Example 1 with OAuth2AuditLog
use of org.xdi.oxauth.model.audit.OAuth2AuditLog in project oxAuth by GluuFederation.
the class RegisterRestWebServiceImpl method requestClientRead.
@Override
public Response requestClientRead(String clientId, String authorization, HttpServletRequest httpRequest, SecurityContext securityContext) {
String accessToken = tokenService.getTokenFromAuthorizationParameter(authorization);
log.debug("Attempting to read client: clientId = {}, registrationAccessToken = {} isSecure = {}", clientId, accessToken, securityContext.isSecure());
Response.ResponseBuilder builder = Response.ok();
OAuth2AuditLog oAuth2AuditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(httpRequest), Action.CLIENT_READ);
oAuth2AuditLog.setClientId(clientId);
try {
if (appConfiguration.getDynamicRegistrationEnabled()) {
if (registerParamsValidator.validateParamsClientRead(clientId, accessToken)) {
Client client = clientService.getClient(clientId, accessToken);
if (client != null) {
oAuth2AuditLog.setScope(clientScopesToString(client));
oAuth2AuditLog.setSuccess(true);
builder.entity(clientAsEntity(client));
} else {
log.trace("The Access Token is not valid for the Client ID, returns invalid_token error.");
builder = Response.status(Response.Status.BAD_REQUEST.getStatusCode());
builder.entity(errorResponseFactory.getErrorAsJson(RegisterErrorResponseType.INVALID_TOKEN));
}
} else {
log.trace("Client parameters are invalid.");
builder = Response.status(Response.Status.BAD_REQUEST);
builder.entity(errorResponseFactory.getErrorAsJson(RegisterErrorResponseType.INVALID_CLIENT_METADATA));
}
} else {
builder = Response.status(Response.Status.BAD_REQUEST);
builder.entity(errorResponseFactory.getErrorAsJson(RegisterErrorResponseType.ACCESS_DENIED));
}
} catch (JSONException e) {
builder = Response.status(500);
builder.entity(errorResponseFactory.getErrorAsJson(RegisterErrorResponseType.INVALID_CLIENT_METADATA));
log.error(e.getMessage(), e);
} catch (StringEncrypter.EncryptionException e) {
builder = Response.status(500);
builder.entity(errorResponseFactory.getErrorAsJson(RegisterErrorResponseType.INVALID_CLIENT_METADATA));
log.error(e.getMessage(), e);
}
CacheControl cacheControl = new CacheControl();
cacheControl.setNoTransform(false);
cacheControl.setNoStore(true);
builder.cacheControl(cacheControl);
builder.header("Pragma", "no-cache");
applicationAuditLogger.sendMessage(oAuth2AuditLog);
return builder.build();
}
Also used :
Response(javax.ws.rs.core.Response)
OAuth2AuditLog(org.xdi.oxauth.model.audit.OAuth2AuditLog)
JSONException(org.codehaus.jettison.json.JSONException)
CacheControl(javax.ws.rs.core.CacheControl)
Client(org.xdi.oxauth.model.registration.Client)
StringEncrypter(org.xdi.util.security.StringEncrypter)
Example 2 with OAuth2AuditLog
use of org.xdi.oxauth.model.audit.OAuth2AuditLog in project oxAuth by GluuFederation.
the class UserInfoRestWebServiceImpl method requestUserInfo.
