Recomended Changes to Enabling OAuth Authentication for BackEnd Services

2025-10-06 02:01:45 +00:00 · 2015-10-08 17:54:49 +05:30 · 2015-10-08 17:54:49 +05:30 · 786728b49b
commit 786728b49b
parent 97df36842d
7 changed files with 58 additions and 88 deletions
--- a/components/identity-extensions/backend-oauth-authenticator/pom.xml
+++ b/components/identity-extensions/backend-oauth-authenticator/pom.xml
@ -1,4 +1,21 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!--
  ~ Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
  ~
  ~ WSO2 Inc. licenses this file to you under the Apache License,
  ~ Version 2.0 (the "License"); you may not use this file except
  ~ in compliance with the License.
  ~ you may obtain a copy of the License at
  ~
  ~   http://www.apache.org/licenses/LICENSE-2.0
  ~
  ~ Unless required by applicable law or agreed to in writing,
  ~ software distributed under the License is distributed on an
  ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  ~ KIND, either express or implied.  See the License for the
  ~ specific language governing permissions and limitations
  ~ under the License.
  -->
 <project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
@ -16,47 +33,38 @@
        <dependency>
            <groupId>org.wso2.carbon</groupId>
            <artifactId>org.wso2.carbon.utils</artifactId>
            <version>${carbon.kernel.version}</version>
             </dependency>
        <dependency>
            <groupId>org.wso2.carbon.identity</groupId>
            <artifactId>org.wso2.carbon.identity.base</artifactId>
            <version>${carbon.identity.version}</version>
                   </dependency>
        <dependency>
            <groupId>org.wso2.carbon.identity</groupId>
            <artifactId>org.wso2.carbon.identity.core</artifactId>
            <version>${carbon.identity.version}</version>
                   </dependency>
        <dependency>
            <groupId>org.wso2.carbon</groupId>
            <artifactId>org.wso2.carbon.core</artifactId>
            <version>${carbon.kernel.version}</version>
                   </dependency>
        <dependency>
            <groupId>org.wso2.carbon</groupId>
            <artifactId>org.wso2.carbon.logging</artifactId>
            <version>${carbon.kernel.version}</version>
                   </dependency>
        <dependency>
            <groupId>org.wso2.carbon.identity</groupId>
            <artifactId>org.wso2.carbon.identity.application.authentication.framework</artifactId>
            <version>${carbon.identity.version}</version>
                   </dependency>
        <dependency>
            <groupId>org.wso2.carbon</groupId>
            <artifactId>org.wso2.carbon.core.services</artifactId>
            <version>${carbon.kernel.version}</version>
                   </dependency>
        <dependency>
            <groupId>org.wso2.carbon.identity</groupId>
            <artifactId>org.wso2.carbon.identity.oauth</artifactId>
            <version>${carbon.identity.version}</version>
                   </dependency>
        <dependency>
            <groupId>org.wso2.carbon.identity</groupId>
            <artifactId>org.wso2.carbon.identity.application.common</artifactId>
            <version>${carbon.identity.version}</version>
                   </dependency>
        <dependency>
            <groupId>org.wso2.carbon.identity</groupId>
@ -98,11 +106,9 @@
                        <Export-Package>
                            org.wso2.carbon.identity.authenticator.backend.oauth.*;
                        </Export-Package>
                        <DynamicImport-Package>*</DynamicImport-Package>
                               </instructions>
                </configuration>
            </plugin>
        </plugins>
    </build>
 </project>
--- a/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/OauthAuthenticator.java
+++ b/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/OauthAuthenticator.java
@ -41,18 +41,24 @@ public class OauthAuthenticator implements CarbonServerAuthenticator {
    private static final Log log = LogFactory.getLog(OauthAuthenticator.class);
    private static final int PRIORITY = 5;
    private static final int ACCESS_TOKEN_INDEX = 1;
    private OAuth2TokenValidator tokenValidator;
-    private static String hostUrl = "";
+    public OauthAuthenticator() {
    private static boolean isRemote = false;
    static {
        AuthenticatorsConfiguration authenticatorsConfiguration = AuthenticatorsConfiguration.getInstance();
-        AuthenticatorsConfiguration.AuthenticatorConfig authenticatorConfig = authenticatorsConfiguration.getAuthenticatorConfig(OauthAuthenticatorConstants.AUTHENTICATOR_NAME);
+        AuthenticatorsConfiguration.AuthenticatorConfig authenticatorConfig = authenticatorsConfiguration.
