diff --git a/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/pom.xml b/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/pom.xml index e40c8515c6f..efd91358999 100644 --- a/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/pom.xml +++ b/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/pom.xml @@ -34,6 +34,10 @@ http://wso2.org + + org.wso2.carbon.devicemgt + org.wso2.carbon.identity.authenticator.backend.oauth + commons-codec.wso2 commons-codec @@ -87,13 +91,18 @@ org.wso2.carbon.device.mgt.oauth.extensions.* + org.wso2.carbon.identity.authenticator.backend.oauth.*, org.wso2.carbon.identity.oauth2.grant.jwt;version="${carbon.identity.jwt.grant.version.range}", + org.apache.commons.lang, org.apache.commons.logging, org.osgi.service.component, org.wso2.carbon.identity.application.common.model;version="${carbon.identity.framework.version.range}", + org.wso2.carbon.identity.application.common;version="${carbon.identity.framework.version.range}", + org.wso2.carbon.identity.application.mgt.*;version="${carbon.identity.framework.version.range}", org.wso2.carbon.user.api, org.wso2.carbon.user.core.service, org.wso2.carbon.user.core.tenant, + org.wso2.carbon.user.core.util, org.json.simple, javax.cache, org.wso2.carbon.identity.core.util;version="${carbon.identity.framework.version.range}", @@ -105,7 +114,8 @@ org.wso2.carbon.identity.application.authentication.framework.model;version="${carbon.identity.framework.version.range}", org.wso2.carbon.identity.base;version="${carbon.identity.framework.version.range}", org.wso2.carbon.identity.oauth2.*;version="${carbon.identity.framework.version.range}", - org.wso2.carbon.utils.multitenancy + org.wso2.carbon.utils.multitenancy, + org.apache.oltu.oauth2.common.validators diff --git a/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/handlers/grant/AccessTokenGrantHandler.java b/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/handlers/grant/AccessTokenGrantHandler.java new file mode 100644 index 00000000000..40d87a17eca --- /dev/null +++ b/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/handlers/grant/AccessTokenGrantHandler.java @@ -0,0 +1,140 @@ +/* + * Copyright (c) 2017, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. + * + * WSO2 Inc. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.wso2.carbon.device.mgt.oauth.extensions.handlers.grant; + +import org.apache.commons.lang.StringUtils; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.wso2.carbon.apimgt.keymgt.ScopesIssuer; +import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser; +import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException; +import org.wso2.carbon.identity.application.common.model.ServiceProvider; +import org.wso2.carbon.identity.authenticator.backend.oauth.validator.OAuth2TokenValidator; +import org.wso2.carbon.identity.authenticator.backend.oauth.validator.OAuthValidationResponse; +import org.wso2.carbon.identity.authenticator.backend.oauth.validator.OAuthValidatorFactory; +import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception; +import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenReqDTO; +import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder; +import org.wso2.carbon.identity.oauth2.model.RequestParameter; +import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext; +import org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler; +import org.wso2.carbon.identity.oauth2.util.OAuth2Util; +import org.wso2.carbon.user.core.util.UserCoreUtil; +import org.wso2.carbon.utils.multitenancy.MultitenantUtils; +import java.rmi.RemoteException; + +/** + * This allows user to generate a new access token using an existing access token. + */ +@SuppressWarnings("unused") +public class AccessTokenGrantHandler extends AbstractAuthorizationGrantHandler { + private static Log log = LogFactory.getLog(AccessTokenGrantHandler.class); + private static final String TENANT_DOMAIN_KEY = "tenantDomain"; + + private OAuth2TokenValidator tokenValidator; + public static final String TOKEN_GRANT_PARAM = "admin_access_token"; + + public AccessTokenGrantHandler() { + try { + tokenValidator = OAuthValidatorFactory.getValidator(); + } catch (IllegalArgumentException e) { + log.error("Failed to initialise Authenticator", e); + } + } + + @Override + public boolean