Search in sources :

Example 1 with PairwiseIdentifier

use of org.xdi.oxauth.model.ldap.PairwiseIdentifier in project oxAuth by GluuFederation.

the class UserInfoRestWebServiceImpl method getJSonResponse.

/**
     * Builds a JSon String with the response parameters.
     */
public String getJSonResponse(User user, AuthorizationGrant authorizationGrant, Collection<String> scopes) throws Exception {
    JsonWebResponse jsonWebResponse = new JsonWebResponse();
    // Claims
    List<Scope> dynamicScopes = new ArrayList<Scope>();
    for (String scopeName : scopes) {
        org.xdi.oxauth.model.common.Scope scope = scopeService.getScopeByDisplayName(scopeName);
        if ((scope != null) && (org.xdi.oxauth.model.common.ScopeType.DYNAMIC == scope.getScopeType())) {
            dynamicScopes.add(scope);
            continue;
        }
        Map<String, Object> claims = getClaims(user, scope);
        if (scope.getIsOxAuthGroupClaims()) {
            JwtSubClaimObject groupClaim = new JwtSubClaimObject();
            groupClaim.setName(scope.getDisplayName());
            for (Map.Entry<String, Object> entry : claims.entrySet()) {
                String key = entry.getKey();
                Object value = entry.getValue();
                if (value instanceof List) {
                    groupClaim.setClaim(key, (List<String>) value);
                } else {
                    groupClaim.setClaim(key, (String) value);
                }
            }
            jsonWebResponse.getClaims().setClaim(scope.getDisplayName(), groupClaim);
        } else {
            for (Map.Entry<String, Object> entry : claims.entrySet()) {
                String key = entry.getKey();
                Object value = entry.getValue();
                if (value instanceof List) {
                    jsonWebResponse.getClaims().setClaim(key, (List<String>) value);
                } else {
                    jsonWebResponse.getClaims().setClaim(key, (String) value);
                }
            }
        }
        jsonWebResponse.getClaims().setSubjectIdentifier(authorizationGrant.getUser().getAttribute("inum"));
    }
    if (authorizationGrant.getJwtAuthorizationRequest() != null && authorizationGrant.getJwtAuthorizationRequest().getUserInfoMember() != null) {
        for (Claim claim : authorizationGrant.getJwtAuthorizationRequest().getUserInfoMember().getClaims()) {
            // ClaimValueType.OPTIONAL.equals(claim.getClaimValue().getClaimValueType());
            boolean optional = true;
            GluuAttribute gluuAttribute = attributeService.getByClaimName(claim.getName());
            if (gluuAttribute != null) {
                String ldapClaimName = gluuAttribute.getName();
                Object attribute = user.getAttribute(ldapClaimName, optional);
                if (attribute != null) {
                    if (attribute instanceof JSONArray) {
                        JSONArray jsonArray = (JSONArray) attribute;
                        List<String> values = new ArrayList<String>();
                        for (int i = 0; i < jsonArray.length(); i++) {
                            String value = jsonArray.optString(i);
                            if (value != null) {
                                values.add(value);
                            }
                        }
                        jsonWebResponse.getClaims().setClaim(claim.getName(), values);
                    } else {
                        String value = (String) attribute;
                        jsonWebResponse.getClaims().setClaim(claim.getName(), value);
                    }
                }
            }
        }
    }
    // Check for Subject Identifier Type
    if (authorizationGrant.getClient().getSubjectType() != null && SubjectType.fromString(authorizationGrant.getClient().getSubjectType()).equals(SubjectType.PAIRWISE)) {
        String sectorIdentifierUri = null;
        if (StringUtils.isNotBlank(authorizationGrant.getClient().getSectorIdentifierUri())) {
            sectorIdentifierUri = authorizationGrant.getClient().getSectorIdentifierUri();
        } else {
            sectorIdentifierUri = authorizationGrant.getClient().getRedirectUris()[0];
        }
        String userInum = authorizationGrant.getUser().getAttribute("inum");
        PairwiseIdentifier pairwiseIdentifier = pairwiseIdentifierService.findPairWiseIdentifier(userInum, sectorIdentifierUri);
        if (pairwiseIdentifier == null) {
            pairwiseIdentifier = new PairwiseIdentifier(sectorIdentifierUri);
            pairwiseIdentifier.setId(UUID.randomUUID().toString());
            pairwiseIdentifier.setDn(pairwiseIdentifierService.getDnForPairwiseIdentifier(pairwiseIdentifier.getId(), userInum));
            pairwiseIdentifierService.addPairwiseIdentifier(userInum, pairwiseIdentifier);
        }
        jsonWebResponse.getClaims().setSubjectIdentifier(pairwiseIdentifier.getId());
    } else {
        String openidSubAttribute = appConfiguration.getOpenidSubAttribute();
        jsonWebResponse.getClaims().setSubjectIdentifier(authorizationGrant.getUser().getAttribute(openidSubAttribute));
    }
    if ((dynamicScopes.size() > 0) && externalDynamicScopeService.isEnabled()) {
        final UnmodifiableAuthorizationGrant unmodifiableAuthorizationGrant = new UnmodifiableAuthorizationGrant(authorizationGrant);
        DynamicScopeExternalContext dynamicScopeContext = new DynamicScopeExternalContext(dynamicScopes, jsonWebResponse, unmodifiableAuthorizationGrant);
        externalDynamicScopeService.executeExternalUpdateMethods(dynamicScopeContext);
    }
    return jsonWebResponse.toString();
}
Also used : JsonWebResponse(org.xdi.oxauth.model.token.JsonWebResponse) JSONArray(org.codehaus.jettison.json.JSONArray) DynamicScopeExternalContext(org.xdi.oxauth.service.external.context.DynamicScopeExternalContext) JwtSubClaimObject(org.xdi.oxauth.model.jwt.JwtSubClaimObject) GluuAttribute(org.xdi.model.GluuAttribute) PairwiseIdentifier(org.xdi.oxauth.model.ldap.PairwiseIdentifier) org.xdi.oxauth.model.common(org.xdi.oxauth.model.common) JwtSubClaimObject(org.xdi.oxauth.model.jwt.JwtSubClaimObject) JSONObject(org.codehaus.jettison.json.JSONObject) Claim(org.xdi.oxauth.model.authorize.Claim)

