use of org.wso2.carbon.identity.oauth2.model.OAuth2Parameters in project identity-inbound-auth-oauth by wso2-extensions.
the class OAuth2AuthzEndpoint method handleDeniedConsent.
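/**
 * Handles the case where the logged-in user has denied consent for the authorization request.
 * <p>
 * Records the denial in the user/RP store, lets the OAuth2 service build the error DTO for the
 * denial and then either renders the failure via form_post (when that response_mode was requested)
 * or issues a 302 redirect to the error redirect URL.
 *
 * @param oAuthMessage the inbound authorization message holding the request and session state
 * @return the HTTP response to return to the user agent
 * @throws OAuthSystemException if the error response could not be produced
 * @throws URISyntaxException   if the computed redirect URL is not a valid URI
 */
private Response handleDeniedConsent(OAuthMessage oAuthMessage) throws OAuthSystemException, URISyntaxException {

    OAuth2Parameters oauth2Params = getOauth2Params(oAuthMessage);
    // Persist "consent denied" for this user/application pair; reuse the parameters already
    // resolved above instead of looking them up a second time.
    OpenIDConnectUserRPStore.getInstance().putUserRPToStore(getLoggedInUser(oAuthMessage),
            oauth2Params.getApplicationName(), false, oauth2Params.getClientId());

    OAuthErrorDTO oAuthErrorDTO = EndpointUtil.getOAuth2Service().handleUserConsentDenial(oauth2Params);
    OAuthProblemException consentDenialException = buildConsentDenialException(oAuthErrorDTO);
    // NOTE(review): the redirect target is derived by EndpointUtil from oauth2Params (the client's
    // registered callback), not taken verbatim from the request — confirm in getErrorRedirectURL.
    String denyResponse = EndpointUtil.getErrorRedirectURL(oAuthMessage.getRequest(), consentDenialException,
            oauth2Params);

    // form_post clients get the error rendered as an auto-submitting form instead of a 302.
    if (StringUtils.equals(oauth2Params.getResponseMode(), RESPONSE_MODE_FORM_POST)) {
        return handleFailedState(oAuthMessage, oauth2Params, consentDenialException);
    }
    return Response.status(HttpServletResponse.SC_FOUND).location(new URI(denyResponse)).build();
}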
use of org.wso2.carbon.identity.oauth2.model.OAuth2Parameters in project identity-inbound-auth-oauth by wso2-extensions.
the class OAuth2AuthzEndpoint method validatePKCEParameters.
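/**
 * Validates the PKCE parameters (RFC 7636) of an authorization request against the client's
 * PKCE configuration.
 * <p>
 * Checks, in order: that a challenge is present and well formed when PKCE is mandatory for the
 * client; that a supplied {@code code_challenge_method} is one of the supported methods; that the
 * "plain" method (explicit, or implied by an absent method) is allowed for the client; and that a
 * supplied challenge is well formed. Every failure emits a diagnostic log event (when enabled)
 * and returns an error page URL.
 *
 * @param oAuthMessage        the inbound authorization message
 * @param validationResponse  the client validation result carrying the client's PKCE settings
 * @param pkceChallengeCode   the {@code code_challenge} request parameter, may be {@code null}
 * @param pkceChallengeMethod the {@code code_challenge_method} request parameter, may be {@code null}
 * @return an error page URL describing the first failed check, or {@code null} when validation passes
 */
private String validatePKCEParameters(OAuthMessage oAuthMessage, OAuth2ClientValidationResponseDTO validationResponse,
                                      String pkceChallengeCode, String pkceChallengeMethod) {

    OAuth2Parameters oAuth2Parameters = getOAuth2ParamsFromOAuthMessage(oAuthMessage);
    boolean pkceMandatory = validationResponse.isPkceMandatory();

    // Check if PKCE is mandatory for the application: a missing or malformed challenge is rejected outright.
    if (pkceMandatory
            && (pkceChallengeCode == null
            || !OAuth2Util.validatePKCECodeChallenge(pkceChallengeCode, pkceChallengeMethod))) {
        triggerPkceFailureDiagnosticLog(oAuth2Parameters, pkceChallengeCode, pkceChallengeMethod, pkceMandatory,
                null, "PKCE Challenge is not provided or is not upto RFC 7636 specification.");
        return getErrorPageURL(oAuthMessage.getRequest(), OAuth2ErrorCodes.INVALID_REQUEST,
                OAuth2ErrorCodes.OAuth2SubErrorCodes.INVALID_PKCE_CHALLENGE_CODE,
                "PKCE is mandatory for this application. PKCE Challenge is not provided or is not upto RFC 7636 "
                        + "specification.", null, oAuth2Parameters);
    }

    // Check if the code challenge method value is neither "plain" nor "S256"; if so return error.
    if (pkceChallengeCode != null && pkceChallengeMethod != null
            && !OAuthConstants.OAUTH_PKCE_PLAIN_CHALLENGE.equals(pkceChallengeMethod)
            && !OAuthConstants.OAUTH_PKCE_S256_CHALLENGE.equals(pkceChallengeMethod)) {
        triggerPkceFailureDiagnosticLog(oAuth2Parameters, pkceChallengeCode, pkceChallengeMethod, pkceMandatory,
                null, "Unsupported PKCE Challenge Method.");
        return getErrorPageURL(oAuthMessage.getRequest(), OAuth2ErrorCodes.INVALID_REQUEST,
                OAuth2ErrorCodes.OAuth2SubErrorCodes.INVALID_PKCE_CHALLENGE_CODE,
                "Unsupported PKCE Challenge Method", null, oAuth2Parameters);
    }

    // Check if the "plain" transformation is disabled for the application. An absent method defaults
    // to "plain" per RFC 7636, so it is treated the same as an explicit "plain".
    if (pkceChallengeCode != null && !validationResponse.isPkceSupportPlain()
            && (pkceChallengeMethod == null
            || OAuthConstants.OAUTH_PKCE_PLAIN_CHALLENGE.equals(pkceChallengeMethod))) {
        triggerPkceFailureDiagnosticLog(oAuth2Parameters, pkceChallengeCode, pkceChallengeMethod, pkceMandatory,
                Boolean.FALSE, "OAuth client does not support 'plain' transformation algorithm.");
        return getErrorPageURL(oAuthMessage.getRequest(), OAuth2ErrorCodes.INVALID_REQUEST,
                OAuth2ErrorCodes.OAuth2SubErrorCodes.INVALID_PKCE_CHALLENGE_CODE,
                "This application does not support \"plain\" transformation algorithm.", null, oAuth2Parameters);
    }

    // If a PKCE challenge was sent (PKCE optional for this client), check that it is well formed.
    if (pkceChallengeCode != null
            && !OAuth2Util.validatePKCECodeChallenge(pkceChallengeCode, pkceChallengeMethod)) {
        triggerPkceFailureDiagnosticLog(oAuth2Parameters, pkceChallengeCode, pkceChallengeMethod, pkceMandatory,
                null, "Code challenge used is not up to RFC 7636 specifications.");
        return getErrorPageURL(oAuthMessage.getRequest(), OAuth2ErrorCodes.INVALID_REQUEST,
                OAuth2ErrorCodes.OAuth2SubErrorCodes.INVALID_PKCE_CHALLENGE_CODE,
                "Code challenge used is not up to RFC 7636 specifications.", null, oAuth2Parameters);
    }

    LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, null,
            OAuthConstants.LogConstants.SUCCESS, "PKCE validation is successful.", "validate-pkce", null);
    return null;
}

/**
 * Emits the FAILED diagnostic log event shared by every PKCE validation failure, if diagnostic
 * logging is enabled.
 * <p>
 * NOTE(review): the raw {@code code_challenge} is written to the diagnostic log. With the "plain"
 * method RFC 7636 defines {@code code_challenge == code_verifier}, so for such clients the log
 * holds the value the token request later presents as the verifier; consider masking it.
 *
 * @param oAuth2Parameters    parameters of the request, used for the client id
 * @param pkceChallengeCode   the {@code code_challenge} value, may be {@code null}
 * @param pkceChallengeMethod the {@code code_challenge_method} value, may be {@code null}
 * @param pkceMandatory       whether PKCE is mandatory for the client
 * @param pkceSupportPlain    whether the client supports "plain"; {@code null} to omit from the event
 * @param message             the failure message for the event
 */
private void triggerPkceFailureDiagnosticLog(OAuth2Parameters oAuth2Parameters, String pkceChallengeCode,
                                             String pkceChallengeMethod, boolean pkceMandatory,
                                             Boolean pkceSupportPlain, String message) {

    if (!LoggerUtils.isDiagnosticLogsEnabled()) {
        return;
    }
    Map<String, Object> params = new HashMap<>();
    params.put("clientId", oAuth2Parameters.getClientId());
    params.put("pkceChallenge", pkceChallengeCode);
    params.put("pkceMethod", pkceChallengeMethod);
    Map<String, Object> configs = new HashMap<>();
    configs.put("isPkceMandatory", Boolean.toString(pkceMandatory));
    if (pkceSupportPlain != null) {
        configs.put("isPkceSupportPlain", Boolean.toString(pkceSupportPlain));
    }
    LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, params,
            OAuthConstants.LogConstants.FAILED, message, "validate-pkce", configs);
}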
use of org.wso2.carbon.identity.oauth2.model.OAuth2Parameters in project identity-inbound-auth-oauth by wso2-extensions.
the class OAuth2AuthzEndpoint method handleApproveAlwaysWithPromptForNewConsent.
/**
 * Handles an "approve always" request for which new consent may still have to be collected.
 * <p>
 * Existing consents are merged into the pre-consent data first. If the user still has to consent
 * to something, the user is sent to the consent page restricted to user-claims consent; otherwise
 * the request is treated as approved and session state is added to the response.
 *
 * @param oAuthMessage the inbound authorization message
 * @param sessionState the OIDC session state to update on direct approval
 * @param oauth2Params the parameters of the authorization request
 * @return the consent page URL, or the result of handling the approved consent
 * @throws ConsentHandlingFailedException if consent data could not be processed
 * @throws OAuthSystemException          if the approval could not be handled
 */
private String handleApproveAlwaysWithPromptForNewConsent(OAuthMessage oAuthMessage, OIDCSessionState sessionState,
                                                          OAuth2Parameters oauth2Params)
        throws ConsentHandlingFailedException, OAuthSystemException {

    AuthenticatedUser user = getLoggedInUser(oAuthMessage);
    String consentData = handlePreConsentIncludingExistingConsents(oauth2Params, user);

    if (!isConsentFromUserRequired(consentData)) {
        // Nothing new to consent to: approve directly and include session state in the response.
        sessionState.setAddSessionState(true);
        return handleUserConsent(oAuthMessage, APPROVE, sessionState);
    }

    // Only user-claims consent is outstanding; flag that for the consent page.
    String loginSessionDataKey = getSessionDataKeyFromLogin(oAuthMessage);
    String consentPageParams = buildQueryParamString(consentData, USER_CLAIMS_CONSENT_ONLY + "=true");
    return getUserConsentURL(loginSessionDataKey, oauth2Params, user, consentPageParams, oAuthMessage);
}
use of org.wso2.carbon.identity.oauth2.model.OAuth2Parameters in project identity-inbound-auth-oauth by wso2-extensions.
the class CibaResponseTypeHandlerTest method provideConsentDenialErrorInfo.
/**
 * Supplies test data for the consent-denial scenario: a parameter set carrying the test nonce
 * together with the expected denial message.
 *
 * @return one row of {OAuth2Parameters, expected error description}
 */
@DataProvider(name = "provideConsentDenialErrorInfo")
public Object[][] provideConsentDenialErrorInfo() {

    OAuth2Parameters paramsWithNonce = new OAuth2Parameters();
    paramsWithNonce.setNonce(NONCE);
    Object[] denialRow = {paramsWithNonce, "User denied the consent."};
    return new Object[][] {denialRow};
}
use of org.wso2.carbon.identity.oauth2.model.OAuth2Parameters in project identity-inbound-auth-oauth by wso2-extensions.
the class OAuth2ServiceTest method testHandleUserConsentDenial.
/**
 * Verifies that {@code OAuth2Service.handleUserConsentDenial} passes the denial through to the
 * response type handler and returns whatever that handler returns (here {@code null}).
 *
 * @throws Exception if the mock set-up or the call under test fails
 */
@Test
public void testHandleUserConsentDenial() throws Exception {

    OAuth2Parameters deniedRequest = new OAuth2Parameters();
    // The handler for this request type is stubbed to report no error DTO for the denial.
    when(getResponseHander(deniedRequest).handleUserConsentDenial(deniedRequest)).thenReturn(null);

    Object result = oAuth2Service.handleUserConsentDenial(deniedRequest);
    assertNull(result);
}