Enable nonce validation and alter property keys as authenticator based
ZiyamSanthosh committed Jul 3, 2024
1 parent 49bf38f commit a840931
Showing 2 changed files with 26 additions and 24 deletions.
Expand Up @@ -550,9 +550,9 @@ protected String prepareLoginPage(HttpServletRequest request, AuthenticationCont
String callbackurl = getCallbackUrl(authenticatorProperties, context);

String state = getStateParameter(request, context, authenticatorProperties);
context.setProperty(OIDCAuthenticatorConstants.AUTHENTICATOR_NAME + STATE_PARAM_SUFFIX, state);
context.setProperty(getName() + STATE_PARAM_SUFFIX, state);
String nonce = UUID.randomUUID().toString();
context.setProperty(OIDC_FEDERATION_NONCE, nonce);
context.setProperty(getName() + OIDC_FEDERATION_NONCE, nonce);
boolean isPKCEEnabled = Boolean.parseBoolean(
authenticatorProperties.get(OIDCAuthenticatorConstants.IS_PKCE_ENABLED));

Expand Down Expand Up @@ -591,7 +591,7 @@ protected String prepareLoginPage(HttpServletRequest request, AuthenticationCont

String scope = paramValueMap.get(OAuthConstants.OAuth20Params.SCOPE);
scope = getScope(scope, authenticatorProperties);
context.setProperty(OIDCAuthenticatorConstants.AUTHENTICATOR_NAME + SCOPE_PARAM_SUFFIX, scope);
context.setProperty(getName() + SCOPE_PARAM_SUFFIX, scope);

if (StringUtils.isNotBlank(queryString) && queryString.toLowerCase().contains("scope=") && queryString
.toLowerCase().contains("redirect_uri=")) {
Expand Down Expand Up @@ -642,7 +642,7 @@ protected String prepareLoginPage(HttpServletRequest request, AuthenticationCont
loginPage = loginPage + queryString;
}
}
context.setProperty(OIDCAuthenticatorConstants.AUTHENTICATOR_NAME + REDIRECT_URL_SUFFIX, loginPage);
context.setProperty(getName() + REDIRECT_URL_SUFFIX, loginPage);
return loginPage;
} else {
if (LOG.isDebugEnabled()) {
Expand All @@ -668,6 +668,15 @@ protected String prepareLoginPage(HttpServletRequest request, AuthenticationCont
}
}

protected static void setAuthenticatorMessageToContext(ErrorMessages errorMessage,
AuthenticationContext context) {

AuthenticatorMessage authenticatorMessage = new AuthenticatorMessage(FrameworkConstants.
AuthenticatorMessageType.ERROR, errorMessage.
getCode(), errorMessage.getMessage(), null);
context.setProperty(AUTHENTICATOR_MESSAGE, authenticatorMessage);
}

/**
* This method is used to append the application side requested scopes after validating.
* The application can request the scopes for federated token sharing either via adaptive scripts
Expand Down Expand Up @@ -925,15 +934,6 @@ private String getQueryParameter(AuthenticationContext context, String queryPara
return null;
}

private static void setAuthenticatorMessageToContext(ErrorMessages errorMessage,
AuthenticationContext context) {

AuthenticatorMessage authenticatorMessage = new AuthenticatorMessage(FrameworkConstants.
AuthenticatorMessageType.ERROR, errorMessage.
getCode(), errorMessage.getMessage(), null);
context.setProperty(AUTHENTICATOR_MESSAGE, authenticatorMessage);
}

private String getStateParameter(HttpServletRequest request, AuthenticationContext context,
Map<String, String> authenticatorProperties) {

Expand Down Expand Up @@ -1047,12 +1047,13 @@ protected void processAuthenticationResponse(HttpServletRequest request, HttpSer
LOG.debug("Retrieved the User Information:" + jwtAttributeMap);
}

if (StringUtils.isNotBlank((String) context.getProperty(OIDC_FEDERATION_NONCE))) {
String nonceKey = getName() + OIDC_FEDERATION_NONCE;
if (StringUtils.isNotBlank((String) context.getProperty(nonceKey))) {
String nonce = (String) jwtAttributeMap.get(NONCE);
if (nonce == null) {
LOG.debug("OIDC provider does not support nonce claim in id_token.");
}
if (nonce != null && !nonce.equals(context.getProperty(OIDC_FEDERATION_NONCE))) {
if (nonce != null && !nonce.equals(context.getProperty(nonceKey))) {
setAuthenticatorMessageToContext(ErrorMessages.NONCE_MISMATCH, context);

throw new AuthenticationFailedException(ErrorMessages.NONCE_MISMATCH.getCode(),
Expand Down Expand Up @@ -1829,26 +1830,25 @@ private static AdditionalData getAdditionalData(
AuthenticationContext context, boolean isNativeSDKBasedFederationCall) {

AdditionalData additionalData = new AdditionalData();
String currentAuthenticator = StringUtils.isNotBlank(context.getCurrentAuthenticator()) ?
context.getCurrentAuthenticator() : OIDCAuthenticatorConstants.AUTHENTICATOR_NAME;

if (isNativeSDKBasedFederationCall) {
Map<String, String> additionalAuthenticationParams = new HashMap<>();

String nonce = (String) context.getProperty(OIDC_FEDERATION_NONCE);
String nonce = (String) context.getProperty(currentAuthenticator + OIDC_FEDERATION_NONCE);
if (StringUtils.isNotBlank(nonce)) {
additionalAuthenticationParams.put(NONCE, nonce);
}
additionalAuthenticationParams.put(OIDCAuthenticatorConstants.CLIENT_ID_PARAM,
context.getAuthenticatorProperties().get(OIDCAuthenticatorConstants.CLIENT_ID));
String scope = (String) context.getProperty(OIDCAuthenticatorConstants.AUTHENTICATOR_NAME +
SCOPE_PARAM_SUFFIX);
String scope = (String) context.getProperty(currentAuthenticator + SCOPE_PARAM_SUFFIX);
additionalAuthenticationParams.put(OIDCAuthenticatorConstants.SCOPE, scope);
additionalData.setAdditionalAuthenticationParams(additionalAuthenticationParams);
} else {
additionalData.setRedirectUrl((String) context.getProperty(OIDCAuthenticatorConstants.AUTHENTICATOR_NAME +
REDIRECT_URL_SUFFIX));
additionalData.setRedirectUrl((String) context.getProperty(currentAuthenticator + REDIRECT_URL_SUFFIX));
Map<String, String> additionalAuthenticationParams = new HashMap<>();
String state = (String) context.getProperty(OIDCAuthenticatorConstants.AUTHENTICATOR_NAME +
STATE_PARAM_SUFFIX);
String state = (String) context.getProperty(currentAuthenticator + STATE_PARAM_SUFFIX);
additionalAuthenticationParams.put(OIDCAuthenticatorConstants.OAUTH2_PARAM_STATE, state);
additionalData.setAdditionalAuthenticationParams(additionalAuthenticationParams);
}
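Review bot: The new lookups in getAdditionalData (the nonce, scope, redirect-URL and state reads after the hunk header) build their keys from `context.getCurrentAuthenticator()`, while the matching writes in prepareLoginPage now use `getName()`; if those two values ever differ for a subclass, every read here silently returns null, so the nonce is dropped from the native-SDK parameters and the redirect URL becomes null without any log line. Since the method is static and cannot call getName(), I would at least make the coupling explicit with a comment above the `currentAuthenticator` assignment, `// Must produce the same key prefix prepareLoginPage uses via getName(); this static helper can only rely on the context's current authenticator.`, and emit a debug log when a property read returns null. Separately, in the hunk at -1047 the nonce comparison only runs when the id_token carries a nonce claim; because the context property is set whenever a nonce was included in the request, an id_token that omits the claim is accepted with just a debug message, which leaves the replay protection the commit enables incomplete — treating a missing claim like a mismatch, `if (nonce == null || !nonce.equals(context.getProperty(nonceKey)))`, would close that, at the cost of rejecting providers that do not echo the nonce. Both enclosing methods start and end outside their hunks.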
Expand Up @@ -629,7 +629,8 @@ public void testFailProcessAuthenticationWhenNonceMisMatch() throws Exception {
when(identityProvider.getIdpProperties()).thenReturn(identityProviderProperties);
whenNew(OAuthClient.class).withAnyArguments().thenReturn(mockOAuthClient);
when(mockOAuthClient.accessToken(any())).thenReturn(mockOAuthJSONAccessTokenResponse);
when(mockAuthenticationContext.getProperty(OIDC_FEDERATION_NONCE)).thenReturn(invalidNonce);
String nonceKey = openIDConnectAuthenticator.getName() + OIDC_FEDERATION_NONCE;
when(mockAuthenticationContext.getProperty(nonceKey)).thenReturn(invalidNonce);
when(mockOAuthJSONAccessTokenResponse.getParam(anyString())).thenReturn(idToken);

Assert.assertThrows(
Expand Down Expand Up @@ -1082,7 +1083,8 @@ public void testGetAuthInitiationDataForNativeSDKBasedFederation() {
when(externalIdPConfig.getIdentityProvider()).thenReturn(identityProvider);
when(identityProvider.getIdpProperties()).thenReturn(identityProviderProperties);
when(mockAuthenticationContext.getAuthenticationRequest()).thenReturn(mockAuthenticationRequest);
when(mockAuthenticationContext.getProperty(OIDC_FEDERATION_NONCE)).thenReturn(nonce);
String nonceKey = openIDConnectAuthenticator.getName() + OIDC_FEDERATION_NONCE;
when(mockAuthenticationContext.getProperty(nonceKey)).thenReturn(nonce);
when(mockAuthenticationContext.getAuthenticatorProperties()).thenReturn(authenticatorProperties);
authenticatorProperties.put(OIDCAuthenticatorConstants.CLIENT_ID, clientId);
