Example 1 with OIDCSessionState

Use of org.wso2.carbon.identity.oidc.session.OIDCSessionState in project identity-inbound-auth-oauth by wso2-extensions.

The class OAuth2AuthzEndpointTest, method provideOidcSessionData.

@DataProvider(name = "provideOidcSessionData")
public Object[][] provideOidcSessionData() {
    Cookie opBrowserStateCookie = new Cookie("opbs", "2345678776gffdgdsfafa");
    OIDCSessionState previousSessionState1 = new OIDCSessionState();
    OIDCSessionState previousSessionState2 = new OIDCSessionState();
    // previousSessionState1 already lists the test client as a session participant; previousSessionState2 has none.
    previousSessionState1.setSessionParticipants(new HashSet<>(Arrays.asList(CLIENT_ID_VALUE)));
    previousSessionState2.setSessionParticipants(new HashSet<String>());
    String[] returnValues = new String[] {
            "http://localhost:8080/redirect?session_state=sessionStateValue",
            "<form method=\"post\" action=\"http://localhost:8080/redirect\">" };
    // Row layout: opbs cookie, previous session state, redirect URL, response_mode, expected HTTP status, expected response.
    // Together these rows cover the branches of the private manageOIDCSessionState() method.
    return new Object[][] {
            { opBrowserStateCookie, previousSessionState1, APP_REDIRECT_URL, null, HttpServletResponse.SC_FOUND, returnValues[0] },
            { opBrowserStateCookie, previousSessionState2, APP_REDIRECT_URL, RESPONSE_MODE_FORM_POST, HttpServletResponse.SC_OK, returnValues[1] },
            { null, previousSessionState1, APP_REDIRECT_URL, null, HttpServletResponse.SC_FOUND, returnValues[0] },
            { null, previousSessionState1, APP_REDIRECT_URL, null, HttpServletResponse.SC_FOUND, returnValues[0] },
            { opBrowserStateCookie, null, APP_REDIRECT_URL, null, HttpServletResponse.SC_FOUND, returnValues[0] },
            { opBrowserStateCookie, previousSessionState1, APP_REDIRECT_URL, RESPONSE_MODE_FORM_POST, HttpServletResponse.SC_OK, returnValues[1] } };
}
Also used: Cookie (javax.servlet.http.Cookie), OIDCSessionState (org.wso2.carbon.identity.oidc.session.OIDCSessionState), RequestObject (org.wso2.carbon.identity.openidconnect.model.RequestObject), Matchers.anyString (org.mockito.Matchers.anyString), DataProvider (org.testng.annotations.DataProvider)

Example 2 with OIDCSessionState

Use of org.wso2.carbon.identity.oidc.session.OIDCSessionState in project identity-inbound-auth-oauth by wso2-extensions.

The class OAuth2AuthzEndpoint, method handleUserConsent.

