org.xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl クラス

org.xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl の継承関係図

org.xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl 連携図

公開メンバ関数
Response	requestAccessToken (String grantType, String code, String redirectUri, String username, String password, String scope, String assertion, String refreshToken, String clientId, String clientSecret, String codeVerifier, String ticket, String claimToken, String claimTokenFormat, String pctCode, String rptCode, HttpServletRequest request, SecurityContext sec)
String	getJSonResponse (AccessToken accessToken, TokenType tokenType, Integer expiresIn, RefreshToken refreshToken, String scope, IdToken idToken)
Response	requestAccessToken ( @FormParam("grant_type") @ApiParam(value="Grant type value, one of these: authorization_code, implicit, password, client_credentials, refresh_token as described in OAuth 2.0 [RFC6749]", required=true) String grantType, @FormParam("code") @ApiParam(value="Code which is returned by authorization endpoint. (For grant_type=authorization_code)", required=false) String code, @FormParam("redirect_uri") @ApiParam(value="Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider", required=false) String redirectUri, @FormParam("username") @ApiParam(value="End-User username.", required=false) String username, @FormParam("password") @ApiParam(value="End-User password.", required=false) String password, @FormParam("scope") @ApiParam(value="OpenID Connect requests MUST contain the openid scope value. If the openid scope value is not present, the behavior is entirely unspecified. Other scope values MAY be present. Scope values used that are not understood by an implementation SHOULD be ignored.", required=false) String scope, @FormParam("assertion") @ApiParam(value="Assertion", required=false) String assertion, @FormParam("refresh_token") @ApiParam(value="Refresh token", required=false) String refreshToken, @FormParam("client_id") @ApiParam(value="OAuth 2.0 Client Identifier valid at the Authorization Server.", required=false) String clientId, @FormParam("client_secret") @ApiParam(value="The client secret. The client MAY omit the parameter if the client secret is an empty string.", required=false) String clientSecret, @FormParam("code_verifier") @ApiParam(value="The client's PKCE code verifier.", required=false) String codeVerifier, @FormParam("ticket") String ticket, @FormParam("claim_token") String claimToken, @FormParam("claim_token_format") String claimTokenFormat, @FormParam("pct") String pctCode, @FormParam("rpt") String rptCode, @Context HttpServletRequest request, @Context SecurityContext sec)

非公開メンバ関数
void	validatePKCE (AuthorizationCodeGrant grant, String codeVerifier, OAuth2AuditLog oAuth2AuditLog)
Response	response (ResponseBuilder builder, OAuth2AuditLog oAuth2AuditLog)
ResponseBuilder	error (int p_status, TokenErrorResponseType p_type)

非公開変数類
Logger	log
Identity	identity
ApplicationAuditLogger	applicationAuditLogger
ErrorResponseFactory	errorResponseFactory
AuthorizationGrantList	authorizationGrantList
UserService	userService
GrantService	grantService
AuthenticationFilterService	authenticationFilterService
AuthenticationService	authenticationService
AppConfiguration	appConfiguration
UmaTokenService	umaTokenService

詳解

Provides interface for token REST web services

著者

Yuriy Zabrovarnyy

Javier Rojas Blum

バージョン

September 3, 2018

関数詳解

error()

ResponseBuilder org.xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl.error ( int  p_status, TokenErrorResponseType  p_type  )

inlineprivate

                                                                               {
        return Response.status(p_status).entity(errorResponseFactory.getErrorAsJson(p_type));
    }

getJSonResponse()

String org.xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl.getJSonResponse ( AccessToken  accessToken, TokenType  tokenType, Integer  expiresIn, RefreshToken  refreshToken, String  scope, IdToken  idToken  )

inline

Builds a JSon String with the structure for token issues.

