Merge pull request #9 from ZiyamSanthosh/main-enable-api-auth

Modify apple authenticator to enable federation flow in API based Authentication and Nonce validation

Author: ZiyamSanthosh

components/org.wso2.carbon.identity.application.authenticator.apple/src/main/java/org/wso2/carbon/identity/application/authenticator/apple/AppleAuthenticator.java

@@ -78,15 +78,25 @@
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
+import java.util.UUID;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import static org.wso2.carbon.identity.application.authenticator.apple.AppleAuthenticatorConstants.AUTHENTICATOR_APPLE;
+import static org.wso2.carbon.identity.application.authenticator.apple.AppleAuthenticatorConstants.COMMA_SEPARATOR;
 import static org.wso2.carbon.identity.application.authenticator.apple.AppleAuthenticatorConstants.LogConstants.ActionIDs.PROCESS_AUTHENTICATION_RESPONSE;
 import static org.wso2.carbon.identity.application.authenticator.apple.AppleAuthenticatorConstants.LogConstants.ActionIDs.VALIDATE_OUTBOUND_AUTH_REQUEST;
+import static org.wso2.carbon.identity.application.authenticator.apple.AppleAuthenticatorConstants.PLUS_SEPARATOR;
+import static org.wso2.carbon.identity.application.authenticator.apple.AppleAuthenticatorConstants.SPACE_SEPARATOR;
+import static org.wso2.carbon.identity.application.authenticator.oidc.OIDCAuthenticatorConstants.Claim.NONCE;
+import static org.wso2.carbon.identity.application.authenticator.oidc.OIDCAuthenticatorConstants.OIDC_FEDERATION_NONCE;
+import static org.wso2.carbon.identity.application.authenticator.oidc.OIDCAuthenticatorConstants.REDIRECT_URL_SUFFIX;
+import static org.wso2.carbon.identity.application.authenticator.oidc.OIDCAuthenticatorConstants.SCOPE_PARAM_SUFFIX;
+import static org.wso2.carbon.identity.application.authenticator.oidc.OIDCAuthenticatorConstants.STATE_PARAM_SUFFIX;
 import static org.wso2.carbon.identity.base.IdentityConstants.FEDERATED_IDP_SESSION_ID;
 
 /**
@@ -144,9 +154,13 @@ protected void initiateAuthenticationRequest(HttpServletRequest request, HttpSer
 
                 String clientId = authenticatorProperties.get(OIDCAuthenticatorConstants.CLIENT_ID);
                 String authorizationEP = getAuthorizationServerEndpoint(authenticatorProperties);
-                String callbackUrl = getCallbackUrl(authenticatorProperties);
-                String state = getStateParameter(context, authenticatorProperties);
+                String callbackUrl = getCallbackUrl(authenticatorProperties, context);
+                String state = getStateParameter(request, context, authenticatorProperties);
+                context.setProperty(getName() + STATE_PARAM_SUFFIX, state);
+                String nonce = UUID.randomUUID().toString();
+                context.setProperty(getName() + OIDC_FEDERATION_NONCE, nonce);
                 String scopes = getScope(authenticatorProperties);
+                context.setProperty(getName() + SCOPE_PARAM_SUFFIX, scopes);
                 String queryString = getQueryString(authenticatorProperties);
 
                 // If scopes are present, Apple requires sending response_mode as form_post.
@@ -174,7 +188,8 @@ protected void initiateAuthenticationRequest(HttpServletRequest request, HttpSer
                 OAuthClientRequest.AuthenticationRequestBuilder requestBuilder =
                         OAuthClientRequest.authorizationLocation(authorizationEP).setClientId(clientId)
                                 .setResponseType(OIDCAuthenticatorConstants.OAUTH2_GRANT_TYPE_CODE)
-                                .setState(state);
+                                .setState(state)
+                                .setParameter(NONCE, nonce);
                 if (LoggerUtils.isDiagnosticLogsEnabled() && diagnosticLogBuilder != null) {
                     diagnosticLogBuilder.inputParam("scopes", scope);
                 }
@@ -200,6 +215,7 @@ protected void initiateAuthenticationRequest(HttpServletRequest request, HttpSer
                         loginPage = loginPage + queryString;
                     }
                 }
+                context.setProperty(getName() + REDIRECT_URL_SUFFIX, loginPage);
                 response.sendRedirect(response.encodeRedirectURL(loginPage.replace("\r\n", "")));
                 if (LoggerUtils.isDiagnosticLogsEnabled() && diagnosticLogBuilder != null) {
                     diagnosticLogBuilder.resultMessage("Redirected to the Apple Id login page.");
@@ -341,6 +357,21 @@ protected void processAuthenticationResponse(HttpServletRequest request, HttpSer
                 }
             }
 
