Search in sources :

Example 6 with InvalidJweException

use of org.xdi.oxauth.model.exception.InvalidJweException in project oxAuth by GluuFederation.

the class TokenRestWebServiceImpl method requestAccessToken.

@Override
public Response requestAccessToken(String grantType, String code, String redirectUri, String username, String password, String scope, String assertion, String refreshToken, String oxAuthExchangeToken, String clientId, String clientSecret, String codeVerifier, HttpServletRequest request, SecurityContext sec) {
    log.debug("Attempting to request access token: grantType = {}, code = {}, redirectUri = {}, username = {}, refreshToken = {}, " + "clientId = {}, ExtraParams = {}, isSecure = {}, codeVerifier = {}", grantType, code, redirectUri, username, refreshToken, clientId, request.getParameterMap(), sec.isSecure(), codeVerifier);
    OAuth2AuditLog oAuth2AuditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(request), Action.TOKEN_REQUEST);
    oAuth2AuditLog.setClientId(clientId);
    oAuth2AuditLog.setUsername(username);
    oAuth2AuditLog.setScope(scope);
    // it may be encoded in uma case
    scope = ServerUtil.urlDecode(scope);
    ResponseBuilder builder = Response.ok();
    try {
        log.debug("Starting to validate request parameters");
        if (!TokenParamsValidator.validateParams(grantType, code, redirectUri, username, password, scope, assertion, refreshToken, oxAuthExchangeToken)) {
            log.trace("Failed to validate request parameters");
            builder = error(400, TokenErrorResponseType.INVALID_REQUEST);
        } else {
            log.trace("Request parameters are right");
            GrantType gt = GrantType.fromString(grantType);
            log.debug("Grant type: '{}'", gt);
            SessionClient sessionClient = identity.getSetSessionClient();
            Client client = null;
            if (sessionClient != null) {
                client = sessionClient.getClient();
                log.debug("Get sessionClient: '{}'", sessionClient);
            }
            if (client != null) {
                log.debug("Get client from session: '{}'", client.getClientId());
            }
            if (gt == GrantType.AUTHORIZATION_CODE) {
                if (client == null) {
                    return response(error(400, TokenErrorResponseType.INVALID_GRANT));
                }
                log.debug("Attempting to find authorizationCodeGrant by clinetId: '{}', code: '{}'", client.getClientId(), code);
                AuthorizationCodeGrant authorizationCodeGrant = authorizationGrantList.getAuthorizationCodeGrant(client.getClientId(), code);
                log.trace("AuthorizationCodeGrant : '{}'", authorizationCodeGrant);
                if (authorizationCodeGrant != null) {
                    validatePKCE(authorizationCodeGrant, codeVerifier);
                    authorizationCodeGrant.setIsCachedWithNoPersistence(false);
                    authorizationCodeGrant.save();
                    AccessToken accToken = authorizationCodeGrant.createAccessToken();
                    log.debug("Issuing access token: {}", accToken.getCode());
                    RefreshToken reToken = authorizationCodeGrant.createRefreshToken();
                    if (scope != null && !scope.isEmpty()) {
                        scope = authorizationCodeGrant.checkScopesPolicy(scope);
                    }
                    IdToken idToken = null;
                    if (authorizationCodeGrant.getScopes().contains("openid")) {
                        String nonce = authorizationCodeGrant.getNonce();
                        boolean includeIdTokenClaims = Boolean.TRUE.equals(appConfiguration.getLegacyIdTokenClaims());
                        idToken = authorizationCodeGrant.createIdToken(nonce, null, accToken, authorizationCodeGrant, includeIdTokenClaims);
                    }
                    builder.entity(getJSonResponse(accToken, accToken.getTokenType(), accToken.getExpiresIn(), reToken, scope, idToken));
                    oAuth2AuditLog.updateOAuth2AuditLog(authorizationCodeGrant, true);
                    grantService.removeByCode(authorizationCodeGrant.getAuthorizationCode().getCode(), authorizationCodeGrant.getClientId());
                } else {
                    log.debug("AuthorizationCodeGrant is empty by clinetId: '{}', code: '{}'", client.getClientId(), code);
                    // if authorization code is not found then code was already used = remove all grants with this auth code
                    grantService.removeAllByAuthorizationCode(code);
                    builder = error(400, TokenErrorResponseType.INVALID_GRANT);
                }
            } else if (gt == GrantType.REFRESH_TOKEN) {
                if (client == null) {
                    return response(error(401, TokenErrorResponseType.INVALID_GRANT));
                }
                AuthorizationGrant authorizationGrant = authorizationGrantList.getAuthorizationGrantByRefreshToken(client.getClientId(), refreshToken);
                if (authorizationGrant != null) {
                    AccessToken accToken = authorizationGrant.createAccessToken();
                    /*
                        The authorization server MAY issue a new refresh token, in which case
                        the client MUST discard the old refresh token and replace it with the
                        new refresh token.
                        */
                    RefreshToken reToken = authorizationGrant.createRefreshToken();
                    grantService.removeByCode(refreshToken, client.getClientId());
                    if (scope != null && !scope.isEmpty()) {
                        scope = authorizationGrant.checkScopesPolicy(scope);
                    }
                    builder.entity(getJSonResponse(accToken, accToken.getTokenType(), accToken.getExpiresIn(), reToken, scope, null));
                    oAuth2AuditLog.updateOAuth2AuditLog(authorizationGrant, true);
                } else {
                    builder = error(401, TokenErrorResponseType.INVALID_GRANT);
                }
            } else if (gt == GrantType.CLIENT_CREDENTIALS) {
                if (client == null) {
                    return response(error(401, TokenErrorResponseType.INVALID_GRANT));
                }
                // TODO: fix the user arg
                ClientCredentialsGrant clientCredentialsGrant = authorizationGrantList.createClientCredentialsGrant(new User(), client);
