org.openid4java.message.AuthRequest Java Examples

/**
 * Simple Registration Extension example.
 * 
 * @param httpReq
 * @param authReq
 * @throws MessageException
 * @see <a href="http://code.google.com/p/openid4java/wiki/SRegHowTo">Simple Registration HowTo</a>
 * @see <a href="http://openid.net/specs/openid-simple-registration-extension-1_0.html">OpenID Simple Registration Extension 1.0</a>
 */
private void addSimpleRegistrationToAuthRequest(HttpServletRequest httpReq,
		AuthRequest authReq) throws MessageException {
	// Attribute Exchange example: fetching the 'email' attribute
	// FetchRequest fetch = FetchRequest.createFetchRequest();
	SRegRequest sregReq = SRegRequest.createFetchRequest();

	String[] attributes = { "nickname", "email", "fullname", "dob",
			"gender", "postcode", "country", "language", "timezone" };
	for (int i = 0, l = attributes.length; i < l; i++) {
		String attribute = attributes[i];
		String value = httpReq.getParameter(attribute);
		if (OPTIONAL_VALUE.equals(value)) {
			sregReq.addAttribute(attribute, false);
		} else if (REQUIRED_VALUE.equals(value)) {
			sregReq.addAttribute(attribute, true);
		}
	}

	// attach the extension to the authentication request
	if (!sregReq.getAttributes().isEmpty()) {
		authReq.addExtension(sregReq);
	}
}
 

/**
 * Attribute exchange example.
 * 
 * @param httpReq
 * @param authReq
 * @throws MessageException
 * @see <a href="http://code.google.com/p/openid4java/wiki/AttributeExchangeHowTo">Attribute Exchange HowTo</a>
 * @see <a href="http://openid.net/specs/openid-attribute-exchange-1_0.html">OpenID Attribute Exchange 1.0 - Final</a>
 */
private void addAttributeExchangeToAuthRequest(HttpServletRequest httpReq,
		AuthRequest authReq) throws MessageException {
	String[] aliases = httpReq.getParameterValues("alias");
	String[] typeUris = httpReq.getParameterValues("typeUri");
	String[] counts = httpReq.getParameterValues("count");
	FetchRequest fetch = FetchRequest.createFetchRequest();
	for (int i = 0, l = typeUris == null ? 0 : typeUris.length; i < l; i++) {
		String typeUri = typeUris[i];
		if (StringUtils.isNotBlank(typeUri)) {
			String alias = aliases[i];
			boolean required = httpReq.getParameter("required" + i) != null;
			int count = NumberUtils.toInt(counts[i], 1);
			fetch.addAttribute(alias, typeUri, required, count);
		}
	}
	authReq.addExtension(fetch);
}
 

/**
 * Creates an OpenID Token. Depending of the global config, either a token
 * for the valid user or for the attacker is created.
 *
 * @param authRequest
 *
 * @return
 *
 * @throws MessageException
 * @throws ServerException
 * @throws AssociationException
 */
private AttackParameterKeeper processTokenRequest(final AuthRequest authRequest) throws OpenIdAttackerServerException {
    final String userSelId = getValidUser().getIdentifier();
    final String userSelClaimed = getValidUser().getClaimedId();
    final Message token = serverManager.authResponse(authRequest, userSelId, userSelClaimed, true, false);
    if (token instanceof AuthSuccess) {
        try {
            processAxExtension(token, authRequest);
            processSRegExtension(token, authRequest);
            generateSignatureForValidValues((AuthSuccess) token);
            generateSignatureForAttackValues();
        } catch (ServerException | MessageException | AssociationException ex) {
            throw new OpenIdAttackerServerException(ex.getMessage());
        }
    } else {
        throw new OpenIdAttackerServerException("Error while creating auth Response");
    }
    return getKeeper();
}
 

private Message processSRegExtension(Message token, final AuthRequest authRequest) throws MessageException {
    String sregNamespace = detectSRegVersion(authRequest);
    if (sregNamespace != null) {
        MessageExtension ext = authRequest.getExtension(sregNamespace);
        if (ext instanceof SRegRequest) {
            SRegRequest sregReq = (SRegRequest) ext;
            SRegResponse sregResp = SRegResponse.createSRegResponse(sregReq, getValidUser().getUserDataMap());
            token.addExtension(sregResp, "sreg");
        } else if (ext instanceof SRegResponse) {
            // what to do here?
        } else {
            final String message = String.format("TODO - Support of '%s'", ext.getClass().getCanonicalName());
            throw new UnsupportedOperationException(message);
        }
    }
    return token;
}
 

