
Example 71 with ClaimMapping

use of org.wso2.carbon.identity.application.common.model.xsd.ClaimMapping in project identity-inbound-auth-oauth by wso2-extensions.

the class SAML2BearerGrantHandlerTest method buildAuthnReqDTO.

/**
 * Builds a SAML SSO authentication request DTO for a federated user.
 *
 * @param attributes   remote claim URI -> value pairs to attach to the user
 * @param nameIDFormat NameID format set on the DTO
 * @param issuer       issuer set on the DTO
 * @param subjectName  subject identifier the federated user is created from
 * @return the populated DTO
 */
private SAMLSSOAuthnReqDTO buildAuthnReqDTO(Map<String, String> attributes, String nameIDFormat, String issuer, String subjectName) {
    SAMLSSOAuthnReqDTO dto = new SAMLSSOAuthnReqDTO();
    dto.setUser(AuthenticatedUser.createFederateAuthenticatedUserFromSubjectIdentifier(subjectName));
    dto.setNameIDFormat(nameIDFormat);
    dto.setIssuer(issuer);
    // Every plain attribute key is wrapped into a ClaimMapping before it is attached to the user.
    Map<ClaimMapping, String> mappedAttributes = new HashMap<>();
    attributes.forEach((remoteClaimUri, value) -> mappedAttributes.put(buildClaimMapping(remoteClaimUri), value));
    dto.getUser().setUserAttributes(mappedAttributes);
    return dto;
}

Example 72 with ClaimMapping

use of org.wso2.carbon.identity.application.common.model.xsd.ClaimMapping in project identity-inbound-auth-oauth by wso2-extensions.

the class DefaultOIDCClaimsCallbackHandlerTest method testHandleCustomClaimsWithOAuthTokenReqMsgCtxtAddressClaim.

/**
 * Verifies that a set of requested address-related local claims is folded into the
 * {@code ADDRESS} claim of the resulting JWT claim set for a local user.
 */
@Test
public void testHandleCustomClaimsWithOAuthTokenReqMsgCtxtAddressClaim() throws Exception {
    // The SP requests four local claims; all but the street are mapped under the ADDRESS claim.
    ClaimMapping[] requestedMappings = new ClaimMapping[] {
            ClaimMapping.build(LOCAL_COUNTRY_CLAIM_URI, ADDRESS, "", true),
            ClaimMapping.build(LOCAL_STREET_CLAIM_URI, STREET, "", true),
            ClaimMapping.build(LOCAL_PROVINCE_CLAIM_URI, PROVINCE, "", true),
            ClaimMapping.build(LOCAL_ADDRESS_CLAIM_URI, ADDRESS, "", true)
    };
    mockApplicationManagementService(getSpWithRequestedClaimsMappings(requestedMappings));

    // Claim values the user store will answer with for the local user.
    Map<String, String> storedClaims = new HashMap<>();
    storedClaims.put(LOCAL_COUNTRY_CLAIM_URI, "Sri Lanka");
    storedClaims.put(LOCAL_STREET_CLAIM_URI, "Lily Avenue");
    storedClaims.put(LOCAL_PROVINCE_CLAIM_URI, "Western");
    storedClaims.put(LOCAL_ADDRESS_CLAIM_URI, "matara");

    OAuthTokenReqMessageContext requestMsgCtx = getTokenReqMessageContextForLocalUser();
    UserRealm userRealm = getUserRealmWithUserClaims(storedClaims);
    mockUserRealm(requestMsgCtx.getAuthorizedUser().toString(), userRealm);
    mockClaimHandler();

    JWTClaimsSet jwtClaimsSet = getJwtClaimSet(new JWTClaimsSet.Builder(), requestMsgCtx);
    assertNotNull(jwtClaimsSet);
    assertNotNull(jwtClaimsSet.getClaim(ADDRESS));
}

Example 73 with ClaimMapping

use of org.wso2.carbon.identity.application.common.model.xsd.ClaimMapping in project identity-inbound-auth-oauth by wso2-extensions.

the class ClaimsUtil method handleClaimMapping.

/**
 * Handle claims from identity provider based on claim configurations.
 * <p>
 * Outcome by configuration:
 * <ul>
 * <li>Original claims are not to be converted to the OIDC dialect: the incoming attributes are
 * returned untouched and the "has non-OIDC claims" property is set on the context.</li>
 * <li>IDP claim mappings exist and the SP requests claims: attributes are mapped through the IDP
 * mappings, converted to the OIDC dialect, and unmapped attributes are handled afterwards.</li>
 * <li>IDP claim mappings exist but the SP requests no claims: an empty map is returned (no mapping
 * can be performed).</li>
 * <li>No IDP claim mappings: attributes are treated as local claims and either converted via the
 * SP mappings, or proxied as-is (with the "has non-OIDC claims" property set) when the SP requests
 * no claims.</li>
 * </ul>
 * Claim values are written to the debug log only when user claims are configured as loggable.
 *
 * @param identityProvider Identity Provider
 * @param attributes       Relevant Claims coming from IDP
 * @param tenantDomain     Tenant Domain.
 * @param tokenReqMsgCtx   Token request message context.
 * @return mapped local claims.
 * @throws IdentityException                      if the IDP level claim handling fails.
 * @throws IdentityApplicationManagementException if the service provider or its claim configuration cannot be resolved.
 */
public static Map<String, String> handleClaimMapping(IdentityProvider identityProvider, Map<String, String> attributes, String tenantDomain, OAuthTokenReqMessageContext tokenReqMsgCtx) throws IdentityException, IdentityApplicationManagementException {
    // Proxy mode: hand the assertion's claims through without any dialect conversion.
    boolean proxyUserAttributes = !OAuthServerConfiguration.getInstance().isConvertOriginalClaimsFromAssertionsToOIDCDialect();
    if (proxyUserAttributes) {
        setHasNonOIDCClaimsProperty(tokenReqMsgCtx);
        return attributes;
    }
    ClaimMapping[] idPClaimMappings = identityProvider.getClaimConfig().getClaimMappings();
    Map<String, String> claimsAfterIdpMapping;
    // Stays empty when IDP mappings exist but the SP requests no claims (see the else branch below).
    Map<String, String> claimsAfterSPMapping = new HashMap<>();
    ServiceProvider serviceProvider = getServiceProvider(tokenReqMsgCtx);
    if (ArrayUtils.isNotEmpty(idPClaimMappings)) {
        if (log.isDebugEnabled()) {
            log.debug("Claim mappings exist for identity provider " + identityProvider.getIdentityProviderName());
        }
        claimsAfterIdpMapping = handleClaimsForIDP(attributes, tenantDomain, identityProvider, false, idPClaimMappings);
        // Claim values are sensitive; only log them when explicitly enabled by configuration.
        if (isUserClaimsInTokenLoggable()) {
            if (log.isDebugEnabled()) {
                log.debug("Claims of user : " + tokenReqMsgCtx.getAuthorizedUser() + " after IDP " + " claim mapping " + claimsAfterIdpMapping.toString());
            }
        }
        if (isSPRequestedClaimsExist(tokenReqMsgCtx)) {
            claimsAfterSPMapping = ClaimsUtil.convertClaimsToOIDCDialect(tokenReqMsgCtx, claimsAfterIdpMapping);
            // Attributes that neither mapping layer covered are added back by this step.
            claimsAfterSPMapping = handleUnMappedClaims(tokenReqMsgCtx, attributes, claimsAfterSPMapping, idPClaimMappings);
        } else {
            // No SP requested claims: claimsAfterSPMapping is left empty and returned as such.
            if (isUserClaimsInTokenLoggable()) {
                if (log.isDebugEnabled()) {
                    log.debug("IDP claims exists, SP claims does not exist, for the identity provider " + identityProvider.getIdentityProviderName() + ", service provider " + serviceProvider.getApplicationName() + ", hence cannot do claim mapping");
                }
            }
        }
    } else {
        // Without IDP mappings the incoming attributes are taken as local claims.
        claimsAfterIdpMapping = attributes;
        if (isUserClaimsInTokenLoggable()) {
            if (log.isDebugEnabled()) {
                log.debug("IDP claims do not exist for, identity provider, " + identityProvider.getIdentityProviderName() + ", hence directly copying custom claims, " + claimsAfterIdpMapping.toString());
            }
        }
        if (isSPRequestedClaimsExist(tokenReqMsgCtx)) {
            claimsAfterSPMapping = ClaimsUtil.convertClaimsToOIDCDialect(tokenReqMsgCtx, claimsAfterIdpMapping);
            if (isUserClaimsInTokenLoggable()) {
                if (log.isDebugEnabled()) {
                    log.debug("IDP claims do not exist but SP Claim mappings exists for, identity provider, " + identityProvider.getIdentityProviderName() + ", and Service Provider, " + serviceProvider.getApplicationName() + ", claims after SP mapping, " + claimsAfterSPMapping.toString());
                }
            }
            claimsAfterSPMapping = handleUnMappedClaims(tokenReqMsgCtx, attributes, claimsAfterSPMapping, idPClaimMappings);
        } else {
            // Neither layer has mappings: proxy the attributes and flag them as non-OIDC.
            setHasNonOIDCClaimsProperty(tokenReqMsgCtx);
            claimsAfterSPMapping = attributes;
            if (isUserClaimsInTokenLoggable()) {
                if (log.isDebugEnabled()) {
                    log.debug("IDP claims and SP Claim mappings do not exists for, identity provider, " + identityProvider.getIdentityProviderName() + ", and Service Provider, " + serviceProvider.getApplicationName() + ", hence claims are proxied, " + claimsAfterSPMapping.toString());
                }
            }
        }
    }
    return claimsAfterSPMapping;
}

Example 74 with ClaimMapping

use of org.wso2.carbon.identity.application.common.model.xsd.ClaimMapping in project identity-inbound-auth-oauth by wso2-extensions.

the class ClaimsUtil method addMissingClaims.

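/**
 * To add the missing claims that are missed in IDP and SP mapping.
 * <p>
 * Every attribute received from the IDP that has no effective mapping is copied into
 * {@code claimsAfterIDPandSPMapping} unchanged. An attribute is considered unmapped when:
 * <ul>
 * <li>IDP mappings exist and none of them names the attribute as its remote claim, or</li>
 * <li>IDP mappings exist, one maps the attribute to a local claim, but the SP does not request
 * that local claim, or</li>
 * <li>no IDP mappings exist and the SP does not request the attribute as a local claim.</li>
 * </ul>
 * A service provider without any claim mappings is treated as requesting nothing, so every
 * attribute is passed through (the IDP mapping array is already guarded the same way).
 * Attribute values are written to the debug log only when user claims are configured as loggable.
 *
 * @param tokenReqMsgCtx             Token request message context.
 * @param userAttributes             Attributes received from IDP.
 * @param claimsAfterIDPandSPMapping Claims; this map is mutated in place and also returned.
 * @param idPClaimMappings           IDP Claim mappings.
 * @return Final claim map with all the claims received from the IDP.
 * @throws IdentityApplicationManagementException Identity Application Management Exception.
 */
private static Map<String, String> addMissingClaims(OAuthTokenReqMessageContext tokenReqMsgCtx, Map<String, String> userAttributes, Map<String, String> claimsAfterIDPandSPMapping, ClaimMapping[] idPClaimMappings) throws IdentityApplicationManagementException {
    boolean isUserClaimsLoggable = isUserClaimsInTokenLoggable();
    ServiceProvider serviceProvider = getServiceProvider(tokenReqMsgCtx);
    ClaimConfig serviceProviderClaimConfig = serviceProvider.getClaimConfig();
    AuthenticatedUser authenticatedUser = tokenReqMsgCtx.getAuthorizedUser();
    boolean idpMappingsExist = ArrayUtils.isNotEmpty(idPClaimMappings);
    userAttributes.forEach((key, value) -> {
        // Non-null when the attribute must be added back; doubles as the debug-log prefix.
        String reason = null;
        if (idpMappingsExist) {
            ClaimMapping idpMapping = findIdpMappingByRemoteClaim(idPClaimMappings, key);
            if (idpMapping == null) {
                reason = "IDP Claim mapping does not exist for ";
            } else if (!isRequestedBySp(serviceProviderClaimConfig.getClaimMappings(), idpMapping.getLocalClaim().getClaimUri())) {
                reason = "IDP Claim mapping exist, but SP Claim mapping does not exist for ";
            }
        } else if (!isRequestedBySp(serviceProviderClaimConfig.getClaimMappings(), key)) {
            // Without IDP level mapping, every attribute coming from the IDP is assumed to be a local claim.
            reason = "SP Claim mapping does not exist for ";
        }
        if (reason != null) {
            // Values are sensitive; only log them when explicitly enabled by configuration.
            if (isUserClaimsLoggable && log.isDebugEnabled()) {
                log.debug(reason + key + ", hence adding value " + value + " for the user : " + authenticatedUser);
            }
            claimsAfterIDPandSPMapping.put(key, value);
        }
    });
    if (isUserClaimsLoggable) {
        if (log.isDebugEnabled()) {
            log.debug("Final set of claims for the user : " + authenticatedUser + ": " + claimsAfterIDPandSPMapping.toString());
        }
    }
    return claimsAfterIDPandSPMapping;
}

/**
 * Finds the IDP claim mapping whose remote claim URI equals {@code remoteClaimUri}.
 *
 * @param idPClaimMappings IDP claim mappings; must be non-null.
 * @param remoteClaimUri   remote claim URI received from the IDP.
 * @return the first matching mapping, or {@code null} when none matches.
 */
private static ClaimMapping findIdpMappingByRemoteClaim(ClaimMapping[] idPClaimMappings, String remoteClaimUri) {
    for (ClaimMapping claimMapping : idPClaimMappings) {
        if (claimMapping.getRemoteClaim().getClaimUri().equals(remoteClaimUri)) {
            return claimMapping;
        }
    }
    return null;
}

/**
 * Tells whether the service provider requests the given local claim.
 *
 * @param spClaimMappings SP claim mappings; {@code null} is treated as "nothing requested".
 * @param localClaimUri   local claim URI to look for; may be {@code null}, in which case nothing matches.
 * @return {@code true} when a mapping for the local claim exists and is marked as requested.
 */
private static boolean isRequestedBySp(ClaimMapping[] spClaimMappings, String localClaimUri) {
    if (spClaimMappings == null) {
        return false;
    }
    for (ClaimMapping claimMapping : spClaimMappings) {
        if (claimMapping.getLocalClaim().getClaimUri().equals(localClaimUri) && claimMapping.isRequested()) {
            return true;
        }
    }
    return false;
}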

Example 75 with ClaimMapping

use of org.wso2.carbon.identity.application.common.model.xsd.ClaimMapping in project identity-inbound-auth-oauth by wso2-extensions.

the class DefaultOIDCClaimsCallbackHandler method getUserAttributesFromCacheUsingToken.

/**
 * Get user attribute cached against the access token.
 * <p>
 * The token value itself is only written to the debug log when access tokens are configured as
 * loggable; otherwise a generic message is logged.
 *
 * @param accessToken Access token
 * @return User attributes cached against the access token, or an empty map when nothing is cached
 */
private Map<ClaimMapping, String> getUserAttributesFromCacheUsingToken(String accessToken) {
    if (log.isDebugEnabled()) {
        boolean tokenLoggable = IdentityUtil.isTokenLoggable(IdentityConstants.IdentityTokens.ACCESS_TOKEN);
        String message = tokenLoggable
                ? "Retrieving user attributes cached against access token: " + accessToken
                : "Retrieving user attributes cached against access token.";
        log.debug(message);
    }
    AuthorizationGrantCacheEntry cacheEntry = AuthorizationGrantCache.getInstance()
            .getValueFromCacheByToken(new AuthorizationGrantCacheKey(accessToken));
    if (cacheEntry == null) {
        return new HashMap<>();
    }
    return cacheEntry.getUserAttributes();
}