Example 2 with PairwiseIdentifier

use of org.xdi.oxauth.model.ldap.PairwiseIdentifier in project oxAuth by GluuFederation.

the class UserInfoRestWebServiceImpl method getJwtResponse.

public String getJwtResponse(SignatureAlgorithm signatureAlgorithm, User user, AuthorizationGrant authorizationGrant, Collection<String> scopes) throws Exception {
    Jwt jwt = new Jwt();
    AbstractCryptoProvider cryptoProvider = CryptoProviderFactory.getCryptoProvider(appConfiguration);
    // Header
    jwt.getHeader().setType(JwtType.JWT);
    jwt.getHeader().setAlgorithm(signatureAlgorithm);
    String keyId = cryptoProvider.getKeyId(webKeysConfiguration, signatureAlgorithm);
    if (keyId != null) {
        jwt.getHeader().setKeyId(keyId);
    }
    // Claims
    List<Scope> dynamicScopes = new ArrayList<Scope>();
    for (String scopeName : scopes) {
        Scope scope = scopeService.getScopeByDisplayName(scopeName);
        if (org.xdi.oxauth.model.common.ScopeType.DYNAMIC == scope.getScopeType()) {
            dynamicScopes.add(scope);
            continue;
        }
        if (scope.getOxAuthClaims() != null) {
            for (String claimDn : scope.getOxAuthClaims()) {
                GluuAttribute gluuAttribute = attributeService.getAttributeByDn(claimDn);
                String claimName = gluuAttribute.getOxAuthClaimName();
                String ldapName = gluuAttribute.getName();
                String attributeValue = null;
                if (StringUtils.isNotBlank(claimName) && StringUtils.isNotBlank(ldapName)) {
                    if (ldapName.equals("uid")) {
                        attributeValue = user.getUserId();
                    } else {
                        attributeValue = user.getAttribute(gluuAttribute.getName());
                    }
                    jwt.getClaims().setClaim(claimName, attributeValue);
                }
            }
        }
    }
    if (authorizationGrant.getJwtAuthorizationRequest() != null && authorizationGrant.getJwtAuthorizationRequest().getUserInfoMember() != null) {
        for (Claim claim : authorizationGrant.getJwtAuthorizationRequest().getUserInfoMember().getClaims()) {
            // ClaimValueType.OPTIONAL.equals(claim.getClaimValue().getClaimValueType());
            boolean optional = true;
            GluuAttribute gluuAttribute = attributeService.getByClaimName(claim.getName());
            if (gluuAttribute != null) {
                String ldapClaimName = gluuAttribute.getName();
                Object attribute = user.getAttribute(ldapClaimName, optional);
                if (attribute != null) {
                    if (attribute instanceof JSONArray) {
                        JSONArray jsonArray = (JSONArray) attribute;
                        List<String> values = new ArrayList<String>();
                        for (int i = 0; i < jsonArray.length(); i++) {
                            String value = jsonArray.optString(i);
                            if (value != null) {
                                values.add(value);
                            }
                        }
                        jwt.getClaims().setClaim(claim.getName(), values);
                    } else {
                        String value = (String) attribute;
                        jwt.getClaims().setClaim(claim.getName(), value);
                    }
                }
            }
        }
    }
    // Check for Subject Identifier Type
    if (authorizationGrant.getClient().getSubjectType() != null && SubjectType.fromString(authorizationGrant.getClient().getSubjectType()).equals(SubjectType.PAIRWISE)) {
        String sectorIdentifierUri = null;
        if (StringUtils.isNotBlank(authorizationGrant.getClient().getSectorIdentifierUri())) {
            sectorIdentifierUri = authorizationGrant.getClient().getSectorIdentifierUri();
        } else {
            sectorIdentifierUri = authorizationGrant.getClient().getRedirectUris()[0];
        }
        String userInum = authorizationGrant.getUser().getAttribute("inum");
        PairwiseIdentifier pairwiseIdentifier = pairwiseIdentifierService.findPairWiseIdentifier(userInum, sectorIdentifierUri);
        if (pairwiseIdentifier == null) {
            pairwiseIdentifier = new PairwiseIdentifier(sectorIdentifierUri);
            pairwiseIdentifier.setId(UUID.randomUUID().toString());
            pairwiseIdentifier.setDn(pairwiseIdentifierService.getDnForPairwiseIdentifier(pairwiseIdentifier.getId(), userInum));
            pairwiseIdentifierService.addPairwiseIdentifier(userInum, pairwiseIdentifier);
        }
        jwt.getClaims().setSubjectIdentifier(pairwiseIdentifier.getId());
    } else {
        String openidSubAttribute = appConfiguration.getOpenidSubAttribute();
        jwt.getClaims().setSubjectIdentifier(authorizationGrant.getUser().getAttribute(openidSubAttribute));
    }
    // If signed, the UserInfo Response SHOULD contain the Claims iss (issuer) and aud (audience) as members. The iss value should be the OP's Issuer Identifier URL. The aud value should be or include the RP's Client ID value.
    jwt.getClaims().setIssuer(appConfiguration.getIssuer());
    jwt.getClaims().setAudience(authorizationGrant.getClientId());
    if ((dynamicScopes.size() > 0) && externalDynamicScopeService.isEnabled()) {
        final UnmodifiableAuthorizationGrant unmodifiableAuthorizationGrant = new UnmodifiableAuthorizationGrant(authorizationGrant);
        DynamicScopeExternalContext dynamicScopeContext = new DynamicScopeExternalContext(dynamicScopes, jwt, unmodifiableAuthorizationGrant);
        externalDynamicScopeService.executeExternalUpdateMethods(dynamicScopeContext);
    }
    // Signature
    String sharedSecret = clientService.decryptSecret(authorizationGrant.getClient().getClientSecret());
    String signature = cryptoProvider.sign(jwt.getSigningInput(), jwt.getHeader().getKeyId(), sharedSecret, signatureAlgorithm);
    jwt.setEncodedSignature(signature);
    return jwt.toString();
}
Also used : Jwt(org.xdi.oxauth.model.jwt.Jwt) JSONArray(org.codehaus.jettison.json.JSONArray) DynamicScopeExternalContext(org.xdi.oxauth.service.external.context.DynamicScopeExternalContext) GluuAttribute(org.xdi.model.GluuAttribute) PairwiseIdentifier(org.xdi.oxauth.model.ldap.PairwiseIdentifier) AbstractCryptoProvider(org.xdi.oxauth.model.crypto.AbstractCryptoProvider) JwtSubClaimObject(org.xdi.oxauth.model.jwt.JwtSubClaimObject) JSONObject(org.codehaus.jettison.json.JSONObject) Claim(org.xdi.oxauth.model.authorize.Claim)

Example 3 with PairwiseIdentifier

use of org.xdi.oxauth.model.ldap.PairwiseIdentifier in project oxAuth by GluuFederation.

the class PairwiseIdentifierService method findPairWiseIdentifier.

