Example 21 with OAuth2Parameters
use of org.wso2.carbon.identity.oauth2.model.OAuth2Parameters in project identity-inbound-auth-oauth by wso2-extensions.
the class OAuth2AuthzEndpoint method handleDeniedConsent.
private Response handleDeniedConsent(OAuthMessage oAuthMessage) throws OAuthSystemException, URISyntaxException {
OAuth2Parameters oauth2Params = getOauth2Params(oAuthMessage);
OpenIDConnectUserRPStore.getInstance().putUserRPToStore(getLoggedInUser(oAuthMessage), getOauth2Params(oAuthMessage).getApplicationName(), false, oauth2Params.getClientId());
OAuthErrorDTO oAuthErrorDTO = EndpointUtil.getOAuth2Service().handleUserConsentDenial(oauth2Params);
OAuthProblemException consentDenialException = buildConsentDenialException(oAuthErrorDTO);
String denyResponse = EndpointUtil.getErrorRedirectURL(oAuthMessage.getRequest(), consentDenialException, oauth2Params);
if (StringUtils.equals(oauth2Params.getResponseMode(), RESPONSE_MODE_FORM_POST)) {
return handleFailedState(oAuthMessage, oauth2Params, consentDenialException);
}
return Response.status(HttpServletResponse.SC_FOUND).location(new URI(denyResponse)).build();
}
Also used :
OAuth2Parameters(org.wso2.carbon.identity.oauth2.model.OAuth2Parameters)
OAuthProblemException(org.apache.oltu.oauth2.common.exception.OAuthProblemException)
OAuthErrorDTO(org.wso2.carbon.identity.oauth.dto.OAuthErrorDTO)
URI(java.net.URI)
REDIRECT_URI(org.wso2.carbon.identity.oauth.common.OAuthConstants.OAuth20Params.REDIRECT_URI)
Example 22 with OAuth2Parameters
use of org.wso2.carbon.identity.oauth2.model.OAuth2Parameters in project identity-inbound-auth-oauth by wso2-extensions.
the class OAuth2AuthzEndpoint method validatePKCEParameters.
private String validatePKCEParameters(OAuthMessage oAuthMessage, OAuth2ClientValidationResponseDTO validationResponse, String pkceChallengeCode, String pkceChallengeMethod) {
OAuth2Parameters oAuth2Parameters = getOAuth2ParamsFromOAuthMessage(oAuthMessage);
// Check if PKCE is mandatory for the application
if (validationResponse.isPkceMandatory()) {
if (pkceChallengeCode == null || !OAuth2Util.validatePKCECodeChallenge(pkceChallengeCode, pkceChallengeMethod)) {
if (LoggerUtils.isDiagnosticLogsEnabled()) {
Map<String, Object> params = new HashMap<>();
params.put("clientId", oAuth2Parameters.getClientId());
params.put("pkceChallenge", pkceChallengeCode);
params.put("pkceMethod", pkceChallengeMethod);
Map<String, Object> configs = new HashMap<>();
configs.put("isPkceMandatory", "true");
LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, params, OAuthConstants.LogConstants.FAILED, "PKCE Challenge is not provided or is not upto RFC 7636 specification.", "validate-pkce", configs);
}
return getErrorPageURL(oAuthMessage.getRequest(), OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ErrorCodes.OAuth2SubErrorCodes.INVALID_PKCE_CHALLENGE_CODE, "PKCE is mandatory for this application. " + "PKCE Challenge is not provided or is not upto RFC 7636 " + "specification.", null, oAuth2Parameters);
}
}
// Check if the code challenge method value is neither "plain" or "s256", if so return error
if (pkceChallengeCode != null && pkceChallengeMethod != null) {
if (!OAuthConstants.OAUTH_PKCE_PLAIN_CHALLENGE.equals(pkceChallengeMethod) && !OAuthConstants.OAUTH_PKCE_S256_CHALLENGE.equals(pkceChallengeMethod)) {
if (LoggerUtils.isDiagnosticLogsEnabled()) {
Map<String, Object> params = new HashMap<>();
params.put("clientId", oAuth2Parameters.getClientId());
