Class OAuth2Client<T extends OAuth2ClientConfiguration>

java.lang.Object
org.forgerock.oauth.clients.oauth2.OAuth2Client<T>
Type Parameters:
T - type of OAuth client configuration to be used.
All Implemented Interfaces:
OAuthClient
Direct Known Subclasses:
FacebookClient, LinkedInClient, OpenIDConnectClient

public class OAuth2Client<T extends OAuth2ClientConfiguration> extends Object implements OAuthClient
OAuth 2.0 Client Implementation that supports the Authorization Code Grant Flow.
  • Constructor Details

    • OAuth2Client

      public OAuth2Client(Handler httpHandler, T config, Clock clock, SecureRandom random)
      Constructs an OAuth2Client using a provided Handler and OAuthClientConfiguration.
      Parameters:
      httpHandler - Handler used to make Http calls to auth and resource servers.
      config - configuration that will be used to drive oauth flow.
      clock - clock instance
      random - used to generate opaque, cryptographically secure strings.
  • Method Details

    • mapToJsonValue

      protected static AsyncFunction<Response,JsonValue,OAuthException> mapToJsonValue()
      An AsyncFunction that handles a Response from an Auth Server and returns the HTTP entity content as a JsonValue. It throws an OAuthException if the response is not successful (a status code in the 200 family) or if the content is not valid JSON.
      Returns:
      response entity as a JsonValue.
    • getAccessToken

      protected static final String getAccessToken(JsonValue data) throws OAuthException
      Retrieves an access token from a JsonValue.
      Parameters:
      data - the JsonValue that may contain an access token.
      Returns:
      the access token.
      Throws:
      OAuthException - if no access token is found in the JsonValue.
    • getAccessTokenInfo

      protected Promise<JsonValue,OAuthException> getAccessTokenInfo(Context context, String accessToken)
      Retrieves the access token information as a JsonValue. Invokes the introspection endpoint to validate the access token and returns a JSON [RFC7159] document representing the meta information surrounding the token, including whether this token is currently active. See RFC 7662.
      Parameters:
      context - Context chain used to keep a relationship between requests (tracking).
      accessToken - the accessToken to be submitted.
      Returns:
      the meta information associated with the access token.
    • getFirstValueOrNull

      protected static final String getFirstValueOrNull(List<String> values)
      Gets the first value out of the List.
      Parameters:
      values - the list of values to read from.
      Returns:
      The first value, or null if none exist.
    • mapToUserInfo

      protected final Function<JsonValue,UserInfo,OAuthException> mapToUserInfo()
      Creates an OAuth2UserInfo from a user's raw profile.
      Returns:
      OAuth2UserInfo
    • getAuthRedirect

      public Promise<URI,OAuthException> getAuthRedirect(DataStore dataStore, String data, URI landingPage)
      Description copied from interface: OAuthClient
      Return the URI that the user agent should be redirected to, to authenticate and authorize access.
      Specified by:
      getAuthRedirect in interface OAuthClient
      Parameters:
      dataStore - The data store that contains information about the OAuth interaction.
      data - A value which will be stored in the data store to be returned as part of the final landing page redirect response, this MUST be URI safe.
      landingPage - The final page a user agent should be sent following successful authentication.
      Returns:
      Promise, with a type of URI, suitable for redirecting the user agent for external authentication and authorization, or a Promise, with a type of OAuthException, when an error occurs.
    • handlePostAuth

      public Promise<JsonValue,OAuthException> handlePostAuth(DataStore dataStore, Map<String,List<String>> requestParameters)
      Description copied from interface: OAuthClient
      Handle the data produced by the Auth Server as a result of a successful authentication and return the final redirect to the landing page specified in the OAuthClient.getAuthRedirect(DataStore, String, URI) call. Validate the request as secure. The returned JsonValue response will also contain the data passed to OAuthClient.getAuthRedirect(DataStore, String, URI).
      Specified by:
      handlePostAuth in interface OAuthClient
      Parameters:
      dataStore - The data store that contains information about the OAuth interaction.
      requestParameters - The request parameters containing the data produced by the external authentication server.
      Returns:
      Promise, with a type of JsonValue, containing the landing page and the data value that was stored in the data store during the OAuthClient.getAuthRedirect(DataStore, String, URI) call; Promise, with a type of OAuthException, when an error occurs.
    • handleNativePostAuth

      public Promise<JsonValue,OAuthException> handleNativePostAuth(Context context, DataStore dataStore, Map<String,List<String>> parameters)
      Description copied from interface: OAuthClient
      Handle the data produced by the Auth Server as a result of a successful authentication and return the final redirect to the mobile device. Validate the request as secure. The returned JsonValue response will also contain the data passed to OAuthClient.getAuthRedirect(DataStore, String, URI).
      Specified by:
      handleNativePostAuth in interface OAuthClient
      Parameters:
      context - Context chain used to keep a relationship between requests (tracking)
      dataStore - The data store that contains information about the OAuth interaction.
      parameters - The parameters containing the data sent by the external mobile device.
      Returns:
      Promise, with a type of JsonValue, containing the data value that was stored in the data store during the OAuthClient.getAuthRedirect(DataStore, String, URI) call; Promise, with a type of OAuthException, when an error occurs.
    • validateClientId

      protected Function<JsonValue,JsonValue,OAuthException> validateClientId(DataStore dataStore, JsonValue storedData, String inputToken)
      Compare client_id from access token associated data with configured client_id.
      Parameters:
      dataStore - data store in which to store the information.
      storedData - data that is in the storage implementation of DataStore.
      inputToken - the token that needs to be inspected.
      Returns:
      result of the access token validation.
    • getSessionInfo

      public Promise<? extends OAuth2SessionInfo,OAuthException> getSessionInfo(DataStore dataStore)
      Description copied from interface: OAuthClient
      Validate whether an Auth Server session is still active and valid.
      Specified by:
      getSessionInfo in interface OAuthClient
      Parameters:
      dataStore - The data store that contains information about the OAuth interaction.
      Returns:
      Promise, with a type of SessionInfo, representing information about the session. Promise, with a type of OAuthException, when an error occurs.
    • getUserInfo

      public Promise<UserInfo,OAuthException> getUserInfo(DataStore dataStore)
      Description copied from interface: OAuthClient
      Return the authenticated user's info from the external authentication server.
      Specified by:
      getUserInfo in interface OAuthClient
      Parameters:
      dataStore - The data store that contains information about the OAuth interaction.
      Returns:
      Promise, with a type of UserInfo, containing the available user info. Promise, with a type of OAuthException, when an error occurs.
    • refresh

      public Promise<Void,OAuthException> refresh(DataStore dataStore)
      Description copied from interface: OAuthClient
      Refreshes a token if it has expired.
      Specified by:
      refresh in interface OAuthClient
      Parameters:
      dataStore - The data store that contains information about the OAuth interaction.
      Returns:
      Promise that completes once the data store has been updated with the new token, if a new token was retrieved; OAuthException when an error occurs.
    • getTokenEndpointHandler

      protected Handler getTokenEndpointHandler()
      The token endpoint handler, which wraps the client authentication filter that adds the client credentials to the request.
      Returns:
      the token end point handler.
    • createAuthRedirectUri

      protected URI createAuthRedirectUri(String state, String pkceChallenge)
      Creates a URI that the user agent will be redirected to for authentication and authorization.
      Parameters:
      state - opaque value used to prevent CSRF attacks.
      pkceChallenge - opaque PKCE challenge used to prevent code interception/injection attacks.
      Returns:
      URI
    • createAuthRedirectUri

      @Deprecated protected URI createAuthRedirectUri(String state)
      Deprecated.
      Use createAuthRedirectUri(String, String) and specify a PKCE challenge.
      Creates a URI that the user agent will be redirected to for authentication and authorization.
      Parameters:
      state - opaque value used to prevent CSRF attacks.
      Returns:
      URI
    • createRequestForTokenRefresh

      protected Promise<Request,OAuthException> createRequestForTokenRefresh(JsonValue storedData)
      Creates a Request for the token refresh endpoint of an identity provider.
      Parameters:
      storedData - data that is in the storage implementation of DataStore.
      Returns:
      Request for the user token refresh endpoint.
    • createRequestForUserInfoEndpoint

      protected Request createRequestForUserInfoEndpoint(String accessToken)
      Creates a Request for the user information endpoint of an identity provider.
      Parameters:
      accessToken - token required to retrieve user information.
      Returns:
      Request for the user information endpoint.
    • createRequestForTokenEndpoint

      protected Promise<Request,OAuthException> createRequestForTokenEndpoint(String code, String pkceVerifier)
      Creates a Request for the token endpoint of an identity provider.
      Parameters:
      code - e.g. the authorization_code received from the identity provider during the authentication and authorization phase.
      pkceVerifier - the PKCE verifier, or null if PKCE not being used.
      Returns:
      Request for the token endpoint.
    • createRequestForTokenEndpoint

      @Deprecated protected Promise<Request,OAuthException> createRequestForTokenEndpoint(String code)
      Deprecated.
      Use createAuthRedirectUri(String, String) and specify a PKCE verifier.
      Creates a Request for the token endpoint of an identity provider.
      Parameters:
      code - e.g. the authorization_code received from the identity provider during the authentication and authorization phase.
      Returns:
      Request for the token endpoint.
    • createRequestForIntrospectEndpoint

      protected Promise<Request,OAuthException> createRequestForIntrospectEndpoint(String accessToken)
      Creates a Request for the introspect endpoint of an identity provider. See RFC 7662 Section 2.1.
      Parameters:
      accessToken - token required to retrieve user information.
      Returns:
      Request for the introspect endpoint.
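      The following is an added example, not code from the OAuth2Client class or the ForgeRock libraries. It shows the decision logic a relying party applies to the RFC 7662 document that getAccessTokenInfo returns, and the client_id comparison that validateClientId describes. The introspection response is represented as an already-parsed Map (constructed inline here; the page's client uses JsonValue), the TokenRejectedException type stands in for OAuthException, and the fixed Clock plays the role of the clock injected through the constructor.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.time.Clock;
import java.time.Instant;
import java.time.ZoneOffset;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Objects;
import java.util.Set;

/** Added example: checking an RFC 7662 introspection response before trusting an access token. */
public final class IntrospectionCheckExample {

    /** Hypothetical stand-in for the page's OAuthException. */
    public static final class TokenRejectedException extends Exception {
        public TokenRejectedException(String message) { super(message); }
    }

    /** RFC 7662 section 2.1 request body: the token plus an optional type hint, form-encoded. */
    static String introspectionFormBody(String accessToken) {
        return "token=" + URLEncoder.encode(accessToken, StandardCharsets.UTF_8)
                + "&token_type_hint=access_token";
    }

    /**
     * Returns the granted scopes once every check has passed.
     *
     * @param introspection    parsed introspection document (the caller's JSON library builds the Map)
     * @param expectedClientId the client_id configured for this client
     * @param clock            the clock injected into the client, so "now" is controllable in tests
     */
    static Set<String> requireActive(Map<String, Object> introspection, String expectedClientId, Clock clock)
            throws TokenRejectedException {
        // RFC 7662 section 2.2: "active" is the only REQUIRED member; absent or false means reject.
        if (!Boolean.TRUE.equals(introspection.get("active"))) {
            throw new TokenRejectedException("token is not active");
        }
        // Mirrors validateClientId: an active token issued to another client is still not ours to use.
        if (!Objects.equals(expectedClientId, introspection.get("client_id"))) {
            throw new TokenRejectedException("token was issued to a different client");
        }
        // "exp" is optional; when present, check it against the injected clock rather than trusting "active" alone.
        Object exp = introspection.get("exp");
        if (exp instanceof Number) {
            Instant expiry = Instant.ofEpochSecond(((Number) exp).longValue());
            if (!clock.instant().isBefore(expiry)) {
                throw new TokenRejectedException("token expired at " + expiry);
            }
        }
        // "scope" is a space-separated string; a missing or blank value means no scopes were granted.
        Object scope = introspection.get("scope");
        if (!(scope instanceof String) || ((String) scope).isBlank()) {
            return Set.of();
        }
        return new LinkedHashSet<>(Arrays.asList(((String) scope).trim().split("\\s+")));
    }

    public static void main(String[] args) throws TokenRejectedException {
        Clock fixed = Clock.fixed(Instant.parse("2024-01-01T00:00:00Z"), ZoneOffset.UTC);

        // Constructed sample responses, not captured from a real server.
        Map<String, Object> ok = Map.of("active", true, "client_id", "my-client",
                "scope", "openid profile", "exp", 1704070800L);   // expires 2024-01-01T01:00:00Z
        System.out.println(introspectionFormBody("opaque-token-value"));
        System.out.println(requireActive(ok, "my-client", fixed)); // [openid, profile]

        Map<String, Object> stale = Map.of("active", true, "client_id", "my-client",
                "exp", 1704063600L);                                // expired 2023-12-31T23:00:00Z
        try {
            requireActive(stale, "my-client", fixed);
        } catch (TokenRejectedException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

      The order of the checks matters little for correctness but a lot for logging: rejecting on "active" first keeps a revoked token from ever reaching the client_id or expiry branches, so a mismatch on those fields indicates a configuration or trust-boundary problem rather than an ordinary expiry.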
    • storeResponse

      protected final Function<JsonValue,Void,OAuthException> storeResponse(DataStore dataStore)
      Stores all the information received from an authentication or authorization server.
      Parameters:
      dataStore - data store in which to store the information.
      Returns:
      Void when storage is complete.
    • throwIfNoClientSecret

      protected static <T> Function<NoSuchSecretException,T,OAuthException> throwIfNoClientSecret()
      Handles a missing client secret.
      Type Parameters:
      T - the expected return type.
      Returns:
      a function that will handle a missing client secret by throwing an OAuthConfigException.
    • createPostAuthResponse

      protected final Function<Void,JsonValue,OAuthException> createPostAuthResponse(JsonValue storedData)
      Creates the post auth response.
      Parameters:
      storedData - data store that contains information about the OAuth interaction.
      Returns:
      the 'landingPage' and the 'data' as a JsonValue.
    • createPostResponse

      protected Promise<JsonValue,OAuthException> createPostResponse(DataStore dataStore, JsonValue storedData) throws OAuthException
      Creates the post response.
      Parameters:
      dataStore - data store in which to store the information.
      storedData - data store that contains information about the OAuth interaction.
      Returns:
      the 'data' as a JsonValue.
      Throws:
      OAuthException - if the data could not be retrieved from the DataStore.
    • getConfig

      protected T getConfig()
      Gets the configuration for this OAuthClient.
      Returns:
      the configuration used to configure this client.
    • createAuthorizationState

      protected String createAuthorizationState()
      Generates a SecureRandom BigInteger as a String.
      Returns:
      random BigInteger as a String.
    • createPkceVerifier

      protected String createPkceVerifier()
      Generates a secure opaque PKCE verifier value. See RFC 7636 Section 4.1.
      Returns:
      the random PKCE verifier.
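      The following is an added example, not code from OAuth2Client or any ForgeRock library. It works through the values that createAuthorizationState, createPkceVerifier and createAuthRedirectUri produce and that handlePostAuth must later verify: a random state, a random PKCE verifier with its S256 challenge (RFC 7636 Sections 4.1 and 4.2), the authorization redirect URI carrying both, and a constant-time check of the state echoed back on the callback. Only the Java standard library is used; the endpoint, client_id, redirect_uri and scope values are constructed placeholders, and the createAuthRedirectUri shown here takes them as parameters instead of reading them from an OAuth2ClientConfiguration.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;

/** Added example: state and PKCE handling for the authorization code flow. */
public final class AuthorizationRequestExample {

    private static final SecureRandom RANDOM = new SecureRandom();
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    /** Opaque CSRF binding value: 32 random bytes, base64url without padding. */
    static String createAuthorizationState() {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        return B64URL.encodeToString(bytes);
    }

    /** RFC 7636 section 4.1: 32 random octets give a 43-character verifier (allowed length 43..128). */
    static String createPkceVerifier() {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        return B64URL.encodeToString(bytes);
    }

    /** RFC 7636 section 4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))). */
    static String pkceChallenge(String verifier) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            return B64URL.encodeToString(sha256.digest(verifier.getBytes(StandardCharsets.US_ASCII)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    /** Builds the authorization request; the endpoint and client values are hypothetical parameters here. */
    static URI createAuthRedirectUri(URI authorizationEndpoint, String clientId, URI redirectUri,
                                     String scope, String state, String pkceChallenge) {
        Map<String, String> params = new LinkedHashMap<>();
        params.put("response_type", "code");
        params.put("client_id", clientId);
        params.put("redirect_uri", redirectUri.toString());
        params.put("scope", scope);
        params.put("state", state);
        params.put("code_challenge", pkceChallenge);
        params.put("code_challenge_method", "S256");
        String query = params.entrySet().stream()
                .map(e -> enc(e.getKey()) + "=" + enc(e.getValue()))
                .collect(Collectors.joining("&"));
        return URI.create(authorizationEndpoint + "?" + query);
    }

    private static String enc(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }

    /** Callback side: compare the stored state with the returned one without leaking timing. */
    static boolean stateMatches(String stored, String returned) {
        if (stored == null || returned == null) {
            return false;
        }
        return MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8),
                                     returned.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String state = createAuthorizationState();
        String verifier = createPkceVerifier();
        // Both values are persisted (keyed by this login attempt) before the redirect; only the
        // challenge leaves the client. The verifier is sent later, in the token request.
        URI redirect = createAuthRedirectUri(URI.create("https://as.example/oauth2/authorize"),
                "my-client", URI.create("https://app.example/callback"), "openid profile",
                state, pkceChallenge(verifier));
        System.out.println(redirect);

        // RFC 7636 Appendix B test vector: verifier -> expected S256 challenge.
        String knownVerifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
        System.out.println(pkceChallenge(knownVerifier)
                .equals("E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM")); // true

        System.out.println(stateMatches(state, state));           // true
        System.out.println(stateMatches(state, state + "x"));     // false
    }
}
```

      The verifier and state are generated from the same SecureRandom the constructor asks for, and the verifier is never placed in the redirect: the authorization server only sees its SHA-256 digest, which is why an intercepted authorization code is useless without the original verifier at the token endpoint.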