                AccessToken accessToken = clientCredentialsGrant.createAccessToken();
                if (scope != null && !scope.isEmpty()) {
                    scope = clientCredentialsGrant.checkScopesPolicy(scope);
                }
                IdToken idToken = null;
                if (clientCredentialsGrant.getScopes().contains("openid")) {
                    boolean includeIdTokenClaims = Boolean.TRUE.equals(appConfiguration.getLegacyIdTokenClaims());
                    idToken = clientCredentialsGrant.createIdToken(null, null, null, clientCredentialsGrant, includeIdTokenClaims);
                }
                oAuth2AuditLog.updateOAuth2AuditLog(clientCredentialsGrant, true);
                builder.entity(getJSonResponse(accessToken, accessToken.getTokenType(), accessToken.getExpiresIn(), null, scope, idToken));
            } else if (gt == GrantType.RESOURCE_OWNER_PASSWORD_CREDENTIALS) {
                if (client == null) {
                    log.error("Invalid client", new RuntimeException("Client is empty"));
                    return response(error(401, TokenErrorResponseType.INVALID_CLIENT));
                }
                User user = null;
                if (authenticationFilterService.isEnabled()) {
                    String userDn = authenticationFilterService.processAuthenticationFilters(request.getParameterMap());
                    if (StringHelper.isNotEmpty(userDn)) {
                        user = userService.getUserByDn(userDn);
                    }
                }
                if (user == null) {
                    boolean authenticated = authenticationService.authenticate(username, password);
                    if (authenticated) {
                        user = authenticationService.getAuthenticatedUser();
                    }
                }
                if (user != null) {
                    ResourceOwnerPasswordCredentialsGrant resourceOwnerPasswordCredentialsGrant = authorizationGrantList.createResourceOwnerPasswordCredentialsGrant(user, client);
                    AccessToken accessToken = resourceOwnerPasswordCredentialsGrant.createAccessToken();
                    RefreshToken reToken = resourceOwnerPasswordCredentialsGrant.createRefreshToken();
                    if (scope != null && !scope.isEmpty()) {
                        scope = resourceOwnerPasswordCredentialsGrant.checkScopesPolicy(scope);
                    }
                    IdToken idToken = null;
                    if (resourceOwnerPasswordCredentialsGrant.getScopes().contains("openid")) {
                        boolean includeIdTokenClaims = Boolean.TRUE.equals(appConfiguration.getLegacyIdTokenClaims());
                        idToken = resourceOwnerPasswordCredentialsGrant.createIdToken(null, null, null, resourceOwnerPasswordCredentialsGrant, includeIdTokenClaims);
                    }
                    oAuth2AuditLog.updateOAuth2AuditLog(resourceOwnerPasswordCredentialsGrant, true);
                    builder.entity(getJSonResponse(accessToken, accessToken.getTokenType(), accessToken.getExpiresIn(), reToken, scope, idToken));
                } else {
                    log.error("Invalid user", new RuntimeException("User is empty"));
                    builder = error(401, TokenErrorResponseType.INVALID_CLIENT);
                }
            } else if (gt == GrantType.EXTENSION) {
                builder = error(501, TokenErrorResponseType.INVALID_GRANT);
            } else if (gt == GrantType.OXAUTH_EXCHANGE_TOKEN) {
                AuthorizationGrant authorizationGrant = authorizationGrantList.getAuthorizationGrantByAccessToken(oxAuthExchangeToken);
                if (authorizationGrant != null) {
                    final AccessToken accessToken = authorizationGrant.createLongLivedAccessToken();
                    oAuth2AuditLog.updateOAuth2AuditLog(authorizationGrant, true);
                    builder.entity(getJSonResponse(accessToken, accessToken.getTokenType(), accessToken.getExpiresIn(), null, null, null));
                } else {
                    builder = error(401, TokenErrorResponseType.INVALID_GRANT);
                }
            }
        }
    } catch (WebApplicationException e) {
        throw e;
    } catch (SignatureException e) {
        builder = Response.status(500);
        log.error(e.getMessage(), e);
    } catch (StringEncrypter.EncryptionException e) {
        builder = Response.status(500);
        log.error(e.getMessage(), e);
    } catch (InvalidJwtException e) {
        builder = Response.status(500);
        log.error(e.getMessage(), e);
    } catch (InvalidJweException e) {
        builder = Response.status(500);
        log.error(e.getMessage(), e);
    } catch (Exception e) {
        builder = Response.status(500);
        log.error(e.getMessage(), e);
    }
    applicationAuditLogger.sendMessage(oAuth2AuditLog);
    return response(builder);
}
Also used : InvalidJwtException(org.xdi.oxauth.model.exception.InvalidJwtException) IdToken(org.xdi.oxauth.model.common.IdToken) User(org.xdi.oxauth.model.common.User) WebApplicationException(javax.ws.rs.WebApplicationException) SessionClient(org.xdi.oxauth.model.session.SessionClient) OAuth2AuditLog(org.xdi.oxauth.model.audit.OAuth2AuditLog) ResourceOwnerPasswordCredentialsGrant(org.xdi.oxauth.model.common.ResourceOwnerPasswordCredentialsGrant) GrantType(org.xdi.oxauth.model.common.GrantType) SignatureException(java.security.SignatureException) StringEncrypter(org.xdi.util.security.StringEncrypter) InvalidJwtException(org.xdi.oxauth.model.exception.InvalidJwtException) SignatureException(java.security.SignatureException) JSONException(org.codehaus.jettison.json.JSONException) WebApplicationException(javax.ws.rs.WebApplicationException) InvalidJweException(org.xdi.oxauth.model.exception.InvalidJweException) RefreshToken(org.xdi.oxauth.model.common.RefreshToken) AuthorizationCodeGrant(org.xdi.oxauth.model.common.AuthorizationCodeGrant) AccessToken(org.xdi.oxauth.model.common.AccessToken) ClientCredentialsGrant(org.xdi.oxauth.model.common.ClientCredentialsGrant) ResponseBuilder(javax.ws.rs.core.Response.ResponseBuilder) Client(org.xdi.oxauth.model.registration.Client) SessionClient(org.xdi.oxauth.model.session.SessionClient) AuthorizationGrant(org.xdi.oxauth.model.common.AuthorizationGrant) InvalidJweException(org.xdi.oxauth.model.exception.InvalidJweException)

