/**
* This is override because of query string values hard coded and input values validations are not
* required.
*
* @param request
* @param response
* @param context
* @throws AuthenticationFailedException
*/
@Override
protected void initiateAuthenticationRequest(
HttpServletRequest request, HttpServletResponse response, AuthenticationContext context)
throws AuthenticationFailedException {
try {
Map<String, String> authenticatorProperties = context.getAuthenticatorProperties();
if (authenticatorProperties != null) {
String clientId = authenticatorProperties.get(OIDCAuthenticatorConstants.CLIENT_ID);
String authorizationEP;
if (getAuthorizationServerEndpoint(authenticatorProperties) != null) {
authorizationEP = getAuthorizationServerEndpoint(authenticatorProperties);
} else {
authorizationEP =
authenticatorProperties.get(OIDCAuthenticatorConstants.OAUTH2_AUTHZ_URL);
}
String callBackUrl =
authenticatorProperties.get(GoogleOAuth2AuthenticationConstant.CALLBACK_URL);
if (log.isDebugEnabled()) {
log.debug("Google-callback-url : " + callBackUrl);
}
if (callBackUrl == null) {
callBackUrl = CarbonUIUtil.getAdminConsoleURL(request);
callBackUrl = callBackUrl.replace("commonauth/carbon/", "commonauth");
}
String state = context.getContextIdentifier() + "," + OIDCAuthenticatorConstants.LOGIN_TYPE;
state = getState(state, authenticatorProperties);
OAuthClientRequest authzRequest;
// This is the query string need to send in order to get email and
// profile
String queryString = GoogleOAuth2AuthenticationConstant.QUERY_STRING;
authzRequest =
OAuthClientRequest.authorizationLocation(authorizationEP)
.setClientId(clientId)
.setRedirectURI(callBackUrl)
.setResponseType(OIDCAuthenticatorConstants.OAUTH2_GRANT_TYPE_CODE)
.setState(state)
.buildQueryMessage();
String loginPage = authzRequest.getLocationUri();
String domain = request.getParameter("domain");
if (domain != null) {
loginPage = loginPage + "&fidp=" + domain;
}
if (queryString != null) {
if (!queryString.startsWith("&")) {
loginPage = loginPage + "&" + queryString;
} else {
loginPage = loginPage + queryString;
}
}
response.sendRedirect(loginPage);
} else {
if (log.isDebugEnabled()) {
log.debug("Error while retrieving properties. Authenticator Properties cannot be null");
}
throw new AuthenticationFailedException(
"Error while retrieving properties. Authenticator Properties cannot be null");
}
} catch (IOException e) {
throw new AuthenticationFailedException("Exception while sending to the login page", e);
} catch (OAuthSystemException e) {
throw new AuthenticationFailedException(
"Exception while building authorization code request", e);
}
}
/**
* this method are overridden for extra claim request to google end-point
*
* @param request
* @param response
* @param context
* @throws AuthenticationFailedException
*/
@Override
protected void processAuthenticationResponse(
HttpServletRequest request, HttpServletResponse response, AuthenticationContext context)
throws AuthenticationFailedException {
try {
Map<String, String> authenticatorProperties = context.getAuthenticatorProperties();
String clientId = authenticatorProperties.get(OIDCAuthenticatorConstants.CLIENT_ID);
String clientSecret = authenticatorProperties.get(OIDCAuthenticatorConstants.CLIENT_SECRET);
String tokenEndPoint;
if (getTokenEndpoint(authenticatorProperties) != null) {
tokenEndPoint = getTokenEndpoint(authenticatorProperties);
} else {
tokenEndPoint = authenticatorProperties.get(OIDCAuthenticatorConstants.OAUTH2_TOKEN_URL);
}
String callBackUrl =
authenticatorProperties.get(GoogleOAuth2AuthenticationConstant.CALLBACK_URL);
log.debug("callBackUrl : " + callBackUrl);
if (callBackUrl == null) {
callBackUrl = CarbonUIUtil.getAdminConsoleURL(request);
