/** * Process the authorization request and issue an authorization code or access token depending on * the Response Type available in the request. * * @param oAuth2AuthorizeReqDTO <code>OAuth2AuthorizeReqDTO</code> containing information about * the authorization request. * @return <code>OAuth2AuthorizeRespDTO</code> instance containing the access token/authorization * code or an error code. */ public OAuth2AuthorizeRespDTO authorize(OAuth2AuthorizeReqDTO oAuth2AuthorizeReqDTO) { if (log.isDebugEnabled()) { log.debug( "Authorization Request received for user : "******", Client ID : " + oAuth2AuthorizeReqDTO.getConsumerKey() + ", Authorization Response Type : " + oAuth2AuthorizeReqDTO.getResponseType() + ", Requested callback URI : " + oAuth2AuthorizeReqDTO.getCallbackUrl() + ", Requested Scope : " + OAuth2Util.buildScopeString(oAuth2AuthorizeReqDTO.getScopes())); } try { AuthorizationHandlerManager authzHandlerManager = AuthorizationHandlerManager.getInstance(); return authzHandlerManager.handleAuthorization(oAuth2AuthorizeReqDTO); } catch (Exception e) { log.error( "Error occurred when processing the authorization request. Returning an error back to client.", e); OAuth2AuthorizeRespDTO authorizeRespDTO = new OAuth2AuthorizeRespDTO(); authorizeRespDTO.setErrorCode(OAuth2ErrorCodes.SERVER_ERROR); authorizeRespDTO.setErrorMsg( "Error occurred when processing the authorization " + "request. Returning an error back to client."); authorizeRespDTO.setCallbackURI(oAuth2AuthorizeReqDTO.getCallbackUrl()); return authorizeRespDTO; } }
@Override public boolean validateGrant(OAuthTokenReqMessageContext tokReqMsgCtx) throws IdentityOAuth2Exception { OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO = tokReqMsgCtx.getOauth2AccessTokenReqDTO(); String username = oAuth2AccessTokenReqDTO.getResourceOwnerUsername(); int tenantId; try { tenantId = IdentityUtil.getTenantIdOFUser(username); } catch (IdentityException e) { throw new IdentityOAuth2Exception(e.getMessage(), e); } // tenantId == -1, means an invalid tenant. if (tenantId == -1) { /*if (log.isDebugEnabled()) { log.debug("Token request with Password Grant Type for an invalid tenant : " + MultitenantUtils.getTenantDomain(username)); } return false;*/ tenantId = MultitenantConstants.SUPER_TENANT_ID; } RealmService realmService = OAuthComponentServiceHolder.getRealmService(); boolean authStatus; try { UserStoreManager userStoreManager = realmService.getTenantUserRealm(tenantId).getUserStoreManager(); authStatus = userStoreManager.authenticate( MultitenantUtils.getTenantAwareUsername(username), oAuth2AccessTokenReqDTO.getResourceOwnerPassword()); if (log.isDebugEnabled()) { log.debug( "Token request with Password Grant Type received. " + "Username : "******"Scope : " + OAuth2Util.buildScopeString(oAuth2AccessTokenReqDTO.getScope()) + ", Authentication State : " + authStatus); } } catch (UserStoreException e) { throw new IdentityOAuth2Exception("Error when authenticating the user credentials.", e); } tokReqMsgCtx.setAuthorizedUser(oAuth2AccessTokenReqDTO.getResourceOwnerUsername()); tokReqMsgCtx.setScope(oAuth2AccessTokenReqDTO.getScope()); return authStatus; }
private OAuth2AccessTokenRespDTO handleError( String errorCode, String errorMsg, OAuth2AccessTokenReqDTO tokenReqDTO) { if (log.isDebugEnabled()) { log.debug( "OAuth-Error-Code=" + errorCode + " client-id=" + tokenReqDTO.getClientId() + " grant-type=" + tokenReqDTO.getGrantType() + " scope=" + OAuth2Util.buildScopeString(tokenReqDTO.getScope())); } OAuth2AccessTokenRespDTO tokenRespDTO; tokenRespDTO = new OAuth2AccessTokenRespDTO(); tokenRespDTO.setError(true); tokenRespDTO.setErrorCode(errorCode); tokenRespDTO.setErrorMsg(errorMsg); return tokenRespDTO; }
