use of org.xdi.oxauth.model.exception.InvalidJwtException in project oxAuth by GluuFederation.
the class TokenRestWebServiceImpl method requestAccessToken.
@Override
public Response requestAccessToken(String grantType, String code, String redirectUri, String username, String password, String scope, String assertion, String refreshToken, String oxAuthExchangeToken, String clientId, String clientSecret, String codeVerifier, HttpServletRequest request, SecurityContext sec) {
log.debug("Attempting to request access token: grantType = {}, code = {}, redirectUri = {}, username = {}, refreshToken = {}, " + "clientId = {}, ExtraParams = {}, isSecure = {}, codeVerifier = {}", grantType, code, redirectUri, username, refreshToken, clientId, request.getParameterMap(), sec.isSecure(), codeVerifier);
OAuth2AuditLog oAuth2AuditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(request), Action.TOKEN_REQUEST);
oAuth2AuditLog.setClientId(clientId);
oAuth2AuditLog.setUsername(username);
oAuth2AuditLog.setScope(scope);
// it may be encoded in uma case
scope = ServerUtil.urlDecode(scope);
ResponseBuilder builder = Response.ok();
try {
log.debug("Starting to validate request parameters");
if (!TokenParamsValidator.validateParams(grantType, code, redirectUri, username, password, scope, assertion, refreshToken, oxAuthExchangeToken)) {
log.trace("Failed to validate request parameters");
builder = error(400, TokenErrorResponseType.INVALID_REQUEST);
} else {
log.trace("Request parameters are right");
GrantType gt = GrantType.fromString(grantType);
log.debug("Grant type: '{}'", gt);
SessionClient sessionClient = identity.getSetSessionClient();
Client client = null;
if (sessionClient != null) {
client = sessionClient.getClient();
log.debug("Get sessionClient: '{}'", sessionClient);
}
if (client != null) {
log.debug("Get client from session: '{}'", client.getClientId());
}
if (gt == GrantType.AUTHORIZATION_CODE) {
if (client == null) {
return response(error(400, TokenErrorResponseType.INVALID_GRANT));
}
log.debug("Attempting to find authorizationCodeGrant by clinetId: '{}', code: '{}'", client.getClientId(), code);
AuthorizationCodeGrant authorizationCodeGrant = authorizationGrantList.getAuthorizationCodeGrant(client.getClientId(), code);
log.trace("AuthorizationCodeGrant : '{}'", authorizationCodeGrant);
if (authorizationCodeGrant != null) {
validatePKCE(authorizationCodeGrant, codeVerifier);
authorizationCodeGrant.setIsCachedWithNoPersistence(false);
authorizationCodeGrant.save();
AccessToken accToken = authorizationCodeGrant.createAccessToken();
log.debug("Issuing access token: {}", accToken.getCode());
RefreshToken reToken = authorizationCodeGrant.createRefreshToken();
if (scope != null && !scope.isEmpty()) {
scope = authorizationCodeGrant.checkScopesPolicy(scope);
}
IdToken idToken = null;
if (authorizationCodeGrant.getScopes().contains("openid")) {
String nonce = authorizationCodeGrant.getNonce();
boolean includeIdTokenClaims = Boolean.TRUE.equals(appConfiguration.getLegacyIdTokenClaims());
idToken = authorizationCodeGrant.createIdToken(nonce, null, accToken, authorizationCodeGrant, includeIdTokenClaims);
}
builder.entity(getJSonResponse(accToken, accToken.getTokenType(), accToken.getExpiresIn(), reToken, scope, idToken));
oAuth2AuditLog.updateOAuth2AuditLog(authorizationCodeGrant, true);
grantService.removeByCode(authorizationCodeGrant.getAuthorizationCode().getCode(), authorizationCodeGrant.getClientId());
} else {
log.debug("AuthorizationCodeGrant is empty by clinetId: '{}', code: '{}'", client.getClientId(), code);
// if authorization code is not found then code was already used = remove all grants with this auth code
grantService.removeAllByAuthorizationCode(code);
builder = error(400, TokenErrorResponseType.INVALID_GRANT);
}
} else if (gt == GrantType.REFRESH_TOKEN) {
if (client == null) {
return response(error(401, TokenErrorResponseType.INVALID_GRANT));
}
AuthorizationGrant authorizationGrant = authorizationGrantList.getAuthorizationGrantByRefreshToken(client.getClientId(), refreshToken);
if (authorizationGrant != null) {
AccessToken accToken = authorizationGrant.createAccessToken();
/*
The authorization server MAY issue a new refresh token, in which case
the client MUST discard the old refresh token and replace it with the
new refresh token.
