Example 1 with User
use of org.xdi.oxauth.model.common.User in project oxAuth by GluuFederation.
the class AuthorizeAction method permissionGranted.
public void permissionGranted(SessionState session) {
try {
final User user = userService.getUserByDn(session.getUserDn());
if (user == null) {
log.error("Permission denied. Failed to find session user: userDn = " + session.getUserDn() + ".");
permissionDenied();
return;
}
if (clientId == null) {
clientId = session.getSessionAttributes().get(AuthorizeRequestParam.CLIENT_ID);
}
final Client client = clientService.getClient(clientId);
if (scope == null) {
scope = session.getSessionAttributes().get(AuthorizeRequestParam.SCOPE);
}
// ldap database, and serve no purpose.
if (client.getPersistClientAuthorizations() && !client.getTrustedClient()) {
final Set<String> scopes = Sets.newHashSet(org.xdi.oxauth.model.util.StringUtils.spaceSeparatedToList(scope));
clientAuthorizationsService.add(user.getAttribute("inum"), client.getClientId(), scopes);
}
session.addPermission(clientId, true);
sessionStateService.updateSessionState(session);
// OXAUTH-297 - set session_state cookie
sessionStateService.createSessionStateCookie(sessionState);
Map<String, String> sessionAttribute = authenticationService.getAllowedParameters(session.getSessionAttributes());
if (sessionAttribute.containsKey(AuthorizeRequestParam.PROMPT)) {
List<Prompt> prompts = Prompt.fromString(sessionAttribute.get(AuthorizeRequestParam.PROMPT), " ");
prompts.remove(Prompt.CONSENT);
sessionAttribute.put(AuthorizeRequestParam.PROMPT, org.xdi.oxauth.model.util.StringUtils.implodeEnum(prompts, " "));
}
final String parametersAsString = authenticationService.parametersAsString(sessionAttribute);
final String uri = "seam/resource/restv1/oxauth/authorize?" + parametersAsString;
log.trace("permissionGranted, redirectTo: {}", uri);
facesService.redirectToExternalURL(uri);
} catch (UnsupportedEncodingException e) {
log.trace(e.getMessage(), e);
}
}
Also used :
User(org.xdi.oxauth.model.common.User)
UnsupportedEncodingException(java.io.UnsupportedEncodingException)
Prompt(org.xdi.oxauth.model.common.Prompt)
Client(org.xdi.oxauth.model.registration.Client)
Example 2 with User
use of org.xdi.oxauth.model.common.User in project oxAuth by GluuFederation.
the class TokenRestWebServiceImpl method requestAccessToken.
@Override
public Response requestAccessToken(String grantType, String code, String redirectUri, String username, String password, String scope, String assertion, String refreshToken, String oxAuthExchangeToken, String clientId, String clientSecret, String codeVerifier, HttpServletRequest request, SecurityContext sec) {
log.debug("Attempting to request access token: grantType = {}, code = {}, redirectUri = {}, username = {}, refreshToken = {}, " + "clientId = {}, ExtraParams = {}, isSecure = {}, codeVerifier = {}", grantType, code, redirectUri, username, refreshToken, clientId, request.getParameterMap(), sec.isSecure(), codeVerifier);
OAuth2AuditLog oAuth2AuditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(request), Action.TOKEN_REQUEST);
oAuth2AuditLog.setClientId(clientId);
oAuth2AuditLog.setUsername(username);
oAuth2AuditLog.setScope(scope);
// it may be encoded in uma case
scope = ServerUtil.urlDecode(scope);
ResponseBuilder builder = Response.ok();
try {
log.debug("Starting to validate request parameters");
if (!TokenParamsValidator.validateParams(grantType, code, redirectUri, username, password, scope, assertion, refreshToken, oxAuthExchangeToken)) {
log.trace("Failed to validate request parameters");
builder = error(400, TokenErrorResponseType.INVALID_REQUEST);
} else {
log.trace("Request parameters are right");
GrantType gt = GrantType.fromString(grantType);
log.debug("Grant type: '{}'", gt);
SessionClient sessionClient = identity.getSetSessionClient();
