Java Code Examples for org.apache.cxf.rs.security.oauth2.utils.OAuthConstants#INVALID_GRANT

Example 1
Source File: JwtBearerAuthHandler.java — from the cxf project (Apache License 2.0)
@Override
protected void validateToken(JwtToken jwt) {
    super.validateToken(jwt);

    // Beyond the base-class checks, a JWT presented as a bearer grant must name an
    // issuer, a subject and an expiry. They are checked in this order and the first
    // missing claim is reported as invalid_grant.
    String[] requiredClaims = {
        JwtConstants.CLAIM_ISSUER,
        JwtConstants.CLAIM_SUBJECT,
        JwtConstants.CLAIM_EXPIRY
    };
    for (String claimName : requiredClaims) {
        if (jwt.getClaim(claimName) == null) {
            throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
        }
    }

    // Time window and audience checks on the claim set are delegated to JwtUtils,
    // driven by this handler's ttl, clock-offset and audience-validation settings.
    JwtUtils.validateTokenClaims(jwt.getClaims(), getTtl(), getClockOffset(), isValidateAudience());
}
 
Example 2
Source File: AbstractGrantHandler.java — from the cxf project (Apache License 2.0)
protected ServerAccessToken getPreAuthorizedToken(Client client,
                                                  UserSubject subject,
                                                  String requestedGrant,
                                                  List<String> requestedScopes,
                                                  List<String> audiences) {
    // The requested scopes must be covered by the client's registered scopes
    // (partial matching is a handler-level setting); otherwise invalid_scope.
    boolean scopesAllowed = OAuthUtils.validateScopes(requestedScopes,
                                                      client.getRegisteredScopes(),
                                                      partialMatchScopeValidation);
    if (!scopesAllowed) {
        throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_SCOPE));
    }

    // Likewise the requested audiences must be among the registered ones; otherwise invalid_grant.
    boolean audiencesAllowed = OAuthUtils.validateAudiences(audiences, client.getRegisteredAudiences());
    if (!audiencesAllowed) {
        throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_GRANT));
    }

    // Ask the provider for a token already issued to this client/subject for this grant, if any.
    return dataProvider.getPreauthorizedToken(client, requestedScopes, subject, requestedGrant);
}
 
Example 3
Source File: Saml2BearerGrantHandler.java — from the cxf project (Apache License 2.0)
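/**
 * Decodes a base64url-encoded SAML assertion into a stream for parsing.
 *
 * @param assertion the base64url-encoded assertion value taken from the grant request
 * @return a stream over the decoded bytes
 * @throws OAuthServiceException with {@code invalid_grant} when the value is not valid
 *         base64url; the decoding failure is retained as the cause instead of being dropped
 */
private InputStream decodeAssertion(String assertion) {
    try {
        // The original local was called "deflatedToken", but nothing here inflates:
        // the bytes are handed to the XML reader as-is.
        byte[] decodedToken = Base64UrlUtility.decode(assertion);
        return new ByteArrayInputStream(decodedToken);
    } catch (Base64Exception ex) {
        // Keep the cause so server-side diagnostics retain the detail; the client is
        // expected to see only the generic invalid_grant error code.
        throw new OAuthServiceException(OAuthConstants.INVALID_GRANT, ex);
    }
}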
 
Example 4
Source File: Saml2BearerGrantHandler.java — from the cxf project (Apache License 2.0)
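/**
 * Parses the decoded SAML assertion bytes into a DOM element.
 *
 * @param tokenStream the decoded assertion, read as UTF-8
 * @return the document element of the parsed assertion
 * @throws OAuthServiceException with {@code invalid_grant} when the stream cannot be parsed;
 *         the parser failure is retained as the cause instead of being dropped
 */
protected Element readToken(InputStream tokenStream) {
    try {
        // The assertion is caller-supplied input. Parsing goes through CXF's StaxUtils
        // rather than a raw parser, on the expectation that it applies hardened defaults
        // (DTD / external entity handling) - confirm for the CXF version in use.
        Document doc = StaxUtils.read(new InputStreamReader(tokenStream, StandardCharsets.UTF_8));
        return doc.getDocumentElement();
    } catch (Exception ex) {
        // Every parser failure is collapsed into the generic invalid_grant error code;
        // the cause is kept so server-side diagnostics retain the detail.
        throw new OAuthServiceException(OAuthConstants.INVALID_GRANT, ex);
    }
}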
 
Example 5
Source File: ResourceOwnerGrantHandler.java — from the cxf project (Apache License 2.0)
public ServerAccessToken createAccessToken(Client client, MultivaluedMap<String, String> params)
    throws OAuthServiceException {

    // Resource owner password credentials grant: both parameters are mandatory, so a
    // missing one is a malformed request (invalid_request) rather than a bad grant.
    final String ownerName = params.getFirst(OAuthConstants.RESOURCE_OWNER_NAME);
    final String ownerPassword = params.getFirst(OAuthConstants.RESOURCE_OWNER_PASSWORD);
    boolean credentialsSupplied = ownerName != null && ownerPassword != null;
    if (!credentialsSupplied) {
        throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
    }

    // Credential verification is delegated to the configured login handler; a null
    // subject means the credentials were rejected and is reported as invalid_grant.
    UserSubject owner = loginHandler.createSubject(client, ownerName, ownerPassword);
    if (owner == null) {
        throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
    }
    return doCreateAccessToken(client, owner, params);
}
 
Example 6
Source File: AbstractJwtHandler.java — from the cxf project (Apache License 2.0)
protected void validateClaims(Client client, JwtClaims claims) {
    // Publish the expected audience on the current message so the generic claim
    // validation below (which is always asked to validate the audience) can see it.
    String expectedAudience = getAudience();
    if (expectedAudience != null) {
        JAXRSUtils.getCurrentMessage().put(JwtConstants.EXPECTED_CLAIM_AUDIENCE, expectedAudience);
    }
    JwtUtils.validateTokenClaims(claims, ttl, clockOffset, true);

    validateIssuer(claims.getIssuer());
    validateSubject(client, claims.getSubject());

    // An expiry claim is mandatory for a JWT used as a grant; it is checked here
    // explicitly regardless of what validateTokenClaims enforces.
    boolean hasExpiry = claims.getClaim(JwtConstants.CLAIM_EXPIRY) != null;
    if (!hasExpiry) {
        throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
    }
}
 
Example 7
Source File: AuthorizationCodeGrantHandler.java — from the cxf project (Apache License 2.0)
/**
 * Exchanges an authorization code for an access token (authorization code grant).
 *
 * @param client the authenticated client presenting the code
 * @param params the token request parameters: the code, an optional redirect_uri
 *               and an optional PKCE code_verifier
 * @return the new access token, or {@code null} when the provider holds no grant for the code
 * @throws OAuthServiceException {@code invalid_grant} when the grant has expired, was issued to a
 *         different client or the PKCE verifier does not match the stored challenge;
 *         {@code invalid_request} when the redirect URI is inconsistent with the authorization step
 */
public ServerAccessToken createAccessToken(Client client, MultivaluedMap<String, String> params)
    throws OAuthServiceException {

    // Get the grant representation from the provider. The lookup removes the grant, so a
    // code is consumed on first use even if one of the checks below then fails - a
    // replayed code finds nothing (assuming the provider's removeCodeGrant really deletes
    // it; worth confirming for custom providers).
    String codeValue = params.getFirst(OAuthConstants.AUTHORIZATION_CODE_VALUE);
    ServerAuthorizationCodeGrant grant =
        ((AuthorizationCodeDataProvider)getDataProvider()).removeCodeGrant(codeValue);
    if (grant == null) {
        return null;
    }
    // check it has not expired, the client ids are the same
    if (OAuthUtils.isExpired(grant.getIssuedAt(), grant.getExpiresIn())) {
        throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
    }
    // Binds the code to the client it was issued to: a code obtained by one client
    // cannot be redeemed by another.
    if (!grant.getClient().getClientId().equals(client.getClientId())) {
        throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
    }
    // redirect URIs must match too: a redirect_uri given now must equal the one recorded
    // at authorization time. Omitting it is only tolerated when no URI was recorded and
    // public clients are supported, or when the recorded URI is the client's single
    // registered one (so there is nothing ambiguous to confirm).
    String expectedRedirectUri = grant.getRedirectUri();
    String providedRedirectUri = params.getFirst(OAuthConstants.REDIRECT_URI);
    if (providedRedirectUri != null) {
        if (!providedRedirectUri.equals(expectedRedirectUri)) {
            throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
        }
    } else if (expectedRedirectUri == null && !isCanSupportPublicClients()
        || expectedRedirectUri != null
            && (client.getRedirectUris().size() != 1
            || !client.getRedirectUris().contains(expectedRedirectUri))) {
        throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
    }

    // PKCE: the verifier sent now must correspond to the challenge stored with the grant.
    // How a missing verifier or challenge is treated is decided by compareCodeVerifierWithChallenge.
    String clientCodeVerifier = params.getFirst(OAuthConstants.AUTHORIZATION_CODE_VERIFIER);
    String clientCodeChallenge = grant.getClientCodeChallenge();
    if (!compareCodeVerifierWithChallenge(client, clientCodeVerifier, clientCodeChallenge)) {
        throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
    }
    List<String> audiences = getAudiences(client, params, grant.getAudience());
    return doCreateAccessToken(client, grant, getSingleGrantType(), clientCodeVerifier, audiences);
}
 
Example 8
Source File: AbstractGrantHandler.java — from the cxf project (Apache License 2.0)
protected List<String> getAudiences(Client client, String clientAudience) {
    List<String> registered = client.getRegisteredAudiences();

    if (clientAudience == null) {
        // Nothing requested explicitly: fall back to the registered audiences, or an
        // empty list when the client has none.
        return registered.isEmpty() ? Collections.emptyList() : registered;
    }

    // An explicitly requested audience must be one the client registered;
    // anything else is reported as invalid_grant.
    List<String> requested = Collections.singletonList(clientAudience);
    if (!OAuthUtils.validateAudiences(requested, registered)) {
        throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
    }
    return requested;
}
 
Example 9
Source File: AbstractOAuthDataProvider.java — from the cxf project (Apache License 2.0)
protected ServerAccessToken revokeAccessToken(Client client, String accessTokenKey) {
    ServerAccessToken accessToken = getAccessToken(accessTokenKey);
    if (accessToken == null) {
        // Unknown key: nothing to revoke, signalled by returning null.
        return null;
    }

    // Ownership check: a client may only revoke tokens that were issued to it.
    boolean ownedByCaller = accessToken.getClient().getClientId().equals(client.getClientId());
    if (!ownedByCaller) {
        throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
    }

    doRevokeAccessToken(accessToken);
    return accessToken;
}
 
Example 10
Source File: AbstractOAuthDataProvider.java — from the cxf project (Apache License 2.0)
protected RefreshToken revokeRefreshToken(Client client, String refreshTokenKey) {
    RefreshToken token = getRefreshToken(refreshTokenKey);
    if (token == null) {
        // Unknown key: nothing to revoke, signalled by returning null.
        return null;
    }

    // Ownership check: a client may only revoke refresh tokens that were issued to it.
    boolean ownedByCaller = token.getClient().getClientId().equals(client.getClientId());
    if (!ownedByCaller) {
        throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
    }

    doRevokeRefreshToken(token);
    return token;
}
 
Example 11
Source File: AbstractJwtHandler.java — from the cxf project (Apache License 2.0)
protected void validateSignature(JwsHeaders headers, String unsignedText, byte[] signature) {
    // The verifier is chosen from the JWS headers; a failed verification is reported
    // as invalid_grant without further detail.
    boolean signatureValid =
        getInitializedSigVerifier(headers).verify(headers, unsignedText, signature);
    if (!signatureValid) {
        throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
    }
}
 
Example 12
Source File: AbstractJwtHandler.java — from the cxf project (Apache License 2.0)
protected void validateIssuer(String issuer) {
    // The issuer claim is mandatory.
    if (issuer == null) {
        throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
    }
    // When a list of supported issuers is configured the claim must be on it. With no
    // list configured (null) any issuer is accepted, so restricting the issuers is
    // advisable wherever tokens from more than one party could reach this handler.
    boolean restricted = supportedIssuers != null;
    if (restricted && !supportedIssuers.contains(issuer)) {
        throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
    }
}
 
Example 13
Source File: AbstractJwtHandler.java — from the cxf project (Apache License 2.0)
protected void validateSubject(Client client, String subject) {
    // A subject claim is mandatory for a JWT presented as a grant. The client is not
    // consulted here; it is part of the signature for overriding handlers.
    if (subject != null) {
        return;
    }
    throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
}
 
Example 14
Source File: AuthorizationCodeGrantHandler.java — from the cxf project (Apache License 2.0)
private ServerAccessToken doCreateAccessToken(Client client,
                                              ServerAuthorizationCodeGrant grant,
                                              String requestedGrant,
                                              String codeVerifier,
                                              List<String> audiences) {
    if (grant.isPreauthorizedTokenAvailable()) {
        // The grant was issued on the basis that a token already existed for this
        // subject, so look that token up again instead of minting a new one.
        ServerAccessToken existing = getPreAuthorizedToken(client,
                                                           grant.getSubject(),
                                                           requestedGrant,
                                                           grant.getRequestedScopes(),
                                                           getAudiences(client, grant.getAudience()));
        if (existing == null) {
            // It has expired or been removed since the authorization-time check; issuing a
            // completely new token here could be wrong, so the grant is rejected
            // (this decision is still marked for review upstream).
            throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
        }
        String nonce = grant.getNonce();
        if (nonce != null) {
            JAXRSUtils.getCurrentMessage().getExchange().put(OAuthConstants.NONCE, nonce);
        }
        return existing;
    }

    // The code grant may have been started by the implicit/hybrid service, so confirm the
    // client is allowed this grant type at all (an empty allowed list imposes no restriction).
    List<String> allowedGrantTypes = client.getAllowedGrantTypes();
    if (!allowedGrantTypes.isEmpty() && !allowedGrantTypes.contains(requestedGrant)) {
        throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
    }

    // Assemble the registration and let the data provider mint the token.
    AccessTokenRegistration registration = new AccessTokenRegistration();
    registration.setGrantCode(grant.getCode());
    registration.setClient(client);
    registration.setGrantType(requestedGrant);
    registration.setSubject(grant.getSubject());
    registration.setRequestedScope(grant.getRequestedScopes());
    registration.setNonce(grant.getNonce());
    List<String> approvedScopes = grant.getApprovedScopes();
    registration.setApprovedScope(approvedScopes != null ? approvedScopes : Collections.<String>emptyList());
    registration.setAudiences(audiences);
    registration.setResponseType(grant.getResponseType());
    registration.setClientCodeVerifier(codeVerifier);
    registration.getExtraProperties().putAll(grant.getExtraProperties());
    return getDataProvider().createAccessToken(registration);
}