Skip to content

Commit

Permalink
Add api layer for api based authentication
Browse files Browse the repository at this point in the history
  • Loading branch information
janakamarasena committed Oct 23, 2023
1 parent a4c2702 commit 64e2f67
Show file tree
Hide file tree
Showing 22 changed files with 1,693 additions and 29 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -110,6 +110,7 @@ public final class OAuthConstants {
public static final String AUTHENTICATED_IDPS = "AuthenticatedIdPs";
public static final String SESSION_STATE = "session_state";
public static final String STATE = "state";
public static final String AUTHENTICATOR_IDP_SPLITTER = ":";

public static final String SECTOR_IDENTIFIER_URI = "sector_identifier_uri";
public static final String SUBJECT_TYPE = "subject_type";
Expand Down Expand Up @@ -731,6 +732,7 @@ public static class ResponseModes {
public static final String QUERY_JWT = "query.jwt";
public static final String FRAGMENT_JWT = "fragment.jwt";
public static final String FORM_POST_JWT = "form_post.jwt";
public static final String DIRECT = "direct"; // Used for API based authentication.
}

}
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@

import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
Expand All @@ -39,6 +40,8 @@ public class OAuthRequestWrapper extends HttpServletRequestWrapper {
private Map<String, List<String>> form;
private Enumeration<String> parameterNames;

private boolean isInternalRequest = false;

@Deprecated
public OAuthRequestWrapper(HttpServletRequest request, MultivaluedMap<String, String> form) {

Expand Down Expand Up @@ -66,7 +69,7 @@ public OAuthRequestWrapper(HttpServletRequest request, Map<String, List<String>>
public String getParameter(String name) {

String value = super.getParameter(name);
if (value == null) {
if (value == null || isInternalRequest) {
if (CollectionUtils.isNotEmpty(form.get(name))) {
value = form.get(name).get(0);
}
Expand All @@ -79,4 +82,29 @@ public Enumeration<String> getParameterNames() {

return parameterNames;
}

/**
* Set whether the request is internal or not.
* If the request is internal, the request parameters
* in the wrapper will get priority over the servlet request.
*
* @param internalRequest Whether the request is internal or not.
*/
public void setInternalRequest(boolean internalRequest) {

isInternalRequest = internalRequest;
}

@Override
public Map<String, String[]> getParameterMap() {

Map<String, String[]> parameterMap = new HashMap<>(super.getParameterMap());

// Add form data to parameterMap.
for (Map.Entry<String, List<String>> entry : form.entrySet()) {
parameterMap.put(entry.getKey(), entry.getValue().toArray(new String[0]));
}

return parameterMap;
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,218 @@
/*
* Copyright (c) 2023, WSO2 LLC. (https://www.wso2.com) All Rights Reserved.
*
* WSO2 LLC. licenses this file to you under the Apache License,
* Version 2.0 (the "License"); you may not use this file except
* in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/

package org.wso2.carbon.identity.oauth.endpoint.api.auth;

import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.gson.Gson;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.application.authentication.framework.AuthenticationService;
import org.wso2.carbon.identity.application.authentication.framework.exception.auth.service.AuthServiceClientException;
import org.wso2.carbon.identity.application.authentication.framework.exception.auth.service.AuthServiceException;
import org.wso2.carbon.identity.application.authentication.framework.model.auth.service.AuthServiceErrorInfo;
import org.wso2.carbon.identity.application.authentication.framework.model.auth.service.AuthServiceRequest;
import org.wso2.carbon.identity.application.authentication.framework.model.auth.service.AuthServiceResponse;
import org.wso2.carbon.identity.oauth.common.OAuth2ErrorCodes;
import org.wso2.carbon.identity.oauth.common.OAuthConstants;
import org.wso2.carbon.identity.oauth.endpoint.OAuthRequestWrapper;
import org.wso2.carbon.identity.oauth.endpoint.api.auth.model.AuthRequest;
import org.wso2.carbon.identity.oauth.endpoint.api.auth.model.AuthResponse;
import org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint;
import org.wso2.carbon.identity.oauth.endpoint.exception.InvalidRequestParentException;

import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;

/**
* Class containing the REST API for API based authentication.
*/
@Path("/authn")
public class ApiAuthnEndpoint {

private final AuthenticationService authenticationService = new AuthenticationService();
private final OAuth2AuthzEndpoint oAuth2AuthzEndpoint = new OAuth2AuthzEndpoint();
private static final String AUTHENTICATOR = "authenticator";
private static final String IDP = "idp";
private static final Log LOG = LogFactory.getLog(ApiAuthnEndpoint.class);
private static final ApiAuthnHandler API_AUTHN_HANDLER = new ApiAuthnHandler();

@POST
@Path("/")
@Consumes("application/json")
@Produces("application/json")
public Response handleAuthentication(@Context HttpServletRequest request, @Context HttpServletResponse response,
String payload) {

try {
AuthRequest authRequest = buildAuthRequest(payload);
AuthServiceRequest authServiceRequest = getAuthServiceRequest(request, response, authRequest);
AuthServiceResponse authServiceResponse = authenticationService.handleAuthentication(authServiceRequest);

switch (authServiceResponse.getFlowStatus()) {
case INCOMPLETE:
return handleIncompleteAuthResponse(authServiceResponse);
case SUCCESS_COMPLETED:
return handleSuccessCompletedAuthResponse(request, response, authServiceResponse);
case FAIL_INCOMPLETE:
return handleFailAuthResponse(authServiceResponse);
case FAIL_COMPLETED:
return handleFailAuthResponse(authServiceResponse);
default:
throw new AuthServiceException("Unknown flow status: " + authServiceResponse.getFlowStatus());
}

