OpenAMOAuth2ProviderSettings.java revision 252ba3279625d5b00898aeb7fb73eaf160d811db
/*
* The contents of this file are subject to the terms of the Common Development and
* Distribution License (the License). You may not use this file except in compliance with the
* License.
*
* You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
* specific language governing permission and limitations under the License.
*
* When distributing Covered Software, include this CDDL Header Notice in each file and include
* the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
* Header, with the fields enclosed by brackets [] replaced by your own identifying
* information: "Portions copyright [year] [name of copyright owner]".
*
* Copyright 2014-2015 ForgeRock AS.
* Portions Copyrighted 2015 Nomura Research Institute, Ltd.
*/
/**
* Models all of the possible settings the OpenAM OAuth2 provider can have and that can be configured.
*
* @since 12.0.0
*/
public class OpenAMOAuth2ProviderSettings extends OpenAMSettingsImpl implements OAuth2ProviderSettings {
private final String deploymentUrl;
private final ResourceSetStore resourceSetStore;
private final CookieExtractor cookieExtractor;
private ScopeValidator scopeValidator;
private volatile Template loginUrlTemplate;
/**
* Constructs a new OpenAMOAuth2ProviderSettings.
*
* @param realm The realm.
* @param baseDeploymentUri The base deployment url.
* @param resourceSetStore An instance of the ResourceSetStore for the current realm.
* @param cookieExtractor An instance of the CookieExtractor.
*/
public OpenAMOAuth2ProviderSettings(String realm, String baseDeploymentUri, ResourceSetStore resourceSetStore,
this.deploymentUrl = baseDeploymentUri;
this.resourceSetStore = resourceSetStore;
this.cookieExtractor = cookieExtractor;
}
private void addServiceListener() {
try {
"changes will not be dynamically updated for realm " + realm);
}
} catch (Exception e) {
}
}
/**
* {@inheritDoc}
*/
public Set<String> getSetting(String realm, String attributeName) throws SSOException, SMSException {
synchronized (attributeCache) {
}
return value;
}
}
/**
* {@inheritDoc}
*/
public Map<String, ResponseTypeHandler> getAllowedResponseTypes() throws UnsupportedResponseTypeException,
try {
return Collections.emptyMap();
}
continue;
}
}
return responseTypes;
} catch (SMSException e) {
throw new ServerException(e);
} catch (SSOException e) {
throw new ServerException(e);
}
}
throws UnsupportedResponseTypeException {
logger.warning("Requested a response type that is not configured. response_type=" + responseTypeName);
throw new UnsupportedResponseTypeException("Response type is not supported");
return new NoneResponseTypeHandler();
}
try {
.asSubclass(ResponseType.class));
}
} catch (ClassNotFoundException e) {
throw new UnsupportedResponseTypeException("Response type is not supported");
}
}
/**
* {@inheritDoc}
*/
try {
if (consentAttribute != null) {
if (attributeSet != null) {
if (logger.messageEnabled()) {
}
//check the values of the attribute set vs the scope and client requested
//attribute set is in the form of client_id|scope1 scope2 scope3
}
} else {
}
//if both the client and the scopes are identical to the saved consent then approve
return true;
}
}
} else {
if (logger.messageEnabled()) {
}
}
}
} else {
}
} catch (Exception e) {
}
return false;
}
if (scopeValidator == null) {
try {
final String scopeValidatorClassName =
if (isEmpty(scopeValidatorClassName)) {
throw new ServerException("Scope Validator class not set.");
}
return new LegacyScopeValidator(scopeClass);
}
} catch (SSOException e) {
throw new ServerException(e);
} catch (SMSException e) {
throw new ServerException(e);
} catch (ClassNotFoundException e) {
throw new ServerException(e);
}
}
return scopeValidator;
}
/**
* Wraps a legacy {@link Scope} as a {@link ScopeValidator}.
