예제 #1
0
  /**
   * Issue access token in exchange to an Authorization Grant.
   *
   * @param tokenReqDTO <Code>OAuth2AccessTokenReqDTO</Code> representing the Access Token request
   * @return <Code>OAuth2AccessTokenRespDTO</Code> representing the Access Token response
   */
  public OAuth2AccessTokenRespDTO issueAccessToken(OAuth2AccessTokenReqDTO tokenReqDTO) {

    if (log.isDebugEnabled()) {
      log.debug(
          "Access Token request received for Client ID "
              + tokenReqDTO.getClientId()
              + ", User ID "
              + tokenReqDTO.getResourceOwnerUsername()
              + ", Scope : "
              + Arrays.toString(tokenReqDTO.getScope())
              + " and Grant Type : "
              + tokenReqDTO.getGrantType());
    }

    try {
      AccessTokenIssuer tokenIssuer = AccessTokenIssuer.getInstance();
      return tokenIssuer.issue(tokenReqDTO);
    } catch (InvalidOAuthClientException e) {
      if (log.isDebugEnabled()) {
        log.debug(
            "Error occurred while issuing access token for Client ID : "
                + tokenReqDTO.getClientId()
                + ", User ID: "
                + tokenReqDTO.getResourceOwnerUsername()
                + ", Scope : "
                + Arrays.toString(tokenReqDTO.getScope())
                + " and Grant Type : "
                + tokenReqDTO.getGrantType(),
            e);
      }
      OAuth2AccessTokenRespDTO tokenRespDTO = new OAuth2AccessTokenRespDTO();
      tokenRespDTO.setError(true);
      tokenRespDTO.setErrorCode(OAuth2ErrorCodes.INVALID_CLIENT);
      tokenRespDTO.setErrorMsg("Invalid Client");
      return tokenRespDTO;
    } catch (Exception e) { // in case of an error, consider it as a system error
      log.error(
          "Error occurred while issuing the access token for Client ID : "
              + tokenReqDTO.getClientId()
              + ", User ID "
              + tokenReqDTO.getResourceOwnerUsername()
              + ", Scope : "
              + Arrays.toString(tokenReqDTO.getScope())
              + " and Grant Type : "
              + tokenReqDTO.getGrantType(),
          e);
      OAuth2AccessTokenRespDTO tokenRespDTO = new OAuth2AccessTokenRespDTO();
      tokenRespDTO.setError(true);
      if (e.getCause().getCause() instanceof SQLIntegrityConstraintViolationException) {
        tokenRespDTO.setErrorCode("sql_error");
      } else {
        tokenRespDTO.setErrorCode(OAuth2ErrorCodes.SERVER_ERROR);
      }
      tokenRespDTO.setErrorMsg("Server Error");
      return tokenRespDTO;
    }
  }
 private void setResponseHeaders(
     OAuthTokenReqMessageContext tokReqMsgCtx, OAuth2AccessTokenRespDTO tokenRespDTO) {
   if (tokReqMsgCtx.getProperty("RESPONSE_HEADERS") != null) {
     tokenRespDTO.setResponseHeaders(
         (ResponseHeader[]) tokReqMsgCtx.getProperty("RESPONSE_HEADERS"));
   }
 }
  private void addUserAttributesToCache(
      OAuth2AccessTokenReqDTO tokenReqDTO, OAuth2AccessTokenRespDTO tokenRespDTO) {
    AuthorizationGrantCacheKey oldCacheKey =
        new AuthorizationGrantCacheKey(tokenReqDTO.getAuthorizationCode());
    // checking getUserAttributesId vale of cacheKey before retrieve entry from cache as it causes
    // to NPE
    if (oldCacheKey.getUserAttributesId() != null) {
      AuthorizationGrantCacheEntry authorizationGrantCacheEntry =
          AuthorizationGrantCache.getInstance().getValueFromCacheByCode(oldCacheKey);
      AuthorizationGrantCacheKey newCacheKey =
          new AuthorizationGrantCacheKey(tokenRespDTO.getAccessToken());

