use of org.xdi.oxauth.model.registration.Client in project oxAuth by GluuFederation.
the class RedirectionUriService method validateRedirectionUri.
public String validateRedirectionUri(String clientIdentifier, String redirectionUri) {
try {
Client client = clientService.getClient(clientIdentifier);
if (client != null) {
String sectorIdentifierUri = client.getSectorIdentifierUri();
String[] redirectUris = client.getRedirectUris();
if (StringUtils.isNotBlank(sectorIdentifierUri)) {
ClientRequest clientRequest = new ClientRequest(sectorIdentifierUri);
clientRequest.setHttpMethod(HttpMethod.GET);
ClientResponse<String> clientResponse = clientRequest.get(String.class);
int status = clientResponse.getStatus();
if (status == 200) {
String entity = clientResponse.getEntity(String.class);
JSONArray sectorIdentifierJsonArray = new JSONArray(entity);
redirectUris = new String[sectorIdentifierJsonArray.length()];
for (int i = 0; i < sectorIdentifierJsonArray.length(); i++) {
redirectUris[i] = sectorIdentifierJsonArray.getString(i);
}
} else {
return null;
}
}
if (StringUtils.isNotBlank(redirectionUri)) {
log.debug("Validating redirection URI: clientIdentifier = {}, redirectionUri = {}, found = {}", clientIdentifier, redirectionUri, redirectUris.length);
final String redirectUriWithoutParams = uriWithoutParams(redirectionUri);
for (String uri : redirectUris) {
log.debug("Comparing {} == {}", uri, redirectionUri);
if (uri.equals(redirectionUri)) {
// compare complete uri
return redirectionUri;
}
String uriWithoutParams = uriWithoutParams(uri);
final Map<String, String> params = getParams(uri);
if ((uriWithoutParams.equals(redirectUriWithoutParams) && params.size() == 0 && getParams(redirectionUri).size() == 0) || uriWithoutParams.equals(redirectUriWithoutParams) && params.size() > 0 && compareParams(redirectionUri, uri)) {
return redirectionUri;
}
}
} else {
// Accept Request Without redirect_uri when One Registered
if (redirectUris != null && redirectUris.length == 1) {
return redirectUris[0];
}
}
}
} catch (Exception e) {
return null;
}
return null;
}
use of org.xdi.oxauth.model.registration.Client in project oxAuth by GluuFederation.
the class RedirectionUriService method validatePostLogoutRedirectUri.
public String validatePostLogoutRedirectUri(String clientId, String postLogoutRedirectUri) {
boolean isBlank = Util.isNullOrEmpty(postLogoutRedirectUri);
Client client = clientService.getClient(clientId);
if (client != null) {
String[] postLogoutRedirectUris = client.getPostLogoutRedirectUris();
if (postLogoutRedirectUris != null && StringUtils.isNotBlank(postLogoutRedirectUri)) {
log.debug("Validating post logout redirect URI: clientId = {}, postLogoutRedirectUri = {}", clientId, postLogoutRedirectUri);
for (String uri : postLogoutRedirectUris) {
log.debug("Comparing {} == {}", uri, postLogoutRedirectUri);
if (uri.equals(postLogoutRedirectUri)) {
return postLogoutRedirectUri;
}
}
} else {
// Accept Request Without post_logout_redirect_uri when One Registered
if (postLogoutRedirectUris != null && postLogoutRedirectUris.length == 1) {
return postLogoutRedirectUris[0];
}
}
}
if (!isBlank) {
errorResponseFactory.throwBadRequestException(EndSessionErrorResponseType.INVALID_REQUEST);
}
return null;
}
use of org.xdi.oxauth.model.registration.Client in project oxAuth by GluuFederation.
the class ClientAssertion method load.
