/**
 * Builds the challenge that bounces an unauthenticated request to the login page.
 *
 * A fresh state code is generated and carried both in the redirect URI (via
 * {@link #getRedirectUri(String)}) and in the state cookie, so that the later
 * callback can be tied back to this browser (see {@code checkStateCookie}).
 * When no redirect URI can be computed, a 403 {@code NO_REDIRECT_URI} challenge
 * is returned instead.
 *
 * @return a challenge that, when executed, saves the current request in the token
 *         store, sets the state cookie and answers with a 302 to the login page
 */
protected AuthChallenge loginRedirect() {
    final String stateCode = getStateCode();
    final String loginUri = getRedirectUri(stateCode);
    if (loginUri == null) {
        return challenge(403, OIDCAuthenticationError.Reason.NO_REDIRECT_URI, null);
    }
    return new AuthChallenge() {
        @Override
        public int getResponseCode() {
            // Reports 0 even though challenge() itself emits a 302; kept as-is.
            return 0;
        }

        @Override
        public boolean challenge(HttpFacade exchange) {
            tokenStore.saveRequest();
            log.debug("Sending redirect to login page: " + loginUri);
            exchange.getResponse().setStatus(302);
            // Cookie flags: no explicit path or domain (the original asks "need to set path?"),
            // session-scoped (maxAge -1), Secure only when the deployment requires SSL for this
            // client address, always HttpOnly.
            // NOTE(review): with a null path the browser scopes the cookie to the directory of
            // the current request, so a callback on a different path would not carry it back —
            // confirm against the deployment's redirect URIs.
            final boolean secureFlag =
                deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr());
            exchange.getResponse().setCookie(
                deployment.getStateCookieName(), stateCode, null, null, -1, secureFlag, true);
            exchange.getResponse().setHeader("Location", loginUri);
            return true;
        }
    };
}
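/**
 * Validates the OAuth2 {@code state} round-trip on the callback request.
 *
 * The state cookie set by {@code loginRedirect} must be present and must match the
 * {@code state} query parameter returned by the authorization server; otherwise the
 * callback is rejected with a 400 {@code INVALID_STATE_COOKIE} challenge. The cookie is
 * reset as soon as it has been read so that it can be consumed only once, whether or
 * not the comparison succeeds.
 *
 * The comparison is done in constant time (via {@code MessageDigest.isEqual}) rather
 * than {@code String.equals}, so that the response time does not depend on how many
 * leading characters of the attacker-supplied query value match the cookie.
 *
 * @return {@code null} when the state matches, otherwise the challenge to send
 */
protected AuthChallenge checkStateCookie() {
    OIDCHttpFacade.Cookie stateCookie = getCookie(deployment.getStateCookieName());
    if (stateCookie == null) {
        log.warn("No state cookie");
        return challenge(400, OIDCAuthenticationError.Reason.INVALID_STATE_COOKIE, null);
    }
    // Single use: drop the cookie before checking it so a replayed callback cannot reuse it.
    log.debug("** reseting application state cookie");
    facade.getResponse().resetCookie(deployment.getStateCookieName(), stateCookie.getPath());
    String stateCookieValue = getCookieValue(deployment.getStateCookieName());
    String state = getQueryParamValue(OAuth2Constants.STATE);
    if (state == null) {
        log.warn("state parameter was null");
        return challenge(400, OIDCAuthenticationError.Reason.INVALID_STATE_COOKIE, null);
    }
    if (!stateMatches(state, stateCookieValue)) {
        // NOTE(review): both values end up in the log at WARN; the cookie is already reset
        // (one-time nonce) but the query value is attacker-controlled input.
        log.warn("state parameter invalid");
        log.warn("cookie: " + stateCookieValue);
        log.warn("queryParam: " + state);
        return challenge(400, OIDCAuthenticationError.Reason.INVALID_STATE_COOKIE, null);
    }
    return null;
}

/**
 * Constant-time equality of the callback's {@code state} parameter against the cookie value.
 *
 * @param queryState   the non-null value taken from the query string
 * @param cookieState  the cookie value, which may be null (treated as a mismatch,
 *                     matching the former {@code queryState.equals(null)} result)
 * @return true only when both strings are byte-for-byte equal
 */
private static boolean stateMatches(String queryState, String cookieState) {
    if (cookieState == null) {
        return false;
    }
    return java.security.MessageDigest.isEqual(
        queryState.getBytes(java.nio.charset.StandardCharsets.UTF_8),
        cookieState.getBytes(java.nio.charset.StandardCharsets.UTF_8));
}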
/**
 * Drives the authorization-code flow for the current request.
 *
 * Three outcomes, decided by what the request carries:
 * <ul>
 *   <li>no {@code code} and no {@code error}: a fresh request, so a login-redirect
 *       challenge is prepared and {@code NOT_ATTEMPTED} is returned;</li>
 *   <li>no {@code code} but an {@code error}: the authorization server refused; a 400
 *       {@code OAUTH_ERROR} challenge carrying the error is prepared and {@code FAILED}
 *       is returned;</li>
 *   <li>a {@code code}: it is exchanged through {@link #resolveCode(String)}; a non-null
 *       challenge from that step means {@code FAILED}, otherwise {@code AUTHENTICATED}.</li>
 * </ul>
 * Whatever challenge is prepared is left in the {@code challenge} field for the caller.
 *
 * @return the outcome of this authentication attempt
 */
public AuthOutcome authenticate() {
    String code = getCode();
    if (code != null) {
        log.debug("there was a code, resolving");
        challenge = resolveCode(code);
        return challenge == null ? AuthOutcome.AUTHENTICATED : AuthOutcome.FAILED;
    }
    log.debug("there was no code");
    String error = getError();
    if (error == null) {
        log.debug("redirecting to auth server");
        challenge = loginRedirect();
        return AuthOutcome.NOT_ATTEMPTED;
    }
    // todo how do we send a response?
    // NOTE(review): the error value is written straight into the log; if getError() reads it
    // from the request it is attacker-controlled, so consider stripping CR/LF before logging.
    log.warn("There was an error: " + error);
    challenge = challenge(400, OIDCAuthenticationError.Reason.OAUTH_ERROR, error);
    return AuthOutcome.FAILED;
}
return challenge(403, OIDCAuthenticationError.Reason.SSL_REQUIRED, null); log.error(" " + failure.getError()); return challenge(403, OIDCAuthenticationError.Reason.CODE_TO_TOKEN_FAILURE, null); return challenge(403, OIDCAuthenticationError.Reason.CODE_TO_TOKEN_FAILURE, null); } catch (VerificationException e) { log.error("failed verification of token: " + e.getMessage()); return challenge(403, OIDCAuthenticationError.Reason.INVALID_TOKEN, null); return challenge(403, OIDCAuthenticationError.Reason.STALE_TOKEN, null);