      if (AuthorizationGrantCache.getInstance().getValueFromCacheByToken(newCacheKey) == null) {
        if (log.isDebugEnabled()) {
          log.debug(
              "No AuthorizationGrantCache entry found for the access token:"
                  + newCacheKey.getUserAttributesId()
                  + ", hence adding to cache");
        }
        AuthorizationGrantCache.getInstance()
            .addToCacheByToken(newCacheKey, authorizationGrantCacheEntry);
        AuthorizationGrantCache.getInstance().clearCacheEntryByCode(oldCacheKey);
      } else {
        // if the user attributes are already saved for access token, no need to add again.
      }
    }
  }
 private OAuth2AccessTokenRespDTO handleError(
     String errorCode, String errorMsg, OAuth2AccessTokenReqDTO tokenReqDTO) {
   if (log.isDebugEnabled()) {
     log.debug(
         "OAuth-Error-Code="
             + errorCode
             + " client-id="
             + tokenReqDTO.getClientId()
             + " grant-type="
             + tokenReqDTO.getGrantType()
             + " scope="
             + OAuth2Util.buildScopeString(tokenReqDTO.getScope()));
   }
   OAuth2AccessTokenRespDTO tokenRespDTO;
   tokenRespDTO = new OAuth2AccessTokenRespDTO();
   tokenRespDTO.setError(true);
   tokenRespDTO.setErrorCode(errorCode);
   tokenRespDTO.setErrorMsg(errorMsg);
   return tokenRespDTO;
 }
  @POST
  @Path("/")
  @Consumes("application/x-www-form-urlencoded")
  @Produces("application/json")
  public Response issueAccessToken(
      @Context HttpServletRequest request, MultivaluedMap<String, String> paramMap)
      throws OAuthSystemException {

    try {
      PrivilegedCarbonContext.startTenantFlow();
      PrivilegedCarbonContext carbonContext = PrivilegedCarbonContext.getThreadLocalCarbonContext();
      carbonContext.setTenantId(MultitenantConstants.SUPER_TENANT_ID);
      carbonContext.setTenantDomain(MultitenantConstants.SUPER_TENANT_DOMAIN_NAME);

      HttpServletRequestWrapper httpRequest = new OAuthRequestWrapper(request, paramMap);

      if (log.isDebugEnabled()) {
        logAccessTokenRequest(httpRequest);
      }

      // extract the basic auth credentials if present in the request and use for
      // authentication.
      if (request.getHeader(OAuthConstants.HTTP_REQ_HEADER_AUTHZ) != null) {

        try {
          String[] clientCredentials =
              EndpointUtil.extractCredentialsFromAuthzHeader(
                  request.getHeader(OAuthConstants.HTTP_REQ_HEADER_AUTHZ));

          // The client MUST NOT use more than one authentication method in each request
          if (paramMap.containsKey(OAuth.OAUTH_CLIENT_ID)
              && paramMap.containsKey(OAuth.OAUTH_CLIENT_SECRET)) {
            return handleBasicAuthFailure();
          }

          // If a client sends an invalid base64 encoded clientid:clientsecret value, it results in
          // this
          // array to only contain 1 element. This happens on specific errors though.
          if (clientCredentials.length != 2) {
            return handleBasicAuthFailure();
          }

          // add the credentials available in Authorization header to the parameter map
          paramMap.add(OAuth.OAUTH_CLIENT_ID, clientCredentials[0]);
          paramMap.add(OAuth.OAUTH_CLIENT_SECRET, clientCredentials[1]);

        } catch (OAuthClientException e) {
          // malformed credential string is considered as an auth failure.
          log.error("Error while extracting credentials from authorization header", e);
          return handleBasicAuthFailure();
        }
      }

      try {
        CarbonOAuthTokenRequest oauthRequest = new CarbonOAuthTokenRequest(httpRequest);
        // exchange the access token for the authorization grant.
        OAuth2AccessTokenRespDTO oauth2AccessTokenResp = getAccessToken(oauthRequest);
        // if there BE has returned an error
        if (oauth2AccessTokenResp.getErrorMsg() != null) {
          // if there is an auth failure, HTTP 401 Status Code should be sent back to the client.
          if (OAuth2ErrorCodes.INVALID_CLIENT.equals(oauth2AccessTokenResp.getErrorCode())) {
            return handleBasicAuthFailure();
          } else if ("sql_error".equals(oauth2AccessTokenResp.getErrorCode())) {
            return handleSQLError();
          } else if (OAuth2ErrorCodes.SERVER_ERROR.equals(oauth2AccessTokenResp.getErrorCode())) {
            return handleServerError();
          } else {
            // Otherwise send back HTTP 400 Status Code
            OAuthResponse.OAuthErrorResponseBuilder oAuthErrorResponseBuilder =
                OAuthASResponse.errorResponse(HttpServletResponse.SC_BAD_REQUEST)
                    .setError(oauth2AccessTokenResp.getErrorCode())
                    .setErrorDescription(oauth2AccessTokenResp.getErrorMsg());
            OAuthResponse response = oAuthErrorResponseBuilder.buildJSONMessage();

