/**
 * Validates the required parameters of a hybrid-flow ("code token") authorization request.
 *
 * <p>The common checks run in the superclass first. This override then requires the scope
 * parameter to be present and to include the OIDC 'openid' scope (as decided by
 * {@code isContainOIDCScope}); otherwise the request is rejected with {@code invalid_request}.
 *
 * @param request the incoming authorization request; its parameters are untrusted client input
 * @throws OAuthProblemException if the superclass checks fail or the 'openid' scope is missing
 */
@Override
public void validateRequiredParameters(HttpServletRequest request) throws OAuthProblemException {

    super.validateRequiredParameters(request);

    // The client_id is read only so it can be echoed in the error description below.
    String clientID = request.getParameter(CLIENT_ID);
    String requestedScope = request.getParameter(SCOPE);

    boolean hasOpenIdScope = !StringUtils.isBlank(requestedScope) && isContainOIDCScope(requestedScope);
    if (hasOpenIdScope) {
        return;
    }

    throw OAuthProblemException.error(OAuthError.TokenResponse.INVALID_REQUEST)
            .description("Request with \'client_id\' = \'" + clientID + "\' has "
                    + "\'response_type\' for \'hybrid flow\'; but \'openid\' scope not found.");
}
/**
 * Validates the required parameters of an authorization request whose response type contains
 * 'id_token'.
 *
 * <p>After the superclass checks, the scope parameter must be non-blank and must include the
 * 'openid' scope (as decided by {@code containOIDCScope}); otherwise an {@code invalid_request}
 * error is raised.
 *
 * @param request the incoming authorization request; its parameters are untrusted client input
 * @throws OAuthProblemException if the superclass checks fail or the 'openid' scope is missing
 */
public void validateRequiredParameters(HttpServletRequest request) throws OAuthProblemException {

    super.validateRequiredParameters(request);

    String requestedScope = request.getParameter(SCOPE);
    boolean hasOpenIdScope = !StringUtils.isBlank(requestedScope) && containOIDCScope(requestedScope);
    if (hasOpenIdScope) {
        return;
    }

    throw OAuthProblemException.error(OAuthError.TokenResponse.INVALID_REQUEST)
            .description("\'response_type\' contains \'id_token\'; but \'openid\' scope not found.");
}
/**
 * Decides whether this handler authenticates the client of a token request without a secret.
 *
 * <p>Returns {@code true} only when all of the following hold: no client secret was sent, the
 * grant type is SAML 2.0 bearer, and {@code authConfig} is explicitly "false" (i.e. strict
 * client credential validation is disabled). In every other case it returns {@code false},
 * which here means "not authenticated by this check"; NOTE(review): the caller presumably
 * performs its own credential validation in that case — confirm against the subclasses.
 *
 * @param tokReqMsgCtx the token request context carrying the access token request DTO
 * @return {@code true} if the request may proceed without a client secret, {@code false} otherwise
 * @throws IdentityOAuth2Exception declared for overriding handlers; not thrown by this body
 */
@Override
public boolean authenticateClient(OAuthTokenReqMessageContext tokReqMsgCtx) throws IdentityOAuth2Exception {

    OAuth2AccessTokenReqDTO tokenRequest = tokReqMsgCtx.getOauth2AccessTokenReqDTO();
    String grantType = tokenRequest.getGrantType();
    String saml2BearerGrant = org.wso2.carbon.identity.oauth.common.GrantType.SAML20_BEARER.toString();

    // Skip secret validation for SAML2 bearer only when the deployment explicitly opts out of it.
    boolean skipSecretCheck = StringUtils.isEmpty(tokenRequest.getClientSecret())
            && saml2BearerGrant.equals(grantType)
            && JavaUtils.isFalseExplicitly(authConfig);

    if (skipSecretCheck) {
        if (log.isDebugEnabled()) {
            log.debug("Grant type : " + grantType + " " + "Strict client validation set to : " + authConfig
                    + " Authenticating without client secret");
        }
        return true;
    }

    if (log.isDebugEnabled()) {
        log.debug("Grant type : " + grantType + " " + "Strict client validation set to : " + authConfig);
    }
    return false;
}
// Closing brace of the enclosing class (its header is outside this excerpt).
}
/**
 * Asks the registered callback handlers whether the token request is authorized for access
 * delegation.
 *
 * <p>An {@link OAuthCallback} of type {@code ACCESS_DELEGATION_TOKEN} is built from the
 * authorized user, client id and requested scope. SAML 2.0 bearer and IWA-NTLM grants are
 * mapped onto their Carbon grant type enum values; any other grant type is passed through as
 * the raw string. The validity period chosen by the callback is written back into the context.
 *
 * @param tokReqMsgCtx the token request context; its validity period is updated as a side effect
 * @return whether the callback marked the delegation as authorized
 * @throws IdentityOAuth2Exception declared for overriding handlers; not thrown by this body
 */
@Override
public boolean authorizeAccessDelegation(OAuthTokenReqMessageContext tokReqMsgCtx) throws IdentityOAuth2Exception {

