All Downloads are FREE. Search and download functionalities are using the official Maven repository.

io.vertx.ext.web.handler.impl.OAuth2AuthHandlerImpl Maven / Gradle / Ivy

The newest version!
/*
 * Copyright 2014 Red Hat, Inc.
 *
 *  All rights reserved. This program and the accompanying materials
 *  are made available under the terms of the Eclipse Public License v1.0
 *  and Apache License v2.0 which accompanies this distribution.
 *
 *  The Eclipse Public License is available at
 *  http://www.eclipse.org/legal/epl-v10.html
 *
 *  The Apache License v2.0 is available at
 *  http://www.opensource.org/licenses/apache2.0.php
 *
 *  You may elect to redistribute this code under either of these licenses.
 */

package io.vertx.ext.web.handler.impl;

import io.vertx.core.Future;
import io.vertx.core.Vertx;
import io.vertx.core.VertxException;
import io.vertx.core.http.HttpHeaders;
import io.vertx.core.http.HttpMethod;
import io.vertx.core.internal.logging.Logger;
import io.vertx.core.internal.logging.LoggerFactory;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.User;
import io.vertx.ext.auth.prng.VertxContextPRNG;
import io.vertx.ext.auth.audit.Marker;
import io.vertx.ext.auth.audit.SecurityAudit;
import io.vertx.ext.auth.authentication.Credentials;
import io.vertx.ext.auth.authentication.TokenCredentials;
import io.vertx.ext.auth.oauth2.OAuth2Auth;
import io.vertx.ext.auth.oauth2.OAuth2AuthorizationURL;
import io.vertx.ext.auth.oauth2.OAuth2FlowType;
import io.vertx.ext.auth.oauth2.Oauth2Credentials;
import io.vertx.ext.web.Route;
import io.vertx.ext.web.RoutingContext;
import io.vertx.ext.web.Session;
import io.vertx.ext.web.handler.HttpException;
import io.vertx.ext.web.handler.OAuth2AuthHandler;
import io.vertx.ext.web.impl.*;
import io.vertx.ext.web.internal.handler.ScopedAuthentication;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.*;

/**
 * @author Paulo Lopes
 */
public class OAuth2AuthHandlerImpl extends HTTPAuthorizationHandler implements OAuth2AuthHandler, ScopedAuthentication, OrderListener {

  private static final Logger LOG = LoggerFactory.getLogger(OAuth2AuthHandlerImpl.class);

  private final VertxContextPRNG prng;
  private final Origin callbackURL;
  private final MessageDigest sha256;

  private final List scopes;
  private JsonObject extraParams;
  private String prompt;
  private int pkce = -1;
  // explicit signal that tokens are handled as bearer only (meaning, no backend server known)
  private boolean bearerOnly = true;

  private int order = -1;
  private Route callback;

  public OAuth2AuthHandlerImpl(Vertx vertx, OAuth2Auth authProvider, String callbackURL) {
    this(vertx, authProvider, callbackURL, null);
  }

  public OAuth2AuthHandlerImpl(Vertx vertx, OAuth2Auth authProvider, String callbackURL, String realm) {
    super(authProvider, Type.BEARER, realm);
    // get a reference to the prng
    this.prng = VertxContextPRNG.current(vertx);
    // get a reference to the sha-256 digest
    try {
      sha256 = MessageDigest.getInstance("SHA-256");
    } catch (NoSuchAlgorithmException e) {
      throw new IllegalStateException("Cannot get instance of SHA-256 MessageDigest", e);
    }
    // process callback
    if (callbackURL != null) {
      this.callbackURL = Origin.parse(callbackURL);
    } else {
      this.callbackURL = null;
    }
    // scopes are empty by default
    this.scopes = Collections.emptyList();
  }

  private OAuth2AuthHandlerImpl(OAuth2AuthHandlerImpl base, List scopes) {
    super(base.authProvider, Type.BEARER, base.realm);
    this.prng = base.prng;
    this.callbackURL = base.callbackURL;
    this.prompt = base.prompt;
    this.pkce = base.pkce;
    this.bearerOnly = base.bearerOnly;

    // get a new reference to the sha-256 digest
    try {
      sha256 = MessageDigest.getInstance("SHA-256");
    } catch (NoSuchAlgorithmException e) {
      throw new IllegalStateException("Cannot get instance of SHA-256 MessageDigest", e);
    }
    // state copy
    if (base.extraParams != null) {
      extraParams = base.extraParams.copy();
    }
    this.callback = base.callback;
    this.order = base.order;
    // apply the new scopes
    Objects.requireNonNull(scopes, "scopes cannot be null");
    this.scopes = scopes;
  }