Client client = null;
if (sessionClient != null) {
client = sessionClient.getClient();
log.debug("Get sessionClient: '{}'", sessionClient);
}
if (client != null) {
log.debug("Get client from session: '{}'", client.getClientId());
}
if (gt == GrantType.AUTHORIZATION_CODE) {
if (client == null) {
return response(error(400, TokenErrorResponseType.INVALID_GRANT));
}
log.debug("Attempting to find authorizationCodeGrant by clinetId: '{}', code: '{}'", client.getClientId(), code);
AuthorizationCodeGrant authorizationCodeGrant = authorizationGrantList.getAuthorizationCodeGrant(client.getClientId(), code);
log.trace("AuthorizationCodeGrant : '{}'", authorizationCodeGrant);
if (authorizationCodeGrant != null) {
validatePKCE(authorizationCodeGrant, codeVerifier);
authorizationCodeGrant.setIsCachedWithNoPersistence(false);
authorizationCodeGrant.save();
AccessToken accToken = authorizationCodeGrant.createAccessToken();
log.debug("Issuing access token: {}", accToken.getCode());
RefreshToken reToken = authorizationCodeGrant.createRefreshToken();
if (scope != null && !scope.isEmpty()) {
scope = authorizationCodeGrant.checkScopesPolicy(scope);
}
IdToken idToken = null;
if (authorizationCodeGrant.getScopes().contains("openid")) {
String nonce = authorizationCodeGrant.getNonce();
boolean includeIdTokenClaims = Boolean.TRUE.equals(appConfiguration.getLegacyIdTokenClaims());
idToken = authorizationCodeGrant.createIdToken(nonce, null, accToken, authorizationCodeGrant, includeIdTokenClaims);
}
builder.entity(getJSonResponse(accToken, accToken.getTokenType(), accToken.getExpiresIn(), reToken, scope, idToken));
oAuth2AuditLog.updateOAuth2AuditLog(authorizationCodeGrant, true);
grantService.removeByCode(authorizationCodeGrant.getAuthorizationCode().getCode(), authorizationCodeGrant.getClientId());
} else {
log.debug("AuthorizationCodeGrant is empty by clinetId: '{}', code: '{}'", client.getClientId(), code);
// if authorization code is not found then code was already used = remove all grants with this auth code
grantService.removeAllByAuthorizationCode(code);
builder = error(400, TokenErrorResponseType.INVALID_GRANT);
}
} else if (gt == GrantType.REFRESH_TOKEN) {
if (client == null) {
return response(error(401, TokenErrorResponseType.INVALID_GRANT));
}
AuthorizationGrant authorizationGrant = authorizationGrantList.getAuthorizationGrantByRefreshToken(client.getClientId(), refreshToken);
if (authorizationGrant != null) {
AccessToken accToken = authorizationGrant.createAccessToken();
/*
The authorization server MAY issue a new refresh token, in which case
the client MUST discard the old refresh token and replace it with the
new refresh token.
*/
RefreshToken reToken = authorizationGrant.createRefreshToken();
grantService.removeByCode(refreshToken, client.getClientId());
if (scope != null && !scope.isEmpty()) {
scope = authorizationGrant.checkScopesPolicy(scope);
}
builder.entity(getJSonResponse(accToken, accToken.getTokenType(), accToken.getExpiresIn(), reToken, scope, null));
oAuth2AuditLog.updateOAuth2AuditLog(authorizationGrant, true);
} else {
builder = error(401, TokenErrorResponseType.INVALID_GRANT);
}
} else if (gt == GrantType.CLIENT_CREDENTIALS) {
if (client == null) {
return response(error(401, TokenErrorResponseType.INVALID_GRANT));
}
// TODO: fix the user arg
ClientCredentialsGrant clientCredentialsGrant = authorizationGrantList.createClientCredentialsGrant(new User(), client);
AccessToken accessToken = clientCredentialsGrant.createAccessToken();
if (scope != null && !scope.isEmpty()) {
scope = clientCredentialsGrant.checkScopesPolicy(scope);
}
IdToken idToken = null;
if (clientCredentialsGrant.getScopes().contains("openid")) {
boolean includeIdTokenClaims = Boolean.TRUE.equals(appConfiguration.getLegacyIdTokenClaims());