/**
 * @param authRequest OpenID authentication request
 * @return A set of policies requested
 * @throws IdentityException
 */
public static String[] getAuthenticationPolicies(AuthRequest authRequest) throws IdentityException {

    MessageExtension message = null;
    PapeRequest papeRequest = null;
    List preferredPolicies = null;

    try {
        if (authRequest.hasExtension(PapeMessage.OPENID_NS_PAPE)) {
            message = authRequest.getExtension(PapeMessage.OPENID_NS_PAPE);

            if (message instanceof PapeRequest) {
                papeRequest = (PapeRequest) message;
                preferredPolicies = papeRequest.getPreferredAuthPoliciesList();
                if (preferredPolicies != null && !preferredPolicies.isEmpty()) {
                    return (String[]) preferredPolicies.toArray(new String[preferredPolicies.size()]);
                }
            }
        }
        return new String[0];
    } catch (MessageException e) {
        throw IdentityException.error("Failed retrieve authentication policies", e);
    }
}
 

/**
 * @param authRequest
 * @return
 * @throws IdentityException
 */
private List<String> getRequestedAttributes(AuthRequest authRequest) throws IdentityException {
    OpenIDAuthenticationRequest req = null;
    OpenIDExtension extension = null;
    List<String> requiredAttributes = null;

    req = new OpenIDAuthenticationRequest();
    req.setAuthRequest(authRequest);
    requiredAttributes = new ArrayList<String>();

    for (Object alias : authRequest.getExtensions()) {
        req.setExtensionAlias((String) alias);
        extension = OpenIDExtensionFactory.getInstance().getExtension(req);
        if (extension != null) {
            extension.addRequiredAttributes(requiredAttributes);
        }
    }

    return requiredAttributes;
}
 

/**
 * Get Profile details of an user
 *
 * @param openId
 * @return
 * @throws IdentityProviderException
 */
public OpenIDUserProfileDTO[] getUserProfiles(String openId, OpenIDParameterDTO[] requredClaims)
        throws IdentityProviderException {
    String userName = null;
    UserRealm realm = null;
    UserStoreManager reader = null;
    String tenatUser = null;
    String domainName = null;

    try {
        userName = OpenIDUtil.getUserName(openId);
        tenatUser = MultitenantUtils.getTenantAwareUsername(userName);
        domainName = MultitenantUtils.getDomainNameFromOpenId(openId);
        realm = IdentityTenantUtil.getRealm(domainName, userName);
        reader = realm.getUserStoreManager();
        String[] profileNames = reader.getProfileNames(tenatUser);
        OpenIDUserProfileDTO[] profileDtoSet = new OpenIDUserProfileDTO[profileNames.length];

        List<String> claimList = null;
        ParameterList paramList = getParameterList(requredClaims);
        AuthRequest authReq =
                AuthRequest.createAuthRequest(paramList, OpenIDProvider.getInstance()
                                                                       .getManager()
                                                                       .getRealmVerifier());

        claimList = getRequestedAttributes(authReq);

        for (int i = 0; i < profileNames.length; i++) {
            OpenIDUserProfileDTO profileDTO = new OpenIDUserProfileDTO();
            OpenIDClaimDTO[] claimSet =
                    getOpenIDClaimValues(openId, profileNames[i], claimList);
            profileDTO.setProfileName(profileNames[i]);
            profileDTO.setClaimSet(claimSet);
            profileDtoSet[i] = profileDTO;
        }
        return profileDtoSet;
    } catch (MalformedURLException | UserStoreException | MessageException | IdentityException e) {
        throw new IdentityProviderException("Error while retrieving user profiles", e);
    }
}
 

