Пример #1
0
  public void addOAuthApplication(OAuthAppDO consumerAppDO) throws IdentityOAuthAdminException {
    Connection connection = null;
    PreparedStatement prepStmt = null;

    if (!isDuplicateApplication(
        consumerAppDO.getUserName(), consumerAppDO.getTenantId(), consumerAppDO)) {
      try {
        connection = JDBCPersistenceManager.getInstance().getDBConnection();
        prepStmt = connection.prepareStatement(SQLQueries.OAuthAppDAOSQLQueries.ADD_OAUTH_APP);
        prepStmt.setString(
            1, tokenPersistenceProcessor.getProcessedToken(consumerAppDO.getOauthConsumerKey()));
        prepStmt.setString(
            2, tokenPersistenceProcessor.getProcessedToken(consumerAppDO.getOauthConsumerSecret()));
        prepStmt.setString(3, consumerAppDO.getUserName());
        prepStmt.setInt(4, consumerAppDO.getTenantId());
        prepStmt.setString(5, consumerAppDO.getApplicationName());
        prepStmt.setString(6, consumerAppDO.getOauthVersion());
        prepStmt.setString(7, consumerAppDO.getCallbackUrl());
        prepStmt.setString(8, consumerAppDO.getGrantTypes());
        prepStmt.execute();
        connection.commit();

      } catch (IdentityException e) {
        String errorMsg = "Error when getting an Identity Persistence Store instance.";
        log.error(errorMsg, e);
        throw new IdentityOAuthAdminException(errorMsg, e);
      } catch (SQLException e) {
        log.error(
            "Error when executing the SQL : " + SQLQueries.OAuthAppDAOSQLQueries.ADD_OAUTH_APP);
        log.error(e.getMessage(), e);
        throw new IdentityOAuthAdminException(
            "Error when adding a new OAuth consumer application.");
      } finally {
        IdentityDatabaseUtil.closeAllConnections(connection, null, prepStmt);
      }
    } else {
      throw new IdentityOAuthAdminException(
          "Error when adding the consumer application. "
              + "An application with the same name already exists.");
    }
  }
  public OAuth2AccessTokenRespDTO issue(OAuth2AccessTokenReqDTO tokenReqDTO)
      throws IdentityException, InvalidOAuthClientException {

    String grantType = tokenReqDTO.getGrantType();
    OAuth2AccessTokenRespDTO tokenRespDTO;

    AuthorizationGrantHandler authzGrantHandler = authzGrantHandlers.get(grantType);

    OAuthTokenReqMessageContext tokReqMsgCtx = new OAuthTokenReqMessageContext(tokenReqDTO);

    // If multiple client authentication methods have been used the authorization server must reject
    // the request
    int authenticatorHandlerIndex = -1;
    for (int i = 0; i < clientAuthenticationHandlers.size(); i++) {
      if (clientAuthenticationHandlers.get(i).canAuthenticate(tokReqMsgCtx)) {
        if (authenticatorHandlerIndex > -1) {
          log.debug(
              "Multiple Client Authentication Methods used for client id : "
                  + tokenReqDTO.getClientId());
          tokenRespDTO =
              handleError(
                  OAuthConstants.OAuthError.TokenResponse.UNSUPPORTED_CLIENT_AUTHENTICATION_METHOD,
                  "Unsupported Client Authentication Method!",
                  tokenReqDTO);
          setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
          return tokenRespDTO;
        }
        authenticatorHandlerIndex = i;
      }
    }
    if (authenticatorHandlerIndex < 0 && authzGrantHandler.isConfidentialClient()) {
      log.debug(
          "Confidential client cannot be authenticated for client id : "
              + tokenReqDTO.getClientId());
      tokenRespDTO =
          handleError(
              OAuthConstants.OAuthError.TokenResponse.UNSUPPORTED_CLIENT_AUTHENTICATION_METHOD,
              "Unsupported Client Authentication Method!",
              tokenReqDTO);
      setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
      return tokenRespDTO;
    }

    ClientAuthenticationHandler clientAuthHandler = null;
    if (authenticatorHandlerIndex > -1) {
      clientAuthHandler = clientAuthenticationHandlers.get(authenticatorHandlerIndex);
    }
    boolean isAuthenticated;
    if (clientAuthHandler != null) {
      isAuthenticated = clientAuthHandler.authenticateClient(tokReqMsgCtx);
    } else {
      isAuthenticated = true;
    }
    if (!isAuthenticated) {
      if (log.isDebugEnabled()) {
        log.debug("Client Authentication failed for client Id: " + tokenReqDTO.getClientId());
      }
      tokenRespDTO =
          handleError(
              OAuthError.TokenResponse.INVALID_CLIENT,
              "Client credentials are invalid.",
              tokenReqDTO);
      setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
      return tokenRespDTO;
    }