            ResponseHeader[] headers = oauth2AccessTokenResp.getResponseHeaders();
            ResponseBuilder respBuilder = Response.status(response.getResponseStatus());

            if (headers != null && headers.length > 0) {
              for (int i = 0; i < headers.length; i++) {
                if (headers[i] != null) {
                  respBuilder.header(headers[i].getKey(), headers[i].getValue());
                }
              }
            }

            return respBuilder.entity(response.getBody()).build();
          }
        } else {
          OAuthTokenResponseBuilder oAuthRespBuilder =
              OAuthASResponse.tokenResponse(HttpServletResponse.SC_OK)
                  .setAccessToken(oauth2AccessTokenResp.getAccessToken())
                  .setRefreshToken(oauth2AccessTokenResp.getRefreshToken())
                  .setExpiresIn(Long.toString(oauth2AccessTokenResp.getExpiresIn()))
                  .setTokenType(BEARER);
          oAuthRespBuilder.setScope(oauth2AccessTokenResp.getAuthorizedScopes());

          // OpenID Connect ID token
          if (oauth2AccessTokenResp.getIDToken() != null) {
            oAuthRespBuilder.setParam(OAuthConstants.ID_TOKEN, oauth2AccessTokenResp.getIDToken());
          }
          OAuthResponse response = oAuthRespBuilder.buildJSONMessage();
          ResponseHeader[] headers = oauth2AccessTokenResp.getResponseHeaders();
          ResponseBuilder respBuilder =
              Response.status(response.getResponseStatus())
                  .header(
                      OAuthConstants.HTTP_RESP_HEADER_CACHE_CONTROL,
                      OAuthConstants.HTTP_RESP_HEADER_VAL_CACHE_CONTROL_NO_STORE)
                  .header(
                      OAuthConstants.HTTP_RESP_HEADER_PRAGMA,
                      OAuthConstants.HTTP_RESP_HEADER_VAL_PRAGMA_NO_CACHE);

          if (headers != null && headers.length > 0) {
            for (int i = 0; i < headers.length; i++) {
              if (headers[i] != null) {
                respBuilder.header(headers[i].getKey(), headers[i].getValue());
              }
            }
          }

          return respBuilder.entity(response.getBody()).build();
        }

      } catch (OAuthProblemException e) {
        log.error("Error while creating the Carbon OAuth token request", e);
        OAuthResponse res =
            OAuthASResponse.errorResponse(HttpServletResponse.SC_BAD_REQUEST)
                .error(e)
                .buildJSONMessage();
        return Response.status(res.getResponseStatus()).entity(res.getBody()).build();
      }

    } finally {
      PrivilegedCarbonContext.endTenantFlow();
    }
  }
  public OAuth2AccessTokenRespDTO issue(OAuth2AccessTokenReqDTO tokenReqDTO)
      throws IdentityException, InvalidOAuthClientException {

    String grantType = tokenReqDTO.getGrantType();
    OAuth2AccessTokenRespDTO tokenRespDTO;

    AuthorizationGrantHandler authzGrantHandler = authzGrantHandlers.get(grantType);

    OAuthTokenReqMessageContext tokReqMsgCtx = new OAuthTokenReqMessageContext(tokenReqDTO);

    // If multiple client authentication methods have been used the authorization server must reject
    // the request
    int authenticatorHandlerIndex = -1;
    for (int i = 0; i < clientAuthenticationHandlers.size(); i++) {
      if (clientAuthenticationHandlers.get(i).canAuthenticate(tokReqMsgCtx)) {
        if (authenticatorHandlerIndex > -1) {
          log.debug(
              "Multiple Client Authentication Methods used for client id : "
                  + tokenReqDTO.getClientId());
          tokenRespDTO =
              handleError(
                  OAuthConstants.OAuthError.TokenResponse.UNSUPPORTED_CLIENT_AUTHENTICATION_METHOD,
                  "Unsupported Client Authentication Method!",
                  tokenReqDTO);
          setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
          return tokenRespDTO;
        }
        authenticatorHandlerIndex = i;
      }
    }
    if (authenticatorHandlerIndex < 0 && authzGrantHandler.isConfidentialClient()) {
      log.debug(
          "Confidential client cannot be authenticated for client id : "
              + tokenReqDTO.getClientId());
      tokenRespDTO =
          handleError(
              OAuthConstants.OAuthError.TokenResponse.UNSUPPORTED_CLIENT_AUTHENTICATION_METHOD,
              "Unsupported Client Authentication Method!",
              tokenReqDTO);
      setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
      return tokenRespDTO;
    }