public PairwiseIdentifier findPairWiseIdentifier(String userInum, String sectorIdentifierUri) throws Exception {
    PairwiseIdType pairwiseIdType = PairwiseIdType.fromString(appConfiguration.getPairwiseIdType());
    String sectorIdentifier = URI.create(sectorIdentifierUri).getHost();
    if (PairwiseIdType.PERSISTENT == pairwiseIdType) {
        prepareBranch(userInum);
        String baseDnForPairwiseIdentifiers = getBaseDnForPairwiseIdentifiers(userInum);
        Filter filter = Filter.createEqualityFilter("oxSectorIdentifier", sectorIdentifier);
        List<PairwiseIdentifier> entries = ldapEntryManager.findEntries(baseDnForPairwiseIdentifiers, PairwiseIdentifier.class, filter);
        if (entries != null && !entries.isEmpty()) {
            // if more then one entry then it's problem, non-deterministic behavior, id must be unique
            if (entries.size() > 1) {
                log.error("Found more then one pairwise identifier by sector identifier: {}" + sectorIdentifier);
                for (PairwiseIdentifier pairwiseIdentifier : entries) {
                    log.error("PairwiseIdentifier: {}", pairwiseIdentifier);
                }
            }
            return entries.get(0);
        }
    } else {
        // PairwiseIdType.ALGORITHMIC
        String key = appConfiguration.getPairwiseCalculationKey();
        String salt = appConfiguration.getPairwiseCalculationSalt();
        String calculatedSub = SubjectIdentifierGenerator.generatePairwiseSubjectIdentifier(sectorIdentifierUri, userInum, key, salt, appConfiguration);
        PairwiseIdentifier pairwiseIdentifier = new PairwiseIdentifier(sectorIdentifierUri);
        pairwiseIdentifier.setId(calculatedSub);
        return pairwiseIdentifier;
    }
    return null;
}
Also used : PairwiseIdentifier(org.xdi.oxauth.model.ldap.PairwiseIdentifier) Filter(com.unboundid.ldap.sdk.Filter) PairwiseIdType(org.xdi.oxauth.model.common.PairwiseIdType)

Example 4 with PairwiseIdentifier

use of org.xdi.oxauth.model.ldap.PairwiseIdentifier in project oxAuth by GluuFederation.

the class IdTokenFactory method generateSignedIdToken.

