Java Code Examples for org.apache.cxf.rs.security.oauth2.utils.OAuthConstants#INVALID_REQUEST

The following examples show how to use org.apache.cxf.rs.security.oauth2.utils.OAuthConstants#INVALID_REQUEST. Each example is preceded by the name of the source file it was taken from.
Example 1
Source File: OidcClientCodeRequestFilter.java    From cxf with Apache License 2.0
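private void validateIdToken(IdToken idToken, MultivaluedMap<String, String> state) {

        // The nonce echoed in the ID token must equal the nonce kept in the request state,
        // which binds the token to this authentication request. The check is skipped when
        // no nonce was stored for the request.
        String nonce = state.getFirst(IdToken.NONCE_CLAIM);
        String tokenNonce = idToken.getNonce();
        if (nonce != null && (tokenNonce == null || !nonce.equals(tokenNonce))) {
            throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
        }
        if (maxAgeOffset != null) {
            // A max_age check is active, so the state must carry the stored reference time and
            // the token must carry auth_time. Either being absent (or the stored value not being
            // a number) is reported as invalid_request instead of surfacing as a
            // NumberFormatException / unboxing NullPointerException.
            String storedAuthTime = state.getFirst(MAX_AGE_PARAMETER);
            Long tokenAuthTime = idToken.getAuthenticationTime();
            if (storedAuthTime == null || tokenAuthTime == null) {
                throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
            }
            final long authTime;
            try {
                authTime = Long.parseLong(storedAuthTime);
            } catch (NumberFormatException ex) {
                throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST, ex);
            }
            // NOTE(review): the token is rejected when its auth_time is later than the stored
            // value; what exactly is stored under MAX_AGE_PARAMETER is decided where the state
            // is created - confirm the direction of this comparison against that code.
            if (tokenAuthTime > authTime) {
                throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
            }
        }

        String acr = idToken.getAuthenticationContextRef();
        // Skip the check if the acr is not set given it is a voluntary claim; when it is set
        // and this filter has an acr allow-list, the value must be on that list.
        if (acr != null && authenticationContextRef != null && !authenticationContextRef.contains(acr)) {
            throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
        }

    }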
 
Example 2
Source File: ResourceOwnerGrantHandler.java    From cxf with Apache License 2.0
public ServerAccessToken createAccessToken(Client client, MultivaluedMap<String, String> params)
    throws OAuthServiceException {

    // Resource Owner Password Credentials grant: both credentials have to be present
    // before the login handler is consulted at all.
    final String username = params.getFirst(OAuthConstants.RESOURCE_OWNER_NAME);
    final String password = params.getFirst(OAuthConstants.RESOURCE_OWNER_PASSWORD);
    final boolean credentialsPresent = username != null && password != null;
    if (!credentialsPresent) {
        throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
    }

    // A null subject means the login handler rejected the credentials; that is an
    // invalid_grant, distinct from the malformed-request case above.
    final UserSubject owner = loginHandler.createSubject(client, username, password);
    if (owner == null) {
        throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
    }
    return doCreateAccessToken(client, owner, params);
}
 
Example 3
Source File: AuthorizationCodeGrantHandler.java    From cxf with Apache License 2.0
public ServerAccessToken createAccessToken(Client client, MultivaluedMap<String, String> params)
    throws OAuthServiceException {

    // Consume the code first: removing it from the provider makes it single-use, so every
    // validation below runs against a grant that can no longer be presented again.
    final String code = params.getFirst(OAuthConstants.AUTHORIZATION_CODE_VALUE);
    final AuthorizationCodeDataProvider codeProvider = (AuthorizationCodeDataProvider) getDataProvider();
    final ServerAuthorizationCodeGrant grant = codeProvider.removeCodeGrant(code);
    if (grant == null) {
        return null;
    }

    // An expired code, or one issued to a different client, is an invalid_grant.
    final boolean expired = OAuthUtils.isExpired(grant.getIssuedAt(), grant.getExpiresIn());
    if (expired) {
        throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
    }
    final boolean issuedToThisClient = grant.getClient().getClientId().equals(client.getClientId());
    if (!issuedToThisClient) {
        throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
    }

    // Redirect URI binding: a redirect_uri sent to the token endpoint must equal the one
    // recorded with the grant. When none is sent, a grant recorded without a URI is only
    // acceptable if public clients are supported, and a grant recorded with a URI is only
    // acceptable if that URI is the client's single registered redirect URI.
    final String grantRedirectUri = grant.getRedirectUri();
    final String tokenRequestRedirectUri = params.getFirst(OAuthConstants.REDIRECT_URI);
    if (tokenRequestRedirectUri != null) {
        if (!tokenRequestRedirectUri.equals(grantRedirectUri)) {
            throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
        }
    } else {
        final boolean redirectUriMismatch;
        if (grantRedirectUri == null) {
            redirectUriMismatch = !isCanSupportPublicClients();
        } else {
            final List<String> registeredUris = client.getRedirectUris();
            redirectUriMismatch = registeredUris.size() != 1 || !registeredUris.contains(grantRedirectUri);
        }
        if (redirectUriMismatch) {
            throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
        }
    }

    // PKCE: the verifier presented now has to match the challenge captured with the grant.
    final String codeVerifier = params.getFirst(OAuthConstants.AUTHORIZATION_CODE_VERIFIER);
    final String codeChallenge = grant.getClientCodeChallenge();
    if (!compareCodeVerifierWithChallenge(client, codeVerifier, codeChallenge)) {
        throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
    }

    final List<String> audiences = getAudiences(client, params, grant.getAudience());
    return doCreateAccessToken(client, grant, getSingleGrantType(), codeVerifier, audiences);
}
 
Example 4
Source File: AuthorizationCodeGrantHandler.java    From cxf with Apache License 2.0
protected List<String> getAudiences(Client client, MultivaluedMap<String, String> params,
                                    String grantAudience) {
    // Resolves the audience for the token: the value sent to the token endpoint wins over
    // the one approved when the grant was created, but the two may not disagree.
    final String requestedAudience = params.getFirst(OAuthConstants.CLIENT_AUDIENCE);
    final boolean nothingToResolve = client.getRegisteredAudiences().isEmpty()
        && requestedAudience == null
        && grantAudience == null;
    if (nothingToResolve) {
        return Collections.emptyList();
    }
    // An audience fixed at grant creation time cannot be swapped at the token endpoint.
    if (grantAudience != null && requestedAudience != null && !grantAudience.equals(requestedAudience)) {
        throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
    }
    final String audience = requestedAudience != null ? requestedAudience : grantAudience;
    return getAudiences(client, audience);
}
 
Example 5
Source File: DynamicRegistrationService.java    From cxf with Apache License 2.0
protected void fromClientRegistrationToClient(ClientRegistration request, Client client) {
    // Copies the registration request's properties onto the Client being created.
    final List<String> allowedGrants = client.getAllowedGrantTypes();

    // Redirect URIs: every URI is validated against the application type and the grants
    // the client may use before the list is stored on the client.
    final List<String> requestedRedirectUris = request.getRedirectUris();
    if (requestedRedirectUris != null) {
        final String declaredAppType = request.getApplicationType();
        final String appType = declaredAppType != null ? declaredAppType : DEFAULT_APPLICATION_TYPE;
        for (String redirectUri : requestedRedirectUris) {
            validateRequestUri(redirectUri, appType, allowedGrants);
        }
        client.setRedirectUris(requestedRedirectUris);
    }

    // The authorization code and implicit grants deliver their response to a redirect URI,
    // so a client allowed to use them must register at least one.
    if (client.getRedirectUris().isEmpty()) {
        final boolean needsRedirectUri = allowedGrants.contains(OAuthConstants.AUTHORIZATION_CODE_GRANT)
            || allowedGrants.contains(OAuthConstants.IMPLICIT_GRANT);
        if (needsRedirectUri) {
            reportInvalidRequestError(
                new OAuthError(OAuthConstants.INVALID_REQUEST, "A Redirection URI is required"));
        }
    }

    // Resource URIs become the client's registered audiences
    final List<String> audienceUris = request.getResourceUris();
    if (audienceUris != null) {
        client.setRegisteredAudiences(audienceUris);
    }

    // Space-separated scope string becomes the registered scope list
    final String requestedScope = request.getScope();
    if (!StringUtils.isEmpty(requestedScope)) {
        client.setRegisteredScopes(OAuthUtils.parseScope(requestedScope));
    }

    // Application and logo URIs are copied as-is when present
    final String applicationUri = request.getClientUri();
    if (applicationUri != null) {
        client.setApplicationWebUri(applicationUri);
    }
    final String logoUri = request.getLogoUri();
    if (logoUri != null) {
        client.setApplicationLogoUri(logoUri);
    }

    //TODO: check other properties
    // Add more typed properties like tosUri, policyUri, etc to Client
    // or set them as Client extra properties
}
 
Example 6
Source File: AbstractOAuthService.java    From cxf with Apache License 2.0
protected void reportInvalidRequestError(String errorDescription, MediaType mt) {
    // Convenience overload: wraps the description in an invalid_request OAuthError and
    // hands it to the OAuthError-based variant, which renders it in the given media type.
    reportInvalidRequestError(new OAuthError(OAuthConstants.INVALID_REQUEST, errorDescription), mt);
}