idToken = clientCredentialsGrant.createIdToken(null, null, null, clientCredentialsGrant, includeIdTokenClaims);
}
oAuth2AuditLog.updateOAuth2AuditLog(clientCredentialsGrant, true);
builder.entity(getJSonResponse(accessToken, accessToken.getTokenType(), accessToken.getExpiresIn(), null, scope, idToken));
} else if (gt == GrantType.RESOURCE_OWNER_PASSWORD_CREDENTIALS) {
if (client == null) {
log.error("Invalid client", new RuntimeException("Client is empty"));
return response(error(401, TokenErrorResponseType.INVALID_CLIENT));
}
User user = null;
if (authenticationFilterService.isEnabled()) {
String userDn = authenticationFilterService.processAuthenticationFilters(request.getParameterMap());
if (StringHelper.isNotEmpty(userDn)) {
user = userService.getUserByDn(userDn);
}
}
if (user == null) {
boolean authenticated = authenticationService.authenticate(username, password);
if (authenticated) {
user = authenticationService.getAuthenticatedUser();
}
}
if (user != null) {
ResourceOwnerPasswordCredentialsGrant resourceOwnerPasswordCredentialsGrant = authorizationGrantList.createResourceOwnerPasswordCredentialsGrant(user, client);
AccessToken accessToken = resourceOwnerPasswordCredentialsGrant.createAccessToken();
RefreshToken reToken = resourceOwnerPasswordCredentialsGrant.createRefreshToken();
if (scope != null && !scope.isEmpty()) {
scope = resourceOwnerPasswordCredentialsGrant.checkScopesPolicy(scope);
}
IdToken idToken = null;
if (resourceOwnerPasswordCredentialsGrant.getScopes().contains("openid")) {
boolean includeIdTokenClaims = Boolean.TRUE.equals(appConfiguration.getLegacyIdTokenClaims());
idToken = resourceOwnerPasswordCredentialsGrant.createIdToken(null, null, null, resourceOwnerPasswordCredentialsGrant, includeIdTokenClaims);
}
oAuth2AuditLog.updateOAuth2AuditLog(resourceOwnerPasswordCredentialsGrant, true);
builder.entity(getJSonResponse(accessToken, accessToken.getTokenType(), accessToken.getExpiresIn(), reToken, scope, idToken));
} else {
log.error("Invalid user", new RuntimeException("User is empty"));
builder = error(401, TokenErrorResponseType.INVALID_CLIENT);
}
} else if (gt == GrantType.EXTENSION) {
builder = error(501, TokenErrorResponseType.INVALID_GRANT);
} else if (gt == GrantType.OXAUTH_EXCHANGE_TOKEN) {
AuthorizationGrant authorizationGrant = authorizationGrantList.getAuthorizationGrantByAccessToken(oxAuthExchangeToken);
if (authorizationGrant != null) {
final AccessToken accessToken = authorizationGrant.createLongLivedAccessToken();
oAuth2AuditLog.updateOAuth2AuditLog(authorizationGrant, true);
builder.entity(getJSonResponse(accessToken, accessToken.getTokenType(), accessToken.getExpiresIn(), null, null, null));
} else {
builder = error(401, TokenErrorResponseType.INVALID_GRANT);
}
}
}
} catch (WebApplicationException e) {
throw e;
} catch (SignatureException e) {
builder = Response.status(500);
log.error(e.getMessage(), e);
} catch (StringEncrypter.EncryptionException e) {
builder = Response.status(500);
log.error(e.getMessage(), e);
} catch (InvalidJwtException e) {
builder = Response.status(500);
log.error(e.getMessage(), e);
} catch (InvalidJweException e) {
builder = Response.status(500);
log.error(e.getMessage(), e);
} catch (Exception e) {
builder = Response.status(500);
log.error(e.getMessage(), e);
}
applicationAuditLogger.sendMessage(oAuth2AuditLog);
return response(builder);
}
Also used :
InvalidJwtException(org.xdi.oxauth.model.exception.InvalidJwtException)
IdToken(org.xdi.oxauth.model.common.IdToken)
User(org.xdi.oxauth.model.common.User)
WebApplicationException(javax.ws.rs.WebApplicationException)
SessionClient(org.xdi.oxauth.model.session.SessionClient)
OAuth2AuditLog(org.xdi.oxauth.model.audit.OAuth2AuditLog)
ResourceOwnerPasswordCredentialsGrant(org.xdi.oxauth.model.common.ResourceOwnerPasswordCredentialsGrant)
