/**
 * Token-validation endpoint: a caller (per the original comment, a resource server) submits
 * the authorization scheme and the raw scheme data it received and gets back an
 * {@link AccessTokenValidation} describing the token.
 * <p>
 * Security order matters: {@link #checkSecurityContext()} runs before any token material is
 * touched, so an unauthenticated caller never gets to exercise the validation path.
 *
 * @param params the form body, still URL-encoded ({@code @Encoded}); the scheme is read from
 *        {@code OAuthConstants.AUTHORIZATION_SCHEME_TYPE}, the token data from
 *        {@code OAuthConstants.AUTHORIZATION_SCHEME_DATA}; the whole map is forwarded to the
 *        shared validation logic
 * @return the validation result; when the local or chained validation rejects the token the
 *         method does <em>not</em> propagate the 401 but returns a result whose
 *         {@code isInitialValidationSuccessful()} is {@code false}, so the caller can tell
 *         "this token is bad" apart from "you are not allowed to ask"
 */
@POST
@Produces({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
public AccessTokenValidation getTokenValidationInfo(@Encoded MultivaluedMap<String, String> params) {
    // Authenticate the caller first; nothing below may run for an unauthenticated peer.
    checkSecurityContext();

    final String schemeType = params.getFirst(OAuthConstants.AUTHORIZATION_SCHEME_TYPE);
    final String schemeData = params.getFirst(OAuthConstants.AUTHORIZATION_SCHEME_DATA);
    try {
        return super.getAccessTokenValidation(schemeType, schemeData, params);
    } catch (NotAuthorizedException tokenRejected) {
        // The caller's own authentication already passed above, so a NotAuthorizedException
        // here can only come from the local or chained token validation. Surface that as a
        // negative result rather than as an HTTP 401 aimed at the caller.
        final AccessTokenValidation rejected = new AccessTokenValidation();
        rejected.setInitialValidationSuccessful(false);
        return rejected;
    }
}
/**
 * Builds the CXF {@code SecurityContext} that represents a validated access token for the
 * rest of the request.
 * <p>
 * Which identity becomes the request principal is a filter-level switch: with
 * {@code useUserSubject} set, the resource owner (the token subject) is used, otherwise the
 * client that holds the token. Role checks are answered from that same subject's role list.
 *
 * @param request the servlet request; not consulted by this implementation
 * @param accessTokenV the already-validated token information
 * @return a security context whose principal is the chosen subject's login, or whose
 *         principal is {@code null} and whose role checks all fail when that subject is absent
 *         (e.g. no resource-owner subject on the token while {@code useUserSubject} is set)
 */
protected SecurityContext createSecurityContext(HttpServletRequest request, AccessTokenValidation accessTokenV) {
    final UserSubject owner = accessTokenV.getTokenSubject();
    final UserSubject client = accessTokenV.getClientSubject();
    // Select the identity that will be visible to downstream authorization.
    final UserSubject principalSubject;
    if (OAuthRequestFilter.this.useUserSubject) {
        principalSubject = owner;
    } else {
        principalSubject = client;
    }
    return new SecurityContext() {
        @Override
        public Principal getUserPrincipal() {
            if (principalSubject == null) {
                return null;
            }
            return new SimplePrincipal(principalSubject.getLogin());
        }

        @Override
        public boolean isUserInRole(String role) {
            // No subject means no roles; fail closed.
            // NOTE(review): assumes getRoles() never returns null -- confirm in UserSubject.
