
Example 11 with OAuth2Parameters

use of org.wso2.carbon.identity.oauth2.model.OAuth2Parameters in project identity-inbound-auth-oauth by wso2-extensions.

From class OAuth2AuthzEndpoint, method manageOIDCSessionState:

/**
 * Decorates the final redirect URL with OIDC session-state handling when the request is an OIDC request.
 *
 * <p>Whether the request counts as OIDC is decided by {@code OAuth2Util.isOIDCAuthzRequest} on the scopes
 * recorded in the cached {@code OAuth2Parameters}; plain OAuth2 requests get the URL back unchanged.
 *
 * @param oAuthMessage inbound message (supplies the cached parameters, logged-in user and session cache entry)
 * @param sessionState session-state holder; flagged so that session_state is added for OIDC requests
 * @param redirectURL  redirect URL built so far
 * @return the (possibly session-state-enriched) redirect URL
 */
private String manageOIDCSessionState(OAuthMessage oAuthMessage, OIDCSessionState sessionState, String redirectURL) {
    OAuth2Parameters oauth2Params = getOauth2Params(oAuthMessage);
    // Guard clause: non-OIDC requests are passed through untouched.
    if (!OAuth2Util.isOIDCAuthzRequest(oauth2Params.getScopes())) {
        return redirectURL;
    }
    sessionState.setAddSessionState(true);
    String subjectIdentifier = getLoggedInUser(oAuthMessage).getAuthenticatedSubjectIdentifier();
    return manageOIDCSessionState(oAuthMessage, sessionState, oauth2Params, subjectIdentifier, redirectURL,
            oAuthMessage.getSessionDataCacheEntry());
}

Example 12 with OAuth2Parameters

use of org.wso2.carbon.identity.oauth2.model.OAuth2Parameters in project identity-inbound-auth-oauth by wso2-extensions.

From class OAuth2AuthzEndpoint, method populateOauthParameters:

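/**
 * Populates {@code params} from the already client-validated authorization request.
 *
 * <p>Order is significant: the plain request parameters are copied first, the OIDC request object is applied
 * afterwards (its values supersede the plain parameters), and PKCE is validated last, so the challenge stored on
 * {@code params} is always one that passed {@code validatePKCEParameters}.
 *
 * @param params             holder that is mutated in place
 * @param oAuthMessage       inbound message; source of the client_id and of the underlying servlet request
 * @param validationResponse client validation result; the redirect URI and application name are taken from here
 *                           (the values resolved during client validation), not from the raw request
 * @param oauthRequest       parsed authorization request (response_type, scope, state, OIDC parameters, ...)
 * @return an error-page URL if request-object handling or PKCE validation fails, otherwise {@code null}
 * @throws OAuthSystemException    declared by the helpers this method delegates to
 * @throws InvalidRequestException declared by the helpers this method delegates to
 */
private String populateOauthParameters(OAuth2Parameters params, OAuthMessage oAuthMessage, OAuth2ClientValidationResponseDTO validationResponse, OAuthAuthzRequest oauthRequest) throws OAuthSystemException, InvalidRequestException {
    String clientId = oAuthMessage.getClientId();
    params.setClientId(clientId);
    // Redirect URI comes from the validation response, i.e. the value resolved against the registered client.
    params.setRedirectURI(validationResponse.getCallbackURL());
    params.setResponseType(oauthRequest.getResponseType());
    params.setResponseMode(oauthRequest.getParam(RESPONSE_MODE));
    params.setScopes(oauthRequest.getScopes());
    if (params.getScopes() == null) {
        // Placeholder so later code can iterate the scope set without a null check. NOTE(review): the
        // placeholder is a set holding the empty string, not an empty set; any scope-based decision downstream
        // has to treat "" as "no scope requested".
        Set<String> scopeSet = new HashSet<>();
        scopeSet.add("");
        params.setScopes(scopeSet);
    }
    params.setState(oauthRequest.getState());
    params.setApplicationName(validationResponse.getApplicationName());
    String spDisplayName = getSpDisplayName(clientId);
    if (StringUtils.isNotBlank(spDisplayName)) {
        params.setDisplayName(spDisplayName);
    }
    // OpenID Connect specific request parameters
    params.setNonce(oauthRequest.getParam(OAuthConstants.OAuth20Params.NONCE));
    params.setDisplay(oauthRequest.getParam(OAuthConstants.OAuth20Params.DISPLAY));
    params.setIDTokenHint(oauthRequest.getParam(OAuthConstants.OAuth20Params.ID_TOKEN_HINT));
    params.setLoginHint(oauthRequest.getParam(OAuthConstants.OAuth20Params.LOGIN_HINT));
    // Set the service provider tenant domain.
    params.setTenantDomain(getSpTenantDomain(clientId));
    // Set the login tenant domain.
    String loginTenantDomain = getLoginTenantDomain(oAuthMessage, clientId);
    params.setLoginTenantDomain(loginTenantDomain);
    // acr_values is a space-separated list. The literal string "null" is treated as absent (presumably some
    // clients serialise a missing value that way). A LinkedHashSet keeps the requested order while de-duplicating.
    String acrValues = oauthRequest.getParam(ACR_VALUES);
    if (StringUtils.isNotBlank(acrValues) && !"null".equals(acrValues)) {
        List<String> acrValuesList = Arrays.asList(acrValues.split(" "));
        LinkedHashSet<String> acrValuesHashSet = new LinkedHashSet<>(acrValuesList);
        params.setACRValues(acrValuesHashSet);
        oAuthMessage.getRequest().setAttribute(ACR_VALUES, acrValuesList);
    }
    if (StringUtils.isNotBlank(oauthRequest.getParam(CLAIMS))) {
        // Stored as the raw string; it is not parsed or validated at this point.
        params.setEssentialClaims(oauthRequest.getParam(CLAIMS));
    }
    handleMaxAgeParameter(oauthRequest, params);
    /*
            OIDC Request object will supersede parameters sent in the OAuth Authorization request. So handling the
            OIDC Request object needs to done after processing all request parameters.
         */
    if (OAuth2Util.isOIDCAuthzRequest(oauthRequest.getScopes())) {
        try {
            handleOIDCRequestObject(oAuthMessage, oauthRequest, params);
        } catch (RequestObjectException e) {
            if (log.isDebugEnabled()) {
                log.debug("Request Object Handling failed due to : " + e.getErrorCode() + " for client_id: " + clientId + " of tenantDomain: " + params.getTenantDomain(), e);
            }
            // The sub error code tells the client whether the by-reference (request_uri) or the by-value
            // (request) form failed; the error code/message from the exception are passed through.
            if (StringUtils.isNotBlank(oAuthMessage.getRequest().getParameter(REQUEST_URI))) {
                return EndpointUtil.getErrorPageURL(oAuthMessage.getRequest(), OAuth2ErrorCodes.OAuth2SubErrorCodes.INVALID_REQUEST_URI, e.getErrorCode(), e.getErrorMessage(), null, params);
            } else {
                return EndpointUtil.getErrorPageURL(oAuthMessage.getRequest(), OAuth2ErrorCodes.OAuth2SubErrorCodes.INVALID_REQUEST_OBJECT, e.getErrorCode(), e.getErrorMessage(), null, params);
            }
        }
    }
    if (isPkceSupportEnabled()) {
        String pkceChallengeCode = getPkceCodeChallenge(oAuthMessage, params);
        String pkceChallengeMethod = getPkceCodeChallengeMethod(oAuthMessage, params);
        // A non-null return is an error redirect; the challenge is only recorded on params once it validated.
        String redirectURI = validatePKCEParameters(oAuthMessage, validationResponse, pkceChallengeCode, pkceChallengeMethod);
        if (redirectURI != null) {
            return redirectURI;
        }
        params.setPkceCodeChallenge(pkceChallengeCode);
        params.setPkceCodeChallengeMethod(pkceChallengeMethod);
    }
    return null;
}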

Example 13 with OAuth2Parameters

use of org.wso2.carbon.identity.oauth2.model.OAuth2Parameters in project identity-inbound-auth-oauth by wso2-extensions.

From class OAuth2AuthzEndpoint, method handleRequestObject:

/**
 * Builds the OIDC request object for the authorization request, lets its values override the plain request
 * parameters, re-checks the resulting redirect URI and finally persists the request object.
 *
 * @param oAuthMessage inbound message
 * @param oauthRequest parsed authorization request (supplies the {@code request} / {@code request_uri} values)
 * @param parameters   parameter holder that is updated in place by the override step
 * @throws RequestObjectException if no request object can be built from the request
 * @throws InvalidRequestException if, after the override, the redirect URI is blank or starts with
 *                                 {@code REGEX_PATTERN} and therefore is not a single concrete URI
 */
private void handleRequestObject(OAuthMessage oAuthMessage, OAuthAuthzRequest oauthRequest, OAuth2Parameters parameters) throws RequestObjectException, InvalidRequestException {
    RequestObject requestObject = OIDCRequestObjectUtil.buildRequestObject(oauthRequest, parameters);
    if (requestObject == null) {
        throw new RequestObjectException(OAuth2ErrorCodes.INVALID_REQUEST, "Unable to build a valid Request " + "Object from the authorization request.");
    }
    // Per OIDC Core, values carried inside the request object supersede those passed as plain OAuth 2.0 request
    // parameters, so the override runs before anything else looks at the parameters.
    String requestParam = oauthRequest.getParam(REQUEST);
    String requestUriParam = oauthRequest.getParam(REQUEST_URI);
    overrideAuthzParameters(oAuthMessage, parameters, requestParam, requestUriParam, requestObject);
    // The override may have replaced the redirect URI, so it is validated again here: it must be present and must
    // be a single URI that can actually be redirected to (a value starting with REGEX_PATTERN is presumably a
    // registered pattern rather than a concrete URI - confirm against the callback registration code).
    String redirectUri = parameters.getRedirectURI();
    boolean redirectable = StringUtils.isNotBlank(redirectUri) && !StringUtils.startsWith(redirectUri, REGEX_PATTERN);
    if (!redirectable) {
        LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, null, OAuthConstants.LogConstants.FAILED, "Redirect URI is not present in the authorization request.", "validate-input-parameters", null);
        throw new InvalidRequestException("Redirect URI is not present in the authorization request.", OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ErrorCodes.OAuth2SubErrorCodes.INVALID_REDIRECT_URI);
    }
    persistRequestObject(parameters, requestObject);
}

Example 14 with OAuth2Parameters

use of org.wso2.carbon.identity.oauth2.model.OAuth2Parameters in project identity-inbound-auth-oauth by wso2-extensions.

From class OAuth2CibaEndpoint, method validateAuthenticationRequest:

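/**
 * Validates a CIBA authentication request: its JWT formatting, the client, the user hint, the request
 * parameters, and finally the signed request object (signature first, then content).
 *
 * @param authRequest CIBA Authentication Request as a String (a signed JWT).
 * @param clientId    client identifier the request is validated against; it is also placed on the
 *                    {@code OAuth2Parameters} used for request-object building and signature validation.
 * @throws CibaAuthFailureException if one of the validators rejects the request (presumably - they are
 *                                  called outside the try block and this is the only declared exception),
 *                                  with {@code SERVER_ERROR} if no request-object builder is configured, or
 *                                  with {@code INVALID_REQUEST} if the request object cannot be built,
 *                                  its signature does not verify, or its content is rejected.
 */
private void validateAuthenticationRequest(String authRequest, String clientId) throws CibaAuthFailureException {
    // Validation for the proper formatting of signedJWT.
    cibaAuthRequestValidator.validateRequest(authRequest);
    // Validation for the client.
    cibaAuthRequestValidator.validateClient(authRequest, clientId);
    // Validation for the userHint.
    cibaAuthRequestValidator.validateUserHint(authRequest);
    // Validate Authentication request.
    cibaAuthRequestValidator.validateAuthRequestParams(authRequest);
    try {
        RequestObjectBuilder requestObjectBuilder = OAuthServerConfiguration.getInstance().getRequestObjectBuilders().get(REQUEST_PARAM_VALUE_BUILDER);
        OAuth2Parameters parameters = new OAuth2Parameters();
        parameters.setClientId(clientId);
        parameters.setTenantDomain(getSpTenantDomain(clientId));
        if (requestObjectBuilder == null) {
            String error = "Unable to build the OIDC Request Object";
            throw new CibaAuthFailureException(OAuth2ErrorCodes.SERVER_ERROR, error);
        }
        RequestObject requestObject = requestObjectBuilder.buildRequestObject(authRequest, parameters);
        RequestObjectValidator requestObjectValidator = OAuthServerConfiguration.getInstance().getCIBARequestObjectValidator();
        // The signature check runs before the content check, so nothing inside the request object is trusted
        // until it has been verified against the client recorded on 'parameters'.
        OIDCRequestObjectUtil.validateRequestObjectSignature(parameters, requestObject, requestObjectValidator);
        if (!requestObjectValidator.validateRequestObject(requestObject, parameters)) {
            throw new CibaAuthFailureException(OAuth2ErrorCodes.INVALID_REQUEST, "Invalid parameters " + "found in the Request Object.");
        }
    } catch (InvalidRequestException | RequestObjectException e) {
        if (log.isDebugEnabled()) {
            // Say what failed and for which client; the original exception is attached for the stack trace.
            log.debug("CIBA request object validation failed for client_id: " + clientId, e);
        }
        // NOTE(review): the underlying exception message is surfaced to the caller as-is; check that it cannot
        // reveal internal details (key ids, file paths) before it reaches the client.
        throw new CibaAuthFailureException(OAuth2ErrorCodes.INVALID_REQUEST, e.getMessage());
    }
}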

Example 15 with OAuth2Parameters

use of org.wso2.carbon.identity.oauth2.model.OAuth2Parameters in project identity-inbound-auth-oauth by wso2-extensions.

From class OAuth2AuthzEndpoint, method analyzePromptParameter:

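/**
 * Validates the OIDC {@code prompt} parameter and maps it onto the force/passive authentication flags of
 * {@code oAuthMessage}.
 *
 * <p>Rules implemented here: a blank prompt is a no-op; a prompt with no supported value at all is rejected;
 * {@code none} combined with any other value is rejected; {@code login} together with {@code consent} forces
 * authentication; a single {@code login} forces authentication, a single {@code none} requests passive
 * authentication, a single {@code consent} clears both flags. Any other value or combination leaves the flags
 * untouched.
 *
 * <p>NOTE(review): the supported-value check uses {@code containsAny}, so a prompt that mixes one supported
 * value with unknown ones is accepted and the unknown values are silently ignored; OIDC Core says an OP SHOULD
 * reject unsupported prompt values. Tightening this to {@code containsAll} would be a behaviour change for
 * existing clients and is left as-is.
 *
 * @param oAuthMessage inbound message whose force/passive flags are updated
 * @param params       request parameters (only the client_id is used, for diagnostics)
 * @param prompt       raw {@code prompt} parameter value, may be blank
 * @return the URL produced by {@code handleInvalidPromptValues} when the prompt is rejected, otherwise
 *         {@code null}
 */
private String analyzePromptParameter(OAuthMessage oAuthMessage, OAuth2Parameters params, String prompt) {
    List<String> promptsList = getSupportedPromtsValues();
    boolean containsNone = (OAuthConstants.Prompt.NONE).equals(prompt);
    if (StringUtils.isBlank(prompt)) {
        return null;
    }
    List<String> requestedPrompts = getRequestedPromptList(prompt);
    if (!CollectionUtils.containsAny(requestedPrompts, promptsList)) {
        String message = "Invalid prompt variables passed with the authorization request";
        logInvalidPromptEvent(prompt, params, promptsList, message);
        return handleInvalidPromptValues(oAuthMessage, params, prompt, message);
    }
    if (requestedPrompts.size() > 1) {
        if (requestedPrompts.contains(OAuthConstants.Prompt.NONE)) {
            // 'none' must stand alone; any combination with it is an error.
            String message = "Invalid prompt variable combination. The value 'none' cannot be used with others " + "prompts. Prompt: ";
            logInvalidPromptEvent(prompt, params, promptsList, message);
            return handleInvalidPromptValues(oAuthMessage, params, prompt, message);
        }
        if (requestedPrompts.contains(OAuthConstants.Prompt.LOGIN) && (requestedPrompts.contains(OAuthConstants.Prompt.CONSENT))) {
            oAuthMessage.setForceAuthenticate(true);
            oAuthMessage.setPassiveAuthentication(false);
        }
        return null;
    }
    // Single value: the raw prompt string is compared, exactly as before.
    if ((OAuthConstants.Prompt.LOGIN).equals(prompt)) {
        // prompt for authentication
        oAuthMessage.setForceAuthenticate(true);
        oAuthMessage.setPassiveAuthentication(false);
    } else if (containsNone) {
        oAuthMessage.setForceAuthenticate(false);
        oAuthMessage.setPassiveAuthentication(true);
    } else if ((OAuthConstants.Prompt.CONSENT).equals(prompt)) {
        oAuthMessage.setForceAuthenticate(false);
        oAuthMessage.setPassiveAuthentication(false);
    }
    return null;
}

/**
 * Emits the diagnostic log event for a rejected prompt value; a no-op unless diagnostic logs are enabled.
 *
 * @param prompt      raw prompt value that was rejected
 * @param params      request parameters (client_id is recorded)
 * @param promptsList server-supported prompt values, recorded as configuration
 * @param message     failure message to log
 */
private void logInvalidPromptEvent(String prompt, OAuth2Parameters params, List<String> promptsList, String message) {
    if (LoggerUtils.isDiagnosticLogsEnabled()) {
        Map<String, Object> logParams = new HashMap<>();
        logParams.put("prompt", prompt);
        logParams.put("clientId", params.getClientId());
        Map<String, Object> configs = new HashMap<>();
        configs.put("serverSupportedPrompts", promptsList);
        LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, logParams, OAuthConstants.LogConstants.FAILED, message, "validate-input-parameters", configs);
    }
}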
