
Example 1 with AuthenticationResult

use of org.wso2.carbon.identity.application.authentication.framework.model.AuthenticationResult in project carbon-identity-framework by wso2.

the class FrameworkUtils method addAuthenticationResultToCache.

/**
 * Stores an authentication result in the {@code AuthenticationResultCache} so that it can be looked up
 * later under the given key.
 *
 * <p>The entry's validity period is the operation clean-up timeout (read in minutes from
 * {@code IdentityUtil}) converted to nanoseconds. The stored result states whether a request was
 * authenticated, so anything that can present {@code key} can retrieve that outcome.
 * NOTE(review): confirm callers only pass keys that are unguessable and bound to one flow.
 *
 * @param key                  identifier the result is cached under
 * @param authenticationResult result object to cache
 */
public static void addAuthenticationResultToCache(String key, AuthenticationResult authenticationResult) {
    AuthenticationResultCacheKey resultKey = new AuthenticationResultCacheKey(key);

    AuthenticationResultCacheEntry resultEntry = new AuthenticationResultCacheEntry();
    resultEntry.setResult(authenticationResult);

    // The timeout is configured in minutes; the cache entry expects nanoseconds.
    long cleanUpTimeoutMinutes = IdentityUtil.getOperationCleanUpTimeout();
    resultEntry.setValidityPeriod(TimeUnit.MINUTES.toNanos(cleanUpTimeoutMinutes));

    AuthenticationResultCache resultCache = AuthenticationResultCache.getInstance();
    resultCache.addToCache(resultKey, resultEntry);
}
Also used : AuthenticationResultCacheEntry(org.wso2.carbon.identity.application.authentication.framework.cache.AuthenticationResultCacheEntry) AuthenticationResultCacheKey(org.wso2.carbon.identity.application.authentication.framework.cache.AuthenticationResultCacheKey)

Example 2 with AuthenticationResult

use of org.wso2.carbon.identity.application.authentication.framework.model.AuthenticationResult in project carbon-identity-framework by wso2.

the class DefaultAuthenticationRequestHandler method concludeFlow.