private String handleUserConsent(OAuthMessage oAuthMessage, String consent, OIDCSessionState sessionState) throws OAuthSystemException {
    OAuth2Parameters oauth2Params = getOauth2Params(oAuthMessage);
    storeUserConsent(oAuthMessage, consent);
    OAuthResponse oauthResponse;
    String responseType = oauth2Params.getResponseType();
    HttpRequestHeaderHandler httpRequestHeaderHandler = new HttpRequestHeaderHandler(oAuthMessage.getRequest());
    // authorizing the request
    OAuth2AuthorizeRespDTO authzRespDTO = authorize(oauth2Params, oAuthMessage.getSessionDataCacheEntry(), httpRequestHeaderHandler);
    if (isSuccessfulAuthorization(authzRespDTO)) {
        oauthResponse = handleSuccessAuthorization(oAuthMessage, sessionState, oauth2Params, responseType, authzRespDTO);
    } else if (isFailureAuthorizationWithErorrCode(authzRespDTO)) {
        // Authorization failure due to various reasons
        return handleFailureAuthorization(oAuthMessage, sessionState, oauth2Params, authzRespDTO);
    } else {
        // Authorization could not be completed because of a server-side error
        return handleServerErrorAuthorization(oAuthMessage, sessionState, oauth2Params);
    }
    // When response_mode is form_post, the result is returned in the response body (an HTML form) instead of a redirect URL.
    if (isFormPostModeAndResponseBodyExists(oauth2Params, oauthResponse)) {
        return oauthResponse.getBody();
    } else {
        // as per the specification: http://openid.net/specs/openid-connect-core-1_0.html#HybridCallback
        if (hasIDTokenInResponseType(responseType)) {
            return buildOIDCResponseWithURIFragment(oauthResponse, authzRespDTO);
        } else {
            return appendAuthenticatedIDPs(oAuthMessage.getSessionDataCacheEntry(), oauthResponse.getLocationUri());
        }
    }
}
Also used: OAuth2Parameters (org.wso2.carbon.identity.oauth2.model.OAuth2Parameters), HttpRequestHeaderHandler (org.wso2.carbon.identity.oauth2.model.HttpRequestHeaderHandler), OAuth2AuthorizeRespDTO (org.wso2.carbon.identity.oauth2.dto.OAuth2AuthorizeRespDTO), OAuthResponse (org.apache.oltu.oauth2.common.message.OAuthResponse)

Example 3 with OIDCSessionState

Use of org.wso2.carbon.identity.oidc.session.OIDCSessionState in project identity-inbound-auth-oauth by wso2-extensions.

The class OAuth2AuthzEndpoint, method doUserAuthorization.

/**
 * prompt : none
 * The Authorization Server MUST NOT display any authentication
 * or consent user interface pages. An error is returned if the
 * End-User is not already authenticated or the Client does not
 * have pre-configured consent for the requested scopes. This
 * can be used as a method to check for existing authentication
 * and/or consent.
 * <p/>
 * prompt : consent
 * The Authorization Server MUST prompt the End-User for consent before
 * returning information to the Client.
 * <p/>
 * prompt Error : consent_required
 * The Authorization Server requires End-User consent. This
 * error MAY be returned when the prompt parameter in the
 * Authorization Request is set to none to request that the
 * Authorization Server should not display any user
 * interfaces to the End-User, but the Authorization Request
 * cannot be completed without displaying a user interface
 * for End-User consent.
 *
 * @return String URL
 * @throws OAuthSystemException OAuthSystemException
 */
private String doUserAuthorization(OAuthMessage oAuthMessage, String sessionDataKeyFromLogin, OIDCSessionState sessionState) throws OAuthSystemException, ConsentHandlingFailedException, OAuthProblemException {
    OAuth2Parameters oauth2Params = getOauth2Params(oAuthMessage);
    AuthenticatedUser authenticatedUser = getLoggedInUser(oAuthMessage);
    boolean hasUserApproved = isUserAlreadyApproved(oauth2Params, authenticatedUser);
    if (hasPromptContainsConsent(oauth2Params)) {
        // Remove any existing consents.
        String clientId = oauth2Params.getClientId();
        OpenIDConnectUserRPStore.getInstance().removeConsentForUser(authenticatedUser, clientId);
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            Map<String, Object> params = new HashMap<>();
            params.put("clientId", oauth2Params.getClientId());
            params.put("prompt", oauth2Params.getPrompt());
            if (authenticatedUser != null) {
                try {
                    params.put("user", authenticatedUser.getUserId());
                } catch (UserIdNotFoundException e) {
                    if (StringUtils.isNotBlank(authenticatedUser.getAuthenticatedSubjectIdentifier())) {
                        // The regex "." matches every character, so the whole subject identifier is masked in the log.
                        params.put("user", authenticatedUser.getAuthenticatedSubjectIdentifier().replaceAll(".", "*"));
                    }
                }
            }
            LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, params,
                    OAuthConstants.LogConstants.SUCCESS, "'prompt' contains consent. Hence existing user consent is revoked.",
                    "remove-user-consent", null);
        }
        if (log.isDebugEnabled()) {
            log.debug("Prompt parameter contains 'consent'. Existing consents for user: "
                    + authenticatedUser.toFullQualifiedUsername() + " for oauth app with clientId: " + clientId
                    + " are revoked and user will be prompted to give consent again.");
        }
        // Need to prompt for consent and get user consent for claims as well.
        return promptUserForConsent(sessionDataKeyFromLogin, oauth2Params, authenticatedUser, true, oAuthMessage);
    } else if (isPromptNone(oauth2Params)) {
        return handlePromptNone(oAuthMessage, sessionState, oauth2Params, authenticatedUser, hasUserApproved);
    } else if (isPromptLogin(oauth2Params) || isPromptParamsNotPresent(oauth2Params)) {
        return handleConsent(oAuthMessage, sessionDataKeyFromLogin, sessionState, oauth2Params, authenticatedUser, hasUserApproved);
    } else {
        return StringUtils.EMPTY;
    }
}
Also used: OAuth2Parameters (org.wso2.carbon.identity.oauth2.model.OAuth2Parameters), ConcurrentHashMap (java.util.concurrent.ConcurrentHashMap), HashMap (java.util.HashMap), RequestObject (org.wso2.carbon.identity.openidconnect.model.RequestObject), JSONObject (org.json.JSONObject), UserIdNotFoundException (org.wso2.carbon.identity.application.authentication.framework.exception.UserIdNotFoundException), AuthenticatedUser (org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser)

