add validation for query.jwt response mode

wso2-extensions · Oct 11, 2023 · 4c63e74 · 4c63e74
1 parent c13dc2d
commit 4c63e74
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 8 deletions.
diff --git a/...oint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/authz/OAuth2AuthzEndpoint.java b/...oint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/authz/OAuth2AuthzEndpoint.java
@@ -548,7 +548,8 @@ private AuthorizationResponseDTO getAuthResponseDTO(OAuth2Parameters oauth2Param
      * @param authorizationResponseDTO AuthorizationResponseDTO instance
      * @return ResponseModeProvider
      */
-    private ResponseModeProvider getResponseModeProvider(AuthorizationResponseDTO authorizationResponseDTO) {
+    private ResponseModeProvider getResponseModeProvider(AuthorizationResponseDTO authorizationResponseDTO)
+            throws IdentityOAuth2ClientException {
 
         Map<String, ResponseModeProvider> responseModeProviders =
                 OAuth2ServiceComponentHolder.getResponseModeProviders();
@@ -625,7 +626,12 @@ private Response handleResponseFromConsent(OAuthMessage oAuthMessage) throws OAu
 
         OAuth2Parameters oauth2Params = getOauth2Params(oAuthMessage);
         AuthorizationResponseDTO authorizationResponseDTO = getAuthResponseDTO(oauth2Params);
-        ResponseModeProvider responseModeProvider = getResponseModeProvider(authorizationResponseDTO);
+        ResponseModeProvider responseModeProvider = null;
+        try {
+            responseModeProvider = getResponseModeProvider(authorizationResponseDTO);
+        } catch (IdentityOAuth2ClientException e) {
+            return handleClientException(e);
+        }
         authorizationResponseDTO.setFormPostRedirectPage(formPostRedirectPage);
 
         if (consent != null) {
@@ -683,6 +689,21 @@ private Response handleResponseFromConsent(OAuthMessage oAuthMessage) throws OAu
                 .location(new URI(responseModeProvider.getAuthResponseRedirectUrl(authorizationResponseDTO))).build();
     }
 
+    private Response handleClientException(IdentityOAuth2ClientException e) {
+
+        String errorCode = e.getErrorCode();
+        JSONObject errorResponse = new JSONObject();
+        errorResponse.put(OAuthConstants.OAUTH_ERROR, errorCode);
+        errorResponse.put(OAuthConstants.OAUTH_ERROR_DESCRIPTION, e.getMessage());
+        Response.ResponseBuilder respBuilder;
+        if (errorCode.equals(OAuth2ErrorCodes.INVALID_REQUEST)) {
+            respBuilder = Response.status(HttpServletResponse.SC_BAD_REQUEST);
+        } else {
+            respBuilder = Response.status(HttpServletResponse.SC_UNAUTHORIZED);
+        }
+        return respBuilder.entity(errorResponse.toString()).build();
+    }
+
     private boolean isConsentHandlingFromFrameworkSkipped(OAuth2Parameters oAuth2Parameters)
             throws OAuthSystemException {
 
@@ -1068,7 +1089,12 @@ private Response handleAuthenticationResponse(OAuthMessage oAuthMessage)
         String sessionDataKeyFromLogin = getSessionDataKeyFromLogin(oAuthMessage);
         AuthenticationResult authnResult = getAuthenticationResult(oAuthMessage, sessionDataKeyFromLogin);
         AuthorizationResponseDTO authorizationResponseDTO = getAuthResponseDTO(oauth2Params);
-        ResponseModeProvider responseModeProvider = getResponseModeProvider(authorizationResponseDTO);
+        ResponseModeProvider responseModeProvider = null;
+        try {
+            responseModeProvider = getResponseModeProvider(authorizationResponseDTO);
+        } catch (IdentityOAuth2ClientException e) {
+            return handleClientException(e);
+        }
         authorizationResponseDTO.setFormPostRedirectPage(formPostRedirectPage);
 
         if (isAuthnResultFound(authnResult)) {

diff --git a/...a/org/wso2/carbon/identity/oauth2/responsemode/provider/AbstractResponseModeProvider.java b/...a/org/wso2/carbon/identity/oauth2/responsemode/provider/AbstractResponseModeProvider.java
@@ -20,6 +20,7 @@
 
 import org.apache.commons.lang.StringUtils;
 import org.wso2.carbon.identity.oauth.common.OAuthConstants;
+import org.wso2.carbon.identity.oauth2.IdentityOAuth2ClientException;
 
