use of org.wso2.carbon.identity.oauth.endpoint.exception.CibaAuthFailureException in project identity-inbound-auth-oauth by wso2-extensions.
the class CibaAuthRequestValidator method validateUserHint.
/**
 * Validates the user-hint claims of a CIBA authentication request JWT.
 * <p>
 * Exactly one of {@code login_hint} or {@code id_token_hint} must be present.
 * {@code login_hint_token} is rejected because this version does not support it.
 * Only the presence and content of the hint claims are checked here; the JWT
 * signature is not verified by this method.
 *
 * @param authRequest CIBA Authentication request (serialised signed JWT).
 * @throws CibaAuthFailureException {@code UNAUTHORIZED_USER} when no hint is present, a hint is
 *                                  blank or the id_token_hint does not validate;
 *                                  {@code INVALID_REQUEST} when login_hint_token is used or both
 *                                  login_hint and id_token_hint are present;
 *                                  {@code SERVER_ERROR} when the JWT cannot be parsed.
 */
public void validateUserHint(String authRequest) throws CibaAuthFailureException {

    try {
        SignedJWT signedJWT = SignedJWT.parse(authRequest);
        JWTClaimsSet claimsSet = signedJWT.getJWTClaimsSet();

        // Read each hint once. The claims set is not modified between reads, so this is
        // equivalent to looking each claim up again at every check.
        Object loginHintToken = claimsSet.getClaim(CibaConstants.LOGIN_HINT_TOKEN);
        Object loginHint = claimsSet.getClaim(Constants.LOGIN_HINT);
        Object idTokenHint = claimsSet.getClaim(Constants.ID_TOKEN_HINT);

        // Note that several debug messages below include the complete request JWT, i.e. every
        // claim the client sent; keep debug logging off in production or expect hints/PII in logs.
        boolean noHintPresent = loginHintToken == null && loginHint == null && idTokenHint == null;
        if (noHintPresent) {
            if (log.isDebugEnabled()) {
                log.debug("Invalid request. Missing mandatory parameter, 'hints' from the request : " + authRequest);
            }
            throw new CibaAuthFailureException(ErrorCodes.UNAUTHORIZED_USER, "Missing user hints.");
        }

        // login_hint_token is not supported in this version; reject it outright.
        if (loginHintToken != null) {
            if (log.isDebugEnabled()) {
                log.debug("No Login_hint_token support for current version of IS.Invalid CIBA Authentication "
                        + "request : " + authRequest);
            }
            throw new CibaAuthFailureException(OAuth2ErrorCodes.INVALID_REQUEST,
                    "Invalid parameter (login_hint_token)");
        }

        // login_hint branch: it must be the only hint and must not be blank.
        if (loginHint != null) {
            if (idTokenHint != null) {
                throw new CibaAuthFailureException(OAuth2ErrorCodes.INVALID_REQUEST, "Both ID token hint and "
                        + "login hint present in the request");
            }
            if (StringUtils.isBlank(loginHint.toString())) {
                throw new CibaAuthFailureException(ErrorCodes.UNAUTHORIZED_USER, "login_hint is blank.");
            }
            if (log.isDebugEnabled()) {
                log.debug("CIBA Authentication Request made by Client with clientID," + claimsSet.getIssuer()
                        + " is having a proper user hint : " + loginHint + ".");
            }
            return;
        }

        // id_token_hint branch: the value must be non-blank and pass OAuth2Util.validateIdToken.
        if (idTokenHint != null) {
            if (StringUtils.isBlank(idTokenHint.toString())) {
                if (log.isDebugEnabled()) {
                    log.debug("Unknown user identity from the request " + authRequest);
                }
                throw new CibaAuthFailureException(ErrorCodes.UNAUTHORIZED_USER,
                        "Invalid (sub) value for the provided id_token_hint");
            }
            if (!OAuth2Util.validateIdToken(String.valueOf(idTokenHint))) {
                if (log.isDebugEnabled()) {
                    log.debug("Invalid id_token_hint from the request " + authRequest);
                }
                throw new CibaAuthFailureException(ErrorCodes.UNAUTHORIZED_USER, "invalid id_token_hint.");
            }
            if (log.isDebugEnabled()) {
                // NOTE(review): this message labels the audience as clientID, while the login_hint
                // branch above logs the issuer under the same label — confirm which one is intended.
                log.debug("CIBA Authentication Request made by Client with clientID," + claimsSet.getAudience()
                        + " is having a proper id_token_hint: " + idTokenHint + ".");
            }
        }
    } catch (ParseException e) {
        // NOTE(review): a malformed request JWT is reported as SERVER_ERROR here; validateRequest runs
        // before this method in OAuth2CibaEndpoint and may already reject such input — confirm.
        throw new CibaAuthFailureException(OAuth2ErrorCodes.SERVER_ERROR,
                "Error occurred in validating user hints.", e);
    }
}
use of org.wso2.carbon.identity.oauth.endpoint.exception.CibaAuthFailureException in project identity-inbound-auth-oauth by wso2-extensions.
the class CibaAuthRequestValidator method validateAuthRequestParams.
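/**
 * Validates the claims of a CIBA authentication request JWT.
 * <p>
 * The JWT signature is verified first; the remaining checks (audience, jti, exp, iat, nbf,
 * scope, acr, binding_message, requested_expiry) are delegated to the sibling validators and
 * only run on a request whose signature has been accepted.
 *
 * @param request CIBA Authentication Request (serialised signed JWT).
 * @throws CibaAuthFailureException {@code INVALID_REQUEST} when the signature is invalid,
 *                                  {@code SERVER_ERROR} when the JWT cannot be parsed, or
 *                                  whatever the delegated validators raise.
 */
public void validateAuthRequestParams(String request) throws CibaAuthFailureException {

    try {
        // Epoch milliseconds are zone-independent, so this equals the former
        // Calendar.getInstance(UTC).getTimeInMillis() without the Calendar allocation.
        long timeInMillis = System.currentTimeMillis();
        // Configured clock skew, converted from seconds to milliseconds.
        long skewTime = OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds()
                * CibaConstants.SEC_TO_MILLISEC_FACTOR;
        SignedJWT signedJWT = SignedJWT.parse(request);
        JWTClaimsSet claimsSet = signedJWT.getJWTClaimsSet();

        // Signature first: no claim is trusted until the JWT is known to be authentic.
        if (!isValidSignature(signedJWT)) {
            throw new CibaAuthFailureException(OAuth2ErrorCodes.INVALID_REQUEST, "Invalid signature.");
        }
        // Validate audience of the Request.
        validateAudience(claimsSet);
        // Validate JWT-ID of the Request.
        validateJti(claimsSet);
        // Validate the expiryTime of the Request (with skew).
        validateExpiryTime(claimsSet, timeInMillis, skewTime);
        // Validate the issuedTime of the Request.
        validateIssuedTime(claimsSet, timeInMillis);
        // Validate the NBF of the Request (with skew).
        validateNBF(claimsSet, timeInMillis, skewTime);
        // Validate the scope of the Request.
        validateScopes(claimsSet);
        // Validate the acr values of the Request.
        validateACR(claimsSet);
        // Validate the binding_message of the Request.
        validateBindingMessage(claimsSet);
        // Validate the requested_expiry of the Request.
        validateRequestedExpiry(claimsSet);

        if (log.isDebugEnabled()) {
            log.debug("CIBA Authentication Request made by client with clientID : " + claimsSet.getIssuer()
                    + " is properly validated.");
        }
    } catch (ParseException e) {
        throw new CibaAuthFailureException(OAuth2ErrorCodes.SERVER_ERROR,
                "Error in validating authentication request.", e);
    }
}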
use of org.wso2.carbon.identity.oauth.endpoint.exception.CibaAuthFailureException in project identity-inbound-auth-oauth by wso2-extensions.
the class CibaAuthResponseHandler method handleClientException.
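/**
 * Builds the HTTP error response for a CIBA authentication failure.
 * <p>
 * The exception's error code becomes {@code error} and its message becomes
 * {@code error_description} in the JSON body, so the message is client-visible: callers must
 * keep internal details (stack traces, configuration, user data) out of it.
 * {@code invalid_client} maps to HTTP 401; every other code maps to HTTP 400.
 *
 * @param cibaAuthFailureException Authentication Failure Exception carrying error code and message.
 * @return JSON error response for the AuthenticationRequest.
 */
private Response handleClientException(CibaAuthFailureException cibaAuthFailureException) {

    String errorCode = cibaAuthFailureException.getErrorCode();
    JSONObject cibaErrorResponse = new JSONObject();
    cibaErrorResponse.put(ERROR, errorCode);
    cibaErrorResponse.put(ERROR_DESCRIPRION, cibaAuthFailureException.getMessage());

    // Constant-first comparison is null-safe: an exception without an error code falls through
    // to 400 instead of throwing a NullPointerException while the error response is being built.
    int status = OAuth2ErrorCodes.INVALID_CLIENT.equals(errorCode)
            ? HttpServletResponse.SC_UNAUTHORIZED
            : HttpServletResponse.SC_BAD_REQUEST;
    return Response.status(status).entity(cibaErrorResponse.toString()).build();
}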
use of org.wso2.carbon.identity.oauth.endpoint.exception.CibaAuthFailureException in project identity-inbound-auth-oauth by wso2-extensions.
the class OAuth2CibaEndpoint method ciba.
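/**
 * CIBA backchannel authentication endpoint (POST, form-encoded).
 * <p>
 * The client must already be authenticated by the client-authentication layer; the request is
 * then validated, an auth code is obtained from the CIBA service layer, an internal authorize
 * call is made and the CIBA authentication response is returned. Any
 * {@link CibaAuthFailureException} is converted into an error response.
 *
 * @param request  incoming HTTP request (wrapped so the form parameters are exposed).
 * @param response outgoing HTTP response, handed to the internal authorize call.
 * @param paramMap form parameters of the POST body.
 * @return CIBA authentication response, or an error response.
 */
@POST
@Path("/")
@Consumes("application/x-www-form-urlencoded")
@Produces("application/json")
public Response ciba(@Context HttpServletRequest request, @Context HttpServletResponse response,
                     MultivaluedMap paramMap) {

    OAuthClientAuthnContext oAuthClientAuthnContext = getClientAuthnContext(request);
    if (!oAuthClientAuthnContext.isAuthenticated()) {
        // NOTE(review): RFC 6749 §5.2 uses invalid_client for failed client authentication, which
        // handleClientException maps to HTTP 401; unauthorized_client is used here — confirm intended.
        return getErrorResponse(new CibaAuthFailureException(OAuth2ErrorCodes.UNAUTHORIZED_CLIENT,
                "Client authentication required"));
    }
    request = new OAuthRequestWrapper(request, (Map<String, List<String>>) paramMap);
    if (log.isDebugEnabled()) {
        log.debug("Authentication request has hit Client Initiated Back-channel Authentication EndPoint.");
    }
    try {
        // Check whether request has the 'request' parameter.
        checkForRequestParam(request);
        // Capturing authentication request.
        String authRequest = request.getParameter(CibaConstants.REQUEST);
        // Validate authentication request against the authenticated client.
        validateAuthenticationRequest(authRequest, oAuthClientAuthnContext.getClientId());
        // The request/response objects are locals, not instance fields: a JAX-RS resource may be a
        // shared singleton, and per-request state kept in fields can be overwritten by a concurrent
        // request, handing one client's auth-code response to another. Every downstream call in this
        // method receives them as arguments, so nothing here depends on the field.
        CibaAuthCodeRequest cibaAuthCodeRequest = getCibaAuthCodeRequest(authRequest);
        CibaAuthCodeResponse cibaAuthCodeResponse = getCibaAuthCodeResponse(cibaAuthCodeRequest);
        // Create an internal authorize call to the authorize endpoint.
        generateAuthorizeCall(request, response, cibaAuthCodeResponse);
        // Create and return Ciba Authentication Response.
        return getAuthResponse(response, cibaAuthCodeResponse);
    } catch (CibaAuthFailureException e) {
        return getErrorResponse(e);
    }
}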
use of org.wso2.carbon.identity.oauth.endpoint.exception.CibaAuthFailureException in project identity-inbound-auth-oauth by wso2-extensions.
the class OAuth2CibaEndpoint method validateAuthenticationRequest.
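/**
 * Validates a CIBA authentication request JWT and its OIDC request object.
 * <p>
 * Runs the format, client, user-hint and parameter validators in that order, then builds the
 * OIDC request object, verifies its signature and applies the configured CIBA request-object
 * validator.
 *
 * @param authRequest CIBA Authentication Request as a String (serialised signed JWT).
 * @param clientId    identifier of the authenticated client that sent the request.
 * @throws CibaAuthFailureException {@code SERVER_ERROR} if no request-object builder is registered,
 *                                  {@code INVALID_REQUEST} if the request object is rejected, or
 *                                  whatever the delegated validators raise.
 */
private void validateAuthenticationRequest(String authRequest, String clientId) throws CibaAuthFailureException {

    // Validation for the proper formatting of signedJWT.
    cibaAuthRequestValidator.validateRequest(authRequest);
    // Validation for the client.
    cibaAuthRequestValidator.validateClient(authRequest, clientId);
    // Validation for the userHint.
    cibaAuthRequestValidator.validateUserHint(authRequest);
    // Validate Authentication request parameters (signature, aud, jti, times, scope, ...).
    cibaAuthRequestValidator.validateAuthRequestParams(authRequest);
    try {
        RequestObjectBuilder requestObjectBuilder = OAuthServerConfiguration.getInstance()
                .getRequestObjectBuilders().get(REQUEST_PARAM_VALUE_BUILDER);
        OAuth2Parameters parameters = new OAuth2Parameters();
        parameters.setClientId(clientId);
        parameters.setTenantDomain(getSpTenantDomain(clientId));
        if (requestObjectBuilder == null) {
            // Deployment problem, not a client error: reported as a server error.
            throw new CibaAuthFailureException(OAuth2ErrorCodes.SERVER_ERROR,
                    "Unable to build the OIDC Request Object");
        }
        RequestObject requestObject = requestObjectBuilder.buildRequestObject(authRequest, parameters);
        RequestObjectValidator requestObjectValidator =
                OAuthServerConfiguration.getInstance().getCIBARequestObjectValidator();
        OIDCRequestObjectUtil.validateRequestObjectSignature(parameters, requestObject, requestObjectValidator);
        if (!requestObjectValidator.validateRequestObject(requestObject, parameters)) {
            throw new CibaAuthFailureException(OAuth2ErrorCodes.INVALID_REQUEST, "Invalid parameters "
                    + "found in the Request Object.");
        }
    } catch (InvalidRequestException | RequestObjectException e) {
        if (log.isDebugEnabled()) {
            // Log the reason, not just the error code, so the rejection can be diagnosed.
            log.debug("Rejecting CIBA request object (" + OAuth2ErrorCodes.INVALID_REQUEST + "): "
                    + e.getMessage(), e);
        }
        // NOTE(review): e.getMessage() appears to be echoed to the client as error_description by the
        // error response handler; the wrapped exceptions must not carry internal details — confirm.
        throw new CibaAuthFailureException(OAuth2ErrorCodes.INVALID_REQUEST, e.getMessage());
    }
}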