+            // Nonce validation.
+            String nonceKey = getName() + OIDC_FEDERATION_NONCE;
+            if (StringUtils.isNotBlank((String) context.getProperty(nonceKey))) {
+                String nonce = (String) jwtAttributeMap.get(NONCE);
+                if (nonce == null) {
+                    log.debug("OIDC provider does not support nonce claim in id_token.");
+                }
+                if (nonce != null && !nonce.equals(context.getProperty(nonceKey))) {
+                    setAuthenticatorMessageToContext(OIDCErrorConstants.ErrorMessages.NONCE_MISMATCH, context);
+
+                    throw new AuthenticationFailedException(OIDCErrorConstants.ErrorMessages.NONCE_MISMATCH.getCode(),
+                            OIDCErrorConstants.ErrorMessages.NONCE_MISMATCH.getMessage());
+                }
+            }
+
             String authenticatedUserId = getAuthenticatedUserId(context, oAuthResponse, jwtAttributeMap);
             String attributeSeparator = getMultiAttributeSeparator(context, authenticatedUserId);
 
@@ -636,6 +667,44 @@ protected String getComponentId() {
         return AppleAuthenticatorConstants.LogConstants.OUTBOUND_AUTH_APPLE_SERVICE;
     }
 
+    /**
+     * Get the i18n key defined to represent the authenticator name.
+     *
+     * @return the 118n key.
+     */
+    @Override
+    public String getI18nKey() {
+
+        return AUTHENTICATOR_APPLE;
+    }
+
+    /**
+     * This method is responsible for validating whether the authenticator is supported for API Based Authentication.
+     *
+     * @return true if the authenticator is supported for API Based Authentication.
+     */
+    @Override
+    public boolean isAPIBasedAuthenticationSupported() {
+
+        return true;
+    }
+
+    /**
+     * This method is responsible to return the scopes as space separated string.
+     *
+     * @param authenticatorProperties   Authenticator properties.
+     * @return Scopes string
+     */
+    @Override
+    protected String getScope(Map<String, String> authenticatorProperties) {
+
+        String scopes = authenticatorProperties.get(IdentityApplicationConstants.Authenticator.OIDC.SCOPES);
+        if (StringUtils.isNotBlank(scopes)) {
+            return scopes.replace(COMMA_SEPARATOR, SPACE_SEPARATOR).replace(PLUS_SEPARATOR, SPACE_SEPARATOR);
+        }
+        return scopes;
+    }
+
     /**
      * Evaluates if the client secret should be generated and if required, generate and store the secret.
      *
@@ -811,13 +880,20 @@ private void initTokenEndpoint() {
     /**
      * Get state parameter.
      *
+     * @param request                   Authentication request.
      * @param context                   Authentication context.
      * @param authenticatorProperties   Authenticator properties.
      * @return State.
      */
-    private String getStateParameter(AuthenticationContext context, Map<String, String> authenticatorProperties) {
+    private String getStateParameter(HttpServletRequest request, AuthenticationContext context,
+                                     Map<String, String> authenticatorProperties) {
 
-        String state = context.getContextIdentifier() + "," + OIDCAuthenticatorConstants.LOGIN_TYPE;
+        String state;
+        if (FrameworkUtils.isAPIBasedAuthenticationFlow(request)) {
+            state = UUID.randomUUID() + "," + OIDCAuthenticatorConstants.LOGIN_TYPE;
+        } else {
+            state = context.getContextIdentifier() + "," + OIDCAuthenticatorConstants.LOGIN_TYPE;
+        }
         return getState(state, authenticatorProperties);
     }
 
