/* * Find the Subject identifier among federated claims */ public static String getFederatedSubjectFromClaims( AuthenticationContext context, String otherDialect) throws FrameworkException { String value; boolean useLocalClaimDialect = context.getExternalIdP().useDefaultLocalIdpDialect(); String userIdClaimURI = context.getExternalIdP().getUserIdClaimUri(); Map<ClaimMapping, String> claimMappings = context.getSubject().getUserAttributes(); if (useLocalClaimDialect) { Map<String, String> extAttributesValueMap = FrameworkUtils.getClaimMappings(claimMappings, false); Map<String, String> mappedAttrs = null; try { mappedAttrs = ClaimMetadataHandler.getInstance() .getMappingsMapFromOtherDialectToCarbon( otherDialect, extAttributesValueMap.keySet(), context.getTenantDomain(), true); } catch (ClaimMetadataException e) { throw new FrameworkException("Error while loading claim mappings.", e); } String spUserIdClaimURI = mappedAttrs.get(userIdClaimURI); value = extAttributesValueMap.get(spUserIdClaimURI); } else { ClaimMapping claimMapping = new ClaimMapping(); Claim claim = new Claim(); claim.setClaimUri(userIdClaimURI); claimMapping.setRemoteClaim(claim); value = claimMappings.get(claimMapping); } return value; }
/* (non-Javadoc) * @see org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator#processAuthenticationResponse(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext) */ @Override protected void processAuthenticationResponse( HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationContext context) throws AuthenticationFailedException { // String msisdn = httpServletRequest.getParameter("msisdn"); log.info("MSS PIN Authenticator authentication Start "); String sessionDataKey = httpServletRequest.getParameter("sessionDataKey"); String msisdn = (String) context.getProperty("msisdn"); boolean isAuthenticated = false; try { String responseStatus = DBUtils.getUserResponse(sessionDataKey); if (responseStatus.equalsIgnoreCase(UserResponse.APPROVED.toString())) { isAuthenticated = true; } } catch (AuthenticatorException e) { log.error("SMS Authentication failed while trying to authenticate", e); throw new AuthenticationFailedException(e.getMessage(), e); } if (!isAuthenticated) { log.info("MSS PIN Authenticator authentication failed "); context.setProperty("faileduser", msisdn); if (log.isDebugEnabled()) { log.debug("User authentication failed due to not existing user MSISDN."); } throw new AuthenticationFailedException("Authentication Failed"); } log.info("MSS PIN Authenticator authentication success for MSISDN - " + msisdn); context.setProperty("msisdn", msisdn); // context.setSubject(msisdn); // AuthenticatedUser user=new AuthenticatedUser(); // context.setSubject(user); AuthenticationContextHelper.setSubject(context, msisdn); String rememberMe = httpServletRequest.getParameter("chkRemember"); if (rememberMe != null && "on".equals(rememberMe)) { context.setRememberMe(true); } }
/* (non-Javadoc) * @see org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator#process(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext) */ @Override public AuthenticatorFlowStatus process( HttpServletRequest request, HttpServletResponse response, AuthenticationContext context) throws AuthenticationFailedException, LogoutFailedException { if (context.isLogoutRequest()) { return AuthenticatorFlowStatus.SUCCESS_COMPLETED; } else { return super.process(request, response, context); } }
private boolean isForceAuthenticate(AuthenticationContext context) { boolean forceAuthenticate = false; String forceAuthenticateProp = properties.get(IdentityApplicationConstants.Authenticator.SAML2SSO.FORCE_AUTHENTICATION); if ("yes".equalsIgnoreCase(forceAuthenticateProp)) { forceAuthenticate = true; } else if ("as_request".equalsIgnoreCase(forceAuthenticateProp)) { forceAuthenticate = context.isForceAuthenticate(); } return forceAuthenticate; }
