io.vertx.ext.web.handler.impl.OAuth2AuthHandlerImpl Maven / Gradle / Ivy
The newest version!
* Copyright 2014 Red Hat, Inc.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License v1.0
* and Apache License v2.0 which accompanies this distribution.
* The Eclipse Public License is available at
* The Apache License v2.0 is available at
* You may elect to redistribute this code under either of these licenses.
package io.vertx.ext.web.handler.impl;
import io.vertx.core.Future;
import io.vertx.core.Vertx;
import io.vertx.core.VertxException;
import io.vertx.core.http.HttpHeaders;
import io.vertx.core.http.HttpMethod;
import io.vertx.core.internal.logging.Logger;
import io.vertx.core.internal.logging.LoggerFactory;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.User;
import io.vertx.ext.auth.prng.VertxContextPRNG;
import io.vertx.ext.auth.audit.Marker;
import io.vertx.ext.auth.audit.SecurityAudit;
import io.vertx.ext.auth.authentication.Credentials;
import io.vertx.ext.auth.authentication.TokenCredentials;
import io.vertx.ext.auth.oauth2.OAuth2Auth;
import io.vertx.ext.auth.oauth2.OAuth2AuthorizationURL;
import io.vertx.ext.auth.oauth2.OAuth2FlowType;
import io.vertx.ext.auth.oauth2.Oauth2Credentials;
import io.vertx.ext.web.Route;
import io.vertx.ext.web.RoutingContext;
import io.vertx.ext.web.Session;
import io.vertx.ext.web.handler.HttpException;
import io.vertx.ext.web.handler.OAuth2AuthHandler;
import io.vertx.ext.web.impl.*;
import io.vertx.ext.web.internal.handler.ScopedAuthentication;
import java.nio.charset.StandardCharsets;
import java.util.*;
* @author Paulo Lopes
public class OAuth2AuthHandlerImpl extends HTTPAuthorizationHandler implements OAuth2AuthHandler, ScopedAuthentication, OrderListener {
private static final Logger LOG = LoggerFactory.getLogger(OAuth2AuthHandlerImpl.class);
private final VertxContextPRNG prng;
private final Origin callbackURL;
private final MessageDigest sha256;
private final List scopes;
private JsonObject extraParams;
private String prompt;
private int pkce = -1;
// explicit signal that tokens are handled as bearer only (meaning, no backend server known)
private boolean bearerOnly = true;
private int order = -1;
private Route callback;
public OAuth2AuthHandlerImpl(Vertx vertx, OAuth2Auth authProvider, String callbackURL) {
this(vertx, authProvider, callbackURL, null);
public OAuth2AuthHandlerImpl(Vertx vertx, OAuth2Auth authProvider, String callbackURL, String realm) {
super(authProvider, Type.BEARER, realm);
// get a reference to the prng
this.prng = VertxContextPRNG.current(vertx);
// get a reference to the sha-256 digest
try {
sha256 = MessageDigest.getInstance("SHA-256");
} catch (NoSuchAlgorithmException e) {
throw new IllegalStateException("Cannot get instance of SHA-256 MessageDigest", e);
// process callback
if (callbackURL != null) {
this.callbackURL = Origin.parse(callbackURL);
} else {
this.callbackURL = null;
// scopes are empty by default
this.scopes = Collections.emptyList();
private OAuth2AuthHandlerImpl(OAuth2AuthHandlerImpl base, List scopes) {
super(base.authProvider, Type.BEARER, base.realm);
this.prng = base.prng;
this.callbackURL = base.callbackURL;
this.prompt = base.prompt;
this.pkce = base.pkce;
this.bearerOnly = base.bearerOnly;
// get a new reference to the sha-256 digest
try {
sha256 = MessageDigest.getInstance("SHA-256");
} catch (NoSuchAlgorithmException e) {
throw new IllegalStateException("Cannot get instance of SHA-256 MessageDigest", e);
// state copy
if (base.extraParams != null) {
extraParams = base.extraParams.copy();
this.callback = base.callback;
this.order = base.order;
// apply the new scopes
Objects.requireNonNull(scopes, "scopes cannot be null");
this.scopes = scopes;
public Future authenticate(RoutingContext context) {
// when the handler is working as bearer only, then the `Authorization` header is required
return parseAuthorization(context, !bearerOnly)
.compose(token -> {
// Authorization header can be null when in not in bearerOnly mode
if (token == null) {
// redirect request to the oauth2 server as we know nothing about this request
if (bearerOnly) {
// it's a failure both cases but the cause is not the same
return Future.failedFuture("callback route is not configured.");
// when this handle is mounted as a catch all, the callback route must be configured before,
// as it would shade the callback route. When a request matches the callback path and has the
// method GET the exceptional case should not redirect to the oauth2 server as it would become
// an infinite redirect loop. In this case an exception must be raised.