/** * Revoke tokens issued to OAuth clients * * @param revokeRequestDTO DTO representing consumerKey, consumerSecret and tokens[] * @return revokeRespDTO DTO representing success or failure message */ public OAuthRevocationResponseDTO revokeTokenByOAuthClient( OAuthRevocationRequestDTO revokeRequestDTO) { // fix here remove associated cache entry TokenMgtDAO tokenMgtDAO = new TokenMgtDAO(); OAuthRevocationResponseDTO revokeResponseDTO = new OAuthRevocationResponseDTO(); try { if (StringUtils.isNotEmpty(revokeRequestDTO.getConsumerKey()) && StringUtils.isNotEmpty(revokeRequestDTO.getToken())) { boolean refreshTokenFirst = false; if (StringUtils.equals( GrantType.REFRESH_TOKEN.toString(), revokeRequestDTO.getToken_type())) { refreshTokenFirst = true; } RefreshTokenValidationDataDO refreshTokenDO = null; AccessTokenDO accessTokenDO = null; if (refreshTokenFirst) { refreshTokenDO = tokenMgtDAO.validateRefreshToken( revokeRequestDTO.getConsumerKey(), revokeRequestDTO.getToken()); if (refreshTokenDO == null || StringUtils.isEmpty(refreshTokenDO.getRefreshTokenState()) || !(OAuthConstants.TokenStates.TOKEN_STATE_ACTIVE.equals( refreshTokenDO.getRefreshTokenState()) || OAuthConstants.TokenStates.TOKEN_STATE_EXPIRED.equals( refreshTokenDO.getRefreshTokenState()))) { accessTokenDO = tokenMgtDAO.retrieveAccessToken(revokeRequestDTO.getToken(), true); refreshTokenDO = null; } } else { accessTokenDO = tokenMgtDAO.retrieveAccessToken(revokeRequestDTO.getToken(), true); if (accessTokenDO == null) { refreshTokenDO = tokenMgtDAO.validateRefreshToken( revokeRequestDTO.getConsumerKey(), revokeRequestDTO.getToken()); if (refreshTokenDO == null || StringUtils.isEmpty(refreshTokenDO.getRefreshTokenState()) || !(OAuthConstants.TokenStates.TOKEN_STATE_ACTIVE.equals( refreshTokenDO.getRefreshTokenState()) || OAuthConstants.TokenStates.TOKEN_STATE_EXPIRED.equals( refreshTokenDO.getRefreshTokenState()))) { return revokeResponseDTO; } } } String grantType = StringUtils.EMPTY; if (accessTokenDO != null) { grantType = accessTokenDO.getGrantType(); } else if (refreshTokenDO != null) { grantType = refreshTokenDO.getGrantType(); } if (!StringUtils.equals(OAuthConstants.GrantTypes.IMPLICIT, grantType) && !OAuth2Util.authenticateClient( revokeRequestDTO.getConsumerKey(), revokeRequestDTO.getConsumerSecret())) { OAuthRevocationResponseDTO revokeRespDTO = new OAuthRevocationResponseDTO(); revokeRespDTO.setError(true); revokeRespDTO.setErrorCode(OAuth2ErrorCodes.UNAUTHORIZED_CLIENT); revokeRespDTO.setErrorMsg("Unauthorized Client"); return revokeRespDTO; } if (refreshTokenDO != null) { org.wso2.carbon.identity.oauth.OAuthUtil.clearOAuthCache( revokeRequestDTO.getConsumerKey(), refreshTokenDO.getAuthorizedUser(), OAuth2Util.buildScopeString(refreshTokenDO.getScope())); org.wso2.carbon.identity.oauth.OAuthUtil.clearOAuthCache( revokeRequestDTO.getConsumerKey(), refreshTokenDO.getAuthorizedUser()); org.wso2.carbon.identity.oauth.OAuthUtil.clearOAuthCache(refreshTokenDO.getAccessToken()); tokenMgtDAO.revokeTokens(new String[] {refreshTokenDO.getAccessToken()}); addRevokeResponseHeaders( revokeResponseDTO, refreshTokenDO.getAccessToken(), revokeRequestDTO.getToken(), refreshTokenDO.getAuthorizedUser().toString()); } else