    OAuth2AccessTokenReqDTO tokenRequest = tokReqMsgCtx.getOauth2AccessTokenReqDTO();
    String grantType = tokenRequest.getGrantType();

    OAuthCallback delegationCallback = new OAuthCallback(tokReqMsgCtx.getAuthorizedUser(),
            tokenRequest.getClientId(), OAuthCallback.OAuthCallbackType.ACCESS_DELEGATION_TOKEN);
    delegationCallback.setRequestedScope(tokReqMsgCtx.getScope());

    String saml2BearerGrant = org.wso2.carbon.identity.oauth.common.GrantType.SAML20_BEARER.toString();
    String iwaNtlmGrant = org.wso2.carbon.identity.oauth.common.GrantType.IWA_NTLM.toString();

    // Carbon-specific grants carry an enum; everything else is forwarded as the plain grant string.
    if (grantType.equals(saml2BearerGrant)) {
        delegationCallback.setCarbonGrantType(org.wso2.carbon.identity.oauth.common.GrantType.valueOf(
                OAuthConstants.OAUTH_SAML2_BEARER_GRANT_ENUM.toString()));
    } else if (grantType.equals(iwaNtlmGrant)) {
        delegationCallback.setCarbonGrantType(org.wso2.carbon.identity.oauth.common.GrantType.valueOf(
                OAuthConstants.OAUTH_IWA_NTLM_GRANT_ENUM.toString()));
    } else {
        delegationCallback.setGrantType(grantType);
    }

    callbackManager.handleCallback(delegationCallback);
    tokReqMsgCtx.setValidityPeriod(delegationCallback.getValidityPeriod());
    return delegationCallback.isAuthorized();
}
/**
 * Asks the registered callback handlers whether the token request is authorized for access
 * delegation.
 *
 * <p>An {@link OAuthCallback} of type {@code ACCESS_DELEGATION_TOKEN} is built from the
 * authorized user, client id and requested scope. SAML 2.0 bearer and IWA-NTLM grants are
 * mapped onto their Carbon grant type enum values; any other grant type is passed through as
 * the raw string. The validity period chosen by the callback is written back into the context.
 *
 * @param tokReqMsgCtx the token request context; its validity period is updated as a side effect
 * @return whether the callback marked the delegation as authorized
 * @throws IdentityOAuth2Exception declared for overriding handlers; not thrown by this body
 */
@Override
public boolean authorizeAccessDelegation(OAuthTokenReqMessageContext tokReqMsgCtx) throws IdentityOAuth2Exception {

    OAuth2AccessTokenReqDTO tokenRequest = tokReqMsgCtx.getOauth2AccessTokenReqDTO();
    String grantType = tokenRequest.getGrantType();

    OAuthCallback delegationCallback = new OAuthCallback(tokReqMsgCtx.getAuthorizedUser(),
            tokenRequest.getClientId(), OAuthCallback.OAuthCallbackType.ACCESS_DELEGATION_TOKEN);
    delegationCallback.setRequestedScope(tokReqMsgCtx.getScope());

    String saml2BearerGrant = org.wso2.carbon.identity.oauth.common.GrantType.SAML20_BEARER.toString();
    String iwaNtlmGrant = org.wso2.carbon.identity.oauth.common.GrantType.IWA_NTLM.toString();

