Java Code Examples for org.apache.cxf.rs.security.oauth2.utils.OAuthConstants#INVALID_GRANT
The following examples show how to use
org.apache.cxf.rs.security.oauth2.utils.OAuthConstants#INVALID_GRANT .
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
| Source File: JwtBearerAuthHandler.java From cxf with Apache License 2.0 | 6 votes |
|
@Override
protected void validateToken(JwtToken jwt) {
super.validateToken(jwt);
// We must have an issuer
if (jwt.getClaim(JwtConstants.CLAIM_ISSUER) == null) {
throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
}
// We must have a Subject
if (jwt.getClaim(JwtConstants.CLAIM_SUBJECT) == null) {
throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
}
// We must have an Expiry
if (jwt.getClaim(JwtConstants.CLAIM_EXPIRY) == null) {
throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
}
JwtUtils.validateTokenClaims(jwt.getClaims(), getTtl(), getClockOffset(), isValidateAudience());
}
Example 2
| Source File: AbstractGrantHandler.java From cxf with Apache License 2.0 | 6 votes |
|
protected ServerAccessToken getPreAuthorizedToken(Client client,
UserSubject subject,
String requestedGrant,
List<String> requestedScopes,
List<String> audiences) {
if (!OAuthUtils.validateScopes(requestedScopes, client.getRegisteredScopes(),
partialMatchScopeValidation)) {
throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_SCOPE));
}
if (!OAuthUtils.validateAudiences(audiences, client.getRegisteredAudiences())) {
throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_GRANT));
}
// Get a pre-authorized token if available
return dataProvider.getPreauthorizedToken(
client, requestedScopes, subject, requestedGrant);
}
Example 3
| Source File: Saml2BearerGrantHandler.java From cxf with Apache License 2.0 | 5 votes |
|
private InputStream decodeAssertion(String assertion) {
try {
byte[] deflatedToken = Base64UrlUtility.decode(assertion);
return new ByteArrayInputStream(deflatedToken);
} catch (Base64Exception ex) {
throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
}
}
Example 4
| Source File: Saml2BearerGrantHandler.java From cxf with Apache License 2.0 | 5 votes |
|
protected Element readToken(InputStream tokenStream) {
try {
Document doc = StaxUtils.read(new InputStreamReader(tokenStream, StandardCharsets.UTF_8));
return doc.getDocumentElement();
} catch (Exception ex) {
throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
}
}
Example 5
| Source File: ResourceOwnerGrantHandler.java From cxf with Apache License 2.0 | 5 votes |
|
public ServerAccessToken createAccessToken(Client client, MultivaluedMap<String, String> params)
throws OAuthServiceException {
String ownerName = params.getFirst(OAuthConstants.RESOURCE_OWNER_NAME);
String ownerPassword = params.getFirst(OAuthConstants.RESOURCE_OWNER_PASSWORD);
if (ownerName == null || ownerPassword == null) {
throw new OAuthServiceException(
new OAuthError(OAuthConstants.INVALID_REQUEST));
}
UserSubject subject = loginHandler.createSubject(client, ownerName, ownerPassword);
if (subject == null) {
throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
}
return doCreateAccessToken(client, subject, params);
}
Example 6
| Source File: AbstractJwtHandler.java From cxf with Apache License 2.0 | 5 votes |
|
protected void validateClaims(Client client, JwtClaims claims) {
if (getAudience() != null) {
JAXRSUtils.getCurrentMessage().put(JwtConstants.EXPECTED_CLAIM_AUDIENCE, getAudience());
}
JwtUtils.validateTokenClaims(claims, ttl, clockOffset, true);
validateIssuer(claims.getIssuer());
validateSubject(client, claims.getSubject());
// We must have an Expiry
if (claims.getClaim(JwtConstants.CLAIM_EXPIRY) == null) {
throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
}
}
Example 7
| Source File: AuthorizationCodeGrantHandler.java From cxf with Apache License 2.0 | 5 votes |
|
public ServerAccessToken createAccessToken(Client client, MultivaluedMap<String, String> params)
throws OAuthServiceException {
// Get the grant representation from the provider
String codeValue = params.getFirst(OAuthConstants.AUTHORIZATION_CODE_VALUE);
ServerAuthorizationCodeGrant grant =
((AuthorizationCodeDataProvider)getDataProvider()).removeCodeGrant(codeValue);
if (grant == null) {
return null;
}
// check it has not expired, the client ids are the same
if (OAuthUtils.isExpired(grant.getIssuedAt(), grant.getExpiresIn())) {
throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
}
if (!grant.getClient().getClientId().equals(client.getClientId())) {
throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
}
// redirect URIs must match too
String expectedRedirectUri = grant.getRedirectUri();
String providedRedirectUri = params.getFirst(OAuthConstants.REDIRECT_URI);
if (providedRedirectUri != null) {
if (!providedRedirectUri.equals(expectedRedirectUri)) {
throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
}
} else if (expectedRedirectUri == null && !isCanSupportPublicClients()
|| expectedRedirectUri != null
&& (client.getRedirectUris().size() != 1