callBackUrl = callBackUrl.replace("commonauth/carbon/", "commonauth");
}
@SuppressWarnings({"unchecked"})
Map<String, String> paramValueMap =
(Map<String, String>) context.getProperty("oidc:param.map");
if (paramValueMap != null && paramValueMap.containsKey("redirect_uri")) {
callBackUrl = paramValueMap.get("redirect_uri");
}
OAuthAuthzResponse authzResponse = OAuthAuthzResponse.oauthCodeAuthzResponse(request);
String code = authzResponse.getCode();
OAuthClientRequest accessRequest = null;
accessRequest = getAccessRequest(tokenEndPoint, clientId, clientSecret, callBackUrl, code);
// create OAuth client that uses custom http client under the hood
OAuthClient oAuthClient = new OAuthClient(new URLConnectionClient());
OAuthClientResponse oAuthResponse = null;
oAuthResponse = getOAuthResponse(accessRequest, oAuthClient, oAuthResponse);
// TODO : return access token and id token to framework
String accessToken = "";
String idToken = "";
if (oAuthResponse != null) {
accessToken = oAuthResponse.getParam(OIDCAuthenticatorConstants.ACCESS_TOKEN);
idToken = oAuthResponse.getParam(OIDCAuthenticatorConstants.ID_TOKEN);
}
if (accessToken != null && (idToken != null || !requiredIDToken(authenticatorProperties))) {
context.setProperty(OIDCAuthenticatorConstants.ACCESS_TOKEN, accessToken);
if (idToken != null) {
context.setProperty(OIDCAuthenticatorConstants.ID_TOKEN, idToken);
String base64Body = idToken.split("\\.")[1];
byte[] decoded = Base64.decodeBase64(base64Body.getBytes());
String json = new String(decoded, Charset.forName("utf-8"));
if (log.isDebugEnabled()) {
log.debug("Id token json string : " + json);
}
Map<String, Object> jsonObject = JSONUtils.parseJSON(json);
if (jsonObject != null) {
Map<ClaimMapping, String> claims = getSubjectAttributes(oAuthResponse);
String authenticatedUser =
(String) jsonObject.get(OIDCAuthenticatorConstants.Claim.EMAIL);
AuthenticatedUser authenticatedUserObj =
AuthenticatedUser.createFederateAuthenticatedUserFromSubjectIdentifier(
authenticatedUser);
authenticatedUserObj.setUserAttributes(claims);
context.setSubject(authenticatedUserObj);
} else {
if (log.isDebugEnabled()) {
log.debug("Decoded json object is null");
}
throw new AuthenticationFailedException("Decoded json object is null");
}
} else {
if (log.isDebugEnabled()) {
log.debug("Authentication Failed");
}
throw new AuthenticationFailedException("Authentication Failed");
}
} else {
throw new AuthenticationFailedException("Authentication Failed");
}
} catch (OAuthProblemException e) {
throw new AuthenticationFailedException("Error occurred while acquiring access token", e);
} catch (JSONException e) {
throw new AuthenticationFailedException("Error occurred while parsing json object", e);
}
}
@Override
protected void processAuthenticationResponse(
HttpServletRequest request, HttpServletResponse response, AuthenticationContext context)
throws AuthenticationFailedException {
try {
Map<String, String> authenticatorProperties = context.getAuthenticatorProperties();
String clientId = authenticatorProperties.get(OIDCAuthenticatorConstants.CLIENT_ID);
String clientSecret = authenticatorProperties.get(OIDCAuthenticatorConstants.CLIENT_SECRET);
String tokenEndPoint = getTokenEndpoint(authenticatorProperties);
if (tokenEndPoint == null) {
tokenEndPoint = authenticatorProperties.get(OIDCAuthenticatorConstants.OAUTH2_TOKEN_URL);
}
String callbackUrl = getCallbackUrl(authenticatorProperties);
if (StringUtils.isBlank(callbackUrl)) {
callbackUrl = IdentityUtil.getServerURL(FrameworkConstants.COMMONAUTH, true, true);
}
@SuppressWarnings({"unchecked"})
Map<String, String> paramValueMap =
(Map<String, String>) context.getProperty("oidc:param.map");