if (accessTokenDO != null) { org.wso2.carbon.identity.oauth.OAuthUtil.clearOAuthCache( revokeRequestDTO.getConsumerKey(), accessTokenDO.getAuthzUser(), OAuth2Util.buildScopeString(accessTokenDO.getScope())); org.wso2.carbon.identity.oauth.OAuthUtil.clearOAuthCache( revokeRequestDTO.getConsumerKey(), accessTokenDO.getAuthzUser()); org.wso2.carbon.identity.oauth.OAuthUtil.clearOAuthCache(revokeRequestDTO.getToken()); tokenMgtDAO.revokeTokens(new String[] {revokeRequestDTO.getToken()}); addRevokeResponseHeaders( revokeResponseDTO, revokeRequestDTO.getToken(), accessTokenDO.getRefreshToken(), accessTokenDO.getAuthzUser().toString()); } return revokeResponseDTO; } else { revokeResponseDTO.setError(true); revokeResponseDTO.setErrorCode(OAuth2ErrorCodes.INVALID_REQUEST); revokeResponseDTO.setErrorMsg("Invalid revocation request"); return revokeResponseDTO; } } catch (InvalidOAuthClientException e) { log.error("Unauthorized Client", e); OAuthRevocationResponseDTO revokeRespDTO = new OAuthRevocationResponseDTO(); revokeRespDTO.setError(true); revokeRespDTO.setErrorCode(OAuth2ErrorCodes.UNAUTHORIZED_CLIENT); revokeRespDTO.setErrorMsg("Unauthorized Client"); return revokeRespDTO; } catch (IdentityException e) { log.error("Error occurred while revoking authorization grant for applications", e); OAuthRevocationResponseDTO revokeRespDTO = new OAuthRevocationResponseDTO(); revokeRespDTO.setError(true); revokeRespDTO.setErrorCode(OAuth2ErrorCodes.SERVER_ERROR); revokeRespDTO.setErrorMsg( "Error occurred while revoking authorization grant for applications"); return revokeRespDTO; } }
/** * Check Whether the provided client_id and the callback URL are valid. * * @param clientId client_id available in the request, Not null parameter. * @param callbackURI callback_uri available in the request, can be null. * @return <code>OAuth2ClientValidationResponseDTO</code> bean with validity information, * callback, App Name, Error Code and Error Message when appropriate. */ public OAuth2ClientValidationResponseDTO validateClientInfo(String clientId, String callbackURI) { OAuth2ClientValidationResponseDTO validationResponseDTO = new OAuth2ClientValidationResponseDTO(); if (log.isDebugEnabled()) { log.debug( "Validate Client information request for client_id : " + clientId + " and callback_uri " + callbackURI); } try { OAuthAppDAO oAuthAppDAO = new OAuthAppDAO(); OAuthAppDO appDO = oAuthAppDAO.getAppInformation(clientId); if (StringUtils.isEmpty(appDO.getGrantTypes()) || StringUtils.isEmpty(appDO.getCallbackUrl())) { if (log.isDebugEnabled()) { log.debug( "Registered App found for the given Client Id : " + clientId + " ,App Name : " + appDO.getApplicationName() + ", does not support the requested grant type."); } validationResponseDTO.setValidClient(false); validationResponseDTO.setErrorCode(OAuth2ErrorCodes.UNSUPPORTED_GRANT_TYPE); validationResponseDTO.setErrorMsg("Requested Grant type is not supported."); return validationResponseDTO; } OAuth2Util.setClientTenatId( IdentityTenantUtil.getTenantId(appDO.getUser().getTenantDomain())); // Valid Client, No callback has provided. Use the callback provided during the registration. if (callbackURI == null) { validationResponseDTO.setValidClient(true); validationResponseDTO.setCallbackURL(appDO.getCallbackUrl()); validationResponseDTO.setApplicationName(appDO.getApplicationName()); return validationResponseDTO; } if (log.isDebugEnabled()) { log.debug( "Registered