params.put("pkceChallenge", pkceChallengeCode);
params.put("pkceMethod", pkceChallengeMethod);
Map<String, Object> configs = new HashMap<>();
configs.put("isPkceMandatory", Boolean.toString(validationResponse.isPkceMandatory()));
LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, params, OAuthConstants.LogConstants.FAILED, "Unsupported PKCE Challenge Method.", "validate-pkce", configs);
}
return getErrorPageURL(oAuthMessage.getRequest(), OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ErrorCodes.OAuth2SubErrorCodes.INVALID_PKCE_CHALLENGE_CODE, "Unsupported PKCE Challenge Method", null, oAuth2Parameters);
}
}
// Check if "plain" transformation algorithm is disabled for the application
if (pkceChallengeCode != null && !validationResponse.isPkceSupportPlain()) {
if (pkceChallengeMethod == null || OAuthConstants.OAUTH_PKCE_PLAIN_CHALLENGE.equals(pkceChallengeMethod)) {
if (LoggerUtils.isDiagnosticLogsEnabled()) {
Map<String, Object> params = new HashMap<>();
params.put("clientId", oAuth2Parameters.getClientId());
params.put("pkceChallenge", pkceChallengeCode);
params.put("pkceMethod", pkceChallengeMethod);
Map<String, Object> configs = new HashMap<>();
configs.put("isPkceMandatory", Boolean.toString(validationResponse.isPkceMandatory()));
configs.put("isPkceSupportPlain", "false");
LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, params, OAuthConstants.LogConstants.FAILED, "OAuth client does not support 'plain' transformation algorithm.", "validate-pkce", configs);
}
return getErrorPageURL(oAuthMessage.getRequest(), OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ErrorCodes.OAuth2SubErrorCodes.INVALID_PKCE_CHALLENGE_CODE, "This application does not support " + "\"plain\" transformation algorithm.", null, oAuth2Parameters);
}
}
// If PKCE challenge code was sent, check if the code challenge is upto specifications
if (pkceChallengeCode != null && !OAuth2Util.validatePKCECodeChallenge(pkceChallengeCode, pkceChallengeMethod)) {
if (LoggerUtils.isDiagnosticLogsEnabled()) {
Map<String, Object> params = new HashMap<>();
params.put("clientId", oAuth2Parameters.getClientId());
params.put("pkceChallenge", pkceChallengeCode);
params.put("pkceMethod", pkceChallengeMethod);
Map<String, Object> configs = new HashMap<>();
configs.put("isPkceMandatory", Boolean.toString(validationResponse.isPkceMandatory()));
LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, params, OAuthConstants.LogConstants.FAILED, "Code challenge used is not up to RFC 7636 specifications.", "validate-pkce", configs);
}
return getErrorPageURL(oAuthMessage.getRequest(), OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ErrorCodes.OAuth2SubErrorCodes.INVALID_PKCE_CHALLENGE_CODE, "Code challenge used is not up to RFC 7636 " + "specifications.", null, oAuth2Parameters);
}
LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, null, OAuthConstants.LogConstants.SUCCESS, "PKCE validation is successful.", "validate-pkce", null);
return null;
}
Also used :
OAuth2Parameters(org.wso2.carbon.identity.oauth2.model.OAuth2Parameters)
ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap)
HashMap(java.util.HashMap)
RequestObject(org.wso2.carbon.identity.openidconnect.model.RequestObject)
JSONObject(org.json.JSONObject)
Example 23 with OAuth2Parameters
use of org.wso2.carbon.identity.oauth2.model.OAuth2Parameters in project identity-inbound-auth-oauth by wso2-extensions.
the class OAuth2AuthzEndpoint method handleApproveAlwaysWithPromptForNewConsent.