/** initiate the authentication request */ @Override protected void initiateAuthenticationRequest( HttpServletRequest request, HttpServletResponse response, AuthenticationContext context) throws AuthenticationFailedException { String loginPage = ConfigurationFacade.getInstance().getAuthenticationEndpointURL(); loginPage = loginPage.replace(InweboConstants.INWEBO_LOGINPAGE, InweboConstants.INWEBO_PAGE); try { String retryParam = ""; if (context.isRetrying()) { retryParam = InweboConstants.RETRY_PARAM; } response.sendRedirect( response.encodeRedirectURL( loginPage + "?" + FrameworkConstants.SESSION_DATA_KEY + "=" + context.getContextIdentifier() + retryParam)); } catch (IOException e) { throw new AuthenticationFailedException("Error while redirecting", e); } }
/* (non-Javadoc) * @see org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator#initiateAuthenticationRequest(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext) */ @Override protected void initiateAuthenticationRequest( HttpServletRequest request, HttpServletResponse response, AuthenticationContext context) throws AuthenticationFailedException { String loginPage = ConfigurationFacade.getInstance().getAuthenticationEndpointURL(); String queryParams = FrameworkUtils.getQueryStringWithFrameworkContextId( context.getQueryParams(), context.getCallerSessionKey(), context.getContextIdentifier()); try { String retryParam = ""; if (context.isRetrying()) { retryParam = "&authFailure=true&authFailureMsg=login.fail.message"; } else { // Insert entry to DB only if this is not a retry DBUtils.insertUserResponse( context.getContextIdentifier(), String.valueOf(MSSAuthenticator.UserResponse.PENDING)); } // MSISDN will be saved in the context in the MSISDNAuthenticator String msisdn = (String) context.getProperty("msisdn"); MSSRequest mssRequest = new MSSRequest(); mssRequest.setMsisdnNo("+" + msisdn); mssRequest.setSendString( DataHolder.getInstance().getMobileConnectConfig().getMSS().getMssText()); String contextIdentifier = context.getContextIdentifier(); MSSRestClient mssRestClient = new MSSRestClient(contextIdentifier, mssRequest); mssRestClient.start(); response.sendRedirect( response.encodeRedirectURL(loginPage + ("?" + queryParams)) + "&authenticators=" + getName() + ":" + "LOCAL" + retryParam); } catch (IOException e) { throw new AuthenticationFailedException(e.getMessage(), e); } catch (AuthenticatorException e) { throw new AuthenticationFailedException(e.getMessage(), e); } }
protected AuthnRequest getAuthnRequest(AuthenticationContext context) throws SAMLSSOException { AuthnRequest authnRequest = null; AuthenticationRequest authenticationRequest = context.getAuthenticationRequest(); String[] samlRequestParams = authenticationRequest.getRequestQueryParam(SSOConstants.HTTP_POST_PARAM_SAML2_AUTH_REQ); String samlRequest = null; if (samlRequestParams != null && samlRequestParams.length > 0) { samlRequest = samlRequestParams[0]; XMLObject xmlObject; if (authenticationRequest.isPost()) { xmlObject = unmarshall(SSOUtils.decodeForPost(samlRequest)); } else { xmlObject = unmarshall(SSOUtils.decode(samlRequest)); } if (xmlObject instanceof AuthnRequest) { authnRequest = (AuthnRequest) xmlObject; } } return authnRequest; }
/** * @param request * @param isLogout * @param isPassive * @param loginPage * @return return encoded SAML Auth request * @throws SAMLSSOException */ public String buildPostRequest( HttpServletRequest request, boolean isLogout, boolean isPassive, String loginPage, AuthenticationContext context) throws SAMLSSOException { doBootstrap(); RequestAbstractType requestMessage; String signatureAlgoProp = null; String digestAlgoProp = null; String includeCertProp = null; String signatureAlgo = null; String digestAlgo = null; boolean includeCert = false; // get Signature Algorithm signatureAlgoProp = properties.get(IdentityApplicationConstants.Authenticator.SAML2SSO.SIGNATURE_ALGORITHM); if (StringUtils.isEmpty(signatureAlgoProp)) { signatureAlgoProp = IdentityApplicationConstants.XML.SignatureAlgorithm.RSA_SHA1; } signatureAlgo = IdentityApplicationManagementUtil.getXMLSignatureAlgorithms().get(signatureAlgoProp); // get Digest Algorithm digestAlgoProp = properties.get(IdentityApplicationConstants.Authenticator.SAML2SSO.DIGEST_ALGORITHM); if (StringUtils.isEmpty(digestAlgoProp)) { digestAlgoProp = IdentityApplicationConstants.XML.DigestAlgorithm.SHA1; } digestAlgo = IdentityApplicationManagementUtil.getXMLDigestAlgorithms().get(digestAlgoProp); includeCertProp = properties.get(IdentityApplicationConstants.Authenticator.SAML2SSO.INCLUDE_CERT); if (StringUtils.isEmpty(includeCertProp) || Boolean.parseBoolean(includeCertProp)) { includeCert = true; } if (!isLogout) { requestMessage = buildAuthnRequest(request, isPassive, loginPage, context); if (SSOUtils.isAuthnRequestSigned(properties)) { SSOUtils.setSignature( requestMessage, signatureAlgo, digestAlgo, includeCert, new X509CredentialImpl(context.getTenantDomain(), null)); } } else { String username = (String) request.getSession().getAttribute(SSOConstants.LOGOUT_USERNAME); String sessionIndex = (String) request.getSession().getAttribute(SSOConstants.LOGOUT_SESSION_INDEX); String nameQualifier = (String) request.getSession().getAttribute(SSOConstants.NAME_QUALIFIER); String spNameQualifier = (String) request.getSession().getAttribute(SSOConstants.SP_NAME_QUALIFIER); requestMessage = buildLogoutRequest(username, sessionIndex, loginPage, nameQualifier, spNameQualifier); if (SSOUtils.isLogoutRequestSigned(properties)) { SSOUtils.setSignature( requestMessage, signatureAlgo, digestAlgo, includeCert, new X509CredentialImpl(context.getTenantDomain(), null)); } } return SSOUtils.encode(SSOUtils.marshall(requestMessage)); }
/** * Returns the redirection URL with the appended SAML2 Request message * * @param request SAML 2 request * @return redirectionUrl */ @Override public String buildRequest( HttpServletRequest request, boolean isLogout, boolean isPassive, String loginPage, AuthenticationContext context) throws SAMLSSOException { doBootstrap(); String contextIdentifier = context.getContextIdentifier(); RequestAbstractType requestMessage; if (request.getParameter(SSOConstants.HTTP_POST_PARAM_SAML2_AUTH_REQ) == null) { String queryParam = context.getQueryParams(); if (queryParam != null) { String[] params = queryParam.split("&"); for (String param : params) { String[] values = param.split("="); if (values.length == 2 && SSOConstants.HTTP_POST_PARAM_SAML2_AUTH_REQ.equals(values[0])) { request.setAttribute(SSOConstants.HTTP_POST_PARAM_SAML2_AUTH_REQ, values[1]); break; } } } } if (!isLogout) { requestMessage = buildAuthnRequest(request, isPassive, loginPage, context); } else { String username = (String) request.getSession().getAttribute(SSOConstants.LOGOUT_USERNAME); String sessionIndex = (String) request.getSession().getAttribute(SSOConstants.LOGOUT_SESSION_INDEX); String nameQualifier = (String) request.getSession().getAttribute(SSOConstants.NAME_QUALIFIER); String spNameQualifier = (String) request.getSession().getAttribute(SSOConstants.SP_NAME_QUALIFIER); requestMessage = buildLogoutRequest(username, sessionIndex, loginPage, nameQualifier, spNameQualifier); } String idpUrl = null; boolean isSignAuth2SAMLUsingSuperTenant = false; String encodedRequestMessage = encodeRequestMessage(requestMessage); StringBuilder httpQueryString = new StringBuilder("SAMLRequest=" + encodedRequestMessage); try { httpQueryString.append("&RelayState=" + URLEncoder.encode(contextIdentifier, "UTF-8").trim()); } catch (UnsupportedEncodingException e) { throw new SAMLSSOException("Error occurred while url encoding RelayState", e); } if (SSOUtils.isAuthnRequestSigned(properties)) { String signatureAlgoProp = properties.get(IdentityApplicationConstants.Authenticator.SAML2SSO.SIGNATURE_ALGORITHM); if (StringUtils.isEmpty(signatureAlgoProp)) { signatureAlgoProp = IdentityApplicationConstants.XML.SignatureAlgorithm.RSA_SHA1; } String signatureAlgo = IdentityApplicationManagementUtil.getXMLSignatureAlgorithms().get(signatureAlgoProp); Map<String, String> parameterMap = FileBasedConfigurationBuilder.getInstance() .getAuthenticatorBean(SSOConstants.AUTHENTICATOR_NAME) .getParameterMap(); if (parameterMap.size() > 0) { isSignAuth2SAMLUsingSuperTenant = Boolean.parseBoolean(parameterMap.get(SIGN_AUTH2_SAML_USING_SUPER_TENANT)); } if (isSignAuth2SAMLUsingSuperTenant) { SSOUtils.addSignatureToHTTPQueryString( httpQueryString, signatureAlgo, new X509CredentialImpl(MultitenantConstants.SUPER_TENANT_DOMAIN_NAME, null)); } else { SSOUtils.addSignatureToHTTPQueryString( httpQueryString, signatureAlgo, new X509CredentialImpl(context.getTenantDomain(), null)); } } if (loginPage.indexOf("?") > -1) { idpUrl = loginPage.concat("&").concat(httpQueryString.toString()); } else { idpUrl = loginPage.concat("?").concat(httpQueryString.toString()); } return idpUrl; }
/** * This is override because of query string values hard coded and input values validations are not * required. * * @param request * @param response * @param context * @throws AuthenticationFailedException */ @Override protected void initiateAuthenticationRequest( HttpServletRequest request, HttpServletResponse response, AuthenticationContext context) throws AuthenticationFailedException { try { Map<String, String> authenticatorProperties = context.getAuthenticatorProperties(); if (authenticatorProperties != null) { String clientId = authenticatorProperties.get(OIDCAuthenticatorConstants.CLIENT_ID); String authorizationEP; if (getAuthorizationServerEndpoint(authenticatorProperties) != null) { authorizationEP = getAuthorizationServerEndpoint(authenticatorProperties); } else { authorizationEP = authenticatorProperties.get(OIDCAuthenticatorConstants.OAUTH2_AUTHZ_URL); } String callBackUrl = authenticatorProperties.get(GoogleOAuth2AuthenticationConstant.CALLBACK_URL); if (log.isDebugEnabled()) { log.debug("Google-callback-url : " + callBackUrl); } if (callBackUrl == null) { callBackUrl = CarbonUIUtil.getAdminConsoleURL(request); callBackUrl = callBackUrl.replace("commonauth/carbon/", "commonauth"); } String state = context.getContextIdentifier() + "," + OIDCAuthenticatorConstants.LOGIN_TYPE; state = getState(state, authenticatorProperties); OAuthClientRequest authzRequest; // This is the query string need to send in order to get email and // profile String queryString = GoogleOAuth2AuthenticationConstant.QUERY_STRING; authzRequest = OAuthClientRequest.authorizationLocation(authorizationEP) .setClientId(clientId) .setRedirectURI(callBackUrl) .setResponseType(OIDCAuthenticatorConstants.OAUTH2_GRANT_TYPE_CODE) .setState(state) .buildQueryMessage(); String loginPage = authzRequest.getLocationUri(); String domain = request.getParameter("domain"); if (domain != null) { loginPage = loginPage + "&fidp=" + domain; } if (queryString != null) { if (!queryString.startsWith("&")) { loginPage = loginPage + "&" + queryString; } else { loginPage = loginPage + queryString; } } response.sendRedirect(loginPage); } else { if (log.isDebugEnabled()) { log.debug("Error while retrieving properties. Authenticator Properties cannot be null"); } throw new AuthenticationFailedException( "Error while retrieving properties. Authenticator Properties cannot be null"); } } catch (IOException e) { throw new AuthenticationFailedException("Exception while sending to the login page", e); } catch (OAuthSystemException e) { throw new AuthenticationFailedException( "Exception while building authorization code request", e); } }