Example 7 with InvalidJweException

use of org.xdi.oxauth.model.exception.InvalidJweException in project oxAuth by GluuFederation.

the class AbstractJweDecrypter method decrypt.

@Override
public Jwe decrypt(String encryptedJwe) throws InvalidJweException {
    try {
        if (StringUtils.isBlank(encryptedJwe)) {
            return null;
        }
        String[] jweParts = encryptedJwe.split("\\.");
        if (jweParts.length != 5) {
            throw new InvalidJwtException("Invalid JWS format.");
        }
        String encodedHeader = jweParts[0];
        String encodedEncryptedKey = jweParts[1];
        String encodedInitializationVector = jweParts[2];
        String encodedCipherText = jweParts[3];
        String encodedIntegrityValue = jweParts[4];
        Jwe jwe = new Jwe();
        jwe.setEncodedHeader(encodedHeader);
        jwe.setEncodedEncryptedKey(encodedEncryptedKey);
        jwe.setEncodedInitializationVector(encodedInitializationVector);
        jwe.setEncodedCiphertext(encodedCipherText);
        jwe.setEncodedIntegrityValue(encodedIntegrityValue);
        jwe.setHeader(new JwtHeader(encodedHeader));
        keyEncryptionAlgorithm = KeyEncryptionAlgorithm.fromName(jwe.getHeader().getClaimAsString(JwtHeaderName.ALGORITHM));
        blockEncryptionAlgorithm = BlockEncryptionAlgorithm.fromName(jwe.getHeader().getClaimAsString(JwtHeaderName.ENCRYPTION_METHOD));
        byte[] contentMasterKey = decryptEncryptionKey(encodedEncryptedKey);
        byte[] initializationVector = Base64Util.base64urldecode(encodedInitializationVector);
        byte[] authenticationTag = Base64Util.base64urldecode(encodedIntegrityValue);
        byte[] additionalAuthenticatedData = jwe.getAdditionalAuthenticatedData().getBytes(Util.UTF8_STRING_ENCODING);
        String plainText = decryptCipherText(encodedCipherText, contentMasterKey, initializationVector, authenticationTag, additionalAuthenticatedData);
        jwe.setClaims(new JwtClaims(plainText));
        return jwe;
    } catch (InvalidJwtException e) {
        throw new InvalidJweException(e);
    } catch (UnsupportedEncodingException e) {
        throw new InvalidJweException(e);
    }
}
Also used : InvalidJwtException(org.xdi.oxauth.model.exception.InvalidJwtException) JwtHeader(org.xdi.oxauth.model.jwt.JwtHeader) JwtClaims(org.xdi.oxauth.model.jwt.JwtClaims) UnsupportedEncodingException(java.io.UnsupportedEncodingException) InvalidJweException(org.xdi.oxauth.model.exception.InvalidJweException)

Example 8 with InvalidJweException

use of org.xdi.oxauth.model.exception.InvalidJweException in project oxAuth by GluuFederation.

the class JweEncrypterImpl method generateCipherTextAndIntegrityValue.

