Refactoring OAuth utilities at UI Layer

merge-requests/7/head
dilanua 9 years ago
parent 5e0f5cc406
commit 2efdc30177

@ -23,7 +23,7 @@ var uri = request.getRequestURI();
var uriMatcher = new URIMatcher(String(uri));
var devicemgtProps = require("/app/conf/reader/main.js")["conf"];
var serviceInvokers = require("/app/modules/backend-service-invoker.js")["invokers"];
var serviceInvokers = require("/app/modules/token-protected-service-invokers.js")["invokers"];
function appendQueryParam (url, queryParam , value) {
if (url.indexOf("?") > 0) {

@ -26,7 +26,7 @@ var deviceModule = require("/app/modules/device.js").deviceModule;
var utility = require("/app/modules/utility.js").utility;
var devicemgtProps = require("/app/conf/reader/main.js")["conf"];
var userModule = require("/app/modules/user.js").userModule;
var serviceInvokers = require("/app/modules/backend-service-invoker.js")["invokers"];
var serviceInvokers = require("/app/modules/token-protected-service-invokers.js")["invokers"];
var user = session.get(constants.USER_SESSION_KEY);
var result;

@ -24,7 +24,7 @@ var log = new Log("api/device-api.jag");
var constants = require("/app/modules/constants.js");
var utility = require("/app/modules/utility.js").utility;
var devicemgtProps = require("/app/conf/reader/main.js")["conf"];
var serviceInvokers = require("/app/modules/backend-service-invoker.js")["invokers"];
var serviceInvokers = require("/app/modules/token-protected-service-invokers.js")["invokers"];
var user = session.get(constants.USER_SESSION_KEY);
var result;

@ -24,7 +24,7 @@ var uriMatcher = new URIMatcher(String(uri));
var constants = require("/app/modules/constants.js");
var devicemgtProps = require("/app/conf/reader/main.js")["conf"];
var serviceInvokers = require("/app/modules/backend-service-invoker.js")["invokers"];
var serviceInvokers = require("/app/modules/token-protected-service-invokers.js")["invokers"];
if (uriMatcher.match("/{context}/api/invoker/execute/")) {
var restAPIRequestDetails = request.getContent();
@ -97,8 +97,8 @@ if (uriMatcher.match("/{context}/api/invoker/execute/")) {
break;
}
} catch (e) {
log.error("Exception occurred while trying to access backend " +
"REST API services from Jaggery API invoker layer", e);
throw new Error("Exception occurred while trying to access " +
"backend REST API services from Jaggery API invoker layer", e);
}
}
%>

@ -22,7 +22,7 @@ var uriMatcher = new URIMatcher(String(uri));
var log = new Log("api/operation-api.jag");
var serviceInvokers = require("/app/modules/backend-service-invoker.js")["invokers"];
var serviceInvokers = require("/app/modules/token-protected-service-invokers.js")["invokers"];
var devicemgtProps = require("/app/conf/reader/main.js")["conf"];
if (uriMatcher.match("/{context}/api/operation/paginate")) {

@ -21,7 +21,7 @@
@Deprecated - new
*/
// var apiWrapperUtil = require("/app/modules/api-wrapper-util.js")["handlers"];
// var apiWrapperUtil = require("/app/modules/token-handlers.js")["handlers"];
// var tokenCookie = apiWrapperUtil.refreshToken();
// print(tokenCookie);
%>

@ -27,7 +27,7 @@ var devicemgtProps = require("/app/conf/reader/main.js")["conf"];
var userModule = require("/app/modules/user.js").userModule;
var deviceModule = require("/app/modules/device.js").deviceModule;
var utility = require("/app/modules/utility.js").utility;
var apiWrapperUtil = require("/app/modules/api-wrapper-util.js")["handlers"];
var apiWrapperUtil = require("/app/modules/token-handlers.js")["handlers"];
var util = require("/app/modules/util.js").util;
var responseProcessor = require('utils').response;

@ -1,23 +1,34 @@
{
"appContext" : "/devicemgt/",
"webAgentContext" : "/devicemgt-web-agent/",
"apiContext" : "api",
"httpsURL" : "https://localhost:8243",
"appContext": "/emm/",
"webAgentContext" : "/emm-web-agent/",
"apiContext": "api",
"httpsURL" : "%https.ip%",
"httpURL" : "%http.ip%",
"httpsWebURL" : "%https.ip%",
"wssURL" : "%https.ip%",
"wsURL" : "%http.ip%",
"dashboardserverURL" : "%https.ip%",
"dashboardServerURL" : "%https.ip%",
"enrollmentDir": "/emm-web-agent/enrollment",
"iOSConfigRoot" : "%https.ip%/ios-enrollment/",
"iOSAPIRoot" : "%https.ip%/ios/",
"dynamicClientRegistrationEndPoint" : "https://localhost:8243/dynamic-client-web/register/",
"adminService":"%https.ip%",
"idPServer":"https://localhost:8243",
"callBackUrl":"%https.ip%/devicemgt_admin",
"adminService": "%https.ip%",
"oauthProvider": {
"appRegistration": {
"appType": "webapp",
"clientName": "emm",
"owner": "admin@carbon.super",
"dynamicClientAppRegistrationServiceURL": "%https.ip%/dynamic-client-web/register",
"apiManagerClientAppRegistrationServiceURL": "%https.ip%/api-application-registration/register/tenants",
"grantType": "password refresh_token urn:ietf:params:oauth:grant-type:saml2-bearer",
"tokenScope": "admin",
"callbackUrl": "%https.ip%/api/device-mgt/v1.0"
},
"tokenServiceURL": "%https.ip%/oauth2/token"
},
"adminUser":"admin@carbon.super",
"adminRole":"admin",
"usernameLength":30,
"pageSize":10,
"ssoConfiguration" : {
"enabled" : false,
"issuer" : "devicemgt",
@ -45,9 +56,9 @@
"groupNameHelpMsg": "Should be in minimum 3 characters long and should not include any whitespaces."
},
"roleValidationConfig" : {
"rolenameJSRegEx" : "^[\\S]{3,30}$",
"rolenameRegExViolationErrorMsg" : "Provided role name is invalid.",
"rolenameHelpMsg" : "should be in minimum 3 characters long and do not include any whitespaces."
"roleNameJSRegEx" : "^[\\S]{3,30}$",
"roleNameRegExViolationErrorMsg" : "Provided role name is invalid.",
"roleNameHelpMsg" : "should be in minimum 3 characters long and do not include any whitespaces."
},
"generalConfig" : {
"host" : "https://localhost:9443",
@ -58,11 +69,21 @@
"copyrightOwnersSite" : "http://www.wso2.org",
"copyrightSuffix" : " All Rights Reserved."
},
"scopes" : ["license-add", "license-view", "device-view", "device-info", "device-list", "device-view-own",
"device-modify", "device-search", "operation-install", "operation-view", "operation-modify", "operation-uninstall",
"group-add", "group-share", "group-modify", "group-view", "group-remove", "certificate-modify", "certificate-view",
"configuration-view", "configuration-modify", "policy-view", "policy-modify", "device-notification-view",
"device-notification-modify", "feature-view", "arduino_device", "arduino_user", " android_sense_user",
"virtual_firealarm_user", "raspberrypi_user", "roles-view", "roles-modify", "roles-remove", "roles-add",
"user-password-reset", "user-password-modify", "user-modify", "user-view", "user-invite", "user-remove", "user-add"]
"scopes" : [
"license-add", "license-view", "device-view",
"device-info", "device-list", "device-view-own", "device-modify", "device-search",
"operation-install", "operation-view", "operation-modify", "operation-uninstall",
"group-add", "group-share", "group-modify", "group-view", "group-remove",
"certificate-modify", "certificate-view",
"configuration-view", "configuration-modify",
"policy-view", "policy-modify",
"device-notification-view", "device-notification-modify",
"feature-view",
"roles-view", "roles-modify", "roles-remove", "roles-add",
"user-password-reset", "user-password-modify", "user-modify", "user-view", "user-invite", "user-remove", "user-add"
],
"isOAuthEnabled" : true,
"backendRestEndpoints" : {
"deviceMgt" : "/api/device-mgt/v1.0"
}
}
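Review bot: The key renames `dashboardserverURL` → `dashboardServerURL` and `rolenameJSRegEx` / `rolenameRegExViolationErrorMsg` / `rolenameHelpMsg` → `roleName…` are silent breakages for any reader that still uses the old spelling, because a lookup on a missing JSON key yields undefined rather than an error, and this commit shows no consumer of those keys being updated. The same holds for entries that appear to be dropped from the top of the file (`idPServer`, `callBackUrl`, `dynamicClientRegistrationEndPoint`), whose replacements now live under `oauthProvider`; a grep for the old names before merging would confirm nothing still reads them. `generalConfig.host` (a context line) still hardcodes `https://localhost:9443` while the rest of the file has been templated with `%https.ip%`, which looks like an oversight of the same edit.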

@ -23,7 +23,7 @@ deviceModule = function () {
var utility = require('/app/modules/utility.js').utility;
var constants = require('/app/modules/constants.js');
var devicemgtProps = require("/app/conf/reader/main.js")["conf"];
var serviceInvokers = require("/app/modules/backend-service-invoker.js")["invokers"];
var serviceInvokers = require("/app/modules/token-protected-service-invokers.js")["invokers"];
var ArrayList = Packages.java.util.ArrayList;
var Properties = Packages.java.util.Properties;

@ -24,7 +24,7 @@ var groupModule = {};
var constants = require('/app/modules/constants.js');
var devicemgtProps = require("/app/conf/reader/main.js")["conf"];
var utility = require("/app/modules/utility.js").utility;
var serviceInvokers = require("/app/modules/backend-service-invoker.js")["invokers"];
var serviceInvokers = require("/app/modules/token-protected-service-invokers.js")["invokers"];
var groupServiceEndpoint = devicemgtProps["httpsURL"] + constants.ADMIN_SERVICE_CONTEXT + "/groups";

@ -26,7 +26,7 @@
//var invokerRequestWrapper = function () {
//
// var constants = require("/modules/constants.js");
// var serviceInvokers = require("/modules/backend-service-invoker.js").backendServiceInvoker;
// var serviceInvokers = require("/modules/token-protected-service-invokers.js").backendServiceInvoker;
//
// var publicWrappers = [];
//

@ -24,7 +24,7 @@ var onFail;
var constants = require("/app/modules/constants.js");
onSuccess = function (context) {
var utility = require("/app/modules/utility.js").utility;
var apiWrapperUtil = require("/app/modules/api-wrapper-util.js")["handlers"];
var apiWrapperUtil = require("/app/modules/token-handlers.js")["handlers"];
if (context.input.samlToken) {
apiWrapperUtil.setupAccessTokenPairBySamlGrantType(context.input.username, context.input.samlToken);
} else {

@ -21,7 +21,7 @@ var operationModule = function () {
var utility = require('/app/modules/utility.js').utility;
var constants = require('/app/modules/constants.js');
var devicemgtProps = require("/app/conf/reader/main.js")["conf"];
var serviceInvokers = require("/app/modules/backend-service-invoker.js")["invokers"];;
var serviceInvokers = require("/app/modules/token-protected-service-invokers.js")["invokers"];;
var publicMethods = {};
var privateMethods = {};

@ -26,7 +26,7 @@ policyModule = function () {
var constants = require('/app/modules/constants.js');
var utility = require("/app/modules/utility.js")["utility"];
var devicemgtProps = require("/app/conf/reader/main.js")["conf"];
var serviceInvokers = require("/app/modules/backend-service-invoker.js")["invokers"];
var serviceInvokers = require("/app/modules/token-protected-service-invokers.js")["invokers"];
var publicMethods = {};
var privateMethods = {};

@ -17,11 +17,10 @@
*/
/**
* ----------------------------------------------------------------------------
* Following module includes invokers
* at Jaggery Layer for calling Backend Services, protected by OAuth Tokens.
* These Services include both REST and SOAP Services.
* ----------------------------------------------------------------------------
* -----------------------------------------------------
* Following module includes handlers
* at Jaggery Layer for handling OAuth tokens.
* -----------------------------------------------------
*/
var handlers = function () {
var log = new Log("/app/modules/token-handlers.js");
@ -39,19 +38,20 @@ var handlers = function () {
"client credentials to session context. No username is found as " +
"input - setUpEncodedTenantBasedClientCredentials(x)");
} else {
var dynamicClientCredentials = tokenUtil.getDynamicClientCredentials();
var dynamicClientCredentials = tokenUtil.getDynamicClientAppCredentials();
if (!dynamicClientCredentials) {
throw new Error("{/app/modules/token-handlers.js} Could not set up encoded tenant based " +
"client credentials to session context as the server is unable to obtain " +
"dynamic client credentials - setUpEncodedTenantBasedClientCredentials(x)");
} else {
var jwtToken = tokenUtil.getTokenWithJWTGrantType(dynamicClientCredentials);
var jwtToken = tokenUtil.getAccessTokenByJWTGrantType(dynamicClientCredentials);
if (!jwtToken) {
throw new Error("{/app/modules/token-handlers.js} Could not set up encoded tenant based " +
"client credentials to session context as the server is unable to obtain " +
"a jwt token - setUpEncodedTenantBasedClientCredentials(x)");
} else {
var tenantBasedClientCredentials = tokenUtil.getTenantBasedAppCredentials(username, jwtToken);
var tenantBasedClientCredentials = tokenUtil.
getTenantBasedClientAppCredentials(username, jwtToken);
if (!tenantBasedClientCredentials) {
throw new Error("{/app/modules/token-handlers.js} Could not set up encoded tenant " +
"based client credentials to session context as the server is unable " +
@ -89,7 +89,7 @@ var handlers = function () {
stringOfScopes += entry + " ";
});
accessTokenPair = tokenUtil.
getTokenWithPasswordGrantType(username,
getAccessTokenByPasswordGrantType(username,
encodeURIComponent(password), encodedClientCredentials, stringOfScopes);
if (!accessTokenPair) {
throw new Error("{/app/modules/token-handlers.js} Could not set up access " +
@ -119,7 +119,7 @@ var handlers = function () {
var accessTokenPair;
// accessTokenPair will include current access token as well as current refresh token
accessTokenPair = tokenUtil.
getTokenWithSAMLGrantType(samlToken, encodedClientCredentials, "PRODUCTION");
getAccessTokenBySAMLGrantType(samlToken, encodedClientCredentials, "PRODUCTION");
if (!accessTokenPair) {
throw new Error("{/app/modules/token-handlers.js} Could not set up access token " +
"pair by password grant type. Error in token " +
@ -141,7 +141,7 @@ var handlers = function () {
"token pair, encoded client credentials or both input are not found under " +
"session context - refreshToken()");
} else {
var newAccessTokenPair = tokenUtil.refreshToken(accessTokenPair, encodedClientCredentials);
var newAccessTokenPair = tokenUtil.refreshToken(accessTokenPair["refreshToken"], encodedClientCredentials);
if (!newAccessTokenPair) {
log.error("{/app/modules/token-handlers.js} Error in refreshing tokens. Unable to update " +
"session context with new access token pair - refreshToken()");
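Review bot: `tokenUtil.refreshToken(accessTokenPair["refreshToken"], encodedClientCredentials)` on the new side of this hunk calls a method that, judging from the util.js part of this commit, no longer exists: `module.refreshToken` is removed there and its replacement is `publicMethods.getNewAccessTokenByRefreshToken(refreshToken, encodedClientCredentials, scopes)`. The `tokenUtil` binding is not in view, but the other calls in this file (`getDynamicClientAppCredentials`, `getAccessTokenByJWTGrantType`, `getTenantBasedClientAppCredentials`) match util.js's public methods, so if it is that module this line throws a TypeError on every refresh and never reaches the `!newAccessTokenPair` branch below it. The fix would be `var newAccessTokenPair = tokenUtil.getNewAccessTokenByRefreshToken(accessTokenPair["refreshToken"], encodedClientCredentials);`. The enclosing refreshToken handler starts and ends outside the hunk.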

@ -24,7 +24,7 @@
* ----------------------------------------------------------------------------
*/
var invokers = function () {
var log = new Log("/app/modules/backend-service-invoker.js");
var log = new Log("/app/modules/token-protected-service-invokers.js");
var publicXMLHTTPInvokers = {};
var publicHTTPClientInvokers = {};
@ -38,7 +38,7 @@ var invokers = function () {
var devicemgtProps = require("/app/conf/reader/main.js")["conf"];
var constants = require("/app/modules/constants.js");
var userModule = require("/app/modules/user.js")["userModule"];
var tokenUtil = require("/app/modules/api-wrapper-util.js")["handlers"];
var tokenUtil = require("/app/modules/token-handlers.js")["handlers"];
/**
* This method reads the token pair from the session and return the access token.

@ -25,7 +25,7 @@ var userModule = function () {
var constants = require("/app/modules/constants.js");
var utility = require("/app/modules/utility.js")["utility"];
var devicemgtProps = require("/app/conf/reader/main.js")["conf"];
var serviceInvokers = require("/app/modules/backend-service-invoker.js")["invokers"];
var serviceInvokers = require("/app/modules/token-protected-service-invokers.js")["invokers"];
/* Initializing user manager */
var carbon = require("carbon");

@ -1,5 +1,5 @@
/*
* Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
* Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
*
* WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
@ -10,217 +10,276 @@
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
* either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
var util = function () {
var log = new Log("/app/modules/util.js");
var module = {};
var privateMethods = {};
var publicMethods = {};
var Base64 = Packages.org.apache.commons.codec.binary.Base64;
var String = Packages.java.lang.String;
var devicemgtProps = require("/app/conf/reader/main.js")["conf"];
var carbon = require('carbon');
var deviceMgtProps = require("/app/conf/reader/main.js")["conf"];
var adminUser = deviceMgtProps["adminUser"];
var constants = require("/app/modules/constants.js");
var adminUser = devicemgtProps["adminUser"];
var clientName = devicemgtProps["clientName"];
module.getDynamicClientCredentials = function () {
var payload = {
"callbackUrl": devicemgtProps.callBackUrl,
"clientName": clientName,
"tokenScope": "admin",
"owner": adminUser,
"applicationType": "webapp",
"grantType": "password refresh_token urn:ietf:params:oauth:grant-type:saml2-bearer",
"saasApp" :true
var carbon = require("carbon");
publicMethods.encode = function (payload) {
return new String(Base64.encodeBase64(new String(payload).getBytes()));
};
publicMethods.decode = function (payload) {
return new String(Base64.decodeBase64(new String(payload).getBytes()));
};
publicMethods.getDynamicClientAppCredentials = function () {
// setting up dynamic client application properties
var dcAppProperties = {
"applicationType": deviceMgtProps["oauthProvider"]["appRegistration"]["appType"],
"clientName": deviceMgtProps["oauthProvider"]["appRegistration"]["clientName"],
"owner": deviceMgtProps["oauthProvider"]["appRegistration"]["owner"],
"tokenScope": deviceMgtProps["oauthProvider"]["appRegistration"]["tokenScope"],
"grantType": deviceMgtProps["oauthProvider"]["appRegistration"]["grantType"],
"callbackUrl": deviceMgtProps["oauthProvider"]["appRegistration"]["callbackUrl"],
"saasApp" : true
};
// calling dynamic client app registration service endpoint
var requestURL = deviceMgtProps["oauthProvider"]["appRegistration"]
["dynamicClientAppRegistrationServiceURL"];
var requestPayload = dcAppProperties;
var xhr = new XMLHttpRequest();
var tokenEndpoint = devicemgtProps.dynamicClientRegistrationEndPoint;
xhr.open("POST", tokenEndpoint, false);
xhr.open("POST", requestURL, false);
xhr.setRequestHeader("Content-Type", "application/json");
xhr.send(payload);
var clientData = {};
if (xhr.status == 201) {
var data = parse(xhr.responseText);
clientData.clientId = data.client_id;
clientData.clientSecret = data.client_secret;
} else if (xhr.status == 400) {
throw "Invalid client meta data";
xhr.send(stringify(requestPayload));
var dynamicClientCredentials = {};
if (xhr["status"] == 201 && xhr["responseText"]) {
var responsePayload = parse(xhr["responseText"]);
dynamicClientCredentials["clientId"] = responsePayload["client_id"];
dynamicClientCredentials["clientSecret"] = responsePayload["client_secret"];
} else if (xhr["status"] == 400) {
log.error("{/app/modules/util.js - getDynamicClientAppCredentials()} " +
"Bad request. Invalid data provided as dynamic client application properties.");
dynamicClientCredentials = null;
} else {
throw "Error in obtaining client id and secret";
log.error("{/app/modules/util.js - getDynamicClientAppCredentials()} " +
"Error in retrieving dynamic client credentials.");
dynamicClientCredentials = null;
}
return clientData;
// returning dynamic client credentials
return dynamicClientCredentials;
};
/**
* Encode the payload in Base64
* @param payload
* @returns {Packages.java.lang.String}
*/
module.encode = function (payload) {
return new String(Base64.encodeBase64(new String(payload).getBytes()));
}
module.decode = function (payload) {
return new String(Base64.decodeBase64(new String(payload).getBytes()));
}
publicMethods.getAccessTokenByPasswordGrantType = function (username, password, encodedClientCredentials, scopes) {
if (!username || !password || !encodedClientCredentials || !scopes) {
log.error("{/app/modules/util.js} Error in retrieving access token by password " +
"grant type. No username, password, encoded client credentials or scopes are " +
"found - getAccessTokenByPasswordGrantType(a, b, c, d)");
return null;
} else {
// calling oauth provider token service endpoint
var requestURL = deviceMgtProps["oauthProvider"]["tokenServiceURL"];
var requestPayload = "grant_type=password&username=" +
username + "&password=" + password + "&scope=" + scopes;
/**
* Get an AccessToken pair based on username and password
* @param username
* @param password
* @param clientId
* @param clientSecret
* @param scope
* @returns {{accessToken: "", refreshToken: ""}}
*/
module.getTokenWithPasswordGrantType = function (username, password, encodedClientKeys, scope) {
var xhr = new XMLHttpRequest();
var tokenEndpoint = devicemgtProps.idPServer;
xhr.open("POST", tokenEndpoint, false);
xhr.open("POST", requestURL, false);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.setRequestHeader("Authorization", "Basic " + encodedClientKeys);
xhr.send("grant_type=password&username=" + username + "&password=" + password + "&scope=" + scope);
delete password, delete clientSecret, delete encodedClientKeys;
xhr.setRequestHeader("Authorization", "Basic " + encodedClientCredentials);
xhr.send(requestPayload);
if (xhr["status"] == 200 && xhr["responseText"]) {
var responsePayload = parse(xhr["responseText"]);
var tokenPair = {};
if (xhr.status == 200) {
var data = parse(xhr.responseText);
tokenPair.refreshToken = data.refresh_token;
tokenPair.accessToken = data.access_token;
} else if (xhr.status == 403) {
log.error("Error in obtaining token with Password grant type");
return null;
tokenPair["accessToken"] = responsePayload["access_token"];
tokenPair["refreshToken"] = responsePayload["refresh_token"];
return tokenPair;
} else {
log.error("Error in obtaining token with Password grant type");
log.error("{/app/modules/util.js} Error in retrieving access token by password " +
"grant type - getAccessTokenByPasswordGrantType(a, b, c, d)");
return null;
}
return tokenPair;
}
};
module.getTokenWithSAMLGrantType = function (assertion, clientKeys, scope) {
var assertionXML = module.decode(assertion) ;
var encodedExtractedAssertion;
var extractedAssertion;
//TODO: make assertion extraction with proper parsing. Since Jaggery XML parser seem to add formatting
//which causes signature verification to fail.
publicMethods.getAccessTokenBySAMLGrantType = function (assertion, encodedClientCredentials, scopes) {
if (!assertion || !encodedClientCredentials || !scopes) {
log.error("{/app/modules/util.js} Error in retrieving access token by saml " +
"grant type. No assertion, encoded client credentials or scopes are " +
"found - getAccessTokenBySAMLGrantType(x, y, z)");
return null;
} else {
var assertionXML = publicMethods.decode(assertion);
/*
TODO: make assertion extraction with proper parsing. Since Jaggery XML parser seem
to add formatting which causes signature verification to fail.
*/
var assertionStartMarker = "<saml2:Assertion";
var assertionEndMarker = "<\/saml2:Assertion>";
var assertionStartIndex = assertionXML.indexOf(assertionStartMarker);
var assertionEndIndex = assertionXML.indexOf(assertionEndMarker);
if (assertionStartIndex != -1 && assertionEndIndex != -1) {
extractedAssertion = assertionXML.substring(assertionStartIndex, assertionEndIndex) + assertionEndMarker;
var extractedAssertion;
if (assertionStartIndex == -1 || assertionEndIndex == -1) {
log.error("{/app/modules/util.js} Error in retrieving access token by saml grant type. " +
"Issue in assertion format - getAccessTokenBySAMLGrantType(x, y, z)");
return null;
} else {
throw "Invalid SAML response. SAML response has no valid assertion string";
}
extractedAssertion = assertionXML.
substring(assertionStartIndex, assertionEndIndex) + assertionEndMarker;
var encodedAssertion = publicMethods.encode(extractedAssertion);
encodedExtractedAssertion = this.encode(extractedAssertion);
// calling oauth provider token service endpoint
var requestURL = deviceMgtProps["oauthProvider"]["tokenServiceURL"];
var requestPayload = "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&" +
"assertion=" + encodeURIComponent(encodedAssertion) + "&scope=" + scopes;
var xhr = new XMLHttpRequest();
var tokenEndpoint = devicemgtProps.idPServer;
xhr.open("POST", tokenEndpoint, false);
xhr.open("POST", requestURL, false);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.setRequestHeader("Authorization", "Basic " + clientKeys);
xhr.send("grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=" +
encodeURIComponent(encodedExtractedAssertion) + "&scope=" + "PRODUCTION");
xhr.setRequestHeader("Authorization", "Basic " + encodedClientCredentials);
xhr.send(requestPayload);
if (xhr["status"] == 200 && xhr["responseText"]) {
var responsePayload = parse(xhr["responseText"]);
var tokenPair = {};
if (xhr.status == 200) {
var data = parse(xhr.responseText);
tokenPair.refreshToken = data.refresh_token;
tokenPair.accessToken = data.access_token;
} else if (xhr.status == 403) {
throw "Error in obtaining token with SAML extension grant type";
tokenPair["accessToken"] = responsePayload["access_token"];
tokenPair["refreshToken"] = responsePayload["refresh_token"];
return tokenPair;
} else {
throw "Error in obtaining token with SAML extension grant type";
log.error("{/app/modules/util.js} Error in retrieving access token by password " +
"grant type - getAccessTokenBySAMLGrantType(x, y, z)");
return null;
}
}
}
return tokenPair;
};
module.refreshToken = function (tokenPair, clientData, scope) {
publicMethods.getNewAccessTokenByRefreshToken = function (refreshToken, encodedClientCredentials, scopes) {
if (!refreshToken || !encodedClientCredentials) {
log.error("{/app/modules/util.js} Error in retrieving new access token by current " +
"refresh token. No refresh token or encoded client credentials are " +
"found - getNewAccessTokenByRefreshToken(x, y, z)");
return null;
} else {
var requestURL = deviceMgtProps["oauthProvider"]["tokenServiceURL"];
var requestPayload = "grant_type=refresh_token&refresh_token=" + refreshToken;
if (scopes) {
requestPayload = requestPayload + "&scope=" + scopes;
}
var xhr = new XMLHttpRequest();
var tokenEndpoint = devicemgtProps.idPServer;
xhr.open("POST", tokenEndpoint, false);
xhr.open("POST", requestURL, false);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.setRequestHeader("Authorization", "Basic " + clientData);
var url = "grant_type=refresh_token&refresh_token=" + tokenPair.refreshToken;
if (scope) {
url = url + "&scope=" + scope
}
xhr.send(url);
delete clientData;
xhr.setRequestHeader("Authorization", "Basic " + encodedClientCredentials);
xhr.send(requestPayload);
if (xhr["status"] == 200 && xhr["responseText"]) {
var responsePayload = parse(xhr["responseText"]);
var tokenPair = {};
if (xhr.status == 200) {
var data = parse(xhr.responseText);
tokenPair.refreshToken = data.refresh_token;
tokenPair.accessToken = data.access_token;
} else if (xhr.status == 400) {
tokenPair = session.get(constants.ACCESS_TOKEN_PAIR_IDENTIFIER);
} else if (xhr.status == 403) {
throw "Error in obtaining token with Refresh Token Grant Type";
tokenPair["accessToken"] = responsePayload["access_token"];
tokenPair["refreshToken"] = responsePayload["refresh_token"];
return tokenPair;
} else {
throw "Error in obtaining token with Refresh Token Type";
log.error("{/app/modules/util.js} Error in retrieving new access token by " +
"current refresh token - getNewAccessTokenByRefreshToken(x, y, z)");
return null;
}
}
return tokenPair;
};
module.getTokenWithJWTGrantType = function (clientData) {
var jwtService = carbon.server.osgiService('org.wso2.carbon.identity.jwt.client.extension.service.JWTClientManagerService');
var jwtClient = jwtService.getJWTClient();
var jwtToken = jwtClient.getAccessToken(clientData.clientId, clientData.clientSecret, adminUser, null);
return jwtToken;
publicMethods.getAccessTokenByJWTGrantType = function (clientCredentials) {
if (!clientCredentials) {
log.error("{/app/modules/util.js} Error in retrieving new access token by current refresh " +
"token. No client credentials are found as input - getAccessTokenByJWTGrantType(x)");
return null;
} else {
var JWTClientManagerServicePackagePath =
"org.wso2.carbon.identity.jwt.client.extension.service.JWTClientManagerService";
var JWTClientManagerService = carbon.server.osgiService(JWTClientManagerServicePackagePath);
var jwtClient = JWTClientManagerService.getJWTClient();
// returning access token by JWT grant type
return jwtClient.getAccessToken(clientCredentials["clientId"], clientCredentials["clientSecret"],
deviceMgtProps["oauthProvider"]["appRegistration"]["owner"], null)["accessToken"];
}
};
module.getTenantBasedAppCredentials = function (uname, token) {
var tenantDomain = carbonModule.server.tenantDomain({
username: uname
});
var clientData = this.getCachedCredentials(tenantDomain);
if (!clientData) {
publicMethods.getTenantBasedClientAppCredentials = function (username, jwtToken) {
if (!username || !jwtToken) {
log.error("{/app/modules/util.js} Error in retrieving tenant based client application credentials. " +
"No username or jwt token is found as input - getTenantBasedClientAppCredentials(x, y)");
return null;
} else {
var tenantDomain = carbon.server.tenantDomain({username: username});
if (!tenantDomain) {
log.error("{/app/modules/util.js} Error in retrieving tenant based client application " +
"credentials. Unable to obtain a valid tenant domain for provided " +
"username - getTenantBasedClientAppCredentials(x, y)");
return null;
} else {
var cachedTenantBasedClientAppCredentials = publicMethods.
getCachedTenantBasedClientAppCredentials(tenantDomain);
if (cachedTenantBasedClientAppCredentials) {
return cachedTenantBasedClientAppCredentials;
} else {
// register a tenant based client app at API Manager
var applicationName = "webapp_" + tenantDomain;
var requestURL = deviceMgtProps["oauthProvider"]["appRegistration"]
["apiManagerClientAppRegistrationServiceURL"] +
"?tenantDomain=" + tenantDomain + "&applicationName=" + applicationName;
var xhr = new XMLHttpRequest();
var endpoint = devicemgtProps["adminService"] + "/api-application-registration/register/tenants?tenantDomain=" +
tenantDomain + "&applicationName=" + applicationName;
xhr.open("POST", endpoint, false);
xhr.open("POST", requestURL, false);
xhr.setRequestHeader("Content-Type", "application/json");
xhr.setRequestHeader("Authorization", "Bearer " + token.accessToken);
xhr.setRequestHeader("Authorization", "Bearer " + jwtToken);
xhr.send();
if (xhr.status == 201) {
var data = parse(xhr.responseText);
clientData = {};
clientData.clientId = data.client_id;
clientData.clientSecret = data.client_secret;
this.setTenantBasedAppCredentials(tenantDomain, clientData);
} else if (xhr.status == 400) {
throw "Invalid client meta data";
if (xhr["status"] == 201 && xhr["responseText"]) {
var responsePayload = parse(xhr["responseText"]);
var tenantBasedClientAppCredentials = {};
tenantBasedClientAppCredentials["clientId"] = responsePayload["client_id"];
tenantBasedClientAppCredentials["clientSecret"] = responsePayload["client_secret"];
publicMethods.
setCachedTenantBasedClientAppCredentials(tenantDomain, tenantBasedClientAppCredentials);
return tenantBasedClientAppCredentials;
} else {
throw "Error in obtaining client id and secret from APIM";
log.error("{/app/modules/util.js} Error in retrieving tenant based client " +
"application credentials from API Manager - getTenantBasedClientAppCredentials(x, y)");
return null;
}
}
}
}
return clientData;
};
module.setTenantBasedAppCredentials = function (tenantDomain, clientData) {
var cachedMap = application.get(constants.CACHED_CREDENTIALS);
if (!cachedMap) {
cachedMap = new Object();
cachedMap[tenantDomain] = clientData;
application.put(constants.CACHED_CREDENTIALS, cachedMap);
} else {
cachedMap[tenantDomain] = clientData;
publicMethods.setCachedTenantBasedClientAppCredentials = function (tenantDomain, clientCredentials) {
var cachedTenantBasedClientAppCredentialsMap = application.get(constants["CACHED_CREDENTIALS"]);
if (!cachedTenantBasedClientAppCredentialsMap) {
cachedTenantBasedClientAppCredentialsMap = {};
cachedTenantBasedClientAppCredentialsMap[tenantDomain] = clientCredentials;
application.put(constants["CACHED_CREDENTIALS"], cachedTenantBasedClientAppCredentialsMap);
} else if (!cachedTenantBasedClientAppCredentialsMap[tenantDomain]) {
cachedTenantBasedClientAppCredentialsMap[tenantDomain] = clientCredentials;
}
};
module.getCachedCredentials = function(tenantDomain) {
var cachedMap = application.get(constants.CACHED_CREDENTIALS);
if (cachedMap) {
return cachedMap[tenantDomain];
}
publicMethods.getCachedTenantBasedClientAppCredentials = function (tenantDomain) {
var cachedTenantBasedClientAppCredentialsMap = application.get(constants["CACHED_CREDENTIALS"]);
if (!cachedTenantBasedClientAppCredentialsMap ||
!cachedTenantBasedClientAppCredentialsMap[tenantDomain]) {
return null;
} else {
return cachedTenantBasedClientAppCredentialsMap[tenantDomain];
}
};
return module;
return publicMethods;
}();
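Review bot: The form bodies built in `getAccessTokenByPasswordGrantType` and `getNewAccessTokenByRefreshToken` interpolate `username`, `scopes` and `refreshToken` without URL-encoding (the SAML path does encode its assertion with `encodeURIComponent`), so a username containing `&`, `+` or `%`, or the space-separated scope string the caller appears to assemble, is not a valid `application/x-www-form-urlencoded` value and can change what the token endpoint receives; `password` must stay as-is here because the caller already passes `encodeURIComponent(password)`. Suggested: `var requestPayload = "grant_type=password&username=" + encodeURIComponent(username) + "&password=" + password + "&scope=" + encodeURIComponent(scopes);` and likewise `"grant_type=refresh_token&refresh_token=" + encodeURIComponent(refreshToken)`, with the same treatment for `tenantDomain` and `applicationName` in the query string of `getTenantBasedClientAppCredentials`. Separately, the error messages at the end of `getAccessTokenBySAMLGrantType` ("by password grant type") and the start of `getAccessTokenByJWTGrantType` ("new access token by current refresh token") are copy-pasted from other methods and will mislead whoever reads the log. Also `setCachedTenantBasedClientAppCredentials` now skips the write when the tenant already has an entry, unlike the removed version that always overwrote; if that is intended, a comment such as `// first registration wins; cached credentials are never replaced` would make it explicit.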
