Example 1 with CibaAuthFailureException

use of org.wso2.carbon.identity.oauth.endpoint.exception.CibaAuthFailureException in project identity-inbound-auth-oauth by wso2-extensions.

the class CibaAuthRequestValidator method validateUserHint.

/**
 * Validation for login_hint_token, login_hint and id_token_hint.
 * Any one of them, and exactly one, is mandatory.
 *
 * @param authRequest CIBA Authentication request.
 * @throws CibaAuthFailureException CIBA Authentication Failed Exception.
 */
public void validateUserHint(String authRequest) throws CibaAuthFailureException {
    try {
        SignedJWT signedJWT = SignedJWT.parse(authRequest);
        JWTClaimsSet claimsSet = signedJWT.getJWTClaimsSet();
        // Validation to check if any hints are present.
        if ((claimsSet.getClaim(CibaConstants.LOGIN_HINT_TOKEN) == null) && (claimsSet.getClaim(Constants.LOGIN_HINT) == null) && (claimsSet.getClaim(Constants.ID_TOKEN_HINT) == null)) {
            // All hints are null.
            if (log.isDebugEnabled()) {
                log.debug("Invalid request. Missing mandatory parameter, 'hints' from the request : " + authRequest);
            }
            throw new CibaAuthFailureException(ErrorCodes.UNAUTHORIZED_USER, "Missing user hints.");
        }
        // Validation when login_hint_token exists.
        if (!(claimsSet.getClaim(CibaConstants.LOGIN_HINT_TOKEN) == null)) {
            if (log.isDebugEnabled()) {
                log.debug("No login_hint_token support for current version of IS. Invalid CIBA Authentication " + "request : " + authRequest);
            }
            throw new CibaAuthFailureException(OAuth2ErrorCodes.INVALID_REQUEST, "Invalid parameter (login_hint_token)");
        }
        // Validation when login_hint exists.
        if (!(claimsSet.getClaim(Constants.LOGIN_HINT) == null)) {
            // id_token_hint is also present
            if (!(claimsSet.getClaim(Constants.ID_TOKEN_HINT) == null)) {
                throw new CibaAuthFailureException(OAuth2ErrorCodes.INVALID_REQUEST, "Both ID token hint and " + "login hint present in the request");
            }
            // Claim exists for login_hint.
            if (StringUtils.isBlank(claimsSet.getClaim(Constants.LOGIN_HINT).toString())) {
                // Login_hint is blank.
                throw new CibaAuthFailureException(ErrorCodes.UNAUTHORIZED_USER, "login_hint is blank.");
            }
            if (log.isDebugEnabled()) {
                log.debug("CIBA Authentication Request made by Client with clientID," + claimsSet.getIssuer() + " is having a proper user hint : " + claimsSet.getClaim(Constants.LOGIN_HINT) + ".");
            }
            return;
        }
        if (!(claimsSet.getClaim(Constants.ID_TOKEN_HINT) == null)) {
            // Value exists for id_token_hint
            if (StringUtils.isBlank(claimsSet.getClaim(Constants.ID_TOKEN_HINT).toString())) {
                // Existing values for id_token_hint are blank.
                if (log.isDebugEnabled()) {
                    log.debug("Unknown user identity from the request " + authRequest);
                }
                throw new CibaAuthFailureException(ErrorCodes.UNAUTHORIZED_USER, "Invalid (sub) value for the provided id_token_hint");
            }
            if (!OAuth2Util.validateIdToken(String.valueOf(claimsSet.getClaim(Constants.ID_TOKEN_HINT)))) {
                // Provided id_token_hint is not valid.
                if (log.isDebugEnabled()) {
                    log.debug("Invalid id_token_hint from the request " + authRequest);
                }
                throw new CibaAuthFailureException(ErrorCodes.UNAUTHORIZED_USER, "invalid id_token_hint.");
            }
            if (log.isDebugEnabled()) {
                log.debug("CIBA Authentication Request made by Client with clientID," + claimsSet.getAudience() + " is having a proper id_token_hint: " + claimsSet.getClaim(Constants.ID_TOKEN_HINT) + ".");
            }
        }
    } catch (ParseException e) {
        throw new CibaAuthFailureException(OAuth2ErrorCodes.SERVER_ERROR, "Error occurred in validating user hints.", e);
    }
}
Also used : CibaAuthFailureException(org.wso2.carbon.identity.oauth.endpoint.exception.CibaAuthFailureException) JWTClaimsSet(com.nimbusds.jwt.JWTClaimsSet) SignedJWT(com.nimbusds.jwt.SignedJWT) ParseException(java.text.ParseException)

Example 2 with CibaAuthFailureException

use of org.wso2.carbon.identity.oauth.endpoint.exception.CibaAuthFailureException in project identity-inbound-auth-oauth by wso2-extensions.

the class CibaAuthRequestValidator method validateAuthRequestParams.

