/**
 * Reads the server-wide token validity periods and packs them into a DTO.
 *
 * @return a new {@code OAuthTokenExpiryTimeDTO} holding the user access token, application access token,
 *         refresh token and ID token validity periods (in seconds) taken from {@code OAuthServerConfiguration}
 */
public OAuthTokenExpiryTimeDTO getTokenExpiryTimes() {
    // Resolve the configuration singleton once instead of once per field.
    OAuthServerConfiguration serverConfig = OAuthServerConfiguration.getInstance();

    OAuthTokenExpiryTimeDTO expiryTimes = new OAuthTokenExpiryTimeDTO();
    expiryTimes.setUserAccessTokenExpiryTime(serverConfig.getUserAccessTokenValidityPeriodInSeconds());
    expiryTimes.setApplicationAccessTokenExpiryTime(serverConfig.getApplicationAccessTokenValidityPeriodInSeconds());
    expiryTimes.setRefreshTokenExpiryTime(serverConfig.getRefreshTokenValidityPeriodInSeconds());
    expiryTimes.setIdTokenExpiryTime(serverConfig.getOpenIDConnectIDTokenExpiryTimeInSeconds());
    return expiryTimes;
}
/**
 * Converts an {@link org.wso2.carbon.identity.oauth.dto.OAuthConsumerAppDTO} returned by OAuthAdminService
 * into an {@link org.wso2.carbon.apimgt.api.model.OAuthApplicationInfo}.
 *
 * <p>Besides the client id, client secret and callback URL, the callback URL, application name and grant
 * types are also recorded as named parameters. The result carries the consumer secret, so it must not be
 * logged or handed to callers that are not entitled to it.
 *
 * @param createdApp response from OAuthAdminService
 * @return the converted {@link org.wso2.carbon.apimgt.api.model.OAuthApplicationInfo}
 */
private OAuthApplicationInfo createOAuthAppInfoFromDTO(OAuthConsumerAppDTO createdApp) {
    String callbackUrl = createdApp.getCallbackUrl();

    OAuthApplicationInfo appInfo = new OAuthApplicationInfo();
    appInfo.setClientId(createdApp.getOauthConsumerKey());
    appInfo.setClientSecret(createdApp.getOauthConsumerSecret());
    appInfo.setCallBackURL(callbackUrl);

    // The callback URL is exposed a second time under the redirect-URIs parameter key.
    appInfo.addParameter(ApplicationConstants.OAUTH_REDIRECT_URIS, callbackUrl);
    appInfo.addParameter(ApplicationConstants.OAUTH_CLIENT_NAME, createdApp.getApplicationName());
    appInfo.addParameter(ApplicationConstants.OAUTH_CLIENT_GRANT, createdApp.getGrantTypes());
    return appInfo;
}
}
/**
 * Looks up the claims bound to {@code scope} for the tenant, serving from the OIDC scope/claim cache after
 * refreshing it through {@code loadOIDCScopeClaims}.
 *
 * <p>Cached entries whose claim list is {@code null} are ignored. If several entries share the name, the last
 * one in iteration order wins. A scope with no match yields an empty {@code ScopeDTO} (no name, no claims)
 * rather than {@code null}.
 *
 * @param scope    scope name to resolve; must not be {@code null}
 * @param tenantId tenant whose scope/claim mapping is consulted
 * @return the matching {@code ScopeDTO}, or an empty one when nothing matches
 * @throws IdentityOAuth2Exception presumably raised while loading the scope/claim mapping
 */
@Override
public ScopeDTO getClaims(String scope, int tenantId) throws IdentityOAuth2Exception {
    OIDCScopeClaimCacheEntry cacheEntry = oidcScopeClaimCache.getScopeClaimMap(tenantId);
    cacheEntry = loadOIDCScopeClaims(tenantId, cacheEntry);

    ScopeDTO match = null;
    for (ScopeDTO candidate : cacheEntry.getScopeClaimMapping()) {
        boolean sameName = scope.equals(candidate.getName());
        if (sameName && candidate.getClaim() != null) {
            match = candidate;
        }
    }
    return match != null ? match : new ScopeDTO();
}
OAuthConsumerAppDTO dto = new OAuthConsumerAppDTO(); dto.setApplicationName(appDO.getApplicationName()); dto.setCallbackUrl(appDO.getCallbackUrl()); dto.setOauthConsumerKey(appDO.getOauthConsumerKey()); dto.setOauthConsumerSecret(appDO.getOauthConsumerSecret()); dto.setOAuthVersion(appDO.getOauthVersion()); dto.setGrantTypes(appDO.getGrantTypes()); dto.setScopeValidators(appDO.getScopeValidators()); dto.setUsername(appDO.getUser().toFullQualifiedUsername()); dto.setState(appDO.getState()); dto.setPkceMandatory(appDO.isPkceMandatory()); dto.setPkceSupportPlain(appDO.isPkceSupportPlain()); dto.setUserAccessTokenExpiryTime(appDO.getUserAccessTokenExpiryTime()); dto.setApplicationAccessTokenExpiryTime(appDO.getApplicationAccessTokenExpiryTime()); dto.setRefreshTokenExpiryTime(appDO.getRefreshTokenExpiryTime()); dto.setIdTokenExpiryTime(appDO.getIdTokenExpiryTime()); dto.setAudiences(appDO.getAudiences()); dto.setRequestObjectSignatureValidationEnabled(appDO.isRequestObjectSignatureValidationEnabled()); dto.setIdTokenEncryptionEnabled(appDO.isIdTokenEncryptionEnabled()); dto.setIdTokenEncryptionAlgorithm(appDO.getIdTokenEncryptionAlgorithm()); dto.setIdTokenEncryptionMethod(appDO.getIdTokenEncryptionMethod()); dto.setBackChannelLogoutUrl(appDO.getBackChannelLogoutUrl()); dto.setFrontchannelLogoutUrl(appDO.getFrontchannelLogoutUrl()); dto.setTokenType(appDO.getTokenType()); dto.setBypassClientCredentials(appDO.isBypassClientCredentials()); return dto;
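/**
 * Get OAuth application data by the consumer key.
 *
 * <p>When the DAO yields no application, an empty {@code OAuthConsumerAppDTO} is returned rather than
 * {@code null}. The returned DTO carries the consumer secret; keep it out of logs and out of responses
 * that are not entitled to it.
 *
 * @param consumerKey Consumer Key
 * @return <code>OAuthConsumerAppDTO</code> with application information
 * @throws IdentityOAuthAdminException Error when reading application information from persistence store.
 */
public OAuthConsumerAppDTO getOAuthApplicationData(String consumerKey) throws IdentityOAuthAdminException {
    OAuthConsumerAppDTO dto = new OAuthConsumerAppDTO();
    OAuthAppDAO dao = new OAuthAppDAO();
    try {
        OAuthAppDO app = dao.getAppInformation(consumerKey);
        if (app != null) {
            dto.setApplicationName(app.getApplicationName());
            dto.setCallbackUrl(app.getCallbackUrl());
            dto.setOauthConsumerKey(app.getOauthConsumerKey());
            dto.setOauthConsumerSecret(app.getOauthConsumerSecret());
            dto.setOAuthVersion(app.getOauthVersion());
            dto.setGrantTypes(app.getGrantTypes());
            dto.setPkceMandatory(app.isPkceMandatory());
            dto.setPkceSupportPlain(app.isPkceSupportPlain());
        }
        return dto;
    } catch (InvalidOAuthClientException | IdentityOAuth2Exception e) {
        // Both DAO failure modes are surfaced as the admin-level exception, keeping the original as cause.
        throw new IdentityOAuthAdminException("Error while retrieving the app information using consumer key", e);
    }
}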
/**
 * Fills in any token expiry time that was left at {@code 0} with the corresponding server-wide default from
 * {@code OAuthServerConfiguration}, reporting each substitution through {@code logOnInvalidConfig}.
 *
 * <p>Only an exact {@code 0} is treated as "not configured"; any other value, including a negative one, is
 * passed through untouched.
 *
 * @param oAuthConsumerAppDTO application whose expiry settings are adjusted in place
 */
private void validateTokenExpiryConfigurations(OAuthConsumerAppDTO oAuthConsumerAppDTO) {
    OAuthServerConfiguration serverConfig = OAuthServerConfiguration.getInstance();
    String appName = oAuthConsumerAppDTO.getApplicationName();

    if (oAuthConsumerAppDTO.getUserAccessTokenExpiryTime() == 0) {
        oAuthConsumerAppDTO.setUserAccessTokenExpiryTime(serverConfig.getUserAccessTokenValidityPeriodInSeconds());
        logOnInvalidConfig(appName, "user access token", oAuthConsumerAppDTO.getUserAccessTokenExpiryTime());
    }
    if (oAuthConsumerAppDTO.getApplicationAccessTokenExpiryTime() == 0) {
        oAuthConsumerAppDTO.setApplicationAccessTokenExpiryTime(
                serverConfig.getApplicationAccessTokenValidityPeriodInSeconds());
        logOnInvalidConfig(appName, "application access token",
                oAuthConsumerAppDTO.getApplicationAccessTokenExpiryTime());
    }
    if (oAuthConsumerAppDTO.getRefreshTokenExpiryTime() == 0) {
        oAuthConsumerAppDTO.setRefreshTokenExpiryTime(serverConfig.getRefreshTokenValidityPeriodInSeconds());
        logOnInvalidConfig(appName, "refresh token", oAuthConsumerAppDTO.getRefreshTokenExpiryTime());
    }
    if (oAuthConsumerAppDTO.getIdTokenExpiryTime() == 0) {
        oAuthConsumerAppDTO.setIdTokenExpiryTime(serverConfig.getOpenIDConnectIDTokenExpiryTimeInSeconds());
        logOnInvalidConfig(appName, "id token", oAuthConsumerAppDTO.getIdTokenExpiryTime());
    }
}
/**
 * Get OAuth application data by the consumer key.
 *
 * <p>Returns an empty {@code OAuthConsumerAppDTO} when the DAO yields no application; persistence failures
 * are wrapped through {@code handleError}. The DTO built by {@code buildConsumerAppDTO} is the full
 * application record (presumably including the consumer secret), so only the application name and the
 * consumer key are written to the debug log.
 *
 * @param consumerKey Consumer Key
 * @return <code>OAuthConsumerAppDTO</code> with application information
 * @throws IdentityOAuthAdminException Error when reading application information from persistence store.
 */
public OAuthConsumerAppDTO getOAuthApplicationData(String consumerKey) throws IdentityOAuthAdminException {
    OAuthAppDAO appDAO = new OAuthAppDAO();
    try {
        OAuthAppDO appDO = appDAO.getAppInformation(consumerKey);
        if (appDO == null) {
            return new OAuthConsumerAppDTO();
        }
        OAuthConsumerAppDTO dto = buildConsumerAppDTO(appDO);
        if (log.isDebugEnabled()) {
            log.debug("Found App :" + dto.getApplicationName() + " for consumerKey: " + consumerKey);
        }
        return dto;
    } catch (InvalidOAuthClientException | IdentityOAuth2Exception e) {
        throw handleError("Error while retrieving the app information using consumerKey: " + consumerKey, e);
    }
}
/**
 * Revoke approve always of the consent for OAuth apps by resource owners.
 *
 * <p>The user name and tenant domain are taken from the thread-local Carbon context rather than from the
 * caller's arguments. A persistence failure is logged server-side and reported to the caller as a generic
 * {@code INVALID_REQUEST} without the underlying details.
 *
 * @param appName name of the app
 * @param state   state of the approve always
 * @return revokeRespDTO DTO representing success or failure message
 * @throws IdentityOAuthAdminException if raised by the underlying token-management call
 */
public OAuthRevocationResponseDTO updateApproveAlwaysForAppConsentByResourceOwner(String appName, String state)
        throws IdentityOAuthAdminException {
    PrivilegedCarbonContext carbonContext = PrivilegedCarbonContext.getThreadLocalCarbonContext();
    String tenantDomain = carbonContext.getTenantDomain();
    String tenantAwareUserName = carbonContext.getUsername();

    OAuthRevocationResponseDTO response = new OAuthRevocationResponseDTO();
    try {
        OAuthTokenPersistenceFactory.getInstance().getTokenManagementDAO()
                .updateApproveAlwaysForAppConsentByResourceOwner(tenantAwareUserName, tenantDomain, appName, state);
    } catch (IdentityOAuth2Exception e) {
        log.error("Error occurred while revoking OAuth Consent approve always of Application " + appName
                + " of user " + tenantAwareUserName, e);
        response.setError(true);
        response.setErrorCode(OAuth2ErrorCodes.INVALID_REQUEST);
        response.setErrorMsg("Invalid revocation request");
    }
    return response;
}
/**
 * Delete OAuth2/OIDC application with client_id.
 *
 * <p>The application is resolved through {@code getApplicationById}, which presumably performs the
 * input, existence and ownership checks before anything destructive happens here. The owner and tenant
 * handed to {@code deleteServiceProvider} come from the thread-local Carbon context, not from the caller.
 *
 * @param clientId client_id of the application to delete
 * @throws DCRMException when the application cannot be resolved for the current user
 */
public void deleteApplication(String clientId) throws DCRMException {
    // Resolve (and thereby validate) first; nothing is deleted if this throws.
    OAuthConsumerAppDTO application = getApplicationById(clientId);

    PrivilegedCarbonContext carbonContext = PrivilegedCarbonContext.getThreadLocalCarbonContext();
    String owner = carbonContext.getUsername();
    String tenant = carbonContext.getTenantDomain();
    deleteServiceProvider(application.getApplicationName(), tenant, owner);
}
/**
 * Get supported algorithms from OAuthServerConfiguration and construct an OAuthIDTokenAlgorithmDTO object.
 *
 * <p>Copies the default ID token encryption algorithm and method plus the supported lists of each into a
 * fresh DTO; nothing is computed or filtered here.
 *
 * @return Constructed OAuthIDTokenAlgorithmDTO object with supported algorithms.
 */
public OAuthIDTokenAlgorithmDTO getSupportedIDTokenAlgorithms() {
    OAuthServerConfiguration serverConfig = OAuthServerConfiguration.getInstance();

    OAuthIDTokenAlgorithmDTO algorithms = new OAuthIDTokenAlgorithmDTO();
    algorithms.setDefaultIdTokenEncryptionAlgorithm(serverConfig.getDefaultIdTokenEncryptionAlgorithm());
    algorithms.setDefaultIdTokenEncryptionMethod(serverConfig.getDefaultIdTokenEncryptionMethod());
    algorithms.setSupportedIdTokenEncryptionAlgorithms(serverConfig.getSupportedIdTokenEncryptionAlgorithm());
    algorithms.setSupportedIdTokenEncryptionMethods(serverConfig.getSupportedIdTokenEncryptionMethods());
    return algorithms;
}
/**
 * Checks whether the current user owns the OAuth application identified by {@code clientId}.
 *
 * <p>Ownership is decided by listing the user's applications through
 * {@code oAuthAdminService.getAllOAuthApplicationData()} and looking for a matching consumer key.
 *
 * @param clientId consumer key to look for; must not be {@code null}
 * @return {@code true} if one of the user's applications carries this consumer key
 * @throws DCRMServerException when the application list cannot be retrieved
 */
private boolean isUserAuthorized(String clientId) throws DCRMServerException {
    OAuthConsumerAppDTO[] ownedApps;
    try {
        // Get applications owned by the user
        ownedApps = oAuthAdminService.getAllOAuthApplicationData();
    } catch (IdentityOAuthAdminException e) {
        throw DCRMUtils.generateServerException(
                DCRMConstants.ErrorMessages.FAILED_TO_GET_APPLICATION_BY_ID, clientId, e);
    }

    boolean owned = false;
    for (int i = 0; i < ownedApps.length && !owned; i++) {
        owned = clientId.equals(ownedApps[i].getOauthConsumerKey());
    }
    return owned;
}
/**
 * Get OAuth application data by the application name.
 *
 * <p>Returns an empty {@code OAuthConsumerAppDTO} when the DAO yields no application; persistence failures
 * are wrapped through {@code handleError}. The DTO built by {@code buildConsumerAppDTO} is the full
 * application record, presumably including the consumer secret, so it should not be logged as a whole.
 *
 * @param appName OAuth application name
 * @return <code>OAuthConsumerAppDTO</code> with application information
 * @throws IdentityOAuthAdminException Error when reading application information from persistence store.
 */
public OAuthConsumerAppDTO getOAuthApplicationDataByAppName(String appName) throws IdentityOAuthAdminException {
    OAuthAppDAO appDAO = new OAuthAppDAO();
    try {
        OAuthAppDO appDO = appDAO.getAppInformationByAppName(appName);
        if (appDO == null) {
            return new OAuthConsumerAppDTO();
        }
        return buildConsumerAppDTO(appDO);
    } catch (InvalidOAuthClientException | IdentityOAuth2Exception e) {
        throw handleError("Error while retrieving the app information by app name: " + appName, e);
    }
}
/**
 * Loads the OIDC claims mapped to {@code scope} for the tenant straight from the database.
 *
 * <p>The query text is the constant {@code SQLQueries.GET_IDN_OIDC_CLAIMS}; scope and tenant are bound as
 * prepared-statement parameters, never concatenated. The returned DTO always carries the requested scope
 * name and a (possibly empty) claim array.
 *
 * @param scope    scope name whose claims are loaded
 * @param tenantId tenant the scope belongs to
 * @return {@code ScopeDTO} with the scope name and its claims
 * @throws IdentityOAuth2Exception when the query fails, with the {@code DataAccessException} as cause
 */
@Override
public ScopeDTO getClaims(String scope, int tenantId) throws IdentityOAuth2Exception {
    JdbcTemplate jdbcTemplate = JdbcUtils.getNewTemplate();
    ScopeDTO result = new ScopeDTO();
    try {
        List<String> claims = jdbcTemplate.executeQuery(SQLQueries.GET_IDN_OIDC_CLAIMS,
                (resultSet, rowNumber) -> resultSet.getString(1),
                preparedStatement -> {
                    preparedStatement.setString(1, scope);
                    preparedStatement.setInt(2, tenantId);
                });
        result.setName(scope);
        result.setClaim(claims.toArray(new String[0]));
    } catch (DataAccessException e) {
        throw new IdentityOAuth2Exception("Error while loading OIDC claims for the scope: " + scope, e);
    }
    return result;
}
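/**
 * Checks whether the given consumer is valid or not. This is done by validating the signature,
 * signed by this particular consumer.
 *
 * @param oauthConsumer Parameter related to the OAuth authorization header.
 * @return the result of {@code validateOauthSignature} for this consumer and its registered secret
 * @throws IdentityException when no secret is registered for the consumer key, or when signature
 *         validation fails with an {@code AuthenticationException} (kept as the cause)
 */
public boolean isOAuthConsumerValid(OAuthConsumerDTO oauthConsumer) throws IdentityException {
    String oAuthSecretKey = getOAuthSecretKey(oauthConsumer.getOauthConsumerKey());
    if (oAuthSecretKey == null) {
        // Unknown consumer key: rejected before any signature work; only a debug trace is left behind.
        log.debug("Invalid Consumer Key.");
        throw IdentityException.error("Invalid Consumer Key");
    }
    try {
        return validateOauthSignature(oauthConsumer, oAuthSecretKey);
    } catch (AuthenticationException e) {
        throw IdentityException.error(e.getMessage(), e);
    }
}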
/**
 * Lists the names of all OIDC scopes registered for the tenant.
 *
 * <p>The scope/claim mapping is read from {@code oidcScopeClaimCache} and refreshed through
 * {@code loadOIDCScopeClaims} before the names are collected, in mapping order.
 *
 * @param tenantId tenant whose scopes are listed
 * @return mutable list of scope names, empty when the mapping has no entries
 * @throws IdentityOAuth2Exception presumably raised while loading the scope/claim mapping
 */
@Override
public List<String> getScopeNames(int tenantId) throws IdentityOAuth2Exception {
    OIDCScopeClaimCacheEntry cacheEntry =
            loadOIDCScopeClaims(tenantId, oidcScopeClaimCache.getScopeClaimMap(tenantId));

    List<String> names = new ArrayList<>();
    for (ScopeDTO scope : cacheEntry.getScopeClaimMapping()) {
        names.add(scope.getName());
    }
    return names;
}
/**
 * Get the scope validators registered by the user and filter the allowed ones.
 *
 * <p>Every validator named on the application must appear in {@code getAllowedScopeValidators()}; the first
 * one that does not is rejected. A {@code null} validator list on the application is treated as "none
 * requested" and yields an empty array.
 *
 * @param application Application user have registered.
 * @return the requested validators unchanged, or an empty array when none were requested
 * @throws IdentityOAuthAdminException when a requested validator is not in the allowed set
 */
private String[] filterScopeValidators(OAuthConsumerAppDTO application) throws IdentityOAuthAdminException {
    // Allowed set is resolved first so its own failures surface regardless of what was requested.
    List<String> allowed = Arrays.asList(getAllowedScopeValidators());

    String[] requested = application.getScopeValidators();
    if (requested == null) {
        return new String[0];
    }
    for (String validator : requested) {
        if (!allowed.contains(validator)) {
            throw new IdentityOAuthAdminException(validator + " not allowed");
        }
    }
    return requested;
}
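/**
 * Get OAuth application data by the application name.
 *
 * <p>When the DAO yields no application, an empty {@code OAuthConsumerAppDTO} is returned rather than
 * {@code null}. The returned DTO carries the consumer secret; keep it out of logs and out of responses
 * that are not entitled to it.
 *
 * @param appName OAuth application name
 * @return <code>OAuthConsumerAppDTO</code> with application information
 * @throws IdentityOAuthAdminException Error when reading application information from persistence store.
 */
public OAuthConsumerAppDTO getOAuthApplicationDataByAppName(String appName) throws IdentityOAuthAdminException {
    OAuthConsumerAppDTO dto = new OAuthConsumerAppDTO();
    OAuthAppDAO dao = new OAuthAppDAO();
    try {
        OAuthAppDO app = dao.getAppInformationByAppName(appName);
        if (app != null) {
            dto.setApplicationName(app.getApplicationName());
            dto.setCallbackUrl(app.getCallbackUrl());
            dto.setOauthConsumerKey(app.getOauthConsumerKey());
            dto.setOauthConsumerSecret(app.getOauthConsumerSecret());
            dto.setOAuthVersion(app.getOauthVersion());
            dto.setGrantTypes(app.getGrantTypes());
            dto.setPkceMandatory(app.isPkceMandatory());
            dto.setPkceSupportPlain(app.isPkceSupportPlain());
        }
        return dto;
    } catch (InvalidOAuthClientException | IdentityOAuth2Exception e) {
        // Both DAO failure modes are surfaced as the admin-level exception, keeping the original as cause.
        throw new IdentityOAuthAdminException("Error while retrieving the app information by app name", e);
    }
}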
/**
 * Builds the DCRM {@code Application} response from a registered consumer application.
 *
 * <p>The response includes the client secret, so it is only suitable for the registering caller. The single
 * callback URL is wrapped in a mutable one-element list for the redirect-URIs field.
 *
 * @param createdApp application as returned by the OAuth admin service
 * @return response object populated with client name, id, secret and redirect URIs
 */
private Application buildResponse(OAuthConsumerAppDTO createdApp) {
    List<String> redirectUris = new ArrayList<>();
    redirectUris.add(createdApp.getCallbackUrl());

    Application response = new Application();
    response.setClient_name(createdApp.getApplicationName());
    response.setClient_id(createdApp.getOauthConsumerKey());
    response.setClient_secret(createdApp.getOauthConsumerSecret());
    response.setRedirect_uris(redirectUris);
    return response;
}
/**
 * Resolves the OAuth application registered under {@code clientId} on behalf of the current user.
 *
 * <p>Rejections, in order: a blank id (BAD_REQUEST_INVALID_INPUT); no application, or one with an empty
 * name (NOT_FOUND_APPLICATION_WITH_ID); an application the user does not own
 * (FORBIDDEN_UNAUTHORIZED_USER). An admin-service failure caused by {@code InvalidOAuthClientException}
 * is also reported as not found; any other admin-service failure becomes a server exception.
 *
 * <p>NOTE(review): the not-found check runs before the ownership check, so a caller who does not own the
 * application still learns from the error whether the client_id exists. Reporting both cases the same
 * way would close that gap but changes the error codes clients currently see.
 *
 * @param clientId client_id of the application
 * @return the application DTO
 * @throws DCRMException for each of the rejection cases listed above
 */
private OAuthConsumerAppDTO getApplicationById(String clientId) throws DCRMException {
    if (StringUtils.isEmpty(clientId)) {
        throw DCRMUtils.generateClientException(
                DCRMConstants.ErrorMessages.BAD_REQUEST_INVALID_INPUT, "Invalid client_id");
    }
    OAuthConsumerAppDTO dto;
    try {
        dto = oAuthAdminService.getOAuthApplicationData(clientId);
        boolean missing = dto == null || StringUtils.isEmpty(dto.getApplicationName());
        if (missing) {
            throw DCRMUtils.generateClientException(
                    DCRMConstants.ErrorMessages.NOT_FOUND_APPLICATION_WITH_ID, clientId);
        }
        if (!isUserAuthorized(clientId)) {
            throw DCRMUtils.generateClientException(
                    DCRMConstants.ErrorMessages.FORBIDDEN_UNAUTHORIZED_USER, clientId);
        }
    } catch (IdentityOAuthAdminException e) {
        // An invalid-client failure from the admin service is reported like a plain "not found".
        if (e.getCause() instanceof InvalidOAuthClientException) {
            throw DCRMUtils.generateClientException(DCRMConstants.ErrorMessages.NOT_FOUND_APPLICATION_WITH_ID, clientId);
        }
        throw DCRMUtils.generateServerException(
                DCRMConstants.ErrorMessages.FAILED_TO_GET_APPLICATION_BY_ID, clientId, e);
    }
    return dto;
}
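/**
 * Checks whether the given consumer is valid or not. This is done by validating the signature,
 * signed by this particular consumer.
 *
 * @param oauthConsumer Parameter related to the OAuth authorization header.
 * @return the result of {@code validateOauthSignature} for this consumer and its registered secret
 * @throws IdentityException when no secret is registered for the consumer key, or when signature
 *         validation fails with an {@code AuthenticationException} (kept as the cause)
 */
public boolean isOAuthConsumerValid(OAuthConsumerDTO oauthConsumer) throws IdentityException {
    String oAuthSecretKey = getOAuthSecretKey(oauthConsumer.getOauthConsumerKey());
    if (oAuthSecretKey == null) {
        // Unknown consumer key: rejected before any signature work; only a debug trace is left behind.
        log.debug("Invalid Consumer Key.");
        throw IdentityException.error("Invalid Consumer Key");
    }
    try {
        return validateOauthSignature(oauthConsumer, oAuthSecretKey);
    } catch (AuthenticationException e) {
        throw IdentityException.error(e.getMessage(), e);
    }
}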