-
+                getAuthenticatorConfig(OauthAuthenticatorConstants.AUTHENTICATOR_NAME);
        boolean isRemote;
        String hostUrl;
        if (authenticatorConfig != null) {
            isRemote = Boolean.parseBoolean(authenticatorConfig.getParameters().get("isRemote"));
            hostUrl = authenticatorConfig.getParameters().get("hostURL");
-
+        }else{
            throw new IllegalArgumentException("Configuration parameters need to be defined in Authenticators.xml");
        }
        try {
            tokenValidator = OAuthValidatorFactory.getValidator(isRemote, hostUrl);
        } catch (IllegalArgumentException e) {
            log.error("Failed to initialise Authenticator",e);
        }
    }
@ -65,10 +71,8 @@ public class OauthAuthenticator implements CarbonServerAuthenticator {
    public boolean isHandle(MessageContext messageContext) {
        HttpServletRequest httpServletRequest = getHttpRequest(messageContext);
        String headerValue = httpServletRequest.getHeader(HTTPConstants.HEADER_AUTHORIZATION);
        if (headerValue != null && !headerValue.trim().isEmpty()) {
            String[] headerPart = headerValue.trim().split(OauthAuthenticatorConstants.SPLITING_CHARACTOR);
            if (OauthAuthenticatorConstants.AUTHORIZATION_HEADER_PREFIX_BEARER.equals(headerPart[0])) {
                return true;
            }
@ -88,38 +92,25 @@ public class OauthAuthenticator implements CarbonServerAuthenticator {
    public boolean isAuthenticated(MessageContext messageContext) {
        HttpServletRequest httpServletRequest = getHttpRequest(messageContext);
        String headerValue = httpServletRequest.getHeader(HTTPConstants.HEADER_AUTHORIZATION);
        //split the header value to separate the identity type and the token.
        String[] headerPart = headerValue.trim().split(OauthAuthenticatorConstants.SPLITING_CHARACTOR);
        String accessToken = headerPart[ACCESS_TOKEN_INDEX];
-        OAuth2TokenValidator tokenValidator = OAuthValidatorFactory.getValidator(isRemote,hostUrl);
+        OAuthValidationRespond response = null;
        if (tokenValidator == null) {
            log.error("OAuthValidationFactory failed to return a validator",
                    new AuthenticatorException("OAuthValidatorFactory Failed to determine the validator"));
            return false;
        }
        OAuthValidationRespond respond = null;
        try {
-            respond = tokenValidator.validateToken(accessToken);
+            response = tokenValidator.validateToken(accessToken);
        } catch (RemoteException e) {
            log.error("Failed to validate the OAuth token provided.", e);
        }
-
+        if (response != null && response.isValid()) {
        if (respond != null && respond.isValid()) {
            HttpSession session;
            if ((session = httpServletRequest.getSession(false)) != null) {
-                session.setAttribute(MultitenantConstants.TENANT_DOMAIN, respond.getTenantDomain());
+                session.setAttribute(MultitenantConstants.TENANT_DOMAIN, response.getTenantDomain());
-                session.setAttribute(ServerConstants.USER_LOGGED_IN, respond.getUserName());
+                session.setAttribute(ServerConstants.USER_LOGGED_IN, response.getUserName());
                if (log.isDebugEnabled()) {
                    log.debug("Authentication successful for " + session.getAttribute(ServerConstants.USER_LOGGED_IN));
                }
            }
            return true;
        }
        if (log.isDebugEnabled()) {
            log.debug("Authentication failed.Illegal attempt from session " + httpServletRequest.getSession().getId());
        }
--- a/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/validator/OAuthValidationRespond.java
+++ b/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/validator/OAuthValidationRespond.java
@ -20,6 +20,7 @@ package org.wso2.carbon.identity.authenticator.backend.oauth.validator;
 /**
 * This class hold the validation information which can be retrieve by both remote and in house IDPs