Example 4 with OIDCSessionState

Use of org.wso2.carbon.identity.oidc.session.OIDCSessionState in project identity-inbound-auth-oauth by wso2-extensions.

The class OAuth2AuthzEndpoint, method manageOIDCSessionState.

private String manageOIDCSessionState(OAuthMessage oAuthMessage, OIDCSessionState sessionState, String redirectURL) {
    OAuth2Parameters oauth2Params = getOauth2Params(oAuthMessage);
    boolean isOIDCRequest = OAuth2Util.isOIDCAuthzRequest(oauth2Params.getScopes());
    if (isOIDCRequest) {
        sessionState.setAddSessionState(true);
        return manageOIDCSessionState(oAuthMessage, sessionState, oauth2Params,
                getLoggedInUser(oAuthMessage).getAuthenticatedSubjectIdentifier(), redirectURL,
                oAuthMessage.getSessionDataCacheEntry());
    }
    return redirectURL;
}
Also used: OAuth2Parameters (org.wso2.carbon.identity.oauth2.model.OAuth2Parameters)

Example 5 with OIDCSessionState

Use of org.wso2.carbon.identity.oidc.session.OIDCSessionState in project identity-inbound-auth-oauth by wso2-extensions.

The class OAuth2AuthzEndpoint, method handleFormPostResponseMode.

private Response handleFormPostResponseMode(OAuthMessage oAuthMessage, OIDCSessionState sessionState, String redirectURL) {
    String authenticatedIdPs = oAuthMessage.getSessionDataCacheEntry().getAuthenticatedIdPs();
    OAuth2Parameters oauth2Params = getOauth2Params(oAuthMessage);
    boolean isOIDCRequest = OAuth2Util.isOIDCAuthzRequest(oauth2Params.getScopes());
    String sessionStateValue = null;
    if (isOIDCRequest) {
        sessionState.setAddSessionState(true);
        sessionStateValue = manageOIDCSessionState(oAuthMessage, sessionState, oauth2Params,
                getLoggedInUser(oAuthMessage).getAuthenticatedSubjectIdentifier(), redirectURL,
                oAuthMessage.getSessionDataCacheEntry());
    }
    return Response.ok(createFormPage(redirectURL, oauth2Params.getRedirectURI(), authenticatedIdPs, sessionStateValue)).build();
}
Also used: OAuth2Parameters (org.wso2.carbon.identity.oauth2.model.OAuth2Parameters)