public Jwt generateSignedIdToken(IAuthorizationGrant authorizationGrant, String nonce, AuthorizationCode authorizationCode, AccessToken accessToken, Set<String> scopes, boolean includeIdTokenClaims) throws Exception {
    JwtSigner jwtSigner = JwtSigner.newJwtSigner(appConfiguration, webKeysConfiguration, authorizationGrant.getClient());
    Jwt jwt = jwtSigner.newJwt();
    int lifeTime = appConfiguration.getIdTokenLifetime();
    Calendar calendar = Calendar.getInstance();
    Date issuedAt = calendar.getTime();
    calendar.add(Calendar.SECOND, lifeTime);
    Date expiration = calendar.getTime();
    jwt.getClaims().setExpirationTime(expiration);
    jwt.getClaims().setIssuedAt(issuedAt);
    if (authorizationGrant.getAcrValues() != null) {
        jwt.getClaims().setClaim(JwtClaimName.AUTHENTICATION_CONTEXT_CLASS_REFERENCE, authorizationGrant.getAcrValues());
        setAmrClaim(jwt, authorizationGrant.getAcrValues());
    }
    if (StringUtils.isNotBlank(nonce)) {
        jwt.getClaims().setClaim(JwtClaimName.NONCE, nonce);
    }
    if (authorizationGrant.getAuthenticationTime() != null) {
        jwt.getClaims().setClaim(JwtClaimName.AUTHENTICATION_TIME, authorizationGrant.getAuthenticationTime());
    }
    if (authorizationCode != null) {
        String codeHash = authorizationCode.getHash(jwtSigner.getSignatureAlgorithm());
        jwt.getClaims().setClaim(JwtClaimName.CODE_HASH, codeHash);
    }
    if (accessToken != null) {
        String accessTokenHash = accessToken.getHash(jwtSigner.getSignatureAlgorithm());
        jwt.getClaims().setClaim(JwtClaimName.ACCESS_TOKEN_HASH, accessTokenHash);
    }
    jwt.getClaims().setClaim(JwtClaimName.OX_OPENID_CONNECT_VERSION, appConfiguration.getOxOpenIdConnectVersion());
    List<org.xdi.oxauth.model.common.Scope> dynamicScopes = Lists.newArrayList();
    if (includeIdTokenClaims) {
        for (String scopeName : scopes) {
            org.xdi.oxauth.model.common.Scope scope = scopeService.getScopeByDisplayName(scopeName);
            if ((scope != null) && (org.xdi.oxauth.model.common.ScopeType.DYNAMIC == scope.getScopeType())) {
                dynamicScopes.add(scope);
                continue;
            }
            if (scope != null && scope.getOxAuthClaims() != null) {
                if (scope.getIsOxAuthGroupClaims()) {
                    JwtSubClaimObject groupClaim = new JwtSubClaimObject();
                    groupClaim.setName(scope.getDisplayName());
                    for (String claimDn : scope.getOxAuthClaims()) {
                        GluuAttribute gluuAttribute = attributeService.getAttributeByDn(claimDn);
                        String claimName = gluuAttribute.getOxAuthClaimName();
                        String ldapName = gluuAttribute.getName();
                        String attributeValue;
                        if (StringUtils.isNotBlank(claimName) && StringUtils.isNotBlank(ldapName)) {
                            if (ldapName.equals("uid")) {
                                attributeValue = authorizationGrant.getUser().getUserId();
                            } else {
                                attributeValue = authorizationGrant.getUser().getAttribute(gluuAttribute.getName());
                            }
                            groupClaim.setClaim(claimName, attributeValue);
                        }
                    }
                    jwt.getClaims().setClaim(scope.getDisplayName(), groupClaim);
                } else {
                    for (String claimDn : scope.getOxAuthClaims()) {
                        GluuAttribute gluuAttribute = attributeService.getAttributeByDn(claimDn);
                        String claimName = gluuAttribute.getOxAuthClaimName();
                        String ldapName = gluuAttribute.getName();
                        String attributeValue;
                        if (StringUtils.isNotBlank(claimName) && StringUtils.isNotBlank(ldapName)) {
                            if (ldapName.equals("uid")) {
                                attributeValue = authorizationGrant.getUser().getUserId();
                            } else {
                                attributeValue = authorizationGrant.getUser().getAttribute(gluuAttribute.getName());
                            }
                            jwt.getClaims().setClaim(claimName, attributeValue);
