Add new oauth grant type

4.x.x
Janak Amarasena 8 years ago
parent e3dfbdfdbd
commit a9a246c2c4

@ -34,6 +34,10 @@
<url>http://wso2.org</url>
<dependencies>
<dependency>
<groupId>org.wso2.carbon.devicemgt</groupId>
<artifactId>org.wso2.carbon.identity.authenticator.backend.oauth</artifactId>
</dependency>
<dependency>
<groupId>commons-codec.wso2</groupId>
<artifactId>commons-codec</artifactId>
@ -87,13 +91,17 @@
org.wso2.carbon.device.mgt.oauth.extensions.*
</Export-Package>
<Import-Package>
org.wso2.carbon.identity.authenticator.backend.oauth.*,
org.wso2.carbon.identity.oauth2.grant.jwt;version="${carbon.identity.jwt.grant.version.range}",
org.apache.commons.lang.StringUtils,
org.apache.commons.logging,
org.osgi.service.component,
org.wso2.carbon.identity.application.common.model;version="${carbon.identity.framework.version.range}",
org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;version="${carbon.identity.framework.version.range}",
org.wso2.carbon.user.api,
org.wso2.carbon.user.core.service,
org.wso2.carbon.user.core.tenant,
org.wso2.carbon.user.core.util,
org.json.simple,
javax.cache,
org.wso2.carbon.identity.core.util;version="${carbon.identity.framework.version.range}",

@ -0,0 +1,134 @@
/*
* Copyright (c) 2017, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
*
* WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.wso2.carbon.device.mgt.oauth.extensions.handlers.grant;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
import org.wso2.carbon.identity.application.common.model.ServiceProvider;
import org.wso2.carbon.identity.authenticator.backend.oauth.validator.OAuth2TokenValidator;
import org.wso2.carbon.identity.authenticator.backend.oauth.validator.OAuthValidationResponse;
import org.wso2.carbon.identity.authenticator.backend.oauth.validator.OAuthValidatorFactory;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenReqDTO;
import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
import org.wso2.carbon.identity.oauth2.model.RequestParameter;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.user.core.util.UserCoreUtil;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;
import java.rmi.RemoteException;
/**
* This allows user to generate a new access token using an existing access token.
*/
@SuppressWarnings("unused")
public class AccessTokenGrantHandler extends AbstractAuthorizationGrantHandler {
private static Log log = LogFactory.getLog(AccessTokenGrantHandler.class);
private static final String TENANT_DOMAIN_KEY = "tenantDomain";
private OAuth2TokenValidator tokenValidator;
public static final String TOKEN_GRANT_PARAM = "admin_access_token";
public AccessTokenGrantHandler() {
try {
tokenValidator = OAuthValidatorFactory.getValidator();
} catch (IllegalArgumentException e) {
log.error("Failed to initialise Authenticator", e);
}
}
@Override
public boolean validateGrant(OAuthTokenReqMessageContext tokReqMsgCtx) throws IdentityOAuth2Exception {
if (!super.validateGrant(tokReqMsgCtx)) {
return false;
} else {
OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO = tokReqMsgCtx.getOauth2AccessTokenReqDTO();
String username = null;
String userTenantDomain = null;
String clientId = oAuth2AccessTokenReqDTO.getClientId();
String spTenantDomain = null;
OAuthValidationResponse response;
ServiceProvider serviceProvider;
boolean authStatus = false;
String accessToken = null;
RequestParameter[] parameters = tokReqMsgCtx.getOauth2AccessTokenReqDTO().getRequestParameters();
for (RequestParameter parameter : parameters) {
if (TOKEN_GRANT_PARAM.equals(parameter.getKey())) {
if (parameter.getValue() != null && parameter.getValue().length > 0) {
accessToken = parameter.getValue()[0];
}
}
}
if (accessToken != null && !accessToken.isEmpty()) {
try {
response = tokenValidator.validateToken(accessToken);
} catch (RemoteException e) {
log.error("Failed to validate the OAuth token provided.", e);
return false;
}
if (response != null && response.isValid()) {
authStatus = true;
username = response.getUserName();
userTenantDomain = MultitenantUtils.getTenantDomain(username);
spTenantDomain = response.getTenantDomain();
}
}
try {
serviceProvider = OAuth2ServiceComponentHolder.getApplicationMgtService()
.getServiceProviderByClientId(clientId, "oauth2", spTenantDomain);
} catch (IdentityApplicationManagementException var15) {
throw new IdentityOAuth2Exception("Error occurred while retrieving OAuth2 application data for client id "
+ clientId, var15);
}
if (!serviceProvider.isSaasApp() && !userTenantDomain.equals(spTenantDomain)) {
if (log.isDebugEnabled()) {
log.debug("Non-SaaS service provider tenant domain is not same as user tenant domain; "
+ spTenantDomain + " != " + userTenantDomain);
}
return false;
} else {
String tenantAwareUserName = MultitenantUtils.getTenantAwareUsername(username);
username = tenantAwareUserName + "@" + userTenantDomain;
if (authStatus) {
if (!username.contains("/") && StringUtils.isNotBlank(UserCoreUtil.getDomainFromThreadLocal())) {
username = UserCoreUtil.getDomainFromThreadLocal() + "/" + username;
}
AuthenticatedUser user = OAuth2Util.getUserFromUserName(username);
user.setAuthenticatedSubjectIdentifier(user.toString());
tokReqMsgCtx.setAuthorizedUser(user);
tokReqMsgCtx.setScope(oAuth2AccessTokenReqDTO.getScope());
return authStatus;
} else {
throw new IdentityOAuth2Exception("Authentication failed for " + username);
}
}
}
}
}

@ -0,0 +1,33 @@
/*
* Copyright (c) 2017, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
*
* WSO2 Inc. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.wso2.carbon.device.mgt.oauth.extensions.validators;
import org.apache.oltu.oauth2.common.validators.AbstractValidator;
import org.wso2.carbon.device.mgt.oauth.extensions.handlers.grant.AccessTokenGrantHandler;
import javax.servlet.http.HttpServletRequest;
@SuppressWarnings("unused")
public class AccessTokenGrantValidator extends AbstractValidator<HttpServletRequest> {
public AccessTokenGrantValidator() {
requiredParams.add(AccessTokenGrantHandler.TOKEN_GRANT_PARAM);
}
}

@ -34,10 +34,10 @@
<url>http://wso2.org</url>
<modules>
<module>org.wso2.carbon.identity.authenticator.backend.oauth</module>
<module>org.wso2.carbon.device.mgt.oauth.extensions</module>
<module>org.wso2.carbon.identity.jwt.client.extension</module>
<module>dynamic-client-registration</module>
<module>org.wso2.carbon.identity.authenticator.backend.oauth</module>
</modules>
</project>

Loading…
Cancel
Save