                                                   {
        JSONObject jsonObj = new JSONObject();
        try {
            jsonObj.put("access_token", accessToken.getCode()); // Required
            jsonObj.put("token_type", tokenType.toString()); // Required
            if (expiresIn != null) { // Optional
                jsonObj.put("expires_in", expiresIn);
            }
            if (refreshToken != null) { // Optional
                jsonObj.put("refresh_token", refreshToken.getCode());
            }
            if (scope != null) { // Optional
                jsonObj.put("scope", scope);
            }
            if (idToken != null) {
                jsonObj.put("id_token", idToken.getCode());
            }
        } catch (JSONException e) {
            log.error(e.getMessage(), e);
        }

        return jsonObj.toString();
    }

requestAccessToken() [1/2]

Response org.xdi.oxauth.token.ws.rs.TokenRestWebService.requestAccessToken ( @FormParam("grant_type") @ApiParam(value="Grant type value, one of these: authorization_code, implicit, password, client_credentials, refresh_token as described in OAuth 2.0 [RFC6749]", required=true) String  grantType, @FormParam("code") @ApiParam(value="Code which is returned by authorization endpoint. (For grant_type=authorization_code)", required=false) String  code, @FormParam("redirect_uri") @ApiParam(value="Redirection URI to which the response will be sent. This URI MUST exactly match one of the Redirection URI values for the Client pre-registered at the OpenID Provider", required=false) String  redirectUri, @FormParam("username") @ApiParam(value="End-User username.", required=false) String  username, @FormParam("password") @ApiParam(value="End-User password.", required=false) String  password, @FormParam("scope") @ApiParam(value="OpenID Connect requests MUST contain the openid scope value. If the openid scope value is not present, the behavior is entirely unspecified. Other scope values MAY be present. Scope values used that are not understood by an implementation SHOULD be ignored.", required=false) String  scope, @FormParam("assertion") @ApiParam(value="Assertion", required=false) String  assertion, @FormParam("refresh_token") @ApiParam(value="Refresh token", required=false) String  refreshToken, @FormParam("client_id") @ApiParam(value="OAuth 2.0 Client Identifier valid at the Authorization Server.", required=false) String  clientId, @FormParam("client_secret") @ApiParam(value="The client secret. The client MAY omit the parameter if the client secret is an empty string.", required=false) String  clientSecret, @FormParam("code_verifier") @ApiParam(value="The client's PKCE code verifier.", required=false) String  codeVerifier, @FormParam("ticket") String  ticket, @FormParam("claim_token") String  claimToken, @FormParam("claim_token_format") String  claimTokenFormat, @FormParam("pct") String  pctCode, @FormParam("rpt") String  rptCode, @Context HttpServletRequest  request, @Context SecurityContext  sec  )

inherited

requestAccessToken() [2/2]

Response org.xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl.requestAccessToken ( String  grantType, String  code, String  redirectUri, String  username, String  password, String  scope, String  assertion, String  refreshToken, String  clientId, String  clientSecret, String  codeVerifier, String  ticket, String  claimToken, String  claimTokenFormat, String  pctCode, String  rptCode, HttpServletRequest  request, SecurityContext  sec  )

inline

                                                                                        {
        log.debug(
                "Attempting to request access token: grantType = {}, code = {}, redirectUri = {}, username = {}, refreshToken = {}, " +
                        "clientId = {}, ExtraParams = {}, isSecure = {}, codeVerifier = {}, ticket = {}",
                grantType, code, redirectUri, username, refreshToken, clientId, request.getParameterMap(),
                sec.isSecure(), codeVerifier, ticket);

        boolean isUma = StringUtils.isNotBlank(ticket);
        if (isUma) {
            return umaTokenService.requestRpt(grantType, ticket, claimToken, claimTokenFormat, pctCode, rptCode, scope, request);
        }

        OAuth2AuditLog oAuth2AuditLog = new OAuth2AuditLog(ServerUtil.getIpAddress(request), Action.TOKEN_REQUEST);
        oAuth2AuditLog.setClientId(clientId);
        oAuth2AuditLog.setUsername(username);
        oAuth2AuditLog.setScope(scope);

        String tokenBindingHeader = request.getHeader("Sec-Token-Binding");

        scope = ServerUtil.urlDecode(scope); // it may be encoded in uma case
        ResponseBuilder builder = Response.ok();

        try {
            log.debug("Starting to validate request parameters");
            if (!TokenParamsValidator.validateParams(grantType, code, redirectUri, username, password,
                    scope, assertion, refreshToken)) {
                log.trace("Failed to validate request parameters");
                builder = error(400, TokenErrorResponseType.INVALID_REQUEST);
            } else {
                log.trace("Request parameters are right");
                GrantType gt = GrantType.fromString(grantType);
                log.debug("Grant type: '{}'", gt);