App found for the given Client Id : " + clientId + " ,App Name : " + appDO.getApplicationName() + ", Callback URL : " + appDO.getCallbackUrl()); } // Valid Client with a callback url in the request. Check whether they are equal. if (appDO.getCallbackUrl().equals(callbackURI)) { validationResponseDTO.setValidClient(true); validationResponseDTO.setApplicationName(appDO.getApplicationName()); validationResponseDTO.setCallbackURL(callbackURI); return validationResponseDTO; } else { // Provided callback URL does not match the registered callback url. log.warn("Provided Callback URL does not match with the provided one."); validationResponseDTO.setValidClient(false); validationResponseDTO.setErrorCode(OAuth2ErrorCodes.INVALID_CALLBACK); validationResponseDTO.setErrorMsg( "Registered callback does not match with the provided url."); return validationResponseDTO; } } catch (InvalidOAuthClientException e) { // There is no such Client ID being registered. So it is a request from an invalid client. log.error("Error while retrieving the Application Information", e); validationResponseDTO.setValidClient(false); validationResponseDTO.setErrorCode(OAuth2ErrorCodes.INVALID_CLIENT); validationResponseDTO.setErrorMsg(e.getMessage()); return validationResponseDTO; } catch (IdentityOAuth2Exception e) { log.error("Error when reading the Application Information.", e); validationResponseDTO.setValidClient(false); validationResponseDTO.setErrorCode(OAuth2ErrorCodes.SERVER_ERROR); validationResponseDTO.setErrorMsg("Error when processing the authorization request."); return validationResponseDTO; } }
public OAuth2AccessTokenRespDTO issue(OAuth2AccessTokenReqDTO tokenReqDTO) throws IdentityException, InvalidOAuthClientException { String grantType = tokenReqDTO.getGrantType(); OAuth2AccessTokenRespDTO tokenRespDTO; AuthorizationGrantHandler authzGrantHandler = authzGrantHandlers.get(grantType); OAuthTokenReqMessageContext tokReqMsgCtx = new OAuthTokenReqMessageContext(tokenReqDTO); // If multiple client authentication methods have been used the authorization server must reject // the request int authenticatorHandlerIndex = -1; for (int i = 0; i < clientAuthenticationHandlers.size(); i++) { if (clientAuthenticationHandlers.get(i).canAuthenticate(tokReqMsgCtx)) { if (authenticatorHandlerIndex > -1) { log.debug( "Multiple Client Authentication Methods used for client id : " + tokenReqDTO.getClientId()); tokenRespDTO = handleError( OAuthConstants.OAuthError.TokenResponse.UNSUPPORTED_CLIENT_AUTHENTICATION_METHOD, "Unsupported Client Authentication Method!", tokenReqDTO); setResponseHeaders(tokReqMsgCtx, tokenRespDTO); return tokenRespDTO; } authenticatorHandlerIndex = i; } } if (authenticatorHandlerIndex < 0 && authzGrantHandler.isConfidentialClient()) { log.debug( "Confidential client cannot be authenticated for client id : " + tokenReqDTO.getClientId()); tokenRespDTO = handleError( OAuthConstants.OAuthError.TokenResponse.UNSUPPORTED_CLIENT_AUTHENTICATION_METHOD, "Unsupported Client Authentication Method!", tokenReqDTO); setResponseHeaders(tokReqMsgCtx, tokenRespDTO); return tokenRespDTO; } ClientAuthenticationHandler clientAuthHandler = null; if (authenticatorHandlerIndex > -1) { clientAuthHandler = clientAuthenticationHandlers.get(authenticatorHandlerIndex); } boolean isAuthenticated; if (clientAuthHandler != null) { isAuthenticated = clientAuthHandler.authenticateClient(tokReqMsgCtx); } else { isAuthenticated = true; } if (!isAuthenticated) { if (log.isDebugEnabled()) { log.debug("Client Authentication failed for client Id: " + tokenReqDTO.getClientId()); } tokenRespDTO = handleError( OAuthError.TokenResponse.INVALID_CLIENT, "Client credentials are invalid.", tokenReqDTO); setResponseHeaders(tokReqMsgCtx, tokenRespDTO); return tokenRespDTO; } // loading the stored application data OAuthAppDO oAuthAppDO = getAppInformation(tokenReqDTO); if (!authzGrantHandler.isOfTypeApplicationUser()) { tokReqMsgCtx.setAuthorizedUser(OAuth2Util.getUserFromUserName(oAuthAppDO.getUserName())); tokReqMsgCtx .getAuthorizedUser() .setTenantDomain(IdentityTenantUtil.getTenantDomain(oAuthAppDO.getTenantId())); } boolean isValidGrant = false; String error = "Provided Authorization Grant is invalid"; try { isValidGrant = authzGrantHandler.validateGrant(tokReqMsgCtx); } catch (IdentityOAuth2Exception e) { if (log.isDebugEnabled()) { log.debug("Error occurred while validating grant", e); } error = e.getMessage(); } if (!isValidGrant) { if (log.isDebugEnabled()) { log.debug("Invalid Grant provided by the client Id: " + tokenReqDTO.getClientId()); } tokenRespDTO = handleError(OAuthError.TokenResponse.INVALID_GRANT, error, tokenReqDTO); setResponseHeaders(tokReqMsgCtx, tokenRespDTO); return tokenRespDTO; } boolean isAuthorized = authzGrantHandler.authorizeAccessDelegation(tokReqMsgCtx); if (!isAuthorized) { if (log.isDebugEnabled()) { log.debug("Invalid authorization for client Id = " + tokenReqDTO.getClientId()); } tokenRespDTO = handleError( OAuthError.TokenResponse.UNAUTHORIZED_CLIENT, "Unauthorized Client!", tokenReqDTO); setResponseHeaders(tokReqMsgCtx, tokenRespDTO); return tokenRespDTO; } boolean isValidScope = authzGrantHandler.validateScope(tokReqMsgCtx); if (!isValidScope) { if (log.isDebugEnabled()) { log.debug("Invalid scope provided by client Id: " + tokenReqDTO.getClientId()); } tokenRespDTO = handleError(OAuthError.TokenResponse.INVALID_SCOPE, "Invalid Scope!", tokenReqDTO); setResponseHeaders(tokReqMsgCtx, tokenRespDTO); return tokenRespDTO; } try { // set the token request context to be used by downstream handlers. This is introduced as a // fix for // IDENTITY-4111. OAuth2Util.setTokenRequestContext(tokReqMsgCtx); tokenRespDTO = authzGrantHandler.issue(tokReqMsgCtx); } finally { // clears the token request context. OAuth2Util.clearTokenRequestContext(); } tokenRespDTO.setCallbackURI(oAuthAppDO.getCallbackUrl()); String[] scopes = tokReqMsgCtx.getScope(); if (scopes != null && scopes.length > 0) { StringBuilder scopeString = new StringBuilder(""); for (String scope : scopes) { scopeString.append(scope); scopeString.append(" "); } tokenRespDTO.setAuthorizedScopes(scopeString.toString().trim()); } setResponseHeaders(tokReqMsgCtx, tokenRespDTO); // Do not change this log format as these logs use by external applications if (log.isDebugEnabled()) { log.debug( "Access token issued to client Id: " + tokenReqDTO.getClientId() + " username: "******" and scopes: " + tokenRespDTO.getAuthorizedScopes()); } if (tokReqMsgCtx.getScope() != null && OAuth2Util.isOIDCAuthzRequest(tokReqMsgCtx.getScope())) { IDTokenBuilder builder = OAuthServerConfiguration.getInstance().getOpenIDConnectIDTokenBuilder(); tokenRespDTO.setIDToken(builder.buildIDToken(tokReqMsgCtx, tokenRespDTO)); } if (tokenReqDTO.getGrantType().equals(GrantType.AUTHORIZATION_CODE.toString())) { addUserAttributesToCache(tokenReqDTO, tokenRespDTO); } return tokenRespDTO; }