@Override
public Pair<String, String> generateCipherTextAndIntegrityValue(byte[] contentMasterKey, byte[] initializationVector, byte[] additionalAuthenticatedData, byte[] plainText) throws InvalidJweException {
    if (getBlockEncryptionAlgorithm() == null) {
        throw new InvalidJweException("The block encryption algorithm is null");
    }
    if (contentMasterKey == null) {
        throw new InvalidJweException("The content master key (CMK) is null");
    }
    if (initializationVector == null) {
        throw new InvalidJweException("The initialization vector is null");
    }
    if (additionalAuthenticatedData == null) {
        throw new InvalidJweException("The additional authentication data is null");
    }
    if (plainText == null) {
        throw new InvalidJweException("The plain text to encrypt is null");
    }
    try {
        if (getBlockEncryptionAlgorithm() == BlockEncryptionAlgorithm.A128GCM || getBlockEncryptionAlgorithm() == BlockEncryptionAlgorithm.A256GCM) {
            SecretKey secretKey = new SecretKeySpec(contentMasterKey, "AES");
            KeyParameter key = new KeyParameter(contentMasterKey);
            final int MAC_SIZE_BITS = 128;
            AEADParameters aeadParameters = new AEADParameters(key, MAC_SIZE_BITS, initializationVector, additionalAuthenticatedData);
            final int macSize = aeadParameters.getMacSize() / 8;
            BlockCipher blockCipher = new AESEngine();
            CipherParameters params = new KeyParameter(secretKey.getEncoded());
            blockCipher.init(true, params);
            GCMBlockCipher aGCMBlockCipher = new GCMBlockCipher(blockCipher);
            aGCMBlockCipher.init(true, aeadParameters);
            int len = aGCMBlockCipher.getOutputSize(plainText.length);
            byte[] out = new byte[len];
            int outOff = aGCMBlockCipher.processBytes(plainText, 0, plainText.length, out, 0);
            outOff += aGCMBlockCipher.doFinal(out, outOff);
            byte[] cipherText = new byte[outOff - macSize];
            System.arraycopy(out, 0, cipherText, 0, cipherText.length);
            byte[] authenticationTag = new byte[macSize];
            System.arraycopy(out, outOff - macSize, authenticationTag, 0, authenticationTag.length);
            String encodedCipherText = Base64Util.base64urlencode(cipherText);
            String encodedAuthenticationTag = Base64Util.base64urlencode(authenticationTag);
            return new Pair<String, String>(encodedCipherText, encodedAuthenticationTag);
        } else if (getBlockEncryptionAlgorithm() == BlockEncryptionAlgorithm.A128CBC_PLUS_HS256 || getBlockEncryptionAlgorithm() == BlockEncryptionAlgorithm.A256CBC_PLUS_HS512) {
            byte[] cek = KeyDerivationFunction.generateCek(contentMasterKey, getBlockEncryptionAlgorithm());
            IvParameterSpec parameters = new IvParameterSpec(initializationVector);
            Cipher cipher = Cipher.getInstance(getBlockEncryptionAlgorithm().getAlgorithm(), "BC");
            //Cipher cipher = Cipher.getInstance(getBlockEncryptionAlgorithm().getAlgorithm());
            SecretKeySpec secretKeySpec = new SecretKeySpec(cek, "AES");
            cipher.init(Cipher.ENCRYPT_MODE, secretKeySpec, parameters);
            byte[] cipherText = cipher.doFinal(plainText);
            String encodedCipherText = Base64Util.base64urlencode(cipherText);
            String securedInputValue = new String(additionalAuthenticatedData, Charset.forName(Util.UTF8_STRING_ENCODING)) + "." + encodedCipherText;
            byte[] cik = KeyDerivationFunction.generateCik(contentMasterKey, getBlockEncryptionAlgorithm());
            SecretKey secretKey = new SecretKeySpec(cik, getBlockEncryptionAlgorithm().getIntegrityValueAlgorithm());
            Mac mac = Mac.getInstance(getBlockEncryptionAlgorithm().getIntegrityValueAlgorithm());
            mac.init(secretKey);
            byte[] integrityValue = mac.doFinal(securedInputValue.getBytes(Util.UTF8_STRING_ENCODING));
            String encodedIntegrityValue = Base64Util.base64urlencode(integrityValue);
            return new Pair<String, String>(encodedCipherText, encodedIntegrityValue);
        } else {
            throw new InvalidJweException("The block encryption algorithm is not supported");
        }
    } catch (InvalidCipherTextException e) {
        throw new InvalidJweException(e);
    } catch (NoSuchAlgorithmException e) {
        throw new InvalidJweException(e);
    } catch (UnsupportedEncodingException e) {
        throw new InvalidJweException(e);
    } catch (NoSuchProviderException e) {
        throw new InvalidJweException(e);
    } catch (IllegalBlockSizeException e) {
        throw new InvalidJweException(e);
    } catch (InvalidKeyException e) {
        throw new InvalidJweException(e);
    } catch (BadPaddingException e) {
        throw new InvalidJweException(e);
    } catch (InvalidAlgorithmParameterException e) {
        throw new InvalidJweException(e);
    } catch (NoSuchPaddingException e) {
        throw new InvalidJweException(e);
    } catch (InvalidParameterException e) {
        throw new InvalidJweException(e);
    }
}
Also used : InvalidCipherTextException(org.bouncycastle.crypto.InvalidCipherTextException) KeyParameter(org.bouncycastle.crypto.params.KeyParameter) InvalidParameterException(org.xdi.oxauth.model.exception.InvalidParameterException) SecretKeySpec(javax.crypto.spec.SecretKeySpec) InvalidJweException(org.xdi.oxauth.model.exception.InvalidJweException) Pair(org.xdi.oxauth.model.util.Pair) AESEngine(org.bouncycastle.crypto.engines.AESEngine) BlockCipher(org.bouncycastle.crypto.BlockCipher) GCMBlockCipher(org.bouncycastle.crypto.modes.GCMBlockCipher) UnsupportedEncodingException(java.io.UnsupportedEncodingException) CipherParameters(org.bouncycastle.crypto.CipherParameters) AEADParameters(org.bouncycastle.crypto.params.AEADParameters) IvParameterSpec(javax.crypto.spec.IvParameterSpec) BlockCipher(org.bouncycastle.crypto.BlockCipher) GCMBlockCipher(org.bouncycastle.crypto.modes.GCMBlockCipher) GCMBlockCipher(org.bouncycastle.crypto.modes.GCMBlockCipher)

