@DataProvider(name = "provideOidcSessionData")
public Object[][] provideOidcSessionData() {
    // Constructed sample cookie value; the cases below only vary on whether the cookie is present.
    Cookie opbsCookie = new Cookie("opbs", "2345678776gffdgdsfafa");

    // One prior session that already lists this client as a participant, one with no participants at all.
    OIDCSessionState stateWithClientParticipant = new OIDCSessionState();
    stateWithClientParticipant.setSessionParticipants(new HashSet<>(Arrays.asList(CLIENT_ID_VALUE)));
    OIDCSessionState stateWithNoParticipants = new OIDCSessionState();
    stateWithNoParticipants.setSessionParticipants(new HashSet<String>());

    // Expected response fragments: a redirect carrying session_state, or the start of the form_post page.
    String redirectWithSessionState = "http://localhost:8080/redirect?session_state=sessionStateValue";
    String formPostMarkup = "<form method=\"post\" action=\"http://localhost:8080/redirect\">";

    // Columns: opbs cookie, previous session state, redirect URL, response_mode, expected HTTP status,
    // expected response fragment. Rows are chosen to cover the branches of the private
    // manageOIDCSessionState() method. NOTE(review): rows 3 and 4 are identical — presumably one of
    // them was meant to vary another column; confirm against the test that consumes this provider.
    Object[] withCookieAndParticipant = {
            opbsCookie, stateWithClientParticipant, APP_REDIRECT_URL, null,
            HttpServletResponse.SC_FOUND, redirectWithSessionState};
    Object[] withCookieNoParticipantsFormPost = {
            opbsCookie, stateWithNoParticipants, APP_REDIRECT_URL, RESPONSE_MODE_FORM_POST,
            HttpServletResponse.SC_OK, formPostMarkup};
    Object[] withoutCookie = {
            null, stateWithClientParticipant, APP_REDIRECT_URL, null,
            HttpServletResponse.SC_FOUND, redirectWithSessionState};
    Object[] withoutCookieAgain = {
            null, stateWithClientParticipant, APP_REDIRECT_URL, null,
            HttpServletResponse.SC_FOUND, redirectWithSessionState};
    Object[] withCookieNoPreviousState = {
            opbsCookie, null, APP_REDIRECT_URL, null,
            HttpServletResponse.SC_FOUND, redirectWithSessionState};
    Object[] withCookieAndParticipantFormPost = {
            opbsCookie, stateWithClientParticipant, APP_REDIRECT_URL, RESPONSE_MODE_FORM_POST,
            HttpServletResponse.SC_OK, formPostMarkup};

    return new Object[][] {
            withCookieAndParticipant,
            withCookieNoParticipantsFormPost,
            withoutCookie,
            withoutCookieAgain,
            withCookieNoPreviousState,
            withCookieAndParticipantFormPost
    };
}
/**
 * Completes the authorization flow once the user's consent decision is known.
 *
 * @param oAuthMessage the inbound authorization request wrapper
 * @param consent      the consent value submitted by the user
 * @param sessionState OIDC session state to be updated for this request
 * @return the redirect location (possibly with an ID token fragment and authenticated IdPs appended),
 *         the form_post response body, or the error/server-error response produced by the failure handlers
 * @throws OAuthSystemException propagated from the delegated handlers
 */
private String handleUserConsent(OAuthMessage oAuthMessage, String consent, OIDCSessionState sessionState)
        throws OAuthSystemException {
    OAuth2Parameters oauth2Params = getOauth2Params(oAuthMessage);
    // The consent decision is persisted before the request is authorized.
    storeUserConsent(oAuthMessage, consent);
    String responseType = oauth2Params.getResponseType();
    HttpRequestHeaderHandler headerHandler = new HttpRequestHeaderHandler(oAuthMessage.getRequest());
    OAuth2AuthorizeRespDTO authzRespDTO =
            authorize(oauth2Params, oAuthMessage.getSessionDataCacheEntry(), headerHandler);

    if (!isSuccessfulAuthorization(authzRespDTO)) {
        // A failure carrying an OAuth error code is reported to the client; anything else is a server error.
        return isFailureAuthorizationWithErorrCode(authzRespDTO)
                ? handleFailureAuthorization(oAuthMessage, sessionState, oauth2Params, authzRespDTO)
                : handleServerErrorAuthorization(oAuthMessage, sessionState, oauth2Params);
    }

    OAuthResponse oauthResponse =
            handleSuccessAuthorization(oAuthMessage, sessionState, oauth2Params, responseType, authzRespDTO);
    // response_mode=form_post: the parameters travel in the response body rather than the location.
    if (isFormPostModeAndResponseBodyExists(oauth2Params, oauthResponse)) {
        return oauthResponse.getBody();
    }
    // Hybrid/implicit flows carrying an ID token return parameters in the URI fragment, as per
    // http://openid.net/specs/openid-connect-core-1_0.html#HybridCallback
    if (hasIDTokenInResponseType(responseType)) {
        return buildOIDCResponseWithURIFragment(oauthResponse, authzRespDTO);
    }
    return appendAuthenticatedIDPs(oAuthMessage.getSessionDataCacheEntry(), oauthResponse.getLocationUri());
}
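/**
 * Drives the post-authentication authorization step according to the OIDC {@code prompt} parameter.
 * <p/>
 * prompt : none
 * The Authorization Server MUST NOT display any authentication
 * or consent user interface pages. An error is returned if the
 * End-User is not already authenticated or the Client does not
 * have pre-configured consent for the requested scopes. This
 * can be used as a method to check for existing authentication
 * and/or consent.
 * <p/>
 * prompt : consent
 * The Authorization Server MUST prompt the End-User for consent before
 * returning information to the Client.
 * <p/>
 * prompt Error : consent_required
 * The Authorization Server requires End-User consent. This
 * error MAY be returned when the prompt parameter in the
 * Authorization Request is set to none to request that the
 * Authorization Server should not display any user
 * interfaces to the End-User, but the Authorization Request
 * cannot be completed without displaying a user interface
 * for End-User consent.
 *
 * @param oAuthMessage            the inbound authorization request wrapper
 * @param sessionDataKeyFromLogin session data key handed over from the login step
 * @param sessionState            OIDC session state to be updated for this request
 * @return String URL (or response body) to return to the user agent; {@link StringUtils#EMPTY} when the
 *         prompt value is not one of the handled cases
 * @throws OAuthSystemException OAuthSystemException
 * @throws ConsentHandlingFailedException when consent handling fails in the delegated handlers
 * @throws OAuthProblemException propagated from the delegated handlers
 */
private String doUserAuthorization(OAuthMessage oAuthMessage, String sessionDataKeyFromLogin,
                                   OIDCSessionState sessionState)
        throws OAuthSystemException, ConsentHandlingFailedException, OAuthProblemException {
    OAuth2Parameters oauth2Params = getOauth2Params(oAuthMessage);
    AuthenticatedUser authenticatedUser = getLoggedInUser(oAuthMessage);
    boolean hasUserApproved = isUserAlreadyApproved(oauth2Params, authenticatedUser);

    if (hasPromptContainsConsent(oauth2Params)) {
        // prompt=consent: any previously stored consent is revoked so the user is asked again.
        String clientId = oauth2Params.getClientId();
        OpenIDConnectUserRPStore.getInstance().removeConsentForUser(authenticatedUser, clientId);
        triggerConsentRevokedDiagnosticLog(oauth2Params, authenticatedUser);
        if (log.isDebugEnabled()) {
            // The diagnostic log guards against a null user, so the debug log must not dereference it either.
            String userName = authenticatedUser != null ? authenticatedUser.toFullQualifiedUsername() : null;
            log.debug("Prompt parameter contains 'consent'. Existing consents for user: " + userName
                    + " for oauth app with clientId: " + clientId
                    + " are revoked and user will be prompted to give consent again.");
        }
        // Need to prompt for consent and get user consent for claims as well.
        return promptUserForConsent(sessionDataKeyFromLogin, oauth2Params, authenticatedUser, true, oAuthMessage);
    } else if (isPromptNone(oauth2Params)) {
        return handlePromptNone(oAuthMessage, sessionState, oauth2Params, authenticatedUser, hasUserApproved);
    } else if (isPromptLogin(oauth2Params) || isPromptParamsNotPresent(oauth2Params)) {
        return handleConsent(oAuthMessage, sessionDataKeyFromLogin, sessionState, oauth2Params,
                authenticatedUser, hasUserApproved);
    } else {
        return StringUtils.EMPTY;
    }
}

// Emits the "remove-user-consent" diagnostic event; a no-op when diagnostic logs are disabled.
private void triggerConsentRevokedDiagnosticLog(OAuth2Parameters oauth2Params, AuthenticatedUser authenticatedUser) {
    if (!LoggerUtils.isDiagnosticLogsEnabled()) {
        return;
    }
    Map<String, Object> params = new HashMap<>();
    params.put("clientId", oauth2Params.getClientId());
    params.put("prompt", oauth2Params.getPrompt());
    if (authenticatedUser != null) {
        try {
            params.put("user", authenticatedUser.getUserId());
        } catch (UserIdNotFoundException e) {
            // No user id available: fall back to the subject identifier, with every character masked
            // (regex "." matches any character) so the identifier itself is not written to the log.
            if (StringUtils.isNotBlank(authenticatedUser.getAuthenticatedSubjectIdentifier())) {
                params.put("user", authenticatedUser.getAuthenticatedSubjectIdentifier().replaceAll(".", "*"));
            }
        }
    }
    LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, params,
            OAuthConstants.LogConstants.SUCCESS,
            "'prompt' contains consent. Hence existing user consent is revoked.", "remove-user-consent", null);
}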
/**
 * Attaches OIDC session state handling to the redirect for requests that OAuth2Util classifies as OIDC.
 *
 * @param oAuthMessage the inbound authorization request wrapper
 * @param sessionState OIDC session state; its add-session-state flag is switched on for OIDC requests
 * @param redirectURL  the redirect URL built so far
 * @return the redirect URL processed by the session-state overload for OIDC requests, otherwise the input unchanged
 */
private String manageOIDCSessionState(OAuthMessage oAuthMessage, OIDCSessionState sessionState, String redirectURL) {
    OAuth2Parameters oauth2Params = getOauth2Params(oAuthMessage);
    // Requests not classified as OIDC by their scopes are returned untouched.
    if (!OAuth2Util.isOIDCAuthzRequest(oauth2Params.getScopes())) {
        return redirectURL;
    }
    sessionState.setAddSessionState(true);
    // NOTE(review): getLoggedInUser() is dereferenced without a null check — confirm a user is always
    // present on this path.
    String subjectIdentifier = getLoggedInUser(oAuthMessage).getAuthenticatedSubjectIdentifier();
    return manageOIDCSessionState(oAuthMessage, sessionState, oauth2Params, subjectIdentifier, redirectURL,
            oAuthMessage.getSessionDataCacheEntry());
}
/**
 * Builds the auto-submitting form page used for {@code response_mode=form_post}.
 *
 * @param oAuthMessage the inbound authorization request wrapper
 * @param sessionState OIDC session state; its add-session-state flag is switched on for OIDC requests
 * @param redirectURL  the redirect URL whose parameters are posted back to the client
 * @return an HTTP 200 response whose entity is the form page
 */
private Response handleFormPostResponseMode(OAuthMessage oAuthMessage, OIDCSessionState sessionState,
                                            String redirectURL) {
    String authenticatedIdPs = oAuthMessage.getSessionDataCacheEntry().getAuthenticatedIdPs();
    OAuth2Parameters oauth2Params = getOauth2Params(oAuthMessage);
    // session_state is only computed for requests that OAuth2Util classifies as OIDC.
    String sessionStateValue = null;
    if (OAuth2Util.isOIDCAuthzRequest(oauth2Params.getScopes())) {
        sessionState.setAddSessionState(true);
        String subjectIdentifier = getLoggedInUser(oAuthMessage).getAuthenticatedSubjectIdentifier();
        sessionStateValue = manageOIDCSessionState(oAuthMessage, sessionState, oauth2Params, subjectIdentifier,
                redirectURL, oAuthMessage.getSessionDataCacheEntry());
    }
    // NOTE(review): the page embeds the redirect URL, the registered redirect URI, IdP names and the
    // session state; confirm createFormPage HTML-escapes each value before emitting markup.
    String formPage = createFormPage(redirectURL, oauth2Params.getRedirectURI(), authenticatedIdPs, sessionStateValue);
    return Response.ok(formPage).build();
}