GrantType(org.xdi.oxauth.model.common.GrantType)
SignatureException(java.security.SignatureException)
StringEncrypter(org.xdi.util.security.StringEncrypter)
InvalidJwtException(org.xdi.oxauth.model.exception.InvalidJwtException)
SignatureException(java.security.SignatureException)
JSONException(org.codehaus.jettison.json.JSONException)
WebApplicationException(javax.ws.rs.WebApplicationException)
InvalidJweException(org.xdi.oxauth.model.exception.InvalidJweException)
RefreshToken(org.xdi.oxauth.model.common.RefreshToken)
AuthorizationCodeGrant(org.xdi.oxauth.model.common.AuthorizationCodeGrant)
AccessToken(org.xdi.oxauth.model.common.AccessToken)
ClientCredentialsGrant(org.xdi.oxauth.model.common.ClientCredentialsGrant)
ResponseBuilder(javax.ws.rs.core.Response.ResponseBuilder)
Client(org.xdi.oxauth.model.registration.Client)
SessionClient(org.xdi.oxauth.model.session.SessionClient)
AuthorizationGrant(org.xdi.oxauth.model.common.AuthorizationGrant)
InvalidJweException(org.xdi.oxauth.model.exception.InvalidJweException)
Example 3 with User
use of org.xdi.oxauth.model.common.User in project oxAuth by GluuFederation.
the class U2fRegistrationWS method startRegistration.
@GET
@Produces({ "application/json" })
public Response startRegistration(@QueryParam("username") String userName, @QueryParam("application") String appId, @QueryParam("session_state") String sessionState, @QueryParam("enrollment_code") String enrollmentCode) {
// Parameter username is deprecated. We uses it only to determine is it's one or two step workflow
try {
log.debug("Startig registration with username '{}' for appId '{}'. session_state '{}', enrollment_code '{}'", userName, appId, sessionState, enrollmentCode);
String userInum = null;
boolean sessionBasedEnrollment = false;
boolean twoStep = StringHelper.isNotEmpty(userName);
if (twoStep) {
boolean removeEnrollment = false;
if (StringHelper.isNotEmpty(sessionState)) {
boolean valid = u2fValidationService.isValidSessionState(userName, sessionState);
if (!valid) {
throw new BadInputException(String.format("session_state '%s' is invalid", sessionState));
}
sessionBasedEnrollment = true;
} else if (StringHelper.isNotEmpty(enrollmentCode)) {
boolean valid = u2fValidationService.isValidEnrollmentCode(userName, enrollmentCode);
if (!valid) {
throw new BadInputException(String.format("enrollment_code '%s' is invalid", enrollmentCode));
}
removeEnrollment = true;
} else {
throw new BadInputException(String.format("session_state or enrollment_code is mandatory"));
}
User user = userService.getUser(userName);
userInum = userService.getUserInum(user);
if (StringHelper.isEmpty(userInum)) {
throw new BadInputException(String.format("Failed to find user '%s' in LDAP", userName));
}
if (removeEnrollment) {
// We allow to use enrollment code only one time
user.setAttribute(U2fConstants.U2F_ENROLLMENT_CODE_ATTRIBUTE, (String) null);
userService.updateUser(user);
}
}
if (sessionBasedEnrollment) {
List<DeviceRegistration> deviceRegistrations = deviceRegistrationService.findUserDeviceRegistrations(userInum, appId);
if (deviceRegistrations.size() > 0 && !isCurrentAuthenticationLevelCorrespondsToU2fLevel(sessionState)) {
throw new RegistrationNotAllowed(String.format("It's not possible to start registration with user_name and session_state becuase user '%s' has already enrolled device", userName));
}
}
RegisterRequestMessage registerRequestMessage = u2fRegistrationService.builRegisterRequestMessage(appId, userInum);
u2fRegistrationService.storeRegisterRequestMessage(registerRequestMessage, userInum, sessionState);
// Convert manually to avoid possible conflict between resteasy providers, e.g. jettison, jackson
final String entity = ServerUtil.asJson(registerRequestMessage);
return Response.status(Response.Status.OK).entity(entity).cacheControl(ServerUtil.cacheControl(true)).build();
