From 1ac460a4fe0ca362ecb825826f38e56357dfb547 Mon Sep 17 00:00:00 2001
From: Vigneshan
Date: Wed, 23 Nov 2022 15:14:24 +0000
Subject: [PATCH 1/2] Fix signature validation issue for jwt token requests
---
 .../apimgt/keymgt/extension/service/KeyMgtServiceImpl.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.keymgt.extension/src/main/java/org/wso2/carbon/apimgt/keymgt/extension/service/KeyMgtServiceImpl.java b/components/apimgt-extensions/org.wso2.carbon.apimgt.keymgt.extension/src/main/java/org/wso2/carbon/apimgt/keymgt/extension/service/KeyMgtServiceImpl.java
index 49fc818851c..4640fc9a575 100644
--- a/components/apimgt-extensions/org.wso2.carbon.apimgt.keymgt.extension/src/main/java/org/wso2/carbon/apimgt/keymgt/extension/service/KeyMgtServiceImpl.java
+++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.keymgt.extension/src/main/java/org/wso2/carbon/apimgt/keymgt/extension/service/KeyMgtServiceImpl.java
@@ -159,6 +159,8 @@ public class KeyMgtServiceImpl implements KeyMgtService {
 }
 String tenantDomain = MultitenantUtils.getTenantDomain(application.getOwner());
+ kmConfig = getKeyManagerConfig();
+ String appTokenEndpoint = kmConfig.getServerUrl() + KeyMgtConstants.OAUTH2_TOKEN_ENDPOINT;
 RequestBody appTokenPayload;
 switch (tokenRequest.getGrantType()) {
@@ -184,6 +186,7 @@ public class KeyMgtServiceImpl implements KeyMgtService {
 .add("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer")
 .add("assertion", tokenRequest.getAssertion())
 .add("scope", tokenRequest.getScope()).build();
+ appTokenEndpoint += "?tenantDomain=carbon.super";
 break;
 case "access_token":
 appTokenPayload = new FormBody.Builder()
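Review bot: The second hunk appends a hard-coded `?tenantDomain=carbon.super` to the JWT-bearer token URL while the `tenantDomain` derived from `application.getOwner()` a few lines earlier is left unused, so an application owned by a non-super tenant has its assertion validated in the super tenant's context rather than its owner's. If pinning to the super tenant is intentional (for example because the assertion is signed with a super-tenant key), state that in a one-line comment next to the append, `// JWT assertions are validated against the super tenant, so the tenant query parameter is fixed`, and use `MultitenantConstants.SUPER_TENANT_DOMAIN_NAME` instead of a string literal; otherwise build the parameter from the computed value, `appTokenEndpoint += "?tenantDomain=" + URLEncoder.encode(tenantDomain, StandardCharsets.UTF_8.name());`. Either way the commit message should say which tenant context the token request is meant to hit, since that is what "signature validation" depends on here. The enclosing method starts and ends outside these hunks.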
@@ -198,8 +201,6 @@ public class KeyMgtServiceImpl implements KeyMgtService {
 break;
 }
- kmConfig = getKeyManagerConfig();
- String appTokenEndpoint = kmConfig.getServerUrl() + KeyMgtConstants.OAUTH2_TOKEN_ENDPOINT;
 Request request = new Request.Builder()
 .url(appTokenEndpoint)
 .addHeader(KeyMgtConstants.AUTHORIZATION_HEADER, Credentials.basic(tokenRequest.getClientId(), tokenRequest.getClientSecret()))
From 96b07648cae94ad2affc1b1f30ed082af9cd8b95 Mon Sep 17 00:00:00 2001
From: Vigneshan
Date: Wed, 23 Nov 2022 16:56:38 +0000
Subject: [PATCH 2/2] Update token introspection endpoint inside user handler
---
 .../java/io/entgra/ui/request/interceptor/LoginHandler.java | 2 +-
 .../ui/request/interceptor/SsoLoginCallbackHandler.java | 2 +-
 .../io/entgra/ui/request/interceptor/SsoLoginHandler.java | 2 +-
 .../java/io/entgra/ui/request/interceptor/UserHandler.java | 3 ++-
 .../entgra/ui/request/interceptor/util/HandlerConstants.java | 3 ++-
 .../io/entgra/ui/request/interceptor/util/HandlerUtil.java | 5 ++---
 6 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/components/ui-request-interceptor/io.entgra.ui.request.interceptor/src/main/java/io/entgra/ui/request/interceptor/LoginHandler.java b/components/ui-request-interceptor/io.entgra.ui.request.interceptor/src/main/java/io/entgra/ui/request/interceptor/LoginHandler.java
index f41f94a7647..4120069a56a 100644
--- a/components/ui-request-interceptor/io.entgra.ui.request.interceptor/src/main/java/io/entgra/ui/request/interceptor/LoginHandler.java
+++ b/components/ui-request-interceptor/io.entgra.ui.request.interceptor/src/main/java/io/entgra/ui/request/interceptor/LoginHandler.java
@@ -229,7 +229,7 @@ public class LoginHandler extends HttpServlet {
 * @throws IOException IO exception throws if an error occurred when invoking token endpoint
 */
 private ProxyResponse getTokenResult(String encodedClientApp, JsonArray scopes) throws IOException {
- HttpPost tokenEndpoint = new HttpPost(kmManagerUrl+ HandlerConstants.TOKEN_ENDPOINT);
+ HttpPost tokenEndpoint = new HttpPost(gatewayUrl + HandlerConstants.INTERNAL_TOKEN_ENDPOINT);
 tokenEndpoint.setHeader(HttpHeaders.AUTHORIZATION, HandlerConstants.BASIC + encodedClientApp);
 tokenEndpoint.setHeader(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_FORM_URLENCODED.toString());
 String scopeString = HandlerUtil.getScopeString(scopes);
diff --git a/components/ui-request-interceptor/io.entgra.ui.request.interceptor/src/main/java/io/entgra/ui/request/interceptor/SsoLoginCallbackHandler.java b/components/ui-request-interceptor/io.entgra.ui.request.interceptor/src/main/java/io/entgra/ui/request/interceptor/SsoLoginCallbackHandler.java
index 6fc5afa8efd..30efb713d59 100644
--- a/components/ui-request-interceptor/io.entgra.ui.request.interceptor/src/main/java/io/entgra/ui/request/interceptor/SsoLoginCallbackHandler.java
+++ b/components/ui-request-interceptor/io.entgra.ui.request.interceptor/src/main/java/io/entgra/ui/request/interceptor/SsoLoginCallbackHandler.java
@@ -68,7 +68,7 @@ public class SsoLoginCallbackHandler extends HttpServlet {
 String scope = session.getAttribute("scope").toString();
- HttpPost tokenEndpoint = new HttpPost(keyManagerUrl + HandlerConstants.TOKEN_ENDPOINT);
+ HttpPost tokenEndpoint = new HttpPost(keyManagerUrl + HandlerConstants.OAUTH2_TOKEN_ENDPOINT);
 tokenEndpoint.setHeader(HttpHeaders.AUTHORIZATION, HandlerConstants.BASIC + session.getAttribute("encodedClientApp"));
 tokenEndpoint.setHeader(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_FORM_URLENCODED.toString());
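Review bot: `getTokenResult` in LoginHandler now posts the Basic client credentials to `gatewayUrl + HandlerConstants.INTERNAL_TOKEN_ENDPOINT`, while the same-named methods in SsoLoginHandler and SsoLoginCallbackHandler in this patch keep calling `keyManagerUrl + HandlerConstants.OAUTH2_TOKEN_ENDPOINT`, and neither the hunk nor the commit message explains why only the login handler is rerouted. `gatewayUrl` is initialised outside the hunk, so confirm it carries the TLS gateway address, since the encoded app secret travels in the Authorization header on every call to it. A why-comment on the changed line, such as `// login token requests go through the gateway's /token endpoint rather than the key manager's /oauth2/token`, would make the split reviewable. The method's body continues past the hunk.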
diff --git a/components/ui-request-interceptor/io.entgra.ui.request.interceptor/src/main/java/io/entgra/ui/request/interceptor/SsoLoginHandler.java b/components/ui-request-interceptor/io.entgra.ui.request.interceptor/src/main/java/io/entgra/ui/request/interceptor/SsoLoginHandler.java
index f6180c0a379..01116717245 100644
--- a/components/ui-request-interceptor/io.entgra.ui.request.interceptor/src/main/java/io/entgra/ui/request/interceptor/SsoLoginHandler.java
+++ b/components/ui-request-interceptor/io.entgra.ui.request.interceptor/src/main/java/io/entgra/ui/request/interceptor/SsoLoginHandler.java
@@ -325,7 +325,7 @@ public class SsoLoginHandler extends HttpServlet {
 * @throws IOException IO exception throws if an error occurred when invoking token endpoint
 */
 private ProxyResponse getTokenResult(String encodedClientApp) throws IOException {
- HttpPost tokenEndpoint = new HttpPost(keyManagerUrl + HandlerConstants.TOKEN_ENDPOINT);
+ HttpPost tokenEndpoint = new HttpPost(keyManagerUrl + HandlerConstants.OAUTH2_TOKEN_ENDPOINT);
 tokenEndpoint.setHeader(HttpHeaders.AUTHORIZATION, HandlerConstants.BASIC + encodedClientApp);
 tokenEndpoint.setHeader(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_FORM_URLENCODED.toString());
diff --git a/components/ui-request-interceptor/io.entgra.ui.request.interceptor/src/main/java/io/entgra/ui/request/interceptor/UserHandler.java b/components/ui-request-interceptor/io.entgra.ui.request.interceptor/src/main/java/io/entgra/ui/request/interceptor/UserHandler.java
index 4e1f120734c..997015ce8f6 100644
--- a/components/ui-request-interceptor/io.entgra.ui.request.interceptor/src/main/java/io/entgra/ui/request/interceptor/UserHandler.java
+++ b/components/ui-request-interceptor/io.entgra.ui.request.interceptor/src/main/java/io/entgra/ui/request/interceptor/UserHandler.java
@@ -71,6 +71,7 @@ public class UserHandler extends HttpServlet {
 }
 String accessToken = authData.getAccessToken();
+ String accessTokenWithoutPrefix = accessToken.substring(accessToken.indexOf("_") + 1);
 HttpPost tokenEndpoint = new HttpPost(keymanagerUrl + HandlerConstants.INTROSPECT_ENDPOINT);
 tokenEndpoint.setHeader(HttpHeaders.CONTENT_TYPE, ContentType.APPLICATION_FORM_URLENCODED.toString());
@@ -79,7 +80,7 @@ public class UserHandler extends HttpServlet {
 String adminPassword = dmc.getKeyManagerConfigurations().getAdminPassword();
 tokenEndpoint.setHeader(HttpHeaders.AUTHORIZATION, HandlerConstants.BASIC + Base64.getEncoder()
 .encodeToString((adminUsername + HandlerConstants.COLON + adminPassword).getBytes()));
- StringEntity tokenEPPayload = new StringEntity("token=" + accessToken,
+ StringEntity tokenEPPayload = new StringEntity("token=" + accessTokenWithoutPrefix,
 ContentType.APPLICATION_FORM_URLENCODED);
 tokenEndpoint.setEntity(tokenEPPayload);
 ProxyResponse tokenStatus = HandlerUtil.execute(tokenEndpoint);
diff --git a/components/ui-request-interceptor/io.entgra.ui.request.interceptor/src/main/java/io/entgra/ui/request/interceptor/util/HandlerConstants.java b/components/ui-request-interceptor/io.entgra.ui.request.interceptor/src/main/java/io/entgra/ui/request/interceptor/util/HandlerConstants.java
index 828547c08fd..bf9947a9af1 100644
--- a/components/ui-request-interceptor/io.entgra.ui.request.interceptor/src/main/java/io/entgra/ui/request/interceptor/util/HandlerConstants.java
+++ b/components/ui-request-interceptor/io.entgra.ui.request.interceptor/src/main/java/io/entgra/ui/request/interceptor/util/HandlerConstants.java
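Review bot: `accessToken.substring(accessToken.indexOf("_") + 1)` in the first UserHandler hunk strips everything up to the first underscore, but nothing in the hunk says what prefix the stored token is expected to carry; if the session can ever hold a JWT access token, its base64url alphabet includes `_`, so the token would be cut mid-payload and the introspection call on the next hunk would check a string other than the one the session authenticates with. When no underscore is present, `indexOf` returns -1 and the whole token passes through unchanged, which silently preserves the old behaviour rather than signalling an unexpected format. Document the expected shape on the new line, `// session tokens are stored as "<prefix>_<token>"; introspection expects the bare token`, and strip only when that known prefix is actually present instead of on any underscore. The surrounding `doGet`-style handler body starts and ends outside these hunks.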
@@ -22,7 +22,8 @@ public class HandlerConstants {
 public static final String PUBLISHER_APPLICATION_NAME = "application-mgt-publisher";
 public static final String APP_REG_ENDPOINT = "/api-application-registration/register";
 public static final String UI_CONFIG_ENDPOINT = "/api/device-mgt-config/v1.0/configurations/ui-config";
- public static final String TOKEN_ENDPOINT = "/oauth2/token";
+ public static final String OAUTH2_TOKEN_ENDPOINT = "/oauth2/token";
+ public static final String INTERNAL_TOKEN_ENDPOINT = "/token";
 public static final String INTROSPECT_ENDPOINT = "/oauth2/introspect";
 public static final String AUTHORIZATION_ENDPOINT = "/oauth2/authorize";
 public static final String APIM_APPLICATIONS_ENDPOINT = "/api/am/devportal/v2/applications/";
diff --git a/components/ui-request-interceptor/io.entgra.ui.request.interceptor/src/main/java/io/entgra/ui/request/interceptor/util/HandlerUtil.java b/components/ui-request-interceptor/io.entgra.ui.request.interceptor/src/main/java/io/entgra/ui/request/interceptor/util/HandlerUtil.java
index 6be995f1918..fb565bf59b8 100644
--- a/components/ui-request-interceptor/io.entgra.ui.request.interceptor/src/main/java/io/entgra/ui/request/interceptor/util/HandlerUtil.java
+++ b/components/ui-request-interceptor/io.entgra.ui.request.interceptor/src/main/java/io/entgra/ui/request/interceptor/util/HandlerUtil.java
@@ -55,7 +55,6 @@ import org.json.JSONException;
 import org.json.JSONObject;
 import org.w3c.dom.Document;
 import io.entgra.ui.request.interceptor.beans.ProxyResponse;
-import org.wso2.carbon.device.mgt.core.common.util.HttpUtil;
 import org.xml.sax.SAXException;
 import javax.servlet.http.HttpServletRequest;
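Review bot: `INTERNAL_TOKEN_ENDPOINT` and `OAUTH2_TOKEN_ENDPOINT` are both token paths, but elsewhere in this patch they are appended to different bases (`gatewayUrl` in LoginHandler, `keyManagerUrl` in the SSO handlers and HandlerUtil), and the names alone do not say which base each one belongs to. Add a one-line comment above each, `/** Key manager token endpoint; append to the key manager URL. */` and `/** Gateway token endpoint; append to the gateway URL. */`, so a future caller does not pair `/token` with the key manager host or `/oauth2/token` with the gateway. The rename of `TOKEN_ENDPOINT` itself is fine.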
@@ -654,7 +653,7 @@ public class HandlerUtil {
 return tokenResultResponse;
 }
 public static ProxyResponse getTokenResult(AuthData authData, String keymanagerUrl) throws IOException {
- HttpPost tokenEndpoint = new HttpPost(keymanagerUrl + HandlerConstants.TOKEN_ENDPOINT);
+ HttpPost tokenEndpoint = new HttpPost(keymanagerUrl + HandlerConstants.OAUTH2_TOKEN_ENDPOINT);
 StringEntity tokenEndpointPayload = new StringEntity(
 "grant_type=refresh_token&refresh_token=" + authData.getRefreshToken(), ContentType.APPLICATION_FORM_URLENCODED);
@@ -735,4 +734,4 @@ public class HandlerUtil {
 public static boolean isPropertyDefined(String property) {
 return StringUtils.isEmpty(System.getProperty(property));
 }
-}
\ No newline at end of file
+}