                        }
                    }
                }
            }
        }
    }
    if (authorizationGrant.getJwtAuthorizationRequest() != null && authorizationGrant.getJwtAuthorizationRequest().getIdTokenMember() != null) {
        for (Claim claim : authorizationGrant.getJwtAuthorizationRequest().getIdTokenMember().getClaims()) {
            // ClaimValueType.OPTIONAL.equals(claim.getClaimValue().getClaimValueType());
            boolean optional = true;
            GluuAttribute gluuAttribute = attributeService.getByClaimName(claim.getName());
            if (gluuAttribute != null) {
                String ldapClaimName = gluuAttribute.getName();
                Object attribute = authorizationGrant.getUser().getAttribute(ldapClaimName, optional);
                if (attribute != null) {
                    if (attribute instanceof JSONArray) {
                        JSONArray jsonArray = (JSONArray) attribute;
                        List<String> values = new ArrayList<String>();
                        for (int i = 0; i < jsonArray.length(); i++) {
                            String value = jsonArray.optString(i);
                            if (value != null) {
                                values.add(value);
                            }
                        }
                        jwt.getClaims().setClaim(claim.getName(), values);
                    } else {
                        String value = (String) attribute;
                        jwt.getClaims().setClaim(claim.getName(), value);
                    }
                }
            }
        }
    }
    // Check for Subject Identifier Type
    if (authorizationGrant.getClient().getSubjectType() != null && SubjectType.fromString(authorizationGrant.getClient().getSubjectType()).equals(SubjectType.PAIRWISE)) {
        String sectorIdentifierUri = null;
        if (StringUtils.isNotBlank(authorizationGrant.getClient().getSectorIdentifierUri())) {
            sectorIdentifierUri = authorizationGrant.getClient().getSectorIdentifierUri();
        } else {
            sectorIdentifierUri = authorizationGrant.getClient().getRedirectUris()[0];
        }
        String userInum = authorizationGrant.getUser().getAttribute("inum");
        PairwiseIdentifier pairwiseIdentifier = pairwiseIdentifierService.findPairWiseIdentifier(userInum, sectorIdentifierUri);
        if (pairwiseIdentifier == null) {
            pairwiseIdentifier = new PairwiseIdentifier(sectorIdentifierUri);
            pairwiseIdentifier.setId(UUID.randomUUID().toString());
            pairwiseIdentifier.setDn(pairwiseIdentifierService.getDnForPairwiseIdentifier(pairwiseIdentifier.getId(), userInum));
            pairwiseIdentifierService.addPairwiseIdentifier(userInum, pairwiseIdentifier);
        }
        jwt.getClaims().setSubjectIdentifier(pairwiseIdentifier.getId());
    } else {
        String openidSubAttribute = appConfiguration.getOpenidSubAttribute();
        if (openidSubAttribute.equals("uid")) {
            jwt.getClaims().setSubjectIdentifier(authorizationGrant.getUser().getUserId());
        } else {
            jwt.getClaims().setSubjectIdentifier(authorizationGrant.getUser().getAttribute(openidSubAttribute));
        }
    }
    if ((dynamicScopes.size() > 0) && externalDynamicScopeService.isEnabled()) {
        final UnmodifiableAuthorizationGrant unmodifiableAuthorizationGrant = new UnmodifiableAuthorizationGrant(authorizationGrant);
        DynamicScopeExternalContext dynamicScopeContext = new DynamicScopeExternalContext(dynamicScopes, jwt, unmodifiableAuthorizationGrant);
        externalDynamicScopeService.executeExternalUpdateMethods(dynamicScopeContext);
    }
    return jwtSigner.sign();
}
Also used : PairwiseIdentifier(org.xdi.oxauth.model.ldap.PairwiseIdentifier) org.xdi.oxauth.model.common(org.xdi.oxauth.model.common) Jwt(org.xdi.oxauth.model.jwt.Jwt) JSONArray(org.codehaus.jettison.json.JSONArray) DynamicScopeExternalContext(org.xdi.oxauth.service.external.context.DynamicScopeExternalContext) JwtSubClaimObject(org.xdi.oxauth.model.jwt.JwtSubClaimObject) GluuAttribute(org.xdi.model.GluuAttribute) JwtSubClaimObject(org.xdi.oxauth.model.jwt.JwtSubClaimObject) JSONObject(org.codehaus.jettison.json.JSONObject) Claim(org.xdi.oxauth.model.authorize.Claim)