if (paramValueMap != null && paramValueMap.containsKey("redirect_uri")) {
callbackUrl = paramValueMap.get("redirect_uri");
}
OAuthAuthzResponse authzResponse = OAuthAuthzResponse.oauthCodeAuthzResponse(request);
String code = authzResponse.getCode();
OAuthClientRequest accessRequest =
getaccessRequest(tokenEndPoint, clientId, code, clientSecret, callbackUrl);
// Create OAuth client that uses custom http client under the hood
OAuthClient oAuthClient = new OAuthClient(new URLConnectionClient());
OAuthClientResponse oAuthResponse = getOauthResponse(oAuthClient, accessRequest);
// TODO : return access token and id token to framework
String accessToken = oAuthResponse.getParam(OIDCAuthenticatorConstants.ACCESS_TOKEN);
if (StringUtils.isBlank(accessToken)) {
throw new AuthenticationFailedException("Access token is empty or null");
}
String idToken = oAuthResponse.getParam(OIDCAuthenticatorConstants.ID_TOKEN);
if (StringUtils.isBlank(idToken) && requiredIDToken(authenticatorProperties)) {
throw new AuthenticationFailedException("Id token is required and is missing");
}
context.setProperty(OIDCAuthenticatorConstants.ACCESS_TOKEN, accessToken);
AuthenticatedUser authenticatedUserObj;
Map<ClaimMapping, String> claims = new HashMap<>();
Map<String, Object> jsonObject = new HashMap<>();
if (StringUtils.isNotBlank(idToken)) {
context.setProperty(OIDCAuthenticatorConstants.ID_TOKEN, idToken);
String base64Body = idToken.split("\\.")[1];
byte[] decoded = Base64.decodeBase64(base64Body.getBytes());
String json = new String(decoded);
jsonObject = JSONUtils.parseJSON(json);
if (jsonObject == null) {
if (log.isDebugEnabled()) {
log.debug("Decoded json object is null");
}
throw new AuthenticationFailedException("Decoded json object is null");
}
if (log.isDebugEnabled()
&& IdentityUtil.isTokenLoggable(IdentityConstants.IdentityTokens.USER_ID_TOKEN)) {
log.debug("Retrieved the User Information:" + jsonObject);
}
String authenticatedUser = null;
String isSubjectInClaimsProp =
context
.getAuthenticatorProperties()
.get(IdentityApplicationConstants.Authenticator.SAML2SSO.IS_USER_ID_IN_CLAIMS);
if (StringUtils.equalsIgnoreCase("true", isSubjectInClaimsProp)) {
authenticatedUser = getSubjectFromUserIDClaimURI(context);
if (authenticatedUser == null && log.isDebugEnabled()) {
log.debug(
"Subject claim could not be found amongst subject attributes. "
+ "Defaulting to the sub attribute in IDToken.");
}
}
if (authenticatedUser == null) {
authenticatedUser = getAuthenticateUser(context, jsonObject, oAuthResponse);
if (authenticatedUser == null) {
throw new AuthenticationFailedException("Cannot find federated User Identifier");
}
}
String attributeSeparator = null;
try {
String tenantDomain = context.getTenantDomain();
if (StringUtils.isBlank(tenantDomain)) {
tenantDomain = MultitenantConstants.SUPER_TENANT_DOMAIN_NAME;
}
int tenantId =
OpenIDConnectAuthenticatorServiceComponent.getRealmService()
.getTenantManager()
.getTenantId(tenantDomain);
UserRealm userRealm =
OpenIDConnectAuthenticatorServiceComponent.getRealmService()
.getTenantUserRealm(tenantId);
if (userRealm != null) {
UserStoreManager userStore = (UserStoreManager) userRealm.getUserStoreManager();
attributeSeparator =
userStore
.getRealmConfiguration()
.getUserStoreProperty(IdentityCoreConstants.MULTI_ATTRIBUTE_SEPARATOR);
if (log.isDebugEnabled()) {
log.debug(
"For the claim mapping: "
+ attributeSeparator
+ " is used as the attributeSeparator in tenant: "
+ tenantDomain);
}
}
} catch (UserStoreException e) {
throw new AuthenticationFailedException(
"Error while retrieving multi attribute " + "separator", e);
}
for (Map.Entry<String, Object> entry : jsonObject.entrySet()) {