            return principalSubject != null && principalSubject.getRoles().contains(role);
        }
    };
}
private AccessTokenValidation convertIntrospectionToValidation(TokenIntrospection response) { AccessTokenValidation atv = new AccessTokenValidation(); atv.setInitialValidationSuccessful(response.isActive()); if (response.getClientId() != null) { atv.setClientId(response.getClientId()); atv.setTokenIssuedAt(response.getIat()); } else { Instant now = Instant.now(); atv.setTokenIssuedAt(now.toEpochMilli()); atv.setTokenLifetime(response.getExp() - atv.getTokenIssuedAt()); atv.setTokenNotBefore(response.getNbf()); atv.setAudiences(response.getAud()); atv.setTokenIssuer(response.getIss()); atv.setTokenScopes(perms); atv.setTokenSubject(new UserSubject(response.getUsername())); atv.getExtraProps().putAll(response.getExtensions());
if (!accessTokenV.isInitialValidationSuccessful()) { AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm); String validAudience = validateAudiences(accessTokenV.getAudiences()); /* Issuer pinning: when the filter is configured with an issuer, the token's issuer must match exactly. */ if (issuer != null && !issuer.equals(accessTokenV.getTokenIssuer())) { AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm); List<OAuthPermission> permissions = accessTokenV.getTokenScopes(); List<OAuthPermission> matchingPermissions = new ArrayList<>(); /* Token-to-client IP binding; only enforced for tokens that carry a client IP address. */ if (accessTokenV.getClientIpAddress() != null) { String remoteAddress = getMessageContext().getHttpServletRequest().getRemoteAddr(); /* NOTE(review): as written this branch fires when the bound address EQUALS the peer address, yet it logs "invalid" -- the comparison looks inverted; the expected guard would be `remoteAddress == null || !accessTokenV.getClientIpAddress().equals(remoteAddress)`. Confirm intent before relying on this check. Also note getRemoteAddr() is the TCP peer, so behind a reverse proxy it is the proxy's address, not the client's. */ if (remoteAddress == null || accessTokenV.getClientIpAddress().equals(remoteAddress)) { String message = "Client IP Address is invalid"; LOG.warning(message); /* Public (non-confidential) clients are refused outright when blockPublicClients is set. */ if (blockPublicClients && !accessTokenV.isClientConfidential()) { String message = "Only Confidential Clients are supported"; LOG.warning(message); throw ExceptionUtils.toForbiddenException(null, null); /* Optional restriction on how the resource owner authenticated when the token was issued. NOTE(review): getTokenSubject() is dereferenced without a null check here -- verify a subject is always present when `am` is configured. */ if (am != null && !am.equals(accessTokenV.getTokenSubject().getAuthenticationMethod())) { String message = "The token has been authorized by the resource owner " + "using an unsupported authentication method"; /* Certificate-bound token: if the token carries an x5t#S256 thumbprint, the TLS client certificate presented on this connection is checked against it (presumably; the comparison continues beyond this excerpt). */ String certThumbprint = accessTokenV.getExtraProps().get(JoseConstants.HEADER_X509_THUMBPRINT_SHA256); if (certThumbprint != null) { TLSSessionInfo tlsInfo = getTlsSessionInfo();
Collections.singleton(authScheme), realm); accessTokenV = new AccessTokenValidation(localAccessToken); if (OAuthUtils.isExpired(accessTokenV.getTokenIssuedAt(), accessTokenV.getTokenLifetime())) { if (localAccessToken != null) { removeAccessToken(localAccessToken); if (accessTokenV.getTokenNotBefore() > 0 && accessTokenV.getTokenNotBefore() > System.currentTimeMillis() / 1000L) { AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm);
/**
 * Resolves a Hawk (MAC) access token by its token id and exposes the material a verifier
 * needs to check the request signature.
 * <p>
 * Security note on key release: the shared MAC secret and algorithm are copied into the
 * result's extra properties only when the signature is going to be verified locally
 * ({@code !isRemoteSignatureValidation()}) or when the current security context reports a
 * secure channel. Over an insecure channel to a remote verifier the secret is withheld,
 * so the result then contains only what the {@link AccessTokenValidation} constructor
 * derived from the stored token.
 *
 * @param mc the message context; its security context decides whether the MAC key may be released
 * @param authScheme not used by this implementation
 * @param authSchemeData not used by this implementation
 * @param extraProps not used by this implementation
 * @param schemeParams parsed Hawk scheme parameters; {@code OAuthConstants.HAWK_TOKEN_ID} selects the token
 * @return the validation result for the resolved Hawk token
 * @throws OAuthServiceException with {@code OAuthConstants.SERVER_ERROR} when the data provider
 *         returns nothing for the id, or something that is not a {@link HawkAccessToken}
 *         (note for reviewers: an unknown id is therefore reported as a server error rather
 *         than as an invalid token; kept as-is because callers may depend on the exception type)
 */
protected AccessTokenValidation getAccessTokenValidation(MessageContext mc, String authScheme, String authSchemeData, MultivaluedMap<String, String> extraProps, Map<String, String> schemeParams) {
    // The "id" carried in the Hawk header is the lookup key, not the MAC secret itself.