Example 9 with InvalidJweException

use of org.xdi.oxauth.model.exception.InvalidJweException in project oxAuth by GluuFederation.

the class AuthorizationGrant method createIdToken.

@Override
public IdToken createIdToken(String nonce, AuthorizationCode authorizationCode, AccessToken accessToken, AuthorizationGrant authorizationGrant, boolean includeIdTokenClaims) throws SignatureException, StringEncrypter.EncryptionException, InvalidJwtException, InvalidJweException {
    try {
        final IdToken idToken = createIdToken(this, nonce, authorizationCode, accessToken, getScopes(), includeIdTokenClaims);
        final String acrValues = authorizationGrant.getAcrValues();
        final String sessionDn = authorizationGrant.getSessionDn();
        if (idToken.getExpiresIn() > 0) {
            final TokenLdap tokenLdap = asToken(idToken);
            tokenLdap.setAuthMode(acrValues);
            tokenLdap.setSessionDn(sessionDn);
            persist(tokenLdap);
        }
        // is it really neccessary to propagate to all tokens?
        setAcrValues(acrValues);
        setSessionDn(sessionDn);
        // asynchronous save
        save();
        return idToken;
    } catch (Exception e) {
        log.error(e.getMessage(), e);
        return null;
    }
}
Also used : TokenLdap(org.xdi.oxauth.model.ldap.TokenLdap) SignatureException(java.security.SignatureException) InvalidJwtException(org.xdi.oxauth.model.exception.InvalidJwtException) InvalidJweException(org.xdi.oxauth.model.exception.InvalidJweException)

Example 10 with InvalidJweException

use of org.xdi.oxauth.model.exception.InvalidJweException in project oxAuth by GluuFederation.

the class UserInfoRestWebServiceImpl method getJweResponse.