    // Carbon-specific grants carry an enum; everything else is forwarded as the plain grant string.
    if (grantType.equals(saml2BearerGrant)) {
        delegationCallback.setCarbonGrantType(org.wso2.carbon.identity.oauth.common.GrantType.valueOf(
                OAuthConstants.OAUTH_SAML2_BEARER_GRANT_ENUM));
    } else if (grantType.equals(iwaNtlmGrant)) {
        delegationCallback.setCarbonGrantType(org.wso2.carbon.identity.oauth.common.GrantType.valueOf(
                OAuthConstants.OAUTH_IWA_NTLM_GRANT_ENUM));
    } else {
        delegationCallback.setGrantType(grantType);
    }

    callbackManager.handleCallback(delegationCallback);
    tokReqMsgCtx.setValidityPeriod(delegationCallback.getValidityPeriod());
    return delegationCallback.isAuthorized();
}
// Register the SAML 2.0 bearer grant validator, keyed by the grant type's string form
// (the enclosing method and the map's declaration are outside this excerpt).
supportedGrantTypeValidatorsTemp.put( org.wso2.carbon.identity.oauth.common.GrantType.SAML20_BEARER .toString(), SAML2GrantValidator.class);
/**
 * Validates the required parameters of an authorization request whose response type contains
 * 'id_token'.
 *
 * <p>After the superclass checks, two parameters are mandatory: a non-blank 'nonce' and a
 * scope that includes 'openid' (as decided by {@code containOIDCScope}). A missing nonce is
 * reported before a missing scope; each failure raises {@code invalid_request}.
 *
 * @param request the incoming authorization request; its parameters are untrusted client input
 * @throws OAuthProblemException if the superclass checks fail, or 'nonce' or 'openid' is missing
 */
public void validateRequiredParameters(HttpServletRequest request) throws OAuthProblemException {

    super.validateRequiredParameters(request);

    String nonceValue = request.getParameter("nonce");
    if (StringUtils.isBlank(nonceValue)) {
        throw OAuthProblemException.error(OAuthError.TokenResponse.INVALID_REQUEST)
                .description("\'response_type\' contains \'id_token\'; but \'nonce\' parameter not found");
    }

    // An id_token can only be issued when the client asked for the 'openid' scope.
    String requestedScope = request.getParameter("scope");
    boolean hasOpenIdScope = !StringUtils.isBlank(requestedScope) && containOIDCScope(requestedScope);
    if (!hasOpenIdScope) {
        throw OAuthProblemException.error(OAuthError.TokenResponse.INVALID_REQUEST)
                .description("\'response_type\' contains \'id_token\'; but \'openid\' scope not found.");
    }
}
/**
 * Runs scope validation for a token request through the registered callback handlers.
 *
 * <p>An {@link OAuthCallback} of type {@code SCOPE_VALIDATION_TOKEN} is built from the
 * authorized user, client id and requested scope. SAML 2.0 bearer and IWA-NTLM grants are
 * mapped onto their Carbon grant type enum values; any other grant type is passed through as
 * the raw string. After the callback runs, the context's validity period and scope are
 * overwritten with the values the callback approved.
 *
 * @param tokReqMsgCtx the token request context; its validity period and scope are updated
 * @return whether the callback accepted the requested scope
 * @throws IdentityOAuth2Exception declared for overriding handlers; not thrown by this body
 */
@Override
public boolean validateScope(OAuthTokenReqMessageContext tokReqMsgCtx) throws IdentityOAuth2Exception {

    OAuth2AccessTokenReqDTO tokenRequest = tokReqMsgCtx.getOauth2AccessTokenReqDTO();
    String grantType = tokenRequest.getGrantType();

    OAuthCallback scopeCallback = new OAuthCallback(tokReqMsgCtx.getAuthorizedUser(),
            tokenRequest.getClientId(), OAuthCallback.OAuthCallbackType.SCOPE_VALIDATION_TOKEN);
    scopeCallback.setRequestedScope(tokReqMsgCtx.getScope());

    String saml2BearerGrant = org.wso2.carbon.identity.oauth.common.GrantType.SAML20_BEARER.toString();
    String iwaNtlmGrant = org.wso2.carbon.identity.oauth.common.GrantType.IWA_NTLM.toString();

    // Carbon-specific grants carry an enum; everything else is forwarded as the plain grant string.
    if (grantType.equals(saml2BearerGrant)) {
        scopeCallback.setCarbonGrantType(org.wso2.carbon.identity.oauth.common.GrantType.valueOf(
                OAuthConstants.OAUTH_SAML2_BEARER_GRANT_ENUM.toString()));
    } else if (grantType.equals(iwaNtlmGrant)) {
        scopeCallback.setCarbonGrantType(org.wso2.carbon.identity.oauth.common.GrantType.valueOf(
                OAuthConstants.OAUTH_IWA_NTLM_GRANT_ENUM.toString()));
    } else {
        scopeCallback.setGrantType(grantType);
    }

    callbackManager.handleCallback(scopeCallback);

