/**
 * Checks a proposed OIDC state value against the one recorded for the given request identifier.
 * The cached entry is consumed by the lookup: whether or not the values match, it is removed, so a
 * given request identifier can be validated at most once. Returns {@code false} when no entry is
 * present (never created, already consumed, or expired) or when the values differ.
 *
 * @param oidcRequestIdentifier request identifier the state was created for
 * @param proposedState state value presented by the caller
 * @return {@code true} only if an entry was still cached for the identifier and its value equals
 *         the proposed value
 * @throws IllegalStateException if OpenId Connect support is not configured
 * @throws IllegalArgumentException if {@code proposedState} is {@code null}
 */
public boolean isStateValid(final String oidcRequestIdentifier, final State proposedState) {
    if (!isOidcEnabled()) {
        throw new IllegalStateException(OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED);
    }
    if (proposedState == null) {
        throw new IllegalArgumentException("Proposed state must be specified.");
    }

    final CacheKey lookupKey = new CacheKey(oidcRequestIdentifier);
    synchronized (stateLookupForPendingRequests) {
        final State pendingState = stateLookupForPendingRequests.getIfPresent(lookupKey);
        if (pendingState == null) {
            // nothing pending for this identifier: never created, already consumed, or expired
            return false;
        }
        // one-shot: drop the entry before comparing so a mismatch cannot be retried against it
        stateLookupForPendingRequests.invalidate(lookupKey);
        // compared with the time-constant helper rather than String.equals
        return timeConstantEqualityCheck(pendingState.getValue(), proposedState.getValue());
    }
}
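/**
 * Initiates an OpenId Connection authorization code flow using the specified request identifier to
 * maintain state. A fresh state value is generated and recorded under the identifier; if a state is
 * already pending for that identifier, the earlier one is kept and this call fails instead of
 * replacing it.
 *
 * @param oidcRequestIdentifier request identifier
 * @return the newly generated state
 * @throws IllegalStateException if OpenId Connect support is not configured, if a login request for
 *         this identifier is already in progress, or if the state could not be stored
 */
public State createState(final String oidcRequestIdentifier) {
    if (!isOidcEnabled()) {
        throw new IllegalStateException(OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED);
    }

    final CacheKey oidcRequestIdentifierKey = new CacheKey(oidcRequestIdentifier);
    final State state = new State(generateStateValue());

    try {
        synchronized (stateLookupForPendingRequests) {
            // presumably returns the already-cached entry when one exists and otherwise stores ours;
            // the mismatch check below relies on that (verify against the cache implementation)
            final State cachedState = stateLookupForPendingRequests.get(oidcRequestIdentifierKey, () -> state);
            // a different value back means this identifier already has a pending request; never overwrite it
            if (!timeConstantEqualityCheck(state.getValue(), cachedState.getValue())) {
                throw new IllegalStateException("An existing login request is already in progress.");
            }
        }
    } catch (ExecutionException e) {
        // keep the cause attached so the failure is diagnosable from the log instead of being reduced to a message
        throw new IllegalStateException("Unable to store the login request state.", e);
    }

    return state;
}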
.queryParam("response_type", "code") .queryParam("scope", oidcService.getScope().toString()) .queryParam("state", state.getValue()) .queryParam("redirect_uri", getOidcCallback()) .build();
/**
 * Records the OAuth state parameter in this request's query parameters.
 * A {@code null} state leaves the query parameters untouched.
 *
 * @param state state whose value becomes the state query parameter, or {@code null} to set nothing
 */
public void setState(State state) {
    if (state == null) {
        return;
    }
    queryParams.put(OAuthConstants.STATE_QUERY_PARAM, state.getValue());
}
/**
 * Checks a proposed OIDC state value against the one recorded for the given request identifier.
 * The cached entry is consumed by the lookup: whether or not the values match, it is removed, so a
 * given request identifier can be validated at most once. Returns {@code false} when no entry is
 * present (never created, already consumed, or expired) or when the values differ.
 *
 * @param oidcRequestIdentifier request identifier the state was created for
 * @param proposedState state value presented by the caller
 * @return {@code true} only if an entry was still cached for the identifier and its value equals
 *         the proposed value
 * @throws IllegalStateException if OpenId Connect support is not configured
 * @throws IllegalArgumentException if {@code proposedState} is {@code null}
 */
public boolean isStateValid(final String oidcRequestIdentifier, final State proposedState) {
    if (!isOidcEnabled()) {
        throw new IllegalStateException(OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED);
    }
    if (proposedState == null) {
        throw new IllegalArgumentException("Proposed state must be specified.");
    }

    final CacheKey lookupKey = new CacheKey(oidcRequestIdentifier);
    synchronized (stateLookupForPendingRequests) {
        final State pendingState = stateLookupForPendingRequests.getIfPresent(lookupKey);
        if (pendingState == null) {
            // nothing pending for this identifier: never created, already consumed, or expired
            return false;
        }
        // one-shot: drop the entry before comparing so a mismatch cannot be retried against it
        stateLookupForPendingRequests.invalidate(lookupKey);
        // compared with the time-constant helper rather than String.equals
        return timeConstantEqualityCheck(pendingState.getValue(), proposedState.getValue());
    }
}
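/**
 * Initiates an OpenId Connection authorization code flow using the specified request identifier to
 * maintain state. A fresh state value is generated and recorded under the identifier; if a state is
 * already pending for that identifier, the earlier one is kept and this call fails instead of
 * replacing it.
 *
 * @param oidcRequestIdentifier request identifier
 * @return the newly generated state
 * @throws IllegalStateException if OpenId Connect support is not configured, if a login request for
 *         this identifier is already in progress, or if the state could not be stored
 */
public State createState(final String oidcRequestIdentifier) {
    if (!isOidcEnabled()) {
        throw new IllegalStateException(OPEN_ID_CONNECT_SUPPORT_IS_NOT_CONFIGURED);
    }

    final CacheKey oidcRequestIdentifierKey = new CacheKey(oidcRequestIdentifier);
    final State state = new State(generateStateValue());

    try {
        synchronized (stateLookupForPendingRequests) {
            // presumably returns the already-cached entry when one exists and otherwise stores ours;
            // the mismatch check below relies on that (verify against the cache implementation)
            final State cachedState = stateLookupForPendingRequests.get(oidcRequestIdentifierKey, () -> state);
            // a different value back means this identifier already has a pending request; never overwrite it
            if (!timeConstantEqualityCheck(state.getValue(), cachedState.getValue())) {
                throw new IllegalStateException("An existing login request is already in progress.");
            }
        }
    } catch (ExecutionException e) {
        // keep the cause attached so the failure is diagnosable from the log instead of being reduced to a message
        throw new IllegalStateException("Unable to store the login request state.", e);
    }

    return state;
}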
/**
 * Adds the {@code state} parameter and, when nonce use is enabled, the {@code nonce} parameter to the
 * authorization request parameters, and records both in the session store.
 *
 * @param context the web context whose session store receives the state and nonce
 * @param params the authorization request parameters being assembled
 */
protected void addStateAndNonceParameters(final WebContext context, final Map<String, String> params) {
    // state for CSRF mitigation: produced by the configured generator when enabled, otherwise by
    // State's no-arg constructor (its value source is not visible here)
    final State state = configuration.isWithState()
            ? new State(configuration.getStateGenerator().generateState(context))
            : new State();
    params.put(OidcConfiguration.STATE, state.getValue());
    context.getSessionStore().set(context, OidcConfiguration.STATE_SESSION_ATTRIBUTE, state);

    if (!configuration.isUseNonce()) {
        return;
    }
    // nonce for replay attack mitigation; note only its string value is stored, unlike the State object above
    final Nonce nonce = new Nonce();
    params.put(OidcConfiguration.NONCE, nonce.getValue());
    context.getSessionStore().set(context, OidcConfiguration.NONCE_SESSION_ATTRIBUTE, nonce.getValue());
}