                SessionClient sessionClient = identity.getSessionClient();
                Client client = null;
                if (sessionClient != null) {
                    client = sessionClient.getClient();
                    log.debug("Get sessionClient: '{}'", sessionClient);
                }

                if (client != null) {
                    log.debug("Get client from session: '{}'", client.getClientId());
                    if (client.isDisabled()) {
                        return response(error(Response.Status.FORBIDDEN.getStatusCode(), TokenErrorResponseType.DISABLED_CLIENT), oAuth2AuditLog);
                    }
                } else {
                    return response(error(401, TokenErrorResponseType.INVALID_GRANT), oAuth2AuditLog);
                }

                final Function<JsonWebResponse, Void> idTokenTokingBindingPreprocessing = TokenBindingMessage.createIdTokenTokingBindingPreprocessing(
                        tokenBindingHeader, client.getIdTokenTokenBindingCnf()); // for all except authorization code grant

                if (gt == GrantType.AUTHORIZATION_CODE) {
                    if (!TokenParamsValidator.validateGrantType(gt, client.getGrantTypes(), appConfiguration.getGrantTypesSupported())) {
                        return response(error(400, TokenErrorResponseType.INVALID_GRANT), oAuth2AuditLog);
                    }

                    log.debug("Attempting to find authorizationCodeGrant by clinetId: '{}', code: '{}'", client.getClientId(), code);
                    final AuthorizationCodeGrant authorizationCodeGrant = authorizationGrantList.getAuthorizationCodeGrant(client.getClientId(), code);
                    log.trace("AuthorizationCodeGrant : '{}'", authorizationCodeGrant);

                    if (authorizationCodeGrant != null) {
                        validatePKCE(authorizationCodeGrant, codeVerifier, oAuth2AuditLog);

                        authorizationCodeGrant.setIsCachedWithNoPersistence(false);
                        authorizationCodeGrant.save();

                        AccessToken accToken = authorizationCodeGrant.createAccessToken();
                        log.debug("Issuing access token: {}", accToken.getCode());

                        RefreshToken reToken = null;
                        if (client.getGrantTypes() != null
                                && client.getGrantTypes().length > 0
                                && Arrays.asList(client.getGrantTypes()).contains(GrantType.REFRESH_TOKEN)) {
                            reToken = authorizationCodeGrant.createRefreshToken();
                        }

                        if (scope != null && !scope.isEmpty()) {
                            scope = authorizationCodeGrant.checkScopesPolicy(scope);
                        }

                        IdToken idToken = null;
                        if (authorizationCodeGrant.getScopes().contains("openid")) {
                            String nonce = authorizationCodeGrant.getNonce();
                            boolean includeIdTokenClaims = Boolean.TRUE.equals(
                                    appConfiguration.getLegacyIdTokenClaims());
                            final String idTokenTokenBindingCnf = client.getIdTokenTokenBindingCnf();
                            Function<JsonWebResponse, Void> authorizationCodePreProcessing = new Function<JsonWebResponse, Void>() {
                                @Override
                                public Void apply(JsonWebResponse jsonWebResponse) {
                                    if (StringUtils.isNotBlank(idTokenTokenBindingCnf) && StringUtils.isNotBlank(authorizationCodeGrant.getTokenBindingHash())) {
                                        TokenBindingMessage.setCnfClaim(jsonWebResponse, authorizationCodeGrant.getTokenBindingHash(), idTokenTokenBindingCnf);
                                    }
                                    return null;
                                }
                            };
                            idToken = authorizationCodeGrant.createIdToken(
                                    nonce, null, accToken, authorizationCodeGrant, includeIdTokenClaims, authorizationCodePreProcessing);
                        }

                        builder.entity(getJSonResponse(accToken,
                                accToken.getTokenType(),
                                accToken.getExpiresIn(),
                                reToken,
                                scope,
                                idToken));

                        oAuth2AuditLog.updateOAuth2AuditLog(authorizationCodeGrant, true);

                        grantService.removeByCode(authorizationCodeGrant.getAuthorizationCode().getCode(), authorizationCodeGrant.getClientId());
                    } else {
                        log.debug("AuthorizationCodeGrant is empty by clinetId: '{}', code: '{}'", client.getClientId(), code);
                        // if authorization code is not found then code was already used = remove all grants with this auth code
                        grantService.removeAllByAuthorizationCode(code);
                        builder = error(400, TokenErrorResponseType.INVALID_GRANT);
                    }
                } else if (gt == GrantType.REFRESH_TOKEN) {
                    if (!TokenParamsValidator.validateGrantType(gt, client.getGrantTypes(), appConfiguration.getGrantTypesSupported())) {
                        return response(error(400, TokenErrorResponseType.INVALID_GRANT), oAuth2AuditLog);
                    }

