Improve Exception Handling and Add Unit Tests for API based Authentication

components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticator.java

@@ -73,6 +73,7 @@
 import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
 import org.wso2.carbon.identity.core.util.IdentityUtil;
 import org.wso2.carbon.identity.oauth.common.OAuthConstants;
+import org.wso2.carbon.identity.oauth2.IdentityOAuth2ClientException;
 import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
 import org.wso2.carbon.idp.mgt.IdentityProviderManagementException;
 import org.wso2.carbon.idp.mgt.IdentityProviderManager;
@@ -746,8 +747,12 @@ protected OAuthClientResponse requestAccessToken(HttpServletRequest request, Aut
             String accessToken = request.getParameter(ACCESS_TOKEN_PARAM);
             try {
                 validateJWTToken(context, idToken);
-            } catch (ParseException | IdentityOAuth2Exception | JOSEException e) {
-                throw new AuthenticationFailedException("JWT Token validation Failed.");
+            } catch (ParseException | IdentityOAuth2ClientException | JOSEException e) {
+                throw new AuthenticationFailedException(ErrorMessages.INVALID_JWT_TOKEN.getCode(),
+                        ErrorMessages.INVALID_JWT_TOKEN.getMessage());
+            } catch (IdentityOAuth2Exception e) {
+                throw new AuthenticationFailedException(ErrorMessages.JWT_TOKEN_VALIDATION_FAILED.getCode(),
+                        ErrorMessages.JWT_TOKEN_VALIDATION_FAILED.getMessage(), e);
             }
             NativeSDKBasedFederatedOAuthClientResponse nativeSDKBasedFederatedOAuthClientResponse
                     = new NativeSDKBasedFederatedOAuthClientResponse();
@@ -784,7 +789,7 @@ private void validateJWTToken(AuthenticationContext context, String idToken) thr
         IdentityProvider identityProvider = getIdentityProvider(idpIdentifier, tenantDomain);
 
         OIDCTokenValidationUtil.validateSignature(signedJWT, identityProvider);
-        OIDCTokenValidationUtil.validateAudience(claimsSet.getAudience(), identityProvider , tenantDomain);
+        OIDCTokenValidationUtil.validateAudience(claimsSet.getAudience(), identityProvider, tenantDomain);
     }
 
     /**
@@ -1645,7 +1650,7 @@ private boolean isTrustedTokenIssuer(AuthenticationContext context) {
 
         IdentityProviderProperty[] identityProviderProperties = externalIdentityProvider.getIdpProperties();
         for (IdentityProviderProperty identityProviderProperty: identityProviderProperties) {
-            if (identityProviderProperty.getName().equals(IdPManagementConstants.IS_TRUSTED_TOKEN_ISSUER)) {
+            if (IdPManagementConstants.IS_TRUSTED_TOKEN_ISSUER.equals(identityProviderProperty.getName())) {
                 return Boolean.parseBoolean(identityProviderProperty.getValue());
             }
         }

components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/util/OIDCErrorConstants.java

@@ -40,6 +40,9 @@ public enum ErrorMessages {
                 "Cannot find the userId from the id_token sent by the federated IDP."),
         NONCE_MISMATCH("OID-60016", "The nonce claim of the ID token is not equal to the nonce value " +
                 "sent in the authentication request"),
+        INVALID_JWT_TOKEN("OID-60017", "JWT token is invalid."),
+        JWT_TOKEN_AUD_CLAIM_VALIDATION_FAILED("OID-60018",
+                "None of the audience values matched the token endpoint alias: %s."),
         // Federated IdP initiated back-channel logout client errors.
         LOGOUT_TOKEN_EMPTY_OR_NULL("OID-60006",
                 "Logout token is empty or null. Pass a valid logout token"),
@@ -93,10 +96,9 @@ public enum ErrorMessages {
         LOGOUT_SERVER_EXCEPTION("OID-65015", "Back channel logout failed due to server error"),
         JWT_TOKEN_ISS_CLAIM_VALIDATION_FAILED(
                 "OID-65016", "Error while validating the iss claim in the jwt token"),
-        JWT_TOKEN_SIGNATURE_VALIDATION_FAILED("OID-65016",
-                                                         "Error while validating the JWT token signature"),
-        JWT_TOKEN_AUD_CLAIM_VALIDATION_FAILED("OID-65017",
-                                                         "Audience claim validation failed.");
+        JWT_TOKEN_VALIDATION_FAILED("OID-65016", "JWT token validation Failed."),
+        JWT_TOKEN_SIGNATURE_VALIDATION_FAILED("OID-65017",
+                "Error while validating the JWT token signature");
 
         private final String code;
         private final String message;

components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/util/OIDCTokenValidationUtil.java

@@ -61,7 +61,9 @@ public static String getIssuer(JWTClaimsSet claimsSet) throws AuthenticationFail
      *
      * @param audienceList - list containing audience values.
      * @param idp - identity provider.
-     * @Param tenantDomain - the tenant domain
+     * @param tenantDomain - the tenant domain
+     *
+     * @throws AuthenticationFailedException if none of the audience values matched the tokenEndpoint alias
      */
     public static void validateAudience(List<String> audienceList, IdentityProvider idp, String tenantDomain)
             throws AuthenticationFailedException {
@@ -78,8 +80,10 @@ public static void validateAudience(List<String> audienceList, IdentityProvider
             }
         }
         if (!audienceFound) {
-            throw new AuthenticationFailedException ("None of the audience values matched the tokenEndpoint Alias "
-                    + tokenEndPointAlias);
+            throw new AuthenticationFailedException (
+                    OIDCErrorConstants.ErrorMessages.JWT_TOKEN_AUD_CLAIM_VALIDATION_FAILED.getCode(),
+                    String.format(OIDCErrorConstants.ErrorMessages.JWT_TOKEN_AUD_CLAIM_VALIDATION_FAILED.getMessage(),
+                            tokenEndPointAlias));
         }
     }