use of org.wso2.carbon.identity.oauth2.model.OAuth2Parameters in project identity-inbound-auth-oauth by wso2-extensions.
the class OAuth2AuthzEndpoint method manageOIDCSessionState.
/**
 * Adds OIDC session-state handling to the redirect URL when the request's scopes classify it as an
 * OIDC authorization request; a plain OAuth2 request gets the URL back untouched.
 *
 * @param oAuthMessage the current authorization request wrapper.
 * @param sessionState the OIDC session state being assembled for this response; marked as
 *                     "add session state" for OIDC requests.
 * @param redirectURL  the redirect URL built so far.
 * @return the redirect URL, possibly rewritten by the session-state overload for OIDC requests.
 */
private String manageOIDCSessionState(OAuthMessage oAuthMessage, OIDCSessionState sessionState, String redirectURL) {

    OAuth2Parameters oauth2Params = getOauth2Params(oAuthMessage);
    if (!OAuth2Util.isOIDCAuthzRequest(oauth2Params.getScopes())) {
        // Not an OIDC request: nothing to add to the redirect.
        return redirectURL;
    }

    sessionState.setAddSessionState(true);
    String subjectIdentifier = getLoggedInUser(oAuthMessage).getAuthenticatedSubjectIdentifier();
    return manageOIDCSessionState(oAuthMessage, sessionState, oauth2Params, subjectIdentifier, redirectURL,
            oAuthMessage.getSessionDataCacheEntry());
}
use of org.wso2.carbon.identity.oauth2.model.OAuth2Parameters in project identity-inbound-auth-oauth by wso2-extensions.
the class OAuth2AuthzEndpoint method populateOauthParameters.
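/**
 * Copies the validated authorization request into {@code params}: core OAuth2 values, OIDC-specific
 * values (nonce, display, hints, acr_values, claims, max_age), tenant information, the OIDC request
 * object (which overrides the plain parameters) and, when enabled, the PKCE challenge.
 *
 * @param params             the parameter holder to populate in place.
 * @param oAuthMessage       the current authorization request wrapper.
 * @param validationResponse the client validation result (callback URL, application name).
 * @param oauthRequest       the parsed OAuth authorization request.
 * @return {@code null} when population succeeded; otherwise an error-page or redirect URL that the
 *         caller must send the user to (request-object failure or PKCE validation failure).
 * @throws OAuthSystemException   propagated from the helpers that resolve tenant / display-name data.
 * @throws InvalidRequestException propagated from request-object or PKCE handling.
 */
private String populateOauthParameters(OAuth2Parameters params, OAuthMessage oAuthMessage,
                                       OAuth2ClientValidationResponseDTO validationResponse,
                                       OAuthAuthzRequest oauthRequest)
        throws OAuthSystemException, InvalidRequestException {

    String clientId = oAuthMessage.getClientId();
    params.setClientId(clientId);
    params.setRedirectURI(validationResponse.getCallbackURL());
    params.setResponseType(oauthRequest.getResponseType());
    params.setResponseMode(oauthRequest.getParam(RESPONSE_MODE));
    params.setScopes(oauthRequest.getScopes());
    if (params.getScopes() == null) {
        // Downstream code dereferences the scope set; substitute a single empty scope instead of null.
        Set<String> scopeSet = new HashSet<>();
        scopeSet.add("");
        params.setScopes(scopeSet);
    }
    params.setState(oauthRequest.getState());
    params.setApplicationName(validationResponse.getApplicationName());
    String spDisplayName = getSpDisplayName(clientId);
    if (StringUtils.isNotBlank(spDisplayName)) {
        params.setDisplayName(spDisplayName);
    }

    // OpenID Connect specific request parameters.
    params.setNonce(oauthRequest.getParam(OAuthConstants.OAuth20Params.NONCE));
    params.setDisplay(oauthRequest.getParam(OAuthConstants.OAuth20Params.DISPLAY));
    params.setIDTokenHint(oauthRequest.getParam(OAuthConstants.OAuth20Params.ID_TOKEN_HINT));
    params.setLoginHint(oauthRequest.getParam(OAuthConstants.OAuth20Params.LOGIN_HINT));

    // Service provider tenant domain.
    params.setTenantDomain(getSpTenantDomain(clientId));
    // Login tenant domain.
    String loginTenantDomain = getLoginTenantDomain(oAuthMessage, clientId);
    params.setLoginTenantDomain(loginTenantDomain);

    // acr_values is a space-separated list; the literal string "null" is treated as absent.
    String acrValuesParam = oauthRequest.getParam(ACR_VALUES);
    if (StringUtils.isNotBlank(acrValuesParam) && !"null".equals(acrValuesParam)) {
        List<String> acrValuesList = Arrays.asList(acrValuesParam.split(" "));
        // LinkedHashSet keeps the caller's preference order while dropping duplicates.
        LinkedHashSet<String> acrValuesHashSet = new LinkedHashSet<>(acrValuesList);
        params.setACRValues(acrValuesHashSet);
        oAuthMessage.getRequest().setAttribute(ACR_VALUES, acrValuesList);
    }
    if (StringUtils.isNotBlank(oauthRequest.getParam(CLAIMS))) {
        params.setEssentialClaims(oauthRequest.getParam(CLAIMS));
    }
    handleMaxAgeParameter(oauthRequest, params);

    /*
    The OIDC request object supersedes parameters sent in the plain OAuth authorization request, so it
    is processed only after every other request parameter has been applied.
    */
    if (OAuth2Util.isOIDCAuthzRequest(oauthRequest.getScopes())) {
        try {
            handleOIDCRequestObject(oAuthMessage, oauthRequest, params);
        } catch (RequestObjectException e) {
            if (log.isDebugEnabled()) {
                log.debug("Request Object Handling failed due to : " + e.getErrorCode() + " for client_id: "
                        + clientId + " of tenantDomain: " + params.getTenantDomain(), e);
            }
            // Report the failure against request_uri when one was supplied, otherwise against the
            // inline request object.
            if (StringUtils.isNotBlank(oAuthMessage.getRequest().getParameter(REQUEST_URI))) {
                return EndpointUtil.getErrorPageURL(oAuthMessage.getRequest(),
                        OAuth2ErrorCodes.OAuth2SubErrorCodes.INVALID_REQUEST_URI, e.getErrorCode(),
                        e.getErrorMessage(), null, params);
            } else {
                return EndpointUtil.getErrorPageURL(oAuthMessage.getRequest(),
                        OAuth2ErrorCodes.OAuth2SubErrorCodes.INVALID_REQUEST_OBJECT, e.getErrorCode(),
                        e.getErrorMessage(), null, params);
            }
        }
    }

    if (isPkceSupportEnabled()) {
        String pkceChallengeCode = getPkceCodeChallenge(oAuthMessage, params);
        String pkceChallengeMethod = getPkceCodeChallengeMethod(oAuthMessage, params);
        // A non-null result is the URL to redirect the user to for a failed PKCE validation.
        String redirectURI = validatePKCEParameters(oAuthMessage, validationResponse, pkceChallengeCode,
                pkceChallengeMethod);
        if (redirectURI != null) {
            return redirectURI;
        }
        params.setPkceCodeChallenge(pkceChallengeCode);
        params.setPkceCodeChallengeMethod(pkceChallengeMethod);
    }
    return null;
}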
use of org.wso2.carbon.identity.oauth2.model.OAuth2Parameters in project identity-inbound-auth-oauth by wso2-extensions.
the class OAuth2AuthzEndpoint method handleRequestObject.
/**
 * Builds the OIDC request object for the authorization request, lets its contents override the plain
 * request parameters, checks that a single usable redirect URI is left, and persists the object.
 *
 * @param oAuthMessage the current authorization request wrapper.
 * @param oauthRequest the parsed OAuth authorization request ({@code request} / {@code request_uri}).
 * @param parameters   the parameters collected so far; updated in place from the request object.
 * @throws RequestObjectException  if no request object could be built from the request.
 * @throws InvalidRequestException if, after the override, the redirect URI is blank or is a pattern
 *                                 rather than a single URI.
 */
private void handleRequestObject(OAuthMessage oAuthMessage, OAuthAuthzRequest oauthRequest,
                                 OAuth2Parameters parameters)
        throws RequestObjectException, InvalidRequestException {

    RequestObject requestObject = OIDCRequestObjectUtil.buildRequestObject(oauthRequest, parameters);
    if (requestObject == null) {
        throw new RequestObjectException(OAuth2ErrorCodes.INVALID_REQUEST,
                "Unable to build a valid Request " + "Object from the authorization request.");
    }

    /*
    When the request parameter is used, the OpenID Connect request parameter values contained in the
    JWT supersede those passed using the OAuth 2.0 request syntax.
    */
    overrideAuthzParameters(oAuthMessage, parameters, oauthRequest.getParam(REQUEST),
            oauthRequest.getParam(REQUEST_URI), requestObject);

    // The override may have replaced redirect_uri; a registered pattern (REGEX_PATTERN prefix) or a
    // blank value is not a single URI that can be redirected to, so it is rejected here.
    String redirectUri = parameters.getRedirectURI();
    boolean redirectUriMissing = StringUtils.isBlank(redirectUri);
    boolean redirectUriIsPattern = StringUtils.startsWith(redirectUri, REGEX_PATTERN);
    if (redirectUriMissing || redirectUriIsPattern) {
        String message = "Redirect URI is not present in the authorization request.";
        LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, null,
                OAuthConstants.LogConstants.FAILED, message, "validate-input-parameters", null);
        throw new InvalidRequestException(message, OAuth2ErrorCodes.INVALID_REQUEST,
                OAuth2ErrorCodes.OAuth2SubErrorCodes.INVALID_REDIRECT_URI);
    }

    persistRequestObject(parameters, requestObject);
}
use of org.wso2.carbon.identity.oauth2.model.OAuth2Parameters in project identity-inbound-auth-oauth by wso2-extensions.
the class OAuth2CibaEndpoint method validateAuthenticationRequest.
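/**
 * Validates the CIBA authentication request JWT: its formatting, the requesting client, the user hint,
 * the request parameters, and finally the signed request object (signature and claims).
 *
 * @param authRequest CIBA Authentication Request as a String (the signed JWT).
 * @param clientId    the client the request is validated against; also used to resolve the SP tenant.
 * @throws CibaAuthFailureException CIBA Authentication Failed Exception. Raised with
 *                                  {@code SERVER_ERROR} when no request-object builder is configured,
 *                                  and with {@code INVALID_REQUEST} when the request object cannot be
 *                                  built, its signature cannot be validated, or its parameters are
 *                                  rejected by the validator.
 */
private void validateAuthenticationRequest(String authRequest, String clientId) throws CibaAuthFailureException {

    // Validation for the proper formatting of signedJWT.
    cibaAuthRequestValidator.validateRequest(authRequest);
    // Validation for the client.
    cibaAuthRequestValidator.validateClient(authRequest, clientId);
    // Validation for the userHint.
    cibaAuthRequestValidator.validateUserHint(authRequest);
    // Validate Authentication request.
    cibaAuthRequestValidator.validateAuthRequestParams(authRequest);

    try {
        RequestObjectBuilder requestObjectBuilder = OAuthServerConfiguration.getInstance()
                .getRequestObjectBuilders().get(REQUEST_PARAM_VALUE_BUILDER);

        OAuth2Parameters parameters = new OAuth2Parameters();
        parameters.setClientId(clientId);
        parameters.setTenantDomain(getSpTenantDomain(clientId));

        if (requestObjectBuilder == null) {
            // A missing builder is a deployment problem, not a client error.
            String error = "Unable to build the OIDC Request Object";
            throw new CibaAuthFailureException(OAuth2ErrorCodes.SERVER_ERROR, error);
        }

        RequestObject requestObject = requestObjectBuilder.buildRequestObject(authRequest, parameters);
        RequestObjectValidator requestObjectValidator =
                OAuthServerConfiguration.getInstance().getCIBARequestObjectValidator();
        // Signature is checked before any claim of the request object is trusted.
        OIDCRequestObjectUtil.validateRequestObjectSignature(parameters, requestObject, requestObjectValidator);
        if (!requestObjectValidator.validateRequestObject(requestObject, parameters)) {
            throw new CibaAuthFailureException(OAuth2ErrorCodes.INVALID_REQUEST,
                    "Invalid parameters " + "found in the Request Object.");
        }
    } catch (InvalidRequestException | RequestObjectException e) {
        if (log.isDebugEnabled()) {
            log.debug(OAuth2ErrorCodes.INVALID_REQUEST, e);
        }
        // NOTE(review): only the message is carried over; the original exception is kept in the
        // debug log above rather than as the cause.
        throw new CibaAuthFailureException(OAuth2ErrorCodes.INVALID_REQUEST, e.getMessage());
    }
}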
use of org.wso2.carbon.identity.oauth2.model.OAuth2Parameters in project identity-inbound-auth-oauth by wso2-extensions.
the class OAuth2AuthzEndpoint method analyzePromptParameter.
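/**
 * Interprets the {@code prompt} parameter of the authorization request and sets the force / passive
 * authentication flags on the message accordingly.
 *
 * <p>A prompt that contains no server-supported value, or that combines {@code none} with any other
 * value, is rejected via {@link #handleInvalidPromptValues}. {@code login consent} forces
 * authentication; other multi-value combinations leave the flags unchanged. A single {@code login},
 * {@code none} or {@code consent} sets the flags as the OIDC semantics require; a blank prompt does
 * nothing.
 *
 * @param oAuthMessage the current authorization request wrapper; its force/passive flags are updated.
 * @param params       the parsed OAuth2 parameters (client id is used in diagnostic logs).
 * @param prompt       the raw {@code prompt} value, possibly blank.
 * @return {@code null} when the prompt is acceptable; otherwise the result of
 *         {@link #handleInvalidPromptValues} for the rejected prompt.
 */
private String analyzePromptParameter(OAuthMessage oAuthMessage, OAuth2Parameters params, String prompt) {

    List<String> supportedPrompts = getSupportedPromtsValues();

    if (StringUtils.isNotBlank(prompt)) {
        List<String> requestedPrompts = getRequestedPromptList(prompt);

        if (!CollectionUtils.containsAny(requestedPrompts, supportedPrompts)) {
            String message = "Invalid prompt variables passed with the authorization request";
            logInvalidPrompt(params, prompt, supportedPrompts, message);
            return handleInvalidPromptValues(oAuthMessage, params, prompt, message);
        }

        if (requestedPrompts.size() > 1) {
            if (requestedPrompts.contains(OAuthConstants.Prompt.NONE)) {
                // 'none' is exclusive; combining it with any other prompt value is an error.
                String message = "Invalid prompt variable combination. The value 'none' cannot be used with others "
                        + "prompts. Prompt: ";
                logInvalidPrompt(params, prompt, supportedPrompts, message);
                return handleInvalidPromptValues(oAuthMessage, params, prompt, message);
            } else if (requestedPrompts.contains(OAuthConstants.Prompt.LOGIN)
                    && requestedPrompts.contains(OAuthConstants.Prompt.CONSENT)) {
                oAuthMessage.setForceAuthenticate(true);
                oAuthMessage.setPassiveAuthentication(false);
            }
        } else if ((OAuthConstants.Prompt.LOGIN).equals(prompt)) {
            // Prompt for authentication.
            oAuthMessage.setForceAuthenticate(true);
            oAuthMessage.setPassiveAuthentication(false);
        } else if ((OAuthConstants.Prompt.NONE).equals(prompt)) {
            oAuthMessage.setForceAuthenticate(false);
            oAuthMessage.setPassiveAuthentication(true);
        } else if ((OAuthConstants.Prompt.CONSENT).equals(prompt)) {
            oAuthMessage.setForceAuthenticate(false);
            oAuthMessage.setPassiveAuthentication(false);
        }
    }
    return null;
}

/**
 * Emits a FAILED diagnostic log event for a rejected prompt value when diagnostic logs are enabled.
 *
 * @param params           the parsed OAuth2 parameters (client id is logged).
 * @param prompt           the raw prompt value that was rejected.
 * @param supportedPrompts the server-supported prompt values, logged as configuration.
 * @param message          the human-readable failure message.
 */
private void logInvalidPrompt(OAuth2Parameters params, String prompt, List<String> supportedPrompts,
                              String message) {

    if (!LoggerUtils.isDiagnosticLogsEnabled()) {
        return;
    }
    Map<String, Object> logParams = new HashMap<>();
    logParams.put("prompt", prompt);
    logParams.put("clientId", params.getClientId());
    Map<String, Object> configs = new HashMap<>();
    configs.put("serverSupportedPrompts", supportedPrompts);
    LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, logParams,
            OAuthConstants.LogConstants.FAILED, message, "validate-input-parameters", configs);
}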