use of org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.exception.SSOConsentDisabledException in project carbon-identity-framework by wso2.
the class ConsentMgtPostAuthnHandler method handlePreConsent.
/**
 * Pre-consent step of the post-authentication flow. Works out which claims of the current service
 * provider still need the user's consent and either completes the step (nothing left to ask, or
 * consent management is switched off) or redirects the user to the consent page.
 *
 * @param request  Current HTTP request (not read by this step).
 * @param response HTTP response used for the consent page redirect.
 * @param context  Authentication context of the current flow.
 * @return {@code SUCCESS_COMPLETED} when no further consent is required, {@code INCOMPLETE} after the
 *         user has been redirected to the consent page.
 * @throws PostAuthenticationFailedException If the consent data cannot be retrieved.
 */
protected PostAuthnHandlerFlowStatus handlePreConsent(HttpServletRequest request, HttpServletResponse response,
                                                       AuthenticationContext context)
        throws PostAuthenticationFailedException {

    ApplicationConfig applicationConfig = context.getSequenceConfig().getApplicationConfig();
    String spName = applicationConfig.getApplicationName();
    Map<String, String> claimMappings = applicationConfig.getClaimMappings();

    // Should be removed once the issue is fixed
    if (SP_NAME_DEFAULT.equalsIgnoreCase(spName)) {
        return PostAuthnHandlerFlowStatus.SUCCESS_COMPLETED;
    }

    AuthenticatedUser user = getAuthenticatedUser(context);
    ServiceProvider sp = getServiceProvider(context);

    try {
        ConsentClaimsData consentClaimsData =
                getSSOConsentService().getConsentRequiredClaimsWithExistingConsents(sp, user);
        if (isDebugEnabled()) {
            logDebug(String.format(
                    "Retrieving required consent data of user: %s for service provider: %s in tenant domain: %s.",
                    user.getAuthenticatedSubjectIdentifier(), sp.getApplicationName(), getSPTenantDomain(sp)));
        }

        removeClaimsWithoutConsent(context, consentClaimsData);
        // Drop requested claims for which the user has no attribute value to share.
        consentClaimsData.setRequestedClaims(removeConsentRequestedNullUserAttributes(
                consentClaimsData.getRequestedClaims(), user.getUserAttributes(), claimMappings));

        if (!hasConsentForRequiredClaims(consentClaimsData)) {
            // Consent is still outstanding: hand the user over to the consent page and pause the flow.
            String mandatoryLocalClaims = buildConsentClaimString(consentClaimsData.getMandatoryClaims());
            String requestedLocalClaims = buildConsentClaimString(consentClaimsData.getRequestedClaims());
            if (isDebugEnabled()) {
                logDebug(String.format(
                        "Require consent for mandatory claims: %s, requested claims: %s, from user: %s for service provider: %s in tenant domain: %s.",
                        consentClaimsData.getMandatoryClaims(), consentClaimsData.getRequestedClaims(),
                        user.getAuthenticatedSubjectIdentifier(), sp.getApplicationName(), getSPTenantDomain(sp)));
            }
            redirectToConsentPage(response, context, requestedLocalClaims, mandatoryLocalClaims);
            setConsentPoppedUpState(context);
            // Kept on the context so the post-consent step can map the user's answer back to these claims.
            context.addParameter(CONSENT_CLAIM_META_DATA, consentClaimsData);
            return PostAuthnHandlerFlowStatus.INCOMPLETE;
        }

        if (isDebugEnabled()) {
            logDebug(String.format(
                    "Required consent data is empty for user: %s for service provider: %s in tenant domain: %s. Post authentication completed.",
                    user.getAuthenticatedSubjectIdentifier(), sp.getApplicationName(), getSPTenantDomain(sp)));
        }
        return PostAuthnHandlerFlowStatus.SUCCESS_COMPLETED;
    } catch (SSOConsentDisabledException e) {
        // Consent management is switched off for this service provider: nothing to ask, continue the flow.
        return PostAuthnHandlerFlowStatus.SUCCESS_COMPLETED;
    } catch (SSOConsentServiceException e) {
        String error = String.format(
                "Error occurred while retrieving consent data of user: %s for service provider: %s in tenant domain: %s.",
                user.getAuthenticatedSubjectIdentifier(), sp.getApplicationName(), getSPTenantDomain(sp));
        throw new PostAuthenticationFailedException(
                "Authentication failed. Error occurred while processing user consent.", error, e);
    }
}
use of org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.exception.SSOConsentDisabledException in project carbon-identity-framework by wso2.
the class SSOConsentServiceImpl method getClaimsWithConsents.
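/**
 * Retrieves claims which a user has provided consent for a given service provider.
 *
 * @param serviceProvider   Service provider to retrieve the consent against; must not be {@code null}.
 * @param authenticatedUser Authenticated user to related to consent claim retrieval.
 * @return List of claims which the user has provided consent for the given service provider; an empty
 *         list when no consent receipt exists for the user.
 * @throws SSOConsentServiceException  If the service provider is {@code null} or an error occurs while
 *                                     retrieving user consents.
 * @throws SSOConsentDisabledException If consent management for SSO is disabled for the service provider.
 */
@Override
public List<ClaimMetaData> getClaimsWithConsents(ServiceProvider serviceProvider, AuthenticatedUser authenticatedUser)
        throws SSOConsentServiceException {

    // Validate the argument before it is handed to isSSOConsentManagementEnabled(): the null guard used
    // to sit after that call, so it could only ever be reached if the enabled check tolerated null.
    if (serviceProvider == null) {
        throw new SSOConsentServiceException("Service provider cannot be null.");
    }
    if (!isSSOConsentManagementEnabled(serviceProvider)) {
        String message = "Consent management for SSO is disabled.";
        throw new SSOConsentDisabledException(message, message);
    }

    String spName = serviceProvider.getApplicationName();
    String spTenantDomain = getSPTenantDomain(serviceProvider);
    String subject = buildSubjectWithUserStoreDomain(authenticatedUser);

    Receipt receipt = getConsentReceiptOfUser(serviceProvider, authenticatedUser, spName, spTenantDomain, subject);
    if (receipt == null) {
        // No receipt stored for this user/SP pair: nothing has been consented to yet.
        return new ArrayList<>();
    }
    // 'true' selects the claims the user approved on the receipt.
    return getRequestedClaimsFromReceipt(receipt, true);
}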
use of org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.exception.SSOConsentDisabledException in project carbon-identity-framework by wso2.
the class SSOConsentServiceImpl method processConsent.
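/**
 * Persists the consent decision a user made on the consent page for a service provider.
 * When the decision contains neither approved nor disapproved claims nothing is stored.
 *
 * @param consentApprovedClaimIds IDs of the claims the user approved on the consent page.
 * @param serviceProvider         Service provider the consent is given to.
 * @param authenticatedUser       User who gave the consent.
 * @param consentClaimsData       Claims that were presented on the consent page.
 * @param overrideExistingConsent When {@code false} the decision is combined with the user's existing
 *                                consent receipt (see getUserRequestedClaims) before a new receipt is
 *                                added; when {@code true} only the new decision is recorded.
 * @throws SSOConsentServiceException  If storing the consent fails.
 * @throws SSOConsentDisabledException If consent management for SSO is disabled for the service provider.
 */
@Override
public void processConsent(List<Integer> consentApprovedClaimIds, ServiceProvider serviceProvider,
                           AuthenticatedUser authenticatedUser, ConsentClaimsData consentClaimsData,
                           boolean overrideExistingConsent) throws SSOConsentServiceException {

    if (!isSSOConsentManagementEnabled(serviceProvider)) {
        String message = "Consent management for SSO is disabled.";
        throw new SSOConsentDisabledException(message, message);
    }
    if (isDebugEnabled()) {
        logDebug("User: " + authenticatedUser.getAuthenticatedSubjectIdentifier() + " has approved consent.");
    }

    UserConsent userConsent = processUserConsent(consentApprovedClaimIds, consentClaimsData);
    if (isEmpty(userConsent.getApprovedClaims()) && isEmpty(userConsent.getDisapprovedClaims())) {
        if (isDebugEnabled()) {
            logDebug("User: " + authenticatedUser.getAuthenticatedSubjectIdentifier() + " has not provided new "
                    + "approved/disapproved consent. Hence skipping the consent progress.");
        }
        return;
    }

    String subject = buildSubjectWithUserStoreDomain(authenticatedUser);
    // Resolved once; the original computed it separately for the receipt lookup and for addReceipt().
    String spTenantDomain = getSPTenantDomain(serviceProvider);

    List<ClaimMetaData> claimsWithConsent;
    List<ClaimMetaData> claimsDeniedConsent;
    if (!overrideExistingConsent) {
        String spName = serviceProvider.getApplicationName();
        Receipt receipt = getConsentReceiptOfUser(serviceProvider, authenticatedUser, spName, spTenantDomain, subject);
        claimsWithConsent = getUserRequestedClaims(receipt, userConsent, true);
        claimsDeniedConsent = getUserRequestedClaims(receipt, userConsent, false);
    } else {
        claimsWithConsent = userConsent.getApprovedClaims();
        claimsDeniedConsent = userConsent.getDisapprovedClaims();
    }

    String subjectTenantDomain = authenticatedUser.getTenantDomain();
    if (isNotEmpty(claimsWithConsent) || isNotEmpty(claimsDeniedConsent)) {
        addReceipt(subject, subjectTenantDomain, serviceProvider, spTenantDomain, claimsWithConsent,
                claimsDeniedConsent);
    }
}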
use of org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.exception.SSOConsentDisabledException in project carbon-identity-framework by wso2.
the class ConsentMgtPostAuthnHandler method handlePostConsent.
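/**
 * Post-consent step: handles the user's answer from the consent page. On approval the approved claim
 * IDs are persisted through the SSO consent service and the disapproved claims are removed from the
 * context. Anything else – an explicit denial, or a request that carries no consent input at all –
 * fails the authentication.
 *
 * @param request  HTTP request carrying the consent form input ({@code USER_CONSENT_INPUT}).
 * @param response HTTP response (not used by this step).
 * @param context  Authentication context of the current flow.
 * @return {@code SUCCESS_COMPLETED} once the approved consent has been processed.
 * @throws PostAuthenticationFailedException If the user denied consent, the consent input is missing,
 *         consent management is disabled, or the consent service fails.
 */
protected PostAuthnHandlerFlowStatus handlePostConsent(HttpServletRequest request, HttpServletResponse response,
                                                        AuthenticationContext context)
        throws PostAuthenticationFailedException {

    AuthenticatedUser authenticatedUser = getAuthenticatedUser(context);
    ApplicationConfig applicationConfig = context.getSequenceConfig().getApplicationConfig();
    Map<String, String> claimMappings = applicationConfig.getClaimMappings();
    ServiceProvider serviceProvider = getServiceProvider(context);

    // The consent input is client-supplied and may be absent. Comparing constant-first treats a missing
    // parameter as "not approved" (fail closed) instead of raising a NullPointerException here.
    String consentInput = request.getParameter(USER_CONSENT_INPUT);
    if (!USER_CONSENT_APPROVE.equalsIgnoreCase(consentInput)) {
        String error = String.format("Authentication failed. User denied consent to share information with %s.",
                applicationConfig.getApplicationName());
        if (isDebugEnabled()) {
            logDebug(String.format("User: %s denied consent to share information with the service provider: %s.",
                    authenticatedUser.getAuthenticatedSubjectIdentifier(), applicationConfig.getApplicationName()));
        }
        throw new PostAuthenticationFailedException(error, error);
    }

    if (isDebugEnabled()) {
        String message = "User: %s has approved consent for service provider: %s in tenant domain %s.";
        message = String.format(message, authenticatedUser.getAuthenticatedSubjectIdentifier(),
                serviceProvider.getApplicationName(), getSPTenantDomain(serviceProvider));
        logDebug(message);
    }

    UserConsent userConsent = processUserConsent(request, context);
    ConsentClaimsData consentClaimsData = getConsentClaimsData(context, authenticatedUser, serviceProvider);
    // Remove the claims which don't have values given by the user.
    consentClaimsData.setRequestedClaims(removeConsentRequestedNullUserAttributes(
            consentClaimsData.getRequestedClaims(), authenticatedUser.getUserAttributes(), claimMappings));

    try {
        List<Integer> claimIdsWithConsent = getClaimIdsWithConsent(userConsent);
        getSSOConsentService().processConsent(claimIdsWithConsent, serviceProvider, authenticatedUser,
                consentClaimsData);
        removeDisapprovedClaims(context, authenticatedUser);
    } catch (SSOConsentDisabledException e) {
        // The pre-consent step would not have redirected here with consent disabled, so this is an
        // inconsistent state rather than a normal outcome; fail the authentication.
        String error = "Authentication Failure: Consent management is disabled for SSO.";
        String errorDesc = "Illegal operation. Consent management is disabled, but post authentication for "
                + "sso consent management is invoked.";
        throw new PostAuthenticationFailedException(error, errorDesc, e);
    } catch (SSOConsentServiceException e) {
        String error = "Error occurred while processing consent input of user: %s, for service provider: %s "
                + "in tenant domain: %s.";
        error = String.format(error, authenticatedUser.getAuthenticatedSubjectIdentifier(),
                serviceProvider.getApplicationName(), getSPTenantDomain(serviceProvider));
        throw new PostAuthenticationFailedException(
                "Authentication failed. Error while processing user consent input.", error, e);
    }
    return PostAuthnHandlerFlowStatus.SUCCESS_COMPLETED;
}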
use of org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.consent.exception.SSOConsentDisabledException in project carbon-identity-framework by wso2.
the class SSOConsentServiceImpl method getConsentRequiredClaims.
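/**
 * Get consent required claims for a given service from a user.
 * <p>
 * The service provider's claim mappings are split into mandatory and requested local claim URIs
 * (the subject claim is handled separately and only included when the server-level
 * {@code CONFIG_PROMPT_SUBJECT_CLAIM_REQUESTED_CONSENT} property allows it). When
 * {@code useExistingConsents} is set and the user already has a consent receipt for the service
 * provider, claims already consented to are dropped from both lists and requested claims that were
 * previously denied are not asked again; denied mandatory claims are still asked.
 *
 * @param serviceProvider     Service provider requesting consent; must not be {@code null}.
 * @param authenticatedUser   Authenticated user requesting consent form.
 * @param useExistingConsents Use existing consent given by the user.
 * @param claimsListOfScopes  Claims list of requested scopes; when non-null the claim mappings are
 *                            narrowed to the claims of those scopes.
 * @return ConsentClaimsData which contains mandatory and required claims for consent.
 * @throws SSOConsentServiceException  If the service provider is {@code null} or an error occurs while
 *                                     building claim information.
 * @throws SSOConsentDisabledException If consent management for SSO is disabled for the service provider.
 */
protected ConsentClaimsData getConsentRequiredClaims(ServiceProvider serviceProvider,
                                                     AuthenticatedUser authenticatedUser,
                                                     boolean useExistingConsents,
                                                     List<String> claimsListOfScopes)
        throws SSOConsentServiceException {

    // Validate the argument before it is handed to isSSOConsentManagementEnabled(): the null guard used
    // to sit after that call, so it could only ever be reached if the enabled check tolerated null.
    if (serviceProvider == null) {
        throw new SSOConsentServiceException("Service provider cannot be null.");
    }
    if (!isSSOConsentManagementEnabled(serviceProvider)) {
        String message = "Consent management for SSO is disabled.";
        throw new SSOConsentDisabledException(message, message);
    }

    String spName = serviceProvider.getApplicationName();
    String spTenantDomain = getSPTenantDomain(serviceProvider);
    String subject = buildSubjectWithUserStoreDomain(authenticatedUser);

    ClaimMapping[] claimMappings = getSpClaimMappings(serviceProvider);
    if (claimMappings == null || claimMappings.length == 0) {
        if (log.isDebugEnabled()) {
            log.debug("No claim mapping configured from the application. Hence skipping getting consent.");
        }
        return new ConsentClaimsData();
    }

    if (claimsListOfScopes != null) {
        try {
            claimMappings = FrameworkUtils.getFilteredScopeClaims(claimsListOfScopes, Arrays.asList(claimMappings),
                    serviceProvider.getOwner().getTenantDomain()).toArray(new ClaimMapping[0]);
        } catch (ClaimManagementException e) {
            SSOConsentServiceException wrapped =
                    new SSOConsentServiceException("Error occurred while filtering claims of requested scopes");
            // Retain the underlying failure for diagnostics (it used to be dropped). addSuppressed() is used
            // because it never throws, unlike initCause() if the constructor has already fixed the cause.
            wrapped.addSuppressed(e);
            throw wrapped;
        }
    }

    List<String> requestedClaims = new ArrayList<>();
    List<String> mandatoryClaims = new ArrayList<>();
    Map<ClaimMapping, String> userAttributes = authenticatedUser.getUserAttributes();
    String subjectClaimUri = getSubjectClaimUri(serviceProvider);
    boolean subjectClaimUriRequested = false;
    boolean subjectClaimUriMandatory = false;

    // Server-level switch for prompting consent on the subject claim itself; defaults to true when unset.
    boolean promptSubjectClaimRequestedConsent = true;
    String promptSubjectClaimConfig = IdentityUtil.getProperty(CONFIG_PROMPT_SUBJECT_CLAIM_REQUESTED_CONSENT);
    if (StringUtils.isNotBlank(promptSubjectClaimConfig)) {
        promptSubjectClaimRequestedConsent = Boolean.parseBoolean(promptSubjectClaimConfig);
    }

    if (isPassThroughScenario(claimMappings, userAttributes)) {
        // Pass-through: every user attribute except the subject claim and the separator marker is mandatory.
        for (Map.Entry<ClaimMapping, String> userAttribute : userAttributes.entrySet()) {
            String remoteClaimUri = userAttribute.getKey().getRemoteClaim().getClaimUri();
            if (subjectClaimUri.equals(remoteClaimUri)
                    || IdentityCoreConstants.MULTI_ATTRIBUTE_SEPARATOR.equals(remoteClaimUri)) {
                continue;
            }
            mandatoryClaims.add(remoteClaimUri);
        }
    } else {
        boolean isCustomClaimMapping = isCustomClaimMapping(serviceProvider);
        for (ClaimMapping claimMapping : claimMappings) {
            if (isCustomClaimMapping) {
                // With custom mappings the configured subject claim is a remote URI; translate it to the
                // local URI so it can be added to the consent lists below.
                if (subjectClaimUri.equals(claimMapping.getRemoteClaim().getClaimUri())) {
                    subjectClaimUri = claimMapping.getLocalClaim().getClaimUri();
                    if (promptSubjectClaimRequestedConsent) {
                        if (claimMapping.isMandatory()) {
                            subjectClaimUriMandatory = true;
                        } else if (claimMapping.isRequested()) {
                            subjectClaimUriRequested = true;
                        }
                    }
                    continue;
                }
            } else {
                if (subjectClaimUri.equals(claimMapping.getLocalClaim().getClaimUri())) {
                    if (promptSubjectClaimRequestedConsent) {
                        if (claimMapping.isMandatory()) {
                            subjectClaimUriMandatory = true;
                        } else if (claimMapping.isRequested()) {
                            subjectClaimUriRequested = true;
                        }
                    }
                    continue;
                }
            }
            if (claimMapping.isMandatory()) {
                mandatoryClaims.add(claimMapping.getLocalClaim().getClaimUri());
            } else if (claimMapping.isRequested()) {
                requestedClaims.add(claimMapping.getLocalClaim().getClaimUri());
            }
        }
    }

    if (promptSubjectClaimRequestedConsent) {
        if (subjectClaimUriMandatory) {
            mandatoryClaims.add(subjectClaimUri);
        } else if (subjectClaimUriRequested) {
            requestedClaims.add(subjectClaimUri);
        }
    }

    List<ClaimMetaData> receiptConsentMetaData = new ArrayList<>();
    List<ClaimMetaData> receiptConsentDeniedMetaData;
    Receipt receipt = getConsentReceiptOfUser(serviceProvider, authenticatedUser, spName, spTenantDomain, subject);
    if (useExistingConsents && receipt != null) {
        receiptConsentMetaData = getRequestedClaimsFromReceipt(receipt, true);
        List<String> claimsWithConsent = getClaimsFromConsentMetaData(receiptConsentMetaData);
        receiptConsentDeniedMetaData = getRequestedClaimsFromReceipt(receipt, false);
        List<String> claimsDeniedConsent = getClaimsFromConsentMetaData(receiptConsentDeniedMetaData);
        // Already-consented claims are not asked again. Previously denied claims are only skipped for
        // the requested list; a denied mandatory claim is deliberately prompted again.
        mandatoryClaims.removeAll(claimsWithConsent);
        requestedClaims.removeAll(claimsWithConsent);
        requestedClaims.removeAll(claimsDeniedConsent);
    }

    ConsentClaimsData consentClaimsData = getConsentRequiredClaimData(mandatoryClaims, requestedClaims, spTenantDomain);
    consentClaimsData.setClaimsWithConsent(receiptConsentMetaData);
    return consentClaimsData;
}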