feat(jans-auth-server): added validation of subject token type and ac…

…tor token type

Native SSO

#2518

jans-auth-server/model/src/main/java/io/jans/as/model/config/Constants.java

@@ -49,6 +49,8 @@ private Constants() {
     public static final String NO_CACHE = "no-cache";
     public static final String X_CLIENTCERT = "X-ClientCert";
     public static final String WWW_AUTHENTICATE = "WWW-Authenticate";
+    public static final String SUBJECT_TOKEN_TYPE_ID_TOKEN = "urn:ietf:params:oauth:token-type:id_token";
+    public static final String ACTOR_TOKEN_TYPE_DEVICE_SECRET = "urn:x-oath:params:oauth:token-type:device-secret";
 
     public static final String CONTENT_TYPE_APPLICATION_JSON_UTF_8 = "application/json;charset=UTF-8";
 

jans-auth-server/server/src/main/java/io/jans/as/server/token/ws/rs/TokenRestWebServiceImpl.java

@@ -201,7 +201,7 @@ public Response requestAccessToken(String grantType, String code,
             } else if (gt == GrantType.DEVICE_CODE) {
                 return processDeviceCodeGrantType(executionContext, deviceCode, scope);
             } else if (gt == GrantType.TOKEN_EXCHANGE) {
-                return processTokenExchange(code, scope, executionContext);
+                return processTokenExchange(scope, executionContext);
             }
         } catch (WebApplicationException e) {
             throw e;
@@ -213,7 +213,17 @@ public Response requestAccessToken(String grantType, String code,
         throw new WebApplicationException(tokenRestWebServiceValidator.error(400, TokenErrorResponseType.UNSUPPORTED_GRANT_TYPE, "Unsupported Grant Type.").build());
     }
 
-    private Response processTokenExchange(String code, String scope, ExecutionContext executionContext) {
+    private Response processTokenExchange(String scope, ExecutionContext executionContext) {
+        final HttpServletRequest httpRequest = executionContext.getHttpRequest();
+
+        String audience = httpRequest.getParameter("audience");
+        String subjectToken = httpRequest.getParameter("subject_token");
+        String subjectTokenType = httpRequest.getParameter("subject_token_type");
+        String actorToken = httpRequest.getParameter("actor_token");
+        String actorTokenType = httpRequest.getParameter("actor_token_type");
+
+        tokenRestWebServiceValidator.validateSubjectTokenType(subjectTokenType, executionContext.getAuditLog());
+        tokenRestWebServiceValidator.validateActorTokenType(actorTokenType, executionContext.getAuditLog());
         // todo
         return null;
     }

jans-auth-server/server/src/main/java/io/jans/as/server/token/ws/rs/TokenRestWebServiceValidator.java

@@ -26,7 +26,7 @@
 import java.util.List;
 import java.util.function.Consumer;
 
-import static io.jans.as.model.config.Constants.REASON_CLIENT_NOT_AUTHORIZED;
+import static io.jans.as.model.config.Constants.*;
 
 /**
  * @author Yuriy Zabrovarnyy
@@ -171,4 +171,20 @@ public void validateUser(User user, OAuth2AuditLog auditLog) {
             throw new WebApplicationException(response(error(401, TokenErrorResponseType.INVALID_CLIENT, "Invalid user."), auditLog));
         }
     }
+
+    public void validateSubjectTokenType(String subjectTokenType, OAuth2AuditLog auditLog) {
+        if (!SUBJECT_TOKEN_TYPE_ID_TOKEN.equalsIgnoreCase(subjectTokenType)) {
+            String msg = String.format("Unsupported subject_token_type: %s", subjectTokenType);
+            log.trace(msg);
+            throw new WebApplicationException(response(error(400, TokenErrorResponseType.INVALID_REQUEST, msg), auditLog));
+        }
+    }
+
+    public void validateActorTokenType(String actorTokenType, OAuth2AuditLog auditLog) {
+        if (!ACTOR_TOKEN_TYPE_DEVICE_SECRET.equalsIgnoreCase(actorTokenType)) {
+            String msg = String.format("Unsupported actor_token_type: %s", actorTokenType);
+            log.trace(msg);
+            throw new WebApplicationException(response(error(400, TokenErrorResponseType.INVALID_REQUEST, msg), auditLog));
+        }
+    }
 }

jans-auth-server/server/src/test/java/io/jans/as/server/token/ws/rs/TokenRestWebServiceValidatorTest.java

@@ -3,6 +3,7 @@
 import io.jans.as.common.model.common.User;
 import io.jans.as.common.model.registration.Client;
 import io.jans.as.model.common.GrantType;
+import io.jans.as.model.config.Constants;
 import io.jans.as.model.configuration.AppConfiguration;
 import io.jans.as.model.error.ErrorResponseFactory;
 import io.jans.as.server.audit.ApplicationAuditLogger;
@@ -49,6 +50,39 @@ public class TokenRestWebServiceValidatorTest {
     @InjectMocks
     private TokenRestWebServiceValidator validator;
 
+    @Test
+    public void validateSubjectTokenType_withInvalidTokenType_shouldThrowError() {
+        try {
+            validator.validateSubjectTokenType("urn:mytype", AUDIT_LOG);
+        } catch (WebApplicationException e) {
+            assertBadRequest(e.getResponse());
+            return;
+        }
+        fail("No error for invalid subject token type.");
+    }
+
+    @Test
+    public void validateSubjectTokenType_withValidTokenType_shouldPassSuccessfully() {
+        validator.validateSubjectTokenType(Constants.SUBJECT_TOKEN_TYPE_ID_TOKEN, AUDIT_LOG);
+    }
+
+    @Test
+    public void validateActorTokenType_withInvalidTokenType_shouldThrowError() {
+        try {
+            validator.validateActorTokenType("urn:mytype", AUDIT_LOG);
+        } catch (WebApplicationException e) {
+            assertBadRequest(e.getResponse());
+            return;
+        }
+        fail("No error for invalid actor token type.");
+    }
+
+    @Test
+    public void validateActorTokenType_withValidTokenType_shouldPassSuccessfully() {
+        validator.validateActorTokenType(Constants.ACTOR_TOKEN_TYPE_DEVICE_SECRET, AUDIT_LOG);
+    }
+
+
     @Test
     public void validateParams_whenGrantTypeIsBlank_shouldRaiseError() {
         try {