*
* @since 12.0.0
*/
private final class LegacyScopeValidator implements ScopeValidator {
private Scope scopeValidator;
this.scopeValidator = scopeValidator;
}
/**
* {@inheritDoc}
*/
public Set<String> validateAuthorizationScope(ClientRegistration clientRegistration, Set<String> scope,
return scopeValidator.scopeToPresentOnAuthorizationPage(scope, clientRegistration.getAllowedScopes(),
}
/**
* {@inheritDoc}
*/
public Set<String> validateAccessTokenScope(ClientRegistration clientRegistration, Set<String> scope,
}
/**
* {@inheritDoc}
*/
public Set<String> validateRefreshTokenScope(ClientRegistration clientRegistration, Set<String> requestedScope,
return scopeValidator.scopeRequestedForRefreshToken(requestedScope, clientRegistration.getAllowedScopes(),
}
/**
* {@inheritDoc}
*/
throws UnauthorizedClientException {
}
/**
* {@inheritDoc}
*/
}
/**
* {@inheritDoc}
*/
try {
} catch (ServerException e) {
}
}
return scopeValidator.extraDataToReturnForAuthorizeEndpoint(new HashMap<String, String>(), legacyTokens);
}
/**
* {@inheritDoc}
*/
data.put(OAuth2Constants.Custom.SSO_TOKEN_ID, getSsoToken(ServletUtils.getRequest(request.<Request>getRequest())));
if (tokenEntries != null) {
}
}
}
}
}
}
return null;
}
}
/**
* {@inheritDoc}
*/
public Set<String> validateAuthorizationScope(ClientRegistration clientRegistration, Set<String> scope,
}
/**
* {@inheritDoc}
*/
public Set<String> validateAccessTokenScope(ClientRegistration clientRegistration, Set<String> scope,
}
/**
* {@inheritDoc}
*/
public Set<String> validateRefreshTokenScope(ClientRegistration clientRegistration, Set<String> requestedScope,
return getScopeValidator().validateRefreshTokenScope(clientRegistration, requestedScope, tokenScope, request);
}
/**
* {@inheritDoc}
*/
public Map<String, Object> getUserInfo(AccessToken token, OAuth2Request request) throws ServerException,
}
/**
* {@inheritDoc}
*/
}
/**
* {@inheritDoc}
*/
}
/**
* {@inheritDoc}
*/
}
/**
* {@inheritDoc}
*/
try {
if (consentAttribute != null) {
//get the current set of consents and add our new consent to it if they exist.
} else {
}
if (logger.messageEnabled()) {
}
//update the user profile with our new consent settings
} else {
}
} catch (Exception e) {
}
}
/**
* {@inheritDoc}
*/
public boolean issueRefreshTokens() throws ServerException {
try {
} catch (SMSException e) {
throw new ServerException(e);
} catch (SSOException e) {
throw new ServerException(e);
}
}
/**
* {@inheritDoc}
*/
public boolean issueRefreshTokensOnRefreshingToken() throws ServerException {
try {
} catch (SMSException e) {
throw new ServerException(e);
} catch (SSOException e) {
throw new ServerException(e);
}
}
/**
* {@inheritDoc}
*/
public long getAuthorizationCodeLifetime() throws ServerException {
try {
} catch (SMSException e) {
throw new ServerException(e);
} catch (SSOException e) {
throw new ServerException(e);
}
}
/**
* {@inheritDoc}
*/
public long getAccessTokenLifetime() throws ServerException {
try {
} catch (SMSException e) {
throw new ServerException(e);
} catch (SSOException e) {
throw new ServerException(e);
}
}
/**
* {@inheritDoc}
*/
public long getOpenIdTokenLifetime() throws ServerException {
try {
} catch (SMSException e) {
throw new ServerException(e);
} catch (SSOException e) {
throw new ServerException(e);
}
}
/**
* {@inheritDoc}
*/
public long getRefreshTokenLifetime() throws ServerException {
try {
} catch (SMSException e) {
throw new ServerException(e);
} catch (SSOException e) {
throw new ServerException(e);
}
}
/**
* {@inheritDoc}
*/
try {
return getServerKeyPair(realm);
} catch (SMSException e) {
throw new ServerException(e);
} catch (SSOException e) {
throw new ServerException(e);
}
}
/**
* {@inheritDoc}
*/
try {
} catch (SMSException e) {
throw new ServerException(e);
} catch (SSOException e) {
throw new ServerException(e);
}
}
/**
* {@inheritDoc}
*/
try {
} catch (SMSException e) {
throw new ServerException(e);
} catch (SSOException e) {
throw new ServerException(e);
}
}
/**
* {@inheritDoc}
*/
try {
} catch (SMSException e) {
throw new ServerException(e);
} catch (SSOException e) {
throw new ServerException(e);
}
}
/**
* {@inheritDoc}
*/
try {
} catch (SMSException e) {
throw new ServerException(e);
} catch (SSOException e) {
throw new ServerException(e);
}
}
/**
* {@inheritDoc}
*/
try {
} catch (SMSException e) {
throw new ServerException(e);
} catch (SSOException e) {
throw new ServerException(e);
}
}
/**
* {@inheritDoc}
*/
public String getOpenIDConnectVersion() {
return "3.0";
}
/**
* {@inheritDoc}
*/
return getOAuth2BaseUrl();
}
private String getOAuth2BaseUrl() {
return getBaseUrl("/oauth2");
}
}
return uri;
}
/**
* {@inheritDoc}
*/
public String getAuthorizationEndpoint() {
return getOAuth2BaseUrl()+ "/authorize";
}
/**
* {@inheritDoc}
*/
public String getTokenEndpoint() {
}
/**
* {@inheritDoc}
*/
public String getIntrospectionEndpoint() {
return getOAuth2BaseUrl() + "/introspect";
}
/**
* {@inheritDoc}
*/
}
/**
* {@inheritDoc}
*/