validateScope(OAuthTokenReqMessageContext tokReqMsgCtx) { + return ScopesIssuer.getInstance().setScopes(tokReqMsgCtx); + } + + @Override + public boolean validateGrant(OAuthTokenReqMessageContext tokReqMsgCtx) throws IdentityOAuth2Exception { + if (!super.validateGrant(tokReqMsgCtx)) { + return false; + } else { + OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO = tokReqMsgCtx.getOauth2AccessTokenReqDTO(); + String username = null; + String userTenantDomain = null; + String clientId = oAuth2AccessTokenReqDTO.getClientId(); + String spTenantDomain = null; + OAuthValidationResponse response; + ServiceProvider serviceProvider; + boolean authStatus = false; + + String accessToken = null; + RequestParameter[] parameters = tokReqMsgCtx.getOauth2AccessTokenReqDTO().getRequestParameters(); + + for (RequestParameter parameter : parameters) { + if (TOKEN_GRANT_PARAM.equals(parameter.getKey())) { + if (parameter.getValue() != null && parameter.getValue().length > 0) { + accessToken = parameter.getValue()[0]; + } + } + } + + if (accessToken != null && !accessToken.isEmpty()) { + try { + response = tokenValidator.validateToken(accessToken); + } catch (RemoteException e) { + log.error("Failed to validate the OAuth token provided.", e); + return false; + } + if (response != null && response.isValid()) { + authStatus = true; + username = response.getUserName(); + userTenantDomain = MultitenantUtils.getTenantDomain(username); + spTenantDomain = response.getTenantDomain(); + } + } + + try { + serviceProvider = OAuth2ServiceComponentHolder.getApplicationMgtService() + .getServiceProviderByClientId(clientId, "oauth2", spTenantDomain); + } catch (IdentityApplicationManagementException var15) { + throw new IdentityOAuth2Exception("Error occurred while retrieving OAuth2 application data for client id " + + clientId, var15); + } + + if (!serviceProvider.isSaasApp() && !userTenantDomain.equals(spTenantDomain)) { + if (log.isDebugEnabled()) { + log.debug("Non-SaaS service provider tenant domain is not same as user tenant domain; " + + spTenantDomain + " != " + userTenantDomain); + } + + return false; + } else { + String tenantAwareUserName = MultitenantUtils.getTenantAwareUsername(username); + username = tenantAwareUserName + "@" + userTenantDomain; + if (authStatus) { + if (!username.contains("/") && StringUtils.isNotBlank(UserCoreUtil.getDomainFromThreadLocal())) { + username = UserCoreUtil.getDomainFromThreadLocal() + "/" + username; + } + + AuthenticatedUser user = OAuth2Util.getUserFromUserName(username); + user.setAuthenticatedSubjectIdentifier(user.toString()); + tokReqMsgCtx.setAuthorizedUser(user); + tokReqMsgCtx.setScope(oAuth2AccessTokenReqDTO.getScope()); + return authStatus; + } else { + throw new IdentityOAuth2Exception("Authentication failed for " + username); + } + } + } + } +} diff --git a/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/validators/AccessTokenGrantValidator.java b/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/validators/AccessTokenGrantValidator.java new file mode 100644 index 00000000000..c3f323df4d9 --- /dev/null +++ b/components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/validators/AccessTokenGrantValidator.java @@ -0,0 +1,33 @@ +/* + * Copyright (c) 2017, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. + * + * WSO2 Inc. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.wso2.carbon.device.mgt.oauth.extensions.validators; + +import org.apache.oltu.oauth2.common.validators.AbstractValidator; +import org.wso2.carbon.device.mgt.oauth.extensions.handlers.grant.AccessTokenGrantHandler; + +import javax.servlet.http.HttpServletRequest; + +@SuppressWarnings("unused") +public class AccessTokenGrantValidator extends AbstractValidator { + + public AccessTokenGrantValidator() { + requiredParams.add(AccessTokenGrantHandler.TOKEN_GRANT_PARAM); + } + +} diff --git a/components/identity-extensions/pom.xml b/components/identity-extensions/pom.xml index eb21ecb2ea6..ce9eee400b7 100644 --- a/components/identity-extensions/pom.xml +++ b/components/identity-extensions/pom.xml @@ -34,10 +34,10 @@ http://wso2.org + org.wso2.carbon.identity.authenticator.backend.oauth org.wso2.carbon.device.mgt.oauth.extensions org.wso2.carbon.identity.jwt.client.extension dynamic-client-registration - org.wso2.carbon.identity.authenticator.backend.oauth