Recomended Changes to Enabling OAuth Authentication for BackEnd Services

4.x.x
Kamidu Sachith 9 years ago
parent 97df36842d
commit 786728b49b

@ -1,4 +1,21 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!--
~ Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
~
~ WSO2 Inc. licenses this file to you under the Apache License,
~ Version 2.0 (the "License"); you may not use this file except
~ in compliance with the License.
~ you may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing,
~ software distributed under the License is distributed on an
~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
~ KIND, either express or implied. See the License for the
~ specific language governing permissions and limitations
~ under the License.
-->
<project xmlns="http://maven.apache.org/POM/4.0.0" <project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
@ -16,47 +33,38 @@
<dependency> <dependency>
<groupId>org.wso2.carbon</groupId> <groupId>org.wso2.carbon</groupId>
<artifactId>org.wso2.carbon.utils</artifactId> <artifactId>org.wso2.carbon.utils</artifactId>
<version>${carbon.kernel.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.wso2.carbon.identity</groupId> <groupId>org.wso2.carbon.identity</groupId>
<artifactId>org.wso2.carbon.identity.base</artifactId> <artifactId>org.wso2.carbon.identity.base</artifactId>
<version>${carbon.identity.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.wso2.carbon.identity</groupId> <groupId>org.wso2.carbon.identity</groupId>
<artifactId>org.wso2.carbon.identity.core</artifactId> <artifactId>org.wso2.carbon.identity.core</artifactId>
<version>${carbon.identity.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.wso2.carbon</groupId> <groupId>org.wso2.carbon</groupId>
<artifactId>org.wso2.carbon.core</artifactId> <artifactId>org.wso2.carbon.core</artifactId>
<version>${carbon.kernel.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.wso2.carbon</groupId> <groupId>org.wso2.carbon</groupId>
<artifactId>org.wso2.carbon.logging</artifactId> <artifactId>org.wso2.carbon.logging</artifactId>
<version>${carbon.kernel.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.wso2.carbon.identity</groupId> <groupId>org.wso2.carbon.identity</groupId>
<artifactId>org.wso2.carbon.identity.application.authentication.framework</artifactId> <artifactId>org.wso2.carbon.identity.application.authentication.framework</artifactId>
<version>${carbon.identity.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.wso2.carbon</groupId> <groupId>org.wso2.carbon</groupId>
<artifactId>org.wso2.carbon.core.services</artifactId> <artifactId>org.wso2.carbon.core.services</artifactId>
<version>${carbon.kernel.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.wso2.carbon.identity</groupId> <groupId>org.wso2.carbon.identity</groupId>
<artifactId>org.wso2.carbon.identity.oauth</artifactId> <artifactId>org.wso2.carbon.identity.oauth</artifactId>
<version>${carbon.identity.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.wso2.carbon.identity</groupId> <groupId>org.wso2.carbon.identity</groupId>
<artifactId>org.wso2.carbon.identity.application.common</artifactId> <artifactId>org.wso2.carbon.identity.application.common</artifactId>
<version>${carbon.identity.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.wso2.carbon.identity</groupId> <groupId>org.wso2.carbon.identity</groupId>
@ -98,11 +106,9 @@
<Export-Package> <Export-Package>
org.wso2.carbon.identity.authenticator.backend.oauth.*; org.wso2.carbon.identity.authenticator.backend.oauth.*;
</Export-Package> </Export-Package>
<DynamicImport-Package>*</DynamicImport-Package>
</instructions> </instructions>
</configuration> </configuration>
</plugin> </plugin>
</plugins> </plugins>
</build> </build>
</project> </project>

@ -41,18 +41,24 @@ public class OauthAuthenticator implements CarbonServerAuthenticator {
private static final Log log = LogFactory.getLog(OauthAuthenticator.class); private static final Log log = LogFactory.getLog(OauthAuthenticator.class);
private static final int PRIORITY = 5; private static final int PRIORITY = 5;
private static final int ACCESS_TOKEN_INDEX = 1; private static final int ACCESS_TOKEN_INDEX = 1;
private OAuth2TokenValidator tokenValidator;
private static String hostUrl = ""; public OauthAuthenticator() {
private static boolean isRemote = false;
static {
AuthenticatorsConfiguration authenticatorsConfiguration = AuthenticatorsConfiguration.getInstance(); AuthenticatorsConfiguration authenticatorsConfiguration = AuthenticatorsConfiguration.getInstance();
AuthenticatorsConfiguration.AuthenticatorConfig authenticatorConfig = authenticatorsConfiguration.getAuthenticatorConfig(OauthAuthenticatorConstants.AUTHENTICATOR_NAME); AuthenticatorsConfiguration.AuthenticatorConfig authenticatorConfig = authenticatorsConfiguration.
