Package org.mitre.openid.connect.exception

Examples of org.mitre.openid.connect.exception.ValidationException


        // no secret yet, we need to generate a secret
        newClient = clientService.generateClientSecret(newClient);
      }
    } else if (newClient.getTokenEndpointAuthMethod() == AuthMethod.PRIVATE_KEY) {
      if (Strings.isNullOrEmpty(newClient.getJwksUri())) {
        throw new ValidationException("invalid_client_metadata", "JWK Set URI required when using private key authentication", HttpStatus.BAD_REQUEST);
      }
     
      newClient.setClientSecret(null);
    } else if (newClient.getTokenEndpointAuthMethod() == AuthMethod.NONE) {
      newClient.setClientSecret(null);
    } else {
      throw new ValidationException("invalid_client_metadata", "Unknown authentication method", HttpStatus.BAD_REQUEST);
    }
    return newClient;
  }


              "urn:ietf:params:oauth:grant_type:redelegate"));
   
    // don't allow "password" grant type for dynamic registration
    if (newClient.getGrantTypes().contains("password")) {
      // return an error, you can't dynamically register for the password grant
      throw new ValidationException("invalid_client_metadata", "The password grant type is not allowed in dynamic registration on this server.", HttpStatus.BAD_REQUEST);
    }

    // don't allow clients to have multiple incompatible grant types and scopes
    if (newClient.getGrantTypes().contains("authorization_code")) {

      // check for incompatible grants
      if (newClient.getGrantTypes().contains("implicit") ||
          newClient.getGrantTypes().contains("client_credentials")) {
        // return an error, you can't have these grant types together
        throw new ValidationException("invalid_client_metadata", "Incompatible grant types requested: " + newClient.getGrantTypes(), HttpStatus.BAD_REQUEST);
      }

      if (newClient.getResponseTypes().contains("token")) {
        // return an error, you can't have this grant type and response type together
        throw new ValidationException("invalid_client_metadata", "Incompatible response types requested: " + newClient.getGrantTypes() + " / " + newClient.getResponseTypes(), HttpStatus.BAD_REQUEST);
      }
     
      newClient.getResponseTypes().add("code");
     
   
    }
   
    if (newClient.getGrantTypes().contains("implicit")) {

      // check for incompatible grants
      if (newClient.getGrantTypes().contains("authorization_code") ||
          newClient.getGrantTypes().contains("client_credentials")) {
        // return an error, you can't have these grant types together
        throw new ValidationException("invalid_client_metadata", "Incompatible grant types requested: " + newClient.getGrantTypes(), HttpStatus.BAD_REQUEST);
      }
     
      if (newClient.getResponseTypes().contains("code")) {
        // return an error, you can't have this grant type and response type together
        throw new ValidationException("invalid_client_metadata", "Incompatible response types requested: " + newClient.getGrantTypes() + " / " + newClient.getResponseTypes(), HttpStatus.BAD_REQUEST);
      }
     
      newClient.getResponseTypes().add("token");
     
      // don't allow refresh tokens in implicit clients
      newClient.getGrantTypes().remove("refresh_token");
      newClient.getScope().remove("offline_access");
    }
   
    if (newClient.getGrantTypes().contains("client_credentials")) {

      // check for incompatible grants
      if (newClient.getGrantTypes().contains("authorization_code") ||
          newClient.getGrantTypes().contains("implicit")) {
        // return an error, you can't have these grant types together
        throw new ValidationException("invalid_client_metadata", "Incompatible grant types requested: " + newClient.getGrantTypes(), HttpStatus.BAD_REQUEST);
      }
     
      if (!newClient.getResponseTypes().isEmpty()) {
        // return an error, you can't have this grant type and response type together
        throw new ValidationException("invalid_client_metadata", "Incompatible response types requested: " + newClient.getGrantTypes() + " / " + newClient.getResponseTypes(), HttpStatus.BAD_REQUEST);
      }
     
      // don't allow refresh tokens or id tokens in client_credentials clients
      newClient.getGrantTypes().remove("refresh_token");
      newClient.getScope().remove("offline_access");
      newClient.getScope().remove("openid");
    }
   
    if (newClient.getGrantTypes().isEmpty()) {
      // return an error, you need at least one grant type selected
      throw new ValidationException("invalid_client_metadata", "Clients must register at least one grant type.", HttpStatus.BAD_REQUEST);
    }   
    return newClient;
  }

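  /**
   * Validates the redirect URIs of a client that is being registered.
   *
   * <p>Only clients that request a redirect-based grant type ({@code authorization_code} or
   * {@code implicit}) are checked. Such a client must register at least one redirect URI, and
   * every registered URI must be non-empty, must not be reported as blacklisted by
   * {@code blacklistService}, and must not contain a fragment ({@code #}).
   *
   * <p>The checks here are limited to presence, the blacklist lookup and the fragment test.
   * This method does not itself restrict the scheme or host of a redirect URI.
   * NOTE(review): confirm whether such restrictions are enforced elsewhere in the registration
   * path if the deployment's policy requires them.
   *
   * @param newClient the client metadata submitted for registration
   * @return the same {@code newClient} instance that was passed in
   * @throws ValidationException with error {@code invalid_redirect_uri} and
   *         {@code HttpStatus.BAD_REQUEST} when a redirect-based client registers no redirect
   *         URI, or when any registered URI is null, empty, blacklisted or contains a fragment
   */
  private ClientDetailsEntity validateRedirectUris(ClientDetailsEntity newClient) throws ValidationException {
    boolean usesRedirectFlow = newClient.getGrantTypes().contains("authorization_code")
        || newClient.getGrantTypes().contains("implicit");
    if (!usesRedirectFlow) {
      // grant types that never redirect the user agent need no redirect URI checks
      return newClient;
    }

    if (newClient.getRedirectUris() == null || newClient.getRedirectUris().isEmpty()) {
      throw new ValidationException("invalid_redirect_uri", "Clients using a redirect-based grant type must register at least one redirect URI.", HttpStatus.BAD_REQUEST);
    }

    for (String uri : newClient.getRedirectUris()) {
      // Reject null or empty entries up front. A null entry would otherwise reach
      // uri.contains("#") below and fail with a NullPointerException instead of a
      // 400 invalid_redirect_uri response; an empty entry would pass the fragment test.
      if (uri == null || uri.isEmpty()) {
        throw new ValidationException("invalid_redirect_uri", "Redirect URI can not be empty", HttpStatus.BAD_REQUEST);
      }

      if (blacklistService.isBlacklisted(uri)) {
        // the message echoes the client-supplied URI back to the caller
        throw new ValidationException("invalid_redirect_uri", "Redirect URI is not allowed: " + uri, HttpStatus.BAD_REQUEST);
      }

      if (uri.contains("#")) {
        // a hash symbol means the URI carries a fragment, which is not allowed in a registered redirect URI
        throw new ValidationException("invalid_redirect_uri", "Redirect URI can not have a fragment", HttpStatus.BAD_REQUEST);
      }
    }

    return newClient;
  }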

        // no secret yet, we need to generate a secret
        newClient = clientService.generateClientSecret(newClient);
      }
    } else if (newClient.getTokenEndpointAuthMethod() == AuthMethod.PRIVATE_KEY) {
      if (Strings.isNullOrEmpty(newClient.getJwksUri())) {
        throw new ValidationException("invalid_client_metadata", "JWK Set URI required when using private key authentication", HttpStatus.BAD_REQUEST);
      }
     
      newClient.setClientSecret(null);
    } else if (newClient.getTokenEndpointAuthMethod() == AuthMethod.NONE) {
      newClient.setClientSecret(null);
    } else {
      throw new ValidationException("invalid_client_metadata", "Unknown authentication method", HttpStatus.BAD_REQUEST);
    }
    return newClient;
  }