public String getJweResponse(KeyEncryptionAlgorithm keyEncryptionAlgorithm, BlockEncryptionAlgorithm blockEncryptionAlgorithm, User user, AuthorizationGrant authorizationGrant, Collection<String> scopes) throws Exception {
    Jwe jwe = new Jwe();
    // Header
    jwe.getHeader().setType(JwtType.JWT);
    jwe.getHeader().setAlgorithm(keyEncryptionAlgorithm);
    jwe.getHeader().setEncryptionMethod(blockEncryptionAlgorithm);
    // Claims
    List<Scope> dynamicScopes = new ArrayList<Scope>();
    for (String scopeName : scopes) {
        Scope scope = scopeService.getScopeByDisplayName(scopeName);
        if (org.xdi.oxauth.model.common.ScopeType.DYNAMIC == scope.getScopeType()) {
            dynamicScopes.add(scope);
            continue;
        }
        if (scope.getOxAuthClaims() != null) {
            for (String claimDn : scope.getOxAuthClaims()) {
                GluuAttribute gluuAttribute = attributeService.getAttributeByDn(claimDn);
                String claimName = gluuAttribute.getOxAuthClaimName();
                String ldapName = gluuAttribute.getName();
                String attributeValue = null;
                if (StringUtils.isNotBlank(claimName) && StringUtils.isNotBlank(ldapName)) {
                    if (ldapName.equals("uid")) {
                        attributeValue = user.getUserId();
                    } else {
                        attributeValue = user.getAttribute(gluuAttribute.getName());
                    }
                    jwe.getClaims().setClaim(claimName, attributeValue);
                }
            }
        }
    }
    if (authorizationGrant.getJwtAuthorizationRequest() != null && authorizationGrant.getJwtAuthorizationRequest().getUserInfoMember() != null) {
        for (Claim claim : authorizationGrant.getJwtAuthorizationRequest().getUserInfoMember().getClaims()) {
            // ClaimValueType.OPTIONAL.equals(claim.getClaimValue().getClaimValueType());
            boolean optional = true;
            GluuAttribute gluuAttribute = attributeService.getByClaimName(claim.getName());
            if (gluuAttribute != null) {
                String ldapClaimName = gluuAttribute.getName();
                Object attribute = user.getAttribute(ldapClaimName, optional);
                if (attribute != null) {
                    if (attribute instanceof JSONArray) {
                        JSONArray jsonArray = (JSONArray) attribute;
                        List<String> values = new ArrayList<String>();
                        for (int i = 0; i < jsonArray.length(); i++) {
                            String value = jsonArray.optString(i);
                            if (value != null) {
                                values.add(value);
                            }
                        }
                        jwe.getClaims().setClaim(claim.getName(), values);
                    } else {
                        String value = (String) attribute;
                        jwe.getClaims().setClaim(claim.getName(), value);
                    }
                }
            }
        }
    }
    // Check for Subject Identifier Type
    if (authorizationGrant.getClient().getSubjectType() != null && SubjectType.fromString(authorizationGrant.getClient().getSubjectType()).equals(SubjectType.PAIRWISE)) {
        String sectorIdentifierUri = null;
        if (StringUtils.isNotBlank(authorizationGrant.getClient().getSectorIdentifierUri())) {
            sectorIdentifierUri = authorizationGrant.getClient().getSectorIdentifierUri();
        } else {
            sectorIdentifierUri = authorizationGrant.getClient().getRedirectUris()[0];
        }
        String userInum = authorizationGrant.getUser().getAttribute("inum");
        PairwiseIdentifier pairwiseIdentifier = pairwiseIdentifierService.findPairWiseIdentifier(userInum, sectorIdentifierUri);
        if (pairwiseIdentifier == null) {
            pairwiseIdentifier = new PairwiseIdentifier(sectorIdentifierUri);
