
Example 21 with OAuth2Parameters

use of org.wso2.carbon.identity.oauth2.model.OAuth2Parameters in project identity-inbound-auth-oauth by wso2-extensions.

the class OAuth2AuthzEndpoint method handleDeniedConsent.

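/**
 * Handles the user's refusal of the consent screen.
 *
 * <p>The denial is recorded for the (user, application) pair, the OAuth2 service builds the
 * error DTO for it, and the resulting problem is returned to the client: as a redirect to the
 * error redirect URL in the normal case, or through the failed-state handler when the request
 * asked for {@code response_mode=form_post}.
 *
 * @param oAuthMessage the current authorization request wrapper
 * @return the JAX-RS response carrying the consent-denial error
 * @throws OAuthSystemException if the OAuth2 service fails while handling the denial
 * @throws URISyntaxException if the computed redirect URL is not a valid URI
 */
private Response handleDeniedConsent(OAuthMessage oAuthMessage) throws OAuthSystemException, URISyntaxException {
    OAuth2Parameters oauth2Params = getOauth2Params(oAuthMessage);
    // Reuse the parameters resolved above instead of resolving them from the message a second time.
    OpenIDConnectUserRPStore.getInstance().putUserRPToStore(getLoggedInUser(oAuthMessage),
            oauth2Params.getApplicationName(), false, oauth2Params.getClientId());
    OAuthErrorDTO oAuthErrorDTO = EndpointUtil.getOAuth2Service().handleUserConsentDenial(oauth2Params);
    OAuthProblemException consentDenialException = buildConsentDenialException(oAuthErrorDTO);
    String denyResponse = EndpointUtil.getErrorRedirectURL(oAuthMessage.getRequest(), consentDenialException, oauth2Params);
    if (StringUtils.equals(oauth2Params.getResponseMode(), RESPONSE_MODE_FORM_POST)) {
        // form_post responses are rendered by the failed-state handler rather than a 302 redirect.
        return handleFailedState(oAuthMessage, oauth2Params, consentDenialException);
    }
    return Response.status(HttpServletResponse.SC_FOUND).location(new URI(denyResponse)).build();
}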

Example 22 with OAuth2Parameters

use of org.wso2.carbon.identity.oauth2.model.OAuth2Parameters in project identity-inbound-auth-oauth by wso2-extensions.

the class OAuth2AuthzEndpoint method validatePKCEParameters.

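/**
 * Validates the PKCE parameters of an authorization request against the client's PKCE settings.
 *
 * <p>The checks run in this order: (1) a client with mandatory PKCE must send a well-formed
 * challenge, (2) an explicitly given challenge method must be {@code plain} or {@code S256},
 * (3) a client that does not allow {@code plain} must not use it (a missing method counts as
 * {@code plain}), and (4) any challenge that was sent must satisfy RFC 7636. Each failure is
 * recorded as a FAILED diagnostic event before the error page URL is returned; success is
 * recorded as a SUCCESS event.
 *
 * @param oAuthMessage the current authorization request wrapper
 * @param validationResponse the client validation result carrying the PKCE settings
 * @param pkceChallengeCode the {@code code_challenge} request parameter, may be {@code null}
 * @param pkceChallengeMethod the {@code code_challenge_method} request parameter, may be {@code null}
 * @return the error page URL to send the user to when validation fails, or {@code null} when
 *         the PKCE parameters are acceptable
 */
private String validatePKCEParameters(OAuthMessage oAuthMessage, OAuth2ClientValidationResponseDTO validationResponse, String pkceChallengeCode, String pkceChallengeMethod) {
    OAuth2Parameters oAuth2Parameters = getOAuth2ParamsFromOAuthMessage(oAuthMessage);
    // Check if PKCE is mandatory for the application
    if (validationResponse.isPkceMandatory()) {
        if (pkceChallengeCode == null || !OAuth2Util.validatePKCECodeChallenge(pkceChallengeCode, pkceChallengeMethod)) {
            logPkceValidationFailure(oAuth2Parameters, validationResponse, pkceChallengeCode, pkceChallengeMethod,
                    "PKCE Challenge is not provided or is not upto RFC 7636 specification.", false);
            return getErrorPageURL(oAuthMessage.getRequest(), OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ErrorCodes.OAuth2SubErrorCodes.INVALID_PKCE_CHALLENGE_CODE, "PKCE is mandatory for this application. " + "PKCE Challenge is not provided or is not upto RFC 7636 " + "specification.", null, oAuth2Parameters);
        }
    }
    // Check if the code challenge method value is neither "plain" or "s256", if so return error
    if (pkceChallengeCode != null && pkceChallengeMethod != null) {
        if (!OAuthConstants.OAUTH_PKCE_PLAIN_CHALLENGE.equals(pkceChallengeMethod) && !OAuthConstants.OAUTH_PKCE_S256_CHALLENGE.equals(pkceChallengeMethod)) {
            logPkceValidationFailure(oAuth2Parameters, validationResponse, pkceChallengeCode, pkceChallengeMethod,
                    "Unsupported PKCE Challenge Method.", false);
            return getErrorPageURL(oAuthMessage.getRequest(), OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ErrorCodes.OAuth2SubErrorCodes.INVALID_PKCE_CHALLENGE_CODE, "Unsupported PKCE Challenge Method", null, oAuth2Parameters);
        }
    }
    // Check if "plain" transformation algorithm is disabled for the application.
    // A missing method is treated as "plain" here, matching the RFC 7636 default.
    if (pkceChallengeCode != null && !validationResponse.isPkceSupportPlain()) {
        if (pkceChallengeMethod == null || OAuthConstants.OAUTH_PKCE_PLAIN_CHALLENGE.equals(pkceChallengeMethod)) {
            logPkceValidationFailure(oAuth2Parameters, validationResponse, pkceChallengeCode, pkceChallengeMethod,
                    "OAuth client does not support 'plain' transformation algorithm.", true);
            return getErrorPageURL(oAuthMessage.getRequest(), OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ErrorCodes.OAuth2SubErrorCodes.INVALID_PKCE_CHALLENGE_CODE, "This application does not support " + "\"plain\" transformation algorithm.", null, oAuth2Parameters);
        }
    }
    // If PKCE challenge code was sent, check if the code challenge is upto specifications
    if (pkceChallengeCode != null && !OAuth2Util.validatePKCECodeChallenge(pkceChallengeCode, pkceChallengeMethod)) {
        logPkceValidationFailure(oAuth2Parameters, validationResponse, pkceChallengeCode, pkceChallengeMethod,
                "Code challenge used is not up to RFC 7636 specifications.", false);
        return getErrorPageURL(oAuthMessage.getRequest(), OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ErrorCodes.OAuth2SubErrorCodes.INVALID_PKCE_CHALLENGE_CODE, "Code challenge used is not up to RFC 7636 " + "specifications.", null, oAuth2Parameters);
    }
    LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, null, OAuthConstants.LogConstants.SUCCESS, "PKCE validation is successful.", "validate-pkce", null);
    return null;
}

/**
 * Emits a FAILED {@code validate-pkce} diagnostic event for one PKCE validation failure.
 *
 * <p>Does nothing when diagnostic logs are disabled. The event carries the client id and the
 * PKCE request values as parameters, and the client's PKCE settings as configuration.
 *
 * @param oAuth2Parameters the resolved request parameters (source of the client id)
 * @param validationResponse the client validation result carrying the PKCE settings
 * @param pkceChallengeCode the {@code code_challenge} request parameter, may be {@code null}
 * @param pkceChallengeMethod the {@code code_challenge_method} request parameter, may be {@code null}
 * @param message the human-readable failure reason recorded with the event
 * @param includePlainSupport whether to also record the client's {@code isPkceSupportPlain} setting
 */
private void logPkceValidationFailure(OAuth2Parameters oAuth2Parameters, OAuth2ClientValidationResponseDTO validationResponse, String pkceChallengeCode, String pkceChallengeMethod, String message, boolean includePlainSupport) {
    if (!LoggerUtils.isDiagnosticLogsEnabled()) {
        return;
    }
    Map<String, Object> params = new HashMap<>();
    params.put("clientId", oAuth2Parameters.getClientId());
    // NOTE(review): with the "plain" method the challenge value is the verifier itself, so this
    // field carries the verifier into the diagnostic log sink; confirm that is acceptable there.
    params.put("pkceChallenge", pkceChallengeCode);
    params.put("pkceMethod", pkceChallengeMethod);
    Map<String, Object> configs = new HashMap<>();
    configs.put("isPkceMandatory", Boolean.toString(validationResponse.isPkceMandatory()));
    if (includePlainSupport) {
        configs.put("isPkceSupportPlain", Boolean.toString(validationResponse.isPkceSupportPlain()));
    }
    LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, params, OAuthConstants.LogConstants.FAILED, message, "validate-pkce", configs);
}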

Example 23 with OAuth2Parameters

use of org.wso2.carbon.identity.oauth2.model.OAuth2Parameters in project identity-inbound-auth-oauth by wso2-extensions.

the class OAuth2AuthzEndpoint method handleApproveAlwaysWithPromptForNewConsent.

/**
 * Finishes an "approve always" authorization when new consent may still have to be collected.
 *
 * <p>Existing consents are folded into a pre-consent query first. If that query shows the user
 * still has to consent to something, the user is sent to the consent page with only the claims
 * part of the consent requested; otherwise the session state is marked for inclusion and the
 * request is completed as an approval.
 *
 * @param oAuthMessage the current authorization request wrapper
 * @param sessionState the OIDC session state of this request
 * @param oauth2Params the resolved request parameters
 * @return the consent page URL when further consent is needed, otherwise the approval result
 * @throws ConsentHandlingFailedException if the pre-consent handling fails
 * @throws OAuthSystemException if completing the approval fails
 */
private String handleApproveAlwaysWithPromptForNewConsent(OAuthMessage oAuthMessage, OIDCSessionState sessionState, OAuth2Parameters oauth2Params) throws ConsentHandlingFailedException, OAuthSystemException {
    AuthenticatedUser user = getLoggedInUser(oAuthMessage);
    String consentQuery = handlePreConsentIncludingExistingConsents(oauth2Params, user);
    if (!isConsentFromUserRequired(consentQuery)) {
        // Nothing new to ask for: record the session state and complete as an approval.
        sessionState.setAddSessionState(true);
        return handleUserConsent(oAuthMessage, APPROVE, sessionState);
    }
    String loginSessionDataKey = getSessionDataKeyFromLogin(oAuthMessage);
    String consentPageQuery = buildQueryParamString(consentQuery, USER_CLAIMS_CONSENT_ONLY + "=true");
    return getUserConsentURL(loginSessionDataKey, oauth2Params, user, consentPageQuery, oAuthMessage);
}

Example 24 with OAuth2Parameters

use of org.wso2.carbon.identity.oauth2.model.OAuth2Parameters in project identity-inbound-auth-oauth by wso2-extensions.

the class CibaResponseTypeHandlerTest method provideConsentDenialErrorInfo.

/**
 * Supplies the consent-denial test case: a parameter set carrying the test nonce together with
 * the error description expected for a denied consent.
 *
 * @return one row of {@code {OAuth2Parameters, expected error description}}
 */
@DataProvider(name = "provideConsentDenialErrorInfo")
public Object[][] provideConsentDenialErrorInfo() {
    OAuth2Parameters paramsWithNonce = new OAuth2Parameters();
    paramsWithNonce.setNonce(NONCE);
    Object[] denialCase = { paramsWithNonce, "User denied the consent." };
    return new Object[][] { denialCase };
}

Example 25 with OAuth2Parameters

use of org.wso2.carbon.identity.oauth2.model.OAuth2Parameters in project identity-inbound-auth-oauth by wso2-extensions.

the class OAuth2ServiceTest method testHandleUserConsentDenial.

/**
 * Verifies that the service returns whatever the response type handler returns for a consent
 * denial: when the handler yields no error DTO, the service result is {@code null} as well.
 */
@Test
public void testHandleUserConsentDenial() throws Exception {
    OAuth2Parameters params = new OAuth2Parameters();
    // The handler resolved for these parameters produces no error DTO for the denial...
    when(getResponseHander(params).handleUserConsentDenial(params)).thenReturn(null);
    // ...so the service is expected to pass that null straight through.
    assertNull(oAuth2Service.handleUserConsentDenial(params));
}