private Message processAxExtension(Message token, final AuthRequest authRequest) throws MessageException {
    if (authRequest.hasExtension(AxMessage.OPENID_NS_AX)) {
        MessageExtension extension = authRequest.getExtension(AxMessage.OPENID_NS_AX);
        if (extension instanceof FetchRequest) {
            final FetchRequest fetchRequest = (FetchRequest) extension;
            final Map userDataMap = getValidUser().getUserDataMap();
            final FetchResponse fetchResponse = FetchResponse.createFetchResponse(fetchRequest, userDataMap);
            token.addExtension(fetchResponse, "ax");
        } else {
            throw new UnsupportedOperationException("TODO: if (ext instanceof StoreRequest)");
        }
    }
    return token;
}
 

private AuthRequest createAuthenticationRequest(final ParameterList token_parameter) throws OpenIdAttackerServerException {
        AuthRequest authRequest;
        try {
//            authRequest = AuthRequest.createAuthRequest(token_parameter, serverManager.getRealmVerifier());
            authRequest = UnvalidatedAuthRequest.createAuthRequest(token_parameter, serverManager.getRealmVerifier());
        } catch (MessageException ex) {
            throw new OpenIdAttackerServerException(ex);
        }
        return authRequest;
    }
 

private String detectSRegVersion(final AuthRequest authRequest) {
    String sregNamespace = null;
    if (authRequest.hasExtension(SRegMessage.OPENID_NS_SREG)) {
        sregNamespace = SRegMessage.OPENID_NS_SREG;
    } else if (authRequest.hasExtension(SRegMessage.OPENID_NS_SREG11)) {
        sregNamespace = SRegMessage.OPENID_NS_SREG11;
    }
    return sregNamespace;
}
 

public static AuthRequest createAuthRequest(ParameterList params,
  RealmVerifier realmVerifier)
  throws MessageException {
    AuthRequest req = new UnvalidatedAuthRequest(params);

    req.setRealmVerifier(realmVerifier);

    // The request must not be validated
    // req.validate();
    if (DEBUG) {
        LOG.debug("Created auth request:\n" + req.keyValueFormEncoding());
    }

    return req;
}
 

/**
 * {@inheritDoc}
 */
@Override
public MessageExtension getMessageExtension(String userId, String profileName, OpenIDAuthRequestDTO requestDTO)
        throws IdentityException {

    MessageExtension message = null;
    PapeResponse papeResponse = null;
    AuthRequest authRequest = null;

    try {
        authRequest = request.getAuthRequest();

        if (authRequest != null) {
            message = authRequest.getExtension(PapeMessage.OPENID_NS_PAPE);

            if (message instanceof PapeRequest) {
                papeResponse = PapeResponse.createPapeResponse();
                if (request.isPhishingResistanceLogin()) {
                    papeResponse.addAuthPolicy(PapeMessage.PAPE_POLICY_PHISHING_RESISTANT);
                    //papeResponse.setNistAuthLevel(1);  TODO
                }
                if (request.isMultifactorLogin()) {
                    papeResponse.addAuthPolicy(PapeMessage.PAPE_POLICY_MULTI_FACTOR);
                    //papeResponse.setNistAuthLevel(2);  TODO
                }
            }
        }
    } catch (MessageException e) {
        log.error("Failed to create message extension for PAPE", e);
        throw IdentityException.error("Failed to create message extension for PAPE", e);
    }

    return papeResponse;
}
 

@Override
public Message authResponse(AuthRequest authReq, String userSelId, String userSelClaimed,
                            boolean authenticatedAndApproved, String opEndpoint, boolean signNow) {

    if(log.isDebugEnabled()) {
        log.debug("Association handle in AuthRequest : " + authReq.getHandle());
    }
    return super.authResponse(authReq, userSelId, userSelClaimed, authenticatedAndApproved, opEndpoint, signNow);
}
 