@@ -1014,22 +1090,6 @@ private String getMultiAttributeSeparator(AuthenticationContext context, String
         return attributeSeparator;
     }
 
-    /**
-     * Get application details from the authentication context.
-     * @param context Authentication context.
-     * @return Map of application details.
-     */
-    private Map<String, String> getApplicationDetails(AuthenticationContext context) {
-
-        Map<String, String> applicationDetailsMap = new HashMap<>();
-        FrameworkUtils.getApplicationResourceId(context).ifPresent(applicationId ->
-                applicationDetailsMap.put(LogConstants.InputKeys.APPLICATION_ID, applicationId));
-        FrameworkUtils.getApplicationName(context).ifPresent(applicationName ->
-                applicationDetailsMap.put(LogConstants.InputKeys.APPLICATION_NAME,
-                        applicationName));
-        return applicationDetailsMap;
-    }
-
     private static List<String> getUserAttributeClaimMappingList(AuthenticatedUser authenticatedUser) {
 
         return authenticatedUser.getUserAttributes().keySet().stream()

components/org.wso2.carbon.identity.application.authenticator.apple/src/main/java/org/wso2/carbon/identity/application/authenticator/apple/AppleAuthenticatorConstants.java

@@ -49,6 +49,12 @@ private AppleAuthenticatorConstants() {
     public static final String APPLE_USER_INFO_KEY = "user";
     public static final String CLAIM_DIALECT_URI_PARAMETER = "ClaimDialectUri";
 
+    public static final String AUTHENTICATOR_APPLE = "authenticator.apple";
+
+    public static final String COMMA_SEPARATOR = ",";
+    public static final String PLUS_SEPARATOR = "+";
+    public static final String SPACE_SEPARATOR = " ";
+
     /**
      * Constants related to log management.
      */

components/org.wso2.carbon.identity.application.authenticator.apple/src/test/java/org/wso2/carbon/identity/application/authenticator/apple/AppleAuthenticatorTest.java

@@ -36,6 +36,7 @@
 import org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException;
 import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
 import org.wso2.carbon.identity.application.authentication.framework.model.CommonAuthResponseWrapper;
+import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkConstants;
 import org.wso2.carbon.identity.application.authenticator.apple.internal.AppleAuthenticatorDataHolder;
 import org.wso2.carbon.identity.application.authenticator.oidc.OIDCAuthenticatorConstants;
 import org.wso2.carbon.identity.application.authenticator.oidc.model.OIDCStateInfo;
@@ -77,6 +78,9 @@
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 import static org.mockito.MockitoAnnotations.openMocks;
+import static org.wso2.carbon.identity.application.authenticator.oidc.OIDCAuthenticatorConstants.REDIRECT_URL_SUFFIX;
+import static org.wso2.carbon.identity.application.authenticator.oidc.OIDCAuthenticatorConstants.SCOPE_PARAM_SUFFIX;
+import static org.wso2.carbon.identity.application.authenticator.oidc.OIDCAuthenticatorConstants.STATE_PARAM_SUFFIX;
 
 /**
  * Unit tests for the Apple authenticator class.
@@ -87,6 +91,7 @@ public class AppleAuthenticatorTest {
     private static Map<String, String> testAuthenticatorProperties;
     private static AuthenticatorConfig authenticatorConfig;
     private static AuthenticationContext authenticationContext;
+    private static boolean isAPIBased;
 