 */
@SuppressWarnings("unused")
 public class OAuthValidationRespond {
    private String userName;
    private String tenantDomain;
--- a/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/validator/OAuthValidatorFactory.java
+++ b/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/validator/OAuthValidatorFactory.java
@ -17,34 +17,28 @@
 */
 package org.wso2.carbon.identity.authenticator.backend.oauth.validator;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.wso2.carbon.identity.authenticator.backend.oauth.AuthenticatorException;
 import org.wso2.carbon.identity.authenticator.backend.oauth.OauthAuthenticatorConstants;
 import org.wso2.carbon.identity.authenticator.backend.oauth.validator.impl.ExternalOAuthValidator;
 import org.wso2.carbon.identity.authenticator.backend.oauth.validator.impl.LocalOAuthValidator;
 /**
- * the class validate the configurations and provide the most suitable implementation according to the configuration.
+ * The class validate the configurations and provide the most suitable implementation according to the configuration.
 * Factory class for OAuthValidator.
 */
 public class OAuthValidatorFactory {
    private static Log log = LogFactory.getLog(OAuthValidatorFactory.class);
    /**
-     * the method check the configuration and provide the appropriate implementation for OAuth2TokenValidator
+     * The method check the configuration and provide the appropriate implementation for OAuth2TokenValidator
     *
     * @return OAuth2TokenValidator
     */
-    public static OAuth2TokenValidator getValidator(boolean isRemote ,String hostURL) {
+    public static OAuth2TokenValidator getValidator(boolean isRemote, String hostURL) throws IllegalArgumentException {
        if (isRemote) {
            if (!(hostURL == null || hostURL.trim().isEmpty())) {
                hostURL = hostURL + OauthAuthenticatorConstants.OAUTH_ENDPOINT_POSTFIX;
                return new ExternalOAuthValidator(hostURL);
            } else {
-                log.error("IDP Configuration error",
+                throw new IllegalArgumentException("Remote server name and ip both can't be empty");
                        new AuthenticatorException("Remote server name and ip both can't be empty"));
                return null;
            }
        }
        return new LocalOAuthValidator();
--- a/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/validator/impl/ExternalOAuthValidator.java
+++ b/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/validator/impl/ExternalOAuthValidator.java
@ -21,15 +21,14 @@ import org.apache.axis2.client.Options;
 import org.apache.axis2.client.ServiceClient;
 import org.apache.axis2.transport.http.HTTPConstants;
 import org.apache.commons.httpclient.Header;
 import org.wso2.carbon.identity.authenticator.backend.oauth.OauthAuthenticatorConstants;
 import org.wso2.carbon.identity.authenticator.backend.oauth.validator.OAuth2TokenValidator;
 import org.wso2.carbon.identity.authenticator.backend.oauth.validator.OAuthValidationRespond;
 import org.wso2.carbon.identity.oauth2.stub.OAuth2TokenValidationServiceStub;
 import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2ClientApplicationDTO;
 import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationRequestDTO;
 import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationRequestDTO_OAuth2AccessToken;
 import org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationRequestDTO_TokenValidationContextParam;
 import org.wso2.carbon.utils.multitenancy.MultitenantUtils;
 import org.wso2.carbon.identity.authenticator.backend.oauth.OauthAuthenticatorConstants;
 import org.wso2.carbon.identity.authenticator.backend.oauth.validator.OAuth2TokenValidator;
 import org.wso2.carbon.identity.authenticator.backend.oauth.validator.OAuthValidationRespond;
 import java.rmi.RemoteException;
 import java.util.ArrayList;
@ -37,8 +36,7 @@ import java.util.List;
 /**
 * Handles the Authentication form external IDP servers.
