
Example 16 with RequestObject

use of org.wso2.carbon.identity.openidconnect.model.RequestObject in project identity-inbound-auth-oauth by wso2-extensions.

the class RequestParamRequestObjectBuilder method decrypt.

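/**
 * Decrypt the request object.
 * <p>
 * The compact JWE is parsed and decrypted once with the RSA private key resolved from
 * {@code oAuth2Parameters}. If the decrypted payload has the dot-separated part count of a JWS
 * (a nested signed JWT) it is returned unchanged so the caller can still verify the signature;
 * otherwise the payload is read as a claims set and re-serialized as an unsigned (plain) JWT.
 *
 * @param requestObject    requestObject, in compact JWE serialization
 * @param oAuth2Parameters oAuth2Parameters used to resolve the decryption key
 * @return the decrypted request object as a compact JWT string
 * @throws RequestObjectException if parsing, key resolution or decryption fails
 */
@Override
public String decrypt(String requestObject, OAuth2Parameters oAuth2Parameters) throws RequestObjectException {
    try {
        // EncryptedJWT is a JWEObject, so a single parse and a single RSA decryption serve both the
        // payload inspection and the claims-set extraction below (previously done twice).
        EncryptedJWT encryptedJWT = EncryptedJWT.parse(requestObject);
        RSAPrivateKey rsaPrivateKey = getRSAPrivateKey(oAuth2Parameters);
        encryptedJWT.decrypt(new RSADecrypter(rsaPrivateKey));
        String payload = encryptedJWT.getPayload() == null ? null : encryptedJWT.getPayload().toString();
        // JWS part count => the JWE wraps a signed JWT; return it intact so its signature remains verifiable.
        if (payload != null && payload.split(JWT_PART_DELIMITER).length == NUMBER_OF_PARTS_IN_JWS) {
            return payload;
        }
        return new PlainJWT((JWTClaimsSet) encryptedJWT.getJWTClaimsSet()).serialize();
    } catch (JOSEException | IdentityOAuth2Exception | ParseException e) {
        String errorMessage = "Failed to decrypt Request Object";
        // The raw (still encrypted) request object is only written at debug level.
        if (log.isDebugEnabled()) {
            log.debug(errorMessage + " from " + requestObject, e);
        }
        // NOTE(review): the cause is logged but not attached to the thrown exception; callers only
        // see the generic message and the invalid_request error code.
        throw new RequestObjectException(RequestObjectException.ERROR_CODE_INVALID_REQUEST, errorMessage);
    }
}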

Example 17 with RequestObject

use of org.wso2.carbon.identity.openidconnect.model.RequestObject in project identity-inbound-auth-oauth by wso2-extensions.

the class OIDCRequestObjectUtil method validateRequestObjectSignature.

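/**
 * Validates the signature of the request object according to the application's configuration.
 * <p>
 * A signed request object is always verified. An unsigned one is rejected only when the application
 * enforces request object signature validation; otherwise it is accepted without any signature check.
 *
 * @param oAuth2Parameters OAuth2 parameters
 * @param requestObject OAuth2 request
 * @param requestObjectValidator OAuth2 Request validator
 * @throws RequestObjectException if the application cannot be resolved, the request object is unsigned
 *                                while validation is enforced, or signature verification fails
 */
public static void validateRequestObjectSignature(OAuth2Parameters oAuth2Parameters, RequestObject requestObject, RequestObjectValidator requestObjectValidator) throws RequestObjectException {
    String clientId = oAuth2Parameters.getClientId();
    OAuthAppDO oAuthAppDO;
    try {
        oAuthAppDO = OAuth2Util.getAppInformationByClientId(clientId);
    } catch (IdentityOAuth2Exception | InvalidOAuthClientException e) {
        // Emitted unconditionally (no isDiagnosticLogsEnabled() guard), as in the original code.
        LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, null, OAuthConstants.LogConstants.FAILED, "Server error occurred.", "validate-request-object-signature", null);
        throw new RequestObjectException("Error while retrieving app information for client_id: " + clientId + ". Cannot proceed with signature validation", e);
    }
    boolean validationEnforced = oAuthAppDO.isRequestObjectSignatureValidationEnabled();
    try {
        if (validationEnforced && log.isDebugEnabled()) {
            log.debug("Request Object Signature Verification enabled for client_id: " + clientId);
        }
        if (requestObject.isSigned()) {
            // A signed object is verified whether or not the application enforces it.
            validateSignature(oAuth2Parameters, requestObject, requestObjectValidator);
        } else if (validationEnforced) {
            // Enforcement is on and the object carries no signature: reject.
            logSignatureValidationFailure(clientId, true,
                    "Request object signature validation is enabled but request object is not signed.");
            throw new RequestObjectException("Request object signature validation is enabled but request " + "object is not signed.");
        }
    } catch (RequestObjectException e) {
        // Verification failures are recognised by message text; the exception carries no dedicated code here.
        if (StringUtils.isNotBlank(e.getErrorMessage()) && e.getErrorMessage().contains("signature verification failed")) {
            logSignatureValidationFailure(clientId, validationEnforced, "Request Object signature verification failed.");
        }
        throw e;
    }
    // NOTE: also reached when enforcement is off and the object is unsigned, i.e. no signature was checked.
    LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, null, OAuthConstants.LogConstants.SUCCESS, "Request Object signature verification is successful.", "validate-request-object-signature", null);
}

/**
 * Emits the FAILED diagnostic event for a signature check, when diagnostic logs are enabled.
 *
 * @param clientId          client_id of the authorization request
 * @param validationEnabled whether the application enforces request object signature validation
 * @param message           human-readable failure description
 */
private static void logSignatureValidationFailure(String clientId, boolean validationEnabled, String message) {
    if (!LoggerUtils.isDiagnosticLogsEnabled()) {
        return;
    }
    Map<String, Object> params = new HashMap<>();
    params.put("clientId", clientId);
    Map<String, Object> configs = new HashMap<>();
    configs.put("requestObjectSignatureValidationEnabled", Boolean.toString(validationEnabled));
    LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, params, OAuthConstants.LogConstants.FAILED, message, "validate-request-object-signature", configs);
}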

Example 18 with RequestObject

use of org.wso2.carbon.identity.openidconnect.model.RequestObject in project identity-inbound-auth-oauth by wso2-extensions.

the class OIDCRequestObjectUtil method buildRequestObject.

/**
 * Fetch and invoke the matched request builder class based on the identity.xml configurations.
 * Build and validate the Request Object extracted from request information.
 * <p>
 * The builder is selected by whether the authorization request carries a {@code request} or a
 * {@code request_uri} parameter. The built object is signature-checked first and then handed to the
 * configured {@link RequestObjectValidator}.
 *
 * @param oauthRequest     authorization request
 * @param oAuth2Parameters OAuth2 parameters of the authorization request
 * @return the validated request object, or {@code null} when the request carries neither parameter
 * @throws RequestObjectException if no builder is configured, building fails, the signature check fails
 *                                or the validator rejects the request object
 */
public static RequestObject buildRequestObject(OAuthAuthzRequest oauthRequest, OAuth2Parameters oAuth2Parameters) throws RequestObjectException {
    /*
      So that the request is a valid OAuth 2.0 Authorization Request, values for the response_type and client_id
      parameters MUST be included using the OAuth 2.0 request syntax, since they are REQUIRED by OAuth 2.0.
      The values for these parameters MUST match those in the Request Object, if present
     */
    final RequestObjectBuilder builder;
    final String requestObjType;
    if (isRequestParameter(oauthRequest)) {
        builder = getRequestObjectBuilder(REQUEST_PARAM_VALUE_BUILDER);
        requestObjType = REQUEST;
    } else if (isRequestUri(oauthRequest)) {
        builder = getRequestObjectBuilder(REQUEST_URI_PARAM_VALUE_BUILDER);
        requestObjType = REQUEST_URI;
    } else {
        // Neither request nor request_uri is present: nothing to build.
        return null;
    }
    if (builder == null) {
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            // The raw request and request_uri parameter values are attached to the diagnostic event.
            Map<String, Object> params = new HashMap<>();
            params.put(REQUEST, oauthRequest.getParam(REQUEST));
            params.put(REQUEST_URI, oauthRequest.getParam(REQUEST_URI));
            LoggerUtils.triggerDiagnosticLogEvent(OAuthConstants.LogConstants.OAUTH_INBOUND_SERVICE, params, OAuthConstants.LogConstants.FAILED, "Server error occurred.", "parse-request-object", null);
        }
        throw new RequestObjectException(OAuth2ErrorCodes.SERVER_ERROR, "Unable to build the OIDC Request Object from:" + requestObjType);
    }
    RequestObject requestObject = builder.buildRequestObject(oauthRequest.getParam(requestObjType), oAuth2Parameters);
    RequestObjectValidator validator = OAuthServerConfiguration.getInstance().getRequestObjectValidator();
    // Signature first, then the validator's parameter checks.
    validateRequestObjectSignature(oAuth2Parameters, requestObject, validator);
    if (!validator.validateRequestObject(requestObject, oAuth2Parameters)) {
        throw new RequestObjectException(OAuth2ErrorCodes.INVALID_REQUEST, "Invalid parameters " + "found in the Request Object.");
    }
    if (log.isDebugEnabled()) {
        log.debug("Successfully build and and validated request Object for: " + requestObjType);
    }
    return requestObject;
}

Example 19 with RequestObject

use of org.wso2.carbon.identity.openidconnect.model.RequestObject in project identity-inbound-auth-oauth by wso2-extensions.

the class DefaultOIDCProviderRequestBuilder method buildRequest.

/**
 * Builds the discovery request model from the incoming servlet request.
 * The request URI is copied as-is; a blank tenant falls back to the super tenant domain.
 *
 * @param request incoming discovery request
 * @param tenant  tenant domain extracted from the request, possibly blank
 * @return the populated provider request
 * @throws OIDCDiscoveryEndPointException declared by the interface; not raised by this implementation
 */
@Override
public OIDProviderRequest buildRequest(HttpServletRequest request, String tenant) throws OIDCDiscoveryEndPointException {
    String tenantDomain = StringUtils.isNotBlank(tenant) ? tenant : MultitenantConstants.SUPER_TENANT_DOMAIN_NAME;
    OIDProviderRequest providerRequest = new OIDProviderRequest();
    providerRequest.setUri(request.getRequestURI());
    providerRequest.setTenantDomain(tenantDomain);
    return providerRequest;
}