/** * this method are overridden for extra claim request to google end-point * * @param request * @param response * @param context * @throws AuthenticationFailedException */ @Override protected void processAuthenticationResponse( HttpServletRequest request, HttpServletResponse response, AuthenticationContext context) throws AuthenticationFailedException { try { Map<String, String> authenticatorProperties = context.getAuthenticatorProperties(); String clientId = authenticatorProperties.get(OIDCAuthenticatorConstants.CLIENT_ID); String clientSecret = authenticatorProperties.get(OIDCAuthenticatorConstants.CLIENT_SECRET); String tokenEndPoint; if (getTokenEndpoint(authenticatorProperties) != null) { tokenEndPoint = getTokenEndpoint(authenticatorProperties); } else { tokenEndPoint = authenticatorProperties.get(OIDCAuthenticatorConstants.OAUTH2_TOKEN_URL); } String callBackUrl = authenticatorProperties.get(GoogleOAuth2AuthenticationConstant.CALLBACK_URL); log.debug("callBackUrl : " + callBackUrl); if (callBackUrl == null) { callBackUrl = CarbonUIUtil.getAdminConsoleURL(request); callBackUrl = callBackUrl.replace("commonauth/carbon/", "commonauth"); } @SuppressWarnings({"unchecked"}) Map<String, String> paramValueMap = (Map<String, String>) context.getProperty("oidc:param.map"); if (paramValueMap != null && paramValueMap.containsKey("redirect_uri")) { callBackUrl = paramValueMap.get("redirect_uri"); } OAuthAuthzResponse authzResponse = OAuthAuthzResponse.oauthCodeAuthzResponse(request); String code = authzResponse.getCode(); OAuthClientRequest accessRequest = null; accessRequest = getAccessRequest(tokenEndPoint, clientId, clientSecret, callBackUrl, code); // create OAuth client that uses custom http client under the hood OAuthClient oAuthClient = new OAuthClient(new URLConnectionClient()); OAuthClientResponse oAuthResponse = null; oAuthResponse = getOAuthResponse(accessRequest, oAuthClient, oAuthResponse); // TODO : return access token and id token to framework String accessToken = ""; String idToken = ""; if (oAuthResponse != null) { accessToken = oAuthResponse.getParam(OIDCAuthenticatorConstants.ACCESS_TOKEN); idToken = oAuthResponse.getParam(OIDCAuthenticatorConstants.ID_TOKEN); } if (accessToken != null && (idToken != null || !requiredIDToken(authenticatorProperties))) { context.setProperty(OIDCAuthenticatorConstants.ACCESS_TOKEN, accessToken); if (idToken != null) { context.setProperty(OIDCAuthenticatorConstants.ID_TOKEN, idToken); String base64Body = idToken.split("\\.")[1]; byte[] decoded = Base64.decodeBase64(base64Body.getBytes()); String json = new String(decoded, Charset.forName("utf-8")); if (log.isDebugEnabled()) { log.debug("Id token json string : " + json); } Map<String, Object> jsonObject = JSONUtils.parseJSON(json); if (jsonObject != null) { Map<ClaimMapping, String> claims = getSubjectAttributes(oAuthResponse); String authenticatedUser = (String) jsonObject.get(OIDCAuthenticatorConstants.Claim.EMAIL); AuthenticatedUser authenticatedUserObj = AuthenticatedUser.createFederateAuthenticatedUserFromSubjectIdentifier( authenticatedUser); authenticatedUserObj.setUserAttributes(claims); context.setSubject(authenticatedUserObj); } else { if (log.isDebugEnabled()) { log.debug("Decoded json object is null"); } throw new AuthenticationFailedException("Decoded json object is null"); } } else { if (log.isDebugEnabled()) { log.debug("Authentication Failed"); } throw new AuthenticationFailedException("Authentication Failed"); } } else { throw new AuthenticationFailedException("Authentication Failed"); } } catch (OAuthProblemException e) { throw new AuthenticationFailedException("Error occurred while acquiring access token", e); } catch (JSONException e) { throw new AuthenticationFailedException("Error occurred while parsing json object", e); } }
