org.apache.oltu.oauth2.common.error.OAuthError Java Examples

The following examples show how to use org.apache.oltu.oauth2.common.error.OAuthError. The link above each example leads to the original project or source file.
Example #1
Source File: UserInforRequestDefaultValidator.java    From carbon-identity with Apache License 2.0
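/**
 * Validates the UserInfo request and extracts the bearer token from it.
 *
 * @param request the incoming UserInfo request
 * @return the access token carried in the {@code Authorization: Bearer <token>} header
 * @throws UserInfoEndpointException when the schema is not {@code openid}, the
 *         Authorization header is absent, or it does not carry exactly one bearer token
 */
@Override
public String validateRequest(HttpServletRequest request) throws UserInfoEndpointException {

    String schema = request.getParameter("schema");
    String authzHeaders = request.getHeader(HttpHeaders.AUTHORIZATION);

    if (!"openid".equals(schema)) {
        throw new UserInfoEndpointException(UserInfoEndpointException.ERROR_CODE_INVALID_SCHEMA,
                "Schema should be openid");
    }

    if (authzHeaders == null) {
        throw new UserInfoEndpointException(OAuthError.ResourceResponse.INVALID_REQUEST,
                "Authorization header missing");
    }

    // Split on any whitespace run so "Bearer  <token>" does not yield an empty token.
    String[] authzHeaderInfo = authzHeaders.trim().split("\\s+");
    if (!"Bearer".equals(authzHeaderInfo[0])) {
        throw new UserInfoEndpointException(OAuthError.ResourceResponse.INVALID_REQUEST, "Bearer token missing");
    }
    // A bare "Bearer" header (or extra tokens after it) must be rejected instead of
    // indexing past the array; exactly one token is expected after the scheme.
    if (authzHeaderInfo.length != 2) {
        throw new UserInfoEndpointException(OAuthError.ResourceResponse.INVALID_REQUEST, "Bearer token missing");
    }
    return authzHeaderInfo[1];
}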
 
Example #2
Source File: OAuthClientValidator.java    From orion.server with Eclipse Public License 1.0
/**
 * Raises an {@link OAuthProblemException} when the client response carries an
 * {@code error} parameter, copying the description, URI and state onto it.
 *
 * @param response the parsed OAuth client response
 * @throws OAuthProblemException when the response contains a non-empty error parameter
 */
public void validateErrorResponse(OAuthClientResponse response) throws OAuthProblemException {
    String error = response.getParam(OAuthError.OAUTH_ERROR);
    if (OAuthUtils.isEmpty(error)) {
        return;
    }
    OAuthProblemException problem = OAuthProblemException.error(error);
    problem = problem.description(response.getParam(OAuthError.OAUTH_ERROR_DESCRIPTION));
    problem = problem.uri(response.getParam(OAuthError.OAUTH_ERROR_URI));
    problem = problem.state(response.getParam(OAuth.OAUTH_STATE));
    throw problem;
}
 
Example #3
Source File: OAuthJSONAccessTokenResponse.java    From orion.server with Eclipse Public License 1.0
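/**
 * Stores the raw response body and parses it as JSON into {@code parameters}.
 *
 * @param body the raw token response body
 * @throws OAuthProblemException when the body cannot be parsed as JSON; the parse
 *         failure is attached as the cause so it is not lost from diagnostics
 */
protected void setBody(String body) throws OAuthProblemException {

    try {
        this.body = body;
        parameters = JSONUtils.parseJSON(body);
    } catch (Exception e) {
        // Catch Exception rather than Throwable: JVM errors (OutOfMemoryError and the like)
        // must propagate instead of being rewritten as an OAuth problem.
        OAuthProblemException problem = OAuthProblemException.error(
                OAuthError.CodeResponse.UNSUPPORTED_RESPONSE_TYPE,
                "Invalid response! Response body is not " + OAuth.ContentType.JSON + " encoded");
        problem.initCause(e);
        throw problem;
    }
}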
 
Example #4
Source File: OAuthResponse.java    From orion.server with Eclipse Public License 1.0
/**
 * Copies the error, description, URI and state of the given problem onto the
 * response parameters.
 *
 * @param ex the problem whose fields populate the error response
 * @return this builder, for chaining
 */
public OAuthErrorResponseBuilder error(OAuthProblemException ex) {
    String errorCode = ex.getError();
    String errorDescription = ex.getDescription();
    String errorUri = ex.getUri();
    String state = ex.getState();
    // Insertion order is kept as is, in case the parameter map is order-sensitive.
    this.parameters.put(OAuthError.OAUTH_ERROR, errorCode);
    this.parameters.put(OAuthError.OAUTH_ERROR_DESCRIPTION, errorDescription);
    this.parameters.put(OAuthError.OAUTH_ERROR_URI, errorUri);
    this.parameters.put(OAuth.OAUTH_STATE, state);
    return this;
}
 
Example #5
Source File: UserInfoISAccessTokenValidator.java    From carbon-identity with Apache License 2.0
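/**
 * Validates the access token with WSO2 IS token validation OSGI service.
 * Scope is checked.
 *
 * @param accessTokenIdentifier the bearer token presented to the UserInfo endpoint
 * @return the validation response, with its authorization-context token populated
 * @throws UserInfoEndpointException when the token is invalid, lacks the
 *         {@code openid} scope, or resolves to no authorized user
 */
@Override
public OAuth2TokenValidationResponseDTO validateToken(String accessTokenIdentifier)
        throws UserInfoEndpointException {

    OAuth2TokenValidationRequestDTO dto = new OAuth2TokenValidationRequestDTO();
    OAuth2TokenValidationRequestDTO.OAuth2AccessToken accessToken = dto.new OAuth2AccessToken();
    accessToken.setTokenType("bearer");
    accessToken.setIdentifier(accessTokenIdentifier);
    dto.setAccessToken(accessToken);
    OAuth2TokenValidationResponseDTO response =
            EndpointUtil.getOAuth2TokenValidationService()
                    .validate(dto);
    // invalid access token
    if (!response.isValid()) {
        throw new UserInfoEndpointException(OAuthError.ResourceResponse.INVALID_TOKEN,
                "Access token validation failed");
    }
    // check the scope; a missing scope array counts as "no scopes" rather than an NPE
    if (!hasOpenIdScope(response.getScope())) {
        throw new UserInfoEndpointException(OAuthError.ResourceResponse.INSUFFICIENT_SCOPE,
                "Access token does not have the openid scope");
    }
    if (response.getAuthorizedUser() == null) {
        throw new UserInfoEndpointException(OAuthError.ResourceResponse.INVALID_TOKEN,
                "Access token is not valid. No authorized user found. Invalid grant");
    }
    OAuth2TokenValidationResponseDTO.AuthorizationContextToken authorizationContextToken =
            response.new AuthorizationContextToken(accessToken.getTokenType(), accessToken.getIdentifier());
    response.setAuthorizationContextToken(authorizationContextToken);
    return response;
}

/**
 * Returns whether the scope array granted to the token contains {@code openid}.
 *
 * @param scope the scopes reported by the validation service; may be null
 * @return true when {@code openid} is present, false otherwise (including for null)
 */
private static boolean hasOpenIdScope(String[] scope) {
    if (scope == null) {
        return false;
    }
    for (String curScope : scope) {
        if ("openid".equals(curScope)) {
            return true;
        }
    }
    return false;
}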
 
Example #6
Source File: IDTokenResponseValidator.java    From carbon-identity with Apache License 2.0
/**
 * Checks the common required parameters and additionally requires a non-blank
 * {@code nonce}, which an {@code id_token} response type mandates.
 *
 * @param request the authorization request
 * @throws OAuthProblemException when a required parameter is missing
 */
public void validateRequiredParameters(HttpServletRequest request) throws OAuthProblemException {

    super.validateRequiredParameters(request);

    String nonce = request.getParameter("nonce");
    boolean nonceMissing = StringUtils.isBlank(nonce);
    if (nonceMissing) {
        OAuthProblemException problem =
                OAuthProblemException.error(OAuthError.TokenResponse.INVALID_REQUEST);
        throw problem.description("\'response_type\' contains \'id_token\'; but \'nonce\' parameter not found");
    }
}
 
Example #7
Source File: IDTokenResponseValidator.java    From carbon-identity with Apache License 2.0
/**
 * Accepts only GET and POST for this response type.
 *
 * @param request the authorization request
 * @throws OAuthProblemException when the HTTP method is neither GET nor POST
 */
@Override
public void validateMethod(HttpServletRequest request) throws OAuthProblemException {
    String method = request.getMethod();
    boolean isGet = OAuth.HttpMethod.GET.equals(method);
    boolean isPost = OAuth.HttpMethod.POST.equals(method);
    if (isGet || isPost) {
        return;
    }
    OAuthProblemException problem = OAuthProblemException.error(OAuthError.CodeResponse.INVALID_REQUEST);
    throw problem.description("Method not correct.");
}
 
Example #8
Source File: IDTokenTokenResponseValidator.java    From carbon-identity with Apache License 2.0
/**
 * Runs the inherited parameter checks, then insists on a non-blank {@code nonce}
 * because the {@code id_token} response type requires one.
 *
 * @param request the authorization request
 * @throws OAuthProblemException when a required parameter is missing
 */
public void validateRequiredParameters(HttpServletRequest request) throws OAuthProblemException {

    super.validateRequiredParameters(request);

    String nonce = request.getParameter("nonce");
    if (!StringUtils.isBlank(nonce)) {
        return;
    }
    OAuthProblemException problem = OAuthProblemException.error(OAuthError.TokenResponse.INVALID_REQUEST);
    throw problem.description("\'response_type\' contains \'id_token\'; but \'nonce\' parameter not found");
}
 
Example #9
Source File: IDTokenTokenResponseValidator.java    From carbon-identity with Apache License 2.0
/**
 * Rejects any HTTP method other than GET or POST.
 *
 * @param request the authorization request
 * @throws OAuthProblemException when the HTTP method is neither GET nor POST
 */
@Override
public void validateMethod(HttpServletRequest request) throws OAuthProblemException {
    String method = request.getMethod();
    boolean allowed = OAuth.HttpMethod.GET.equals(method) || OAuth.HttpMethod.POST.equals(method);
    if (allowed) {
        return;
    }
    OAuthProblemException problem = OAuthProblemException.error(OAuthError.CodeResponse.INVALID_REQUEST);
    throw problem.description("Method not correct.");
}
 
Example #10
Source File: AbstractResponseTypeHandler.java    From carbon-identity with Apache License 2.0
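/**
 * Checks that the requested response type is permitted for the client application and
 * then asks the access-delegation callback whether the user authorizes the request.
 *
 * @param oauthAuthzMsgCtx the authorization request context; must carry the
 *        {@code OAuthAppDO} property set by the caller
 * @return the callback's authorization decision, or false when the response type is
 *         not allowed for the application (the error is recorded on the context)
 * @throws IdentityOAuth2Exception propagated from the callback manager
 */
@Override
public boolean validateAccessDelegation(OAuthAuthzReqMessageContext oauthAuthzMsgCtx)
        throws IdentityOAuth2Exception {

    OAuth2AuthorizeReqDTO authzReqDTO = oauthAuthzMsgCtx.getAuthorizationReqDTO();
    String responseType = authzReqDTO.getResponseType();

    OAuthAppDO oAuthAppDO = (OAuthAppDO) oauthAuthzMsgCtx.getProperty("OAuthAppDO");
    // If the application has defined a limited set of grant types, then check the grant
    if (oAuthAppDO.getGrantTypes() != null) {
        if (ResponseType.CODE.toString().equals(responseType)) {
            if (!oAuthAppDO.getGrantTypes().contains("authorization_code")) {
                rejectUnsupportedResponseType(oauthAuthzMsgCtx, responseType, authzReqDTO.getConsumerKey());
                return false;
            }
        } else if (StringUtils.contains(responseType, ResponseType.TOKEN.toString()) &&
                !oAuthAppDO.getGrantTypes().contains(IMPLICIT)) {
            rejectUnsupportedResponseType(oauthAuthzMsgCtx, responseType, authzReqDTO.getConsumerKey());
            return false;
        }
    }

    // The request DTO was already fetched above; reuse it rather than re-reading the context.
    OAuthCallback authzCallback = new OAuthCallback(authzReqDTO.getUser(),
            authzReqDTO.getConsumerKey(), OAuthCallback.OAuthCallbackType.ACCESS_DELEGATION_AUTHZ);
    authzCallback.setRequestedScope(authzReqDTO.getScopes());
    authzCallback.setResponseType(authzReqDTO.getResponseType());
    callbackManager.handleCallback(authzCallback);

    oauthAuthzMsgCtx.setValidityPeriod(authzCallback.getValidityPeriod());
    return authzCallback.isAuthorized();
}

/**
 * Logs the rejected response type and records an {@code unsupported_response_type}
 * error on the context. Shared by both the code and implicit grant checks.
 *
 * @param oauthAuthzMsgCtx the authorization request context to mark with the error
 * @param responseType the response type that the application does not allow
 * @param consumerKey the client id of the application
 */
private void rejectUnsupportedResponseType(OAuthAuthzReqMessageContext oauthAuthzMsgCtx,
        String responseType, String consumerKey) {
    //Do not change this log format as these logs use by external applications
    log.debug("Unsupported Response Type : " + responseType + " for client id : " + consumerKey);
    handleErrorRequest(oauthAuthzMsgCtx, OAuthError.CodeResponse.UNSUPPORTED_RESPONSE_TYPE,
            "Unsupported Response Type!");
}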
 
Example #11
Source File: OAuthResponse.java    From orion.server with Eclipse Public License 1.0
/**
 * Sets the {@code error} parameter of the error response.
 *
 * @param error the OAuth error code
 * @return this builder, for chaining
 */
public OAuthErrorResponseBuilder setError(String error) {
    parameters.put(OAuthError.OAUTH_ERROR, error);
    return this;
}
 
Example #12
Source File: OAuthResponse.java    From orion.server with Eclipse Public License 1.0
/**
 * Sets the {@code error_description} parameter of the error response.
 *
 * @param desc the human-readable error description
 * @return this builder, for chaining
 */
public OAuthErrorResponseBuilder setErrorDescription(String desc) {
    parameters.put(OAuthError.OAUTH_ERROR_DESCRIPTION, desc);
    return this;
}
 
Example #13
Source File: OAuthResponse.java    From orion.server with Eclipse Public License 1.0
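/**
 * Sets the {@code error_uri} parameter of the error response.
 *
 * @param errorUri the URI pointing at a description of the error (previously
 *        misnamed {@code state}, which it is not; callers are unaffected)
 * @return this builder, for chaining
 */
public OAuthErrorResponseBuilder setErrorUri(String errorUri) {
    this.parameters.put(OAuthError.OAUTH_ERROR_URI, errorUri);
    return this;
}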
 
Example #14
Source File: AuthorizationHandlerManager.java    From carbon-identity with Apache License 2.0
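/**
 * Dispatches an authorization request to the handler registered for its response type,
 * validating access delegation and scope before issuing the response.
 *
 * @param authzReqDTO the authorization request
 * @return the authorization response; on failure it carries the error code/message and
 *         the request's callback URI
 * @throws IdentityOAuth2Exception propagated from the handler
 * @throws IdentityOAuthAdminException propagated while loading application data
 * @throws InvalidOAuthClientException propagated while loading application data
 */
public OAuth2AuthorizeRespDTO handleAuthorization(OAuth2AuthorizeReqDTO authzReqDTO)
        throws IdentityOAuth2Exception, IdentityOAuthAdminException, InvalidOAuthClientException {

    String responseType = authzReqDTO.getResponseType();
    OAuth2AuthorizeRespDTO authorizeRespDTO = new OAuth2AuthorizeRespDTO();

    if (!responseHandlers.containsKey(responseType)) {
        log.warn("Unsupported Response Type : " + responseType +
                " provided  for user : " + authzReqDTO.getUser());
        return rejectWithCallback(authorizeRespDTO, authzReqDTO,
                OAuthError.CodeResponse.UNSUPPORTED_RESPONSE_TYPE, "Unsupported Response Type!");
    }

    ResponseTypeHandler authzHandler = responseHandlers.get(responseType);
    OAuthAuthzReqMessageContext authzReqMsgCtx = new OAuthAuthzReqMessageContext(authzReqDTO);

    // loading the stored application data
    OAuthAppDO oAuthAppDO = getAppInformation(authzReqDTO);

    authzReqMsgCtx.addProperty("OAuthAppDO", oAuthAppDO);

    boolean accessDelegationAuthzStatus = authzHandler.validateAccessDelegation(authzReqMsgCtx);
    // A handler may record a specific error on the context; that takes precedence over
    // the generic "unauthorized client" outcome.
    if (authzReqMsgCtx.getProperty("ErrorCode") != null) {
        authorizeRespDTO.setErrorCode((String) authzReqMsgCtx.getProperty("ErrorCode"));
        authorizeRespDTO.setErrorMsg((String) authzReqMsgCtx.getProperty("ErrorMsg"));
        authorizeRespDTO.setCallbackURI(authzReqDTO.getCallbackUrl());
        return authorizeRespDTO;
    }
    if (!accessDelegationAuthzStatus) {
        log.warn("User : " + authzReqDTO.getUser() +
                " doesn't have necessary rights to grant access to the resource(s) " +
                OAuth2Util.buildScopeString(authzReqDTO.getScopes()));
        return rejectWithCallback(authorizeRespDTO, authzReqDTO,
                OAuthError.CodeResponse.UNAUTHORIZED_CLIENT, "Authorization Failure!");
    }

    boolean scopeValidationStatus = authzHandler.validateScope(authzReqMsgCtx);
    if (!scopeValidationStatus) {
        log.warn("Scope validation failed for user : "
                + authzReqDTO.getUser() + ", for the scope : "
                + OAuth2Util.buildScopeString(authzReqDTO.getScopes()));
        return rejectWithCallback(authorizeRespDTO, authzReqDTO,
                OAuthError.CodeResponse.INVALID_SCOPE, "Invalid Scope!");
    }

    // We are here because the call-back handler has approved the scope.
    // If call-back handler set the approved scope - then we respect that. If not we take
    // the approved scope as the provided scope.
    if (authzReqMsgCtx.getApprovedScope() == null
            || authzReqMsgCtx.getApprovedScope().length == 0) {
        authzReqMsgCtx.setApprovedScope(authzReqMsgCtx.getAuthorizationReqDTO().getScopes());
    }

    try {
        // set the authorization request context to be used by downstream handlers. This is introduced as a fix for
        // IDENTITY-4111
        OAuth2Util.setAuthzRequestContext(authzReqMsgCtx);
        authorizeRespDTO = authzHandler.issue(authzReqMsgCtx);
    } finally {
        // clears authorization request context
        OAuth2Util.clearAuthzRequestContext();
    }

    return authorizeRespDTO;
}

/**
 * Records an error on the response and points it back at the request's callback URI.
 * Shared by every early-exit failure path of {@link #handleAuthorization}.
 *
 * @param authorizeRespDTO the response to mark as failed
 * @param authzReqDTO the request whose callback URI the response should carry
 * @param errorCode the OAuth error code
 * @param errorMsg the error message
 * @return the same response instance, for direct return by the caller
 */
private OAuth2AuthorizeRespDTO rejectWithCallback(OAuth2AuthorizeRespDTO authorizeRespDTO,
        OAuth2AuthorizeReqDTO authzReqDTO, String errorCode, String errorMsg) {
    handleErrorRequest(authorizeRespDTO, errorCode, errorMsg);
    authorizeRespDTO.setCallbackURI(authzReqDTO.getCallbackUrl());
    return authorizeRespDTO;
}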
 
Example #15
Source File: OAuthUtils.java    From orion.server with Eclipse Public License 1.0
/**
 * Builds an {@code invalid_request} problem exception carrying the given description.
 *
 * @param message error message used as the exception description
 * @return the {@link OAuthProblemException} for error code {@code invalid_request}
 */
public static OAuthProblemException handleOAuthProblemException(String message) {
    OAuthProblemException problem =
            OAuthProblemException.error(OAuthError.TokenResponse.INVALID_REQUEST);
    return problem.description(message);
}