|| !client.getRedirectUris().contains(expectedRedirectUri))) {
throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
}
String clientCodeVerifier = params.getFirst(OAuthConstants.AUTHORIZATION_CODE_VERIFIER);
String clientCodeChallenge = grant.getClientCodeChallenge();
if (!compareCodeVerifierWithChallenge(client, clientCodeVerifier, clientCodeChallenge)) {
throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
}
List<String> audiences = getAudiences(client, params, grant.getAudience());
return doCreateAccessToken(client, grant, getSingleGrantType(), clientCodeVerifier, audiences);
}
Example 8
| Source File: AbstractGrantHandler.java From cxf with Apache License 2.0 | 5 votes |
|
protected List<String> getAudiences(Client client, String clientAudience) {
if (client.getRegisteredAudiences().isEmpty() && clientAudience == null) {
return Collections.emptyList();
}
if (clientAudience != null) {
List<String> audiences = Collections.singletonList(clientAudience);
if (!OAuthUtils.validateAudiences(audiences, client.getRegisteredAudiences())) {
throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
}
return audiences;
}
return client.getRegisteredAudiences();
}
Example 9
| Source File: AbstractOAuthDataProvider.java From cxf with Apache License 2.0 | 5 votes |
|
protected ServerAccessToken revokeAccessToken(Client client, String accessTokenKey) {
ServerAccessToken at = getAccessToken(accessTokenKey);
if (at != null) {
if (!at.getClient().getClientId().equals(client.getClientId())) {
throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
}
doRevokeAccessToken(at);
}
return at;
}
Example 10
| Source File: AbstractOAuthDataProvider.java From cxf with Apache License 2.0 | 5 votes |
|
protected RefreshToken revokeRefreshToken(Client client, String refreshTokenKey) {
RefreshToken refreshToken = getRefreshToken(refreshTokenKey);
if (refreshToken != null) {
if (!refreshToken.getClient().getClientId().equals(client.getClientId())) {
throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
}
doRevokeRefreshToken(refreshToken);
}
return refreshToken;
}
Example 11
| Source File: AbstractJwtHandler.java From cxf with Apache License 2.0 | 4 votes |
|
protected void validateSignature(JwsHeaders headers, String unsignedText, byte[] signature) {
JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier(headers);
if (!theSigVerifier.verify(headers, unsignedText, signature)) {
throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
}
}
Example 12
| Source File: AbstractJwtHandler.java From cxf with Apache License 2.0 | 4 votes |
|
protected void validateIssuer(String issuer) {
if (issuer == null || (supportedIssuers != null && !supportedIssuers.contains(issuer))) {
throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
}
}
Example 13
| Source File: AbstractJwtHandler.java From cxf with Apache License 2.0 | 4 votes |
|
protected void validateSubject(Client client, String subject) {
// We must have a Subject
if (subject == null) {
throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
}
}
Example 14
| Source File: AuthorizationCodeGrantHandler.java From cxf with Apache License 2.0 | 4 votes |
|
private ServerAccessToken doCreateAccessToken(Client client,
ServerAuthorizationCodeGrant grant,
String requestedGrant,
String codeVerifier,
List<String> audiences) {
if (grant.isPreauthorizedTokenAvailable()) {
ServerAccessToken token = getPreAuthorizedToken(client,
grant.getSubject(),
requestedGrant,
grant.getRequestedScopes(),
getAudiences(client, grant.getAudience()));
if (token != null) {
if (grant.getNonce() != null) {
JAXRSUtils.getCurrentMessage().getExchange().put(OAuthConstants.NONCE, grant.getNonce());
}
return token;
}
// the grant was issued based on the authorization time check confirming the
// token was available but it has expired by now or been removed then
// creating a completely new token can be wrong - though this needs to be reviewed
throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
}
// Make sure the client supports the authorization code in cases where
// the implicit/hybrid service was initiating the code grant processing flow
if (!client.getAllowedGrantTypes().isEmpty() && !client.getAllowedGrantTypes().contains(requestedGrant)) {
throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
}
// Delegate to the data provider to create the one
AccessTokenRegistration reg = new AccessTokenRegistration();
reg.setGrantCode(grant.getCode());
reg.setClient(client);
reg.setGrantType(requestedGrant);
reg.setSubject(grant.getSubject());
reg.setRequestedScope(grant.getRequestedScopes());
reg.setNonce(grant.getNonce());
if (grant.getApprovedScopes() != null) {
reg.setApprovedScope(grant.getApprovedScopes());
} else {
reg.setApprovedScope(Collections.emptyList());
}
reg.setAudiences(audiences);
reg.setResponseType(grant.getResponseType());
reg.setClientCodeVerifier(codeVerifier);
reg.getExtraProperties().putAll(grant.getExtraProperties());
return getDataProvider().createAccessToken(reg);
}