Example 5 with PairwiseIdentifier

use of org.xdi.oxauth.model.ldap.PairwiseIdentifier in project oxAuth by GluuFederation.

the class IdTokenFactory method generateEncryptedIdToken.

public Jwe generateEncryptedIdToken(IAuthorizationGrant authorizationGrant, String nonce, AuthorizationCode authorizationCode, AccessToken accessToken, Set<String> scopes, boolean includeIdTokenClaims) throws Exception {
    Jwe jwe = new Jwe();
    // Header
    KeyEncryptionAlgorithm keyEncryptionAlgorithm = KeyEncryptionAlgorithm.fromName(authorizationGrant.getClient().getIdTokenEncryptedResponseAlg());
    BlockEncryptionAlgorithm blockEncryptionAlgorithm = BlockEncryptionAlgorithm.fromName(authorizationGrant.getClient().getIdTokenEncryptedResponseEnc());
    jwe.getHeader().setType(JwtType.JWT);
    jwe.getHeader().setAlgorithm(keyEncryptionAlgorithm);
    jwe.getHeader().setEncryptionMethod(blockEncryptionAlgorithm);
    // Claims
    jwe.getClaims().setIssuer(appConfiguration.getIssuer());
    jwe.getClaims().setAudience(authorizationGrant.getClient().getClientId());
    int lifeTime = appConfiguration.getIdTokenLifetime();
    Calendar calendar = Calendar.getInstance();
    Date issuedAt = calendar.getTime();
    calendar.add(Calendar.SECOND, lifeTime);
    Date expiration = calendar.getTime();
    jwe.getClaims().setExpirationTime(expiration);
    jwe.getClaims().setIssuedAt(issuedAt);
    if (authorizationGrant.getAcrValues() != null) {
        jwe.getClaims().setClaim(JwtClaimName.AUTHENTICATION_CONTEXT_CLASS_REFERENCE, authorizationGrant.getAcrValues());
        setAmrClaim(jwe, authorizationGrant.getAcrValues());
    }
    if (StringUtils.isNotBlank(nonce)) {
        jwe.getClaims().setClaim(JwtClaimName.NONCE, nonce);
    }
    if (authorizationGrant.getAuthenticationTime() != null) {
        jwe.getClaims().setClaim(JwtClaimName.AUTHENTICATION_TIME, authorizationGrant.getAuthenticationTime());
    }
    if (authorizationCode != null) {
        String codeHash = authorizationCode.getHash(null);
        jwe.getClaims().setClaim(JwtClaimName.CODE_HASH, codeHash);
    }
    if (accessToken != null) {
        String accessTokenHash = accessToken.getHash(null);
        jwe.getClaims().setClaim(JwtClaimName.ACCESS_TOKEN_HASH, accessTokenHash);
    }
    jwe.getClaims().setClaim(JwtClaimName.OX_OPENID_CONNECT_VERSION, appConfiguration.getOxOpenIdConnectVersion());
    List<org.xdi.oxauth.model.common.Scope> dynamicScopes = Lists.newArrayList();
    if (includeIdTokenClaims) {
        for (String scopeName : scopes) {
            org.xdi.oxauth.model.common.Scope scope = scopeService.getScopeByDisplayName(scopeName);
            if (org.xdi.oxauth.model.common.ScopeType.DYNAMIC == scope.getScopeType()) {
                dynamicScopes.add(scope);
                continue;
            }
            if (scope != null && scope.getOxAuthClaims() != null) {
                for (String claimDn : scope.getOxAuthClaims()) {
                    GluuAttribute gluuAttribute = attributeService.getAttributeByDn(claimDn);
                    String claimName = gluuAttribute.getOxAuthClaimName();
                    String ldapName = gluuAttribute.getName();
                    String attributeValue;
                    if (StringUtils.isNotBlank(claimName) && StringUtils.isNotBlank(ldapName)) {
                        if (ldapName.equals("uid")) {
                            attributeValue = authorizationGrant.getUser().getUserId();
                        } else {
                            attributeValue = authorizationGrant.getUser().getAttribute(gluuAttribute.getName());
                        }
                        jwe.getClaims().setClaim(claimName, attributeValue);
                    }
                }
            }
        }
    }
    if (authorizationGrant.getJwtAuthorizationRequest() != null && authorizationGrant.getJwtAuthorizationRequest().getIdTokenMember() != null) {
        for (Claim claim : authorizationGrant.getJwtAuthorizationRequest().getIdTokenMember().getClaims()) {
            // ClaimValueType.OPTIONAL.equals(claim.getClaimValue().getClaimValueType());
            boolean optional = true;
            GluuAttribute gluuAttribute = attributeService.getByClaimName(claim.getName());
            if (gluuAttribute != null) {
                String ldapClaimName = gluuAttribute.getName();
                Object attribute = authorizationGrant.getUser().getAttribute(ldapClaimName, optional);
                if (attribute != null) {
                    if (attribute instanceof JSONArray) {
                        JSONArray jsonArray = (JSONArray) attribute;
                        List<String> values = new ArrayList<String>();
                        for (int i = 0; i < jsonArray.length(); i++) {
                            String value = jsonArray.optString(i);
                            if (value != null) {
                                values.add(value);
                            }
                        }
                        jwe.getClaims().setClaim(claim.getName(), values);
                    } else {