} catch (AuthServiceClientException | InvalidRequestParentException e) {
if (LOG.isDebugEnabled()) {
LOG.debug("Client error while handling authentication request.", e);
}
return buildOAuthInvalidRequestError(e.getMessage());
} catch (AuthServiceException | URISyntaxException e) {
LOG.error("Error while handling authentication request.", e);
return buildOAuthServerError();
}
}

private AuthRequest buildAuthRequest(String payload) throws AuthServiceClientException {

try {
ObjectMapper objectMapper = new ObjectMapper();
return objectMapper.readValue(payload, AuthRequest.class);
} catch (JsonProcessingException e) {
// Throwing a client exception here as the exception can occur due to a malformed request.
throw new AuthServiceClientException(e.getMessage());
}
}

private Response buildResponse(AuthResponse response) {

ObjectMapper objectMapper = new ObjectMapper();
objectMapper.setSerializationInclusion(JsonInclude.Include.NON_EMPTY);
String jsonString = null;
try {
jsonString = objectMapper.writeValueAsString(response);
} catch (JsonProcessingException e) {
throw new RuntimeException(e);
}
return Response.ok().entity(jsonString).build();
}

private AuthServiceRequest getAuthServiceRequest(HttpServletRequest request, HttpServletResponse response,
AuthRequest authRequest) throws AuthServiceClientException {

Map<String, String[]> params = new HashMap<>();
params.put(OAuthConstants.SESSION_DATA_KEY, new String[]{authRequest.getFlowId()});

String authenticatorId = authRequest.getSelectedAuthenticator().getAuthenticatorId();
if (authenticatorId != null) {
String decodedAuthenticatorId = base64URLDecode(authenticatorId);
String[] authenticatorIdSplit = decodedAuthenticatorId.split(OAuthConstants.AUTHENTICATOR_IDP_SPLITTER);

if (authenticatorIdSplit.length == 2) {
params.put(AUTHENTICATOR, new String[]{authenticatorIdSplit[0]});
params.put(IDP, new String[]{authenticatorIdSplit[1]});
} else {
throw new AuthServiceClientException("Provided authenticator id: " + authenticatorId + " is invalid.");
}
} else {
throw new AuthServiceClientException("Authenticator id is not provided.");
}

Map<String, String[]> authParams = authRequest.getSelectedAuthenticator().getParams().entrySet().stream()
.collect(Collectors.toMap(Map.Entry::getKey, e -> new String[]{e.getValue()}));
params.putAll(authParams);

return new AuthServiceRequest(request, response, params);
}

private String base64URLDecode(String value) {

return new String(
Base64.getUrlDecoder().decode(value),
StandardCharsets.UTF_8);
}

private Response handleSuccessCompletedAuthResponse(HttpServletRequest request, HttpServletResponse response,
AuthServiceResponse authServiceResponse) throws
InvalidRequestParentException, URISyntaxException {

String callerSessionDataKey = authServiceResponse.getSessionDataKey();

Map<String, List<String>> internalParamsList = new HashMap<>();
internalParamsList.put(OAuthConstants.SESSION_DATA_KEY, Collections.singletonList(callerSessionDataKey));
OAuthRequestWrapper internalRequest = new OAuthRequestWrapper(request, internalParamsList);
internalRequest.setInternalRequest(true);

return oAuth2AuthzEndpoint.authorize(internalRequest, response);
}

private Response handleIncompleteAuthResponse(AuthServiceResponse authServiceResponse) throws AuthServiceException {

AuthResponse authResponse = API_AUTHN_HANDLER.handleResponse(authServiceResponse);
return buildResponse(authResponse);
}

private Response handleFailAuthResponse(AuthServiceResponse authServiceResponse) {

String errorMsg = "Unhandled flow status: " + authServiceResponse.getFlowStatus();
if (authServiceResponse.getErrorInfo().isPresent()) {
AuthServiceErrorInfo errorInfo = authServiceResponse.getErrorInfo().get();
errorMsg = errorInfo.getErrorCode() + " - " + errorInfo.getErrorMessage();
}
Map<String, String> params = new HashMap<>();
params.put(OAuthConstants.OAUTH_ERROR, OAuth2ErrorCodes.SERVER_ERROR);
params.put(OAuthConstants.OAUTH_ERROR_DESCRIPTION, errorMsg);
String jsonString = new Gson().toJson(params);
return Response.status(HttpServletResponse.SC_INTERNAL_SERVER_ERROR).entity(jsonString).build();
}

private Response buildOAuthInvalidRequestError(String errorMessage) {

Map<String, String> params = new HashMap<>();
params.put(OAuthConstants.OAUTH_ERROR, OAuth2ErrorCodes.INVALID_REQUEST);
params.put(OAuthConstants.OAUTH_ERROR_DESCRIPTION, errorMessage);
String jsonString = new Gson().toJson(params);
return Response.status(HttpServletResponse.SC_INTERNAL_SERVER_ERROR).entity(jsonString).build();
}

private Response buildOAuthServerError() {

Map<String, String> params = new HashMap<>();
params.put(OAuthConstants.OAUTH_ERROR, OAuth2ErrorCodes.SERVER_ERROR);
params.put(OAuthConstants.OAUTH_ERROR_DESCRIPTION, "Server error occurred while performing authentication.");
String jsonString = new Gson().toJson(params);
return Response.status(HttpServletResponse.SC_INTERNAL_SERVER_ERROR).entity(jsonString).build();
}
}
Loading

0 comments on commit 64e2f67

Please sign in to comment.