    ClientAuthenticationHandler clientAuthHandler = null;
    if (authenticatorHandlerIndex > -1) {
      clientAuthHandler = clientAuthenticationHandlers.get(authenticatorHandlerIndex);
    }
    boolean isAuthenticated;
    if (clientAuthHandler != null) {
      isAuthenticated = clientAuthHandler.authenticateClient(tokReqMsgCtx);
    } else {
      isAuthenticated = true;
    }
    if (!isAuthenticated) {
      if (log.isDebugEnabled()) {
        log.debug("Client Authentication failed for client Id: " + tokenReqDTO.getClientId());
      }
      tokenRespDTO =
          handleError(
              OAuthError.TokenResponse.INVALID_CLIENT,
              "Client credentials are invalid.",
              tokenReqDTO);
      setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
      return tokenRespDTO;
    }

    // loading the stored application data
    OAuthAppDO oAuthAppDO = getAppInformation(tokenReqDTO);
    if (!authzGrantHandler.isOfTypeApplicationUser()) {
      tokReqMsgCtx.setAuthorizedUser(OAuth2Util.getUserFromUserName(oAuthAppDO.getUserName()));
      tokReqMsgCtx
          .getAuthorizedUser()
          .setTenantDomain(IdentityTenantUtil.getTenantDomain(oAuthAppDO.getTenantId()));
    }

    boolean isValidGrant = false;
    String error = "Provided Authorization Grant is invalid";
    try {
      isValidGrant = authzGrantHandler.validateGrant(tokReqMsgCtx);
    } catch (IdentityOAuth2Exception e) {
      if (log.isDebugEnabled()) {
        log.debug("Error occurred while validating grant", e);
      }
      error = e.getMessage();
    }

    if (!isValidGrant) {
      if (log.isDebugEnabled()) {
        log.debug("Invalid Grant provided by the client Id: " + tokenReqDTO.getClientId());
      }
      tokenRespDTO = handleError(OAuthError.TokenResponse.INVALID_GRANT, error, tokenReqDTO);
      setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
      return tokenRespDTO;
    }

    boolean isAuthorized = authzGrantHandler.authorizeAccessDelegation(tokReqMsgCtx);
    if (!isAuthorized) {
      if (log.isDebugEnabled()) {
        log.debug("Invalid authorization for client Id = " + tokenReqDTO.getClientId());
      }
      tokenRespDTO =
          handleError(
              OAuthError.TokenResponse.UNAUTHORIZED_CLIENT, "Unauthorized Client!", tokenReqDTO);
      setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
      return tokenRespDTO;
    }

    boolean isValidScope = authzGrantHandler.validateScope(tokReqMsgCtx);
    if (!isValidScope) {
      if (log.isDebugEnabled()) {
        log.debug("Invalid scope provided by client Id: " + tokenReqDTO.getClientId());
      }
      tokenRespDTO =
          handleError(OAuthError.TokenResponse.INVALID_SCOPE, "Invalid Scope!", tokenReqDTO);
      setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
      return tokenRespDTO;
    }

    try {
      // set the token request context to be used by downstream handlers. This is introduced as a
      // fix for
      // IDENTITY-4111.
      OAuth2Util.setTokenRequestContext(tokReqMsgCtx);
      tokenRespDTO = authzGrantHandler.issue(tokReqMsgCtx);
    } finally {
      // clears the token request context.
      OAuth2Util.clearTokenRequestContext();
    }

    tokenRespDTO.setCallbackURI(oAuthAppDO.getCallbackUrl());

    String[] scopes = tokReqMsgCtx.getScope();
    if (scopes != null && scopes.length > 0) {
      StringBuilder scopeString = new StringBuilder("");
      for (String scope : scopes) {
        scopeString.append(scope);
        scopeString.append(" ");
      }
      tokenRespDTO.setAuthorizedScopes(scopeString.toString().trim());
    }

    setResponseHeaders(tokReqMsgCtx, tokenRespDTO);

    // Do not change this log format as these logs use by external applications
    if (log.isDebugEnabled()) {
      log.debug(
          "Access token issued to client Id: "
              + tokenReqDTO.getClientId()
              + " username: "******" and scopes: "
              + tokenRespDTO.getAuthorizedScopes());
    }

    if (tokReqMsgCtx.getScope() != null && OAuth2Util.isOIDCAuthzRequest(tokReqMsgCtx.getScope())) {
      IDTokenBuilder builder =
          OAuthServerConfiguration.getInstance().getOpenIDConnectIDTokenBuilder();
      tokenRespDTO.setIDToken(builder.buildIDToken(tokReqMsgCtx, tokenRespDTO));
    }

    if (tokenReqDTO.getGrantType().equals(GrantType.AUTHORIZATION_CODE.toString())) {
      addUserAttributesToCache(tokenReqDTO, tokenRespDTO);
    }

    return tokenRespDTO;
  }