
Example 1 with RefreshToken

use of org.xdi.oxauth.model.common.RefreshToken in project oxAuth by GluuFederation.

the class TokenRestWebServiceImpl method requestAccessToken.

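/**
 * Handles the OAuth2 token endpoint and issues tokens for the requested grant type.
 * <p>
 * The request parameters are first checked with {@code TokenParamsValidator}; the client is taken
 * from the current session ({@code identity.getSetSessionClient()}), so it is presumably
 * authenticated by an upstream filter rather than from {@code clientId}/{@code clientSecret} here
 * (confirm against the filter chain). Each supported grant type is handled in its own branch:
 * authorization code (with PKCE check), refresh token (old token is revoked and a new one issued),
 * client credentials, resource owner password credentials and the oxAuth exchange token;
 * {@code EXTENSION} is answered with 501. Unexpected failures are mapped to a bare 500.
 *
 * @param grantType           OAuth2 {@code grant_type}
 * @param code                authorization code (authorization-code grant)
 * @param redirectUri         redirect URI the code was issued for
 * @param username            resource owner user name (password grant)
 * @param password            resource owner password (password grant); never logged
 * @param scope               requested scope, possibly URL-encoded (UMA case)
 * @param assertion           assertion parameter, only passed to the validator
 * @param refreshToken        refresh token to exchange (refresh-token grant); never logged
 * @param oxAuthExchangeToken access token to exchange for a long-lived one (oxAuth extension)
 * @param clientId            client id as sent by the client, used for the audit record
 * @param clientSecret        client secret as sent by the client; unused in this method
 * @param codeVerifier        PKCE code verifier (authorization-code grant); never logged
 * @param request             the HTTP request (client IP, parameter map for authentication filters)
 * @param sec                 JAX-RS security context
 * @return the token response, or an error response built from {@code TokenErrorResponseType}
 * @throws WebApplicationException rethrown unchanged when raised by a nested step such as
 *                                 {@code validatePKCE} (presumably with its own status)
 */
@Override
public Response requestAccessToken(String grantType, String code, String redirectUri, String username, String password, String scope, String assertion, String refreshToken, String oxAuthExchangeToken, String clientId, String clientSecret, String codeVerifier, HttpServletRequest request, SecurityContext sec) {
    // Log only whether the credential-bearing parameters were supplied, never their values:
    // code, refresh_token and code_verifier are bearer credentials, and the raw parameter
    // map would also carry password and client_secret into the server log.
    log.debug("Attempting to request access token: grantType = {}, redirectUri = {}, username = {}, clientId = {}, "
            + "hasCode = {}, hasRefreshToken = {}, hasCodeVerifier = {}, paramNames = {}, isSecure = {}",
            grantType, redirectUri, username, clientId,
            code != null, refreshToken != null, codeVerifier != null,
            request.getParameterMap().keySet(), sec.isSecure());

    OAuth2AuditLog oAuth2AuditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(request), Action.TOKEN_REQUEST);
    oAuth2AuditLog.setClientId(clientId);
    oAuth2AuditLog.setUsername(username);
    oAuth2AuditLog.setScope(scope);

    // it may be encoded in uma case
    scope = ServerUtil.urlDecode(scope);

    ResponseBuilder builder = Response.ok();
    try {
        log.debug("Starting to validate request parameters");
        if (!TokenParamsValidator.validateParams(grantType, code, redirectUri, username, password, scope, assertion, refreshToken, oxAuthExchangeToken)) {
            log.trace("Failed to validate request parameters");
            builder = error(400, TokenErrorResponseType.INVALID_REQUEST);
        } else {
            log.trace("Request parameters are right");
            GrantType gt = GrantType.fromString(grantType);
            log.debug("Grant type: '{}'", gt);

            // The client is resolved from the session only; a request without a session client
            // is rejected by every grant branch that needs one.
            SessionClient sessionClient = identity.getSetSessionClient();
            Client client = null;
            if (sessionClient != null) {
                client = sessionClient.getClient();
                log.debug("Get sessionClient: '{}'", sessionClient);
            }
            if (client != null) {
                log.debug("Get client from session: '{}'", client.getClientId());
            }

            // NOTE(review): if gt is null (unknown grant type not rejected by the validator) no
            // branch matches and an empty 200 is returned — confirm the validator rules that out.
            if (gt == GrantType.AUTHORIZATION_CODE) {
                if (client == null) {
                    // NOTE(review): the early returns for a missing client skip
                    // applicationAuditLogger.sendMessage(...) — confirm whether such rejections
                    // should still be audited.
                    return response(error(400, TokenErrorResponseType.INVALID_GRANT));
                }
                log.debug("Attempting to find authorizationCodeGrant by clinetId: '{}', code: '{}'", client.getClientId(), code);
                AuthorizationCodeGrant authorizationCodeGrant = authorizationGrantList.getAuthorizationCodeGrant(client.getClientId(), code);
                log.trace("AuthorizationCodeGrant : '{}'", authorizationCodeGrant);
                if (authorizationCodeGrant != null) {
                    validatePKCE(authorizationCodeGrant, codeVerifier);
                    // Persist the grant before minting tokens against it.
                    authorizationCodeGrant.setIsCachedWithNoPersistence(false);
                    authorizationCodeGrant.save();

                    AccessToken accToken = authorizationCodeGrant.createAccessToken();
                    log.debug("Issuing access token: {}", accToken.getCode());
                    RefreshToken reToken = authorizationCodeGrant.createRefreshToken();

                    if (scope != null && !scope.isEmpty()) {
                        scope = authorizationCodeGrant.checkScopesPolicy(scope);
                    }

                    IdToken idToken = null;
                    if (authorizationCodeGrant.getScopes().contains("openid")) {
                        String nonce = authorizationCodeGrant.getNonce();
                        boolean includeIdTokenClaims = Boolean.TRUE.equals(appConfiguration.getLegacyIdTokenClaims());
                        idToken = authorizationCodeGrant.createIdToken(nonce, null, accToken, authorizationCodeGrant, includeIdTokenClaims);
                    }

                    builder.entity(getJSonResponse(accToken, accToken.getTokenType(), accToken.getExpiresIn(), reToken, scope, idToken));
                    oAuth2AuditLog.updateOAuth2AuditLog(authorizationCodeGrant, true);
                    // The code is single-use: drop it once tokens have been issued.
                    grantService.removeByCode(authorizationCodeGrant.getAuthorizationCode().getCode(), authorizationCodeGrant.getClientId());
                } else {
                    log.debug("AuthorizationCodeGrant is empty by clinetId: '{}', code: '{}'", client.getClientId(), code);
                    // if authorization code is not found then code was already used = remove all grants with this auth code
                    grantService.removeAllByAuthorizationCode(code);
                    builder = error(400, TokenErrorResponseType.INVALID_GRANT);
                }
            } else if (gt == GrantType.REFRESH_TOKEN) {
                if (client == null) {
                    return response(error(401, TokenErrorResponseType.INVALID_GRANT));
                }
                AuthorizationGrant authorizationGrant = authorizationGrantList.getAuthorizationGrantByRefreshToken(client.getClientId(), refreshToken);
                if (authorizationGrant != null) {
                    AccessToken accToken = authorizationGrant.createAccessToken();
                    /*
                        The authorization server MAY issue a new refresh token, in which case
                        the client MUST discard the old refresh token and replace it with the
                        new refresh token.
                        */
                    RefreshToken reToken = authorizationGrant.createRefreshToken();
                    // Rotate: the presented refresh token is revoked once the new one exists.
                    grantService.removeByCode(refreshToken, client.getClientId());

                    if (scope != null && !scope.isEmpty()) {
                        scope = authorizationGrant.checkScopesPolicy(scope);
                    }

                    builder.entity(getJSonResponse(accToken, accToken.getTokenType(), accToken.getExpiresIn(), reToken, scope, null));
                    oAuth2AuditLog.updateOAuth2AuditLog(authorizationGrant, true);
                } else {
                    builder = error(401, TokenErrorResponseType.INVALID_GRANT);
                }
            } else if (gt == GrantType.CLIENT_CREDENTIALS) {
                if (client == null) {
                    return response(error(401, TokenErrorResponseType.INVALID_GRANT));
                }
                // TODO: fix the user arg
                ClientCredentialsGrant clientCredentialsGrant = authorizationGrantList.createClientCredentialsGrant(new User(), client);
                AccessToken accessToken = clientCredentialsGrant.createAccessToken();

                if (scope != null && !scope.isEmpty()) {
                    scope = clientCredentialsGrant.checkScopesPolicy(scope);
                }

                IdToken idToken = null;
                if (clientCredentialsGrant.getScopes().contains("openid")) {
                    boolean includeIdTokenClaims = Boolean.TRUE.equals(appConfiguration.getLegacyIdTokenClaims());
                    idToken = clientCredentialsGrant.createIdToken(null, null, null, clientCredentialsGrant, includeIdTokenClaims);
                }

                oAuth2AuditLog.updateOAuth2AuditLog(clientCredentialsGrant, true);
                // No refresh token is issued for client credentials.
                builder.entity(getJSonResponse(accessToken, accessToken.getTokenType(), accessToken.getExpiresIn(), null, scope, idToken));
            } else if (gt == GrantType.RESOURCE_OWNER_PASSWORD_CREDENTIALS) {
                if (client == null) {
                    log.error("Invalid client", new RuntimeException("Client is empty"));
                    return response(error(401, TokenErrorResponseType.INVALID_CLIENT));
                }

                // Authentication filters (if enabled) get the first chance to identify the user
                // from the raw parameters; otherwise fall back to username/password.
                User user = null;
                if (authenticationFilterService.isEnabled()) {
                    String userDn = authenticationFilterService.processAuthenticationFilters(request.getParameterMap());
                    if (StringHelper.isNotEmpty(userDn)) {
                        user = userService.getUserByDn(userDn);
                    }
                }
                if (user == null) {
                    boolean authenticated = authenticationService.authenticate(username, password);
                    if (authenticated) {
                        user = authenticationService.getAuthenticatedUser();
                    }
                }

                if (user != null) {
                    ResourceOwnerPasswordCredentialsGrant resourceOwnerPasswordCredentialsGrant = authorizationGrantList.createResourceOwnerPasswordCredentialsGrant(user, client);
                    AccessToken accessToken = resourceOwnerPasswordCredentialsGrant.createAccessToken();
                    RefreshToken reToken = resourceOwnerPasswordCredentialsGrant.createRefreshToken();

                    if (scope != null && !scope.isEmpty()) {
                        scope = resourceOwnerPasswordCredentialsGrant.checkScopesPolicy(scope);
                    }

                    IdToken idToken = null;
                    if (resourceOwnerPasswordCredentialsGrant.getScopes().contains("openid")) {
                        boolean includeIdTokenClaims = Boolean.TRUE.equals(appConfiguration.getLegacyIdTokenClaims());
                        idToken = resourceOwnerPasswordCredentialsGrant.createIdToken(null, null, null, resourceOwnerPasswordCredentialsGrant, includeIdTokenClaims);
                    }

                    oAuth2AuditLog.updateOAuth2AuditLog(resourceOwnerPasswordCredentialsGrant, true);
                    builder.entity(getJSonResponse(accessToken, accessToken.getTokenType(), accessToken.getExpiresIn(), reToken, scope, idToken));
                } else {
                    log.error("Invalid user", new RuntimeException("User is empty"));
                    builder = error(401, TokenErrorResponseType.INVALID_CLIENT);
                }
            } else if (gt == GrantType.EXTENSION) {
                builder = error(501, TokenErrorResponseType.INVALID_GRANT);
            } else if (gt == GrantType.OXAUTH_EXCHANGE_TOKEN) {
                // Exchange an existing access token for a long-lived one; looked up by token
                // only, so no session client is required on this path.
                AuthorizationGrant authorizationGrant = authorizationGrantList.getAuthorizationGrantByAccessToken(oxAuthExchangeToken);
                if (authorizationGrant != null) {
                    final AccessToken accessToken = authorizationGrant.createLongLivedAccessToken();
                    oAuth2AuditLog.updateOAuth2AuditLog(authorizationGrant, true);
                    builder.entity(getJSonResponse(accessToken, accessToken.getTokenType(), accessToken.getExpiresIn(), null, null, null));
                } else {
                    builder = error(401, TokenErrorResponseType.INVALID_GRANT);
                }
            }
        }
    } catch (WebApplicationException e) {
        // Already carries the intended status (e.g. from validatePKCE); propagate unchanged.
        throw e;
    } catch (Exception e) {
        // SignatureException, EncryptionException, InvalidJwtException, InvalidJweException and
        // any other failure were all handled identically: a bare 500 with the detail kept in
        // the server log only, so the separate catch clauses are folded into this one.
        builder = Response.status(500);
        log.error(e.getMessage(), e);
    }
    applicationAuditLogger.sendMessage(oAuth2AuditLog);
    return response(builder);
}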

Example 2 with RefreshToken

use of org.xdi.oxauth.model.common.RefreshToken in project oxAuth by GluuFederation.

the class PersistentJwt method toString.

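/**
 * Serialises this persistent JWT to the JSON document that {@code load(String)} reads back.
 * <p>
 * Only non-null (for strings: non-blank) fields are written. Dates are written as epoch
 * milliseconds; each token is written as an object with optional {@code code},
 * {@code creation_date} and {@code expiration_date} members.
 *
 * @return the JSON document as a string; on a {@link JSONException} the error is logged and
 *         whatever was assembled so far is returned
 */
@Override
public String toString() {
    JSONObject jsonObject = new JSONObject();
    try {
        if (StringUtils.isNotBlank(userId)) {
            jsonObject.put("user_id", userId);
        }
        if (StringUtils.isNotBlank(clientId)) {
            jsonObject.put("client_id", clientId);
        }
        if (authorizationGrantType != null) {
            jsonObject.put("authorization_grant_type", authorizationGrantType);
        }
        if (authenticationTime != null) {
            jsonObject.put("authentication_time", authenticationTime.getTime());
        }
        if (scopes != null) {
            JSONArray scopesJsonArray = new JSONArray();
            for (String scope : scopes) {
                scopesJsonArray.put(scope);
            }
            jsonObject.put("scopes", scopesJsonArray);
        }
        if (accessTokens != null) {
            JSONArray accessTokensJsonArray = new JSONArray();
            for (AccessToken accessToken : accessTokens) {
                accessTokensJsonArray.put(tokenToJson(accessToken.getCode(), accessToken.getCreationDate(), accessToken.getExpirationDate()));
            }
            jsonObject.put("access_tokens", accessTokensJsonArray);
        }
        if (refreshTokens != null) {
            JSONArray refreshTokensJsonArray = new JSONArray();
            for (RefreshToken refreshToken : refreshTokens) {
                // Previously the per-token object was built but never added to the array, so
                // "refresh_tokens" was always persisted as [] and the refresh tokens were lost.
                refreshTokensJsonArray.put(tokenToJson(refreshToken.getCode(), refreshToken.getCreationDate(), refreshToken.getExpirationDate()));
            }
            jsonObject.put("refresh_tokens", refreshTokensJsonArray);
        }
        if (longLivedAccessToken != null) {
            jsonObject.put("long_lived_access_token", tokenToJson(longLivedAccessToken.getCode(), longLivedAccessToken.getCreationDate(), longLivedAccessToken.getExpirationDate()));
        }
        if (idToken != null) {
            jsonObject.put("id_token", tokenToJson(idToken.getCode(), idToken.getCreationDate(), idToken.getExpirationDate()));
        }
    } catch (JSONException e) {
        log.error(e.getMessage(), e);
    }
    return jsonObject.toString();
}

/**
 * Builds the JSON object for a single token.
 * <p>
 * Each member is written only when its value is present: {@code code} when non-empty,
 * {@code creation_date} and {@code expiration_date} as epoch milliseconds when non-null.
 * The same shape is used for access, refresh, long-lived and id tokens.
 *
 * @param code           the token value, may be null or empty
 * @param creationDate   creation time, may be null
 * @param expirationDate expiry time, may be null
 * @return the token object (possibly empty)
 * @throws JSONException if a member cannot be written
 */
private static JSONObject tokenToJson(String code, Date creationDate, Date expirationDate) throws JSONException {
    JSONObject tokenJsonObject = new JSONObject();
    if (code != null && !code.isEmpty()) {
        tokenJsonObject.put("code", code);
    }
    if (creationDate != null) {
        tokenJsonObject.put("creation_date", creationDate.getTime());
    }
    if (expirationDate != null) {
        tokenJsonObject.put("expiration_date", expirationDate.getTime());
    }
    return tokenJsonObject;
}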

Example 3 with RefreshToken

use of org.xdi.oxauth.model.common.RefreshToken in project oxAuth by GluuFederation.

the class PersistentJwt method load.

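/**
 * Populates this object's fields from the JSON document produced by {@link #toString()}.
 * <p>
 * Members absent from the document leave the corresponding field untouched. A token entry is
 * only rebuilt when {@code code}, {@code creation_date} and {@code expiration_date} are all
 * present; incomplete entries are silently skipped (for the token lists this means the entry
 * is dropped, for the single tokens the field stays as it was).
 *
 * @param jwt the JSON document to parse
 * @return always {@code false} in the current implementation; callers should rely on the
 *         thrown {@link JSONException} rather than on this flag (kept to preserve the existing
 *         contract)
 * @throws JSONException if {@code jwt} is not valid JSON or a present member has the wrong type
 */
private boolean load(String jwt) throws JSONException {
    JSONObject jsonObject = new JSONObject(jwt);
    if (jsonObject.has("user_id")) {
        userId = jsonObject.getString("user_id");
    }
    if (jsonObject.has("client_id")) {
        clientId = jsonObject.getString("client_id");
    }
    if (jsonObject.has("authorization_grant_type")) {
        authorizationGrantType = AuthorizationGrantType.fromString(jsonObject.getString("authorization_grant_type"));
    }
    if (jsonObject.has("authentication_time")) {
        authenticationTime = new Date(jsonObject.getLong("authentication_time"));
    }
    if (jsonObject.has("scopes")) {
        JSONArray jsonArray = jsonObject.getJSONArray("scopes");
        scopes = Util.asList(jsonArray);
    }
    if (jsonObject.has("access_tokens")) {
        JSONArray accessTokensJsonArray = jsonObject.getJSONArray("access_tokens");
        accessTokens = new ArrayList<AccessToken>();
        for (int i = 0; i < accessTokensJsonArray.length(); i++) {
            JSONObject accessTokenJsonObject = accessTokensJsonArray.getJSONObject(i);
            if (hasTokenFields(accessTokenJsonObject)) {
                String tokenCode = accessTokenJsonObject.getString("code");
                Date creationDate = new Date(accessTokenJsonObject.getLong("creation_date"));
                Date expirationDate = new Date(accessTokenJsonObject.getLong("expiration_date"));
                accessTokens.add(new AccessToken(tokenCode, creationDate, expirationDate));
            }
        }
    }
    if (jsonObject.has("refresh_tokens")) {
        JSONArray refreshTokensJsonArray = jsonObject.getJSONArray("refresh_tokens");
        refreshTokens = new ArrayList<RefreshToken>();
        for (int i = 0; i < refreshTokensJsonArray.length(); i++) {
            JSONObject refreshTokenJsonObject = refreshTokensJsonArray.getJSONObject(i);
            if (hasTokenFields(refreshTokenJsonObject)) {
                String tokenCode = refreshTokenJsonObject.getString("code");
                Date creationDate = new Date(refreshTokenJsonObject.getLong("creation_date"));
                Date expirationDate = new Date(refreshTokenJsonObject.getLong("expiration_date"));
                refreshTokens.add(new RefreshToken(tokenCode, creationDate, expirationDate));
            }
        }
    }
    if (jsonObject.has("long_lived_access_token")) {
        JSONObject longLivedAccessTokenJsonObject = jsonObject.getJSONObject("long_lived_access_token");
        if (hasTokenFields(longLivedAccessTokenJsonObject)) {
            String tokenCode = longLivedAccessTokenJsonObject.getString("code");
            Date creationDate = new Date(longLivedAccessTokenJsonObject.getLong("creation_date"));
            Date expirationDate = new Date(longLivedAccessTokenJsonObject.getLong("expiration_date"));
            longLivedAccessToken = new AccessToken(tokenCode, creationDate, expirationDate);
        }
    }
    if (jsonObject.has("id_token")) {
        JSONObject idTokenJsonObject = jsonObject.getJSONObject("id_token");
        if (hasTokenFields(idTokenJsonObject)) {
            String tokenCode = idTokenJsonObject.getString("code");
            Date creationDate = new Date(idTokenJsonObject.getLong("creation_date"));
            Date expirationDate = new Date(idTokenJsonObject.getLong("expiration_date"));
            idToken = new IdToken(tokenCode, creationDate, expirationDate);
        }
    }
    return false;
}

/**
 * Tells whether a serialised token object carries every member needed to rebuild the token.
 *
 * @param tokenJsonObject one entry of the token lists, or a single-token member
 * @return {@code true} when {@code code}, {@code creation_date} and {@code expiration_date}
 *         are all present
 */
private static boolean hasTokenFields(JSONObject tokenJsonObject) {
    return tokenJsonObject.has("code")
            && tokenJsonObject.has("creation_date")
            && tokenJsonObject.has("expiration_date");
}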
