Merge pull request #159 from dhaura/DP-add-unit-tests
Improve Exception Handling and Add Unit Tests for API-based Authentication
DMHP authored Nov 6, 2023
2 parents f36c411 + 616123e commit 6a0b088
Showing 6 changed files with 331 additions and 43 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,7 @@
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.common.OAuthConstants;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2ClientException;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.idp.mgt.IdentityProviderManagementException;
import org.wso2.carbon.idp.mgt.IdentityProviderManager;
Expand Down Expand Up @@ -746,8 +747,12 @@ protected OAuthClientResponse requestAccessToken(HttpServletRequest request, Aut
String accessToken = request.getParameter(ACCESS_TOKEN_PARAM);
try {
validateJWTToken(context, idToken);
} catch (ParseException | IdentityOAuth2Exception | JOSEException e) {
throw new AuthenticationFailedException("JWT Token validation Failed.");
} catch (ParseException | IdentityOAuth2ClientException | JOSEException e) {
throw new AuthenticationFailedException(ErrorMessages.INVALID_JWT_TOKEN.getCode(),
ErrorMessages.INVALID_JWT_TOKEN.getMessage());
} catch (IdentityOAuth2Exception e) {
throw new AuthenticationFailedException(ErrorMessages.JWT_TOKEN_VALIDATION_FAILED.getCode(),
ErrorMessages.JWT_TOKEN_VALIDATION_FAILED.getMessage(), e);
}
NativeSDKBasedFederatedOAuthClientResponse nativeSDKBasedFederatedOAuthClientResponse
= new NativeSDKBasedFederatedOAuthClientResponse();
Expand Down Expand Up @@ -784,7 +789,7 @@ private void validateJWTToken(AuthenticationContext context, String idToken) thr
IdentityProvider identityProvider = getIdentityProvider(idpIdentifier, tenantDomain);

OIDCTokenValidationUtil.validateSignature(signedJWT, identityProvider);
OIDCTokenValidationUtil.validateAudience(claimsSet.getAudience(), identityProvider , tenantDomain);
OIDCTokenValidationUtil.validateAudience(claimsSet.getAudience(), identityProvider, tenantDomain);
}

/**
Expand Down Expand Up @@ -1645,7 +1650,7 @@ private boolean isTrustedTokenIssuer(AuthenticationContext context) {

IdentityProviderProperty[] identityProviderProperties = externalIdentityProvider.getIdpProperties();
for (IdentityProviderProperty identityProviderProperty: identityProviderProperties) {
if (identityProviderProperty.getName().equals(IdPManagementConstants.IS_TRUSTED_TOKEN_ISSUER)) {
if (IdPManagementConstants.IS_TRUSTED_TOKEN_ISSUER.equals(identityProviderProperty.getName())) {
return Boolean.parseBoolean(identityProviderProperty.getValue());
}
}
Expand Down
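Review bot: The client-error branch of the new catch (the ParseException | IdentityOAuth2ClientException | JOSEException arm) drops the original exception, while the IdentityOAuth2Exception arm directly below it passes `e` as the cause; since ParseException and JOSEException share that arm, a log entry can no longer tell a malformed ID token from one whose signature or audience check threw. Keep the cause on both paths: `throw new AuthenticationFailedException(ErrorMessages.INVALID_JWT_TOKEN.getCode(), ErrorMessages.INVALID_JWT_TOKEN.getMessage(), e);` — provided the framework reports only the code and message to the caller, attaching the cause does not widen what the client sees. requestAccessToken continues past the end of this hunk, and validateJWTToken's body starts before its own hunk, so if exp/nbf are not checked in the part not shown here, the visible signature and audience checks alone would not reject an expired or not-yet-valid ID token.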
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,9 @@ public enum ErrorMessages {
"Cannot find the userId from the id_token sent by the federated IDP."),
NONCE_MISMATCH("OID-60016", "The nonce claim of the ID token is not equal to the nonce value " +
"sent in the authentication request"),
INVALID_JWT_TOKEN("OID-60017", "JWT token is invalid."),
JWT_TOKEN_AUD_CLAIM_VALIDATION_FAILED("OID-60018",
"None of the audience values matched the token endpoint alias: %s."),
// Federated IdP initiated back-channel logout client errors.
LOGOUT_TOKEN_EMPTY_OR_NULL("OID-60006",
"Logout token is empty or null. Pass a valid logout token"),
Expand Down Expand Up @@ -93,10 +96,9 @@ public enum ErrorMessages {
LOGOUT_SERVER_EXCEPTION("OID-65015", "Back channel logout failed due to server error"),
JWT_TOKEN_ISS_CLAIM_VALIDATION_FAILED(
"OID-65016", "Error while validating the iss claim in the jwt token"),
JWT_TOKEN_SIGNATURE_VALIDATION_FAILED("OID-65016",
"Error while validating the JWT token signature"),
JWT_TOKEN_AUD_CLAIM_VALIDATION_FAILED("OID-65017",
"Audience claim validation failed.");
JWT_TOKEN_VALIDATION_FAILED("OID-65016", "JWT token validation Failed."),
JWT_TOKEN_SIGNATURE_VALIDATION_FAILED("OID-65017",
"Error while validating the JWT token signature");

private final String code;
private final String message;
Expand Down
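Review bot: The new `JWT_TOKEN_VALIDATION_FAILED` entry reuses code "OID-65016", which the unchanged `JWT_TOKEN_ISS_CLAIM_VALIDATION_FAILED` line just above already carries, so the generic validation failure and the iss-claim failure are indistinguishable by code in logs and responses; the commit renumbers the signature entry to escape exactly this collision but introduces a fresh one. Give it the next free server code, `JWT_TOKEN_VALIDATION_FAILED("OID-65018", "JWT token validation Failed."),`, unless OID-65018 is already taken in a part of the enum this view does not show. Moving the audience failure from the 65xxx server range to the 60xxx client range (OID-60018) matches the new catch in requestAccessToken, but its message now carries the expected alias through `%s`, so that configured value becomes part of a client-facing message wherever these messages are returned verbatim.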
Original file line number Diff line number Diff line change
Expand Up @@ -61,7 +61,9 @@ public static String getIssuer(JWTClaimsSet claimsSet) throws AuthenticationFail
*
* @param audienceList - list containing audience values.
* @param idp - identity provider.
* @Param tenantDomain - the tenant domain
* @param tenantDomain - the tenant domain
*
* @throws AuthenticationFailedException if none of the audience values matched the tokenEndpoint alias
*/
public static void validateAudience(List<String> audienceList, IdentityProvider idp, String tenantDomain)
throws AuthenticationFailedException {
Expand All @@ -78,8 +80,10 @@ public static void validateAudience(List<String> audienceList, IdentityProvider
}
}
if (!audienceFound) {
throw new AuthenticationFailedException ("None of the audience values matched the tokenEndpoint Alias "
+ tokenEndPointAlias);
throw new AuthenticationFailedException (
OIDCErrorConstants.ErrorMessages.JWT_TOKEN_AUD_CLAIM_VALIDATION_FAILED.getCode(),
String.format(OIDCErrorConstants.ErrorMessages.JWT_TOKEN_AUD_CLAIM_VALIDATION_FAILED.getMessage(),
tokenEndPointAlias));
}
}

Expand Down
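Review bot: The rebuilt throw interpolates `tokenEndPointAlias` into a client-category error (OID-60018), so the expected audience value is disclosed to whoever receives the message if AuthenticationFailedException messages are returned to the caller, which this hunk does not show; logging the alias server-side and keeping the thrown message to the fixed text would avoid that. The `new AuthenticationFailedException (` spelling also carries over the stray space before the parenthesis from the removed lines; `throw new AuthenticationFailedException(` matches the rest of the file. The loop that sets audienceFound begins before this hunk.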