                    AuthorizationGrant authorizationGrant = authorizationGrantList.getAuthorizationGrantByRefreshToken(client.getClientId(), refreshToken);

                    if (authorizationGrant != null) {
                        AccessToken accToken = authorizationGrant.createAccessToken();

                        /*
                        The authorization server MAY issue a new refresh token, in which case
                        the client MUST discard the old refresh token and replace it with the
                        new refresh token.
                        */
                        RefreshToken reToken = authorizationGrant.createRefreshToken();
                        grantService.removeByCode(refreshToken, client.getClientId());

                        if (scope != null && !scope.isEmpty()) {
                            scope = authorizationGrant.checkScopesPolicy(scope);
                        }

                        builder.entity(getJSonResponse(accToken,
                                accToken.getTokenType(),
                                accToken.getExpiresIn(),
                                reToken,
                                scope,
                                null));
                        oAuth2AuditLog.updateOAuth2AuditLog(authorizationGrant, true);
                    } else {
                        builder = error(401, TokenErrorResponseType.INVALID_GRANT);
                    }
                } else if (gt == GrantType.CLIENT_CREDENTIALS) {
                    if (!TokenParamsValidator.validateGrantType(gt, client.getGrantTypes(), appConfiguration.getGrantTypesSupported())) {
                        return response(error(400, TokenErrorResponseType.INVALID_GRANT), oAuth2AuditLog);
                    }

                    ClientCredentialsGrant clientCredentialsGrant = authorizationGrantList.createClientCredentialsGrant(new User(), client); // TODO: fix the user arg

                    AccessToken accessToken = clientCredentialsGrant.createAccessToken();

                    if (scope != null && !scope.isEmpty()) {
                        scope = clientCredentialsGrant.checkScopesPolicy(scope);
                    }

                    IdToken idToken = null;
                    if (appConfiguration.getOpenidScopeBackwardCompatibility() && clientCredentialsGrant.getScopes().contains("openid")) {
                        boolean includeIdTokenClaims = Boolean.TRUE.equals(
                                appConfiguration.getLegacyIdTokenClaims());
                        idToken = clientCredentialsGrant.createIdToken(
                                null, null, null, clientCredentialsGrant, includeIdTokenClaims, idTokenTokingBindingPreprocessing);
                    }

                    oAuth2AuditLog.updateOAuth2AuditLog(clientCredentialsGrant, true);
                    builder.entity(getJSonResponse(accessToken,
                            accessToken.getTokenType(),
                            accessToken.getExpiresIn(),
                            null,
                            scope,
                            idToken));
                } else if (gt == GrantType.RESOURCE_OWNER_PASSWORD_CREDENTIALS) {
                    if (!TokenParamsValidator.validateGrantType(gt, client.getGrantTypes(), appConfiguration.getGrantTypesSupported())) {
                        return response(error(400, TokenErrorResponseType.INVALID_GRANT), oAuth2AuditLog);
                    }

                    User user = null;
                    if (authenticationFilterService.isEnabled()) {
                        String userDn = authenticationFilterService.processAuthenticationFilters(request.getParameterMap());
                        if (StringHelper.isNotEmpty(userDn)) {
                            user = userService.getUserByDn(userDn);
                        }
                    }

                    if (user == null) {
                        boolean authenticated = authenticationService.authenticate(username, password);
                        if (authenticated) {
                            user = authenticationService.getAuthenticatedUser();
                        }
                    }

                    if (user != null) {
                        ResourceOwnerPasswordCredentialsGrant resourceOwnerPasswordCredentialsGrant = authorizationGrantList.createResourceOwnerPasswordCredentialsGrant(user, client);
                        AccessToken accessToken = resourceOwnerPasswordCredentialsGrant.createAccessToken();
                        RefreshToken reToken = resourceOwnerPasswordCredentialsGrant.createRefreshToken();

                        if (scope != null && !scope.isEmpty()) {
                            scope = resourceOwnerPasswordCredentialsGrant.checkScopesPolicy(scope);
                        }