getAuthenticatorConfig(OauthAuthenticatorConstants.AUTHENTICATOR_NAME);
boolean isRemote;
String hostUrl;
if (authenticatorConfig != null) { if (authenticatorConfig != null) {
isRemote = Boolean.parseBoolean(authenticatorConfig.getParameters().get("isRemote")); isRemote = Boolean.parseBoolean(authenticatorConfig.getParameters().get("isRemote"));
hostUrl = authenticatorConfig.getParameters().get("hostURL"); hostUrl = authenticatorConfig.getParameters().get("hostURL");
}else{
throw new IllegalArgumentException("Configuration parameters need to be defined in Authenticators.xml");
}
try {
tokenValidator = OAuthValidatorFactory.getValidator(isRemote, hostUrl);
} catch (IllegalArgumentException e) {
log.error("Failed to initialise Authenticator",e);
} }
} }
@ -65,10 +71,8 @@ public class OauthAuthenticator implements CarbonServerAuthenticator {
public boolean isHandle(MessageContext messageContext) { public boolean isHandle(MessageContext messageContext) {
HttpServletRequest httpServletRequest = getHttpRequest(messageContext); HttpServletRequest httpServletRequest = getHttpRequest(messageContext);
String headerValue = httpServletRequest.getHeader(HTTPConstants.HEADER_AUTHORIZATION); String headerValue = httpServletRequest.getHeader(HTTPConstants.HEADER_AUTHORIZATION);
if (headerValue != null && !headerValue.trim().isEmpty()) { if (headerValue != null && !headerValue.trim().isEmpty()) {
String[] headerPart = headerValue.trim().split(OauthAuthenticatorConstants.SPLITING_CHARACTOR); String[] headerPart = headerValue.trim().split(OauthAuthenticatorConstants.SPLITING_CHARACTOR);
if (OauthAuthenticatorConstants.AUTHORIZATION_HEADER_PREFIX_BEARER.equals(headerPart[0])) { if (OauthAuthenticatorConstants.AUTHORIZATION_HEADER_PREFIX_BEARER.equals(headerPart[0])) {
return true; return true;
} }
@ -88,38 +92,25 @@ public class OauthAuthenticator implements CarbonServerAuthenticator {
public boolean isAuthenticated(MessageContext messageContext) { public boolean isAuthenticated(MessageContext messageContext) {
HttpServletRequest httpServletRequest = getHttpRequest(messageContext); HttpServletRequest httpServletRequest = getHttpRequest(messageContext);
String headerValue = httpServletRequest.getHeader(HTTPConstants.HEADER_AUTHORIZATION); String headerValue = httpServletRequest.getHeader(HTTPConstants.HEADER_AUTHORIZATION);
//split the header value to separate the identity type and the token.