    // loading the stored application data
    OAuthAppDO oAuthAppDO = getAppInformation(tokenReqDTO);
    if (!authzGrantHandler.isOfTypeApplicationUser()) {
      tokReqMsgCtx.setAuthorizedUser(OAuth2Util.getUserFromUserName(oAuthAppDO.getUserName()));
      tokReqMsgCtx
          .getAuthorizedUser()
          .setTenantDomain(IdentityTenantUtil.getTenantDomain(oAuthAppDO.getTenantId()));
    }

    boolean isValidGrant = false;
    String error = "Provided Authorization Grant is invalid";
    try {
      isValidGrant = authzGrantHandler.validateGrant(tokReqMsgCtx);
    } catch (IdentityOAuth2Exception e) {
      if (log.isDebugEnabled()) {
        log.debug("Error occurred while validating grant", e);
      }
      error = e.getMessage();
    }

    if (!isValidGrant) {
      if (log.isDebugEnabled()) {
        log.debug("Invalid Grant provided by the client Id: " + tokenReqDTO.getClientId());
      }
      tokenRespDTO = handleError(OAuthError.TokenResponse.INVALID_GRANT, error, tokenReqDTO);
      setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
      return tokenRespDTO;
    }

    boolean isAuthorized = authzGrantHandler.authorizeAccessDelegation(tokReqMsgCtx);
    if (!isAuthorized) {
      if (log.isDebugEnabled()) {
        log.debug("Invalid authorization for client Id = " + tokenReqDTO.getClientId());
      }
      tokenRespDTO =
          handleError(
              OAuthError.TokenResponse.UNAUTHORIZED_CLIENT, "Unauthorized Client!", tokenReqDTO);
      setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
      return tokenRespDTO;
    }

    boolean isValidScope = authzGrantHandler.validateScope(tokReqMsgCtx);
    if (!isValidScope) {
      if (log.isDebugEnabled()) {
        log.debug("Invalid scope provided by client Id: " + tokenReqDTO.getClientId());
      }
      tokenRespDTO =
          handleError(OAuthError.TokenResponse.INVALID_SCOPE, "Invalid Scope!", tokenReqDTO);
      setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
      return tokenRespDTO;
    }

    try {
      // set the token request context to be used by downstream handlers. This is introduced as a
      // fix for
      // IDENTITY-4111.
      OAuth2Util.setTokenRequestContext(tokReqMsgCtx);
      tokenRespDTO = authzGrantHandler.issue(tokReqMsgCtx);
    } finally {
      // clears the token request context.
      OAuth2Util.clearTokenRequestContext();
    }

    tokenRespDTO.setCallbackURI(oAuthAppDO.getCallbackUrl());

    String[] scopes = tokReqMsgCtx.getScope();
    if (scopes != null && scopes.length > 0) {
      StringBuilder scopeString = new StringBuilder("");
      for (String scope : scopes) {
        scopeString.append(scope);
        scopeString.append(" ");
      }
      tokenRespDTO.setAuthorizedScopes(scopeString.toString().trim());
    }

    setResponseHeaders(tokReqMsgCtx, tokenRespDTO);

    // Do not change this log format as these logs use by external applications
    if (log.isDebugEnabled()) {
      log.debug(
          "Access token issued to client Id: "
              + tokenReqDTO.getClientId()
              + " username: "******" and scopes: "
              + tokenRespDTO.getAuthorizedScopes());
    }

    if (tokReqMsgCtx.getScope() != null && OAuth2Util.isOIDCAuthzRequest(tokReqMsgCtx.getScope())) {
      IDTokenBuilder builder =
          OAuthServerConfiguration.getInstance().getOpenIDConnectIDTokenBuilder();
      tokenRespDTO.setIDToken(builder.buildIDToken(tokReqMsgCtx, tokenRespDTO));
    }

    if (tokenReqDTO.getGrantType().equals(GrantType.AUTHORIZATION_CODE.toString())) {
      addUserAttributesToCache(tokenReqDTO, tokenRespDTO);
    }

    return tokenRespDTO;
  }