/**
* @return
* @throws IdentityException
*/
public String[] getClaimURIs() throws IdentityException {
String tenatUser =
MultitenantUtils.getTenantAwareUsername(CarbonContext.getCurrentContext().getUsername());
String domainName = MultitenantUtils.getTenantDomain(tenatUser);
String[] claimUris = null;
try {
UserRealm realm = IdentityTenantUtil.getRealm(domainName, tenatUser);
String claimDialect =
IdentityUtil.getProperty(IdentityConstants.ServerConfig.SSO_ATTRIB_CLAIM_DIALECT);
if (claimDialect == null || claimDialect.equals("")) {
// set default
claimDialect = "http://wso2.org/claims";
}
ClaimMapping[] claims = realm.getClaimManager().getAllClaimMappings(claimDialect);
claimUris = new String[claims.length];
for (int i = 0; i < claims.length; i++) {
Claim claim = claims[i].getClaim();
claimUris[i] = claim.getClaimUri();
}
} catch (IdentityException e) {
log.error("Error while getting realm for " + tenatUser, e);
throw new IdentityException("Error while getting realm for " + tenatUser + e);
} catch (org.wso2.carbon.user.api.UserStoreException e) {
log.error("Error while getting claims for " + tenatUser, e);
throw new IdentityException("Error while getting claims for " + tenatUser + e);
}
return claimUris;
}
/** Retrieving claims from the Identity Server user store with the given claim dialect */
public Map<String, Object> getClaimsMap(OAuth2TokenValidationResponseDTO tokenResponse)
throws OAuthSystemException {
String tenantUser = MultitenantUtils.getTenantAwareUsername(tokenResponse.getAuthorizedUser());
String domainName = MultitenantUtils.getTenantDomain(tokenResponse.getAuthorizedUser());
Claim[] claims;
try {
claims =
IdentityTenantUtil.getRealm(domainName, tenantUser)
.getUserStoreManager()
.getUserClaimValues(tenantUser, null);
} catch (Exception e) {
throw new OAuthSystemException("Error while reading user claims for the user " + tenantUser);
}
String claimDialect =
EndpointUtil.getOAuthServerConfiguration().getOpenIDConnectUserInfoEndpointClaimDialect();
Map<String, Object> dialectClaims = new HashMap<String, Object>();
// lets always return the sub claim
dialectClaims.put("sub", tenantUser);
// add only the claims with the requested dialect
for (Claim curClaim : claims) {
if (curClaim.getClaimUri().contains(claimDialect)) {
dialectClaims.put(curClaim.getClaimUri(), curClaim.getValue());
}
}
return dialectClaims;
}
/**
* Returns an array of claims of the authorized user. This is for the OpenIDConnect user-end-point
* implementation.
*
* <p>TODO : 1. Should return the userinfo response instead. TODO : 2. Should create another
* service API for userinfo endpoint
*
* @param accessTokenIdentifier
* @return
* @throws IdentityException
*/
public Claim[] getUserClaims(String accessTokenIdentifier) {
OAuth2TokenValidationRequestDTO reqDTO = new OAuth2TokenValidationRequestDTO();
OAuth2TokenValidationRequestDTO.OAuth2AccessToken accessToken = reqDTO.new OAuth2AccessToken();
accessToken.setTokenType("bearer");
accessToken.setIdentifier(accessTokenIdentifier);
reqDTO.setAccessToken(accessToken);
OAuth2TokenValidationResponseDTO respDTO = new OAuth2TokenValidationService().validate(reqDTO);
String username = respDTO.getAuthorizedUser();
if (username == null) { // invalid token
log.debug(respDTO.getErrorMsg());
return new Claim[0];
}
String[] scope = respDTO.getScope();
boolean isOICScope = false;
for (String curScope : scope) {
if ("openid".equals(curScope)) {
isOICScope = true;
}
}
if (!isOICScope) {
log.error("AccessToken does not have the openid scope");
return new Claim[0];
}
// TODO : this code is ugly
String profileName = "default"; // TODO : configurable
String tenantDomain = MultitenantUtils.getTenantDomain(username);
String tenatUser = MultitenantUtils.getTenantAwareUsername(username);
List<Claim> claimsList = new ArrayList<Claim>();
// MUST claim
// http://openid.net/specs/openid-connect-basic-1_0-22.html#id_res
Claim subClaim = new Claim();
subClaim.setClaimUri("sub");
subClaim.setValue(username);
claimsList.add(subClaim);
try {
UserStoreManager userStore =
IdentityTenantUtil.getRealm(tenantDomain, tenatUser).getUserStoreManager();
// externel configured claims
String[] claims = OAuthServerConfiguration.getInstance().getSupportedClaims();
if (claims != null) {
Map<String, String> extClaimsMap =
userStore.getUserClaimValues(username, claims, profileName);
for (Map.Entry<String, String> entry : extClaimsMap.entrySet()) {
Claim curClaim = new Claim();
curClaim.setClaimUri(entry.getKey());
curClaim.setValue(entry.getValue());
claimsList.add(curClaim);
}
}
// default claims
String[] defaultClaims = new String[3];
defaultClaims[0] = "http://wso2.org/claims/emailaddress";
defaultClaims[1] = "http://wso2.org/claims/givenname";
defaultClaims[2] = "http://wso2.org/claims/lastname";
String emailAddress = null;
String firstName = null;
String lastName = null;
Map<String, String> defClaimsMap =
userStore.getUserClaimValues(username, defaultClaims, profileName);
if (defClaimsMap.get(defaultClaims[0]) != null) {
emailAddress = defClaimsMap.get(defaultClaims[0]);
Claim email = new Claim();
email.setClaimUri("email");
email.setValue(emailAddress);
claimsList.add(email);
Claim prefName = new Claim();
prefName.setClaimUri("preferred_username");
prefName.setValue(emailAddress.split("@")[0]);
claimsList.add(prefName);
}
if (defClaimsMap.get(defaultClaims[1]) != null) {
firstName = defClaimsMap.get(defaultClaims[1]);
Claim givenName = new Claim();
givenName.setClaimUri("given_name");
givenName.setValue(firstName);
claimsList.add(givenName);
}
if (defClaimsMap.get(defaultClaims[2]) != null) {
lastName = defClaimsMap.get(defaultClaims[2]);
Claim familyName = new Claim();
familyName.setClaimUri("family_name");
familyName.setValue(lastName);
claimsList.add(familyName);
}
if (firstName != null && lastName != null) {
Claim name = new Claim();
name.setClaimUri("name");
name.setValue(firstName + " " + lastName);
claimsList.add(name);
}
} catch (Exception e) {
log.error("Error while reading user claims ", e);
}
Claim[] allClaims = new Claim[claimsList.size()];
for (int i = 0; i < claimsList.size(); i++) {
allClaims[i] = claimsList.get(i);
}
return allClaims;
}