buildClaimMappings(claims, entry, attributeSeparator);
}
authenticatedUserObj =
AuthenticatedUser.createFederateAuthenticatedUserFromSubjectIdentifier(
authenticatedUser);
} else {
if (log.isDebugEnabled()) {
log.debug("The IdToken is null");
}
authenticatedUserObj =
AuthenticatedUser.createFederateAuthenticatedUserFromSubjectIdentifier(
getAuthenticateUser(context, jsonObject, oAuthResponse));
}
claims.putAll(getSubjectAttributes(oAuthResponse, authenticatorProperties));
authenticatedUserObj.setUserAttributes(claims);
context.setSubject(authenticatedUserObj);
} catch (OAuthProblemException e) {
throw new AuthenticationFailedException("Authentication process failed", e);
}
}
/** Process the response of the Inwebo end-point */
@Override
protected void processAuthenticationResponse(
HttpServletRequest request, HttpServletResponse response, AuthenticationContext context)
throws AuthenticationFailedException {
int waitTime;
int retryInterval;
String username = null;
// Getting the last authenticated local user
for (Integer stepMap : context.getSequenceConfig().getStepMap().keySet())
if (context.getSequenceConfig().getStepMap().get(stepMap).getAuthenticatedUser() != null
&& context
.getSequenceConfig()
.getStepMap()
.get(stepMap)
.getAuthenticatedAutenticator()
.getApplicationAuthenticator()
instanceof LocalApplicationAuthenticator) {
username =
String.valueOf(
context.getSequenceConfig().getStepMap().get(stepMap).getAuthenticatedUser());
break;
}
if (username != null) {
UserRealm userRealm = null;
try {
String tenantDomain = MultitenantUtils.getTenantDomain(username);
int tenantId = IdentityTenantUtil.getTenantId(tenantDomain);
RealmService realmService = IdentityTenantUtil.getRealmService();
userRealm = (UserRealm) realmService.getTenantUserRealm(tenantId);
username = MultitenantUtils.getTenantAwareUsername(username);
if (userRealm != null) {
userId =
userRealm
.getUserStoreManager()
.getUserClaimValue(username, InweboConstants.INWEBO_USERID, null)
.toString();
} else {
throw new AuthenticationFailedException(
"Cannot find the user claim for the given userId: " + userId);
}
} catch (UserStoreException e) {
throw new AuthenticationFailedException(
"Error while getting the user realm" + e.getMessage(), e);
}
}
Map<String, String> authenticatorProperties = context.getAuthenticatorProperties();
if (authenticatorProperties != null) {
String serviceId = authenticatorProperties.get(InweboConstants.SERVICE_ID);
String p12file = authenticatorProperties.get(InweboConstants.INWEBO_P12FILE);
String p12password = authenticatorProperties.get(InweboConstants.INWEBO_P12PASSWORD);
if (!StringUtils.isEmpty(authenticatorProperties.get(InweboConstants.RETRY_COUNT))) {
waitTime = Integer.parseInt(authenticatorProperties.get(InweboConstants.RETRY_COUNT));
} else {
waitTime = Integer.parseInt(InweboConstants.WAITTIME_DEFAULT);
}
if (!StringUtils.isEmpty(authenticatorProperties.get(InweboConstants.RETRY_INTERVAL))) {
retryInterval =
Integer.parseInt(authenticatorProperties.get(InweboConstants.RETRY_INTERVAL));
} else {
retryInterval = Integer.parseInt(InweboConstants.RETRYINTERVAL_DEFAULT);
}
PushRestCall push =
new PushRestCall(serviceId, p12file, p12password, userId, waitTime, retryInterval);
pushResponse = push.run();
if (pushResponse.contains(InweboConstants.PUSHRESPONSE)) {
if (log.isDebugEnabled()) {
log.info("Authentication successful");
}
context.setSubject(
AuthenticatedUser.createLocalAuthenticatedUserFromSubjectIdentifier(userId));
} else {
throw new AuthenticationFailedException("Authentication failed");
}
pushResponse = null;
userId = null;
} else {
throw new AuthenticationFailedException("Required parameters are empty");
}
}
@Override
protected void initiateAuthenticationRequest(