 /**
  * Abstract class for response mode provider classes
@@ -44,7 +45,7 @@ protected boolean hasIDTokenOrTokenInResponseType(String responseType) {
      * @return true if response mode can be handled
      */
     @Override
-    public boolean canHandle(AuthorizationResponseDTO authorizationResponseDTO) {
+    public boolean canHandle(AuthorizationResponseDTO authorizationResponseDTO) throws IdentityOAuth2ClientException {
 
         return getResponseMode().equals(authorizationResponseDTO.getResponseMode());
     }

diff --git a/...main/java/org/wso2/carbon/identity/oauth2/responsemode/provider/ResponseModeProvider.java b/...main/java/org/wso2/carbon/identity/oauth2/responsemode/provider/ResponseModeProvider.java
@@ -18,6 +18,8 @@
 
 package org.wso2.carbon.identity.oauth2.responsemode.provider;
 
+import org.wso2.carbon.identity.oauth2.IdentityOAuth2ClientException;
+
 /**
  * Interface class for all response mode provider classes
  */
@@ -44,7 +46,7 @@ enum AuthResponseType {
      * @param authorizationResponseDTO AuthorizationResponseDTO instance
      * @return true if relevant ResponseModeProvider can handle the given response_mode
      */
-    boolean canHandle(AuthorizationResponseDTO authorizationResponseDTO);
+    boolean canHandle(AuthorizationResponseDTO authorizationResponseDTO) throws IdentityOAuth2ClientException;
 
     /**
      * Use this method only when AuthResponseType is set to REDIRECTION

diff --git a/.../carbon/identity/oauth2/responsemode/provider/jarm/impl/QueryJwtResponseModeProvider.java b/.../carbon/identity/oauth2/responsemode/provider/jarm/impl/QueryJwtResponseModeProvider.java
@@ -23,7 +23,9 @@
 import org.apache.commons.logging.LogFactory;
 import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
 import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
+import org.wso2.carbon.identity.oauth.common.OAuth2ErrorCodes;
 import org.wso2.carbon.identity.oauth.common.OAuthConstants;
+import org.wso2.carbon.identity.oauth2.IdentityOAuth2ClientException;
 import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
 import org.wso2.carbon.identity.oauth2.responsemode.provider.AuthorizationResponseDTO;
 import org.wso2.carbon.identity.oauth2.responsemode.provider.ResponseModeProvider;
@@ -49,13 +51,21 @@ public String getResponseMode() {
     }
 
     @Override
-    public boolean canHandle(AuthorizationResponseDTO authorizationResponseDTO) {
+    public boolean canHandle(AuthorizationResponseDTO authorizationResponseDTO) throws IdentityOAuth2ClientException {
 
         // This ResponseModeProvider cannot handle response types that contain "token" or "ide_token".
         String responseType = authorizationResponseDTO.getResponseType();
 
-        return !hasIDTokenOrTokenInResponseType(responseType) &&
-                getResponseMode().equals(authorizationResponseDTO.getResponseMode());
+
+        if (hasIDTokenOrTokenInResponseType(responseType) &&
+                getResponseMode().equals(authorizationResponseDTO.getResponseMode())) {
+
+            throw new IdentityOAuth2ClientException(OAuth2ErrorCodes.INVALID_REQUEST,
+                    String.format("Cannot handle response type: %s with response mode: %s", responseType,
+                    authorizationResponseDTO.getResponseMode()));
+        }
+
+        return getResponseMode().equals(authorizationResponseDTO.getResponseMode());
     }
 
     @Override