    final String tokenId = schemeParams.get(OAuthConstants.HAWK_TOKEN_ID);
    final ServerAccessToken stored = dataProvider.getAccessToken(tokenId);
    // instanceof is false for null, so a missing token takes this path too.
    if (!(stored instanceof HawkAccessToken)) {
        throw new OAuthServiceException(OAuthConstants.SERVER_ERROR);
    }
    final HawkAccessToken hawkToken = (HawkAccessToken) stored;
    final AccessTokenValidation validation = new AccessTokenValidation(hawkToken);

    // OAuth2 Pop token introspection will likely support returning a JWE-encrypted key
    final boolean verifiedLocally = !isRemoteSignatureValidation();
    final boolean channelIsSecure = mc.getSecurityContext().isSecure();
    if (verifiedLocally || channelIsSecure) {
        final Map<String, String> props = validation.getExtraProps();
        props.put(OAuthConstants.HAWK_TOKEN_KEY, hawkToken.getMacKey());
        props.put(OAuthConstants.HAWK_TOKEN_ALGORITHM, hawkToken.getMacAlgorithm());
    }
    return validation;
}
String macKey = atv.getExtraProps().get(OAuthConstants.HAWK_TOKEN_KEY); String macAlgo = atv.getExtraProps().get(OAuthConstants.HAWK_TOKEN_ALGORITHM);
private AccessTokenValidation convertIntrospectionToValidation(TokenIntrospection response) { AccessTokenValidation atv = new AccessTokenValidation(); atv.setInitialValidationSuccessful(response.isActive()); if (response.getClientId() != null) { atv.setClientId(response.getClientId()); atv.setTokenIssuedAt(response.getIat()); } else { Instant now = Instant.now(); atv.setTokenIssuedAt(now.toEpochMilli()); atv.setTokenLifetime(response.getExp() - atv.getTokenIssuedAt()); atv.setTokenNotBefore(response.getNbf()); atv.setAudiences(response.getAud()); atv.setTokenIssuer(response.getIss()); atv.setTokenScopes(perms); atv.setTokenSubject(new UserSubject(response.getUsername())); atv.getExtraProps().putAll(response.getExtensions());
if (!accessTokenV.isInitialValidationSuccessful()) { AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm); String validAudience = validateAudiences(accessTokenV.getAudiences()); /* Issuer pinning: when the filter is configured with an issuer, the token's issuer must match exactly. */ if (issuer != null && !issuer.equals(accessTokenV.getTokenIssuer())) { AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm); List<OAuthPermission> permissions = accessTokenV.getTokenScopes(); List<OAuthPermission> matchingPermissions = new ArrayList<>(); /* Token-to-client IP binding; only enforced for tokens that carry a client IP address. */ if (accessTokenV.getClientIpAddress() != null) { String remoteAddress = getMessageContext().getHttpServletRequest().getRemoteAddr(); /* NOTE(review): as written this branch fires when the bound address EQUALS the peer address, yet it logs "invalid" -- the comparison looks inverted; the expected guard would be `remoteAddress == null || !accessTokenV.getClientIpAddress().equals(remoteAddress)`. Confirm intent before relying on this check. Also note getRemoteAddr() is the TCP peer, so behind a reverse proxy it is the proxy's address, not the client's. */ if (remoteAddress == null || accessTokenV.getClientIpAddress().equals(remoteAddress)) { String message = "Client IP Address is invalid"; LOG.warning(message); /* Public (non-confidential) clients are refused outright when blockPublicClients is set. */ if (blockPublicClients && !accessTokenV.isClientConfidential()) { String message = "Only Confidential Clients are supported"; LOG.warning(message); throw ExceptionUtils.toForbiddenException(null, null); /* Optional restriction on how the resource owner authenticated when the token was issued. NOTE(review): getTokenSubject() is dereferenced without a null check here -- verify a subject is always present when `am` is configured. */ if (am != null && !am.equals(accessTokenV.getTokenSubject().getAuthenticationMethod())) { String message = "The token has been authorized by the resource owner " + "using an unsupported authentication method"; /* Certificate-bound token: if the token carries an x5t#S256 thumbprint, the TLS client certificate presented on this connection is checked against it (presumably; the comparison continues beyond this excerpt). */ String certThumbprint = accessTokenV.getExtraProps().get(JoseConstants.HEADER_X509_THUMBPRINT_SHA256); if (certThumbprint != null) { TLSSessionInfo tlsInfo = getTlsSessionInfo();
Collections.singleton(authScheme), realm); accessTokenV = new AccessTokenValidation(localAccessToken); if (OAuthUtils.isExpired(accessTokenV.getTokenIssuedAt(), accessTokenV.getTokenLifetime())) { if (localAccessToken != null) { removeAccessToken(localAccessToken); if (accessTokenV.getTokenNotBefore() > 0 && accessTokenV.getTokenNotBefore() > System.currentTimeMillis() / 1000L) { AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm);
/**
 * Looks up the Hawk access token named by the scheme's token id and wraps it in an
 * {@link AccessTokenValidation}.
