All Downloads are FREE. Search and download functionalities are using the official Maven repository.

no.nav.brukerdialog.isso.RelyingPartyCallback Maven / Gradle / Ivy

package no.nav.brukerdialog.isso;

import no.nav.brukerdialog.filter.DoNotCache;
import no.nav.brukerdialog.security.domain.IdTokenAndRefreshToken;
import no.nav.brukerdialog.security.domain.OidcCredential;
import no.nav.brukerdialog.security.oidc.IdTokenAndRefreshTokenProvider;
import no.nav.brukerdialog.security.oidc.OidcTokenValidator;
import no.nav.brukerdialog.security.oidc.OidcTokenValidatorResult;
import no.nav.brukerdialog.security.oidc.provider.IssoOidcProvider;
import no.nav.brukerdialog.tools.HostUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.*;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URLDecoder;

import static javax.ws.rs.core.Response.Status.BAD_REQUEST;
import static javax.ws.rs.core.Response.Status.FORBIDDEN;
import static no.nav.brukerdialog.security.Constants.ID_TOKEN_COOKIE_NAME;
import static no.nav.brukerdialog.security.Constants.REFRESH_TOKEN_COOKIE_NAME;

@Path("login")
@DoNotCache
public class RelyingPartyCallback {
    private static final Logger log = LoggerFactory.getLogger(RelyingPartyCallback.class);

    private IdTokenAndRefreshTokenProvider tokenProvider = new IdTokenAndRefreshTokenProvider();
    private OidcTokenValidator oidcTokenValidator = new OidcTokenValidator();
    private IssoOidcProvider oidcProvider = new IssoOidcProvider();

    @GET
    @Produces(MediaType.APPLICATION_JSON)
    public Response getLogin(@QueryParam("code") String authorizationCode, @QueryParam("state") String state, @Context UriInfo uri, @Context HttpHeaders headers) {
        if (authorizationCode == null) {
            log.error("URL parameter 'code' is missing");
            return Response.status(BAD_REQUEST).build();
        }
        if (state == null) {
            log.error("URL parameter 'state' is missing");
            return Response.status(BAD_REQUEST).build();
        }

        Cookie redirect = headers.getCookies().get(state);
        if (redirect == null || redirect.getValue() == null || redirect.getValue().isEmpty()) {
            log.error("Cookie for redirectionURL is missing or empty");
            return Response.status(BAD_REQUEST).build();
        }

        IdTokenAndRefreshToken tokens = tokenProvider.getToken(authorizationCode, uri.getAbsolutePath().toString());
        OidcCredential token = tokens.getIdToken();
        String refreshToken = tokens.getRefreshToken();

        OidcTokenValidatorResult result = oidcTokenValidator.validate(token.getToken(), oidcProvider);

        if (!result.isValid()) {
            return Response.status(FORBIDDEN).build();
        }

        boolean sslOnlyCookie = !Boolean.valueOf(System.getProperty("develop-local", "false"));
        String cookieDomain = HostUtils.cookieDomain(uri);
        NewCookie tokenCookie = new NewCookie(ID_TOKEN_COOKIE_NAME, token.getToken(), "/", cookieDomain, "", NewCookie.DEFAULT_MAX_AGE, sslOnlyCookie, true);
        NewCookie refreshTokenCookie = new NewCookie(REFRESH_TOKEN_COOKIE_NAME, refreshToken, "/", cookieDomain, "", NewCookie.DEFAULT_MAX_AGE, sslOnlyCookie, true);
        NewCookie deleteOldStateCookie = new NewCookie(state, "", "/", null, "", 0, sslOnlyCookie, true);

        Response.ResponseBuilder responseBuilder;
        //TODO CSRF attack protection. See RFC-6749 section 10.12 (the state-cookie containing redirectURL shold be encrypted to avoid tampering)
        String originalUrl = urlDecode(redirect.getValue());
        responseBuilder = Response.temporaryRedirect(URI.create(originalUrl));
        responseBuilder.cookie(tokenCookie);
        responseBuilder.cookie(refreshTokenCookie);
        responseBuilder.cookie(deleteOldStateCookie);
        return responseBuilder.build();
    }


    private static String urlDecode(String urlEncoded) {
        try {
            return URLDecoder.decode(urlEncoded, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalArgumentException("Could not URLdecode: " + urlEncoded);
        }
    }

}




© 2015 - 2025 Weber Informatics LLC | Privacy Policy