            pairwiseIdentifier.setId(UUID.randomUUID().toString());
            pairwiseIdentifier.setDn(pairwiseIdentifierService.getDnForPairwiseIdentifier(pairwiseIdentifier.getId(), userInum));
            pairwiseIdentifierService.addPairwiseIdentifier(userInum, pairwiseIdentifier);
        }
        jwe.getClaims().setSubjectIdentifier(pairwiseIdentifier.getId());
    } else {
        String openidSubAttribute = appConfiguration.getOpenidSubAttribute();
        jwe.getClaims().setSubjectIdentifier(authorizationGrant.getUser().getAttribute(openidSubAttribute));
    }
    if ((dynamicScopes.size() > 0) && externalDynamicScopeService.isEnabled()) {
        final UnmodifiableAuthorizationGrant unmodifiableAuthorizationGrant = new UnmodifiableAuthorizationGrant(authorizationGrant);
        DynamicScopeExternalContext dynamicScopeContext = new DynamicScopeExternalContext(dynamicScopes, jwe, unmodifiableAuthorizationGrant);
        externalDynamicScopeService.executeExternalUpdateMethods(dynamicScopeContext);
    }
    // Encryption
    if (keyEncryptionAlgorithm == KeyEncryptionAlgorithm.RSA_OAEP || keyEncryptionAlgorithm == KeyEncryptionAlgorithm.RSA1_5) {
        JSONObject jsonWebKeys = JwtUtil.getJSONWebKeys(authorizationGrant.getClient().getJwksUri());
        AbstractCryptoProvider cryptoProvider = CryptoProviderFactory.getCryptoProvider(appConfiguration);
        String keyId = cryptoProvider.getKeyId(JSONWebKeySet.fromJSONObject(jsonWebKeys), SignatureAlgorithm.RS256);
        PublicKey publicKey = cryptoProvider.getPublicKey(keyId, jsonWebKeys);
        if (publicKey != null) {
            JweEncrypter jweEncrypter = new JweEncrypterImpl(keyEncryptionAlgorithm, blockEncryptionAlgorithm, publicKey);
            jwe = jweEncrypter.encrypt(jwe);
        } else {
            throw new InvalidJweException("The public key is not valid");
        }
    } else if (keyEncryptionAlgorithm == KeyEncryptionAlgorithm.A128KW || keyEncryptionAlgorithm == KeyEncryptionAlgorithm.A256KW) {
        try {
            byte[] sharedSymmetricKey = clientService.decryptSecret(authorizationGrant.getClient().getClientSecret()).getBytes(Util.UTF8_STRING_ENCODING);
            JweEncrypter jweEncrypter = new JweEncrypterImpl(keyEncryptionAlgorithm, blockEncryptionAlgorithm, sharedSymmetricKey);
            jwe = jweEncrypter.encrypt(jwe);
        } catch (UnsupportedEncodingException e) {
            throw new InvalidJweException(e);
        } catch (StringEncrypter.EncryptionException e) {
            throw new InvalidJweException(e);
        } catch (Exception e) {
            throw new InvalidJweException(e);
        }
    }
    return jwe.toString();
}
Also used : PublicKey(java.security.PublicKey) JSONArray(org.codehaus.jettison.json.JSONArray) UnsupportedEncodingException(java.io.UnsupportedEncodingException) DynamicScopeExternalContext(org.xdi.oxauth.service.external.context.DynamicScopeExternalContext) InvalidJwtException(org.xdi.oxauth.model.exception.InvalidJwtException) SignatureException(java.security.SignatureException) UnsupportedEncodingException(java.io.UnsupportedEncodingException) InvalidClaimException(org.xdi.oxauth.model.exception.InvalidClaimException) EntryPersistenceException(org.gluu.site.ldap.persistence.exception.EntryPersistenceException) InvalidJweException(org.xdi.oxauth.model.exception.InvalidJweException) GluuAttribute(org.xdi.model.GluuAttribute) PairwiseIdentifier(org.xdi.oxauth.model.ldap.PairwiseIdentifier) JSONObject(org.codehaus.jettison.json.JSONObject) Jwe(org.xdi.oxauth.model.jwe.Jwe) JwtSubClaimObject(org.xdi.oxauth.model.jwt.JwtSubClaimObject) JSONObject(org.codehaus.jettison.json.JSONObject) AbstractCryptoProvider(org.xdi.oxauth.model.crypto.AbstractCryptoProvider) JweEncrypterImpl(org.xdi.oxauth.model.jwe.JweEncrypterImpl) Claim(org.xdi.oxauth.model.authorize.Claim) JweEncrypter(org.xdi.oxauth.model.jwe.JweEncrypter) InvalidJweException(org.xdi.oxauth.model.exception.InvalidJweException)