private String handleApproveAlwaysWithPromptForNewConsent(OAuthMessage oAuthMessage, OIDCSessionState sessionState, OAuth2Parameters oauth2Params) throws ConsentHandlingFailedException, OAuthSystemException {
AuthenticatedUser authenticatedUser = getLoggedInUser(oAuthMessage);
String preConsent = handlePreConsentIncludingExistingConsents(oauth2Params, authenticatedUser);
if (isConsentFromUserRequired(preConsent)) {
String sessionDataKeyFromLogin = getSessionDataKeyFromLogin(oAuthMessage);
preConsent = buildQueryParamString(preConsent, USER_CLAIMS_CONSENT_ONLY + "=true");
return getUserConsentURL(sessionDataKeyFromLogin, oauth2Params, authenticatedUser, preConsent, oAuthMessage);
} else {
sessionState.setAddSessionState(true);
return handleUserConsent(oAuthMessage, APPROVE, sessionState);
}
}
Also used :
AuthenticatedUser(org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser)
Example 24 with OAuth2Parameters
use of org.wso2.carbon.identity.oauth2.model.OAuth2Parameters in project identity-inbound-auth-oauth by wso2-extensions.
the class CibaResponseTypeHandlerTest method provideConsentDenialErrorInfo.
@DataProvider(name = "provideConsentDenialErrorInfo")
public Object[][] provideConsentDenialErrorInfo() {
OAuth2Parameters oAuth2Parameters = new OAuth2Parameters();
oAuth2Parameters.setNonce(NONCE);
return new Object[][] { { oAuth2Parameters, "User denied the consent." } };
}
Also used :
OAuth2Parameters(org.wso2.carbon.identity.oauth2.model.OAuth2Parameters)
DataProvider(org.testng.annotations.DataProvider)
Example 25 with OAuth2Parameters
use of org.wso2.carbon.identity.oauth2.model.OAuth2Parameters in project identity-inbound-auth-oauth by wso2-extensions.
the class OAuth2ServiceTest method testHandleUserConsentDenial.
@Test
public void testHandleUserConsentDenial() throws Exception {
OAuth2Parameters oAuth2Parameters = new OAuth2Parameters();
when(getResponseHander(oAuth2Parameters).handleUserConsentDenial(oAuth2Parameters)).thenReturn(null);
assertNull(oAuth2Service.handleUserConsentDenial(oAuth2Parameters));
}
Also used :
OAuth2Parameters(org.wso2.carbon.identity.oauth2.model.OAuth2Parameters)
Test(org.testng.annotations.Test)
PrepareForTest(org.powermock.core.classloader.annotations.PrepareForTest)
PowerMockIdentityBaseTest(org.wso2.carbon.identity.testutil.powermock.PowerMockIdentityBaseTest)
Aggregations
OAuth2Parameters (org.wso2.carbon.identity.oauth2.model.OAuth2Parameters)40
RequestObject (org.wso2.carbon.identity.openidconnect.model.RequestObject)23
HashMap (java.util.HashMap)22
PrepareForTest (org.powermock.core.classloader.annotations.PrepareForTest)19
Test (org.testng.annotations.Test)19
ConcurrentHashMap (java.util.concurrent.ConcurrentHashMap)17
Matchers.anyString (org.mockito.Matchers.anyString)14
BeforeTest (org.testng.annotations.BeforeTest)13
AuthenticatedUser (org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser)13
RequestObjectException (org.wso2.carbon.identity.oauth2.RequestObjectException)12
JSONObject (org.json.JSONObject)10
OAuthResponse (org.apache.oltu.oauth2.common.message.OAuthResponse)9
OAuthSystemException (org.apache.oltu.oauth2.common.exception.OAuthSystemException)8
ArrayList (java.util.ArrayList)7
HttpServletResponse (javax.servlet.http.HttpServletResponse)7
OAuthProblemException (org.apache.oltu.oauth2.common.exception.OAuthProblemException)7
ServiceProvider (org.wso2.carbon.identity.application.common.model.ServiceProvider)7
SessionDataCacheKey (org.wso2.carbon.identity.oauth.cache.SessionDataCacheKey)7
OAuth2ScopeConsentResponse (org.wso2.carbon.identity.oauth2.model.OAuth2ScopeConsentResponse)7
URI (java.net.URI)6