*/
RefreshToken reToken = authorizationGrant.createRefreshToken();
grantService.removeByCode(refreshToken, client.getClientId());
if (scope != null && !scope.isEmpty()) {
scope = authorizationGrant.checkScopesPolicy(scope);
}
builder.entity(getJSonResponse(accToken, accToken.getTokenType(), accToken.getExpiresIn(), reToken, scope, null));
oAuth2AuditLog.updateOAuth2AuditLog(authorizationGrant, true);
} else {
builder = error(401, TokenErrorResponseType.INVALID_GRANT);
}
} else if (gt == GrantType.CLIENT_CREDENTIALS) {
if (client == null) {
return response(error(401, TokenErrorResponseType.INVALID_GRANT));
}
// TODO: fix the user arg
ClientCredentialsGrant clientCredentialsGrant = authorizationGrantList.createClientCredentialsGrant(new User(), client);
AccessToken accessToken = clientCredentialsGrant.createAccessToken();
if (scope != null && !scope.isEmpty()) {
scope = clientCredentialsGrant.checkScopesPolicy(scope);
}
IdToken idToken = null;
if (clientCredentialsGrant.getScopes().contains("openid")) {
boolean includeIdTokenClaims = Boolean.TRUE.equals(appConfiguration.getLegacyIdTokenClaims());
idToken = clientCredentialsGrant.createIdToken(null, null, null, clientCredentialsGrant, includeIdTokenClaims);
}
oAuth2AuditLog.updateOAuth2AuditLog(clientCredentialsGrant, true);
builder.entity(getJSonResponse(accessToken, accessToken.getTokenType(), accessToken.getExpiresIn(), null, scope, idToken));
} else if (gt == GrantType.RESOURCE_OWNER_PASSWORD_CREDENTIALS) {
if (client == null) {
log.error("Invalid client", new RuntimeException("Client is empty"));
return response(error(401, TokenErrorResponseType.INVALID_CLIENT));
}
User user = null;
if (authenticationFilterService.isEnabled()) {
String userDn = authenticationFilterService.processAuthenticationFilters(request.getParameterMap());
if (StringHelper.isNotEmpty(userDn)) {
user = userService.getUserByDn(userDn);
}
}
if (user == null) {
boolean authenticated = authenticationService.authenticate(username, password);
if (authenticated) {
user = authenticationService.getAuthenticatedUser();
}
}
if (user != null) {
ResourceOwnerPasswordCredentialsGrant resourceOwnerPasswordCredentialsGrant = authorizationGrantList.createResourceOwnerPasswordCredentialsGrant(user, client);
AccessToken accessToken = resourceOwnerPasswordCredentialsGrant.createAccessToken();
RefreshToken reToken = resourceOwnerPasswordCredentialsGrant.createRefreshToken();
if (scope != null && !scope.isEmpty()) {
scope = resourceOwnerPasswordCredentialsGrant.checkScopesPolicy(scope);
}
IdToken idToken = null;
if (resourceOwnerPasswordCredentialsGrant.getScopes().contains("openid")) {
boolean includeIdTokenClaims = Boolean.TRUE.equals(appConfiguration.getLegacyIdTokenClaims());
idToken = resourceOwnerPasswordCredentialsGrant.createIdToken(null, null, null, resourceOwnerPasswordCredentialsGrant, includeIdTokenClaims);
}
oAuth2AuditLog.updateOAuth2AuditLog(resourceOwnerPasswordCredentialsGrant, true);
builder.entity(getJSonResponse(accessToken, accessToken.getTokenType(), accessToken.getExpiresIn(), reToken, scope, idToken));
} else {
log.error("Invalid user", new RuntimeException("User is empty"));
builder = error(401, TokenErrorResponseType.INVALID_CLIENT);
}
} else if (gt == GrantType.EXTENSION) {
builder = error(501, TokenErrorResponseType.INVALID_GRANT);
} else if (gt == GrantType.OXAUTH_EXCHANGE_TOKEN) {
AuthorizationGrant authorizationGrant = authorizationGrantList.getAuthorizationGrantByAccessToken(oxAuthExchangeToken);
if (authorizationGrant != null) {
final AccessToken accessToken = authorizationGrant.createLongLivedAccessToken();
oAuth2AuditLog.updateOAuth2AuditLog(authorizationGrant, true);
builder.entity(getJSonResponse(accessToken, accessToken.getTokenType(), accessToken.getExpiresIn(), null, null, null));
} else {
builder = error(401, TokenErrorResponseType.INVALID_GRANT);
}
}
}
} catch (WebApplicationException e) {
throw e;
} catch (SignatureException e) {
builder = Response.status(500);
log.error(e.getMessage(), e);
} catch (StringEncrypter.EncryptionException e) {
builder = Response.status(500);
log.error(e.getMessage(), e);
} catch (InvalidJwtException e) {
builder = Response.status(500);
log.error(e.getMessage(), e);
} catch (InvalidJweException e) {
builder = Response.status(500);
log.error(e.getMessage(), e);
} catch (Exception e) {
builder = Response.status(500);
log.error(e.getMessage(), e);
}
applicationAuditLogger.sendMessage(oAuth2AuditLog);
return response(builder);
}
use of org.xdi.oxauth.model.exception.InvalidJwtException in project oxAuth by GluuFederation.