/**
 * Concludes the authentication flow and sends the response to the servlet that initiated it.
 *
 * <p>Builds the {@link AuthenticationResult} for the caller. When the request is authenticated it also
 * enforces the tenant check for non-SaaS applications, updates the existing session context (located via
 * the auth cookie) or creates a new one, and persists session details. The result is then handed back
 * either as a request attribute or through the authentication result cache, keyed by the caller session key.
 *
 * @param request  servlet request; read for the auth cookie and used to carry the result in the
 *                 cache-disabled case
 * @param response servlet response the auth cookie and the final response are written to
 * @param context  authentication context of the flow being concluded
 * @throws FrameworkException if a non-SaaS application is accessed by a user from a different tenant domain,
 *                            or if session details cannot be stored; helpers called here may raise it too
 */
protected void concludeFlow(HttpServletRequest request, HttpServletResponse response, AuthenticationContext context) throws FrameworkException {
    if (log.isDebugEnabled()) {
        log.debug("Concluding the Authentication Flow");
    }
    SequenceConfig sequenceConfig = context.getSequenceConfig();
    sequenceConfig.setCompleted(false);
    AuthenticationResult authenticationResult = new AuthenticationResult();
    boolean isAuthenticated = context.isRequestAuthenticated();
    authenticationResult.setAuthenticated(isAuthenticated);
    String authenticatedUserTenantDomain = getAuthenticatedUserTenantDomain(context, authenticationResult);
    authenticationResult.setSaaSApp(sequenceConfig.getApplicationConfig().isSaaSApp());
    if (isAuthenticated) {
        // Tenant isolation: a non-SaaS application only accepts users from the service provider's own tenant.
        if (!sequenceConfig.getApplicationConfig().isSaaSApp()) {
            String spTenantDomain = context.getTenantDomain();
            String userTenantDomain = sequenceConfig.getAuthenticatedUser().getTenantDomain();
            // NOTE(review): the comparison is skipped when either tenant domain is empty, so an empty
            // value passes this check - confirm both are always populated before this point.
            if (StringUtils.isNotEmpty(userTenantDomain)) {
                if (StringUtils.isNotEmpty(spTenantDomain) && !spTenantDomain.equals(userTenantDomain)) {
                    throw new FrameworkException("Service Provider tenant domain must be equal to user tenant " + "domain for non-SaaS applications");
                }
            }
        }
        // The result carries a copy of the authenticated user, built via AuthenticatedUser's copy constructor.
        authenticationResult.setSubject(new AuthenticatedUser(sequenceConfig.getAuthenticatedUser()));
        ApplicationConfig appConfig = sequenceConfig.getApplicationConfig();
        // The list of authenticated IdPs is only disclosed to the caller when the SP is configured for it.
        if (appConfig.getServiceProvider().getLocalAndOutBoundAuthenticationConfig().isAlwaysSendBackAuthenticatedListOfIdPs()) {
            authenticationResult.setAuthenticatedIdPs(sequenceConfig.getAuthenticatedIdPs());
        }
        // SessionContext is retained across different SP requests in the same browser session.
        // It is tracked by a cookie.
        SessionContext sessionContext = null;
        String commonAuthCookie = null;
        String sessionContextKey = null;
        String analyticsSessionAction = null;
        // When getting the cookie, it will not give the path. When paths are tenant qualified, it will only give
        // the cookies matching that path.
        Cookie authCookie = FrameworkUtils.getAuthCookie(request);
        // Force authentication requires the creation of a new session. Therefore skip using the existing session
        if (authCookie != null && !context.isForceAuthenticate()) {
            commonAuthCookie = authCookie.getValue();
            if (commonAuthCookie != null) {
                // The session is looked up by the SHA-256 hex digest of the cookie value, so the raw cookie
                // value itself is never used as the cache key.
                sessionContextKey = DigestUtils.sha256Hex(commonAuthCookie);
                sessionContext = FrameworkUtils.getSessionContextFromCache(sessionContextKey, context.getLoginTenantDomain());
            }
        }
        String applicationTenantDomain = getApplicationTenantDomain(context);
        // Session context may be null when the cache has expired; in that case a new session and cookie are created.
        if (sessionContext != null) {
            // Existing session: merge this application's sequence and the newly authenticated IdPs into it.
            analyticsSessionAction = FrameworkConstants.AnalyticsAttributes.SESSION_UPDATE;
            sessionContext.getAuthenticatedSequences().put(appConfig.getApplicationName(), sequenceConfig);
