All Downloads are FREE. Search and download functionalities are using the official Maven repository.

com.nimbusds.openid.connect.sdk.AuthenticationErrorResponse Maven / Gradle / Ivy

Go to download

OAuth 2.0 SDK with OpenID Connection extensions for developing client and server applications.

There is a newer version: 11.20.1
Show newest version
/*
 * oauth2-oidc-sdk
 *
 * Copyright 2012-2016, Connect2id Ltd and contributors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
 * this file except in compliance with the License. You may obtain a copy of the
 * License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software distributed
 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations under the License.
 */

package com.nimbusds.openid.connect.sdk;


import java.net.URI;
import java.util.*;

import net.jcip.annotations.Immutable;

import com.nimbusds.jwt.JWT;
import com.nimbusds.oauth2.sdk.*;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.http.HTTPResponse;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.oauth2.sdk.id.State;


/**
 * OpenID Connect authentication error response. Intended only for errors which
 * are allowed to be communicated back to the requesting OAuth 2.0 client, such
 * as {@code access_denied}. For a complete list see OAuth 2.0 (RFC 6749),
 * sections 4.1.2.1 and 4.2.2.1, OpenID Connect Core 1.0 section 3.1.2.6.
 *
 * 

If the authorisation request fails due to a missing, invalid, or * mismatching {@code redirect_uri}, or if the {@code client_id} is missing or * invalid, a response must not be sent back to the requesting * client. Instead, the OpenID provider should simply display the error to the * end-user. * *

Standard errors: * *

    *
  • OAuth 2.0 authorisation errors: *
      *
    • {@link com.nimbusds.oauth2.sdk.OAuth2Error#INVALID_REQUEST} *
    • {@link com.nimbusds.oauth2.sdk.OAuth2Error#UNAUTHORIZED_CLIENT} *
    • {@link com.nimbusds.oauth2.sdk.OAuth2Error#ACCESS_DENIED} *
    • {@link com.nimbusds.oauth2.sdk.OAuth2Error#UNSUPPORTED_RESPONSE_TYPE} *
    • {@link com.nimbusds.oauth2.sdk.OAuth2Error#INVALID_SCOPE} *
    • {@link com.nimbusds.oauth2.sdk.OAuth2Error#SERVER_ERROR} *
    • {@link com.nimbusds.oauth2.sdk.OAuth2Error#TEMPORARILY_UNAVAILABLE} *
    *
  • OpenID Connect specific errors: *
      *
    • {@link OIDCError#INTERACTION_REQUIRED} *
    • {@link OIDCError#LOGIN_REQUIRED} *
    • {@link OIDCError#ACCOUNT_SELECTION_REQUIRED} *
    • {@link OIDCError#CONSENT_REQUIRED} *
    • {@link OAuth2Error#INVALID_REQUEST_URI} *
    • {@link OAuth2Error#INVALID_REQUEST_OBJECT} *
    • {@link OIDCError#REGISTRATION_NOT_SUPPORTED} *
    • {@link OAuth2Error#REQUEST_NOT_SUPPORTED} *
    • {@link OAuth2Error#REQUEST_URI_NOT_SUPPORTED} *
    *
  • *
* *

Example HTTP response: * *

 * HTTP/1.1 302 Found
 * Location: https://client.example.org/cb?
 *           error=invalid_request
 *           &error_description=the%20request%20is%20not%20valid%20or%20malformed
 *           &state=af0ifjsldkj
 * 
* *

