
Example 1 with ClientAuthenticationException

Use of uk.gov.di.ipv.cri.passport.accesstoken.exceptions.ClientAuthenticationException in project di-ipv-cri-uk-passport-back by alphagov.

The class TokenRequestValidatorTest, method shouldThrowIfClaimsSetHasExpired: a client_assertion whose exp claim lies 61 seconds in the past must be rejected with an "Expired JWT" message.

@Test
void shouldThrowIfClaimsSetHasExpired() throws NoSuchAlgorithmException, InvalidKeySpecException, JOSEException {
    when(mockConfigurationService.getClientAuthenticationMethod(anyString())).thenReturn("jwt");
    var expiredClaimsSetValues = new HashMap<>(getValidClaimsSetValues());
    expiredClaimsSetValues.put(JWTClaimNames.EXPIRATION_TIME, new Date(new Date().getTime() - 61000).getTime() / 1000);
    var expiredQueryParams = getValidQueryParams(generateClientAssertion(expiredClaimsSetValues));
    ClientAuthenticationException exception = assertThrows(ClientAuthenticationException.class, () -> validator.authenticateClient(queryMapToString(expiredQueryParams)));
    assertTrue(exception.getMessage().contains("Expired JWT"));
}
Also used : ClientAuthenticationException(uk.gov.di.ipv.cri.passport.accesstoken.exceptions.ClientAuthenticationException) HashMap(java.util.HashMap) Date(java.util.Date) Test(org.junit.jupiter.api.Test)

Example 2 with ClientAuthenticationException

Use of uk.gov.di.ipv.cri.passport.accesstoken.exceptions.ClientAuthenticationException in project di-ipv-cri-uk-passport-back by alphagov.

The class TokenRequestValidatorTest, method shouldThrowIfMissingClientAssertionAndClientIdParams: a token request carrying neither client_id nor client_assertion cannot be attributed to any client and must be rejected.

@Test
void shouldThrowIfMissingClientAssertionAndClientIdParams() {
    var missingClientIdParams = getParamsWithoutClientAuthOrClientId();
    ClientAuthenticationException exception = assertThrows(ClientAuthenticationException.class, () -> validator.authenticateClient(queryMapToString(missingClientIdParams)));
    assertEquals("Unknown client, no client_id value or client_assertion jwt found in request", exception.getMessage());
}
Also used : ClientAuthenticationException(uk.gov.di.ipv.cri.passport.accesstoken.exceptions.ClientAuthenticationException) Test(org.junit.jupiter.api.Test)

Example 3 with ClientAuthenticationException

Use of uk.gov.di.ipv.cri.passport.accesstoken.exceptions.ClientAuthenticationException in project di-ipv-cri-uk-passport-back by alphagov.

The class TokenRequestValidatorTest, method shouldThrowIfWrongAudience: a client_assertion whose aud claim is not this token endpoint must be rejected, so an assertion minted for one server cannot be replayed against another.

@Test
void shouldThrowIfWrongAudience() throws NoSuchAlgorithmException, InvalidKeySpecException, JOSEException {
    when(mockConfigurationService.getClientAuthenticationMethod(anyString())).thenReturn("jwt");
    var wrongAudienceClaimsSetValues = new HashMap<>(getValidClaimsSetValues());
    wrongAudienceClaimsSetValues.put(JWTClaimNames.AUDIENCE, "NOT_THE_AUDIENCE_YOU_ARE_LOOKING_FOR");
    var wrongAudienceQueryParams = getValidQueryParams(generateClientAssertion(wrongAudienceClaimsSetValues));
    ClientAuthenticationException exception = assertThrows(ClientAuthenticationException.class, () -> validator.authenticateClient(queryMapToString(wrongAudienceQueryParams)));
    assertTrue(exception.getMessage().contains("Invalid JWT audience claim, expected [https://audience.example.com]"));
}
Also used : ClientAuthenticationException(uk.gov.di.ipv.cri.passport.accesstoken.exceptions.ClientAuthenticationException) HashMap(java.util.HashMap) Test(org.junit.jupiter.api.Test)

Example 4 with ClientAuthenticationException

Use of uk.gov.di.ipv.cri.passport.accesstoken.exceptions.ClientAuthenticationException in project di-ipv-cri-uk-passport-back by alphagov.

The class TokenRequestValidator, method authenticateClientWithJwt: parses the private_key_jwt client assertion out of the token request body, verifies its signature and claims, and caps the assertion lifetime. Note the early return when the configured authentication method for the client is NONE: no signature or claims check runs on that path.

private void authenticateClientWithJwt(String requestBody) throws ClientAuthenticationException {
    PrivateKeyJWT clientJwt;
    try {
        // Parse client_id / client_assertion / client_assertion_type from the form-encoded body.
        clientJwt = PrivateKeyJWT.parse(requestBody);
        String clientId = clientJwt.getClientID().getValue();
        // The client_id taken from the (not yet verified) assertion selects the configured auth method.
        String clientAuthenticationMethod = configurationService.getClientAuthenticationMethod(clientId);
        if (clientAuthenticationMethod.equals(NONE)) {
            return;
        }
        // Signature and standard claims (iss/sub/aud/exp) are checked by the Nimbus ClientAuthenticationVerifier.
        verifier.verify(clientJwtWithConcatSignature(clientJwt, requestBody), null, null);
        // Project-specific policy: reject assertions whose exp - iat exceeds the allowed TTL.
        validateMaxAllowedAuthClientTtl(clientJwt.getJWTAuthenticationClaimsSet());
    } catch (ParseException | InvalidClientException | JOSEException | java.text.ParseException e) {
        // Both the OAuth2 SDK ParseException and java.text.ParseException can surface here.
        LOGGER.error("Validation of client_assertion jwt failed");
        throw new ClientAuthenticationException(e);
    }
}
Also used : ClientAuthenticationException(uk.gov.di.ipv.cri.passport.accesstoken.exceptions.ClientAuthenticationException) PrivateKeyJWT(com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT) InvalidClientException(com.nimbusds.oauth2.sdk.auth.verifier.InvalidClientException) ParseException(com.nimbusds.oauth2.sdk.ParseException) JOSEException(com.nimbusds.jose.JOSEException)
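The following is an added, stand-alone example (not code from the di-ipv-cri-uk-passport-back project) that reproduces the checks exercised by Examples 1, 3 and 4 with the Nimbus JOSE+JWT library alone: RSA signature verification, exact-match iss/sub, required aud/exp/iat/jti, and a maximum assertion lifetime. The client ID, token endpoint URL, 300-second TTL cap and the ClientAuthFailure exception are assumptions for this example. DefaultJWTClaimsVerifier allows 60 seconds of clock skew by default, which is why an assertion expired 61 seconds ago is rejected while one expired 30 seconds ago would still pass.

```java
import java.time.Instant;
import java.util.Date;
import java.util.Map;
import java.util.Set;
import java.util.UUID;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimNames;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;

public class ClientAssertionCheck {

    // Assumed values for this example: one registered client, the token endpoint as the
    // expected audience, and a 5-minute cap on how long a client_assertion may be valid.
    static final String TOKEN_ENDPOINT = "https://audience.example.com";
    static final String CLIENT_ID = "test_client_id";
    static final long MAX_TTL_SECONDS = 300;

    /** Assumed exception type; plays the role of the project's ClientAuthenticationException. */
    static class ClientAuthFailure extends Exception {
        ClientAuthFailure(String msg) { super(msg); }
        ClientAuthFailure(String msg, Throwable cause) { super(msg, cause); }
    }

    /** Client side: produce a private_key_jwt assertion signed with the client's RSA key. */
    static String signAssertion(RSAKey privateKey, JWTClaimsSet claims) throws JOSEException {
        SignedJWT jwt = new SignedJWT(
                new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(privateKey.getKeyID()).build(), claims);
        jwt.sign(new RSASSASigner(privateKey));
        return jwt.serialize();
    }

    /** Server side: signature, claims and TTL checks; any failure becomes ClientAuthFailure. */
    static void authenticate(String assertion, RSAKey clientPublicKey) throws ClientAuthFailure {
        try {
            SignedJWT jwt = SignedJWT.parse(assertion);
            if (!jwt.verify(new RSASSAVerifier(clientPublicKey))) {
                throw new ClientAuthFailure("client_assertion signature invalid");
            }
            JWTClaimsSet claims = jwt.getJWTClaimsSet();
            // Exact-match iss/sub pin the assertion to the registered client; aud must contain
            // this token endpoint; exp, iat and jti must be present. exp is checked against
            // the current time with the verifier's default 60-second clock-skew allowance.
            DefaultJWTClaimsVerifier<SecurityContext> verifier = new DefaultJWTClaimsVerifier<>(
                    TOKEN_ENDPOINT,
                    new JWTClaimsSet.Builder().issuer(CLIENT_ID).subject(CLIENT_ID).build(),
                    Set.of(JWTClaimNames.EXPIRATION_TIME, JWTClaimNames.ISSUED_AT, JWTClaimNames.JWT_ID));
            verifier.verify(claims, null);
            // Lifetime cap: an assertion that is not yet expired can still be rejected because
            // its exp - iat window is longer than policy allows (limits replay exposure).
            long ttlSeconds = (claims.getExpirationTime().getTime() - claims.getIssueTime().getTime()) / 1000;
            if (ttlSeconds > MAX_TTL_SECONDS) {
                throw new ClientAuthFailure("client_assertion TTL " + ttlSeconds + "s exceeds " + MAX_TTL_SECONDS + "s");
            }
        } catch (java.text.ParseException | JOSEException | BadJWTException e) {
            throw new ClientAuthFailure("Validation of client_assertion jwt failed: " + e.getMessage(), e);
        }
    }

    public static void main(String[] args) throws Exception {
        RSAKey clientKey = new RSAKeyGenerator(2048).keyID("client-key-1").generate();
        RSAKey registeredPublicKey = clientKey.toPublicJWK();
        Instant now = Instant.now();
        JWTClaimsSet good = new JWTClaimsSet.Builder()
                .issuer(CLIENT_ID).subject(CLIENT_ID).audience(TOKEN_ENDPOINT)
                .issueTime(Date.from(now)).expirationTime(Date.from(now.plusSeconds(120)))
                .jwtID(UUID.randomUUID().toString()).build();
        authenticate(signAssertion(clientKey, good), registeredPublicKey);
        System.out.println("valid assertion: accepted");

        // Constructed negative cases mirroring the page's tests plus the TTL and wrong-client checks.
        Map<String, JWTClaimsSet> bad = Map.of(
                "expired (61s ago)", new JWTClaimsSet.Builder(good).expirationTime(Date.from(now.minusSeconds(61))).build(),
                "wrong audience", new JWTClaimsSet.Builder(good).audience("NOT_THE_AUDIENCE_YOU_ARE_LOOKING_FOR").build(),
                "ttl too long (1h)", new JWTClaimsSet.Builder(good).expirationTime(Date.from(now.plusSeconds(3600))).build(),
                "other client", new JWTClaimsSet.Builder(good).issuer("someone_else").subject("someone_else").build());
        for (Map.Entry<String, JWTClaimsSet> e : bad.entrySet()) {
            try {
                authenticate(signAssertion(clientKey, e.getValue()), registeredPublicKey);
                System.out.println(e.getKey() + ": ACCEPTED (check is missing)");
            } catch (ClientAuthFailure f) {
                System.out.println(e.getKey() + ": rejected -> " + f.getMessage());
            }
        }
        // Valid claims signed by a key the server never registered must fail on the signature.
        RSAKey rogueKey = new RSAKeyGenerator(2048).keyID("rogue").generate();
        try {
            authenticate(signAssertion(rogueKey, good), registeredPublicKey);
        } catch (ClientAuthFailure f) {
            System.out.println("unregistered key: rejected -> " + f.getMessage());
        }
    }
}
```

Unlike the project's authenticateClientWithJwt, this example looks up nothing by the assertion's own client_id before verifying it; the registered public key is fixed up front. If the key or auth method is selected from an unverified client_id, the selection itself must not grant a weaker path (such as the NONE early return) to a caller who merely claims that client_id.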

Example 5 with ClientAuthenticationException

Use of uk.gov.di.ipv.cri.passport.accesstoken.exceptions.ClientAuthenticationException in project di-ipv-cri-uk-passport-back by alphagov.

The class AccessTokenHandlerTest, method shouldReturn400WhenClientAuthFails: a ClientAuthenticationException from the validator is mapped to HTTP 400 with the OAuth2 invalid_grant error object. RFC 6749 section 5.2 defines invalid_client for failed client authentication and invalid_grant for a bad authorization code; this handler reports the former condition under the latter code.

@Test
void shouldReturn400WhenClientAuthFails() throws Exception {
    String tokenRequestBody = "code=12345&redirect_uri=http://test.com&grant_type=authorization_code&client_id=test_client_id";
    APIGatewayProxyRequestEvent event = new APIGatewayProxyRequestEvent();
    event.setBody(tokenRequestBody);
    when(mockAccessTokenService.validateTokenRequest(any())).thenReturn(ValidationResult.createValidResult());
    doThrow(new ClientAuthenticationException("error")).when(mockTokenRequestValidator).authenticateClient(any());
    APIGatewayProxyResponseEvent response = handler.handleRequest(event, context);
    ErrorObject errorResponse = createErrorObjectFromResponse(response.getBody());
    assertEquals(HTTPResponse.SC_BAD_REQUEST, response.getStatusCode());
    assertEquals(OAuth2Error.INVALID_GRANT.getCode(), errorResponse.getCode());
    assertEquals(OAuth2Error.INVALID_GRANT.getDescription(), errorResponse.getDescription());
}
Also used : ClientAuthenticationException(uk.gov.di.ipv.cri.passport.accesstoken.exceptions.ClientAuthenticationException) APIGatewayProxyRequestEvent(com.amazonaws.services.lambda.runtime.events.APIGatewayProxyRequestEvent) ErrorObject(com.nimbusds.oauth2.sdk.ErrorObject) APIGatewayProxyResponseEvent(com.amazonaws.services.lambda.runtime.events.APIGatewayProxyResponseEvent) Test(org.junit.jupiter.api.Test)

Aggregations

ClientAuthenticationException (uk.gov.di.ipv.cri.passport.accesstoken.exceptions.ClientAuthenticationException) 10
Test (org.junit.jupiter.api.Test) 8
HashMap (java.util.HashMap) 5
ErrorObject (com.nimbusds.oauth2.sdk.ErrorObject) 2
ParseException (com.nimbusds.oauth2.sdk.ParseException) 2
Date (java.util.Date) 2
ArgumentMatchers.anyString (org.mockito.ArgumentMatchers.anyString) 2
APIGatewayProxyRequestEvent (com.amazonaws.services.lambda.runtime.events.APIGatewayProxyRequestEvent) 1
APIGatewayProxyResponseEvent (com.amazonaws.services.lambda.runtime.events.APIGatewayProxyResponseEvent) 1
JOSEException (com.nimbusds.jose.JOSEException) 1
AccessTokenResponse (com.nimbusds.oauth2.sdk.AccessTokenResponse) 1
AuthorizationCodeGrant (com.nimbusds.oauth2.sdk.AuthorizationCodeGrant) 1
TokenRequest (com.nimbusds.oauth2.sdk.TokenRequest) 1
TokenResponse (com.nimbusds.oauth2.sdk.TokenResponse) 1
PrivateKeyJWT (com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT) 1
InvalidClientException (com.nimbusds.oauth2.sdk.auth.verifier.InvalidClientException) 1
AuthorizationCodeItem (uk.gov.di.ipv.cri.passport.library.persistence.item.AuthorizationCodeItem) 1