            sessionContext.getAuthenticatedIdPs().putAll(context.getCurrentAuthenticatedIdPs());
            if (!context.isPassiveAuthenticate()) {
                setAuthenticatedIDPsOfApp(sessionContext, context.getCurrentAuthenticatedIdPs(), appConfig.getApplicationName());
            }
            sessionContext.getSessionAuthHistory().resetHistory(AuthHistory.merge(sessionContext.getSessionAuthHistory().getHistory(), context.getAuthenticationStepHistory()));
            populateAuthenticationContextHistory(authenticationResult, context, sessionContext);
            long updatedSessionTime = System.currentTimeMillis();
            if (!context.isPreviousAuthTime()) {
                sessionContext.addProperty(FrameworkConstants.UPDATED_TIMESTAMP, updatedSessionTime);
            }
            // The session id exposed on the result is the hashed key, not the raw cookie value.
            authenticationResult.addProperty(FrameworkConstants.AnalyticsAttributes.SESSION_ID, sessionContextKey);
            List<AuthenticationContextProperty> authenticationContextProperties = new ArrayList<>();
            // Authentication context properties from already authenticated IdPs: keep only those whose IdP
            // name matches the authenticated IdP of a step in the current sequence.
            if (sessionContext.getProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES) != null) {
                List<AuthenticationContextProperty> existingAuthenticationContextProperties = (List<AuthenticationContextProperty>) sessionContext.getProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES);
                for (AuthenticationContextProperty contextProperty : existingAuthenticationContextProperties) {
                    for (StepConfig stepConfig : context.getSequenceConfig().getStepMap().values()) {
                        // NOTE(review): throws NullPointerException if getAuthenticatedIdP() returns null for
                        // a step - confirm every step in the map has an authenticated IdP here.
                        if (stepConfig.getAuthenticatedIdP().equals(contextProperty.getIdPName())) {
                            authenticationContextProperties.add(contextProperty);
                            break;
                        }
                    }
                }
            }
            Long createdTime = (Long) sessionContext.getProperty(FrameworkConstants.CREATED_TIMESTAMP);
            if (createdTime != null) {
                authenticationResult.addProperty(FrameworkConstants.CREATED_TIMESTAMP, createdTime);
            }
            // Authentication context properties received from newly authenticated IdPs
            if (context.getProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES) != null) {
                authenticationContextProperties.addAll((List<AuthenticationContextProperty>) context.getProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES));
                if (sessionContext.getProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES) == null) {
                    sessionContext.addProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES, authenticationContextProperties);
                } else {
                    // The session already holds a list: append the new properties to that list in place.
                    List<AuthenticationContextProperty> existingAuthenticationContextProperties = (List<AuthenticationContextProperty>) sessionContext.getProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES);
                    existingAuthenticationContextProperties.addAll((List<AuthenticationContextProperty>) context.getProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES));
                }
            }
            if (!authenticationContextProperties.isEmpty()) {
                if (log.isDebugEnabled()) {
                    log.debug("AuthenticationContextProperties are available.");
                }
                authenticationResult.addProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES, authenticationContextProperties);
            }
            FrameworkUtils.updateSessionLastAccessTimeMetadata(sessionContextKey, updatedSessionTime);
            /*
                 * In the default configuration, the expiry time of the commonAuthCookie is fixed when rememberMe
                 * option is selected. With this config, the expiry time will increase at every authentication.
                 * The cookie is re-issued with the same value, so the session identifier itself does not change.
                 */
            if (sessionContext.isRememberMe() && Boolean.parseBoolean(IdentityUtil.getProperty(IdentityConstants.ServerConfig.EXTEND_REMEMBER_ME_SESSION_ON_AUTH))) {
                context.setRememberMe(sessionContext.isRememberMe());
                setAuthCookie(request, response, context, commonAuthCookie, applicationTenantDomain);
            }
            if (context.getRuntimeClaims().size() > 0) {