} catch (Exception ex) {
log.error("Exception happened", ex);
if (ex instanceof WebApplicationException) {
throw (WebApplicationException) ex;
}
if (ex instanceof RegistrationNotAllowed) {
throw new WebApplicationException(Response.status(Response.Status.NOT_ACCEPTABLE).entity(errorResponseFactory.getErrorResponse(U2fErrorResponseType.REGISTRATION_NOT_ALLOWED)).build());
}
throw new WebApplicationException(Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(errorResponseFactory.getJsonErrorResponse(U2fErrorResponseType.SERVER_ERROR)).build());
}
}
Also used :
BadInputException(org.xdi.oxauth.model.fido.u2f.exception.BadInputException)
User(org.xdi.oxauth.model.common.User)
WebApplicationException(javax.ws.rs.WebApplicationException)
RegistrationNotAllowed(org.xdi.oxauth.model.fido.u2f.exception.RegistrationNotAllowed)
DeviceRegistration(org.xdi.oxauth.model.fido.u2f.DeviceRegistration)
RegisterRequestMessage(org.xdi.oxauth.model.fido.u2f.protocol.RegisterRequestMessage)
BadInputException(org.xdi.oxauth.model.fido.u2f.exception.BadInputException)
WebApplicationException(javax.ws.rs.WebApplicationException)
Produces(javax.ws.rs.Produces)
GET(javax.ws.rs.GET)
Example 4 with User
use of org.xdi.oxauth.model.common.User in project oxAuth by GluuFederation.
the class ValidationService method isValidEnrollmentCode.
public boolean isValidEnrollmentCode(String userName, String enrollmentCode) {
if (enrollmentCode == null) {
log.error("In two step authentication workflow enrollment_code is mandatory");
return false;
}
User user = userService.getUser(userName, U2fConstants.U2F_ENROLLMENT_CODE_ATTRIBUTE);
if (user == null) {
log.error("Specified user_name '{}' is invalid", userName);
return false;
}
String userEnrollmentCode = user.getAttribute(U2fConstants.U2F_ENROLLMENT_CODE_ATTRIBUTE);
if (userEnrollmentCode == null) {
log.error("Specified enrollment_code '{}' is invalid", enrollmentCode);
return false;
}
if (!StringHelper.equalsIgnoreCase(userEnrollmentCode, enrollmentCode)) {
log.error("Username '{}' and enrollment_code '{}' don't match", userName, enrollmentCode);
return false;
}
return true;
}
Also used :
User(org.xdi.oxauth.model.common.User)
Example 5 with User
use of org.xdi.oxauth.model.common.User in project oxAuth by GluuFederation.
the class UserService method getUserByInum.
public User getUserByInum(String inum, String... returnAttributes) {
if (StringHelper.isEmpty(inum)) {
return null;
}
String userDn = getDnForUser(inum);
User user = getUserByDn(userDn, returnAttributes);
if (user == null) {
return null;
}
return user;
}
Also used :
User(org.xdi.oxauth.model.common.User)
Aggregations
User (org.xdi.oxauth.model.common.User)25
SimpleUser (org.xdi.oxauth.model.common.SimpleUser)7
CustomAttribute (org.xdi.ldap.model.CustomAttribute)5
SessionState (org.xdi.oxauth.model.common.SessionState)5
ArrayList (java.util.ArrayList)4
Client (org.xdi.oxauth.model.registration.Client)4
Prompt (org.xdi.oxauth.model.common.Prompt)3
SignatureException (java.security.SignatureException)2
WebApplicationException (javax.ws.rs.WebApplicationException)2
ResponseBuilder (javax.ws.rs.core.Response.ResponseBuilder)2
EntryPersistenceException (org.gluu.site.ldap.persistence.exception.EntryPersistenceException)2
OAuth2AuditLog (org.xdi.oxauth.model.audit.OAuth2AuditLog)2
AccessToken (org.xdi.oxauth.model.common.AccessToken)2
AuthorizationGrant (org.xdi.oxauth.model.common.AuthorizationGrant)2
IdToken (org.xdi.oxauth.model.common.IdToken)2
AcrChangedException (org.xdi.oxauth.model.exception.AcrChangedException)2
InvalidJwtException (org.xdi.oxauth.model.exception.InvalidJwtException)2
ClientAuthorizations (org.xdi.oxauth.model.ldap.ClientAuthorizations)2
StringEncrypter (org.xdi.util.security.StringEncrypter)2
Filter (com.unboundid.ldap.sdk.Filter)1