private boolean load(AppConfiguration appConfiguration, String clientId, ClientAssertionType clientAssertionType, String encodedAssertion) throws Exception {
boolean result;
if (clientAssertionType == ClientAssertionType.JWT_BEARER) {
if (StringUtils.isNotBlank(encodedAssertion)) {
jwt = Jwt.parse(encodedAssertion);
// TODO: Store jti this value to check for duplicates
// Validate clientId
String issuer = jwt.getClaims().getClaimAsString(JwtClaimName.ISSUER);
String subject = jwt.getClaims().getClaimAsString(JwtClaimName.SUBJECT_IDENTIFIER);
List<String> audience = jwt.getClaims().getClaimAsStringList(JwtClaimName.AUDIENCE);
Date expirationTime = jwt.getClaims().getClaimAsDate(JwtClaimName.EXPIRATION_TIME);
//SignatureAlgorithm algorithm = SignatureAlgorithm.fromName(jwt.getHeader().getClaimAsString(JwtHeaderName.ALGORITHM));
if ((clientId == null && StringUtils.isNotBlank(issuer) && StringUtils.isNotBlank(subject) && issuer.equals(subject)) || (StringUtils.isNotBlank(clientId) && StringUtils.isNotBlank(issuer) && StringUtils.isNotBlank(subject) && clientId.equals(issuer) && issuer.equals(subject))) {
// Validate audience
String tokenUrl = appConfiguration.getTokenEndpoint();
if (audience != null && audience.contains(tokenUrl)) {
// Validate expiration
if (expirationTime.after(new Date())) {
ClientService clientService = CdiUtil.bean(ClientService.class);
Client client = clientService.getClient(subject);
// Validate client
if (client != null) {
JwtType jwtType = JwtType.fromString(jwt.getHeader().getClaimAsString(JwtHeaderName.TYPE));
AuthenticationMethod authenticationMethod = client.getAuthenticationMethod();
SignatureAlgorithm signatureAlgorithm = jwt.getHeader().getAlgorithm();
if (jwtType == null && signatureAlgorithm != null) {
jwtType = signatureAlgorithm.getJwtType();
}
if (jwtType != null && signatureAlgorithm != null && signatureAlgorithm.getFamily() != null && ((authenticationMethod == AuthenticationMethod.CLIENT_SECRET_JWT && signatureAlgorithm.getFamily().equals("HMAC")) || (authenticationMethod == AuthenticationMethod.PRIVATE_KEY_JWT && (signatureAlgorithm.getFamily().equals("RSA") || signatureAlgorithm.getFamily().equals("EC"))))) {
clientSecret = clientService.decryptSecret(client.getClientSecret());
// Validate the crypto segment
String keyId = jwt.getHeader().getKeyId();
JSONObject jwks = Strings.isNullOrEmpty(client.getJwks()) ? JwtUtil.getJSONWebKeys(client.getJwksUri()) : new JSONObject(client.getJwks());
String sharedSecret = clientService.decryptSecret(client.getClientSecret());
AbstractCryptoProvider cryptoProvider = CryptoProviderFactory.getCryptoProvider(appConfiguration);
boolean validSignature = cryptoProvider.verifySignature(jwt.getSigningInput(), jwt.getEncodedSignature(), keyId, jwks, sharedSecret, signatureAlgorithm);
if (validSignature) {
result = true;
} else {
throw new InvalidJwtException("Invalid cryptographic segment");
}
} else {
throw new InvalidJwtException("Invalid authentication method");
}
} else {
throw new InvalidJwtException("Invalid client");
}
} else {
throw new InvalidJwtException("JWT has expired");
}
} else {
throw new InvalidJwtException("Invalid audience: " + audience + ", tokenUrl: " + tokenUrl);
}
} else {
throw new InvalidJwtException("Invalid clientId");
}
} else {
throw new InvalidJwtException("The Client Assertion is null or empty");
}
} else {
throw new InvalidJwtException("Invalid Client Assertion Type");
}
return result;
}
use of org.xdi.oxauth.model.registration.Client in project oxAuth by GluuFederation.
the class RegisterRestWebServiceImpl method registerClientImpl.