String[] headerPart = headerValue.trim().split(OauthAuthenticatorConstants.SPLITING_CHARACTOR); String[] headerPart = headerValue.trim().split(OauthAuthenticatorConstants.SPLITING_CHARACTOR);
String accessToken = headerPart[ACCESS_TOKEN_INDEX]; String accessToken = headerPart[ACCESS_TOKEN_INDEX];
OAuth2TokenValidator tokenValidator = OAuthValidatorFactory.getValidator(isRemote,hostUrl); OAuthValidationRespond response = null;
if (tokenValidator == null) {
log.error("OAuthValidationFactory failed to return a validator",
new AuthenticatorException("OAuthValidatorFactory Failed to determine the validator"));
return false;
}
OAuthValidationRespond respond = null;
try { try {
respond = tokenValidator.validateToken(accessToken); response = tokenValidator.validateToken(accessToken);
} catch (RemoteException e) { } catch (RemoteException e) {
log.error("Failed to validate the OAuth token provided.", e); log.error("Failed to validate the OAuth token provided.", e);
} }
if (response != null && response.isValid()) {
if (respond != null && respond.isValid()) {
HttpSession session; HttpSession session;
if ((session = httpServletRequest.getSession(false)) != null) { if ((session = httpServletRequest.getSession(false)) != null) {
session.setAttribute(MultitenantConstants.TENANT_DOMAIN, respond.getTenantDomain()); session.setAttribute(MultitenantConstants.TENANT_DOMAIN, response.getTenantDomain());
session.setAttribute(ServerConstants.USER_LOGGED_IN, respond.getUserName()); session.setAttribute(ServerConstants.USER_LOGGED_IN, response.getUserName());
if (log.isDebugEnabled()) { if (log.isDebugEnabled()) {
log.debug("Authentication successful for " + session.getAttribute(ServerConstants.USER_LOGGED_IN)); log.debug("Authentication successful for " + session.getAttribute(ServerConstants.USER_LOGGED_IN));
} }
} }
return true; return true;
} }
if (log.isDebugEnabled()) { if (log.isDebugEnabled()) {
log.debug("Authentication failed.Illegal attempt from session " + httpServletRequest.getSession().getId()); log.debug("Authentication failed.Illegal attempt from session " + httpServletRequest.getSession().getId());
} }

@ -20,6 +20,7 @@ package org.wso2.carbon.identity.authenticator.backend.oauth.validator;
/** /**
* This class hold the validation information which can be retrieve by both remote and in house IDPs * This class hold the validation information which can be retrieve by both remote and in house IDPs
*/ */
@SuppressWarnings("unused")
public class OAuthValidationRespond { public class OAuthValidationRespond {
private String userName; private String userName;
private String tenantDomain; private String tenantDomain;

@ -17,34 +17,28 @@
*/ */
package org.wso2.carbon.identity.authenticator.backend.oauth.validator; package org.wso2.carbon.identity.authenticator.backend.oauth.validator;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.authenticator.backend.oauth.AuthenticatorException; import org.wso2.carbon.identity.authenticator.backend.oauth.AuthenticatorException;
import org.wso2.carbon.identity.authenticator.backend.oauth.OauthAuthenticatorConstants; import org.wso2.carbon.identity.authenticator.backend.oauth.OauthAuthenticatorConstants;
import org.wso2.carbon.identity.authenticator.backend.oauth.validator.impl.ExternalOAuthValidator; import org.wso2.carbon.identity.authenticator.backend.oauth.validator.impl.ExternalOAuthValidator;
import org.wso2.carbon.identity.authenticator.backend.oauth.validator.impl.LocalOAuthValidator; import org.wso2.carbon.identity.authenticator.backend.oauth.validator.impl.LocalOAuthValidator;
/** /**
* the class validate the configurations and provide the most suitable implementation according to the configuration. * The class validate the configurations and provide the most suitable implementation according to the configuration.
* Factory class for OAuthValidator. * Factory class for OAuthValidator.