the class SectorIdentifierUrlVerificationEmbeddedTest method requestAuthorizationCodeWithSectorIdentifierStep2.
// This test requires a place to publish a sector identifier JSON array of
// redirect URIs via HTTPS
@Parameters({ "authorizePath", "userId", "userSecret", "redirectUri" })
@Test(dependsOnMethods = "requestAuthorizationCodeWithSectorIdentifierStep1")
public void requestAuthorizationCodeWithSectorIdentifierStep2(final String authorizePath, final String userId, final String userSecret, final String redirectUri) throws Exception {
List<ResponseType> responseTypes = Arrays.asList(ResponseType.CODE, ResponseType.ID_TOKEN);
List<String> scopes = Arrays.asList("openid", "profile", "address", "email");
String state = UUID.randomUUID().toString();
String nonce = UUID.randomUUID().toString();
AuthorizationRequest authorizationRequest = new AuthorizationRequest(responseTypes, clientId1, scopes, redirectUri, nonce);
authorizationRequest.setState(state);
authorizationRequest.getPrompts().add(Prompt.NONE);
authorizationRequest.setAuthUsername(userId);
authorizationRequest.setAuthPassword(userSecret);
Builder request = ResteasyClientBuilder.newClient().target(url.toString() + authorizePath + "?" + authorizationRequest.getQueryString()).request();
request.header("Authorization", "Basic " + authorizationRequest.getEncodedCredentials());
request.header("Accept", MediaType.TEXT_PLAIN);
Response response = request.get();
String entity = response.readEntity(String.class);
showResponse("requestAuthorizationCodeWithSectorIdentifierStep2", response, entity);
assertEquals(response.getStatus(), 302, "Unexpected response code.");
assertNotNull(response.getLocation(), "Unexpected result: " + response.getLocation());
try {
URI uri = new URI(response.getLocation().toString());
assertNotNull(uri.getFragment());
Map<String, String> params = QueryStringDecoder.decode(uri.getFragment());
assertNotNull(params.get(AuthorizeResponseParam.CODE), "The code is null");
assertNotNull(params.get(AuthorizeResponseParam.ID_TOKEN), "The ID Token is null");
assertNotNull(params.get(AuthorizeResponseParam.SCOPE), "The scope is null");
assertNotNull(params.get(AuthorizeResponseParam.STATE), "The state is null");
String idToken = params.get(AuthorizeResponseParam.ID_TOKEN);
Jwt jwt = Jwt.parse(idToken);
assertNotNull(jwt.getHeader().getClaimAsString(JwtHeaderName.TYPE));
assertNotNull(jwt.getHeader().getClaimAsString(JwtHeaderName.ALGORITHM));
assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.SUBJECT_IDENTIFIER));
assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.ISSUER));
assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.AUDIENCE));
assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.EXPIRATION_TIME));
assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.ISSUED_AT));
assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.SUBJECT_IDENTIFIER));
assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.CODE_HASH));
assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.AUTHENTICATION_TIME));
} catch (URISyntaxException e) {
e.printStackTrace();
fail("Response URI is not well formed");
} catch (InvalidJwtException e) {
e.printStackTrace();
fail("Invalid JWT");
}
}
use of org.xdi.oxauth.model.exception.InvalidJwtException in project oxAuth by GluuFederation.
the class UserInfoRestWebServiceEmbeddedTest method requestUserInfoHS384Step3.