public Response requestUserInfo(String accessToken, String authorization, HttpServletRequest request, SecurityContext securityContext) {
if (authorization != null && !authorization.isEmpty() && authorization.startsWith("Bearer ")) {
accessToken = authorization.substring(7);
}
log.debug("Attempting to request User Info, Access token = {}, Is Secure = {}", accessToken, securityContext.isSecure());
Response.ResponseBuilder builder = Response.ok();
OAuth2AuditLog oAuth2AuditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(request), Action.USER_INFO);
try {
if (!UserInfoParamsValidator.validateParams(accessToken)) {
builder = Response.status(400);
builder.entity(errorResponseFactory.getErrorAsJson(UserInfoErrorResponseType.INVALID_REQUEST));
} else {
AuthorizationGrant authorizationGrant = authorizationGrantList.getAuthorizationGrantByAccessToken(accessToken);
if (authorizationGrant == null) {
builder = Response.status(400);
builder.entity(errorResponseFactory.getErrorAsJson(UserInfoErrorResponseType.INVALID_TOKEN));
} else if (authorizationGrant.getAuthorizationGrantType() == AuthorizationGrantType.CLIENT_CREDENTIALS) {
builder = Response.status(403);
builder.entity(errorResponseFactory.getErrorAsJson(UserInfoErrorResponseType.INSUFFICIENT_SCOPE));
} else if (!authorizationGrant.getScopes().contains(DefaultScope.OPEN_ID.toString()) && !authorizationGrant.getScopes().contains(DefaultScope.PROFILE.toString())) {
builder = Response.status(403);
builder.entity(errorResponseFactory.getErrorAsJson(UserInfoErrorResponseType.INSUFFICIENT_SCOPE));
oAuth2AuditLog.updateOAuth2AuditLog(authorizationGrant, false);
} else {
oAuth2AuditLog.updateOAuth2AuditLog(authorizationGrant, true);
CacheControl cacheControl = new CacheControl();
cacheControl.setPrivate(true);
cacheControl.setNoTransform(false);
cacheControl.setNoStore(true);
builder.cacheControl(cacheControl);
builder.header("Pragma", "no-cache");
User currentUser = authorizationGrant.getUser();
try {
currentUser = userService.getUserByDn(authorizationGrant.getUserDn());
} catch (EntryPersistenceException ex) {
log.warn("Failed to reload user entry: '{}'", authorizationGrant.getUserDn());
}
if (authorizationGrant.getClient() != null && authorizationGrant.getClient().getUserInfoEncryptedResponseAlg() != null && authorizationGrant.getClient().getUserInfoEncryptedResponseEnc() != null) {
KeyEncryptionAlgorithm keyEncryptionAlgorithm = KeyEncryptionAlgorithm.fromName(authorizationGrant.getClient().getUserInfoEncryptedResponseAlg());
BlockEncryptionAlgorithm blockEncryptionAlgorithm = BlockEncryptionAlgorithm.fromName(authorizationGrant.getClient().getUserInfoEncryptedResponseEnc());
builder.type("application/jwt");
builder.entity(getJweResponse(keyEncryptionAlgorithm, blockEncryptionAlgorithm, currentUser, authorizationGrant, authorizationGrant.getScopes()));
} else if (authorizationGrant.getClient() != null && authorizationGrant.getClient().getUserInfoSignedResponseAlg() != null) {
SignatureAlgorithm algorithm = SignatureAlgorithm.fromString(authorizationGrant.getClient().getUserInfoSignedResponseAlg());
builder.type("application/jwt");
builder.entity(getJwtResponse(algorithm, currentUser, authorizationGrant, authorizationGrant.getScopes()));
} else {
builder.type((MediaType.APPLICATION_JSON + ";charset=UTF-8"));
builder.entity(getJSonResponse(currentUser, authorizationGrant, authorizationGrant.getScopes()));
}
}
}
} catch (StringEncrypter.EncryptionException e) {
// 500
