Use of org.wso2.carbon.identity.oauth2.RequestObjectException in the project identity-inbound-auth-oauth by wso2-extensions.
The class UserInfoJSONResponseBuilderTest, method setUpRequestObjectService.
/**
 * Wires a stubbed {@code requestObjectService} into the OpenID Connect component holder so that the
 * builder under test resolves no request-object claims, for either the ID token or the UserInfo
 * response, and registers the default claim filter.
 *
 * @throws RequestObjectException declared by the stubbed service methods; the stubs never throw it.
 */
private void setUpRequestObjectService() throws RequestObjectException {

    List<RequestedClaim> noClaims = Collections.emptyList();
    // Both lookups answer with an empty claim list for any client id.
    when(requestObjectService.getRequestedClaimsForUserInfo(anyString())).thenReturn(noClaims);
    when(requestObjectService.getRequestedClaimsForIDToken(anyString())).thenReturn(noClaims);

    OpenIDConnectServiceComponentHolder.setRequestObjectService(requestObjectService);
    OpenIDConnectServiceComponentHolder.getInstance()
            .getOpenIDConnectClaimFilters()
            .add(new OpenIDConnectClaimFilterImpl());
}
Use of org.wso2.carbon.identity.oauth2.RequestObjectException in the project identity-inbound-auth-oauth by wso2-extensions.
The class OAuth2AuthzEndpoint, method populateOauthParameters.
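/**
 * Copies the validated authorization-request parameters into {@code params}, applies the OIDC request
 * object (whose values supersede the plain request parameters) and, when PKCE support is enabled,
 * validates and stores the PKCE code challenge.
 *
 * @param params             parameter holder populated by this method.
 * @param oAuthMessage       inbound authorization message.
 * @param validationResponse result of the client validation (callback URL, application name).
 * @param oauthRequest       parsed OAuth authorization request.
 * @return the URL of an error page when request-object handling or PKCE validation rejects the
 *         request, otherwise {@code null}.
 * @throws OAuthSystemException    on system-level failures in the delegated helpers.
 * @throws InvalidRequestException when a delegated helper rejects the request.
 */
private String populateOauthParameters(OAuth2Parameters params, OAuthMessage oAuthMessage,
                                       OAuth2ClientValidationResponseDTO validationResponse,
                                       OAuthAuthzRequest oauthRequest)
        throws OAuthSystemException, InvalidRequestException {

    String clientId = oAuthMessage.getClientId();
    params.setClientId(clientId);
    params.setRedirectURI(validationResponse.getCallbackURL());
    params.setResponseType(oauthRequest.getResponseType());
    params.setResponseMode(oauthRequest.getParam(RESPONSE_MODE));
    params.setScopes(oauthRequest.getScopes());
    if (params.getScopes() == null) {
        // Downstream code dereferences the scope set; a single empty scope stands in for "no scopes".
        Set<String> scopeSet = new HashSet<>();
        scopeSet.add("");
        params.setScopes(scopeSet);
    }
    params.setState(oauthRequest.getState());
    params.setApplicationName(validationResponse.getApplicationName());
    String spDisplayName = getSpDisplayName(clientId);
    if (StringUtils.isNotBlank(spDisplayName)) {
        params.setDisplayName(spDisplayName);
    }

    // OpenID Connect specific request parameters.
    params.setNonce(oauthRequest.getParam(OAuthConstants.OAuth20Params.NONCE));
    params.setDisplay(oauthRequest.getParam(OAuthConstants.OAuth20Params.DISPLAY));
    params.setIDTokenHint(oauthRequest.getParam(OAuthConstants.OAuth20Params.ID_TOKEN_HINT));
    params.setLoginHint(oauthRequest.getParam(OAuthConstants.OAuth20Params.LOGIN_HINT));

    // Set the service provider tenant domain.
    params.setTenantDomain(getSpTenantDomain(clientId));
    // Set the login tenant domain.
    params.setLoginTenantDomain(getLoginTenantDomain(oAuthMessage, clientId));

    // acr_values is read once instead of three times; the literal string "null" is treated as absent,
    // exactly as the original check did.
    String acrValues = oauthRequest.getParam(ACR_VALUES);
    if (StringUtils.isNotBlank(acrValues) && !"null".equals(acrValues)) {
        // Typed collections replace the raw List/LinkedHashSet; insertion order of the values is kept.
        // NOTE(review): splitting on a single space keeps empty entries for repeated spaces — confirm
        // whether the consumers of ACR_VALUES tolerate that before changing the delimiter.
        List<String> acrValuesList = Arrays.asList(acrValues.split(" "));
        LinkedHashSet<String> acrValuesHashSet = new LinkedHashSet<>(acrValuesList);
        params.setACRValues(acrValuesHashSet);
        oAuthMessage.getRequest().setAttribute(ACR_VALUES, acrValuesList);
    }

    String claims = oauthRequest.getParam(CLAIMS);
    if (StringUtils.isNotBlank(claims)) {
        params.setEssentialClaims(claims);
    }
    handleMaxAgeParameter(oauthRequest, params);

    /*
     * The OIDC request object supersedes parameters sent in the plain OAuth authorization request, so it
     * must be handled only after every request parameter above has been processed.
     */
    if (OAuth2Util.isOIDCAuthzRequest(oauthRequest.getScopes())) {
        try {
            handleOIDCRequestObject(oAuthMessage, oauthRequest, params);
        } catch (RequestObjectException e) {
            if (log.isDebugEnabled()) {
                log.debug("Request Object Handling failed due to : " + e.getErrorCode() + " for client_id: "
                        + clientId + " of tenantDomain: " + params.getTenantDomain(), e);
            }
            // A request_uri parameter means the object was fetched by reference; report the matching
            // sub-error so the caller can tell the two failure modes apart.
            String subErrorCode = StringUtils.isNotBlank(oAuthMessage.getRequest().getParameter(REQUEST_URI))
                    ? OAuth2ErrorCodes.OAuth2SubErrorCodes.INVALID_REQUEST_URI
                    : OAuth2ErrorCodes.OAuth2SubErrorCodes.INVALID_REQUEST_OBJECT;
            return EndpointUtil.getErrorPageURL(oAuthMessage.getRequest(), subErrorCode, e.getErrorCode(),
                    e.getErrorMessage(), null, params);
        }
    }

    if (isPkceSupportEnabled()) {
        String pkceChallengeCode = getPkceCodeChallenge(oAuthMessage, params);
        String pkceChallengeMethod = getPkceCodeChallengeMethod(oAuthMessage, params);
        // A non-null result is the error page to redirect to; the challenge is stored only when valid.
        String redirectURI = validatePKCEParameters(oAuthMessage, validationResponse, pkceChallengeCode,
                pkceChallengeMethod);
        if (redirectURI != null) {
            return redirectURI;
        }
        params.setPkceCodeChallenge(pkceChallengeCode);
        params.setPkceCodeChallengeMethod(pkceChallengeMethod);
    }
    return null;
}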
Use of org.wso2.carbon.identity.oauth2.RequestObjectException in the project identity-inbound-auth-oauth by wso2-extensions.
The class OAuth2AuthzEndpoint, method handleRequestObject.
/**
 * Builds the OIDC request object carried by the authorization request, lets its claims override the
 * plain request parameters, re-checks that a single concrete redirect URI remains, and persists the
 * request object.
 *
 * @param oAuthMessage inbound authorization message.
 * @param oauthRequest parsed OAuth authorization request (source of the {@code request} and
 *                     {@code request_uri} parameters).
 * @param parameters   OAuth2 parameters updated from the request object.
 * @throws RequestObjectException  when no valid request object can be built from the request.
 * @throws InvalidRequestException when, after the override, the redirect URI is blank or starts with
 *                                 the pattern marker and so cannot be redirected to.
 */
private void handleRequestObject(OAuthMessage oAuthMessage, OAuthAuthzRequest oauthRequest,
                                 OAuth2Parameters parameters)
        throws RequestObjectException, InvalidRequestException {

    RequestObject requestObject = OIDCRequestObjectUtil.buildRequestObject(oauthRequest, parameters);
    if (requestObject == null) {
        throw new RequestObjectException(OAuth2ErrorCodes.INVALID_REQUEST,
                "Unable to build a valid Request Object from the authorization request.");
    }

    // When the request parameter is used, the OpenID Connect parameter values contained in the JWT
    // supersede those passed using the OAuth 2.0 request syntax.
    String requestParam = oauthRequest.getParam(REQUEST);
    String requestUriParam = oauthRequest.getParam(REQUEST_URI);
    overrideAuthzParameters(oAuthMessage, parameters, requestParam, requestUriParam, requestObject);

    // The redirect URI is checked again after the override: it has to be a single, concrete URI that
    // the endpoint can actually redirect to, not blank and not a registered pattern.
    String redirectUri = parameters.getRedirectURI();
    boolean singleRedirectUri = StringUtils.isNotBlank(redirectUri)
            && !StringUtils.startsWith(redirectUri, REGEX_PATTERN);
    if (!singleRedirectUri) {
        String message = "Redirect URI is not present in the authorization request.";
        LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, null,
                OAuthConstants.LogConstants.FAILED, message, "validate-input-parameters", null);
        throw new InvalidRequestException(message, OAuth2ErrorCodes.INVALID_REQUEST,
                OAuth2ErrorCodes.OAuth2SubErrorCodes.INVALID_REDIRECT_URI);
    }

    persistRequestObject(parameters, requestObject);
}
Use of org.wso2.carbon.identity.oauth2.RequestObjectException in the project identity-inbound-auth-oauth by wso2-extensions.
The class OAuth2CibaEndpoint, method validateAuthenticationRequest.
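/**
 * Validates that the CIBA authentication request is a properly formed request JWT for the given client
 * and that its request object is correctly signed and carries acceptable parameters.
 *
 * @param authRequest CIBA Authentication Request as a String.
 * @param clientId    identifier of the client the request is validated against.
 * @throws CibaAuthFailureException when any of the request, client, user-hint or parameter validations
 *                                  fails, when no request-object builder is registered under
 *                                  {@code REQUEST_PARAM_VALUE_BUILDER}, or when the request object's
 *                                  signature or content is rejected.
 */
private void validateAuthenticationRequest(String authRequest, String clientId) throws CibaAuthFailureException {

    // Validation for the proper formatting of the signed JWT.
    cibaAuthRequestValidator.validateRequest(authRequest);
    // Validation for the client.
    cibaAuthRequestValidator.validateClient(authRequest, clientId);
    // Validation for the user hint.
    cibaAuthRequestValidator.validateUserHint(authRequest);
    // Validation of the authentication request parameters.
    cibaAuthRequestValidator.validateAuthRequestParams(authRequest);

    try {
        RequestObjectBuilder requestObjectBuilder = OAuthServerConfiguration.getInstance()
                .getRequestObjectBuilders().get(REQUEST_PARAM_VALUE_BUILDER);
        OAuth2Parameters parameters = new OAuth2Parameters();
        parameters.setClientId(clientId);
        parameters.setTenantDomain(getSpTenantDomain(clientId));
        if (requestObjectBuilder == null) {
            throw new CibaAuthFailureException(OAuth2ErrorCodes.SERVER_ERROR,
                    "Unable to build the OIDC Request Object");
        }
        RequestObject requestObject = requestObjectBuilder.buildRequestObject(authRequest, parameters);

        // The signature is verified before the content is inspected, so unsigned or tampered content is
        // never acted upon.
        RequestObjectValidator requestObjectValidator =
                OAuthServerConfiguration.getInstance().getCIBARequestObjectValidator();
        OIDCRequestObjectUtil.validateRequestObjectSignature(parameters, requestObject, requestObjectValidator);
        if (!requestObjectValidator.validateRequestObject(requestObject, parameters)) {
            throw new CibaAuthFailureException(OAuth2ErrorCodes.INVALID_REQUEST,
                    "Invalid parameters found in the Request Object.");
        }
    } catch (InvalidRequestException | RequestObjectException e) {
        if (log.isDebugEnabled()) {
            log.debug(OAuth2ErrorCodes.INVALID_REQUEST, e);
        }
        // NOTE(review): only the message of the underlying exception survives here; the cause is not
        // chained. Confirm whether CibaAuthFailureException has a constructor that accepts a cause.
        throw new CibaAuthFailureException(OAuth2ErrorCodes.INVALID_REQUEST, e.getMessage());
    }
}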
Use of org.wso2.carbon.identity.oauth2.RequestObjectException in the project identity-inbound-auth-oauth by wso2-extensions.
The class OAuth2AuthzEndpoint, method handlePostConsent.
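/**
 * Handles the user's answer from the consent page: rebuilds the consent-required claim set, narrows it
 * to the requested OIDC claims and hands the approved claim ids to the SSO consent service.
 *
 * @param oAuthMessage inbound message carrying the consent response and the cached OAuth2 parameters.
 * @throws ConsentHandlingFailedException when the consent service, the claim-metadata lookup or the
 *                                        essential-claim resolution fails.
 */
private void handlePostConsent(OAuthMessage oAuthMessage) throws ConsentHandlingFailedException {

    OAuth2Parameters oauth2Params = getOauth2Params(oAuthMessage);
    String tenantDomain = EndpointUtil.getSPTenantDomainFromClientId(oauth2Params.getClientId());
    setSPAttributeToRequest(oAuthMessage.getRequest(), oauth2Params.getApplicationName(), tenantDomain);
    String spTenantDomain = oauth2Params.getTenantDomain();
    AuthenticatedUser loggedInUser = getLoggedInUser(oAuthMessage);
    String clientId = oauth2Params.getClientId();

    if (log.isDebugEnabled()) {
        log.debug("Initiating post user consent handling for user: " + loggedInUser.toFullQualifiedUsername()
                + " for client_id: " + clientId + " of tenantDomain: " + spTenantDomain);
    }
    try {
        if (isConsentHandlingFromFrameworkSkipped(oauth2Params)) {
            if (log.isDebugEnabled()) {
                log.debug("Consent handling from framework skipped for client_id: " + clientId
                        + " of tenantDomain: " + spTenantDomain + " for user: "
                        + loggedInUser.toFullQualifiedUsername() + ". "
                        + "Therefore handling post consent is not applicable.");
            }
            if (LoggerUtils.isDiagnosticLogsEnabled()) {
                Map<String, Object> params = new HashMap<>();
                params.put("clientId", clientId);
                Map<String, Object> configs = new HashMap<>();
                configs.put("skipConsent", "true");
                LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, params,
                        OAuthConstants.LogConstants.SUCCESS, "Consent is disabled for the OAuth client.",
                        "handle-consent", configs);
            }
            return;
        }

        List<Integer> approvedClaimIds = getUserConsentClaimIds(oAuthMessage);
        ServiceProvider serviceProvider = getServiceProvider(clientId);

        /*
         * With the current implementation of the SSOConsentService we need to send back the original
         * ConsentClaimsData object we got during the pre-consent stage. Currently we repeat the API call
         * during post-consent handling to get the original ConsentClaimsData object (assuming the SP did
         * not change between pre-consent and post-consent).
         * The SSO Consent Service API will be improved to avoid having to send the original
         * ConsentClaimsData object.
         */
        ConsentClaimsData value = getConsentRequiredClaims(loggedInUser, serviceProvider, oauth2Params);

        /*
         * The consent-required claims must be matched against the OIDC claims; otherwise the consent for
         * claims that are not OIDC claims would be saved as denied.
         */
        if (value != null) {
            // Drop the claims for which the user has no attribute value.
            value.setRequestedClaims(removeConsentRequestedNullUserAttributes(value.getRequestedClaims(),
                    loggedInUser.getUserAttributes(), spTenantDomain));
            List<ClaimMetaData> requestedOidcClaimsList =
                    getRequestedOidcClaimsList(value, oauth2Params, spTenantDomain);
            value.setRequestedClaims(requestedOidcClaimsList);
        }

        // Call the framework and create the consent receipt.
        if (log.isDebugEnabled()) {
            log.debug("Creating user consent receipt for user: " + loggedInUser.toFullQualifiedUsername()
                    + " for client_id: " + clientId + " of tenantDomain: " + spTenantDomain);
        }
        // Both prompt cases emit the same diagnostic event and differ only in the flag handed to the
        // consent service, so the previously duplicated branch bodies are folded into one path.
        boolean promptContainsConsent = hasPromptContainsConsent(oauth2Params);
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            Map<String, Object> params = new HashMap<>();
            params.put("clientId", clientId);
            params.put("prompt", oauth2Params.getPrompt());
            LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, params,
                    OAuthConstants.LogConstants.SUCCESS, null, "hand-over-to-consent-service", null);
        }
        getSSOConsentService().processConsent(approvedClaimIds, serviceProvider, loggedInUser, value,
                promptContainsConsent);
    } catch (OAuthSystemException | SSOConsentServiceException e) {
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, null,
                    OAuthConstants.LogConstants.FAILED, "System error occurred.", "process-consent", null);
        }
        String msg = "Error while processing consent of user: " + loggedInUser.toFullQualifiedUsername() + " for "
                + "client_id: " + clientId + " of tenantDomain: " + spTenantDomain;
        throw new ConsentHandlingFailedException(msg, e);
    } catch (ClaimMetadataException e) {
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, null,
                    OAuthConstants.LogConstants.FAILED,
                    String.format("Error occurred while getting " + "claim mappings for %s.", OIDC_DIALECT),
                    "process-consent", null);
        }
        throw new ConsentHandlingFailedException("Error while getting claim mappings for " + OIDC_DIALECT, e);
    } catch (RequestObjectException e) {
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, null,
                    OAuthConstants.LogConstants.FAILED,
                    String.format("Error occurred while getting essential claims for the session data key : %s.",
                            oauth2Params.getSessionDataKey()),
                    "process-consent", null);
        }
        throw new ConsentHandlingFailedException("Error while getting essential claims for the session data key "
                + ": " + oauth2Params.getSessionDataKey(), e);
    }
}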