Resolve token validation issue in OktaAuthenticationProvider

Author: bdemers

api/src/main/java/com/stormpath/sdk/authc/OktaAuthNAuthenticator.java

@@ -0,0 +1,13 @@
+package com.stormpath.sdk.authc;
+
+import com.stormpath.sdk.resource.Resource;
+
+/**
+ *
+ */
+public interface OktaAuthNAuthenticator extends Resource {
+
+    AuthenticationResult authenticate(AuthenticationRequest request);
+    
+    void assertValidAccessToken(String accessToken);
+}

extensions/spring/stormpath-spring-security/src/main/java/com/stormpath/spring/config/AbstractStormpathSpringSecurityConfiguration.java

@@ -16,6 +16,8 @@
 package com.stormpath.spring.config;
 
 import com.stormpath.sdk.application.Application;
+import com.stormpath.sdk.authc.OktaAuthNAuthenticator;
+import com.stormpath.sdk.client.Client;
 import com.stormpath.spring.security.provider.AccountCustomDataPermissionResolver;
 import com.stormpath.spring.security.provider.AccountGrantedAuthorityResolver;
 import com.stormpath.spring.security.provider.AccountPermissionResolver;
@@ -47,6 +49,9 @@ public abstract class AbstractStormpathSpringSecurityConfiguration {
     @Autowired
     private Application application;
 
+    @Autowired
+    private Client client;
+
     public GroupGrantedAuthorityResolver stormpathGroupGrantedAuthorityResolver() {
         return new DefaultGroupGrantedAuthorityResolver();
     }
@@ -72,7 +77,7 @@ public AuthenticationProvider stormpathAuthenticationProvider() {
         StormpathAuthenticationProvider provider;
 
         if (oktaEnabled) {
-            provider = new OktaAuthenticationProvider(application);
+            provider = new OktaAuthenticationProvider(application, client);
         }
         else {
             provider = new StormpathAuthenticationProvider(application);

extensions/spring/stormpath-spring-security/src/main/java/com/stormpath/spring/security/provider/OktaAuthenticationProvider.java

@@ -3,28 +3,30 @@
 import com.stormpath.sdk.account.Account;
 import com.stormpath.sdk.application.Application;
 import com.stormpath.sdk.authc.AuthenticationRequest;
+import com.stormpath.sdk.authc.OktaAuthNAuthenticator;
+import com.stormpath.sdk.client.Client;
 import com.stormpath.sdk.lang.Strings;
 import com.stormpath.sdk.oauth.AccessTokenResult;
 import com.stormpath.sdk.resource.ResourceException;
 import com.stormpath.spring.security.token.JwtProviderAuthenticationToken;
 import com.stormpath.spring.security.token.ProviderAuthenticationToken;
 import org.springframework.security.authentication.AuthenticationServiceException;
-import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.userdetails.User;
-import org.springframework.security.core.userdetails.UserDetails;
 
 /**
  *
  */
 public class OktaAuthenticationProvider extends StormpathAuthenticationProvider {
 
     private final Application application;
+    private final Client client;
 
-    public OktaAuthenticationProvider(Application application) {
+    public OktaAuthenticationProvider(Application application, Client client) {
         super(application);
         this.application = application;
+        this.client = client;
     }
 
     @Override
@@ -38,7 +40,9 @@ public Authentication authenticate(Authentication authentication) throws Authent
                 returnToken = authentication;
             }
             else if (authentication instanceof JwtProviderAuthenticationToken) {
-                // FIXME: validate / exchange token
+                // TODO: add tests around this flow
+                OktaAuthNAuthenticator authNAuthenticator = client.instantiate(OktaAuthNAuthenticator.class);
+                authNAuthenticator.assertValidAccessToken(((JwtProviderAuthenticationToken) authentication).getAccessToken());
                 return authentication;
             }
             else {
@@ -72,13 +76,10 @@ else if (authentication instanceof JwtProviderAuthenticationToken) {
         return returnToken;
     }
 