 * <p>
 * The MAC secret ({@code HAWK_TOKEN_KEY}) and algorithm are added to the result's extra
 * properties only if the signature will be checked locally, or if the JAX-RS security
 * context of the current request says the channel is secure. Otherwise the secret stays
 * server-side and the caller gets the validation without it.
 *
 * @param mc the message context whose security context gates release of the MAC secret
 * @param authScheme unused here
 * @param authSchemeData unused here
 * @param extraProps unused here
 * @param schemeParams Hawk scheme parameters; {@code OAuthConstants.HAWK_TOKEN_ID} is the lookup key
 * @return validation built from the stored {@link HawkAccessToken}
 * @throws OAuthServiceException ({@code OAuthConstants.SERVER_ERROR}) if the data provider yields
 *         {@code null} or a non-Hawk token for the id. Reviewers: an unknown id surfaces as a
 *         server error instead of an invalid-token response; left unchanged for compatibility.
 */
protected AccessTokenValidation getAccessTokenValidation(MessageContext mc, String authScheme, String authSchemeData, MultivaluedMap<String, String> extraProps, Map<String, String> schemeParams) {
    final ServerAccessToken found = dataProvider.getAccessToken(schemeParams.get(OAuthConstants.HAWK_TOKEN_ID));
    if (found instanceof HawkAccessToken) {
        final HawkAccessToken hawk = (HawkAccessToken) found;
        final AccessTokenValidation result = new AccessTokenValidation(hawk);
        // OAuth2 Pop token introspection will likely support returning a JWE-encrypted key
        if (mayReleaseMacKey(mc)) {
            result.getExtraProps().put(OAuthConstants.HAWK_TOKEN_KEY, hawk.getMacKey());
            result.getExtraProps().put(OAuthConstants.HAWK_TOKEN_ALGORITHM, hawk.getMacAlgorithm());
        }
        return result;
    }
    // Covers both "no such token" (null) and a token of the wrong type.
    throw new OAuthServiceException(OAuthConstants.SERVER_ERROR);
}

/**
 * Whether the raw MAC secret may be handed out: always for local signature checks, and for
 * remote checks only when the request's security context reports a secure channel.
 */
private boolean mayReleaseMacKey(MessageContext mc) {
    return !isRemoteSignatureValidation() || mc.getSecurityContext().isSecure();
}
String macKey = atv.getExtraProps().get(OAuthConstants.HAWK_TOKEN_KEY); String macAlgo = atv.getExtraProps().get(OAuthConstants.HAWK_TOKEN_ALGORITHM);
private AccessTokenValidation convertClaimsToValidation(JwtClaims claims) { AccessTokenValidation atv = new AccessTokenValidation(); atv.setInitialValidationSuccessful(true); String clientId = claims.getStringProperty(OAuthConstants.CLIENT_ID); if (clientId != null) { atv.setClientId(clientId); atv.setTokenIssuedAt(claims.getIssuedAt()); } else { Instant now = Instant.now(); atv.setTokenIssuedAt(now.toEpochMilli()); atv.setTokenLifetime(claims.getExpiryTime() - atv.getTokenIssuedAt()); atv.setAudiences(claims.getAudiences()); atv.setTokenIssuer(claims.getIssuer()); atv.setTokenNotBefore(claims.getNotBefore()); atv.setTokenScopes(perms); atv.setTokenSubject(userSubject); } else if (claims.getSubject() != null) { atv.setTokenSubject(new UserSubject(claims.getSubject())); atv.getExtraProps().putAll(extraProperties); Object certCnf = cnfClaim.get(JoseConstants.HEADER_X509_THUMBPRINT_SHA256); if (certCnf != null) {
/**
 * Validates an access token on behalf of a caller (a resource server, going by the original
 * comment) that presents the authorization scheme plus the raw scheme data it received.