if (context.request().method() == HttpMethod.GET && context.normalizedPath().equals(callbackURL.resource())) {
LOG.warn("The callback route is shaded by the OAuth2AuthHandler, ensure the callback route is added BEFORE the OAuth2AuthHandler route!");
return Future.failedFuture(new HttpException(500, "Infinite redirect loop [oauth2 callback]"));
} else {
if (context.request().method() != HttpMethod.GET) {
// we can only redirect GET requests
LOG.error("OAuth2 redirect attempt to non GET resource");
return Future.failedFuture(new HttpException(405, new IllegalStateException("OAuth2 redirect attempt to non GET resource")));
// the redirect is processed as a failure to abort the chain
String redirectUri = context.request().uri();
try {
return Future.failedFuture(new HttpException(302, authURI(context, redirectUri)));
} catch (IllegalStateException e) {
return Future.failedFuture(e);
} else {
// continue
final List scopes = getScopesOrSearchMetadata(this.scopes, context);
final Credentials credentials =
scopes.size() > 0 ? new TokenCredentials(token).setScopes(scopes) : new TokenCredentials(token);
final SecurityAudit audit = ((RoutingContextInternal) context).securityAudit();
return authProvider.authenticate(credentials)
.andThen(op -> audit.audit(Marker.AUTHENTICATION, op.succeeded()))
.recover(err -> Future.failedFuture(new HttpException(401, err)));
private String authURI(RoutingContext context, String redirectURL) {
String state = null;
String codeVerifier = null;
String loginHint = null;
final Session session = context.session();
if (session == null) {
if (pkce > 0) {
// we can only handle PKCE with a session
throw new IllegalStateException("OAuth2 PKCE requires a session to be present");
} else {
// there's a session we can make this request comply to the Oauth2 spec and add an opaque state
loginHint = session.get("login_hint");
// hint will be considered at least once
.put("redirect_uri", redirectURL);
// create a state value to mitigate replay attacks
state = prng.nextString(6);
// store the state in the session
.put("state", state);
if (pkce > 0) {
codeVerifier = prng.nextString(pkce);
// store the code verifier in the session
.put("pkce", codeVerifier);
final OAuth2AuthorizationURL config = new OAuth2AuthorizationURL();
if (extraParams != null) {
for (Map.Entry entry : extraParams) {
if (entry.getValue() != null) {
config.putAdditionalParameter(entry.getKey(), entry.getValue().toString());
.setState(state != null ? state : redirectURL)
if (callbackURL != null) {
final List scopes = getScopesOrSearchMetadata(this.scopes, context);
if (scopes.size() > 0) {
if (codeVerifier != null) {
synchronized (sha256) {
return authProvider.authorizeURL(new OAuth2AuthorizationURL(config));
public OAuth2AuthHandler extraParams(JsonObject extraParams) {
this.extraParams = extraParams;
return this;
public OAuth2AuthHandler withScope(String scope) {
Objects.requireNonNull(scope, "scope cannot be null");
List updatedScopes = new ArrayList<>(this.scopes);
return new OAuth2AuthHandlerImpl(this, updatedScopes);
public OAuth2AuthHandler withScopes(List scopes) {
Objects.requireNonNull(scopes, "scopes cannot be null");
return new OAuth2AuthHandlerImpl(this, scopes);
public OAuth2AuthHandler prompt(String prompt) {
this.prompt = prompt;
return this;
public OAuth2AuthHandler pkceVerifierLength(int length) {
if (length >= 0) {
// requires verification
if (length < 43 || length > 128) {
throw new IllegalArgumentException("Length must be between 43 and 128");
this.pkce = length;
return this;
public OAuth2AuthHandler setupCallback(final Route route) {
if (callbackURL == null) {
// warn that the setup is probably wrong
throw new IllegalStateException("OAuth2AuthHandler was created without a origin/callback URL");
final String routePath = route.getPath();
if (routePath == null) {
// warn that the setup is probably wrong
throw new IllegalStateException("OAuth2AuthHandler callback route created without a path");
final String callbackPath = callbackURL.resource();
if (callbackPath != null && !"".equals(callbackPath)) {
if (!callbackPath.endsWith(routePath)) {
if (LOG.isWarnEnabled()) {
LOG.warn("callback route doesn't match OAuth2AuthHandler origin configuration");
this.callback = route;
// order was already known, but waiting for the callback
if (this.order != -1) {
// the redirect handler has been setup so we can process this
// handler has full oauth2 support, not just basic JWT
bearerOnly = false;
return this;
private static final Set OPENID_SCOPES = new HashSet<>();
static {
* The default behavior for post-authentication
public void postAuthentication(RoutingContext ctx) {
// the user is authenticated, however the user may not have all the required scopes
final List scopes = getScopesOrSearchMetadata(this.scopes, ctx);
if (scopes.size() > 0) {
final User user = ctx.user().get();
if (user == null) {
// bad state, new VertxException("no user in the context", true));
if (user.principal().containsKey("scope")) {
final String userScopes = user.principal().getString("scope");
if (userScopes != null) {
// user principal contains scope, a basic assertion is required to ensure that
// the scopes present match the required ones
// check if openid is active
final boolean openId = userScopes.contains("openid");
for (String scope : scopes) {
// do not assert openid scopes if openid is active
if (openId && OPENID_SCOPES.contains(scope)) {
int idx = userScopes.indexOf(scope);
if (idx != -1) {
// match, but is it valid?