                sessionContext.addProperty(FrameworkConstants.RUNTIME_CLAIMS, context.getRuntimeClaims());
            }
            handleSessionContextUpdate(context.getRequestType(), sessionContextKey, sessionContext, request, response, context);
            // TODO add to cache?
            // Store again; this may be needed when a replicated cache is used.
            FrameworkUtils.addSessionContextToCache(sessionContextKey, sessionContext, applicationTenantDomain, context.getLoginTenantDomain());
        } else {
            // No usable session (no cookie, forced authentication, or cache miss): create a new one.
            analyticsSessionAction = FrameworkConstants.AnalyticsAttributes.SESSION_CREATE;
            sessionContext = new SessionContext();
            // To identify first login
            context.setProperty(FrameworkConstants.AnalyticsAttributes.IS_INITIAL_LOGIN, true);
            sessionContext.getAuthenticatedSequences().put(appConfig.getApplicationName(), sequenceConfig);
            sessionContext.setAuthenticatedIdPs(context.getCurrentAuthenticatedIdPs());
            setAuthenticatedIDPsOfApp(sessionContext, context.getCurrentAuthenticatedIdPs(), appConfig.getApplicationName());
            sessionContext.setRememberMe(context.isRememberMe());
            if (context.getProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES) != null) {
                if (log.isDebugEnabled()) {
                    log.debug("AuthenticationContextProperties are available.");
                }
                authenticationResult.addProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES, context.getProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES));
                // Add to session context
                sessionContext.addProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES, context.getProperty(FrameworkConstants.AUTHENTICATION_CONTEXT_PROPERTIES));
            }
            // The raw sessionKey goes into the cookie (setAuthCookie below); only its SHA-256 hex digest is
            // used as the server-side key for the cache and stores.
            // NOTE(review): the unpredictability of the cookie value rests on UUIDGenerator.generateUUID() -
            // confirm it draws from a cryptographically secure random source.
            String sessionKey = UUIDGenerator.generateUUID();
            sessionContextKey = DigestUtils.sha256Hex(sessionKey);
            sessionContext.addProperty(FrameworkConstants.AUTHENTICATED_USER, authenticationResult.getSubject());
            sessionContext.addProperty(FrameworkUtils.TENANT_DOMAIN, context.getLoginTenantDomain());
            Long createdTimeMillis = System.currentTimeMillis();
            sessionContext.addProperty(FrameworkConstants.CREATED_TIMESTAMP, createdTimeMillis);
            authenticationResult.addProperty(FrameworkConstants.CREATED_TIMESTAMP, createdTimeMillis);
            authenticationResult.addProperty(FrameworkConstants.AnalyticsAttributes.SESSION_ID, sessionContextKey);
            sessionContext.getSessionAuthHistory().resetHistory(AuthHistory.merge(sessionContext.getSessionAuthHistory().getHistory(), context.getAuthenticationStepHistory()));
            populateAuthenticationContextHistory(authenticationResult, context, sessionContext);
            if (context.getRuntimeClaims().size() > 0) {
                sessionContext.addProperty(FrameworkConstants.RUNTIME_CLAIMS, context.getRuntimeClaims());
            }
            handleInboundSessionCreate(context.getRequestType(), sessionContextKey, sessionContext, request, response, context);
            FrameworkUtils.addSessionContextToCache(sessionContextKey, sessionContext, applicationTenantDomain, context.getLoginTenantDomain());
            setAuthCookie(request, response, context, sessionKey, applicationTenantDomain);
            if (FrameworkServiceDataHolder.getInstance().isUserSessionMappingEnabled()) {
                // Best effort: a failure to store session metadata is logged and the login still proceeds.
                try {
                    storeSessionMetaData(sessionContextKey, request);
                } catch (UserSessionException e) {
                    log.error("Storing session meta data failed.", e);
                }
            }
        }
        // NOTE(review): the value returned by getTenantDomain() is discarded, so this block has no visible
        // effect on authenticatedUserTenantDomain - an assignment was probably intended; confirm.
        if (authenticatedUserTenantDomain == null) {
            PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain();
        }
        if (FrameworkServiceDataHolder.getInstance().isUserSessionMappingEnabled()) {
            // Unlike the metadata above, failing to store the user-to-session mapping aborts the flow.
            try {
                storeSessionData(context, sessionContextKey);
            } catch (UserSessionException e) {
                throw new FrameworkException("Error while storing session details of the authenticated user to " + "the database", e);