    // The approved scope replaces the requested one, so downstream issuance only sees what was granted.
    tokReqMsgCtx.setValidityPeriod(scopeCallback.getValidityPeriod());
    tokReqMsgCtx.setScope(scopeCallback.getApprovedScope());
    return scopeCallback.isValidScope();
}
// Register the SAML 2.0 bearer grant validator, keyed by the grant type's string form
// (the enclosing method and the map's declaration are outside this excerpt).
supportedGrantTypeValidatorsTemp.put( org.wso2.carbon.identity.oauth.common.GrantType.SAML20_BEARER .toString(), SAML2GrantValidator.class);
scopeValidationCallback.setRequestedScope(tokReqMsgCtx.getScope()); if (tokReqMsgCtx.getOauth2AccessTokenReqDTO().getGrantType().equals( org.wso2.carbon.identity.oauth.common.GrantType.SAML20_BEARER.toString())) { scopeValidationCallback.setCarbonGrantType(org.wso2.carbon.identity.oauth.common.GrantType.valueOf( OAuthConstants.OAUTH_SAML2_BEARER_GRANT_ENUM.toString())); } else if (tokReqMsgCtx.getOauth2AccessTokenReqDTO().getGrantType().equals( org.wso2.carbon.identity.oauth.common.GrantType.IWA_NTLM.toString())) { scopeValidationCallback.setCarbonGrantType(org.wso2.carbon.identity.oauth.common.GrantType.valueOf( OAuthConstants.OAUTH_IWA_NTLM_GRANT_ENUM.toString())); } else {
if (org.wso2.carbon.identity.oauth.common.GrantType.SAML20_BEARER.toString().equals( oAuth2AccessTokenReqDTO.getGrantType())) {
// Seed the default grant-type -> handler class-name map, then merge it into the supported set.
// Two GrantType enums are referenced: the unqualified one for standard OAuth2 grants and the
// fully-qualified wso2 one for SAML2 bearer / IWA-NTLM; presumably a name clash with an import — verify.
// (The enclosing method and both map declarations are outside this excerpt.)
defaultGrantTypes.put(GrantType.PASSWORD.toString(), PASSWORD_GRANT_HANDLER_CLASS); defaultGrantTypes.put(GrantType.REFRESH_TOKEN.toString(), REFRESH_TOKEN_GRANT_HANDLER_CLASS); defaultGrantTypes.put(org.wso2.carbon.identity.oauth.common.GrantType.SAML20_BEARER.toString(), SAML20_BEARER_GRANT_HANDLER_CLASS); defaultGrantTypes.put(org.wso2.carbon.identity.oauth.common.GrantType.IWA_NTLM.toString(), IWA_NTLM_BEARER_GRANT_HANDLER_CLASS); supportedGrantTypeClassNames.putAll(defaultGrantTypes);
// Seed the default grant-type -> handler class-name map, then merge it into the supported set.
// Two GrantType enums are referenced: the unqualified one for standard OAuth2 grants and the
// fully-qualified wso2 one for SAML2 bearer / IWA-NTLM; presumably a name clash with an import — verify.
// (The enclosing method and both map declarations are outside this excerpt.)
defaultGrantTypes.put(GrantType.PASSWORD.toString(), PASSWORD_GRANT_HANDLER_CLASS); defaultGrantTypes.put(GrantType.REFRESH_TOKEN.toString(), REFRESH_TOKEN_GRANT_HANDLER_CLASS); defaultGrantTypes.put(org.wso2.carbon.identity.oauth.common.GrantType.SAML20_BEARER.toString(), SAML20_BEARER_GRANT_HANDLER_CLASS); defaultGrantTypes.put(org.wso2.carbon.identity.oauth.common.GrantType.IWA_NTLM.toString(), IWA_NTLM_BEARER_GRANT_HANDLER_CLASS); supportedGrantTypeClassNames.putAll(defaultGrantTypes);
if (GrantType.SAML20_BEARER.toString().equals(grantType) && Boolean.parseBoolean(isSAML2Enabled)) { Assertion assertion = (Assertion) tokReqMsgCtx.getProperty(ResourceConstants.SAML2_ASSERTION); userRoles = getRolesFromAssertion(assertion);
!org.wso2.carbon.identity.oauth.common.GrantType.SAML20_BEARER.toString().equals( request.getOauth2AccessTokenReqDTO().getGrantType())) {