- * Currently only supports WSO2 IS.
+ * Currently only supports WSO@ IS
 * External IDP support is planned for future.
 */
 public class ExternalOAuthValidator implements OAuth2TokenValidator{
    protected String hostURL ;
@ -54,20 +52,11 @@ public class ExternalOAuthValidator implements OAuth2TokenValidator{
     * @return OAuthValidationRespond with the validated results.
     */
    public OAuthValidationRespond validateToken(String token) throws RemoteException {
        // create an OAuth token validating request DTO
        OAuth2TokenValidationRequestDTO validationRequest = new OAuth2TokenValidationRequestDTO();
        // create access token object to validate and populate it
        OAuth2TokenValidationRequestDTO_OAuth2AccessToken accessToken =
                new OAuth2TokenValidationRequestDTO_OAuth2AccessToken();
        accessToken.setTokenType(OauthAuthenticatorConstants.BEARER_TOKEN_TYPE);
        accessToken.setIdentifier(token);
        OAuth2TokenValidationRequestDTO_TokenValidationContextParam tokenValidationContextParam[] =
                new OAuth2TokenValidationRequestDTO_TokenValidationContextParam[1];
        validationRequest.setContext(tokenValidationContextParam);
        //set the token to the validation request
        validationRequest.setAccessToken(accessToken);
        OAuth2TokenValidationServiceStub validationService =
                new OAuth2TokenValidationServiceStub(hostURL);
@ -85,14 +74,12 @@ public class ExternalOAuthValidator implements OAuth2TokenValidator{
        boolean isValid = respond.getAccessTokenValidationResponse().getValid();
        String userName = null;
        String tenantDomain = null;
        if(isValid){
            userName = MultitenantUtils.getTenantAwareUsername(
                    respond.getAccessTokenValidationResponse().getAuthorizedUser());
            tenantDomain =
                    MultitenantUtils.getTenantDomain(respond.getAccessTokenValidationResponse().getAuthorizedUser());
        }
        return new OAuthValidationRespond(userName,tenantDomain,isValid);
    }
 }
--- a/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/validator/impl/LocalOAuthValidator.java
+++ b/components/identity-extensions/backend-oauth-authenticator/src/main/java/org/wso2/carbon/identity/authenticator/backend/oauth/validator/impl/LocalOAuthValidator.java
@ -1,4 +1,3 @@
 /*
 *  Copyright (c) 2015 WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
 *
@ -38,19 +37,11 @@ public class LocalOAuthValidator implements OAuth2TokenValidator {
     * @return OAuthValidationRespond with the validated results.
     */
    public OAuthValidationRespond validateToken(String token) {
        // create an OAuth token validating request DTO
        OAuth2TokenValidationRequestDTO validationRequest = new OAuth2TokenValidationRequestDTO();
        // create access token object to validate and populate it
        OAuth2TokenValidationRequestDTO.OAuth2AccessToken accessToken =
                validationRequest.new OAuth2AccessToken();
        accessToken.setTokenType(OauthAuthenticatorConstants.BEARER_TOKEN_TYPE);
        accessToken.setIdentifier(token);
        //the workaround till the version is upgraded in both is and EMM to be the same.
        OAuth2TokenValidationRequestDTO.TokenValidationContextParam tokenValidationContextParam[] =
                new OAuth2TokenValidationRequestDTO.TokenValidationContextParam[1];
        //==
        validationRequest.setContext(tokenValidationContextParam);
        //set the token to the validation request
        validationRequest.setAccessToken(accessToken);
        OAuth2TokenValidationService validationService = new OAuth2TokenValidationService();
        OAuth2ClientApplicationDTO respond =  validationService.