceProvider.setOwner(owner);

    ClaimConfig claimConfig = new ClaimConfig();
    claimConfig.setClaimMappings(new ClaimMapping[] {
            buildRequestedClaimMapping("http://wso2.org/claims/organization", false),
            buildRequestedClaimMapping("http://wso2.org/claims/country", true) });
    serviceProvider.setClaimConfig(claimConfig);

    // No subject claim URI configured for the SP.
    LocalAndOutboundAuthenticationConfig authConfig = new LocalAndOutboundAuthenticationConfig();
    authConfig.setSubjectClaimUri(null);
    serviceProvider.setLocalAndOutBoundAuthenticationConfig(authConfig);
    return serviceProvider;
}

/** Builds a requested claim mapping whose local and remote claim are the same URI. */
private static ClaimMapping buildRequestedClaimMapping(String claimUri, boolean mandatory) {

    Claim claim = new Claim();
    claim.setClaimUri(claimUri);
    ClaimMapping mapping = new ClaimMapping();
    mapping.setRequested(true);
    mapping.setMandatory(mandatory);
    mapping.setLocalClaim(claim);
    mapping.setRemoteClaim(claim);
    return mapping;
}
use of org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.ConsentClaimsData in project identity-inbound-auth-oauth by wso2-extensions.
Class OAuth2AuthzEndpoint, method handlePostConsent.
/**
 * Post-consent step of the authorization endpoint: hands the user's consent decision to the framework's
 * SSO consent service so a consent receipt is created.
 *
 * <p>Nothing is done when consent handling from the framework is skipped for the client. Otherwise the
 * consent-required claim data is re-fetched (the consent service needs the same object it produced at the
 * pre-consent stage), narrowed to the claims the user actually has values for and to the request's OIDC
 * claims, and passed to {@code processConsent}. A {@code prompt} containing {@code consent} makes the new
 * decision override any existing consent instead of being merged with it.
 *
 * <p>Note: {@code getConsentRequiredClaims} may return {@code null} (see the null check below); in that case
 * {@code null} is passed through to {@code processConsent} unchanged.
 *
 * @param oAuthMessage the current authorization request and its session state
 * @throws ConsentHandlingFailedException on any system, consent-service, claim-metadata or request-object error
 */
private void handlePostConsent(OAuthMessage oAuthMessage) throws ConsentHandlingFailedException {

    OAuth2Parameters oauth2Params = getOauth2Params(oAuthMessage);
    String tenantDomainOfClient = EndpointUtil.getSPTenantDomainFromClientId(oauth2Params.getClientId());
    setSPAttributeToRequest(oAuthMessage.getRequest(), oauth2Params.getApplicationName(), tenantDomainOfClient);
    String spTenantDomain = oauth2Params.getTenantDomain();
    AuthenticatedUser user = getLoggedInUser(oAuthMessage);
    String clientId = oauth2Params.getClientId();

    if (log.isDebugEnabled()) {
        log.debug("Initiating post user consent handling for user: " + user.toFullQualifiedUsername()
                + " for client_id: " + clientId + " of tenantDomain: " + spTenantDomain);
    }

    try {
        if (isConsentHandlingFromFrameworkSkipped(oauth2Params)) {
            if (log.isDebugEnabled()) {
                log.debug("Consent handling from framework skipped for client_id: " + clientId + " of tenantDomain: "
                        + spTenantDomain + " for user: " + user.toFullQualifiedUsername() + ". "
                        + "Therefore handling post consent is not applicable.");
            }
            if (LoggerUtils.isDiagnosticLogsEnabled()) {
                Map<String, Object> skipParams = new HashMap<>();
                skipParams.put("clientId", clientId);
                Map<String, Object> skipConfigs = new HashMap<>();
                skipConfigs.put("skipConsent", "true");
                LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, skipParams,
                        OAuthConstants.LogConstants.SUCCESS, "Consent is disabled for the OAuth client.",
                        "handle-consent", skipConfigs);
            }
            return;
        }

        List<Integer> approvedClaimIds = getUserConsentClaimIds(oAuthMessage);
        ServiceProvider serviceProvider = getServiceProvider(clientId);

        /*
         * The SSOConsentService currently expects the same ConsentClaimsData object it handed out at the
         * pre-consent stage, so the pre-consent call is repeated here (assuming the SP did not change in
         * between). The consent service API is expected to be improved so this re-fetch becomes unnecessary.
         */
        ConsentClaimsData consentClaimsData = getConsentRequiredClaims(user, serviceProvider, oauth2Params);
        if (consentClaimsData != null) {
            // Requested claims without a user attribute value carry nothing to consent to.
            consentClaimsData.setRequestedClaims(removeConsentRequestedNullUserAttributes(
                    consentClaimsData.getRequestedClaims(), user.getUserAttributes(), spTenantDomain));
            /*
             * Narrow the consent-required claims to the request's OIDC claims; otherwise claims outside the
             * OIDC claim set would be recorded as consent denied.
             */
            consentClaimsData.setRequestedClaims(
                    getRequestedOidcClaimsList(consentClaimsData, oauth2Params, spTenantDomain));
        }

        // Call framework and create the consent receipt.
        if (log.isDebugEnabled()) {
            log.debug("Creating user consent receipt for user: " + user.toFullQualifiedUsername()
                    + " for client_id: " + clientId + " of tenantDomain: " + spTenantDomain);
        }
        // prompt=consent means the user re-consented explicitly: replace rather than merge existing consent.
        boolean overrideExistingConsent = hasPromptContainsConsent(oauth2Params);
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            Map<String, Object> handoverParams = new HashMap<>();
            handoverParams.put("clientId", clientId);
            handoverParams.put("prompt", oauth2Params.getPrompt());
            LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, handoverParams,
                    OAuthConstants.LogConstants.SUCCESS, null, "hand-over-to-consent-service", null);
        }
        getSSOConsentService().processConsent(approvedClaimIds, serviceProvider, user, consentClaimsData,
                overrideExistingConsent);
    } catch (OAuthSystemException | SSOConsentServiceException e) {
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, null,
                    OAuthConstants.LogConstants.FAILED, "System error occurred.", "process-consent", null);
        }
        String msg = "Error while processing consent of user: " + user.toFullQualifiedUsername() + " for "
                + "client_id: " + clientId + " of tenantDomain: " + spTenantDomain;
        throw new ConsentHandlingFailedException(msg, e);
    } catch (ClaimMetadataException e) {
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, null,
                    OAuthConstants.LogConstants.FAILED,
                    String.format("Error occurred while getting " + "claim mappings for %s.", OIDC_DIALECT),
                    "process-consent", null);
        }
        throw new ConsentHandlingFailedException("Error while getting claim mappings for " + OIDC_DIALECT, e);
    } catch (RequestObjectException e) {
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, null,
                    OAuthConstants.LogConstants.FAILED,
                    String.format("Error occurred while getting essential claims for the session data key : %s.",
                            oauth2Params.getSessionDataKey()), "process-consent", null);
        }
        throw new ConsentHandlingFailedException("Error while getting essential claims for the session data key "
                + ": " + oauth2Params.getSessionDataKey(), e);
    }
}