/**
 * Builds the service-layer token request from the incoming endpoint request and asks the OAuth2
 * service to issue a token for it.
 *
 * <p>The grant-specific credential (authorization code, resource-owner password, refresh token,
 * SAML assertion or Windows token) is copied according to {@code grant_type}; any other grant
 * type gets the raw request parameters so a custom grant handler can read them itself.
 *
 * @param oauthRequest the parsed token request
 * @return the response produced by the OAuth2 service for the converted request
 */
private OAuth2AccessTokenRespDTO getAccessToken(CarbonOAuthTokenRequest oauthRequest) {
    String grantType = oauthRequest.getGrantType();
    String[] requestedScopes = oauthRequest.getScopes().toArray(new String[0]);

    OAuth2AccessTokenReqDTO reqDto = new OAuth2AccessTokenReqDTO();
    reqDto.setGrantType(grantType);
    reqDto.setTenantDomain(oauthRequest.getTenantDomain());
    reqDto.setScope(requestedScopes);
    reqDto.setCallbackURI(oauthRequest.getRedirectURI());
    reqDto.setClientId(oauthRequest.getClientId());
    // Client credential: it is carried in the DTO only; keep it out of log statements.
    reqDto.setClientSecret(oauthRequest.getClientSecret());

    String authzCodeGrant = GrantType.AUTHORIZATION_CODE.toString();
    String passwordGrant = GrantType.PASSWORD.toString();
    String refreshGrant = GrantType.REFRESH_TOKEN.toString();
    String samlBearerGrant =
            org.wso2.carbon.identity.oauth.common.GrantType.SAML20_BEARER.toString();
    String ntlmGrant = org.wso2.carbon.identity.oauth.common.GrantType.IWA_NTLM.toString();

    // Copy only the credential that belongs to the requested grant type.
    if (authzCodeGrant.equals(grantType)) {
        reqDto.setAuthorizationCode(oauthRequest.getCode());
    } else if (passwordGrant.equals(grantType)) {
        // Resource-owner credentials travel in the DTO only for the password grant.
        reqDto.setResourceOwnerUsername(oauthRequest.getUsername());
        reqDto.setResourceOwnerPassword(oauthRequest.getPassword());
    } else if (refreshGrant.equals(grantType)) {
        reqDto.setRefreshToken(oauthRequest.getRefreshToken());
    } else if (samlBearerGrant.equals(grantType)) {
        reqDto.setAssertion(oauthRequest.getAssertion());
    } else if (ntlmGrant.equals(grantType)) {
        reqDto.setWindowsToken(oauthRequest.getWindowsToken());
    } else {
        // Unknown or custom grant: hand every request parameter over untouched.
        reqDto.setRequestParameters(oauthRequest.getRequestParameters());
    }

    return EndpointUtil.getOAuth2Service().issueAccessToken(reqDto);
}
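/**
 * Issues an access token for {@code tokenReqDTO}: authenticates the client, validates the grant,
 * checks access delegation and scope, then delegates token creation to the registered
 * {@link AuthorizationGrantHandler} for the request's grant type.
 *
 * <p>Every failure path returns an error response built by {@code handleError} (with response
 * headers applied) rather than throwing, so callers must inspect the returned DTO for an error.
 *
 * @param tokenReqDTO the token request; its grant type selects the handler
 * @return the issued token response, or an error response for an unsupported grant type, a
 *     client-authentication failure, an invalid grant, an unauthorized client or an invalid scope
 * @throws IdentityException propagated from the downstream lookups and handlers
 * @throws InvalidOAuthClientException propagated from the downstream lookups and handlers
 */
public OAuth2AccessTokenRespDTO issue(OAuth2AccessTokenReqDTO tokenReqDTO)
        throws IdentityException, InvalidOAuthClientException {
    String grantType = tokenReqDTO.getGrantType();
    OAuth2AccessTokenRespDTO tokenRespDTO;
    AuthorizationGrantHandler authzGrantHandler = authzGrantHandlers.get(grantType);
    OAuthTokenReqMessageContext tokReqMsgCtx = new OAuthTokenReqMessageContext(tokenReqDTO);

    // A grant type with no registered handler used to fall through to a NullPointerException on
    // the first handler call below; answer with the standard unsupported_grant_type error instead.
    if (authzGrantHandler == null) {
        if (log.isDebugEnabled()) {
            log.debug("Unsupported grant type : " + grantType + " for client id : "
                    + tokenReqDTO.getClientId());
        }
        tokenRespDTO = handleError(OAuthError.TokenResponse.UNSUPPORTED_GRANT_TYPE,
                "Unsupported Grant Type!", tokenReqDTO);
        setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
        return tokenRespDTO;
    }

    // RFC 6749 section 2.3: a client must not use more than one authentication method in a
    // request, so remember the single handler that matched and reject on a second match.
    int authenticatorHandlerIndex = -1;
    for (int i = 0; i < clientAuthenticationHandlers.size(); i++) {
        if (clientAuthenticationHandlers.get(i).canAuthenticate(tokReqMsgCtx)) {
            if (authenticatorHandlerIndex > -1) {
                if (log.isDebugEnabled()) {
                    log.debug("Multiple Client Authentication Methods used for client id : "
                            + tokenReqDTO.getClientId());
                }
                tokenRespDTO = handleError(
                        OAuthConstants.OAuthError.TokenResponse.UNSUPPORTED_CLIENT_AUTHENTICATION_METHOD,
                        "Unsupported Client Authentication Method!", tokenReqDTO);
                setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
                return tokenRespDTO;
            }
            authenticatorHandlerIndex = i;
        }
    }

    // A grant that requires a confidential client must carry some client authentication.
    if (authenticatorHandlerIndex < 0 && authzGrantHandler.isConfidentialClient()) {
        if (log.isDebugEnabled()) {
            log.debug("Confidential client cannot be authenticated for client id : "
                    + tokenReqDTO.getClientId());
        }
        tokenRespDTO = handleError(
                OAuthConstants.OAuthError.TokenResponse.UNSUPPORTED_CLIENT_AUTHENTICATION_METHOD,
                "Unsupported Client Authentication Method!", tokenReqDTO);
        setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
        return tokenRespDTO;
    }

    ClientAuthenticationHandler clientAuthHandler = null;
    if (authenticatorHandlerIndex > -1) {
        clientAuthHandler = clientAuthenticationHandlers.get(authenticatorHandlerIndex);
    }

    // No matching authenticator is only reachable here for a non-confidential (public) client,
    // which is accepted without client authentication.
    boolean isAuthenticated;
    if (clientAuthHandler != null) {
        isAuthenticated = clientAuthHandler.authenticateClient(tokReqMsgCtx);
    } else {
        isAuthenticated = true;
    }

    if (!isAuthenticated) {
        if (log.isDebugEnabled()) {
            log.debug("Client Authentication failed for client Id: " + tokenReqDTO.getClientId());
        }
        tokenRespDTO = handleError(OAuthError.TokenResponse.INVALID_CLIENT,
                "Client credentials are invalid.", tokenReqDTO);
        setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
        return tokenRespDTO;
    }

    // Loading the stored application data.
    OAuthAppDO oAuthAppDO = getAppInformation(tokenReqDTO);

    // For grants that do not act on behalf of an end user, the application owner becomes the
    // authorized user of the request.
    if (!authzGrantHandler.isOfTypeApplicationUser()) {
        tokReqMsgCtx.setAuthorizedUser(OAuth2Util.getUserFromUserName(oAuthAppDO.getUserName()));
        tokReqMsgCtx.getAuthorizedUser()
                .setTenantDomain(IdentityTenantUtil.getTenantDomain(oAuthAppDO.getTenantId()));
    }

    boolean isValidGrant = false;
    String error = "Provided Authorization Grant is invalid";
    try {
        isValidGrant = authzGrantHandler.validateGrant(tokReqMsgCtx);
    } catch (IdentityOAuth2Exception e) {
        if (log.isDebugEnabled()) {
            log.debug("Error occurred while validating grant", e);
        }
        // NOTE(review): the handler's exception message is returned to the client in the error
        // response below; confirm grant handlers do not put internal details in these messages.
        error = e.getMessage();
    }

    if (!isValidGrant) {
        if (log.isDebugEnabled()) {
            log.debug("Invalid Grant provided by the client Id: " + tokenReqDTO.getClientId());
        }
        tokenRespDTO = handleError(OAuthError.TokenResponse.INVALID_GRANT, error, tokenReqDTO);
        setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
        return tokenRespDTO;
    }

    boolean isAuthorized = authzGrantHandler.authorizeAccessDelegation(tokReqMsgCtx);
    if (!isAuthorized) {
        if (log.isDebugEnabled()) {
            log.debug("Invalid authorization for client Id = " + tokenReqDTO.getClientId());
        }
        tokenRespDTO = handleError(OAuthError.TokenResponse.UNAUTHORIZED_CLIENT,
                "Unauthorized Client!", tokenReqDTO);
        setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
        return tokenRespDTO;
    }

    boolean isValidScope = authzGrantHandler.validateScope(tokReqMsgCtx);
    if (!isValidScope) {
        if (log.isDebugEnabled()) {
            log.debug("Invalid scope provided by client Id: " + tokenReqDTO.getClientId());
        }
        tokenRespDTO = handleError(OAuthError.TokenResponse.INVALID_SCOPE, "Invalid Scope!",
                tokenReqDTO);
        setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
        return tokenRespDTO;
    }

    try {
        // Set the token request context to be used by downstream handlers. This is introduced as
        // a fix for IDENTITY-4111.
        OAuth2Util.setTokenRequestContext(tokReqMsgCtx);
        tokenRespDTO = authzGrantHandler.issue(tokReqMsgCtx);
    } finally {
        // Clears the token request context.
        OAuth2Util.clearTokenRequestContext();
    }

    tokenRespDTO.setCallbackURI(oAuthAppDO.getCallbackUrl());

    // Report the granted scopes as a single space-separated string.
    String[] scopes = tokReqMsgCtx.getScope();
    if (scopes != null && scopes.length > 0) {
        StringBuilder scopeString = new StringBuilder();
        for (String scope : scopes) {
            scopeString.append(scope);
            scopeString.append(" ");
        }
        tokenRespDTO.setAuthorizedScopes(scopeString.toString().trim());
    }

    setResponseHeaders(tokReqMsgCtx, tokenRespDTO);

    // Do not change this log format as these logs are used by external applications.
    // NOTE(review): the operand between " username: " and " and scopes: " was masked in the
    // excerpt this was reviewed from; the authorized user from the context is what the label
    // implies — confirm against the original source.
    if (log.isDebugEnabled()) {
        log.debug("Access token issued to client Id: " + tokenReqDTO.getClientId()
                + " username: " + tokReqMsgCtx.getAuthorizedUser()
                + " and scopes: " + tokenRespDTO.getAuthorizedScopes());
    }

    // An OIDC request (openid scope present) additionally gets an ID token.
    if (scopes != null && OAuth2Util.isOIDCAuthzRequest(scopes)) {
        IDTokenBuilder builder =
                OAuthServerConfiguration.getInstance().getOpenIDConnectIDTokenBuilder();
        tokenRespDTO.setIDToken(builder.buildIDToken(tokReqMsgCtx, tokenRespDTO));
    }

    // Constant-first comparison: a null grant type cannot reach here, but it costs nothing.
    if (GrantType.AUTHORIZATION_CODE.toString().equals(tokenReqDTO.getGrantType())) {
        addUserAttributesToCache(tokenReqDTO, tokenRespDTO);
    }

    return tokenRespDTO;
}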