  @Override
  public Future authenticate(RoutingContext context) {
    // when the handler is working as bearer only, then the `Authorization` header is required
    return parseAuthorization(context, !bearerOnly)
      .compose(token -> {
      // Authorization header can be null when in not in bearerOnly mode
      if (token == null) {
        // redirect request to the oauth2 server as we know nothing about this request
        if (bearerOnly) {
          // it's a failure both cases but the cause is not the same
          return Future.failedFuture("callback route is not configured.");
        }
        // when this handle is mounted as a catch all, the callback route must be configured before,
        // as it would shade the callback route. When a request matches the callback path and has the
        // method GET the exceptional case should not redirect to the oauth2 server as it would become
        // an infinite redirect loop. In this case an exception must be raised.
        if (context.request().method() == HttpMethod.GET && context.normalizedPath().equals(callbackURL.resource())) {
          LOG.warn("The callback route is shaded by the OAuth2AuthHandler, ensure the callback route is added BEFORE the OAuth2AuthHandler route!");
          return Future.failedFuture(new HttpException(500, "Infinite redirect loop [oauth2 callback]"));
        } else {
          if (context.request().method() != HttpMethod.GET) {
            // we can only redirect GET requests
            LOG.error("OAuth2 redirect attempt to non GET resource");
            return Future.failedFuture(new HttpException(405, new IllegalStateException("OAuth2 redirect attempt to non GET resource")));
          }

          // the redirect is processed as a failure to abort the chain
          String redirectUri = context.request().uri();
          try {
            return Future.failedFuture(new HttpException(302, authURI(context, redirectUri)));
          } catch (IllegalStateException e) {
            return Future.failedFuture(e);
          }
        }
      } else {
        // continue
        final List scopes = getScopesOrSearchMetadata(this.scopes, context);

        final Credentials credentials =
          scopes.size() > 0 ? new TokenCredentials(token).setScopes(scopes) : new TokenCredentials(token);

        final SecurityAudit audit = ((RoutingContextInternal) context).securityAudit();
        audit.credentials(credentials);

        return authProvider.authenticate(credentials)
          .andThen(op -> audit.audit(Marker.AUTHENTICATION, op.succeeded()))
          .recover(err -> Future.failedFuture(new HttpException(401, err)));
      }
    });
  }

  private String authURI(RoutingContext context, String redirectURL) {

    String state = null;
    String codeVerifier = null;
    String loginHint = null;

    final Session session = context.session();

    if (session == null) {
      if (pkce > 0) {
        // we can only handle PKCE with a session
        throw new IllegalStateException("OAuth2 PKCE requires a session to be present");
      }
    } else {
      // there's a session we can make this request comply to the Oauth2 spec and add an opaque state

      loginHint = session.get("login_hint");
      // hint will be considered at least once
      session.remove("login_hint");

      session
        .put("redirect_uri", redirectURL);

      // create a state value to mitigate replay attacks
      state = prng.nextString(6);
      // store the state in the session
      session
        .put("state", state);

      if (pkce > 0) {
        codeVerifier = prng.nextString(pkce);
        // store the code verifier in the session
        session
          .put("pkce", codeVerifier);
      }
    }

    final OAuth2AuthorizationURL config = new OAuth2AuthorizationURL();

    if (extraParams != null) {
      for (Map.Entry entry : extraParams) {
        if (entry.getValue() != null) {
          config.putAdditionalParameter(entry.getKey(), entry.getValue().toString());
        }
      }
    }

    config
      .setState(state != null ? state : redirectURL)
      .setLoginHint(loginHint)
      .setPrompt(prompt);

    if (callbackURL != null) {
      config.setRedirectUri(callbackURL.href());
    }

    final List scopes = getScopesOrSearchMetadata(this.scopes, context);

    if (scopes.size() > 0) {
      config.setScopes(scopes);
    }

    if (codeVerifier != null) {
      synchronized (sha256) {
        sha256.update(codeVerifier.getBytes(StandardCharsets.US_ASCII));
        config
          .setCodeChallenge(Utils.base64UrlEncode(sha256.digest()))
          .setCodeChallengeMethod("S256");
      }
    }

    return authProvider.authorizeURL(new OAuth2AuthorizationURL(config));
  }

  @Override
  public OAuth2AuthHandler extraParams(JsonObject extraParams) {
    this.extraParams = extraParams;
    return this;
  }