Aggregations

InvalidJweException (org.xdi.oxauth.model.exception.InvalidJweException)10 UnsupportedEncodingException (java.io.UnsupportedEncodingException)6 InvalidJwtException (org.xdi.oxauth.model.exception.InvalidJwtException)5 SecretKeySpec (javax.crypto.spec.SecretKeySpec)4 BlockCipher (org.bouncycastle.crypto.BlockCipher)4 CipherParameters (org.bouncycastle.crypto.CipherParameters)4 GCMBlockCipher (org.bouncycastle.crypto.modes.GCMBlockCipher)4 KeyParameter (org.bouncycastle.crypto.params.KeyParameter)4 SignatureException (java.security.SignatureException)3 InvalidCipherTextException (org.bouncycastle.crypto.InvalidCipherTextException)3 PublicKey (java.security.PublicKey)2 IvParameterSpec (javax.crypto.spec.IvParameterSpec)2 AESEngine (org.bouncycastle.crypto.engines.AESEngine)2 AESWrapEngine (org.bouncycastle.crypto.engines.AESWrapEngine)2 AEADParameters (org.bouncycastle.crypto.params.AEADParameters)2 JSONArray (org.codehaus.jettison.json.JSONArray)2 JSONObject (org.codehaus.jettison.json.JSONObject)2 GluuAttribute (org.xdi.model.GluuAttribute)2 Claim (org.xdi.oxauth.model.authorize.Claim)2 AbstractCryptoProvider (org.xdi.oxauth.model.crypto.AbstractCryptoProvider)2