builder = Response.status(Response.Status.INTERNAL_SERVER_ERROR.getStatusCode());
log.error(e.getMessage(), e);
} catch (InvalidJwtException e) {
// 500
builder = Response.status(Response.Status.INTERNAL_SERVER_ERROR.getStatusCode());
log.error(e.getMessage(), e);
} catch (SignatureException e) {
// 500
builder = Response.status(Response.Status.INTERNAL_SERVER_ERROR.getStatusCode());
log.error(e.getMessage(), e);
} catch (InvalidClaimException e) {
// 500
builder = Response.status(Response.Status.INTERNAL_SERVER_ERROR.getStatusCode());
log.error(e.getMessage(), e);
} catch (Exception e) {
// 500
builder = Response.status(Response.Status.INTERNAL_SERVER_ERROR.getStatusCode());
log.error(e.getMessage(), e);
}
applicationAuditLogger.sendMessage(oAuth2AuditLog);
return builder.build();
}
Also used :
InvalidJwtException(org.xdi.oxauth.model.exception.InvalidJwtException)
OAuth2AuditLog(org.xdi.oxauth.model.audit.OAuth2AuditLog)
EntryPersistenceException(org.gluu.site.ldap.persistence.exception.EntryPersistenceException)
SignatureAlgorithm(org.xdi.oxauth.model.crypto.signature.SignatureAlgorithm)
SignatureException(java.security.SignatureException)
InvalidClaimException(org.xdi.oxauth.model.exception.InvalidClaimException)
StringEncrypter(org.xdi.util.security.StringEncrypter)
InvalidJwtException(org.xdi.oxauth.model.exception.InvalidJwtException)
SignatureException(java.security.SignatureException)
UnsupportedEncodingException(java.io.UnsupportedEncodingException)
InvalidClaimException(org.xdi.oxauth.model.exception.InvalidClaimException)
EntryPersistenceException(org.gluu.site.ldap.persistence.exception.EntryPersistenceException)
InvalidJweException(org.xdi.oxauth.model.exception.InvalidJweException)
BlockEncryptionAlgorithm(org.xdi.oxauth.model.crypto.encryption.BlockEncryptionAlgorithm)
JsonWebResponse(org.xdi.oxauth.model.token.JsonWebResponse)
Response(javax.ws.rs.core.Response)
KeyEncryptionAlgorithm(org.xdi.oxauth.model.crypto.encryption.KeyEncryptionAlgorithm)
CacheControl(javax.ws.rs.core.CacheControl)
Example 3 with OAuth2AuditLog
use of org.xdi.oxauth.model.audit.OAuth2AuditLog in project oxAuth by GluuFederation.
the class EndSessionRestWebServiceImpl method auditLogging.
private void auditLogging(HttpServletRequest request, Pair<SessionState, AuthorizationGrant> pair) {
SessionState sessionState = pair.getFirst();
AuthorizationGrant authorizationGrant = pair.getSecond();
OAuth2AuditLog oAuth2AuditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(request), Action.SESSION_DESTROYED);
oAuth2AuditLog.setSuccess(true);
if (authorizationGrant != null) {
oAuth2AuditLog.setClientId(authorizationGrant.getClientId());
oAuth2AuditLog.setScope(StringUtils.join(authorizationGrant.getScopes(), " "));
oAuth2AuditLog.setUsername(authorizationGrant.getUserId());
} else {
oAuth2AuditLog.setClientId(sessionState.getPermissionGrantedMap().getClientIds(true).toString());
oAuth2AuditLog.setScope(sessionState.getSessionAttributes().get(AuthorizeRequestParam.SCOPE));
oAuth2AuditLog.setUsername(sessionState.getUserDn());
}
applicationAuditLogger.sendMessage(oAuth2AuditLog);
}
Also used :
SessionState(org.xdi.oxauth.model.common.SessionState)
OAuth2AuditLog(org.xdi.oxauth.model.audit.OAuth2AuditLog)
AuthorizationGrant(org.xdi.oxauth.model.common.AuthorizationGrant)
Example 4 with OAuth2AuditLog
use of org.xdi.oxauth.model.audit.OAuth2AuditLog in project oxAuth by GluuFederation.
the class TokenRestWebServiceImpl method requestAccessToken.