*/ */
public class OAuthValidatorFactory { public class OAuthValidatorFactory {
private static Log log = LogFactory.getLog(OAuthValidatorFactory.class);
/** /**
* the method check the configuration and provide the appropriate implementation for OAuth2TokenValidator * The method check the configuration and provide the appropriate implementation for OAuth2TokenValidator
*
* @return OAuth2TokenValidator * @return OAuth2TokenValidator
*/ */
public static OAuth2TokenValidator getValidator(boolean isRemote ,String hostURL) { public static OAuth2TokenValidator getValidator(boolean isRemote, String hostURL) throws IllegalArgumentException {
if (isRemote) { if (isRemote) {
if (!(hostURL == null || hostURL.trim().isEmpty())) { if (!(hostURL == null || hostURL.trim().isEmpty())) {
hostURL = hostURL + OauthAuthenticatorConstants.OAUTH_ENDPOINT_POSTFIX; hostURL = hostURL + OauthAuthenticatorConstants.OAUTH_ENDPOINT_POSTFIX;
return new ExternalOAuthValidator(hostURL); return new ExternalOAuthValidator(hostURL);
} else { } else {
log.error("IDP Configuration error", throw new IllegalArgumentException("Remote server name and ip both can't be empty");
new AuthenticatorException("Remote server name and ip both can't be empty"));
return null;
} }
} }
return new LocalOAuthValidator(); return new LocalOAuthValidator();

@ -21,15 +21,14 @@ import org.apache.axis2.client.Options;
import org.apache.axis2.client.ServiceClient; import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.transport.http.HTTPConstants; import org.apache.axis2.transport.http.HTTPConstants;
import org.apache.commons.httpclient.Header; import org.apache.commons.httpclient.Header;
import org.wso2.carbon.identity.authenticator.backend.oauth.OauthAuthenticatorConstants;
import org.wso2.carbon.identity.authenticator.backend.oauth.validator.OAuth2TokenValidator;
import org.wso2.carbon.identity.authenticator.backend.oauth.validator.OAuthValidationRespond;
import org.wso2.carbon.identity.oauth2.stub.OAuth2TokenValidationServiceStub; import org.wso2.carbon.identity.oauth2.stub.OAuth2TokenValidationServiceStub;
import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2ClientApplicationDTO; import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2ClientApplicationDTO;
import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationRequestDTO; import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationRequestDTO;
import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationRequestDTO_OAuth2AccessToken; import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationRequestDTO_OAuth2AccessToken;
import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationRequestDTO_TokenValidationContextParam;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils; import org.wso2.carbon.utils.multitenancy.MultitenantUtils;
import org.wso2.carbon.identity.authenticator.backend.oauth.OauthAuthenticatorConstants;
import org.wso2.carbon.identity.authenticator.backend.oauth.validator.OAuth2TokenValidator;
import org.wso2.carbon.identity.authenticator.backend.oauth.validator.OAuthValidationRespond;
import java.rmi.RemoteException; import java.rmi.RemoteException;
import java.util.ArrayList; import java.util.ArrayList;
@ -37,8 +36,7 @@ import java.util.List;
/** /**
* Handles the Authentication form external IDP servers. * Handles the Authentication form external IDP servers.
* Currently only supports WSO2 IS. * Currently only supports WSO@ IS
* External IDP support is planned for future.
*/ */
public class ExternalOAuthValidator implements OAuth2TokenValidator{ public class ExternalOAuthValidator implements OAuth2TokenValidator{
protected String hostURL ; protected String hostURL ;
@ -54,20 +52,11 @@ public class ExternalOAuthValidator implements OAuth2TokenValidator{
* @return OAuthValidationRespond with the validated results. * @return OAuthValidationRespond with the validated results.