                        IdToken idToken = null;
                        if (appConfiguration.getOpenidScopeBackwardCompatibility() && resourceOwnerPasswordCredentialsGrant.getScopes().contains("openid")) {
                            boolean includeIdTokenClaims = Boolean.TRUE.equals(
                                    appConfiguration.getLegacyIdTokenClaims());
                            idToken = resourceOwnerPasswordCredentialsGrant.createIdToken(
                                    null, null, null, resourceOwnerPasswordCredentialsGrant, includeIdTokenClaims, idTokenTokingBindingPreprocessing);
                        }

                        oAuth2AuditLog.updateOAuth2AuditLog(resourceOwnerPasswordCredentialsGrant, true);
                        builder.entity(getJSonResponse(accessToken,
                                accessToken.getTokenType(),
                                accessToken.getExpiresIn(),
                                reToken,
                                scope,
                                idToken));
                    } else {
                        log.error("Invalid user", new RuntimeException("User is empty"));
                        builder = error(401, TokenErrorResponseType.INVALID_CLIENT);
                    }
                }
            }
        } catch (WebApplicationException e) {
            throw e;
        } catch (SignatureException e) {
            builder = Response.status(500);
            log.error(e.getMessage(), e);
        } catch (StringEncrypter.EncryptionException e) {
            builder = Response.status(500);
            log.error(e.getMessage(), e);
        } catch (InvalidJwtException e) {
            builder = Response.status(500);
            log.error(e.getMessage(), e);
        } catch (InvalidJweException e) {
            builder = Response.status(500);
            log.error(e.getMessage(), e);
        } catch (Exception e) {
            builder = Response.status(500);
            log.error(e.getMessage(), e);
        }

        return response(builder, oAuth2AuditLog);
    }

response()

Response org.xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl.response ( ResponseBuilder  builder, OAuth2AuditLog  oAuth2AuditLog  )

inlineprivate

                                                                                      {
        CacheControl cacheControl = new CacheControl();
        cacheControl.setNoTransform(false);
        cacheControl.setNoStore(true);
        builder.cacheControl(cacheControl);
        builder.header("Pragma", "no-cache");

        applicationAuditLogger.sendMessage(oAuth2AuditLog);

        return builder.build();
    }

validatePKCE()

void org.xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl.validatePKCE ( AuthorizationCodeGrant  grant, String  codeVerifier, OAuth2AuditLog  oAuth2AuditLog  )

inlineprivate

                                                                                                                {
        log.trace("PKCE validation, code_verifier: {}, code_challenge: {}, method: {}",
                codeVerifier, grant.getCodeChallenge(), grant.getCodeChallengeMethod());

        if (Strings.isNullOrEmpty(grant.getCodeChallenge()) && Strings.isNullOrEmpty(codeVerifier)) {
            return; // if no code challenge then it's valid, no PKCE check
        }

        if (!CodeVerifier.matched(grant.getCodeChallenge(), grant.getCodeChallengeMethod(), codeVerifier)) {
            log.error("PKCE check fails. Code challenge does not match to request code verifier, " +
                    "grantId:" + grant.getGrantId() + ", codeVerifier: " + codeVerifier);
            throw new WebApplicationException(response(error(401, TokenErrorResponseType.INVALID_GRANT), oAuth2AuditLog));
        }
    }

メンバ詳解

appConfiguration

AppConfiguration org.xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl.appConfiguration

private

applicationAuditLogger

ApplicationAuditLogger org.xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl.applicationAuditLogger

private

authenticationFilterService

AuthenticationFilterService org.xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl.authenticationFilterService

private

authenticationService

AuthenticationService org.xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl.authenticationService

private

authorizationGrantList

AuthorizationGrantList org.xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl.authorizationGrantList

private

errorResponseFactory

ErrorResponseFactory org.xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl.errorResponseFactory

private

grantService

GrantService org.xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl.grantService

private

identity

Identity org.xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl.identity

private

log

Logger org.xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl.log

private

umaTokenService

UmaTokenService org.xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl.umaTokenService

private

userService

UserService org.xdi.oxauth.token.ws.rs.TokenRestWebServiceImpl.userService

private

---

このクラス詳解は次のファイルから抽出されました:

• D:/AppData/OpenId/gluu/src/oxAuth/Server/src/main/java/org/xdi/oxauth/token/ws/rs/TokenRestWebServiceImpl.java