@Override
public Response requestAccessToken(String grantType, String code, String redirectUri, String username, String password, String scope, String assertion, String refreshToken, String oxAuthExchangeToken, String clientId, String clientSecret, String codeVerifier, HttpServletRequest request, SecurityContext sec) {
log.debug("Attempting to request access token: grantType = {}, code = {}, redirectUri = {}, username = {}, refreshToken = {}, " + "clientId = {}, ExtraParams = {}, isSecure = {}, codeVerifier = {}", grantType, code, redirectUri, username, refreshToken, clientId, request.getParameterMap(), sec.isSecure(), codeVerifier);
OAuth2AuditLog oAuth2AuditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(request), Action.TOKEN_REQUEST);
oAuth2AuditLog.setClientId(clientId);
oAuth2AuditLog.setUsername(username);
oAuth2AuditLog.setScope(scope);
// it may be encoded in uma case
scope = ServerUtil.urlDecode(scope);
ResponseBuilder builder = Response.ok();
try {
log.debug("Starting to validate request parameters");
if (!TokenParamsValidator.validateParams(grantType, code, redirectUri, username, password, scope, assertion, refreshToken, oxAuthExchangeToken)) {
log.trace("Failed to validate request parameters");
builder = error(400, TokenErrorResponseType.INVALID_REQUEST);
} else {
log.trace("Request parameters are right");
GrantType gt = GrantType.fromString(grantType);
log.debug("Grant type: '{}'", gt);
SessionClient sessionClient = identity.getSetSessionClient();
Client client = null;
if (sessionClient != null) {
client = sessionClient.getClient();
log.debug("Get sessionClient: '{}'", sessionClient);
}
if (client != null) {
log.debug("Get client from session: '{}'", client.getClientId());
}
if (gt == GrantType.AUTHORIZATION_CODE) {
if (client == null) {
return response(error(400, TokenErrorResponseType.INVALID_GRANT));
}
log.debug("Attempting to find authorizationCodeGrant by clinetId: '{}', code: '{}'", client.getClientId(), code);
AuthorizationCodeGrant authorizationCodeGrant = authorizationGrantList.getAuthorizationCodeGrant(client.getClientId(), code);
log.trace("AuthorizationCodeGrant : '{}'", authorizationCodeGrant);
if (authorizationCodeGrant != null) {
validatePKCE(authorizationCodeGrant, codeVerifier);
authorizationCodeGrant.setIsCachedWithNoPersistence(false);
authorizationCodeGrant.save();
AccessToken accToken = authorizationCodeGrant.createAccessToken();
log.debug("Issuing access token: {}", accToken.getCode());
RefreshToken reToken = authorizationCodeGrant.createRefreshToken();
if (scope != null && !scope.isEmpty()) {
scope = authorizationCodeGrant.checkScopesPolicy(scope);
}
IdToken idToken = null;
if (authorizationCodeGrant.getScopes().contains("openid")) {
String nonce = authorizationCodeGrant.getNonce();
boolean includeIdTokenClaims = Boolean.TRUE.equals(appConfiguration.getLegacyIdTokenClaims());
idToken = authorizationCodeGrant.createIdToken(nonce, null, accToken, authorizationCodeGrant, includeIdTokenClaims);
}
builder.entity(getJSonResponse(accToken, accToken.getTokenType(), accToken.getExpiresIn(), reToken, scope, idToken));
oAuth2AuditLog.updateOAuth2AuditLog(authorizationCodeGrant, true);
grantService.removeByCode(authorizationCodeGrant.getAuthorizationCode().getCode(), authorizationCodeGrant.getClientId());
} else {
log.debug("AuthorizationCodeGrant is empty by clinetId: '{}', code: '{}'", client.getClientId(), code);
// if authorization code is not found then code was already used = remove all grants with this auth code
grantService.removeAllByAuthorizationCode(code);
builder = error(400, TokenErrorResponseType.INVALID_GRANT);
}
} else if (gt == GrantType.REFRESH_TOKEN) {
if (client == null) {
return response(error(401, TokenErrorResponseType.INVALID_GRANT));
}
AuthorizationGrant authorizationGrant = authorizationGrantList.getAuthorizationGrantByRefreshToken(client.getClientId(), refreshToken);
if (authorizationGrant != null) {
AccessToken accToken = authorizationGrant.createAccessToken();
/*
The authorization server MAY issue a new refresh token, in which case
the client MUST discard the old refresh token and replace it with the
new refresh token.