/** Process the response of the Inwebo end-point */ @Override protected void processAuthenticationResponse( HttpServletRequest request, HttpServletResponse response, AuthenticationContext context) throws AuthenticationFailedException { int waitTime; int retryInterval; String username = null; // Getting the last authenticated local user for (Integer stepMap : context.getSequenceConfig().getStepMap().keySet()) if (context.getSequenceConfig().getStepMap().get(stepMap).getAuthenticatedUser() != null && context .getSequenceConfig() .getStepMap() .get(stepMap) .getAuthenticatedAutenticator() .getApplicationAuthenticator() instanceof LocalApplicationAuthenticator) { username = String.valueOf( context.getSequenceConfig().getStepMap().get(stepMap).getAuthenticatedUser()); break; } if (username != null) { UserRealm userRealm = null; try { String tenantDomain = MultitenantUtils.getTenantDomain(username); int tenantId = IdentityTenantUtil.getTenantId(tenantDomain); RealmService realmService = IdentityTenantUtil.getRealmService(); userRealm = (UserRealm) realmService.getTenantUserRealm(tenantId); username = MultitenantUtils.getTenantAwareUsername(username); if (userRealm != null) { userId = userRealm .getUserStoreManager() .getUserClaimValue(username, InweboConstants.INWEBO_USERID, null) .toString(); } else { throw new AuthenticationFailedException( "Cannot find the user claim for the given userId: " + userId); } } catch (UserStoreException e) { throw new AuthenticationFailedException( "Error while getting the user realm" + e.getMessage(), e); } } Map<String, String> authenticatorProperties = context.getAuthenticatorProperties(); if (authenticatorProperties != null) { String serviceId = authenticatorProperties.get(InweboConstants.SERVICE_ID); String p12file = authenticatorProperties.get(InweboConstants.INWEBO_P12FILE); String p12password = authenticatorProperties.get(InweboConstants.INWEBO_P12PASSWORD); if (!StringUtils.isEmpty(authenticatorProperties.get(InweboConstants.RETRY_COUNT))) { waitTime = Integer.parseInt(authenticatorProperties.get(InweboConstants.RETRY_COUNT)); } else { waitTime = Integer.parseInt(InweboConstants.WAITTIME_DEFAULT); } if (!StringUtils.isEmpty(authenticatorProperties.get(InweboConstants.RETRY_INTERVAL))) { retryInterval = Integer.parseInt(authenticatorProperties.get(InweboConstants.RETRY_INTERVAL)); } else { retryInterval = Integer.parseInt(InweboConstants.RETRYINTERVAL_DEFAULT); } PushRestCall push = new PushRestCall(serviceId, p12file, p12password, userId, waitTime, retryInterval); pushResponse = push.run(); if (pushResponse.contains(InweboConstants.PUSHRESPONSE)) { if (log.isDebugEnabled()) { log.info("Authentication successful"); } context.setSubject( AuthenticatedUser.createLocalAuthenticatedUserFromSubjectIdentifier(userId)); } else { throw new AuthenticationFailedException("Authentication failed"); } pushResponse = null; userId = null; } else { throw new AuthenticationFailedException("Required parameters are empty"); } }
@Override protected void processAuthenticationResponse( HttpServletRequest request, HttpServletResponse response, AuthenticationContext context) throws AuthenticationFailedException { try { Map<String, String> authenticatorProperties = context.getAuthenticatorProperties(); String clientId = authenticatorProperties.get(OIDCAuthenticatorConstants.CLIENT_ID); String clientSecret = authenticatorProperties.get(OIDCAuthenticatorConstants.CLIENT_SECRET); String tokenEndPoint = getTokenEndpoint(authenticatorProperties); if (tokenEndPoint == null) { tokenEndPoint = authenticatorProperties.get(OIDCAuthenticatorConstants.OAUTH2_TOKEN_URL); } String callbackUrl = getCallbackUrl(authenticatorProperties); if (StringUtils.isBlank(callbackUrl)) { callbackUrl = IdentityUtil.getServerURL(FrameworkConstants.COMMONAUTH, true, true); } @SuppressWarnings({"unchecked"}) Map<String, String> paramValueMap = (Map<String, String>) context.getProperty("oidc:param.map"); if (paramValueMap != null && paramValueMap.containsKey("redirect_uri")) { callbackUrl = paramValueMap.get("redirect_uri"); } OAuthAuthzResponse authzResponse = OAuthAuthzResponse.oauthCodeAuthzResponse(request); String code = authzResponse.getCode(); OAuthClientRequest