 * <p>
 * The caller is authenticated by {@link #checkSecurityContext()} before the parameters are
 * read; an unauthenticated peer therefore never reaches the token validation code.
 *
 * @param params URL-encoded form parameters ({@code @Encoded}); the scheme comes from
 *        {@code OAuthConstants.AUTHORIZATION_SCHEME_TYPE} and the token data from
 *        {@code OAuthConstants.AUTHORIZATION_SCHEME_DATA}; the map itself is also passed on
 * @return the validation result, or -- if the local/chained validation threw
 *         {@link NotAuthorizedException} -- a result with
 *         {@code initialValidationSuccessful = false}. The 401 is deliberately not propagated:
 *         at this point it describes the token, not the caller's credentials.
 */
@POST
@Produces({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
public AccessTokenValidation getTokenValidationInfo(@Encoded MultivaluedMap<String, String> params) {
    checkSecurityContext();
    AccessTokenValidation outcome;
    try {
        outcome = super.getAccessTokenValidation(
            params.getFirst(OAuthConstants.AUTHORIZATION_SCHEME_TYPE),
            params.getFirst(OAuthConstants.AUTHORIZATION_SCHEME_DATA),
            params);
    } catch (NotAuthorizedException tokenFailedValidation) {
        // Not the caller failing to authenticate (that check already passed): the token
        // itself failed local or chained validation. Answer with a negative result.
        outcome = new AccessTokenValidation();
        outcome.setInitialValidationSuccessful(false);
    }
    return outcome;
}
/**
 * Creates the per-request {@code SecurityContext} from a validated token.
 * <p>
 * {@code useUserSubject} picks the identity: the token's resource-owner subject when set,
 * otherwise the client subject. Both the principal and every {@code isUserInRole} answer
 * are derived from that one subject; when it is absent the principal is {@code null} and
 * no role check succeeds (fail closed).
 *
 * @param request the servlet request -- ignored by this implementation
 * @param accessTokenV the validated token data
 * @return a security context bound to the selected subject
 */
protected SecurityContext createSecurityContext(HttpServletRequest request, AccessTokenValidation accessTokenV) {
    final UserSubject resourceOwner = accessTokenV.getTokenSubject();
    final UserSubject client = accessTokenV.getClientSubject();
    final boolean preferResourceOwner = OAuthRequestFilter.this.useUserSubject;
    final UserSubject subject = preferResourceOwner ? resourceOwner : client;
    return new SecurityContext() {
        @Override
        public Principal getUserPrincipal() {
            return subject == null ? null : new SimplePrincipal(subject.getLogin());
        }

        @Override
        public boolean isUserInRole(String role) {
            if (subject == null) {
                return false;
            }
            // NOTE(review): relies on getRoles() being non-null -- confirm in UserSubject.
            return subject.getRoles().contains(role);
        }
    };
}
private AccessTokenValidation convertClaimsToValidation(JwtClaims claims) { AccessTokenValidation atv = new AccessTokenValidation(); atv.setInitialValidationSuccessful(true); String clientId = claims.getStringProperty(OAuthConstants.CLIENT_ID); if (clientId != null) { atv.setClientId(clientId); atv.setTokenIssuedAt(claims.getIssuedAt()); } else { Instant now = Instant.now(); atv.setTokenIssuedAt(now.toEpochMilli()); atv.setTokenLifetime(claims.getExpiryTime() - atv.getTokenIssuedAt()); atv.setAudiences(claims.getAudiences()); atv.setTokenIssuer(claims.getIssuer()); atv.setTokenNotBefore(claims.getNotBefore()); atv.setTokenScopes(perms); atv.setTokenSubject(userSubject); } else if (claims.getSubject() != null) { atv.setTokenSubject(new UserSubject(claims.getSubject())); atv.getExtraProps().putAll(extraProperties); Object certCnf = cnfClaim.get(JoseConstants.HEADER_X509_THUMBPRINT_SHA256); if (certCnf != null) {