@Parameters({ "userInfoPath" })
@Test(dependsOnMethods = "requestUserInfoHS384Step2")
public void requestUserInfoHS384Step3(final String userInfoPath) throws Exception {
Builder request = ResteasyClientBuilder.newClient().target(url.toString() + userInfoPath).request();
request.header("Authorization", "Bearer " + accessToken6);
UserInfoRequest userInfoRequest = new UserInfoRequest(null);
Response response = request.post(Entity.form(new MultivaluedHashMap<String, String>(userInfoRequest.getParameters())));
String entity = response.readEntity(String.class);
showResponse("requestUserInfoHS384Step3", response, entity);
assertEquals(response.getStatus(), 200, "Unexpected response code.");
assertTrue(response.getHeaderString("Cache-Control") != null && response.getHeaderString("Cache-Control").equals("no-store, private"), "Unexpected result: " + response.getHeaderString("Cache-Control"));
assertTrue(response.getHeaderString("Pragma") != null && response.getHeaderString("Pragma").equals("no-cache"), "Unexpected result: " + response.getHeaderString("Pragma"));
assertNotNull(entity, "Unexpected result: " + entity);
try {
Jwt jwt = Jwt.parse(entity);
assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.SUBJECT_IDENTIFIER));
assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.NAME));
assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.EMAIL));
assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.PICTURE));
} catch (InvalidJwtException e) {
e.printStackTrace();
fail(e.getMessage() + "\nResponse was: " + entity);
} catch (Exception e) {
e.printStackTrace();
fail(e.getMessage());
}
}
use of org.xdi.oxauth.model.exception.InvalidJwtException in project oxAuth by GluuFederation.
the class UserInfoRestWebServiceEmbeddedTest method requestUserInfoHS256Step3.
@Parameters({ "userInfoPath" })
@Test(dependsOnMethods = "requestUserInfoHS256Step2")
public void requestUserInfoHS256Step3(final String userInfoPath) throws Exception {
Builder request = ResteasyClientBuilder.newClient().target(url.toString() + userInfoPath).request();
request.header("Authorization", "Bearer " + accessToken5);
request.header("Content-Type", MediaType.APPLICATION_FORM_URLENCODED);
UserInfoRequest userInfoRequest = new UserInfoRequest(null);
Response response = request.post(Entity.form(new MultivaluedHashMap<String, String>(userInfoRequest.getParameters())));
String entity = response.readEntity(String.class);
showResponse("requestUserInfoHS256Step3", response, entity);
assertEquals(response.getStatus(), 200, "Unexpected response code.");
assertTrue(response.getHeaderString("Cache-Control") != null && response.getHeaderString("Cache-Control").equals("no-store, private"), "Unexpected result: " + response.getHeaderString("Cache-Control"));
assertTrue(response.getHeaderString("Pragma") != null && response.getHeaderString("Pragma").equals("no-cache"), "Unexpected result: " + response.getHeaderString("Pragma"));
assertNotNull(entity, "Unexpected result: " + entity);
try {
Jwt jwt = Jwt.parse(entity);
assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.SUBJECT_IDENTIFIER));
assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.NAME));
assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.EMAIL));
assertNotNull(jwt.getClaims().getClaimAsString(JwtClaimName.PICTURE));
} catch (InvalidJwtException e) {
e.printStackTrace();
fail(e.getMessage() + "\nResponse was: " + entity);
} catch (Exception e) {
e.printStackTrace();
fail(e.getMessage());
}
}
use of org.xdi.oxauth.model.exception.InvalidJwtException in project oxAuth by GluuFederation.
the class TokenRequest method getClientAssertion.
public String getClientAssertion() {
Jwt clientAssertion = new Jwt();
if (algorithm == null) {
algorithm = SignatureAlgorithm.HS256;
}
GregorianCalendar calendar = new GregorianCalendar(TimeZone.getTimeZone("UTC"));
Date issuedAt = calendar.getTime();
calendar.add(Calendar.MINUTE, 5);
Date expirationTime = calendar.getTime();
// Header
clientAssertion.getHeader().setType(JwtType.JWT);
clientAssertion.getHeader().setAlgorithm(algorithm);
if (StringUtils.isNotBlank(keyId)) {
clientAssertion.getHeader().setKeyId(keyId);
}
// Claims
clientAssertion.getClaims().setIssuer(getAuthUsername());
clientAssertion.getClaims().setSubjectIdentifier(getAuthUsername());
clientAssertion.getClaims().setAudience(audience);
clientAssertion.getClaims().setJwtId(UUID.randomUUID());
clientAssertion.getClaims().setExpirationTime(expirationTime);
clientAssertion.getClaims().setIssuedAt(issuedAt);
// Signature
try {
if (sharedKey == null) {
sharedKey = getAuthPassword();
}
String signature = cryptoProvider.sign(clientAssertion.getSigningInput(), keyId, sharedKey, algorithm);
clientAssertion.setEncodedSignature(signature);
} catch (InvalidJwtException e) {
LOG.error(e.getMessage(), e);
} catch (Exception e) {
LOG.error(e.getMessage(), e);
}
return clientAssertion.toString();
}
Aggregations