oauthApp = new OAuthAppDO(); oauthApp.setOauthConsumerKey(consumerKey); if (isHashDisabled) { oauthApp.setOauthConsumerSecret(persistenceProcessor.getPreprocessedClientSecret(rSet .getString(1))); } else { oauthApp.setOauthConsumerSecret(rSet.getString(1)); oauthApp.setApplicationName(rSet.getString(3)); oauthApp.setOauthVersion(rSet.getString(4)); oauthApp.setCallbackUrl(rSet.getString(5)); authenticatedUser.setTenantDomain(IdentityTenantUtil.getTenantDomain(rSet.getInt(6))); authenticatedUser.setUserStoreDomain(rSet.getString(7)); oauthApp.setUser(authenticatedUser); oauthApp.setGrantTypes(rSet.getString(8)); oauthApp.setId(rSet.getInt(9)); if (isPKCESupportEnabled) { oauthApp.setPkceMandatory(!"0".equals(rSet.getString(10))); oauthApp.setPkceSupportPlain(!"0".equals(rSet.getString(11))); oauthApp.setUserAccessTokenExpiryTime(rSet.getLong(12)); oauthApp.setApplicationAccessTokenExpiryTime(rSet.getLong(13)); oauthApp.setRefreshTokenExpiryTime(rSet.getLong(14)); oauthApp.setIdTokenExpiryTime(rSet.getLong(15)); oauthApp.setState(rSet.getString(16)); } else { oauthApp.setUserAccessTokenExpiryTime(rSet.getLong(10)); oauthApp.setApplicationAccessTokenExpiryTime(rSet.getLong(11)); oauthApp.setRefreshTokenExpiryTime(rSet.getLong(12)); oauthApp.setIdTokenExpiryTime(rSet.getLong(13));
dto.setApplicationName(appDO.getApplicationName()); dto.setCallbackUrl(appDO.getCallbackUrl()); dto.setOauthConsumerKey(appDO.getOauthConsumerKey()); dto.setOauthConsumerSecret(appDO.getOauthConsumerSecret()); dto.setOAuthVersion(appDO.getOauthVersion()); dto.setGrantTypes(appDO.getGrantTypes()); dto.setScopeValidators(appDO.getScopeValidators()); dto.setUsername(appDO.getUser().toFullQualifiedUsername()); dto.setState(appDO.getState()); dto.setPkceMandatory(appDO.isPkceMandatory()); dto.setPkceSupportPlain(appDO.isPkceSupportPlain()); dto.setUserAccessTokenExpiryTime(appDO.getUserAccessTokenExpiryTime()); dto.setApplicationAccessTokenExpiryTime(appDO.getApplicationAccessTokenExpiryTime()); dto.setRefreshTokenExpiryTime(appDO.getRefreshTokenExpiryTime()); dto.setIdTokenExpiryTime(appDO.getIdTokenExpiryTime()); dto.setAudiences(appDO.getAudiences()); dto.setRequestObjectSignatureValidationEnabled(appDO.isRequestObjectSignatureValidationEnabled()); dto.setIdTokenEncryptionEnabled(appDO.isIdTokenEncryptionEnabled()); dto.setIdTokenEncryptionAlgorithm(appDO.getIdTokenEncryptionAlgorithm()); dto.setIdTokenEncryptionMethod(appDO.getIdTokenEncryptionMethod()); dto.setBackChannelLogoutUrl(appDO.getBackChannelLogoutUrl()); dto.setFrontchannelLogoutUrl(appDO.getFrontchannelLogoutUrl()); dto.setTokenType(appDO.getTokenType()); dto.setBypassClientCredentials(appDO.isBypassClientCredentials()); return dto;
/**
 * Binds the PKCE-aware column values of the consumer-app UPDATE statement used when the
 * application owner is NOT being changed.
 *
 * Slots 1-3 (application name, callback URL, grant types) are bound by the caller; this method
 * fills slots 4-10 in order: PKCE-mandatory flag, PKCE-plain-allowed flag, the four token expiry
 * times, and finally the processed client id (presumably the row key of the UPDATE - the query
 * text is not visible here). The consumer secret is deliberately not part of this update.
 *
 * @param oauthAppDO application whose values are bound
 * @param prepStmt   statement prepared from the PKCE / no-owner-update query
 * @throws SQLException            if binding a parameter fails
 * @throws IdentityOAuth2Exception if the persistence processor cannot process the client id
 */
private void setValuesToStatementWithPKCENoOwnerUpdate(OAuthAppDO oauthAppDO, PreparedStatement prepStmt)
        throws SQLException, IdentityOAuth2Exception {

    // Boolean PKCE settings are persisted as the string flags "1" / "0".
    String pkceMandatoryFlag = oauthAppDO.isPkceMandatory() ? "1" : "0";
    String pkcePlainAllowedFlag = oauthAppDO.isPkceSupportPlain() ? "1" : "0";

    int slot = 4;
    prepStmt.setString(slot++, pkceMandatoryFlag);
    prepStmt.setString(slot++, pkcePlainAllowedFlag);
    prepStmt.setLong(slot++, oauthAppDO.getUserAccessTokenExpiryTime());
    prepStmt.setLong(slot++, oauthAppDO.getApplicationAccessTokenExpiryTime());
    prepStmt.setLong(slot++, oauthAppDO.getRefreshTokenExpiryTime());
    prepStmt.setLong(slot++, oauthAppDO.getIdTokenExpiryTime());

    // The client id is stored in processed form, so the lookup value must be processed the same way.
    String processedClientId = persistenceProcessor.getProcessedClientId(oauthAppDO.getOauthConsumerKey());
    prepStmt.setString(slot, processedClientId);
}
/**
 * Binds the column values of the consumer-app UPDATE statement used when PKCE columns are
 * absent and the application owner is NOT being changed.
 *
 * Slots 1-3 (application name, callback URL, grant types) are bound by the caller; this method
 * fills slots 4-8 in order: the four token expiry times and finally the processed client id
 * (presumably the row key of the UPDATE - the query text is not visible here). The consumer
 * secret is deliberately not part of this update.
 *
 * @param oauthAppDO application whose values are bound
 * @param prepStmt   statement prepared from the no-PKCE / no-owner-update query
 * @throws SQLException            if binding a parameter fails
 * @throws IdentityOAuth2Exception if the persistence processor cannot process the client id
 */
private void setValuesToStatementWithNoPKCEAndNoOwnerUpdate(OAuthAppDO oauthAppDO, PreparedStatement prepStmt)
        throws SQLException, IdentityOAuth2Exception {

    int slot = 4;
    prepStmt.setLong(slot++, oauthAppDO.getUserAccessTokenExpiryTime());
    prepStmt.setLong(slot++, oauthAppDO.getApplicationAccessTokenExpiryTime());
    prepStmt.setLong(slot++, oauthAppDO.getRefreshTokenExpiryTime());
    prepStmt.setLong(slot++, oauthAppDO.getIdTokenExpiryTime());

    // The client id is stored in processed form, so the lookup value must be processed the same way.
    String processedClientId = persistenceProcessor.getProcessedClientId(oauthAppDO.getOauthConsumerKey());
    prepStmt.setString(slot, processedClientId);
}
/**
 * Resolves the refresh-token validity period, in milliseconds, for the given application.
 *
 * A non-zero per-application refresh token expiry time (seconds) takes precedence; when it is
 * zero the server-wide value from OAuthServerConfiguration is used. Only zero is treated as
 * "unset": a negative application value is scaled to milliseconds and returned unchanged, so
 * the caller is responsible for interpreting such values.
 *
 * @param oAuthAppBean application whose refresh token expiry configuration is consulted
 * @return the validity period in milliseconds
 */
private static long getConfiguredRefreshTokenValidityPeriodInMillis(OAuthAppDO oAuthAppBean) {

    long appExpirySeconds = oAuthAppBean.getRefreshTokenExpiryTime();
    boolean appLevelConfigured = appExpirySeconds != 0;

    long validitySeconds = appLevelConfigured
            ? appExpirySeconds
            : OAuthServerConfiguration.getInstance().getRefreshTokenValidityPeriodInSeconds();
    long validityPeriodInMillis = validitySeconds * SECOND_TO_MILLISECONDS_FACTOR;

    if (log.isDebugEnabled()) {
        String consumerKey = oAuthAppBean.getOauthConsumerKey();
        if (appLevelConfigured) {
            log.debug("OAuth application id : " + consumerKey
                    + ", using refresh token validity period configured for application: "
                    + validityPeriodInMillis + " ms");
        } else {
            log.debug("OAuth application id: " + consumerKey
                    + ", using refresh token validity period configured for server: "
                    + validityPeriodInMillis + " ms");
        }
    }
    return validityPeriodInMillis;
}
OAuthAppDO app = new OAuthAppDO(); if (tenantAwareLoggedInUser != null) { String tenantDomain = CarbonContext.getThreadLocalCarbonContext().getTenantDomain(); app.setApplicationName(application.getApplicationName()); if ((application.getGrantTypes().contains(AUTHORIZATION_CODE) || application.getGrantTypes() .contains(IMPLICIT)) && StringUtils.isEmpty(application.getCallbackUrl())) { throw new IdentityOAuthAdminException("Callback Url is required for Code or Implicit grant types"); app.setCallbackUrl(application.getCallbackUrl()); app.setState(APP_STATE_ACTIVE); if (StringUtils.isEmpty(application.getOauthConsumerKey())) { app.setOauthConsumerKey(OAuthUtil.getRandomNumber()); app.setOauthConsumerSecret(OAuthUtil.getRandomNumber()); } else { app.setOauthConsumerKey(application.getOauthConsumerKey()); if (StringUtils.isEmpty(application.getOauthConsumerSecret())) { app.setOauthConsumerSecret(OAuthUtil.getRandomNumber()); } else { app.setOauthConsumerSecret(application.getOauthConsumerSecret()); app.setAppOwner(appOwner); app.setOauthVersion(application.getOAuthVersion()); } else { // by default, assume OAuth 2.0, if it is not set. app.setOauthVersion(OAuthConstants.OAuthVersions.VERSION_2); if (OAuthConstants.OAuthVersions.VERSION_2.equals(app.getOauthVersion())) { List<String> allowedGrantTypes = new ArrayList<>(Arrays.asList(getAllowedGrantTypes()));
oauthApp = new OAuthAppDO(); oauthApp.setOauthConsumerKey(consumerKey); oauthApp.setOauthConsumerSecret(persistenceProcessor.getPreprocessedClientSecret(rSet.getString(1))); AuthenticatedUser authenticatedUser = new AuthenticatedUser(); authenticatedUser.setUserName(rSet.getString(2)); oauthApp.setApplicationName(rSet.getString(3)); oauthApp.setOauthVersion(rSet.getString(4)); oauthApp.setCallbackUrl(rSet.getString(5)); authenticatedUser.setTenantDomain(IdentityTenantUtil.getTenantDomain(rSet.getInt(6))); authenticatedUser.setUserStoreDomain(rSet.getString(7)); oauthApp.setUser(authenticatedUser); oauthApp.setGrantTypes(rSet.getString(8)); oauthApp.setId(rSet.getInt(9)); if (isPKCESupportEnabled) { oauthApp.setPkceMandatory("0".equals(rSet.getString(10)) ? false : true); oauthApp.setPkceSupportPlain("0".equals(rSet.getString(11)) ? false : true);
prepStmt.setString(1, oauthAppDO.getApplicationName()); prepStmt.setString(2, oauthAppDO.getCallbackUrl()); prepStmt.setString(3, oauthAppDO.getGrantTypes()); if(OAuth2ServiceComponentHolder.isPkceEnabled()) { prepStmt.setString(4, oauthAppDO.isPkceMandatory() ? "1" : "0"); prepStmt.setString(5, oauthAppDO.isPkceSupportPlain() ? "1" : "0"); prepStmt.setString(6, persistenceProcessor.getProcessedClientId(oauthAppDO.getOauthConsumerKey())); prepStmt.setString(7, persistenceProcessor.getProcessedClientSecret(oauthAppDO.getOauthConsumerSecret())); } else { prepStmt.setString(4, persistenceProcessor.getProcessedClientId(oauthAppDO.getOauthConsumerKey())); prepStmt.setString(5, persistenceProcessor.getProcessedClientSecret(oauthAppDO.getOauthConsumerSecret()));
int spTenantId = IdentityTenantUtil.getTenantId(consumerAppDO.getUser().getTenantDomain()); String userStoreDomain = consumerAppDO.getUser().getUserStoreDomain(); if (!isDuplicateApplication(consumerAppDO.getUser().getUserName(), spTenantId, userStoreDomain, consumerAppDO)) { int appId = 0; try (Connection connection = IdentityDatabaseUtil.getDBConnection()) { String processedClientId = persistenceProcessor.getProcessedClientId(consumerAppDO.getOauthConsumerKey()); String processedClientSecret = persistenceProcessor.getProcessedClientSecret(consumerAppDO.getOauthConsumerSecret()); prepStmt.setString(1, processedClientId); prepStmt.setString(2, processedClientSecret); prepStmt.setString(3, consumerAppDO.getUser().getUserName()); prepStmt.setInt(4, spTenantId); prepStmt.setString(5, userStoreDomain); prepStmt.setString(6, consumerAppDO.getApplicationName()); prepStmt.setString(7, consumerAppDO.getOauthVersion()); prepStmt.setString(8, consumerAppDO.getCallbackUrl()); prepStmt.setString(9, consumerAppDO.getGrantTypes()); prepStmt.setString(10, consumerAppDO.isPkceMandatory() ? "1" : "0"); prepStmt.setString(11, consumerAppDO.isPkceSupportPlain() ? "1" : "0"); prepStmt.setLong(12, consumerAppDO.getUserAccessTokenExpiryTime()); prepStmt.setLong(13, consumerAppDO.getApplicationAccessTokenExpiryTime()); prepStmt.setLong(14, consumerAppDO.getRefreshTokenExpiryTime()); prepStmt.setLong(15, consumerAppDO.getIdTokenExpiryTime()); prepStmt.execute(); try (ResultSet results = prepStmt.getGeneratedKeys()) {
if (StringUtils.isEmpty(appDO.getGrantTypes()) || StringUtils.isEmpty(appDO.getCallbackUrl())) { if (log.isDebugEnabled()) { log.debug("Registered App found for the given Client Id : " + clientId + " ,App Name : " + appDO .getApplicationName() + ", does not support the requested grant type."); OAuth2Util.setClientTenatId(IdentityTenantUtil.getTenantId(appDO.getUser().getTenantDomain())); validationResponseDTO.setCallbackURL(appDO.getCallbackUrl()); validationResponseDTO.setApplicationName(appDO.getApplicationName()); validationResponseDTO.setPkceMandatory(appDO.isPkceMandatory()); validationResponseDTO.setPkceSupportPlain(appDO.isPkceSupportPlain()); return validationResponseDTO; .getApplicationName() + ", Callback URL : " + appDO.getCallbackUrl()); String registeredCallbackUrl = appDO.getCallbackUrl(); if (registeredCallbackUrl.startsWith(OAuthConstants.CALLBACK_URL_REGEXP_PREFIX)) { regexp = registeredCallbackUrl.substring(OAuthConstants.CALLBACK_URL_REGEXP_PREFIX.length()); validationResponseDTO.setApplicationName(appDO.getApplicationName()); validationResponseDTO.setCallbackURL(callbackURI); return validationResponseDTO; } else if (appDO.getCallbackUrl().equals(callbackURI)) { validationResponseDTO.setValidClient(true); validationResponseDTO.setApplicationName(appDO.getApplicationName()); validationResponseDTO.setCallbackURL(callbackURI); validationResponseDTO.setPkceMandatory(appDO.isPkceMandatory()); validationResponseDTO.setPkceSupportPlain(appDO.isPkceSupportPlain()); return validationResponseDTO;
connection.prepareStatement(SQLQueries.OAuthAppDAOSQLQueries.ADD_SP_OIDC_PROPERTY)) { if (isOIDCAudienceEnabled() && consumerAppDO.getAudiences() != null) { String[] audiences = consumerAppDO.getAudiences(); for (String audience : audiences) { addToBatchForOIDCPropertyAdd(processedClientId, spTenantId, prepStmtAddOIDCProperty, REQUEST_OBJECT_SIGNED, String.valueOf(consumerAppDO.isRequestObjectSignatureValidationEnabled())); ID_TOKEN_ENCRYPTED, String.valueOf(consumerAppDO.isIdTokenEncryptionEnabled())); ID_TOKEN_ENCRYPTION_ALGORITHM, String.valueOf(consumerAppDO.getIdTokenEncryptionAlgorithm())); ID_TOKEN_ENCRYPTION_METHOD, String.valueOf(consumerAppDO.getIdTokenEncryptionMethod())); BACK_CHANNEL_LOGOUT_URL, consumerAppDO.getBackChannelLogoutUrl()); FRONT_CHANNEL_LOGOUT_URL, consumerAppDO.getFrontchannelLogoutUrl()); TOKEN_TYPE, consumerAppDO.getTokenType()); BYPASS_CLIENT_CREDENTIALS, String.valueOf(consumerAppDO.isBypassClientCredentials()));
if (!inboundAuthKey.equals(oAuthAppDO.getOauthConsumerKey())) { validationMsg.add(String.format("The Inbound Auth Key of the application name %s " + "is not match with Oauth Consumer Key %s.", authConfig.getInboundAuthKey(), oAuthAppDO.getOauthConsumerKey())); try { OAuthAppDO appInformation = dao.getAppInformation(inboundAuthKey); if (!appInformation.getApplicationName().equals( serviceProvider.getApplicationName())) { appInformation.getApplicationName(), inboundAuthKey)); break; IdentityTenantUtil.getTenantId(tenantDomain), tenantDomain, oAuthAppDO)) { validationMsg.add(String.format("There is already an oauth application available with" + " %s as application name", oAuthAppDO.getApplicationName())); break; if ((oAuthAppDO.getGrantTypes().contains(OAuthConstants.GrantTypes.AUTHORIZATION_CODE) || oAuthAppDO.getGrantTypes().contains(OAuthConstants.GrantTypes.IMPLICIT)) && StringUtils.isEmpty(oAuthAppDO.getCallbackUrl())) { validationMsg.add("Callback Url is required for Code or Implicit grant types"); validateScopeValidators(oAuthAppDO.getScopeValidators(), validationMsg); if (OAuthConstants.OAuthVersions.VERSION_2.equals(oAuthAppDO.getOauthVersion())) { validateGrants(oAuthAppDO.getGrantTypes().split("\\s"), validationMsg);
String sqlQuery = getSqlQuery(isUserValidForOwnerUpdate); try (PreparedStatement prepStmt = connection.prepareStatement(sqlQuery)) { prepStmt.setString(1, oauthAppDO.getApplicationName()); prepStmt.setString(2, oauthAppDO.getCallbackUrl()); prepStmt.setString(3, oauthAppDO.getGrantTypes()); updateScopeValidators(connection, oauthAppDO.getId(), oauthAppDO.getScopeValidators()); if (log.isDebugEnabled()) { log.debug("No. of records updated for updating consumer application. : " + count);
OAuthAppDO oAuthAppDO = marshelOAuthDO(authConfig.getInboundConfiguration(), serviceProvider.getApplicationName(), owner.getTenantDomain()); oAuthAppDO.setUser(buildAuthenticatedUser(owner)); if (oAuthAppDO.getOauthConsumerSecret() == null) { oAuthAppDO.setOauthConsumerSecret(OAuthUtil.getRandomNumber()); if (dao.isDuplicateConsumer(oAuthAppDO.getOauthConsumerKey())) { dao.updateConsumerApplication(oAuthAppDO); } else {
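/**
 * Marshals an OAuth application (OAuthAppDO) into its formatted JAXB XML representation.
 *
 * Despite the method name this is a marshal (object to XML string), not an unmarshal; it is used
 * when exporting an application. NOTE(review): OAuthAppDO carries the consumer secret alongside
 * the consumer key - if JAXB serializes that field, the returned XML contains the client secret
 * in clear text, so callers must treat the result as sensitive (do not log it, restrict who can
 * trigger an export).
 *
 * @param authApplication oauth application to be marshaled
 * @return the formatted XML representation of the application
 * @throws IdentityApplicationManagementException if JAXB cannot create the context/marshaller or
 *                                                fails to marshal the application
 */
private String unmarshelOAuthDO(OAuthAppDO authApplication) throws IdentityApplicationManagementException {

    try {
        JAXBContext jaxbContext = JAXBContext.newInstance(OAuthAppDO.class);
        Marshaller jaxbMarshaller = jaxbContext.createMarshaller();
        // Pretty-print so the exported document is human-readable.
        jaxbMarshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true);
        StringWriter sw = new StringWriter();
        jaxbMarshaller.marshal(authApplication, sw);
        return sw.toString();
    } catch (JAXBException e) {
        // Build the message defensively: a DO without an owner must not turn the JAXB failure
        // into a NullPointerException that hides the real cause.
        String tenantDomain = authApplication.getUser() != null
                ? authApplication.getUser().getTenantDomain() : null;
        throw new IdentityApplicationManagementException(String.format(
                "Error in exporting OAuth application %s@%s", authApplication.getApplicationName(), tenantDomain), e);
    }
}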
return true; if (oAuthAppDO != null && oAuthAppDO.isPkceMandatory() || referenceCodeChallenge != null) { if(oAuthAppDO.isPkceMandatory()) { throw new IdentityOAuth2Exception("No PKCE code verifier found.PKCE is mandatory for this " + "oAuth 2.0 application."); if(!oAuthAppDO.isPkceSupportPlain()) { throw new IdentityOAuth2Exception("This application does not allow 'plain' transformation algorithm.");
tokReqMsgCtx.setAuthorizedUser(oAuthAppDO.getUser()); tokenRespDTO.setCallbackURI(oAuthAppDO.getCallbackUrl());
prepStmt.setString(4, consumerAppDTO.getApplicationName());
scopeValidators = oAuthAppDO.getScopeValidators(); log.debug(String.format("There is no scope validator registered for %s@%s", oAuthAppDO.getApplicationName(), OAuth2Util.getTenantDomainOfOauthApp(oAuthAppDO))); throw new IdentityOAuth2Exception(String.format("The scope validators %s registered for application %s@%s" + " are not found in the server configuration ", StringUtils.join(appScopeValidators, ", "), oAuthAppDO.getApplicationName(), OAuth2Util.getTenantDomainOfOauthApp(oAuthAppDO)));
/**
 * Resolves the user access-token validity period, in milliseconds, for an authorization request.
 *
 * Precedence, highest first:
 * <ol>
 *   <li>a positive validity period carried on the message context (set through the callback),
 *       provided it is not the UNASSIGNED_VALIDITY_PERIOD sentinel;</li>
 *   <li>the application's own user access token expiry time, when non-zero;</li>
 *   <li>the server-wide value from OAuthServerConfiguration (identity.xml).</li>
 * </ol>
 * Only zero counts as "unset" at the application level: a negative application value is scaled
 * and returned unchanged, so the caller interprets it. The body never throws the declared
 * IdentityOAuth2Exception; it is kept for signature compatibility.
 *
 * @param oauthAuthzMsgCtx authorization request context carrying any callback-assigned validity period (seconds)
 * @param oAuthAppBean     application whose configured expiry time is consulted (seconds)
 * @return validity period in milliseconds
 * @throws IdentityOAuth2Exception declared for callers; not thrown by this implementation
 */
private static long getConfiguredAccessTokenValidityPeriodInMillis(OAuthAuthzReqMessageContext oauthAuthzMsgCtx,
                                                                    OAuthAppDO oAuthAppBean)
        throws IdentityOAuth2Exception {

    long callbackSeconds = oauthAuthzMsgCtx.getAccessTokenValidityPeriod();
    long validitySeconds;
    String debugPrefix;
    String debugDetail;

    if (callbackSeconds != OAuthConstants.UNASSIGNED_VALIDITY_PERIOD && callbackSeconds > 0) {
        // Callback-supplied value wins when it is assigned and positive.
        validitySeconds = callbackSeconds;
        debugPrefix = "OAuth application id : ";
        debugDetail = ", using access token validity period configured from callback: ";
    } else if (oAuthAppBean.getUserAccessTokenExpiryTime() != 0) {
        // Per-application setting.
        validitySeconds = oAuthAppBean.getUserAccessTokenExpiryTime();
        debugPrefix = "OAuth application id: ";
        debugDetail = ", using user access token validity period configured for application: ";
    } else {
        // Server-wide default.
        validitySeconds = OAuthServerConfiguration.getInstance().getUserAccessTokenValidityPeriodInSeconds();
        debugPrefix = "OAuth application id: ";
        debugDetail = ", using user access token validity period configured for server: ";
    }

    long validityPeriodInMillis = validitySeconds * SECOND_TO_MILLISECONDS_FACTOR;
    if (log.isDebugEnabled()) {
        log.debug(debugPrefix + oAuthAppBean.getOauthConsumerKey() + debugDetail + validityPeriodInMillis + " ms");
    }
    return validityPeriodInMillis;
}