Posted to commits@qpid.apache.org by kw...@apache.org on 2016/02/12 14:13:13 UTC

svn commit: r1730019 - /qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticator.java

Author: kwall
Date: Fri Feb 12 13:13:13 2016
New Revision: 1730019

URL: http://svn.apache.org/viewvc?rev=1730019&view=rev
Log:
QPID-7028: [Java Broker] OAuth2 - ensure that errors reported by the authorization endpoint are propagated to the client

Modified:
    qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticator.java

Modified: qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticator.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticator.java?rev=1730019&r1=1730018&r2=1730019&view=diff
==============================================================================
--- qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticator.java (original)
+++ qpid/java/trunk/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/auth/OAuth2InteractiveAuthenticator.java Fri Feb 12 13:13:13 2016
@@ -23,6 +23,7 @@ import java.io.IOException;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.security.SecureRandom;
+import java.util.Collections;
 import java.util.Enumeration;
 import java.util.HashMap;
 import java.util.Map;
@@ -58,6 +59,23 @@ public class OAuth2InteractiveAuthentica
     private static final String ORIGINAL_REQUEST_URI_SESSION_ATTRIBUTE = "originalRequestURI";
     private static final String REDIRECT_URI_SESSION_ATTRIBUTE = "redirectURI";
 
+    /** Authentication Endpoint error responses https://tools.ietf.org/html/rfc6749#section-4.2.1 */
+    private static final Map<String, Integer> ERROR_RESPONSES;
+
+    static
+    {
+        // Authentication Enpoint
+        Map<String, Integer> errorResponses = new HashMap<>();
+        errorResponses.put("invalid_request", 400);
+        errorResponses.put("unauthorized_client", 400);
+        errorResponses.put("unsupported_response_type", 400);
+        errorResponses.put("invalid_scope", 400);
+        errorResponses.put("access_denied", 403);
+        errorResponses.put("server_error", 500);
+        errorResponses.put("temporarily_unavailable", 503);
+        ERROR_RESPONSES = Collections.unmodifiableMap(errorResponses);
+    }
+
     private SecureRandom _random = new SecureRandom();
 
     @Override
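Review bot: The Javadoc on `ERROR_RESPONSES` cites RFC 6749 §4.2.1, which is the implicit grant's authorization request, whereas the codes listed are the error response of the authorization code grant in §4.1.2.1 (this authenticator reads a `code` parameter further down the page), and the RFC's name for the endpoint is the authorization endpoint, not the authentication endpoint (`// Authentication Enpoint` also carries a typo). The HTTP statuses are this plugin's own choice — the RFC prescribes no status for the client to relay — so the comment should say so, e.g. `/** HTTP status returned to the browser for each authorization-endpoint error code (RFC 6749 §4.1.2.1); the mapping is local to this plugin, and codes not listed here are treated as 500 by decodeErrorAsResponseCode. */`.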
@@ -84,6 +102,25 @@ public class OAuth2InteractiveAuthentica
                 return new FailedAuthenticationHandler(400, "Some request parameters are included more than once " + request, e);
             }
 
+            String error = requestParameters.get("error");
+            if (error != null)
+            {
+                int responseCode = decodeErrorAsResponseCode(error);
+                String errorDescription = requestParameters.get("error_description");
+                if (responseCode == 403)
+                {
+                    LOGGER.debug("Resource owner denies the access request");
+                    return new FailedAuthenticationHandler(responseCode, "Resource owner denies the access request");
+
+                }
+                else
+                {
+                    LOGGER.warn("Authorization endpoint failed, error : '{}', error description '{}'",
+                                error, errorDescription);
+                    return new FailedAuthenticationHandler(responseCode, String.format("Authorization request failed :'%s'", error));
+                }
+            }
+
             final String authorizationCode = requestParameters.get("code");
             if (authorizationCode == null)
             {
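Review bot: The `error` value taken from `requestParameters.get("error")` arrives on the redirect back to the broker, so anyone who can get a user to follow a crafted link controls it, and the new code echoes it verbatim into the response via `String.format("Authorization request failed :'%s'", error)` before the `state` check that only runs later in the `code` branch. RFC 6749 §4.1.2.1 defines `error` as a small fixed set of ASCII codes, so only a value that is a key of `ERROR_RESPONSES` should be reflected and anything else should get a generic message, e.g. `String shown = ERROR_RESPONSES.containsKey(error) ? error : "unrecognised";` followed by `String.format("Authorization request failed :'%s'", shown)`. Whether the reflection is actually exploitable depends on how FailedAuthenticationHandler renders the message, which is outside this hunk; if the text ends up in an HTML page it must be escaped there too. `error_description` is equally untrusted and is written to the warn log unfiltered, so stripping CR/LF before logging would keep one redirect from forging log lines. The enclosing method begins and ends outside this hunk; within it, `"access_denied".equals(error)` would also state the denial branch more directly than `responseCode == 403`.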
@@ -106,7 +143,7 @@ public class OAuth2InteractiveAuthentica
                 if (state == null)
                 {
                     LOGGER.warn("Deny login attempt with wrong state: {}", state);
-                    return new FailedAuthenticationHandler(400, "no state set on request with authorization code grant: "
+                    return new FailedAuthenticationHandler(400, "No state set on request with authorization code grant: "
                                                            + request);
                 }
                 if (!checkState(httpSession, state))
@@ -272,6 +309,11 @@ public class OAuth2InteractiveAuthentica
         return state != null && state.equals(nonce);
     }
 
+    private int decodeErrorAsResponseCode(final String error)
+    {
+        return ERROR_RESPONSES.containsKey(error) ? ERROR_RESPONSES.get(error) : 500;
+    }
+
     class FailedAuthenticationHandler implements AuthenticationHandler
     {
         private final int _errorCode;
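Review bot: `decodeErrorAsResponseCode` looks the map up twice and relies on auto-unboxing of the second `get`; one lookup reads more clearly and cannot diverge between the two calls: `Integer code = ERROR_RESPONSES.get(error); return code == null ? 500 : code;`. The caller shown earlier on the page only reaches this method after a null check on `error`, and `HashMap.get(null)` would in any case fall through to 500, so no extra guard is needed. A one-line Javadoc would help the next reader: `/** Maps an RFC 6749 authorization-endpoint error code to the HTTP status sent to the browser; unknown codes become 500. */`. The `FailedAuthenticationHandler` class that opens at the end of this hunk continues outside it.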