  @Override
  public OAuth2AuthHandler withScope(String scope) {
    Objects.requireNonNull(scope, "scope cannot be null");

    List updatedScopes = new ArrayList<>(this.scopes);
    updatedScopes.add(scope);
    return new OAuth2AuthHandlerImpl(this, updatedScopes);
  }

  @Override
  public OAuth2AuthHandler withScopes(List scopes) {
    Objects.requireNonNull(scopes, "scopes cannot be null");
    return new OAuth2AuthHandlerImpl(this, scopes);
  }

  @Override
  public OAuth2AuthHandler prompt(String prompt) {
    this.prompt = prompt;
    return this;
  }

  @Override
  public OAuth2AuthHandler pkceVerifierLength(int length) {
    if (length >= 0) {
      // requires verification
      if (length < 43 || length > 128) {
        throw new IllegalArgumentException("Length must be between 43 and 128");
      }
    }
    this.pkce = length;
    return this;
  }

  @Override
  public OAuth2AuthHandler setupCallback(final Route route) {

    if (callbackURL == null) {
      // warn that the setup is probably wrong
      throw new IllegalStateException("OAuth2AuthHandler was created without a origin/callback URL");
    }

    final String routePath = route.getPath();

    if (routePath == null) {
      // warn that the setup is probably wrong
      throw new IllegalStateException("OAuth2AuthHandler callback route created without a path");
    }

    final String callbackPath = callbackURL.resource();

    if (callbackPath != null && !"".equals(callbackPath)) {
      if (!callbackPath.endsWith(routePath)) {
        if (LOG.isWarnEnabled()) {
          LOG.warn("callback route doesn't match OAuth2AuthHandler origin configuration");
        }
      }
    }

    this.callback = route;
    // order was already known, but waiting for the callback
    if (this.order != -1) {
      mountCallback();
    }

    // the redirect handler has been setup so we can process this
    // handler has full oauth2 support, not just basic JWT
    bearerOnly = false;
    return this;
  }

  private static final Set OPENID_SCOPES = new HashSet<>();

  static {
    OPENID_SCOPES.add("openid");
    OPENID_SCOPES.add("profile");
    OPENID_SCOPES.add("email");
    OPENID_SCOPES.add("phone");
    OPENID_SCOPES.add("offline");
  }

  /**
   * The default behavior for post-authentication
   */
  @Override
  public void postAuthentication(RoutingContext ctx) {
    // the user is authenticated, however the user may not have all the required scopes
    final List scopes = getScopesOrSearchMetadata(this.scopes, ctx);

    if (scopes.size() > 0) {
      final User user = ctx.user().get();
      if (user == null) {
        // bad state
        ctx.fail(403, new VertxException("no user in the context", true));
        return;
      }

      if (user.principal().containsKey("scope")) {
        final String userScopes = user.principal().getString("scope");
        if (userScopes != null) {
          // user principal contains scope, a basic assertion is required to ensure that
          // the scopes present match the required ones

          // check if openid is active
          final boolean openId = userScopes.contains("openid");

          for (String scope : scopes) {
            // do not assert openid scopes if openid is active
            if (openId && OPENID_SCOPES.contains(scope)) {
              continue;
            }

            int idx = userScopes.indexOf(scope);
            if (idx != -1) {
              // match, but is it valid?
              if (
                (idx != 0 && userScopes.charAt(idx -1) != ' ') ||
                  (idx + scope.length() != userScopes.length() && userScopes.charAt(idx + scope.length()) != ' ')) {
                // invalid scope assignment
                ctx.fail(403, new VertxException("principal scope != handler scopes", true));
                return;
              }
            } else {
              // invalid scope assignment
              ctx.fail(403, new VertxException("principal scope != handler scopes", true));
              return;
            }
          }
        }
      }
    }
    ctx.next();
  }

  @Override
  public boolean performsRedirect() {
    // depending on the time this method is invoked
    // we can deduct with more accuracy if a redirect is possible or not
    if (!bearerOnly) {
      // we know that a redirect is definitely possible
      // as the callback handler has been created
      return true;
    } else {
      // the callback hasn't been mounted so we need to assume
      // that if no callbackURL is provided, then there isn't
      // a redirect happening in this application
      return callbackURL != null;
    }
  }