                        String value = (String) attribute;
                        jwe.getClaims().setClaim(claim.getName(), value);
                    }
                }
            }
        }
    }
    // Check for Subject Identifier Type
    if (authorizationGrant.getClient().getSubjectType() != null && SubjectType.fromString(authorizationGrant.getClient().getSubjectType()).equals(SubjectType.PAIRWISE)) {
        String sectorIdentifierUri;
        if (StringUtils.isNotBlank(authorizationGrant.getClient().getSectorIdentifierUri())) {
            sectorIdentifierUri = authorizationGrant.getClient().getSectorIdentifierUri();
        } else {
            sectorIdentifierUri = authorizationGrant.getClient().getRedirectUris()[0];
        }
        String userInum = authorizationGrant.getUser().getAttribute("inum");
        PairwiseIdentifier pairwiseIdentifier = pairwiseIdentifierService.findPairWiseIdentifier(userInum, sectorIdentifierUri);
        if (pairwiseIdentifier == null) {
            pairwiseIdentifier = new PairwiseIdentifier(sectorIdentifierUri);
            pairwiseIdentifier.setId(UUID.randomUUID().toString());
            pairwiseIdentifier.setDn(pairwiseIdentifierService.getDnForPairwiseIdentifier(pairwiseIdentifier.getId(), userInum));
            pairwiseIdentifierService.addPairwiseIdentifier(userInum, pairwiseIdentifier);
        }
        jwe.getClaims().setSubjectIdentifier(pairwiseIdentifier.getId());
    } else {
        String openidSubAttribute = appConfiguration.getOpenidSubAttribute();
        if (openidSubAttribute.equals("uid")) {
            jwe.getClaims().setSubjectIdentifier(authorizationGrant.getUser().getUserId());
        } else {
            jwe.getClaims().setSubjectIdentifier(authorizationGrant.getUser().getAttribute(openidSubAttribute));
        }
    }
    if ((dynamicScopes.size() > 0) && externalDynamicScopeService.isEnabled()) {
        final UnmodifiableAuthorizationGrant unmodifiableAuthorizationGrant = new UnmodifiableAuthorizationGrant(authorizationGrant);
        DynamicScopeExternalContext dynamicScopeContext = new DynamicScopeExternalContext(dynamicScopes, jwe, unmodifiableAuthorizationGrant);
        externalDynamicScopeService.executeExternalUpdateMethods(dynamicScopeContext);
    }
    // Encryption
    if (keyEncryptionAlgorithm == KeyEncryptionAlgorithm.RSA_OAEP || keyEncryptionAlgorithm == KeyEncryptionAlgorithm.RSA1_5) {
        JSONObject jsonWebKeys = JwtUtil.getJSONWebKeys(authorizationGrant.getClient().getJwksUri());
        AbstractCryptoProvider cryptoProvider = CryptoProviderFactory.getCryptoProvider(appConfiguration);
        String keyId = cryptoProvider.getKeyId(JSONWebKeySet.fromJSONObject(jsonWebKeys), SignatureAlgorithm.RS256);
        PublicKey publicKey = cryptoProvider.getPublicKey(keyId, jsonWebKeys);
        if (publicKey != null) {
            JweEncrypter jweEncrypter = new JweEncrypterImpl(keyEncryptionAlgorithm, blockEncryptionAlgorithm, publicKey);
            jwe = jweEncrypter.encrypt(jwe);
        } else {
            throw new InvalidJweException("The public key is not valid");
        }
    } else if (keyEncryptionAlgorithm == KeyEncryptionAlgorithm.A128KW || keyEncryptionAlgorithm == KeyEncryptionAlgorithm.A256KW) {
        try {
            byte[] sharedSymmetricKey = clientService.decryptSecret(authorizationGrant.getClient().getClientSecret()).getBytes(Util.UTF8_STRING_ENCODING);
            JweEncrypter jweEncrypter = new JweEncrypterImpl(keyEncryptionAlgorithm, blockEncryptionAlgorithm, sharedSymmetricKey);
            jwe = jweEncrypter.encrypt(jwe);
        } catch (UnsupportedEncodingException e) {
            throw new InvalidJweException(e);
        } catch (StringEncrypter.EncryptionException e) {
            throw new InvalidJweException(e);
        } catch (Exception e) {
            throw new InvalidJweException(e);
        }
    }
    return jwe;
}
Also used : BlockEncryptionAlgorithm(org.xdi.oxauth.model.crypto.encryption.BlockEncryptionAlgorithm) PairwiseIdentifier(org.xdi.oxauth.model.ldap.PairwiseIdentifier) org.xdi.oxauth.model.common(org.xdi.oxauth.model.common) Jwe(org.xdi.oxauth.model.jwe.Jwe) AbstractCryptoProvider(org.xdi.oxauth.model.crypto.AbstractCryptoProvider) JweEncrypter(org.xdi.oxauth.model.jwe.JweEncrypter) InvalidJweException(org.xdi.oxauth.model.exception.InvalidJweException) PublicKey(java.security.PublicKey) JSONArray(org.codehaus.jettison.json.JSONArray) UnsupportedEncodingException(java.io.UnsupportedEncodingException) DynamicScopeExternalContext(org.xdi.oxauth.service.external.context.DynamicScopeExternalContext) InvalidJweException(org.xdi.oxauth.model.exception.InvalidJweException) UnsupportedEncodingException(java.io.UnsupportedEncodingException) GluuAttribute(org.xdi.model.GluuAttribute) JSONObject(org.codehaus.jettison.json.JSONObject) KeyEncryptionAlgorithm(org.xdi.oxauth.model.crypto.encryption.KeyEncryptionAlgorithm) JwtSubClaimObject(org.xdi.oxauth.model.jwt.JwtSubClaimObject) JSONObject(org.codehaus.jettison.json.JSONObject) JweEncrypterImpl(org.xdi.oxauth.model.jwe.JweEncrypterImpl) Claim(org.xdi.oxauth.model.authorize.Claim)