     private AutoCloseable autoCloseable;
     @Mock
@@ -228,6 +233,28 @@ public void testInitiateAuthenticationRequest(String secretGenerateCondition)
         Assert.assertTrue(redirectUrl.contains("client_id=testClientId"));
         Assert.assertTrue(redirectUrl.contains("scope=name%20email"));
         Assert.assertTrue(redirectUrl.contains("response_mode=form_post"));
+
+        if (isAPIBased) {
+            Assert.assertTrue(Boolean.parseBoolean(
+                    (String) authenticationContext.getProperty(FrameworkConstants.IS_API_BASED)));
+            Assert.assertNotNull(authenticationContext.getProperty(appleAuthenticator.getName()
+                    + STATE_PARAM_SUFFIX));
+            Assert.assertNotNull(authenticationContext.getProperty(appleAuthenticator.getName()
+                    + SCOPE_PARAM_SUFFIX));
+            String redirectUrlPropertyKey = appleAuthenticator.getName() + REDIRECT_URL_SUFFIX;
+            Assert.assertNotNull(authenticationContext.getProperty(redirectUrlPropertyKey));
+            // For API based auth flow, the redirect URL should not be equal to commonauth endpoint.
+            Assert.assertFalse(redirectUrl.contains("https://localhost:9443/commonauth"));
+        }
+    }
+
+    @Test(dataProvider = "initiateAuthenticationRequestDataProvider",
+            dependsOnMethods = {"testInitiateAuthenticationRequest"})
+    public void testInitiateAuthenticationRequestForAPIBased(String secretGenerateCondition)
+            throws AuthenticationFailedException, IOException, IdentityProviderManagementException {
+
+        isAPIBased = true;
+        testInitiateAuthenticationRequest(secretGenerateCondition);
     }
 
     @DataProvider(name = "initiateAuthenticationRequestExceptionDataProvider")
@@ -522,6 +549,20 @@ public void testGetConfigurationProperties() {
         });
     }
 
+    @Test
+    public void testGetI18nKey() {
+
+        String facebookI18nKey = appleAuthenticator.getI18nKey();
+        Assert.assertEquals(facebookI18nKey, AppleAuthenticatorConstants.AUTHENTICATOR_APPLE);
+    }
+
+    @Test
+    public void testIsAPIBasedAuthenticationSupported() {
+
+        boolean isAPIBasedAuthenticationSupported = appleAuthenticator.isAPIBasedAuthenticationSupported();
+        Assert.assertTrue(isAPIBasedAuthenticationSupported);
+    }
+
     private void initAuthenticatorProperties() {
 
         testAuthenticatorProperties = new HashMap<>();
@@ -569,5 +610,9 @@ private void initAuthenticationContext() {
         authenticationContext.setTenantDomain(TEST_TENANT);
         authenticationContext.setExternalIdP(externalIdPConfig);
         authenticationContext.setContextIdentifier(CONTEXT_IDENTIFIER);
+
+        if (isAPIBased) {
+            authenticationContext.setProperty(FrameworkConstants.IS_API_BASED, "true");
+        }
     }
 }

pom.xml

@@ -326,11 +326,11 @@
         <carbon.kernel.package.import.version.range>[4.9.10, 5.0.0)</carbon.kernel.package.import.version.range>
         <carbon.user.api.imp.pkg.version.range>[1.0.1, 2.0.0)</carbon.user.api.imp.pkg.version.range>
         <carbon.base.imp.pkg.version.range>[1.0.0, 2.0.0)</carbon.base.imp.pkg.version.range>
-        <carbon.identity.framework.version>5.25.260</carbon.identity.framework.version>
+        <carbon.identity.framework.version>5.25.560</carbon.identity.framework.version>
         <identity.framework.package.import.version.range>[5.25.260, 8.0.0)</identity.framework.package.import.version.range>
 
         <!-- other wso2 dependencies -->
-        <identity.outbound.auth.oidc.version>5.11.18</identity.outbound.auth.oidc.version>
+        <identity.outbound.auth.oidc.version>5.12.11</identity.outbound.auth.oidc.version>
         <carbon.identity.outbound.oidc.package.import.version.range>[5.11.18, 6.0.0)</carbon.identity.outbound.oidc.package.import.version.range>
         <carbon.identity.oauth.version>6.11.97</carbon.identity.oauth.version>
         <carbon.identity.oauth.package.import.version.range>[6.2.0, 8.0.0)</carbon.identity.oauth.package.import.version.range>