/**
 * Validate CIBA Authentication Request.
 *
 * @param request CIBA Authentication Request.
 * @throws CibaAuthFailureException CIBA Authentication Failed Exception, or a CIBA server error
 *                                  if the request JWT cannot be parsed.
 */
public void validateAuthRequestParams(String request) throws CibaAuthFailureException {
    try {
        long timeInMillis = Calendar.getInstance(TimeZone.getTimeZone(CibaConstants.UTC)).getTimeInMillis();
        long skewTime = OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds() * CibaConstants.SEC_TO_MILLISEC_FACTOR;
        SignedJWT signedJWT = SignedJWT.parse(request);
        JWTClaimsSet claimsSet = signedJWT.getJWTClaimsSet();
        if (!isValidSignature(signedJWT)) {
            // Signature is invalid.
            throw new CibaAuthFailureException(OAuth2ErrorCodes.INVALID_REQUEST, "Invalid signature.");
        }
        // Validate audience of the Request.
        validateAudience(claimsSet);
        // Validate  JWT-ID of the Request.
        validateJti(claimsSet);
        // Validate the expiryTime of the Request.
        validateExpiryTime(claimsSet, timeInMillis, skewTime);
        // Validate the issuedTime of the Request.
        validateIssuedTime(claimsSet, timeInMillis);
        // Validate the NBF of the Request.
        validateNBF(claimsSet, timeInMillis, skewTime);
        // Validate the scope of the Request.
        validateScopes(claimsSet);
        // Validate the acr_values of the Request.
        validateACR(claimsSet);
        // Validate the binding_message of the Request.
        validateBindingMessage(claimsSet);
        // Validate the requested_expiry of the Request.
        validateRequestedExpiry(claimsSet);
        if (log.isDebugEnabled()) {
            log.debug("CIBA Authentication Request made by client with clientID : " + claimsSet.getIssuer() + " is properly validated.");
        }
    } catch (ParseException e) {
        throw new CibaAuthFailureException(OAuth2ErrorCodes.SERVER_ERROR, "Error in validating authentication request.", e);
    }
}
Also used : CibaAuthFailureException(org.wso2.carbon.identity.oauth.endpoint.exception.CibaAuthFailureException) JWTClaimsSet(com.nimbusds.jwt.JWTClaimsSet) SignedJWT(com.nimbusds.jwt.SignedJWT) ParseException(java.text.ParseException)

Example 3 with CibaAuthFailureException

use of org.wso2.carbon.identity.oauth.endpoint.exception.CibaAuthFailureException in project identity-inbound-auth-oauth by wso2-extensions.

the class CibaAuthResponseHandler method handleClientException.

/**
 * Handles client exception.
 *
 * @param cibaAuthFailureException Authentication Failure Exception.
 * @return Response for AuthenticationRequest.
 */
private Response handleClientException(CibaAuthFailureException cibaAuthFailureException) {
    String errorCode = cibaAuthFailureException.getErrorCode();
    JSONObject cibaErrorResponse = new JSONObject();
    cibaErrorResponse.put(ERROR, cibaAuthFailureException.getErrorCode());
    cibaErrorResponse.put(ERROR_DESCRIPRION, cibaAuthFailureException.getMessage());
    Response.ResponseBuilder respBuilder;
    if (errorCode.equals(OAuth2ErrorCodes.INVALID_CLIENT)) {
        // Creating error response for the request.
        respBuilder = Response.status(HttpServletResponse.SC_UNAUTHORIZED);
    } else {
        respBuilder = Response.status(HttpServletResponse.SC_BAD_REQUEST);
    }
    return respBuilder.entity(cibaErrorResponse.toString()).build();
}
Also used : Response(javax.ws.rs.core.Response) HttpServletResponse(javax.servlet.http.HttpServletResponse) CibaAuthCodeResponse(org.wso2.carbon.identity.oauth.ciba.model.CibaAuthCodeResponse) JSONObject(net.minidev.json.JSONObject)

Example 4 with CibaAuthFailureException

use of org.wso2.carbon.identity.oauth.endpoint.exception.CibaAuthFailureException in project identity-inbound-auth-oauth by wso2-extensions.

the class OAuth2CibaEndpoint method ciba.