if (
(idx != 0 && userScopes.charAt(idx -1) != ' ') ||
(idx + scope.length() != userScopes.length() && userScopes.charAt(idx + scope.length()) != ' ')) {
// invalid scope assignment, new VertxException("principal scope != handler scopes", true));
} else {
// invalid scope assignment, new VertxException("principal scope != handler scopes", true));
public boolean performsRedirect() {
// depending on the time this method is invoked
// we can deduct with more accuracy if a redirect is possible or not
if (!bearerOnly) {
// we know that a redirect is definitely possible
// as the callback handler has been created
return true;
} else {
// the callback hasn't been mounted so we need to assume
// that if no callbackURL is provided, then there isn't
// a redirect happening in this application
return callbackURL != null;
public void onOrder(int order) {
// order isn't known yet, we can attempt to mount
if (this.order == -1) {
this.order = order;
// callback route already known, but waiting for order
if (callback != null) {
private void mountCallback() {
// we want the callback before this handler
.order(order - 1);
callback.handler(ctx -> {
// Some IdP's (e.g.: AWS Cognito) returns errors as query arguments
String error = ctx.request().getParam("error");
if (error != null) {
int errorCode;
// standard error's from the Oauth2 RFC
switch (error) {
case "invalid_token":
errorCode = 401;
case "insufficient_scope":
errorCode = 403;
case "invalid_request":
errorCode = 400;
String errorDescription = ctx.request().getParam("error_description");
if (errorDescription != null) {, new VertxException(error + ": " + errorDescription, true));
} else {, new VertxException(error, true));
// Handle the callback of the flow
final String code = ctx.request().getParam("code");
// code is a require value
if (code == null) {, new VertxException("Missing code parameter", true));
final Oauth2Credentials credentials = new Oauth2Credentials()
// the state that was passed to the IdP server. The state can be
// an opaque random string (to protect against replay attacks)
// or if there was no session available the target resource to
// server after validation
final String state = ctx.request().getParam("state");
// state is a required field
if (state == null) {, new VertxException("Missing IdP state parameter to the callback endpoint", true));
final String resource;
final Session session = ctx.session();
if (session != null) {
// validate the state. Here we are a bit lenient, if there is no session
// we always assume valid, however if there is session it must match
String ctxState = session.remove("state");
// if there's a state in the context they must match
if (!state.equals(ctxState)) {
// forbidden, the state is not valid (this is a replay attack), new VertxException("Invalid oauth2 state", true));
// remove the code verifier, from the session as it will be trade for the
// token during the final leg of the oauth2 handshake
String codeVerifier = session.remove("pkce");
// state is valid, extract the redirectUri from the session
resource = session.get("redirect_uri");
} else {
resource = state;
// The valid callback URL set in your IdP application settings.
// This must exactly match the redirect_uri passed to the authorization URL in the previous step.
final SecurityAudit audit = ((RoutingContextInternal) ctx).securityAudit();
.andThen(op -> audit.audit(Marker.AUTHENTICATION, op.succeeded()))
.onSuccess(user -> {
((UserContextInternal) ctx.user())
String location = resource != null ? resource : "/";
if (session != null) {
// the user has upgraded from unauthenticated to authenticated
// session should be upgraded as recommended by owasp
} else {
// there is no session object so we cannot keep state.
// if there is no session and the resource is relative
// we will reroute to "location"
if (location.length() != 0 && location.charAt(0) == '/') {
// we should redirect the UA so this link becomes invalid
// disable all caching
.putHeader(HttpHeaders.CACHE_CONTROL, "no-cache, no-store, must-revalidate")
.putHeader("Pragma", "no-cache")
.putHeader(HttpHeaders.EXPIRES, "0")
// redirect (when there is no state, redirect to home
.putHeader(HttpHeaders.LOCATION, location)
.end("Redirecting to " + location + ".");
© 2015 - 2025 Weber Informatics LLC | Privacy Policy