  @Override
  public void onOrder(int order) {
    // order isn't known yet, we can attempt to mount
    if (this.order == -1) {
      this.order = order;
      // callback route already known, but waiting for order
      if (callback != null) {
        mountCallback();
      }
    }
  }

  private void mountCallback() {

    callback
      .method(HttpMethod.GET)
      // we want the callback before this handler
      .order(order - 1);

    callback.handler(ctx -> {
      // Some IdP's (e.g.: AWS Cognito) returns errors as query arguments
      String error = ctx.request().getParam("error");

      if (error != null) {
        int errorCode;
        // standard error's from the Oauth2 RFC
        switch (error) {
          case "invalid_token":
            errorCode = 401;
            break;
          case "insufficient_scope":
            errorCode = 403;
            break;
          case "invalid_request":
          default:
            errorCode = 400;
            break;
        }

        String errorDescription = ctx.request().getParam("error_description");
        if (errorDescription != null) {
          ctx.fail(errorCode, new VertxException(error + ": " + errorDescription, true));
        } else {
          ctx.fail(errorCode, new VertxException(error, true));
        }
        return;
      }

      // Handle the callback of the flow
      final String code = ctx.request().getParam("code");

      // code is a require value
      if (code == null) {
        ctx.fail(400, new VertxException("Missing code parameter", true));
        return;
      }

      final Oauth2Credentials credentials = new Oauth2Credentials()
        .setFlow(OAuth2FlowType.AUTH_CODE)
        .setCode(code);

      // the state that was passed to the IdP server. The state can be
      // an opaque random string (to protect against replay attacks)
      // or if there was no session available the target resource to
      // server after validation
      final String state = ctx.request().getParam("state");

      // state is a required field
      if (state == null) {
        ctx.fail(400, new VertxException("Missing IdP state parameter to the callback endpoint", true));
        return;
      }

      final String resource;
      final Session session = ctx.session();

      if (session != null) {
        // validate the state. Here we are a bit lenient, if there is no session
        // we always assume valid, however if there is session it must match
        String ctxState = session.remove("state");
        // if there's a state in the context they must match
        if (!state.equals(ctxState)) {
          // forbidden, the state is not valid (this is a replay attack)
          ctx.fail(401, new VertxException("Invalid oauth2 state", true));
          return;
        }

        // remove the code verifier, from the session as it will be trade for the
        // token during the final leg of the oauth2 handshake
        String codeVerifier = session.remove("pkce");
        credentials.setCodeVerifier(codeVerifier);
        // state is valid, extract the redirectUri from the session
        resource = session.get("redirect_uri");
      } else {
        resource = state;
      }

      // The valid callback URL set in your IdP application settings.
      // This must exactly match the redirect_uri passed to the authorization URL in the previous step.
      credentials.setRedirectUri(callbackURL.href());

      final SecurityAudit audit = ((RoutingContextInternal) ctx).securityAudit();
      audit.credentials(credentials);

      authProvider
        .authenticate(credentials)
        .andThen(op -> audit.audit(Marker.AUTHENTICATION, op.succeeded()))
        .onFailure(ctx::fail)
        .onSuccess(user -> {
          ((UserContextInternal) ctx.user())
            .setUser(user);
          String location = resource != null ? resource : "/";
          if (session != null) {
            // the user has upgraded from unauthenticated to authenticated
            // session should be upgraded as recommended by owasp
            session.regenerateId();
          } else {
            // there is no session object so we cannot keep state.
            // if there is no session and the resource is relative
            // we will reroute to "location"
            if (location.length() != 0 && location.charAt(0) == '/') {
              ctx.reroute(location);
              return;
            }
          }

          // we should redirect the UA so this link becomes invalid
          ctx.response()
            // disable all caching
            .putHeader(HttpHeaders.CACHE_CONTROL, "no-cache, no-store, must-revalidate")
            .putHeader("Pragma", "no-cache")
            .putHeader(HttpHeaders.EXPIRES, "0")
            // redirect (when there is no state, redirect to home
            .putHeader(HttpHeaders.LOCATION, location)
            .setStatusCode(302)
            .end("Redirecting to " + location + ".");
      });
    });
  }
}




© 2015 - 2025 Weber Informatics LLC | Privacy Policy