*/ */
public OAuthValidationRespond validateToken(String token) throws RemoteException { public OAuthValidationRespond validateToken(String token) throws RemoteException {
// create an OAuth token validating request DTO
OAuth2TokenValidationRequestDTO validationRequest = new OAuth2TokenValidationRequestDTO(); OAuth2TokenValidationRequestDTO validationRequest = new OAuth2TokenValidationRequestDTO();
// create access token object to validate and populate it
OAuth2TokenValidationRequestDTO_OAuth2AccessToken accessToken = OAuth2TokenValidationRequestDTO_OAuth2AccessToken accessToken =
new OAuth2TokenValidationRequestDTO_OAuth2AccessToken(); new OAuth2TokenValidationRequestDTO_OAuth2AccessToken();
accessToken.setTokenType(OauthAuthenticatorConstants.BEARER_TOKEN_TYPE); accessToken.setTokenType(OauthAuthenticatorConstants.BEARER_TOKEN_TYPE);
accessToken.setIdentifier(token); accessToken.setIdentifier(token);
OAuth2TokenValidationRequestDTO_TokenValidationContextParam tokenValidationContextParam[] =
new OAuth2TokenValidationRequestDTO_TokenValidationContextParam[1];
validationRequest.setContext(tokenValidationContextParam);
//set the token to the validation request
validationRequest.setAccessToken(accessToken); validationRequest.setAccessToken(accessToken);
OAuth2TokenValidationServiceStub validationService = OAuth2TokenValidationServiceStub validationService =
new OAuth2TokenValidationServiceStub(hostURL); new OAuth2TokenValidationServiceStub(hostURL);
@ -85,14 +74,12 @@ public class ExternalOAuthValidator implements OAuth2TokenValidator{
boolean isValid = respond.getAccessTokenValidationResponse().getValid(); boolean isValid = respond.getAccessTokenValidationResponse().getValid();
String userName = null; String userName = null;
String tenantDomain = null; String tenantDomain = null;
if(isValid){ if(isValid){
userName = MultitenantUtils.getTenantAwareUsername( userName = MultitenantUtils.getTenantAwareUsername(
respond.getAccessTokenValidationResponse().getAuthorizedUser()); respond.getAccessTokenValidationResponse().getAuthorizedUser());
tenantDomain = tenantDomain =
MultitenantUtils.getTenantDomain(respond.getAccessTokenValidationResponse().getAuthorizedUser()); MultitenantUtils.getTenantDomain(respond.getAccessTokenValidationResponse().getAuthorizedUser());
} }
return new OAuthValidationRespond(userName,tenantDomain,isValid); return new OAuthValidationRespond(userName,tenantDomain,isValid);
} }
} }

@ -1,4 +1,3 @@
/* /*
* Copyright (c) 2015 WSO2 Inc. (http://www.wso2.org) All Rights Reserved. * Copyright (c) 2015 WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
* *
@ -38,19 +37,11 @@ public class LocalOAuthValidator implements OAuth2TokenValidator {
* @return OAuthValidationRespond with the validated results. * @return OAuthValidationRespond with the validated results.
*/ */
public OAuthValidationRespond validateToken(String token) { public OAuthValidationRespond validateToken(String token) {
// create an OAuth token validating request DTO
OAuth2TokenValidationRequestDTO validationRequest = new OAuth2TokenValidationRequestDTO(); OAuth2TokenValidationRequestDTO validationRequest = new OAuth2TokenValidationRequestDTO();
// create access token object to validate and populate it
OAuth2TokenValidationRequestDTO.OAuth2AccessToken accessToken = OAuth2TokenValidationRequestDTO.OAuth2AccessToken accessToken =
validationRequest.new OAuth2AccessToken(); validationRequest.new OAuth2AccessToken();
accessToken.setTokenType(OauthAuthenticatorConstants.BEARER_TOKEN_TYPE); accessToken.setTokenType(OauthAuthenticatorConstants.BEARER_TOKEN_TYPE);
accessToken.setIdentifier(token); accessToken.setIdentifier(token);
//the workaround till the version is upgraded in both is and EMM to be the same.
OAuth2TokenValidationRequestDTO.TokenValidationContextParam tokenValidationContextParam[] =
new OAuth2TokenValidationRequestDTO.TokenValidationContextParam[1];
//==
validationRequest.setContext(tokenValidationContextParam);
//set the token to the validation request
validationRequest.setAccessToken(accessToken); validationRequest.setAccessToken(accessToken);
OAuth2TokenValidationService validationService = new OAuth2TokenValidationService(); OAuth2TokenValidationService validationService = new OAuth2TokenValidationService();
OAuth2ClientApplicationDTO respond = validationService. OAuth2ClientApplicationDTO respond = validationService.

Loading…
Cancel
Save