-
     @Override
     public boolean supports(Class<?> authentication) {
         if (super.supports(authentication)) return true;
         if (JwtProviderAuthenticationToken.class.isAssignableFrom(authentication)) return true;
         return false;
     }
-
-
 }

impl/src/main/java/com/stormpath/sdk/impl/application/okta/OktaApplication.java

@@ -42,7 +42,7 @@
 import com.stormpath.sdk.impl.application.DefaultApplicationAccountStoreMapping;
 import com.stormpath.sdk.impl.application.DefaultApplicationAccountStoreMappingList;
 import com.stormpath.sdk.impl.authc.DefaultUsernamePasswordRequest;
-import com.stormpath.sdk.impl.authc.OktaAuthNAuthenticator;
+import com.stormpath.sdk.impl.authc.DefaultOktaAuthNAuthenticator;
 import com.stormpath.sdk.impl.directory.OktaDirectory;
 import com.stormpath.sdk.impl.ds.InternalDataStore;
 import com.stormpath.sdk.impl.oauth.DefaultIdSiteAuthenticator;
@@ -264,7 +264,7 @@ public Account resetPassword(String passwordResetToken, String newPassword) {
     @Override
     public AuthenticationResult authenticateAccount(AuthenticationRequest request) throws ResourceException {
 
-        return new OktaAuthNAuthenticator(getDataStore()).authenticate((DefaultUsernamePasswordRequest)request);
+        return new DefaultOktaAuthNAuthenticator(getDataStore()).authenticate((DefaultUsernamePasswordRequest)request);
     }
 
     @Override

impl/src/main/java/com/stormpath/sdk/impl/authc/OktaAuthNAuthenticator.java renamed to impl/src/main/java/com/stormpath/sdk/impl/authc/DefaultOktaAuthNAuthenticator.java

@@ -2,13 +2,13 @@
 
 import com.stormpath.sdk.account.Account;
 import com.stormpath.sdk.api.ApiKey;
-import com.stormpath.sdk.api.ApiKeys;
 import com.stormpath.sdk.application.okta.OktaTokenResponse;
 import com.stormpath.sdk.application.okta.OktaTokenRequest;
+import com.stormpath.sdk.authc.AuthenticationRequest;
 import com.stormpath.sdk.authc.AuthenticationResult;
 import com.stormpath.sdk.authc.AuthenticationResultVisitor;
+import com.stormpath.sdk.authc.OktaAuthNAuthenticator;
 import com.stormpath.sdk.error.Error;
-import com.stormpath.sdk.impl.application.okta.DefaultOktaSigningKeyResolver;
 import com.stormpath.sdk.impl.application.okta.OktaSigningKeyResolver;
 import com.stormpath.sdk.impl.ds.InternalDataStore;
 import com.stormpath.sdk.impl.http.HttpHeaders;
@@ -21,7 +21,6 @@
 import io.jsonwebtoken.Jwt;
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.SigningKeyResolver;
-import org.omg.CORBA.DynAnyPackage.Invalid;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -34,31 +33,29 @@
 /**
  * Uses Okta's /api/v1/authn endpoint to authenticate users.
  */
-public class OktaAuthNAuthenticator {
+public class DefaultOktaAuthNAuthenticator implements OktaAuthNAuthenticator {
 
-    private static final Logger log = LoggerFactory.getLogger(OktaAuthNAuthenticator.class);
+    private static final Logger log = LoggerFactory.getLogger(DefaultOktaAuthNAuthenticator.class);
 
     private final InternalDataStore dataStore;
 
-    public OktaAuthNAuthenticator(InternalDataStore dataStore) {
-        Assert.notNull(dataStore);
+    public DefaultOktaAuthNAuthenticator(InternalDataStore dataStore) {
         Assert.notNull(dataStore);
         this.dataStore = dataStore;
     }
 
+    @Override
+    public AuthenticationResult authenticate(AuthenticationRequest request) {
 
-    public AuthenticationResult authenticate(DefaultUsernamePasswordRequest request) {
+        Assert.isInstanceOf(DefaultUsernamePasswordRequest.class, request, "Only 'DefaultUsernamePasswordRequest' requests are supported.");
+        DefaultUsernamePasswordRequest usernamePasswordRequest = (DefaultUsernamePasswordRequest) request;
 
-        final OktaTokenResponse oktaTokenResponse = doAuthRequest(request);
+        final OktaTokenResponse oktaTokenResponse = doAuthRequest(usernamePasswordRequest);
 