*/
RefreshToken reToken = authorizationGrant.createRefreshToken();
grantService.removeByCode(refreshToken, client.getClientId());
if (scope != null && !scope.isEmpty()) {
scope = authorizationGrant.checkScopesPolicy(scope);
}
builder.entity(getJSonResponse(accToken, accToken.getTokenType(), accToken.getExpiresIn(), reToken, scope, null));
oAuth2AuditLog.updateOAuth2AuditLog(authorizationGrant, true);
} else {
builder = error(401, TokenErrorResponseType.INVALID_GRANT);
}
} else if (gt == GrantType.CLIENT_CREDENTIALS) {
if (client == null) {
return response(error(401, TokenErrorResponseType.INVALID_GRANT));
}
// TODO: fix the user arg
ClientCredentialsGrant clientCredentialsGrant = authorizationGrantList.createClientCredentialsGrant(new User(), client);
AccessToken accessToken = clientCredentialsGrant.createAccessToken();
if (scope != null && !scope.isEmpty()) {
scope = clientCredentialsGrant.checkScopesPolicy(scope);
}
IdToken idToken = null;
if (clientCredentialsGrant.getScopes().contains("openid")) {
boolean includeIdTokenClaims = Boolean.TRUE.equals(appConfiguration.getLegacyIdTokenClaims());
idToken = clientCredentialsGrant.createIdToken(null, null, null, clientCredentialsGrant, includeIdTokenClaims);
}
oAuth2AuditLog.updateOAuth2AuditLog(clientCredentialsGrant, true);
builder.entity(getJSonResponse(accessToken, accessToken.getTokenType(), accessToken.getExpiresIn(), null, scope, idToken));
} else if (gt == GrantType.RESOURCE_OWNER_PASSWORD_CREDENTIALS) {
if (client == null) {
log.error("Invalid client", new RuntimeException("Client is empty"));
return response(error(401, TokenErrorResponseType.INVALID_CLIENT));
}
User user = null;
if (authenticationFilterService.isEnabled()) {
String userDn = authenticationFilterService.processAuthenticationFilters(request.getParameterMap());
if (StringHelper.isNotEmpty(userDn)) {
user = userService.getUserByDn(userDn);
}
}
if (user == null) {
boolean authenticated = authenticationService.authenticate(username, password);
if (authenticated) {
user = authenticationService.getAuthenticatedUser();
}
}
if (user != null) {
ResourceOwnerPasswordCredentialsGrant resourceOwnerPasswordCredentialsGrant = authorizationGrantList.createResourceOwnerPasswordCredentialsGrant(user, client);
AccessToken accessToken = resourceOwnerPasswordCredentialsGrant.createAccessToken();
RefreshToken reToken = resourceOwnerPasswordCredentialsGrant.createRefreshToken();
if (scope != null && !scope.isEmpty()) {
scope = resourceOwnerPasswordCredentialsGrant.checkScopesPolicy(scope);
}
IdToken idToken = null;
if (resourceOwnerPasswordCredentialsGrant.getScopes().contains("openid")) {
boolean includeIdTokenClaims = Boolean.TRUE.equals(appConfiguration.getLegacyIdTokenClaims());
idToken = resourceOwnerPasswordCredentialsGrant.createIdToken(null, null, null, resourceOwnerPasswordCredentialsGrant, includeIdTokenClaims);
}
oAuth2AuditLog.updateOAuth2AuditLog(resourceOwnerPasswordCredentialsGrant, true);
builder.entity(getJSonResponse(accessToken, accessToken.getTokenType(), accessToken.getExpiresIn(), reToken, scope, idToken));
} else {
log.error("Invalid user", new RuntimeException("User is empty"));
builder = error(401, TokenErrorResponseType.INVALID_CLIENT);
}
} else if (gt == GrantType.EXTENSION) {
builder = error(501, TokenErrorResponseType.INVALID_GRANT);
} else if (gt == GrantType.OXAUTH_EXCHANGE_TOKEN) {
AuthorizationGrant authorizationGrant = authorizationGrantList.getAuthorizationGrantByAccessToken(oxAuthExchangeToken);
if (authorizationGrant != null) {
final AccessToken accessToken = authorizationGrant.createLongLivedAccessToken();
oAuth2AuditLog.updateOAuth2AuditLog(authorizationGrant, true);
builder.entity(getJSonResponse(accessToken, accessToken.getTokenType(), accessToken.getExpiresIn(), null, null, null));
} else {
builder = error(401, TokenErrorResponseType.INVALID_GRANT);
}
}
}
} catch (WebApplicationException e) {