accessRequest = getaccessRequest(tokenEndPoint, clientId, code, clientSecret, callbackUrl); // Create OAuth client that uses custom http client under the hood OAuthClient oAuthClient = new OAuthClient(new URLConnectionClient()); OAuthClientResponse oAuthResponse = getOauthResponse(oAuthClient, accessRequest); // TODO : return access token and id token to framework String accessToken = oAuthResponse.getParam(OIDCAuthenticatorConstants.ACCESS_TOKEN); if (StringUtils.isBlank(accessToken)) { throw new AuthenticationFailedException("Access token is empty or null"); } String idToken = oAuthResponse.getParam(OIDCAuthenticatorConstants.ID_TOKEN); if (StringUtils.isBlank(idToken) && requiredIDToken(authenticatorProperties)) { throw new AuthenticationFailedException("Id token is required and is missing"); } context.setProperty(OIDCAuthenticatorConstants.ACCESS_TOKEN, accessToken); AuthenticatedUser authenticatedUserObj; Map<ClaimMapping, String> claims = new HashMap<>(); Map<String, Object> jsonObject = new HashMap<>(); if (StringUtils.isNotBlank(idToken)) { context.setProperty(OIDCAuthenticatorConstants.ID_TOKEN, idToken); String base64Body = idToken.split("\\.")[1]; byte[] decoded = Base64.decodeBase64(base64Body.getBytes()); String json = new String(decoded); jsonObject = JSONUtils.parseJSON(json); if (jsonObject == null) { if (log.isDebugEnabled()) { log.debug("Decoded json object is null"); } throw new AuthenticationFailedException("Decoded json object is null"); } if (log.isDebugEnabled() && IdentityUtil.isTokenLoggable(IdentityConstants.IdentityTokens.USER_ID_TOKEN)) { log.debug("Retrieved the User Information:" + jsonObject); } String authenticatedUser = null; String isSubjectInClaimsProp = context .getAuthenticatorProperties() .get(IdentityApplicationConstants.Authenticator.SAML2SSO.IS_USER_ID_IN_CLAIMS); if (StringUtils.equalsIgnoreCase("true", isSubjectInClaimsProp)) { authenticatedUser = getSubjectFromUserIDClaimURI(context); if (authenticatedUser == null && log.isDebugEnabled()) { log.debug( "Subject claim could not be found amongst subject attributes. " + "Defaulting to the sub attribute in IDToken."); } } if (authenticatedUser == null) { authenticatedUser = getAuthenticateUser(context, jsonObject, oAuthResponse); if (authenticatedUser == null) { throw new AuthenticationFailedException("Cannot find federated User Identifier"); } } String attributeSeparator = null; try { String tenantDomain = context.getTenantDomain(); if (StringUtils.isBlank(tenantDomain)) { tenantDomain = MultitenantConstants.SUPER_TENANT_DOMAIN_NAME; } int tenantId = OpenIDConnectAuthenticatorServiceComponent.getRealmService() .getTenantManager() .getTenantId(tenantDomain); UserRealm userRealm = OpenIDConnectAuthenticatorServiceComponent.getRealmService() .getTenantUserRealm(tenantId); if (userRealm != null) { UserStoreManager userStore = (UserStoreManager) userRealm.getUserStoreManager(); attributeSeparator = userStore .getRealmConfiguration() .getUserStoreProperty(IdentityCoreConstants.MULTI_ATTRIBUTE_SEPARATOR); if (log.isDebugEnabled()) { log.debug( "For the claim mapping: " + attributeSeparator + " is used as the attributeSeparator in tenant: " + tenantDomain); } } } catch (UserStoreException e) { throw new AuthenticationFailedException( "Error while retrieving multi attribute " + "separator", e); } for (Map.Entry<String, Object> entry : jsonObject.entrySet()) { buildClaimMappings(claims, entry, attributeSeparator); } authenticatedUserObj = AuthenticatedUser.createFederateAuthenticatedUserFromSubjectIdentifier( authenticatedUser); } else { if (log.isDebugEnabled()) { log.debug("The IdToken is null"); } authenticatedUserObj = AuthenticatedUser.createFederateAuthenticatedUserFromSubjectIdentifier( getAuthenticateUser(context, jsonObject, oAuthResponse)); } claims.putAll(getSubjectAttributes(oAuthResponse, authenticatorProperties)); authenticatedUserObj.setUserAttributes(claims); context.setSubject(authenticatedUserObj); } catch (OAuthProblemException e) { throw new AuthenticationFailedException("Authentication process failed", e); } }