         // validate the key we just received
-        SigningKeyResolver keyResolver = dataStore.instantiate(OktaSigningKeyResolver.class);
-        final Jwt<Header, Claims> jwt = Jwts.parser()
-                .setSigningKeyResolver(keyResolver)
-                .parse(oktaTokenResponse.getAccessToken());
+        final Jwt<Header, Claims> jwt = parseJwt(oktaTokenResponse.getAccessToken());
         String userId = jwt.getBody().get("uid", String.class);
 
-
         final String userHref = "/api/v1/users/" + userId;
 
         Map<String, Object> authMap = new LinkedHashMap<>();
@@ -101,6 +98,19 @@ public String getHref() {
         };
     }
 
+    @Override
+    public void assertValidAccessToken(String accessToken) {
+        parseJwt(accessToken);
+    }
+
+    private Jwt<Header, Claims> parseJwt(String accessToken) {
+
+        SigningKeyResolver keyResolver = dataStore.instantiate(OktaSigningKeyResolver.class);
+        return Jwts.parser()
+                .setSigningKeyResolver(keyResolver)
+                .parse(accessToken);
+    }
+
     private OktaTokenResponse doAuthRequest(DefaultUsernamePasswordRequest request) {
         HttpHeaders httpHeaders = new HttpHeaders();
         httpHeaders.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
@@ -118,6 +128,8 @@ private OktaTokenResponse doAuthRequest(DefaultUsernamePasswordRequest request)
         }
         catch (final ResourceException e) {
 
+            log.debug("Exception thrown while requesting token, assuming this is an Invalid username or password", e);
+
             throw  new ResourceException(new Error() {
                 @Override
                 public int getStatus() {
@@ -153,4 +165,8 @@ public String getRequestId() {
         }
     }
 
+    @Override
+    public String getHref() {
+        return null;
+    }
 }

impl/src/main/java/com/stormpath/sdk/impl/oauth/DefaultIdSiteAuthenticatorFactory.java

@@ -32,25 +32,6 @@ public class DefaultIdSiteAuthenticatorFactory implements IdSiteAuthenticatorFac
 
     @Override
     public IdSiteAuthenticator forApplication(Application application) {
-
-        if (application instanceof OAuthApplication) {
-            return ((OAuthApplication) application).createIdSiteAuthenticator();
-        }
-
-        // FIXME: ugly ugly ugly
-        try {
-            Method dataStoreMethod = AbstractResource.class.getDeclaredMethod("getDataStore");
-            dataStoreMethod.setAccessible(true);
-            InternalDataStore internalDataStore = (InternalDataStore) dataStoreMethod.invoke(application);
-
-            return new DefaultIdSiteAuthenticator(application, internalDataStore);
-
-        } catch (NoSuchMethodException e) {
-            throw new UnsupportedOperationException("Could not get access to Application's 'dataStore'", e);
-        } catch (IllegalAccessException e) {
-            throw new UnsupportedOperationException("Could not get access to Application's 'dataStore'", e);
-        } catch (InvocationTargetException e) {
-            throw new UnsupportedOperationException("Could not get access to Application's 'dataStore'", e);
-        }
+        return ((OAuthApplication) application).createIdSiteAuthenticator();
     }
 }

impl/src/test/groovy/com/stormpath/sdk/impl/authc/OktaAuthNAuthenticatorTest.groovy

@@ -23,7 +23,7 @@ import static org.hamcrest.Matchers.*
 import static org.hamcrest.MatcherAssert.*
 
 /**
- * Tests for {@link OktaAuthNAuthenticator}.
+ * Tests for {@link DefaultOktaAuthNAuthenticator}.
  */
 class OktaAuthNAuthenticatorTest {
 
@@ -69,7 +69,7 @@ class OktaAuthNAuthenticatorTest {
 
         replay mockDataStore, oktaTokenRequest, oktaTokenResponse, signingKeyResolver
 
-        def authResult = new OktaAuthNAuthenticator(mockDataStore).authenticate(authRequest)
+        def authResult = new DefaultOktaAuthNAuthenticator(mockDataStore).authenticate(authRequest)
         assertThat authResult.getHref(), nullValue()
         assertThat authResult.getAccount(), sameInstance(account)