@SuppressWarnings("unchecked")
public void authRequest(String openidServiceId, String returnToUrl, HttpServletRequest httpReq, HttpServletResponse httpResp) throws IOException, ServletException {
	try {
		// --- Forward proxy setup (only if needed) ---
		// ProxyProperties proxyProps = new ProxyProperties();
		// proxyProps.setProxyName("proxy.example.com");
		// proxyProps.setProxyPort(8080);
		// HttpClientFactory.setProxyProperties(proxyProps);

		// perform discovery on the user-supplied identifier
		List<?> discoveries = manager.discover(openidServiceId);

		// attempt to associate with the OpenID provider
		// and retrieve one service endpoint for authentication
		DiscoveryInformation discovered = manager.associate(discoveries);

		// store the discovery information in the user's session
		httpReq.getSession().setAttribute(OpenIdConstants.OPENID_DISC, discovered);

		// obtain a AuthRequest message to be sent to the OpenID provider
		AuthRequest authReq = manager.authenticate(discovered, returnToUrl);

		// Attribute Exchange example: fetching the 'email' attribute
		FetchRequest fetch = FetchRequest.createFetchRequest();
		fetch.addAttribute("email",
		// attribute alias
				"http://schema.openid.net/contact/email", // type URI
				true); // required

		// attach the extension to the authentication request
		authReq.addExtension(fetch);

		if (!discovered.isVersion2()) {
			// Option 1: GET HTTP-redirect to the OpenID Provider endpoint
			// The only method supported in OpenID 1.x
			// redirect-URL usually limited ~2048 bytes
			httpResp.sendRedirect(authReq.getDestinationUrl(true));
		} else {
			// Option 2: HTML FORM Redirection (Allows payloads >2048 bytes)

			sendFormRedirect(httpResp, authReq.getDestinationUrl(false), (Map<String,String>)authReq.getParameterMap());
		}
	} catch (OpenIDException e) {
		e.printStackTrace(System.err);
	}

}
 

/**
 * Generates an Openid response.
 * If no ticketId is found, response is negative.
 * If we have a ticket id, then we check if we have an association.
 * If so, we ask OpenId server manager to generate the answer according with the existing association.
 * If not, we send back an answer with the ticket id as association handle.
 * This will force the consumer to ask a verification, which will validate the service ticket.
 * @param ticketId the service ticket to provide to the service.
 * @return the generated authentication answer
 */
@Override
public Response getResponse(final String ticketId) {
    final Map<String, String> parameters = new HashMap<>();
    if (ticketId != null) {

        final ServerManager manager = (ServerManager) ApplicationContextProvider.getApplicationContext().getBean("serverManager");
        final CentralAuthenticationService cas = ApplicationContextProvider.getApplicationContext()
                                            .getBean("centralAuthenticationService", CentralAuthenticationService.class);
        boolean associated = false;
        boolean associationValid = true;
        try {
            final AuthRequest authReq = AuthRequest.createAuthRequest(requestParameters, manager.getRealmVerifier());
            final Map parameterMap = authReq.getParameterMap();
            if (parameterMap != null && parameterMap.size() > 0) {
                final String assocHandle = (String) parameterMap.get(OpenIdConstants.OPENID_ASSOCHANDLE);
                if (assocHandle != null) {
                    final Association association = manager.getSharedAssociations().load(assocHandle);
                    if (association != null) {
                        associated = true;
                        if (association.hasExpired()) {
                            associationValid = false;
                        }
                    }

