Class OAuth2Client<T extends OAuth2ClientConfiguration>

    • Constructor Detail

      • OAuth2Client

        public OAuth2Client​(Handler httpHandler,
                            T config,
                            Clock clock,
                            SecureRandom random)
        Constructs an OAuth2Client using the provided Handler and OAuth2ClientConfiguration.
        Parameters:
        httpHandler - Handler used to make HTTP calls to the authorization and resource servers.
        config - configuration that drives the OAuth flow.
        clock - Clock used for time-based decisions, such as whether a stored token has expired.
        random - SecureRandom used to generate opaque, cryptographically secure values such as the authorization state and the PKCE verifier.
    • Method Detail

      • getAccessToken

        protected static final String getAccessToken​(JsonValue data)
                                              throws OAuthException
        Retrieves an access token from a JsonValue.
        Parameters:
        data - the JsonValue that may contain an access token.
        Returns:
        the access token.
        Throws:
        OAuthException - if no access token is found in the JsonValue.
      • getAccessTokenInfo

        protected Promise<JsonValue,​OAuthException> getAccessTokenInfo​(Context context,
                                                                             String accessToken)
        Retrieves the access token metadata as a JsonValue: invokes the introspection endpoint (RFC 7662) to validate the access token and returns the JSON (RFC 7159) document describing the token, including whether it is currently active.
        Parameters:
        context - Context chain used to keep a relationship between requests (tracking).
        accessToken - the access token to be introspected.
        Returns:
        the meta information associated with the access token.
      • getFirstValueOrNull

        protected static final String getFirstValueOrNull​(List<String> values)
        Gets the first value out of the List.
        Parameters:
        values - the list to read from (may be empty).
        Returns:
        The first value, or null if none exist.
      • getAuthRedirect

        public Promise<URI,​OAuthException> getAuthRedirect​(DataStore dataStore,
                                                                 String data,
                                                                 URI landingPage)
        Description copied from interface: OAuthClient
        Return the URI that the user agent should be redirected to, to authenticate and authorize access.
        Specified by:
        getAuthRedirect in interface OAuthClient
        Parameters:
        dataStore - The data store that contains information about the OAuth interaction.
        data - A value which will be stored in the data store to be returned as part of the final landing page redirect response, this MUST be URI safe.
        landingPage - The final page a user agent should be sent following successful authentication.
        Returns:
        Promise, with a type of URI, suitable for redirecting the user agent for external authentication and authorization; the Promise fails with an OAuthException when an error occurs.
      • validateClientId

        protected Function<JsonValue,​JsonValue,​OAuthException> validateClientId​(DataStore dataStore,
                                                                                            JsonValue storedData,
                                                                                            String inputToken)
        Compares the client_id from the data associated with the access token against the configured client_id; a token issued to a different client must not be accepted.
        Parameters:
        dataStore - data store in which to store the information.
        storedData - data that is in the storage implementation of DataStore.
        inputToken - the token to inspect.
        Returns:
        result of the access token validation.
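As an added example (not part of the OAuth2Client source or the ForgeRock project), the two steps getAccessTokenInfo and validateClientId describe, in Python: an RFC 7662 introspection request with the client credentials attached, and validation of the response (the token must be active and the client_id it was issued to must match ours). The CONFIG values, the sample responses and the OAuthError class are constructed for the example; the extra exp check is my addition and is not something the page documents.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed configuration for the example; endpoint and credentials are
# placeholders, not real values.
CONFIG = {
    "client_id": "my-client",
    "client_secret": "s3cr3t",
    "introspection_endpoint": "https://as.example.com/oauth2/introspect",
}


class OAuthError(Exception):
    """Stand-in for OAuthException."""


def build_introspect_request(config, access_token):
    """RFC 7662 section 2.1: a POST with the token as a form parameter.

    The client authenticates with HTTP Basic (RFC 6749 section 2.3.1); on the
    page this is what the client authentication filter wrapped by
    getTokenEndpointHandler() adds to the request."""
    creds = f"{config['client_id']}:{config['client_secret']}".encode("utf-8")
    return {
        "method": "POST",
        "url": config["introspection_endpoint"],
        "headers": {
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
            "Authorization": "Basic " + base64.b64encode(creds).decode("ascii"),
        },
        "body": urlencode({"token": access_token, "token_type_hint": "access_token"}),
    }


def validate_introspection(config, response_body, now):
    """Validate an introspection response and return its claims.

    `now` is a Unix timestamp standing in for the Clock passed to the
    OAuth2Client constructor, so the check is deterministic in tests."""
    data = json.loads(response_body)
    # RFC 7662 section 2.2: "active" is the only required member; anything
    # other than JSON true means the token must not be trusted.
    if data.get("active") is not True:
        raise OAuthError("token is not active")
    # validateClientId(): the client the AS associates with the token must be
    # us. A valid token issued to another client is still not ours to accept.
    if data.get("client_id") != config["client_id"]:
        raise OAuthError("token client_id does not match configured client_id")
    # Extra check (my addition, not documented on the page): honour "exp"
    # even when the AS reported the token active.
    exp = data.get("exp")
    if exp is not None and now >= int(exp):
        raise OAuthError("token has expired")
    return data


def classify_token(config, response_body, now):
    """Outcome of validate_introspection() as a string, for logging and tests."""
    try:
        validate_introspection(config, response_body, now)
    except OAuthError as err:
        return str(err)
    return "valid"


# Constructed sample responses, as an authorization server might return them.
SAMPLE_ACTIVE = json.dumps({"active": True, "client_id": "my-client",
                            "scope": "openid profile", "sub": "alice",
                            "exp": 1700000000})
SAMPLE_OTHER_CLIENT = json.dumps({"active": True, "client_id": "other-client",
                                  "sub": "alice", "exp": 1700000000})
SAMPLE_INACTIVE = json.dumps({"active": False})

if __name__ == "__main__":
    print(build_introspect_request(CONFIG, "2YotnFZFEjr1zCsicMWpAA")["body"])
    for body in (SAMPLE_ACTIVE, SAMPLE_OTHER_CLIENT, SAMPLE_INACTIVE):
        print(classify_token(CONFIG, body, now=1699999000))
```

The `active` test uses `is not True` deliberately: a response such as `{"active": "true"}` or a missing member is treated as inactive rather than truthy, which is the failure direction you want when the introspection endpoint misbehaves.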
      • getSessionInfo

        public Promise<? extends OAuth2SessionInfo,​OAuthException> getSessionInfo​(DataStore dataStore)
        Description copied from interface: OAuthClient
        Validate whether an Auth Server session is still active and valid.
        Specified by:
        getSessionInfo in interface OAuthClient
        Parameters:
        dataStore - The data store that contains information about the OAuth interaction.
        Returns:
        Promise, with a type of OAuth2SessionInfo, representing information about the session; the Promise fails with an OAuthException when an error occurs.
      • getUserInfo

        public Promise<UserInfo,​OAuthException> getUserInfo​(DataStore dataStore)
        Description copied from interface: OAuthClient
        Return the authenticated user's info from the external authentication server.
        Specified by:
        getUserInfo in interface OAuthClient
        Parameters:
        dataStore - The data store that contains information about the OAuth interaction.
        Returns:
        Promise, with a type of UserInfo, containing the available user info; the Promise fails with an OAuthException when an error occurs.
      • refresh

        public Promise<Void,​OAuthException> refresh​(DataStore dataStore)
        Description copied from interface: OAuthClient
        Refreshes a token if it has expired.
        Specified by:
        refresh in interface OAuthClient
        Parameters:
        dataStore - The data store that contains information about the OAuth interaction.
        Returns:
        Promise, with a type of Void; if a new token has been retrieved, the data store is updated with it. The Promise fails with an OAuthException when an error occurs.
      • getTokenEndpointHandler

        protected Handler getTokenEndpointHandler()
        The token endpoint handler, which wraps the client authentication filter that adds the client credentials to the request.
        Returns:
        the token endpoint handler.
      • createAuthRedirectUri

        protected URI createAuthRedirectUri​(String state,
                                            String pkceChallenge)
        Creates a URI that the user agent will be redirected to for authentication and authorization.
        Parameters:
        state - opaque value used to prevent CSRF attacks.
        pkceChallenge - opaque PKCE challenge used to prevent code interception/injection attacks.
        Returns:
        URI
      • createAuthRedirectUri

        @Deprecated
        protected URI createAuthRedirectUri​(String state)
        Deprecated.
        Use createAuthRedirectUri(String, String) and specify a PKCE challenge.
        Creates a URI that the user agent will be redirected to for authentication and authorization.
        Parameters:
        state - opaque value used to prevent CSRF attacks.
        Returns:
        URI
      • createRequestForTokenRefresh

        protected Promise<Request,​OAuthException> createRequestForTokenRefresh​(JsonValue storedData)
        Creates a Request for the token refresh endpoint of an identity provider.
        Parameters:
        storedData - data that is in the storage implementation of DataStore.
        Returns:
        Request for the token refresh endpoint.
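As an added example in Python (not code from the OAuth2Client source or the ForgeRock project) of what refresh() and createRequestForTokenRefresh() describe: deciding from the stored interaction data and the clock whether the access token has expired, building the RFC 6749 section 6 refresh request, and merging the response back into the store. The CONFIG values, the sample responses, the `send` callable, the 30-second skew and the OAuthError class are all assumptions made for the example; the stored record's `expires_at` field is my analogue of what storeResponse() would record, not a field the page names.

```python
import json
from urllib.parse import urlencode

# Refresh this many seconds before the recorded expiry (assumption for the
# example; the page does not specify a skew).
EXPIRY_SKEW_SECONDS = 30

# Constructed configuration; placeholders only.
CONFIG = {
    "client_id": "my-client",
    "token_endpoint": "https://as.example.com/oauth2/access_token",
}


class OAuthError(Exception):
    """Stand-in for OAuthException."""


def store_token_response(stored, response_body, now):
    """Merge a token endpoint response into the stored interaction data.

    Analogue of storeResponse(): keeps the response members and records an
    absolute expires_at from expires_in and the clock (`now`, Unix seconds)."""
    data = json.loads(response_body)
    if "access_token" not in data:
        # getAccessToken() on the page throws OAuthException in this case.
        raise OAuthError("no access_token in token response")
    merged = dict(stored)
    merged.update(data)
    if "expires_in" in data:
        merged["expires_at"] = now + int(data["expires_in"])
    else:
        merged.pop("expires_at", None)  # lifetime unknown: never auto-refresh
    # RFC 6749 section 6: the AS may omit refresh_token, in which case the
    # previous one stays valid and is kept above; if it issued a new one,
    # update() replaced the old value, which must not be reused.
    return merged


def needs_refresh(stored, now):
    """True when the stored access token is expired or about to expire."""
    expires_at = stored.get("expires_at")
    return expires_at is not None and now + EXPIRY_SKEW_SECONDS >= expires_at


def build_refresh_request(config, stored):
    """Analogue of createRequestForTokenRefresh(). Client credentials are not
    added here; on the page the client authentication filter does that."""
    refresh_token = stored.get("refresh_token")
    if not refresh_token:
        raise OAuthError("no refresh_token stored; user must re-authenticate")
    return {
        "method": "POST",
        "url": config["token_endpoint"],
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": "refresh_token",
                           "refresh_token": refresh_token,
                           "client_id": config["client_id"]}),
    }


def refresh_if_needed(config, stored, now, send):
    """Analogue of refresh(): `send` takes a request dict and returns the
    response body, so a real HTTP client can be plugged in."""
    if not needs_refresh(stored, now):
        return stored
    return store_token_response(stored, send(build_refresh_request(config, stored)), now)


# Constructed sample token responses.
INITIAL_RESPONSE = json.dumps({"access_token": "tok-1", "token_type": "Bearer",
                               "expires_in": 3600, "refresh_token": "rt-1"})
ROTATED_RESPONSE = json.dumps({"access_token": "tok-2", "token_type": "Bearer",
                               "expires_in": 3600, "refresh_token": "rt-2"})
NO_NEW_REFRESH_RESPONSE = json.dumps({"access_token": "tok-3", "token_type": "Bearer",
                                      "expires_in": 600})

if __name__ == "__main__":
    stored = store_token_response({}, INITIAL_RESPONSE, now=1000)
    print(needs_refresh(stored, 4000), needs_refresh(stored, 4570))
    print(refresh_if_needed(CONFIG, stored, 4570, lambda req: ROTATED_RESPONSE))
```

Two points worth keeping when adapting this: an absent `expires_in` is treated as "unknown" rather than "expired", so the token is used until the resource server rejects it, and a rotated refresh token overwrites the stored one so a replayed old value is never sent back to the authorization server.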
      • createRequestForUserInfoEndpoint

        protected Request createRequestForUserInfoEndpoint​(String accessToken)
        Creates a Request for the user information endpoint of an identity provider.
        Parameters:
        accessToken - token required to retrieve user information.
        Returns:
        Request for the user information endpoint.
      • createRequestForTokenEndpoint

        protected Promise<Request,​OAuthException> createRequestForTokenEndpoint​(String code,
                                                                                      String pkceVerifier)
        Creates a Request for the token endpoint of an identity provider.
        Parameters:
        code - the authorization code received from the identity provider during the authentication and authorization phase.
        pkceVerifier - the PKCE verifier, or null if PKCE not being used.
        Returns:
        Request for the token endpoint.
      • createRequestForIntrospectEndpoint

        protected Promise<Request,​OAuthException> createRequestForIntrospectEndpoint​(String accessToken)
        Creates a Request for the introspect endpoint of an identity provider. See RFC 7662 Section 2.1.
        Parameters:
        accessToken - the token to be introspected.
        Returns:
        Request for the introspect endpoint.
      • storeResponse

        protected final Function<JsonValue,​Void,​OAuthException> storeResponse​(DataStore dataStore)
        Stores all the information received from an authentication or authorization server.
        Parameters:
        dataStore - data store in which to store the information.
        Returns:
        Void when storage is complete.
      • throwIfNoClientSecret

        protected static <T> Function<NoSuchSecretException,​T,​OAuthException> throwIfNoClientSecret()
        Handles a missing client secret.
        Type Parameters:
        T - the expected return type.
        Returns:
        a function that will handle a missing client secret by throwing an OAuthConfigException.
      • createPostAuthResponse

        protected final Function<Void,​JsonValue,​OAuthException> createPostAuthResponse​(JsonValue storedData)
        Creates the post auth response.
        Parameters:
        storedData - data retrieved from the DataStore about the OAuth interaction.
        Returns:
        the 'landingPage' and the 'data' as a JsonValue.
      • createPostResponse

        protected Promise<JsonValue,​OAuthException> createPostResponse​(DataStore dataStore,
                                                                             JsonValue storedData)
                                                                      throws OAuthException
        Creates the post response.
        Parameters:
        dataStore - data store in which to store the information.
        storedData - data retrieved from the DataStore about the OAuth interaction.
        Returns:
        the 'data' as a JsonValue.
        Throws:
        OAuthException - if the data could not be retrieved from the DataStore.
      • getConfig

        protected T getConfig()
        Gets the configuration for this OAuthClient.
        Returns:
        the configuration used to configure this client.
      • createAuthorizationState

        protected String createAuthorizationState()
        Generates a random BigInteger from the SecureRandom supplied at construction and returns it as a String, for use as the authorization state.
        Returns:
        random BigInteger as a String.
      • createPkceVerifier

        protected String createPkceVerifier()
        Generates a secure opaque PKCE verifier value. See RFC 7636 Section 4.1.
        Returns:
        the random PKCE verifier.
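As an added example in Python (not code from the OAuth2Client source or the ForgeRock project), the pieces that createAuthorizationState(), createPkceVerifier(), createAuthRedirectUri(state, pkceChallenge) and createRequestForTokenEndpoint(code, pkceVerifier) describe, carried through one authorization-code exchange: a CSPRNG state and verifier, the S256 challenge from RFC 7636 section 4.2, the redirect URI, the state check on the way back, and the token request that presents the verifier. The CONFIG values, the parameter layout of the redirect URI, the OAuthError class and the helper names are assumptions for the example; the challenge function is checked against the RFC 7636 Appendix B test vector.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed configuration; placeholders only.
CONFIG = {
    "client_id": "my-client",
    "authorization_endpoint": "https://as.example.com/oauth2/authorize",
    "redirect_uri": "https://app.example.com/oauth2/callback",
    "scopes": ["openid", "profile"],
}

# RFC 7636 section 4.1: the verifier alphabet is the URI unreserved set.
PKCE_UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")


class OAuthError(Exception):
    """Stand-in for OAuthException."""


def create_authorization_state():
    """Analogue of createAuthorizationState(): 160 CSPRNG bits as a decimal string."""
    return str(int.from_bytes(secrets.token_bytes(20), "big"))


def create_pkce_verifier():
    """Analogue of createPkceVerifier(): 32 random octets, base64url without
    padding, which is 43 characters from the unreserved set."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def is_valid_pkce_verifier(verifier):
    return 43 <= len(verifier) <= 128 and set(verifier) <= PKCE_UNRESERVED


def pkce_challenge_s256(verifier):
    """RFC 7636 section 4.2: BASE64URL(SHA256(ASCII(code_verifier))), unpadded."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def create_auth_redirect_uri(config, state, pkce_challenge):
    """Analogue of createAuthRedirectUri(state, pkceChallenge). Only the
    challenge leaves the client; the verifier stays in the data store."""
    params = {
        "response_type": "code",
        "client_id": config["client_id"],
        "redirect_uri": config["redirect_uri"],
        "scope": " ".join(config["scopes"]),
        "state": state,
        "code_challenge": pkce_challenge,
        "code_challenge_method": "S256",
    }
    return config["authorization_endpoint"] + "?" + urlencode(params)


def extract_code(callback_uri, expected_state):
    """Handle the redirect back. The state must equal the one stored for this
    interaction before the code is touched: that is the CSRF check the
    `state` parameter exists for."""
    query = parse_qs(urlsplit(callback_uri).query)
    state = query.get("state", [None])[0]
    if state is None or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise OAuthError("state mismatch: possible CSRF or stale interaction")
    if "error" in query:
        raise OAuthError("authorization server returned error: " + query["error"][0])
    codes = query.get("code", [])
    if len(codes) != 1:
        raise OAuthError("expected exactly one code parameter")
    return codes[0]


def callback_outcome(callback_uri, expected_state):
    """Outcome of extract_code() as a string, for logging and tests."""
    try:
        return "code:" + extract_code(callback_uri, expected_state)
    except OAuthError as err:
        return "error:" + str(err)


def build_token_request_body(config, code, pkce_verifier):
    """Analogue of createRequestForTokenEndpoint(code, pkceVerifier); client
    credentials are added separately, as the page's client authentication
    filter does. A None verifier means PKCE was not used for this interaction."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": config["redirect_uri"],
        "client_id": config["client_id"],
    }
    if pkce_verifier is not None:
        body["code_verifier"] = pkce_verifier
    return urlencode(body)


if __name__ == "__main__":
    state, verifier = create_authorization_state(), create_pkce_verifier()
    print(create_auth_redirect_uri(CONFIG, state, pkce_challenge_s256(verifier)))
    callback = CONFIG["redirect_uri"] + "?" + urlencode({"code": "SplxlOBeZQQYbYS6WxSbIA", "state": state})
    print(build_token_request_body(CONFIG, extract_code(callback, state), verifier))
```

The state comparison is constant-time and happens before any use of `code` or `error`, so an attacker-supplied callback cannot make the client redeem a code it did not request; the deprecated single-argument createAuthRedirectUri(String) on the page corresponds to passing `None` as the verifier here, which leaves the code exchange open to the interception attacks PKCE was designed to stop.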