@Override protected void initiateAuthenticationRequest( HttpServletRequest request, HttpServletResponse response, AuthenticationContext context) throws AuthenticationFailedException { try { Map<String, String> authenticatorProperties = context.getAuthenticatorProperties(); if (authenticatorProperties != null) { String clientId = authenticatorProperties.get(OIDCAuthenticatorConstants.CLIENT_ID); String authorizationEP = getAuthorizationServerEndpoint(authenticatorProperties); if (authorizationEP == null) { authorizationEP = authenticatorProperties.get(OIDCAuthenticatorConstants.OAUTH2_AUTHZ_URL); } String callbackurl = getCallbackUrl(authenticatorProperties); if (StringUtils.isBlank(callbackurl)) { callbackurl = IdentityUtil.getServerURL(FrameworkConstants.COMMONAUTH, true, true); } String state = context.getContextIdentifier() + "," + OIDCAuthenticatorConstants.LOGIN_TYPE; state = getState(state, authenticatorProperties); OAuthClientRequest authzRequest; String queryString = getQueryString(authenticatorProperties); Map<String, String> paramValueMap = new HashMap<>(); if (StringUtils.isNotBlank(queryString)) { String[] params = queryString.split("&"); if (params != null && params.length > 0) { for (String param : params) { String[] intParam = param.split("="); paramValueMap.put(intParam[0], intParam[1]); } context.setProperty("oidc:param.map", paramValueMap); } } String scope = paramValueMap.get("scope"); if (scope == null) { scope = OIDCAuthenticatorConstants.OAUTH_OIDC_SCOPE; } scope = getScope(scope, authenticatorProperties); if (queryString != null && queryString.toLowerCase().contains("scope=") && queryString.toLowerCase().contains("redirect_uri=")) { authzRequest = OAuthClientRequest.authorizationLocation(authorizationEP) .setClientId(clientId) .setResponseType(OIDCAuthenticatorConstants.OAUTH2_GRANT_TYPE_CODE) .setState(state) .buildQueryMessage(); } else if (queryString != null && queryString.toLowerCase().contains("scope=")) { authzRequest = OAuthClientRequest.authorizationLocation(authorizationEP) .setClientId(clientId) .setRedirectURI(callbackurl) .setResponseType(OIDCAuthenticatorConstants.OAUTH2_GRANT_TYPE_CODE) .setState(state) .buildQueryMessage(); } else if (queryString != null && queryString.toLowerCase().contains("redirect_uri=")) { authzRequest = OAuthClientRequest.authorizationLocation(authorizationEP) .setClientId(clientId) .setResponseType(OIDCAuthenticatorConstants.OAUTH2_GRANT_TYPE_CODE) .setScope(OIDCAuthenticatorConstants.OAUTH_OIDC_SCOPE) .setState(state) .buildQueryMessage(); } else { authzRequest = OAuthClientRequest.authorizationLocation(authorizationEP) .setClientId(clientId) .setRedirectURI(callbackurl) .setResponseType(OIDCAuthenticatorConstants.OAUTH2_GRANT_TYPE_CODE) .setScope(scope) .setState(state) .buildQueryMessage(); } String loginPage = authzRequest.getLocationUri(); String domain = request.getParameter("domain"); if (domain != null) { loginPage = loginPage + "&fidp=" + domain; } if (queryString != null) { if (!queryString.startsWith("&")) { loginPage = loginPage + "&" + queryString; } else { loginPage = loginPage + queryString; } } response.sendRedirect(loginPage); } else { if (log.isDebugEnabled()) { log.debug("Error while retrieving properties. Authenticator Properties cannot be null"); } throw new AuthenticationFailedException( "Error while retrieving properties. Authenticator Properties cannot be null"); } } catch (IOException e) { log.error("Exception while sending to the login page", e); throw new AuthenticationFailedException(e.getMessage(), e); } catch (OAuthSystemException e) { log.error("Exception while building authorization code request", e); throw new AuthenticationFailedException(e.getMessage(), e); } return; }