                }
            }
        } catch (final MessageException me) {
            LOGGER.error("Message exception : {}", me.getMessage(), me);
        }

        boolean successFullAuthentication = true;
        Assertion assertion = null;
        try {
            if (associated) {
                if (associationValid) {
                    assertion = cas.validateServiceTicket(ticketId, this);
                    LOGGER.info("Validated openid ticket");
                } else {
                    successFullAuthentication = false;
                }
            }
        } catch (final TicketException te) {
            LOGGER.error("Could not validate ticket : {}", te.getMessage(), te);
            successFullAuthentication = false;
        }

        final String id;
        if (assertion != null && OpenIdConstants.OPENID_IDENTIFIERSELECT.equals(this.identity)) {
            id = this.openIdPrefixUrl + '/' + assertion.getPrimaryAuthentication().getPrincipal().getId();
        } else {
            id = this.identity;
        }
        // We sign directly (final 'true') because we don't add extensions
        // response message can be either a DirectError or an AuthSuccess here.
        // Anyway, handling is the same : send the response message
        final Message response = manager.authResponse(requestParameters,
                id,
                id,
                successFullAuthentication,
                true);
        parameters.putAll(response.getParameterMap());
        if (!associated) {
            parameters.put(OpenIdConstants.OPENID_ASSOCHANDLE, ticketId);
        }
    } else {
        parameters.put(OpenIdConstants.OPENID_MODE, OpenIdConstants.CANCEL);
    }
    return DefaultResponse.getRedirectResponse(getOriginalUrl(), parameters);
}
 

private String authRequest(final String userSuppliedString,
		final String returnToUrl) throws IOException {
	try {
		// perform discovery on the user-supplied identifier
		List discoveries = manager.discover(userSuppliedString);

		// attempt to associate with the OpenID provider
		// and retrieve one service endpoint for authentication
		discovered = manager.associate(discoveries);

		// // store the discovery information in the user's session
		// httpReq.getSession().setAttribute("openid-disc", discovered);

		// obtain a AuthRequest message to be sent to the OpenID provider
		AuthRequest authReq = manager.authenticate(discovered, returnToUrl);

		// Attribute Exchange example: fetching the 'email' attribute
		FetchRequest fetch = FetchRequest.createFetchRequest();

		// Using axschema
		fetch.addAttribute("emailax", "http://axschema.org/contact/email",
				true);

		fetch.addAttribute("firstnameax",
				"http://axschema.org/namePerson/first", true);

		fetch.addAttribute("lastnameax",
				"http://axschema.org/namePerson/last", true);

		fetch.addAttribute("fullnameax", "http://axschema.org/namePerson",
				true);

		fetch.addAttribute("email",
				"http://schema.openid.net/contact/email", true);

		// Using schema.openid.net (for compatibility)
		fetch.addAttribute("firstname",
				"http://schema.openid.net/namePerson/first", true);

		fetch.addAttribute("lastname",
				"http://schema.openid.net/namePerson/last", true);

		fetch.addAttribute("fullname",
				"http://schema.openid.net/namePerson", true);

		// attach the extension to the authentication request
		authReq.addExtension(fetch);

		return authReq.getDestinationUrl(true);
	} catch (OpenIDException e) {
		e.printStackTrace();
	}

	return null;
}
 

public void setAuthRequest(AuthRequest authRequest) {
    this.authRequest = authRequest;
}
 

public AuthRequest getAuthRequest() {
    return authRequest;
}
 

public String authRequest(String userSuppliedString,
		HttpServletRequest httpReq, HttpServletResponse httpResp)
		throws IOException, ServletException {
	try {
		// configure the return_to URL where your application will receive
		// the authentication responses from the OpenID provider
		// String returnToUrl = "http://example.com/openid";
		String returnToUrl = httpReq.getRequestURL().toString()
				+ "?is_return=true";

		// perform discovery on the user-supplied identifier
		List discoveries = manager.discover(userSuppliedString);

		// attempt to associate with the OpenID provider
		// and retrieve one service endpoint for authentication
		DiscoveryInformation discovered = manager.associate(discoveries);

		// store the discovery information in the user's session
		httpReq.getSession().setAttribute("openid-disc", discovered);

		// obtain a AuthRequest message to be sent to the OpenID provider
		AuthRequest authReq = manager.authenticate(discovered, returnToUrl);

		// Simple registration example
		addSimpleRegistrationToAuthRequest(httpReq, authReq);