Aggregations

PairwiseIdentifier (org.xdi.oxauth.model.ldap.PairwiseIdentifier)6 JSONArray (org.codehaus.jettison.json.JSONArray)5 JSONObject (org.codehaus.jettison.json.JSONObject)5 GluuAttribute (org.xdi.model.GluuAttribute)5 Claim (org.xdi.oxauth.model.authorize.Claim)5 JwtSubClaimObject (org.xdi.oxauth.model.jwt.JwtSubClaimObject)5 DynamicScopeExternalContext (org.xdi.oxauth.service.external.context.DynamicScopeExternalContext)5 org.xdi.oxauth.model.common (org.xdi.oxauth.model.common)3 AbstractCryptoProvider (org.xdi.oxauth.model.crypto.AbstractCryptoProvider)3 UnsupportedEncodingException (java.io.UnsupportedEncodingException)2 PublicKey (java.security.PublicKey)2 InvalidJweException (org.xdi.oxauth.model.exception.InvalidJweException)2 Jwe (org.xdi.oxauth.model.jwe.Jwe)2 JweEncrypter (org.xdi.oxauth.model.jwe.JweEncrypter)2 JweEncrypterImpl (org.xdi.oxauth.model.jwe.JweEncrypterImpl)2 Jwt (org.xdi.oxauth.model.jwt.Jwt)2 Filter (com.unboundid.ldap.sdk.Filter)1 SignatureException (java.security.SignatureException)1 EntryPersistenceException (org.gluu.site.ldap.persistence.exception.EntryPersistenceException)1 PairwiseIdType (org.xdi.oxauth.model.common.PairwiseIdType)1