/**
 * Copies the parameters of an incoming token request into an {@link OAuth2AccessTokenReqDTO} and
 * hands it to the OAuth2 service's {@code issueAccessToken}.
 *
 * <p>Fields common to every grant (grant type, client id and secret, redirect URI, scopes, tenant
 * domain) are always copied. The grant-specific credential (authorization code, resource owner
 * username/password, refresh token, SAML assertion or Windows token) is copied only for the
 * matching grant type; any other grant type receives the request's full parameter set instead.
 *
 * <p>The populated DTO carries secrets (client secret, resource owner password, refresh token),
 * so it should never be logged or serialised as a whole.
 *
 * @param oauthRequest the parsed token request
 * @return the response returned by the OAuth2 service
 */
private OAuth2AccessTokenRespDTO getAccessToken(CarbonOAuthTokenRequest oauthRequest) {

    final String requestedGrant = oauthRequest.getGrantType();
    final String samlBearerGrant =
        org.wso2.carbon.identity.oauth.common.GrantType.SAML20_BEARER.toString();
    final String iwaNtlmGrant = org.wso2.carbon.identity.oauth.common.GrantType.IWA_NTLM.toString();

    // Parameters that every grant type shares.
    final OAuth2AccessTokenReqDTO issueRequest = new OAuth2AccessTokenReqDTO();
    issueRequest.setGrantType(requestedGrant);
    issueRequest.setClientId(oauthRequest.getClientId());
    issueRequest.setClientSecret(oauthRequest.getClientSecret());
    issueRequest.setCallbackURI(oauthRequest.getRedirectURI());
    issueRequest.setScope(oauthRequest.getScopes().toArray(new String[0]));
    issueRequest.setTenantDomain(oauthRequest.getTenantDomain());

    // Only the credential that belongs to the requested grant is forwarded; constants sit on the
    // left of equals() so a missing grant type falls through to the last branch.
    if (GrantType.AUTHORIZATION_CODE.toString().equals(requestedGrant)) {
      issueRequest.setAuthorizationCode(oauthRequest.getCode());
    } else if (GrantType.PASSWORD.toString().equals(requestedGrant)) {
      issueRequest.setResourceOwnerUsername(oauthRequest.getUsername());
      issueRequest.setResourceOwnerPassword(oauthRequest.getPassword());
    } else if (GrantType.REFRESH_TOKEN.toString().equals(requestedGrant)) {
      issueRequest.setRefreshToken(oauthRequest.getRefreshToken());
    } else if (samlBearerGrant.equals(requestedGrant)) {
      issueRequest.setAssertion(oauthRequest.getAssertion());
    } else if (iwaNtlmGrant.equals(requestedGrant)) {
      issueRequest.setWindowsToken(oauthRequest.getWindowsToken());
    } else {
      // Grant type not handled above: pass every request parameter through to the service.
      issueRequest.setRequestParameters(oauthRequest.getRequestParameters());
    }

    return EndpointUtil.getOAuth2Service().issueAccessToken(issueRequest);
  }
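  /**
   * Runs a token request through client authentication, grant validation, access-delegation
   * authorization and scope validation, then asks the grant handler to issue the token.
   *
   * <p>Each failed check returns an error response built by {@code handleError}, with response
   * headers applied, instead of throwing. On success the response also carries the application's
   * callback URL, the space-separated authorized scopes, an ID token when the scopes make this an
   * OIDC request, and the user attributes are cached for the authorization code grant.
   *
   * <p>Security-relevant behaviour visible here:
   *
   * <ul>
   *   <li>A request that more than one client authentication handler accepts is rejected.
   *   <li>When no handler accepts the request and the grant handler does not report a confidential
   *       client, the request proceeds without client authentication; grant validation is then the
   *       remaining gate.
   *   <li>The client id written to the debug log comes from the request. NOTE(review): confirm the
   *       log layout neutralises CR/LF in it.
   * </ul>
   *
   * @param tokenReqDTO the token request to process
   * @return the token response, or an error response describing the first failed check
   * @throws IdentityException declared by this method; the raising call is not identifiable here
   * @throws InvalidOAuthClientException declared by this method; presumably raised while the
   *     application data is loaded (to be confirmed against {@code getAppInformation})
   */
  public OAuth2AccessTokenRespDTO issue(OAuth2AccessTokenReqDTO tokenReqDTO)
      throws IdentityException, InvalidOAuthClientException {

    String grantType = tokenReqDTO.getGrantType();
    OAuth2AccessTokenRespDTO tokenRespDTO;

    OAuthTokenReqMessageContext tokReqMsgCtx = new OAuthTokenReqMessageContext(tokenReqDTO);

    AuthorizationGrantHandler authzGrantHandler = authzGrantHandlers.get(grantType);
    if (authzGrantHandler == null) {
      // No handler is registered for this grant type. Answer with a protocol error rather than
      // dereferencing a null handler further down.
      if (log.isDebugEnabled()) {
        log.debug("Unsupported grant type requested by client Id: " + tokenReqDTO.getClientId());
      }
      tokenRespDTO =
          handleError(
              OAuthError.TokenResponse.UNSUPPORTED_GRANT_TYPE,
              "Unsupported Grant Type!",
              tokenReqDTO);
      setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
      return tokenRespDTO;
    }

    // If multiple client authentication methods have been used the authorization server must
    // reject the request.
    ClientAuthenticationHandler clientAuthHandler = null;
    for (ClientAuthenticationHandler candidate : clientAuthenticationHandlers) {
      if (!candidate.canAuthenticate(tokReqMsgCtx)) {
        continue;
      }
      if (clientAuthHandler != null) {
        if (log.isDebugEnabled()) {
          log.debug(
              "Multiple Client Authentication Methods used for client id : "
                  + tokenReqDTO.getClientId());
        }
        tokenRespDTO =
            handleError(
                OAuthConstants.OAuthError.TokenResponse.UNSUPPORTED_CLIENT_AUTHENTICATION_METHOD,
                "Unsupported Client Authentication Method!",
                tokenReqDTO);
        setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
        return tokenRespDTO;
      }
      clientAuthHandler = candidate;
    }

    // A confidential client must present credentials that some handler can check.
    if (clientAuthHandler == null && authzGrantHandler.isConfidentialClient()) {
      if (log.isDebugEnabled()) {
        log.debug(
            "Confidential client cannot be authenticated for client id : "
                + tokenReqDTO.getClientId());
      }
      tokenRespDTO =
          handleError(
              OAuthConstants.OAuthError.TokenResponse.UNSUPPORTED_CLIENT_AUTHENTICATION_METHOD,
              "Unsupported Client Authentication Method!",
              tokenReqDTO);
      setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
      return tokenRespDTO;
    }

    // With no applicable handler (and a grant that is not confidential-only) the client is treated
    // as authenticated; otherwise the selected handler decides.
    boolean isAuthenticated =
        clientAuthHandler == null || clientAuthHandler.authenticateClient(tokReqMsgCtx);
    if (!isAuthenticated) {
      if (log.isDebugEnabled()) {
        log.debug("Client Authentication failed for client Id: " + tokenReqDTO.getClientId());
      }
      tokenRespDTO =
          handleError(
              OAuthError.TokenResponse.INVALID_CLIENT,
              "Client credentials are invalid.",
              tokenReqDTO);
      setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
      return tokenRespDTO;
    }

    // Load the stored application data.
    OAuthAppDO oAuthAppDO = getAppInformation(tokenReqDTO);
    if (!authzGrantHandler.isOfTypeApplicationUser()) {
      // For grants that are not made on behalf of an application user, the token is attributed to
      // the user recorded on the application, in that application's tenant.
      tokReqMsgCtx.setAuthorizedUser(OAuth2Util.getUserFromUserName(oAuthAppDO.getUserName()));
      tokReqMsgCtx
          .getAuthorizedUser()
          .setTenantDomain(IdentityTenantUtil.getTenantDomain(oAuthAppDO.getTenantId()));
    }

    boolean isValidGrant = false;
    String error = "Provided Authorization Grant is invalid";
    try {
      isValidGrant = authzGrantHandler.validateGrant(tokReqMsgCtx);
    } catch (IdentityOAuth2Exception e) {
      if (log.isDebugEnabled()) {
        log.debug("Error occurred while validating grant", e);
      }
      // NOTE(review): the exception message is returned to the caller as the error description;
      // confirm grant handlers only put client-safe text in it.
      error = e.getMessage();
    }

    if (!isValidGrant) {
      if (log.isDebugEnabled()) {
        log.debug("Invalid Grant provided by the client Id: " + tokenReqDTO.getClientId());
      }
      tokenRespDTO = handleError(OAuthError.TokenResponse.INVALID_GRANT, error, tokenReqDTO);
      setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
      return tokenRespDTO;
    }

    boolean isAuthorized = authzGrantHandler.authorizeAccessDelegation(tokReqMsgCtx);
    if (!isAuthorized) {
      if (log.isDebugEnabled()) {
        log.debug("Invalid authorization for client Id = " + tokenReqDTO.getClientId());
      }
      tokenRespDTO =
          handleError(
              OAuthError.TokenResponse.UNAUTHORIZED_CLIENT, "Unauthorized Client!", tokenReqDTO);
      setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
      return tokenRespDTO;
    }

    boolean isValidScope = authzGrantHandler.validateScope(tokReqMsgCtx);
    if (!isValidScope) {
      if (log.isDebugEnabled()) {
        log.debug("Invalid scope provided by client Id: " + tokenReqDTO.getClientId());
      }
      tokenRespDTO =
          handleError(OAuthError.TokenResponse.INVALID_SCOPE, "Invalid Scope!", tokenReqDTO);
      setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
      return tokenRespDTO;
    }

    try {
      // Set the token request context to be used by downstream handlers. This was introduced as a
      // fix for IDENTITY-4111.
      OAuth2Util.setTokenRequestContext(tokReqMsgCtx);
      tokenRespDTO = authzGrantHandler.issue(tokReqMsgCtx);
    } finally {
      // Always clear the context, even when issuing throws, so it does not outlive this request.
      OAuth2Util.clearTokenRequestContext();
    }

    tokenRespDTO.setCallbackURI(oAuthAppDO.getCallbackUrl());

    // Authorized scopes are reported as a single space-separated string.
    String[] scopes = tokReqMsgCtx.getScope();
    if (scopes != null && scopes.length > 0) {
      StringBuilder scopeString = new StringBuilder();
      for (String scope : scopes) {
        scopeString.append(scope);
        scopeString.append(" ");
      }
      tokenRespDTO.setAuthorizedScopes(scopeString.toString().trim());
    }

    setResponseHeaders(tokReqMsgCtx, tokenRespDTO);

    // Do not change this log format, as these logs are used by external applications.
    if (log.isDebugEnabled()) {
      log.debug(
          "Access token issued to client Id: "
              + tokenReqDTO.getClientId()
              + " username: "
              + tokReqMsgCtx.getAuthorizedUser()
              + " and scopes: "
              + tokenRespDTO.getAuthorizedScopes());
    }

    if (tokReqMsgCtx.getScope() != null && OAuth2Util.isOIDCAuthzRequest(tokReqMsgCtx.getScope())) {
      IDTokenBuilder builder =
          OAuthServerConfiguration.getInstance().getOpenIDConnectIDTokenBuilder();
      tokenRespDTO.setIDToken(builder.buildIDToken(tokReqMsgCtx, tokenRespDTO));
    }

    // Constant on the left keeps this comparison null-safe.
    if (GrantType.AUTHORIZATION_CODE.toString().equals(grantType)) {
      addUserAttributesToCache(tokenReqDTO, tokenRespDTO);
    }

    return tokenRespDTO;
  }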