private Response registerClientImpl(String requestParams, HttpServletRequest httpRequest, SecurityContext securityContext) {
Response.ResponseBuilder builder = Response.ok();
OAuth2AuditLog oAuth2AuditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(httpRequest), Action.CLIENT_REGISTRATION);
try {
if (appConfiguration.getDynamicRegistrationEnabled()) {
final RegisterRequest r = RegisterRequest.fromJson(requestParams);
log.debug("Attempting to register client: applicationType = {}, clientName = {}, redirectUris = {}, isSecure = {}, sectorIdentifierUri = {}, params = {}", r.getApplicationType(), r.getClientName(), r.getRedirectUris(), securityContext.isSecure(), r.getSectorIdentifierUri(), requestParams);
if (r.getSubjectType() == null) {
SubjectType defaultSubjectType = SubjectType.fromString(appConfiguration.getDefaultSubjectType());
if (defaultSubjectType != null) {
r.setSubjectType(defaultSubjectType);
} else if (appConfiguration.getSubjectTypesSupported().contains(SubjectType.PUBLIC.toString())) {
r.setSubjectType(SubjectType.PUBLIC);
} else if (appConfiguration.getSubjectTypesSupported().contains(SubjectType.PAIRWISE.toString())) {
r.setSubjectType(SubjectType.PAIRWISE);
}
}
if (r.getIdTokenSignedResponseAlg() == null) {
r.setIdTokenSignedResponseAlg(SignatureAlgorithm.fromString(appConfiguration.getDefaultSignatureAlgorithm()));
}
if (r.getIdTokenSignedResponseAlg() != SignatureAlgorithm.NONE) {
if (registerParamsValidator.validateParamsClientRegister(r.getApplicationType(), r.getSubjectType(), r.getRedirectUris(), r.getSectorIdentifierUri())) {
if (!registerParamsValidator.validateRedirectUris(r.getApplicationType(), r.getSubjectType(), r.getRedirectUris(), r.getSectorIdentifierUri())) {
builder = Response.status(Response.Status.BAD_REQUEST.getStatusCode());
builder.entity(errorResponseFactory.getErrorAsJson(RegisterErrorResponseType.INVALID_REDIRECT_URI));
} else {
registerParamsValidator.validateLogoutUri(r.getFrontChannelLogoutUris(), r.getRedirectUris(), errorResponseFactory);
String clientsBaseDN = staticConfiguration.getBaseDn().getClients();
String inum = inumService.generateClientInum();
String generatedClientSecret = UUID.randomUUID().toString();
final Client client = new Client();
client.setDn("inum=" + inum + "," + clientsBaseDN);
client.setClientId(inum);
client.setClientSecret(clientService.encryptSecret(generatedClientSecret));
client.setRegistrationAccessToken(HandleTokenFactory.generateHandleToken());
final Calendar calendar = new GregorianCalendar(TimeZone.getTimeZone("UTC"));
client.setClientIdIssuedAt(calendar.getTime());
if (appConfiguration.getDynamicRegistrationExpirationTime() > 0) {
calendar.add(Calendar.SECOND, appConfiguration.getDynamicRegistrationExpirationTime());
client.setClientSecretExpiresAt(calendar.getTime());
}
if (StringUtils.isBlank(r.getClientName()) && r.getRedirectUris() != null && !r.getRedirectUris().isEmpty()) {
try {
URI redUri = new URI(r.getRedirectUris().get(0));
client.setClientName(redUri.getHost());
} catch (Exception e) {
//ignore
log.error(e.getMessage(), e);
client.setClientName("Unknown");
}
}
updateClientFromRequestObject(client, r);
boolean registerClient = true;
if (externalDynamicClientRegistrationService.isEnabled()) {
registerClient = externalDynamicClientRegistrationService.executeExternalUpdateClientMethods(r, client);
}
if (registerClient) {
Date currentTime = Calendar.getInstance().getTime();
client.setLastAccessTime(currentTime);
client.setLastLogonTime(currentTime);
Boolean persistClientAuthorizations = appConfiguration.getDynamicRegistrationPersistClientAuthorizations();
client.setPersistClientAuthorizations(persistClientAuthorizations != null ? persistClientAuthorizations : false);
clientService.persist(client);
JSONObject jsonObject = getJSONObject(client);
builder.entity(jsonObject.toString(4).replace("\\/", "/"));
oAuth2AuditLog.setClientId(client.getClientId());
oAuth2AuditLog.setScope(clientScopesToString(client));
oAuth2AuditLog.setSuccess(true);
} else {
log.trace("Client parameters are invalid, returns invalid_request error.");
builder = Response.status(Response.Status.BAD_REQUEST).entity(errorResponseFactory.getErrorAsJson(RegisterErrorResponseType.INVALID_CLIENT_METADATA));
}
}
} else {
log.trace("Client parameters are invalid, returns invalid_request error.");
builder = Response.status(Response.Status.BAD_REQUEST).entity(errorResponseFactory.getErrorAsJson(RegisterErrorResponseType.INVALID_CLIENT_METADATA));
}
} else {
log.debug("The signature algorithm for id_token cannot be none.");
builder = Response.status(Response.Status.BAD_REQUEST).entity(errorResponseFactory.getErrorAsJson(RegisterErrorResponseType.INVALID_CLIENT_METADATA));
}
} else {
log.debug("Dynamic client registration is disabled.");
builder = Response.status(Response.Status.BAD_REQUEST).entity(errorResponseFactory.getErrorAsJson(RegisterErrorResponseType.ACCESS_DENIED));
}
} catch (StringEncrypter.EncryptionException e) {
builder = internalErrorResponse();
log.error(e.getMessage(), e);
} catch (JSONException e) {
builder = internalErrorResponse();
log.error(e.getMessage(), e);
} catch (WebApplicationException e) {
log.error(e.getMessage(), e);
throw e;
} catch (Exception e) {
builder = internalErrorResponse();
log.error(e.getMessage(), e);
}
builder.cacheControl(ServerUtil.cacheControl(true, false));
builder.header("Pragma", "no-cache");
applicationAuditLogger.sendMessage(oAuth2AuditLog);
return builder.build();
}
use of org.xdi.oxauth.model.registration.Client in project oxAuth by GluuFederation.