public String getResourceSetRegistrationEndpoint() {
return getOAuth2BaseUrl() + "/resource_set";
}
public boolean getClaimsParameterSupported() throws ServerException {
try {
} catch (SSOException e) {
throw new ServerException(e);
} catch (SMSException e) {
}
return false;
}
public String validateRequestedClaims(String requestedClaims) throws InvalidRequestException, ServerException {
if (!getClaimsParameterSupported()) {
return null;
}
return null;
}
try {
}
}
}
}
} catch (JSONException e) {
throw new InvalidRequestException("Requested claims must be valid json.");
}
throw new InvalidRequestException("Requested claims must be allowed by the client's configuration");
}
return requestedClaims;
}
}
return supported;
}
try {
} catch (SSOException e) {
throw new ServerException(e);
} catch (SMSException e) {
throw new ServerException(e);
}
}
public boolean isCodeVerifierRequired() throws ServerException {
try {
} catch (SSOException | SMSException e) {
throw new ServerException(e);
}
}
public boolean isAlwaysAddClaimsToToken() throws ServerException {
try {
} catch (SSOException | SMSException e) {
throw new ServerException(e);
}
}
try {
} catch (SSOException | SMSException e) {
throw new ServerException(e);
}
}
/**
* {@inheritDoc}
*/
public ResourceSetStore getResourceSetStore() {
return resourceSetStore;
}
/**
* {@inheritDoc}
*/
public String getUserInfoEndpoint() {
return getOAuth2BaseUrl() + "/userinfo";
}
/**
* {@inheritDoc}
*/
public String getCheckSessionEndpoint() {
return getOAuth2BaseUrl() + "/connect/checkSession";
}
/**
* {@inheritDoc}
*/
public String getEndSessionEndpoint() {
return getOAuth2BaseUrl() + "/connect/endSession";
}
/**
* {@inheritDoc}
*/
try {
return userDefinedJWKUri;
}
return getOAuth2BaseUrl() + "/connect/jwk_uri";
} catch (SMSException e) {
throw new ServerException(e);
} catch (SSOException e) {
throw new ServerException(e);
}
}
synchronized (jwks) {
}
}
}
private Map<String, Object> createRSAJWK(RSAPublicKey key, KeyUse use, String alg) throws ServerException {
try {
} catch (SSOException | SMSException e) {
throw new ServerException(e);
}
throw new ServerException("Alias of ID Token Signing Key not set.");
}
}
try {
} catch (SSOException e) {
throw new ServerException(e);
} catch (SMSException e) {
throw new ServerException(e);
}
}
try {
} catch (SSOException e) {
throw new ServerException(e);
} catch (SMSException e) {
throw new ServerException(e);
}
}
/**
* {@inheritDoc}
*/
public String getClientRegistrationEndpoint() {
return getOAuth2BaseUrl() + "/connect/register";
}
/**
* {@inheritDoc}
*/
try {
} catch (SMSException e) {
throw new ServerException(e);
} catch (SSOException e) {
throw new ServerException(e);
}
}
public boolean isOpenDynamicClientRegistrationAllowed() throws ServerException {
try {
} catch (SSOException e) {
throw new ServerException(e);
} catch (SMSException e) {
throw new ServerException(e);
}
}
public boolean isRegistrationAccessTokenGenerationEnabled() throws ServerException {
try {
} catch (SSOException e) {
throw new ServerException(e);
} catch (SMSException e) {
throw new ServerException(e);
}
}
try {
final Map<String, AuthenticationMethod> methods = new HashMap<String, AuthenticationMethod>(map.size());
}
return methods;
} catch (SSOException e) {
throw new ServerException(e);
} catch (SMSException e) {
throw new ServerException(e);
}
}
try {
} catch (SSOException e) {
throw new ServerException(e);
} catch (SMSException e) {
throw new ServerException(e);
}
}
try {
} catch (SSOException e) {
throw new ServerException(e);
} catch (SMSException e) {
throw new ServerException(e);
}
}
public boolean exists() {
try {
} catch (Exception e) {
return false;
}
}
try {
String loginUrlTemplateString = getStringSetting(realm, OAuth2ProviderService.RESOURCE_OWNER_CUSTOM_LOGIN_URL_TEMPLATE);
if (loginUrlTemplateString != null) {
new Configuration());
}
return loginUrlTemplate;
throw new ServerException(e);
}
}
/**
* ServiceListener implementation to clear cache when it changes.
*/
private final class OAuth2ProviderSettingsChangeListener implements ServiceListener {
+ ". This is unexpected.");
}
public void globalConfigChanged(String serviceName, String version, String groupName, String serviceComponent,
int type) {
logger.warning("The globalConfigChanged ServiceListener method was invoked for service " + serviceName);
//if the global config changes, all organizationalConfig change listeners are invoked as well.
}
public void organizationConfigChanged(String serviceName, String version, String orgName, String groupName,
if (logger.messageEnabled()) {
}
synchronized (attributeCache) {
}
} else {
if (logger.messageEnabled()) {
}
}
}
/*
The listener receives updates for all changes for each service instance in a given realm. I want to be sure
that I only pull updates as necessary if the update pertains to this particular realm.
*/
private boolean currentRealmTargetedByOrganizationUpdate(String serviceName, String version, String orgName,
int type) {
}
}
}