            }
        }
        // Store the federated IdP session index against the session context key for single logout.
        if (context.getAuthenticationStepHistory() != null) {
            UserSessionStore userSessionStore = UserSessionStore.getInstance();
            for (AuthHistory authHistory : context.getAuthenticationStepHistory()) {
                if (StringUtils.isNotBlank(authHistory.getIdpSessionIndex()) && StringUtils.isNotBlank(authHistory.getIdpName())) {
                    try {
                        if (!userSessionStore.hasExistingFederatedAuthSession(authHistory.getIdpSessionIndex())) {
                            userSessionStore.storeFederatedAuthSessionInfo(sessionContextKey, authHistory);
                        } else {
                            // An entry for this IdP session index already exists: re-point it at this session key.
                            if (log.isDebugEnabled()) {
                                log.debug(String.format("Federated auth session with the id: %s already exists", authHistory.getIdpSessionIndex()));
                            }
                            userSessionStore.updateFederatedAuthSessionInfo(sessionContextKey, authHistory);
                        }
                    } catch (UserSessionException e) {
                        throw new FrameworkException("Error while storing federated authentication session details " + "of the authenticated user to the database", e);
                    }
                }
            }
        }
        FrameworkUtils.publishSessionEvent(sessionContextKey, request, context, sessionContext, sequenceConfig.getAuthenticatedUser(), analyticsSessionAction);
        publishAuthenticationSuccess(request, context, sequenceConfig.getAuthenticatedUser());
    }
    // Authenticators used in multi-step scenarios (e.g. FIDO) that have caching disabled: when the response
    // is a CommonAuthResponseWrapper not wrapped by the framework, the result is passed on the request itself.
    if (FrameworkUtils.getCacheDisabledAuthenticators().contains(context.getRequestType()) && (response instanceof CommonAuthResponseWrapper) && !((CommonAuthResponseWrapper) response).isWrappedByFramework()) {
        // Set the result as request attribute
        request.setAttribute("sessionDataKey", context.getCallerSessionKey());
        addAuthenticationResultToRequest(request, authenticationResult);
    } else {
        // Default path: the caller retrieves the result from the cache using its session key.
        FrameworkUtils.addAuthenticationResultToCache(context.getCallerSessionKey(), authenticationResult);
    }
    /*
         * TODO Cache retaining is a temporary fix. Remove after Google fixes
         * http://code.google.com/p/gdata-issues/issues/detail?id=6628
         *
         * When the "retainCache" system property is set (to any value), the authentication context is left
         * in the cache after the flow has concluded instead of being removed here.
         */
    String retainCache = System.getProperty("retainCache");
    if (retainCache == null) {
        FrameworkUtils.removeAuthenticationContextFromCache(context.getContextIdentifier());
    }
    sendResponse(request, response, context);
}
Also used : SessionNonceCookieUtil.removeNonceCookie(org.wso2.carbon.identity.application.authentication.framework.util.SessionNonceCookieUtil.removeNonceCookie) SessionNonceCookieUtil.addNonceCookie(org.wso2.carbon.identity.application.authentication.framework.util.SessionNonceCookieUtil.addNonceCookie) SessionNonceCookieUtil.validateNonceCookie(org.wso2.carbon.identity.application.authentication.framework.util.SessionNonceCookieUtil.validateNonceCookie) Cookie(javax.servlet.http.Cookie) FrameworkException(org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException) UserSessionStore(org.wso2.carbon.identity.application.authentication.framework.store.UserSessionStore) ArrayList(java.util.ArrayList) StepConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.StepConfig) AuthenticatedUser(org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser) UserSessionException(org.wso2.carbon.identity.application.authentication.framework.exception.UserSessionException) AuthenticationResult(org.wso2.carbon.identity.application.authentication.framework.model.AuthenticationResult) ApplicationConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.ApplicationConfig) SessionContext(org.wso2.carbon.identity.application.authentication.framework.context.SessionContext) SequenceConfig(org.wso2.carbon.identity.application.authentication.framework.config.model.SequenceConfig) List(java.util.List) ArrayList(java.util.ArrayList) AuthHistory(org.wso2.carbon.identity.application.authentication.framework.context.AuthHistory) AuthenticationContextProperty(org.wso2.carbon.identity.application.authentication.framework.model.AuthenticationContextProperty) CommonAuthResponseWrapper(org.wso2.carbon.identity.application.authentication.framework.model.CommonAuthResponseWrapper)