Related specifications: * *

    *
  • OpenID Connect Core 1.0 *
  • OpenID Connect Core Unmet Authentication Requirements 1.0 *
  • OAuth 2.0 (RFC 6749) *
  • OAuth 2.0 Multiple Response Type Encoding Practices 1.0 *
  • OAuth 2.0 Form Post Response Mode 1.0 *
  • Financial-grade API: JWT Secured Authorization Response Mode for * OAuth 2.0 (JARM) *
  • OAuth 2.0 Authorization Server Issuer Identification (RFC 9207) *
*/ @Immutable public class AuthenticationErrorResponse extends AuthorizationErrorResponse implements AuthenticationResponse { /** * The standard errors for an OpenID Connect authentication error * response. */ private static final Set stdErrors = new HashSet<>(); static { stdErrors.addAll(AuthorizationErrorResponse.getStandardErrors()); stdErrors.add(OIDCError.INTERACTION_REQUIRED); stdErrors.add(OIDCError.LOGIN_REQUIRED); stdErrors.add(OIDCError.ACCOUNT_SELECTION_REQUIRED); stdErrors.add(OIDCError.CONSENT_REQUIRED); stdErrors.add(OIDCError.UNMET_AUTHENTICATION_REQUIREMENTS); stdErrors.add(OIDCError.REGISTRATION_NOT_SUPPORTED); } /** * Gets the standard errors for an OpenID Connect authentication error * response. * * @return The standard errors, as a read-only set. */ public static Set getStandardErrors() { return Collections.unmodifiableSet(stdErrors); } /** * Creates a new OpenID Connect authentication error response. * * @param redirectURI The base redirection URI. Must not be * {@code null}. * @param error The error. Should match one of the * {@link #getStandardErrors standard errors} for an * OpenID Connect authentication error response. * Must not be {@code null}. * @param state The state, {@code null} if not requested. * @param rm The implied response mode, {@code null} if * unknown. */ public AuthenticationErrorResponse(final URI redirectURI, final ErrorObject error, final State state, final ResponseMode rm) { this(redirectURI, error, state, null, rm); } /** * Creates a new OpenID Connect authentication error response. * * @param redirectURI The base redirection URI. Must not be * {@code null}. * @param error The error. Should match one of the * {@link #getStandardErrors standard errors} for an * OpenID Connect authentication error response. * Must not be {@code null}. * @param state The state, {@code null} if not requested. * @param issuer The issuer, {@code null} if not specified. * @param rm The implied response mode, {@code null} if * unknown. */ public AuthenticationErrorResponse(final URI redirectURI, final ErrorObject error, final State state, final Issuer issuer, final ResponseMode rm) { super(redirectURI, error, state, issuer, rm); } /** * Creates a new JSON Web Token (JWT) secured OpenID Connect * authentication error response. * * @param redirectURI The base redirection URI. Must not be * {@code null}. * @param jwtResponse The JWT-secured response. Must not be * {@code null}. * @param rm The implied response mode, {@code null} if * unknown. */ public AuthenticationErrorResponse(final URI redirectURI, final JWT jwtResponse, final ResponseMode rm) { super(redirectURI, jwtResponse, rm); } @Override public AuthenticationSuccessResponse toSuccessResponse() { throw new ClassCastException("Cannot cast to AuthenticationSuccessResponse"); } @Override public AuthenticationErrorResponse toErrorResponse() { return this; } /** * Converts the specified general OAuth 2.0 authorisation error * response instance to an OpenID authentication error instance. * * @param errorResponse The OAuth 2.0 authorisation error response. * Must not be {@code null}. * * @return The OpenID authentication error instance. */ private static AuthenticationErrorResponse toAuthenticationErrorResponse(final AuthorizationErrorResponse errorResponse) { if (errorResponse.getJWTResponse() != null) { // JARM return new AuthenticationErrorResponse( errorResponse.getRedirectionURI(), errorResponse.getJWTResponse(), errorResponse.getResponseMode()); } return new AuthenticationErrorResponse( errorResponse.getRedirectionURI(), errorResponse.getErrorObject(), errorResponse.getState(), errorResponse.getIssuer(), errorResponse.getResponseMode()); } /** * Parses an OpenID Connect authentication error response. * * @param redirectURI The base redirection URI. Must not be * {@code null}. * @param params The response parameters to parse. Must not be * {@code null}. * * @return The OpenID Connect authentication error response. * * @throws ParseException If the parameters couldn't be parsed to an * OpenID Connect authentication error response. */ public static AuthenticationErrorResponse parse(final URI redirectURI, final Map> params) throws ParseException { return toAuthenticationErrorResponse(AuthorizationErrorResponse.parse(redirectURI, params)); } /** * Parses an OpenID Connect authentication error response. * *

Use a relative URI if the host, port and path details are not * known: * *

	 * URI relUrl = new URI("https:///?error=invalid_request");
	 * 
* *

Example URI: * *

	 * https://client.example.com/cb?
	 * error=invalid_request
	 * &error_description=the%20request%20is%20not%20valid%20or%20malformed
	 * &state=af0ifjsldkj
	 * 
* * @param uri The URI to parse. Can be absolute or relative, with a * fragment or query string containing the authorisation * response parameters. Must not be {@code null}. * * @return The OpenID Connect authentication error response. * * @throws ParseException If the URI couldn't be parsed to an OpenID * Connect authentication error response. */ public static AuthenticationErrorResponse parse(final URI uri) throws ParseException { return toAuthenticationErrorResponse(AuthorizationErrorResponse.parse(uri)); } /** * Parses an OpenID Connect authentication error response from the * specified initial HTTP 302 redirect response generated at the * authorisation endpoint. * *

Example HTTP response: * *

	 * HTTP/1.1 302 Found
	 * Location: https://client.example.com/cb?error=invalid_request&state=af0ifjsldkj
	 * 
* * @param httpResponse The HTTP response to parse. Must not be * {@code null}. * * @return The OpenID Connect authentication error response. * * @throws ParseException If the HTTP response couldn't be parsed to an * OpenID Connect authentication error response. */ public static AuthenticationErrorResponse parse(final HTTPResponse httpResponse) throws ParseException { return toAuthenticationErrorResponse(AuthorizationErrorResponse.parse(httpResponse)); } /** * Parses an OpenID Connect authentication error response from the * specified HTTP request at the client redirection (callback) URI. * Applies to {@code query}, {@code fragment} and {@code form_post} * response modes. * *

Example HTTP request (authorisation success): * *

	 * GET /cb?error=invalid_request&state=af0ifjsldkj HTTP/1.1
	 * Host: client.example.com
	 * 
* * @see #parse(HTTPResponse) * * @param httpRequest The HTTP request to parse. Must not be * {@code null}. * * @return The authentication error response. * * @throws ParseException If the HTTP request couldn't be parsed to an * OpenID Connect authentication error response. */ public static AuthenticationErrorResponse parse(final HTTPRequest httpRequest) throws ParseException { return parse(httpRequest.getURI(), parseResponseParameters(httpRequest)); } }




© 2015 - 2024 Weber Informatics LLC | Privacy Policy