@POST
@Path("/")
@Consumes("application/x-www-form-urlencoded")
@Produces("application/json")
public Response ciba(@Context HttpServletRequest request, @Context HttpServletResponse response, MultivaluedMap paramMap) {
    OAuthClientAuthnContext oAuthClientAuthnContext = getClientAuthnContext(request);
    if (!oAuthClientAuthnContext.isAuthenticated()) {
        return getErrorResponse(new CibaAuthFailureException(OAuth2ErrorCodes.UNAUTHORIZED_CLIENT, "Client authentication required"));
    }
    request = new OAuthRequestWrapper(request, (Map<String, List<String>>) paramMap);
    if (log.isDebugEnabled()) {
        log.debug("Authentication request has hit Client Initiated Back-channel Authentication EndPoint.");
    }
    try {
        // Check whether request has the 'request' parameter.
        checkForRequestParam(request);
        // Capturing authentication request.
        String authRequest = request.getParameter(CibaConstants.REQUEST);
        // Validate authentication request.
        validateAuthenticationRequest(authRequest, oAuthClientAuthnContext.getClientId());
        // Prepare RequestDTO with validated parameters.
        cibaAuthCodeRequest = getCibaAuthCodeRequest(authRequest);
        // Obtain Response from service layer of CIBA.
        cibaAuthCodeResponse = getCibaAuthCodeResponse(cibaAuthCodeRequest);
        // Create an internal authorize call to the authorize endpoint.
        generateAuthorizeCall(request, response, cibaAuthCodeResponse);
        // Create and return Ciba Authentication Response.
        return getAuthResponse(response, cibaAuthCodeResponse);
    } catch (CibaAuthFailureException e) {
        // Returning error response.
        return getErrorResponse(e);
    }
}
Also used : OAuthRequestWrapper(org.wso2.carbon.identity.oauth.endpoint.OAuthRequestWrapper) CibaAuthFailureException(org.wso2.carbon.identity.oauth.endpoint.exception.CibaAuthFailureException) OAuthClientAuthnContext(org.wso2.carbon.identity.oauth2.bean.OAuthClientAuthnContext) Map(java.util.Map) MultivaluedMap(javax.ws.rs.core.MultivaluedMap) Path(javax.ws.rs.Path) POST(javax.ws.rs.POST) Consumes(javax.ws.rs.Consumes) Produces(javax.ws.rs.Produces)

Example 5 with CibaAuthFailureException

use of org.wso2.carbon.identity.oauth.endpoint.exception.CibaAuthFailureException in project identity-inbound-auth-oauth by wso2-extensions.

the class OAuth2CibaEndpoint method validateAuthenticationRequest.

/**
 * Validate whether Request JWT is in proper formatting.
 *
 * @param authRequest CIBA Authentication Request as a String.
 * @throws CibaAuthFailureException CIBA Authentication Failed Exception.
 */
private void validateAuthenticationRequest(String authRequest, String clientId) throws CibaAuthFailureException {
    // Validation for the proper formatting of signedJWT.
    cibaAuthRequestValidator.validateRequest(authRequest);
    // Validation for the client.
    cibaAuthRequestValidator.validateClient(authRequest, clientId);
    // Validation for the userHint.
    cibaAuthRequestValidator.validateUserHint(authRequest);
    // Validate Authentication request.
    cibaAuthRequestValidator.validateAuthRequestParams(authRequest);
    try {
        RequestObject requestObject;
        RequestObjectBuilder requestObjectBuilder;
        requestObjectBuilder = OAuthServerConfiguration.getInstance().getRequestObjectBuilders().get(REQUEST_PARAM_VALUE_BUILDER);
        OAuth2Parameters parameters = new OAuth2Parameters();
        parameters.setClientId(clientId);
        parameters.setTenantDomain(getSpTenantDomain(clientId));
        if (requestObjectBuilder == null) {
            String error = "Unable to build the OIDC Request Object";
            throw new CibaAuthFailureException(OAuth2ErrorCodes.SERVER_ERROR, error);
        }
        requestObject = requestObjectBuilder.buildRequestObject(authRequest, parameters);
        RequestObjectValidator requestObjectValidator = OAuthServerConfiguration.getInstance().getCIBARequestObjectValidator();
        OIDCRequestObjectUtil.validateRequestObjectSignature(parameters, requestObject, requestObjectValidator);
        if (!requestObjectValidator.validateRequestObject(requestObject, parameters)) {
            throw new CibaAuthFailureException(OAuth2ErrorCodes.INVALID_REQUEST, "Invalid parameters " + "found in the Request Object.");
        }
    } catch (InvalidRequestException | RequestObjectException e) {
        if (log.isDebugEnabled()) {
            log.debug(OAuth2ErrorCodes.INVALID_REQUEST, e);
        }
        throw new CibaAuthFailureException(OAuth2ErrorCodes.INVALID_REQUEST, e.getMessage());
    }
}
Also used : OAuth2Parameters(org.wso2.carbon.identity.oauth2.model.OAuth2Parameters) RequestObjectException(org.wso2.carbon.identity.oauth2.RequestObjectException) CibaAuthFailureException(org.wso2.carbon.identity.oauth.endpoint.exception.CibaAuthFailureException) RequestObjectBuilder(org.wso2.carbon.identity.openidconnect.RequestObjectBuilder) InvalidRequestException(org.wso2.carbon.identity.oauth.endpoint.exception.InvalidRequestException) RequestObjectValidator(org.wso2.carbon.identity.openidconnect.RequestObjectValidator) RequestObject(org.wso2.carbon.identity.openidconnect.model.RequestObject)