the class RegisterRestWebServiceImpl method requestClientUpdate.
@Override
public Response requestClientUpdate(String requestParams, String clientId, @HeaderParam("Authorization") String authorization, @Context HttpServletRequest httpRequest, @Context SecurityContext securityContext) {
OAuth2AuditLog oAuth2AuditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(httpRequest), Action.CLIENT_UPDATE);
oAuth2AuditLog.setClientId(clientId);
try {
log.debug("Attempting to UPDATE client, client_id: {}, requestParams = {}, isSecure = {}", clientId, requestParams, securityContext.isSecure());
final String accessToken = tokenService.getTokenFromAuthorizationParameter(authorization);
if (StringUtils.isNotBlank(accessToken) && StringUtils.isNotBlank(clientId) && StringUtils.isNotBlank(requestParams)) {
final RegisterRequest request = RegisterRequest.fromJson(requestParams);
if (request != null) {
boolean redirectUrisValidated = true;
if (request.getRedirectUris() != null && !request.getRedirectUris().isEmpty()) {
redirectUrisValidated = registerParamsValidator.validateRedirectUris(request.getApplicationType(), request.getSubjectType(), request.getRedirectUris(), request.getSectorIdentifierUri());
}
if (redirectUrisValidated) {
if (request.getSubjectType() != null && !appConfiguration.getSubjectTypesSupported().contains(request.getSubjectType())) {
log.debug("Client UPDATE : parameter subject_type is invalid. Returns BAD_REQUEST response.");
applicationAuditLogger.sendMessage(oAuth2AuditLog);
return Response.status(Response.Status.BAD_REQUEST).entity(errorResponseFactory.getErrorAsJson(RegisterErrorResponseType.INVALID_CLIENT_METADATA)).build();
}
final Client client = clientService.getClient(clientId, accessToken);
if (client != null) {
updateClientFromRequestObject(client, request);
clientService.merge(client);
oAuth2AuditLog.setScope(clientScopesToString(client));
oAuth2AuditLog.setSuccess(true);
applicationAuditLogger.sendMessage(oAuth2AuditLog);
return Response.status(Response.Status.OK).entity(clientAsEntity(client)).build();
} else {
log.trace("The Access Token is not valid for the Client ID, returns invalid_token error.");
applicationAuditLogger.sendMessage(oAuth2AuditLog);
return Response.status(Response.Status.BAD_REQUEST).entity(errorResponseFactory.getErrorAsJson(RegisterErrorResponseType.INVALID_TOKEN)).build();
}
}
}
}
log.debug("Client UPDATE : parameters are invalid. Returns BAD_REQUEST response.");
applicationAuditLogger.sendMessage(oAuth2AuditLog);
return Response.status(Response.Status.BAD_REQUEST).entity(errorResponseFactory.getErrorAsJson(RegisterErrorResponseType.INVALID_CLIENT_METADATA)).build();
} catch (Exception e) {
log.error(e.getMessage(), e);
}
applicationAuditLogger.sendMessage(oAuth2AuditLog);
return internalErrorResponse().build();
}
Aggregations