throw e;
} catch (SignatureException e) {
builder = Response.status(500);
log.error(e.getMessage(), e);
} catch (StringEncrypter.EncryptionException e) {
builder = Response.status(500);
log.error(e.getMessage(), e);
} catch (InvalidJwtException e) {
builder = Response.status(500);
log.error(e.getMessage(), e);
} catch (InvalidJweException e) {
builder = Response.status(500);
log.error(e.getMessage(), e);
} catch (Exception e) {
builder = Response.status(500);
log.error(e.getMessage(), e);
}
applicationAuditLogger.sendMessage(oAuth2AuditLog);
return response(builder);
}
Also used :
InvalidJwtException(org.xdi.oxauth.model.exception.InvalidJwtException)
IdToken(org.xdi.oxauth.model.common.IdToken)
User(org.xdi.oxauth.model.common.User)
WebApplicationException(javax.ws.rs.WebApplicationException)
SessionClient(org.xdi.oxauth.model.session.SessionClient)
OAuth2AuditLog(org.xdi.oxauth.model.audit.OAuth2AuditLog)
ResourceOwnerPasswordCredentialsGrant(org.xdi.oxauth.model.common.ResourceOwnerPasswordCredentialsGrant)
GrantType(org.xdi.oxauth.model.common.GrantType)
SignatureException(java.security.SignatureException)
StringEncrypter(org.xdi.util.security.StringEncrypter)
InvalidJwtException(org.xdi.oxauth.model.exception.InvalidJwtException)
SignatureException(java.security.SignatureException)
JSONException(org.codehaus.jettison.json.JSONException)
WebApplicationException(javax.ws.rs.WebApplicationException)
InvalidJweException(org.xdi.oxauth.model.exception.InvalidJweException)
RefreshToken(org.xdi.oxauth.model.common.RefreshToken)
AuthorizationCodeGrant(org.xdi.oxauth.model.common.AuthorizationCodeGrant)
AccessToken(org.xdi.oxauth.model.common.AccessToken)
ClientCredentialsGrant(org.xdi.oxauth.model.common.ClientCredentialsGrant)
ResponseBuilder(javax.ws.rs.core.Response.ResponseBuilder)
Client(org.xdi.oxauth.model.registration.Client)
SessionClient(org.xdi.oxauth.model.session.SessionClient)
AuthorizationGrant(org.xdi.oxauth.model.common.AuthorizationGrant)
InvalidJweException(org.xdi.oxauth.model.exception.InvalidJweException)
Example 5 with OAuth2AuditLog
use of org.xdi.oxauth.model.audit.OAuth2AuditLog in project oxAuth by GluuFederation.
the class GrantService method auditLogging.
private void auditLogging(Collection<TokenLdap> entries) {
for (TokenLdap tokenLdap : entries) {
OAuth2AuditLog oAuth2AuditLog = new OAuth2AuditLog(null, Action.SESSION_DESTROYED);
oAuth2AuditLog.setSuccess(true);
oAuth2AuditLog.setClientId(tokenLdap.getClientId());
oAuth2AuditLog.setScope(tokenLdap.getScope());
oAuth2AuditLog.setUsername(tokenLdap.getUserId());
applicationAuditLogger.sendMessage(oAuth2AuditLog);
}
}
Also used :
OAuth2AuditLog(org.xdi.oxauth.model.audit.OAuth2AuditLog)
TokenLdap(org.xdi.oxauth.model.ldap.TokenLdap)
Aggregations
OAuth2AuditLog (org.xdi.oxauth.model.audit.OAuth2AuditLog)9
Client (org.xdi.oxauth.model.registration.Client)5
StringEncrypter (org.xdi.util.security.StringEncrypter)5
JSONException (org.codehaus.jettison.json.JSONException)4
SignatureException (java.security.SignatureException)3
WebApplicationException (javax.ws.rs.WebApplicationException)3
Response (javax.ws.rs.core.Response)3
AuthorizationGrant (org.xdi.oxauth.model.common.AuthorizationGrant)3
InvalidJwtException (org.xdi.oxauth.model.exception.InvalidJwtException)3
URI (java.net.URI)2
GregorianCalendar (java.util.GregorianCalendar)2
CacheControl (javax.ws.rs.core.CacheControl)2
ResponseBuilder (javax.ws.rs.core.Response.ResponseBuilder)2
EntryPersistenceException (org.gluu.site.ldap.persistence.exception.EntryPersistenceException)2
RegisterRequest (org.xdi.oxauth.client.RegisterRequest)2
AccessToken (org.xdi.oxauth.model.common.AccessToken)2
IdToken (org.xdi.oxauth.model.common.IdToken)2
SessionState (org.xdi.oxauth.model.common.SessionState)2
User (org.xdi.oxauth.model.common.User)2
InvalidJweException (org.xdi.oxauth.model.exception.InvalidJweException)2