		// Attribute exchange example
		addAttributeExchangeToAuthRequest(httpReq, authReq);

		if (!discovered.isVersion2()) {
			// Option 1: GET HTTP-redirect to the OpenID Provider endpoint
			// The only method supported in OpenID 1.x
			// redirect-URL usually limited ~2048 bytes
			httpResp.sendRedirect(authReq.getDestinationUrl(true));
			return null;
		} else {
			// Option 2: HTML FORM Redirection (Allows payloads >2048 bytes)

			RequestDispatcher dispatcher = getServletContext()
					.getRequestDispatcher("/formredirection.jsp");
			httpReq.setAttribute("prameterMap", httpReq.getParameterMap());
			httpReq.setAttribute("message", authReq);
			// httpReq.setAttribute("destinationUrl", httpResp
			// .getDestinationUrl(false));
			dispatcher.forward(httpReq, httpResp);
		}
	} catch (OpenIDException e) {
		// present error to the user
		throw new ServletException(e);
	}

	return null;
}
 

/**
 * Generates an Openid response.
 * If no ticketId is found, response is negative.
 * If we have a ticket id, then we check if we have an association.
 * If so, we ask OpenId server manager to generate the answer according with the existing association.
 * If not, we send back an answer with the ticket id as association handle.
 * This will force the consumer to ask a verification, which will validate the service ticket.
 * @param ticketId the service ticket to provide to the service.
 * @return the generated authentication answer
 */
@Override
public Response getResponse(final String ticketId) {
    final Map<String, String> parameters = new HashMap<String, String>();
    if (ticketId != null) {

        ServerManager manager = (ServerManager) ApplicationContextProvider.getApplicationContext().getBean("serverManager");
        CentralAuthenticationService cas = (CentralAuthenticationService) ApplicationContextProvider.getApplicationContext()
                                            .getBean("centralAuthenticationService");
        boolean associated = false;
        boolean associationValid = true;
        try {
            AuthRequest authReq = AuthRequest.createAuthRequest(requestParameters, manager.getRealmVerifier());
            Map parameterMap = authReq.getParameterMap();
            if (parameterMap != null && parameterMap.size() > 0) {
                String assocHandle = (String) parameterMap.get("openid.assoc_handle");
                if (assocHandle != null) {
                    Association association = manager.getSharedAssociations().load(assocHandle);
                    if (association != null) {
                        associated = true;
                        if (association.hasExpired()) {
                            associationValid = false;
                        }
                    }

                }
            }
        } catch (final MessageException me) {
            LOGGER.error("Message exception : {}", me.getMessage(), me);
        }

        boolean successFullAuthentication = true;
        try {
            if (associated) {
                if (associationValid) {
                    cas.validateServiceTicket(ticketId, this);
                    LOGGER.info("Validated openid ticket");
                } else {
                    successFullAuthentication = false;
                }
            }
        } catch (final TicketException te) {
            LOGGER.error("Could not validate ticket : {}", te.getMessage(), te);
            successFullAuthentication = false;
        }

        // We sign directly (final 'true') because we don't add extensions
        // response message can be either a DirectError or an AuthSuccess here.
        // Anyway, handling is the same : send the response message
        Message response = manager.authResponse(requestParameters,
                this.identity,
                this.identity,
                successFullAuthentication,
                true);
        parameters.putAll(response.getParameterMap());
        if (!associated) {
            parameters.put("openid.assoc_handle", ticketId);
        }
    } else {
        parameters.put("openid.mode", "cancel");
    }
    return Response.getRedirectResponse(getOriginalUrl(), parameters);
}
 

/**
 * Creates an OpenID Token. Depending of the global config, either a token
 * for the valid user or for the attacker is created.
 *
 * @param token_parameter
 *
 * @return
 *
 * @throws MessageException
 * @throws ServerException
 * @throws AssociationException
 */
public AttackParameterKeeper processTokenRequest(final ParameterList token_parameter) throws OpenIdAttackerServerException {
    addNamespaceIfNotContained(token_parameter);
    AuthRequest authRequest = createAuthenticationRequest(token_parameter);
    return processTokenRequest(authRequest);
}