Example 3 with AuthenticationResult

use of org.wso2.carbon.identity.application.authentication.framework.model.AuthenticationResult in project carbon-identity-framework by wso2.

the class GraphBasedSequenceHandler method displayPrompt.

/**
 * Redirects the browser to the authentication endpoint's prompt page for the given prompt node and marks
 * the request as handled by the framework with an incomplete flow status.
 *
 * @param context    authentication context; supplies the tenant domain and the context identifier that is
 *                   sent as {@code promptId}
 * @param request    servlet request that receives the result and flow-status attributes
 * @param response   servlet response used for the redirect
 * @param promptNode prompt node providing the template id and optional endpoint data
 * @throws FrameworkException if the template id cannot be encoded or the redirect fails
 */
private void displayPrompt(AuthenticationContext context, HttpServletRequest request, HttpServletResponse response, ShowPromptNode promptNode) throws FrameworkException {
    try {
        String promptUrl = ConfigurationFacade.getInstance().getAuthenticationEndpointPromptURL();

        // Without tenant-qualified URLs the tenant has to travel as a query parameter.
        // NOTE(review): only templateId is URL-encoded; tenantDomain and promptId are appended as-is -
        // confirm neither can contain characters that are significant in a query string.
        if (!IdentityTenantUtil.isTenantQualifiedUrlsEnabled()) {
            promptUrl = FrameworkUtils.appendQueryParamsStringToUrl(promptUrl, "tenantDomain=" + context.getTenantDomain());
        }

        String promptQuery = "templateId=" + URLEncoder.encode(promptNode.getTemplateId(), StandardCharsets.UTF_8.name()) + "&promptId=" + context.getContextIdentifier();
        String redirectUrl = FrameworkUtils.appendQueryParamsStringToUrl(promptUrl, promptQuery);

        // Prompt data is kept server-side on the context rather than placed in the redirect URL.
        if (promptNode.getData() != null) {
            context.addEndpointParams(promptNode.getData());
        }

        response.sendRedirect(redirectUrl);

        // The attributes are only set once the redirect has been issued successfully.
        request.setAttribute(FrameworkConstants.RequestAttribute.AUTH_RESULT, new AuthenticationResult());
        request.setAttribute(RESPONSE_HANDLED_BY_FRAMEWORK, Boolean.TRUE);
        request.setAttribute(FrameworkConstants.RequestParams.FLOW_STATUS, AuthenticatorFlowStatus.INCOMPLETE);
    } catch (UnsupportedEncodingException encodingFailure) {
        // NOTE(review): the context identifier is concatenated directly after "key" with no separator and
        // ends up in the exception message - confirm it is acceptable for this value to reach logs.
        throw new FrameworkException("Error while encoding the data to send to prompt page with session data key" + context.getContextIdentifier(), encodingFailure);
    } catch (IOException redirectFailure) {
        throw new FrameworkException("Error while redirecting the user for prompt page with session data key" + context.getContextIdentifier(), redirectFailure);
    }
}
Also used : FrameworkException(org.wso2.carbon.identity.application.authentication.framework.exception.FrameworkException) UnsupportedEncodingException(java.io.UnsupportedEncodingException) IOException(java.io.IOException) AuthenticationResult(org.wso2.carbon.identity.application.authentication.framework.model.AuthenticationResult)

Example 4 with AuthenticationResult

use of org.wso2.carbon.identity.application.authentication.framework.model.AuthenticationResult in project carbon-identity-framework by wso2.

the class IdentityUserNameResolverListener method doPostAuthenticateWithID.

/**
 * Relays a successful login-identifier based authentication to the user store manager listeners that are
 * not resolver listeners, using the username taken from the authentication result.
 *
 * <p>NOTE(review): when the status is not SUCCESS this method returns {@code true} without calling any
 * listener, so failed attempts are not forwarded on this path - confirm that is intended.
 *
 * @param loginIdentifiers     login identifiers of the attempt (not read here)
 * @param authenticationResult outcome of the authentication
 * @param userStoreManager     user store manager passed through to the listeners
 * @return {@code false} as soon as one listener's {@code doPostAuthenticate} returns {@code false};
 *         {@code true} otherwise, including when this listener is disabled or authentication did not succeed
 * @throws UserStoreException declared by the listener contract
 */
@Override
public boolean doPostAuthenticateWithID(List<LoginIdentifier> loginIdentifiers, AuthenticationResult authenticationResult, UserStoreManager userStoreManager) throws UserStoreException {
    if (!isEnable()) {
        return true;
    }

    boolean authenticated = AuthenticationResult.AuthenticationStatus.SUCCESS == authenticationResult.getAuthenticationStatus();
    if (!authenticated) {
        return true;
    }

    // Optional.get() is unchecked: a SUCCESS result is expected to carry an authenticated user.
    String resolvedUserName = authenticationResult.getAuthenticatedUser().get().getUsername();

    for (UserOperationEventListener candidate : getUserStoreManagerListeners()) {
        if (!isNotAResolverListener(candidate)) {
            continue;
        }
        boolean proceed = candidate.doPostAuthenticate(resolvedUserName, authenticated, userStoreManager);
        if (!proceed) {
            return false;
        }
    }
    return true;
}
Also used : UserOperationEventListener(org.wso2.carbon.user.core.listener.UserOperationEventListener) AbstractIdentityUserOperationEventListener(org.wso2.carbon.identity.core.AbstractIdentityUserOperationEventListener)

Example 5 with AuthenticationResult

use of org.wso2.carbon.identity.application.authentication.framework.model.AuthenticationResult in project carbon-identity-framework by wso2.

the class IdentityUserNameResolverListener method doPostAuthenticateWithID.