HttpServletRequest request, HttpServletResponse response, AuthenticationContext context)
throws AuthenticationFailedException {
try {
Map<String, String> authenticatorProperties = context.getAuthenticatorProperties();
if (authenticatorProperties != null) {
String clientId = authenticatorProperties.get(OIDCAuthenticatorConstants.CLIENT_ID);
String authorizationEP = getAuthorizationServerEndpoint(authenticatorProperties);
if (authorizationEP == null) {
authorizationEP =
authenticatorProperties.get(OIDCAuthenticatorConstants.OAUTH2_AUTHZ_URL);
}
String callbackurl = getCallbackUrl(authenticatorProperties);
if (StringUtils.isBlank(callbackurl)) {
callbackurl = IdentityUtil.getServerURL(FrameworkConstants.COMMONAUTH, true, true);
}
String state = context.getContextIdentifier() + "," + OIDCAuthenticatorConstants.LOGIN_TYPE;
state = getState(state, authenticatorProperties);
OAuthClientRequest authzRequest;
String queryString = getQueryString(authenticatorProperties);
Map<String, String> paramValueMap = new HashMap<>();
if (StringUtils.isNotBlank(queryString)) {
String[] params = queryString.split("&");
if (params != null && params.length > 0) {
for (String param : params) {
String[] intParam = param.split("=");
paramValueMap.put(intParam[0], intParam[1]);
}
context.setProperty("oidc:param.map", paramValueMap);
}
}
String scope = paramValueMap.get("scope");
if (scope == null) {
scope = OIDCAuthenticatorConstants.OAUTH_OIDC_SCOPE;
}
scope = getScope(scope, authenticatorProperties);
if (queryString != null
&& queryString.toLowerCase().contains("scope=")
&& queryString.toLowerCase().contains("redirect_uri=")) {
authzRequest =
OAuthClientRequest.authorizationLocation(authorizationEP)
.setClientId(clientId)
.setResponseType(OIDCAuthenticatorConstants.OAUTH2_GRANT_TYPE_CODE)
.setState(state)
.buildQueryMessage();
} else if (queryString != null && queryString.toLowerCase().contains("scope=")) {
authzRequest =
OAuthClientRequest.authorizationLocation(authorizationEP)
.setClientId(clientId)
.setRedirectURI(callbackurl)
.setResponseType(OIDCAuthenticatorConstants.OAUTH2_GRANT_TYPE_CODE)
.setState(state)
.buildQueryMessage();
} else if (queryString != null && queryString.toLowerCase().contains("redirect_uri=")) {
authzRequest =
OAuthClientRequest.authorizationLocation(authorizationEP)
.setClientId(clientId)
.setResponseType(OIDCAuthenticatorConstants.OAUTH2_GRANT_TYPE_CODE)
.setScope(OIDCAuthenticatorConstants.OAUTH_OIDC_SCOPE)
.setState(state)
.buildQueryMessage();
} else {
authzRequest =
OAuthClientRequest.authorizationLocation(authorizationEP)
.setClientId(clientId)
.setRedirectURI(callbackurl)
.setResponseType(OIDCAuthenticatorConstants.OAUTH2_GRANT_TYPE_CODE)
.setScope(scope)
.setState(state)
.buildQueryMessage();
}
String loginPage = authzRequest.getLocationUri();
String domain = request.getParameter("domain");
if (domain != null) {
loginPage = loginPage + "&fidp=" + domain;
}
if (queryString != null) {
if (!queryString.startsWith("&")) {
loginPage = loginPage + "&" + queryString;
} else {
loginPage = loginPage + queryString;
}
}
response.sendRedirect(loginPage);
} else {
if (log.isDebugEnabled()) {
log.debug("Error while retrieving properties. Authenticator Properties cannot be null");
}
throw new AuthenticationFailedException(
"Error while retrieving properties. Authenticator Properties cannot be null");
}
} catch (IOException e) {
log.error("Exception while sending to the login page", e);
throw new AuthenticationFailedException(e.getMessage(), e);
} catch (OAuthSystemException e) {
log.error("Exception while building authorization code request", e);
throw new AuthenticationFailedException(e.getMessage(), e);
}
return;
}
