From 4c63e743cb6e6fe2697e7a8ce1cc632a58bde754 Mon Sep 17 00:00:00 2001
From: Chamath Samarawickrama
Date: Wed, 11 Oct 2023 22:29:55 +0530
Subject: [PATCH] add validation for query.jwt response mode

---
 .../endpoint/authz/OAuth2AuthzEndpoint.java | 32 +++++++++++++++++--
 .../AbstractResponseModeProvider.java | 3 +-
 .../provider/ResponseModeProvider.java | 4 ++-
 .../impl/QueryJwtResponseModeProvider.java | 16 ++++++++--
 4 files changed, 47 insertions(+), 8 deletions(-)

diff --git a/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/authz/OAuth2AuthzEndpoint.java b/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/authz/OAuth2AuthzEndpoint.java
index 3f94afeb760..75c6c4f24a0 100644
--- a/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/authz/OAuth2AuthzEndpoint.java
+++ b/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/authz/OAuth2AuthzEndpoint.java
@@ -548,7 +548,8 @@ private AuthorizationResponseDTO getAuthResponseDTO(OAuth2Parameters oauth2Param
      * @param authorizationResponseDTO AuthorizationResponseDTO instance
      * @return ResponseModeProvider
      */
-    private ResponseModeProvider getResponseModeProvider(AuthorizationResponseDTO authorizationResponseDTO) {
+    private ResponseModeProvider getResponseModeProvider(AuthorizationResponseDTO authorizationResponseDTO)
+            throws IdentityOAuth2ClientException {
 
         Map responseModeProviders = OAuth2ServiceComponentHolder.getResponseModeProviders();
@@ -625,7 +626,12 @@ private Response handleResponseFromConsent(OAuthMessage oAuthMessage) throws OAu
         OAuth2Parameters oauth2Params = getOauth2Params(oAuthMessage);
         AuthorizationResponseDTO authorizationResponseDTO = getAuthResponseDTO(oauth2Params);
-        ResponseModeProvider responseModeProvider = getResponseModeProvider(authorizationResponseDTO);
+        ResponseModeProvider responseModeProvider = null;
+        try {
+            responseModeProvider = getResponseModeProvider(authorizationResponseDTO);
+        } catch (IdentityOAuth2ClientException e) {
+            return handleClientException(e);
+        }
         authorizationResponseDTO.setFormPostRedirectPage(formPostRedirectPage);
 
         if (consent != null) {
@@ -683,6 +689,21 @@ private Response handleResponseFromConsent(OAuthMessage oAuthMessage) throws OAu
                 .location(new URI(responseModeProvider.getAuthResponseRedirectUrl(authorizationResponseDTO))).build();
     }
 
+    private Response handleClientException(IdentityOAuth2ClientException e) {
+
+        String errorCode = e.getErrorCode();
+        JSONObject errorResponse = new JSONObject();
+        errorResponse.put(OAuthConstants.OAUTH_ERROR, errorCode);
+        errorResponse.put(OAuthConstants.OAUTH_ERROR_DESCRIPTION, e.getMessage());
+        Response.ResponseBuilder respBuilder;
+        if (errorCode.equals(OAuth2ErrorCodes.INVALID_REQUEST)) {
+            respBuilder = Response.status(HttpServletResponse.SC_BAD_REQUEST);
+        } else {
+            respBuilder = Response.status(HttpServletResponse.SC_UNAUTHORIZED);
+        }
+        return respBuilder.entity(errorResponse.toString()).build();
+    }
+
     private boolean isConsentHandlingFromFrameworkSkipped(OAuth2Parameters oAuth2Parameters)
             throws OAuthSystemException {
 
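Review bot: `ResponseModeProvider responseModeProvider = null;` followed by the assignment inside the try is a style point: the variable never legitimately stays null, because the catch returns, so the null initializer only hides a future missing-assignment error. Declaring it without an initializer, `final ResponseModeProvider responseModeProvider;` `try {` `responseModeProvider = getResponseModeProvider(authorizationResponseDTO);`, lets definite-assignment analysis enforce that, since the compiler knows the catch branch exits. The same pattern appears in the handleAuthenticationResponse hunk at -1068. handleResponseFromConsent starts and ends outside this hunk.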
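Review bot: `errorCode.equals(OAuth2ErrorCodes.INVALID_REQUEST)` in handleClientException dereferences the exception's error code, which nothing in the hunk guarantees is non-null; `OAuth2ErrorCodes.INVALID_REQUEST.equals(errorCode)` is the null-safe form. The body also echoes `e.getMessage()`, which for the new query.jwt check carries the caller-supplied response_type and response_mode, back to the user agent without a Content-Type, so add `.type(MediaType.APPLICATION_JSON)` to the builder (the JAX-RS MediaType, assuming it is available alongside Response here) so browsers do not sniff the reflected values. Mapping every other error code to 401 is also questionable for an authorization-endpoint client error, and a direct JSON body means the client application never receives the error; worth confirming whether an error redirect to the already-validated redirect_uri, as for other authorization errors, is the intended behaviour.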
@@ -1068,7 +1089,12 @@ private Response handleAuthenticationResponse(OAuthMessage oAuthMessage)
         String sessionDataKeyFromLogin = getSessionDataKeyFromLogin(oAuthMessage);
         AuthenticationResult authnResult = getAuthenticationResult(oAuthMessage, sessionDataKeyFromLogin);
         AuthorizationResponseDTO authorizationResponseDTO = getAuthResponseDTO(oauth2Params);
-        ResponseModeProvider responseModeProvider = getResponseModeProvider(authorizationResponseDTO);
+        ResponseModeProvider responseModeProvider = null;
+        try {
+            responseModeProvider = getResponseModeProvider(authorizationResponseDTO);
+        } catch (IdentityOAuth2ClientException e) {
+            return handleClientException(e);
+        }
         authorizationResponseDTO.setFormPostRedirectPage(formPostRedirectPage);
 
         if (isAuthnResultFound(authnResult)) {
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/responsemode/provider/AbstractResponseModeProvider.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/responsemode/provider/AbstractResponseModeProvider.java
index c82d03eab7b..fef64f8557d 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/responsemode/provider/AbstractResponseModeProvider.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/responsemode/provider/AbstractResponseModeProvider.java
@@ -20,6 +20,7 @@
 import org.apache.commons.lang.StringUtils;
 import org.wso2.carbon.identity.oauth.common.OAuthConstants;
+import org.wso2.carbon.identity.oauth2.IdentityOAuth2ClientException;
 
 /**
  * Abstract class for response mode provider classes
@@ -44,7 +45,7 @@ protected boolean hasIDTokenOrTokenInResponseType(String responseType) {
      * @return true if response mode can be handled
      */
     @Override
-    public boolean canHandle(AuthorizationResponseDTO authorizationResponseDTO) {
+    public boolean canHandle(AuthorizationResponseDTO authorizationResponseDTO) throws IdentityOAuth2ClientException {
         return getResponseMode().equals(authorizationResponseDTO.getResponseMode());
     }
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/responsemode/provider/ResponseModeProvider.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/responsemode/provider/ResponseModeProvider.java
index dd97022825b..2dfd7243795 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/responsemode/provider/ResponseModeProvider.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/responsemode/provider/ResponseModeProvider.java
@@ -18,6 +18,8 @@
 package org.wso2.carbon.identity.oauth2.responsemode.provider;
 
+import org.wso2.carbon.identity.oauth2.IdentityOAuth2ClientException;
+
 /**
  * Interface class for all response mode provider classes
  */
@@ -44,7 +46,7 @@ enum AuthResponseType {
      * @param authorizationResponseDTO AuthorizationResponseDTO instance
      * @return true if relevant ResponseModeProvider can handle the given response_mode
      */
-    boolean canHandle(AuthorizationResponseDTO authorizationResponseDTO);
+    boolean canHandle(AuthorizationResponseDTO authorizationResponseDTO) throws IdentityOAuth2ClientException;
 
     /**
      * Use this method only when AuthResponseType is set to REDIRECTION
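Review bot: The Javadoc on canHandle is not updated for the new checked exception, in this hunk of AbstractResponseModeProvider and in the -44 hunk of ResponseModeProvider, so callers reading the interface still see only `@return true if relevant ResponseModeProvider can handle the given response_mode`. Add `@throws IdentityOAuth2ClientException if this provider rejects the request's response_type and response_mode combination` to both. It is also worth a sentence on the interface stating that a provider may now reject the request outright rather than merely decline it, since that changes how the endpoint's provider lookup behaves.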
diff --git a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/responsemode/provider/jarm/impl/QueryJwtResponseModeProvider.java b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/responsemode/provider/jarm/impl/QueryJwtResponseModeProvider.java
index 32320f8e669..c01fefb06c8 100644
--- a/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/responsemode/provider/jarm/impl/QueryJwtResponseModeProvider.java
+++ b/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/responsemode/provider/jarm/impl/QueryJwtResponseModeProvider.java
@@ -23,7 +23,9 @@
 import org.apache.commons.logging.LogFactory;
 import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
 import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
+import org.wso2.carbon.identity.oauth.common.OAuth2ErrorCodes;
 import org.wso2.carbon.identity.oauth.common.OAuthConstants;
+import org.wso2.carbon.identity.oauth2.IdentityOAuth2ClientException;
 import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
 import org.wso2.carbon.identity.oauth2.responsemode.provider.AuthorizationResponseDTO;
 import org.wso2.carbon.identity.oauth2.responsemode.provider.ResponseModeProvider;
@@ -49,13 +51,21 @@ public String getResponseMode() {
     }
 
     @Override
-    public boolean canHandle(AuthorizationResponseDTO authorizationResponseDTO) {
+    public boolean canHandle(AuthorizationResponseDTO authorizationResponseDTO) throws IdentityOAuth2ClientException {
         // This ResponseModeProvider cannot handle response types that contain "token" or "ide_token".
         String responseType = authorizationResponseDTO.getResponseType();
-        return !hasIDTokenOrTokenInResponseType(responseType) &&
-                getResponseMode().equals(authorizationResponseDTO.getResponseMode());
+
+        if (hasIDTokenOrTokenInResponseType(responseType) &&
+                getResponseMode().equals(authorizationResponseDTO.getResponseMode())) {
+
+            throw new IdentityOAuth2ClientException(OAuth2ErrorCodes.INVALID_REQUEST,
+                    String.format("Cannot handle response type: %s with response mode: %s", responseType,
+                            authorizationResponseDTO.getResponseMode()));
+        }
+
+        return getResponseMode().equals(authorizationResponseDTO.getResponseMode());
     }
 
     @Override
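Review bot: `getResponseMode().equals(authorizationResponseDTO.getResponseMode())` is evaluated twice in the new canHandle body, once in the guard and again in the return; hoist it into a local, `boolean modeMatches = getResponseMode().equals(authorizationResponseDTO.getResponseMode());`, guard with `if (modeMatches && hasIDTokenOrTokenInResponseType(responseType)) {`, and end with `return modeMatches;`. The retained comment `"token" or "ide_token"` should read `id_token`, and it now describes the old behaviour: the provider rejects such a request rather than declining it, so reword it to say so. JARM permits token or id_token with query.jwt when the response JWT is encrypted, so if encrypted JARM responses are supported here that case is now rejected as well; worth confirming against the intended profile. Per the endpoint hunks at -625 and -1068 this check runs only after authentication and consent, so a request that can never succeed still sends the user through login; validating the response_type/response_mode pair when the authorization request is first received would fail it earlier.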