/**
 * Relays the outcome of a user-ID based authentication to the user store manager listeners that are not
 * resolver listeners.
 *
 * <p>On success the username comes from the authentication result; otherwise it is resolved from
 * {@code userID}, and the listeners are still called with {@code authenticated == false}.
 *
 * @param userID               id of the user the attempt was made for
 * @param authenticationResult outcome of the authentication
 * @param userStoreManager     user store manager; cast to {@code AbstractUserStoreManager} when the
 *                             username has to be resolved from the id
 * @return {@code false} as soon as one listener's {@code doPostAuthenticate} returns {@code false};
 *         {@code true} otherwise, including when this listener is disabled
 * @throws UserStoreException declared by the listener contract
 */
@Override
public boolean doPostAuthenticateWithID(String userID, AuthenticationResult authenticationResult, UserStoreManager userStoreManager) throws UserStoreException {
    if (!isEnable()) {
        return true;
    }

    boolean authenticated = AuthenticationResult.AuthenticationStatus.SUCCESS == authenticationResult.getAuthenticationStatus();

    // Optional.get() is unchecked: a SUCCESS result is expected to carry an authenticated user.
    String resolvedUserName = authenticated
            ? authenticationResult.getAuthenticatedUser().get().getUsername()
            : getUserNameFromUserID(userID, (AbstractUserStoreManager) userStoreManager);

    for (UserOperationEventListener candidate : getUserStoreManagerListeners()) {
        if (!isNotAResolverListener(candidate)) {
            continue;
        }
        boolean proceed = candidate.doPostAuthenticate(resolvedUserName, authenticated, userStoreManager);
        if (!proceed) {
            return false;
        }
    }
    return true;
}
Also used : UserOperationEventListener(org.wso2.carbon.user.core.listener.UserOperationEventListener) AbstractIdentityUserOperationEventListener(org.wso2.carbon.identity.core.AbstractIdentityUserOperationEventListener) AbstractUserStoreManager(org.wso2.carbon.user.core.common.AbstractUserStoreManager)

Aggregations

AuthenticationResult (org.wso2.carbon.identity.application.authentication.framework.model.AuthenticationResult)15 PrepareForTest (org.powermock.core.classloader.annotations.PrepareForTest)8 Test (org.testng.annotations.Test)8 AuthenticatedUser (org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser)7 AuthenticationResult (org.wso2.carbon.user.core.common.AuthenticationResult)6 AuthenticationResultCacheEntry (org.wso2.carbon.identity.application.authentication.framework.cache.AuthenticationResultCacheEntry)5 OAuth2Parameters (org.wso2.carbon.identity.oauth2.model.OAuth2Parameters)5 HashMap (java.util.HashMap)4 ConcurrentHashMap (java.util.concurrent.ConcurrentHashMap)4 AfterTest (org.testng.annotations.AfterTest)4 BeforeTest (org.testng.annotations.BeforeTest)4 RequestObject (org.wso2.carbon.identity.openidconnect.model.RequestObject)4 HttpServletResponse (javax.servlet.http.HttpServletResponse)3 MultivaluedHashMap (javax.ws.rs.core.MultivaluedHashMap)3 Response (javax.ws.rs.core.Response)3 OAuthResponse (org.apache.oltu.oauth2.common.message.OAuthResponse)3 Matchers.anyString (org.mockito.Matchers.anyString)3 CommonAuthResponseWrapper (org.wso2.carbon.identity.application.authentication.framework.model.CommonAuthResponseWrapper)3 AbstractIdentityUserOperationEventListener (org.wso2.carbon.identity.core.AbstractIdentityUserOperationEventListener)3 ResolvedUserResult (org.wso2.carbon.identity.multi.attribute.login.mgt.ResolvedUserResult)3