Posted to commits@cxf.apache.org by se...@apache.org on 2016/01/21 14:02:27 UTC
cxf git commit: [CXF-6753] OAuth2 audience related changes,
more likely to follow
Repository: cxf
Updated Branches:
refs/heads/master 170494e1f -> 386805560
[CXF-6753] OAuth2 audience related changes, more likely to follow
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/38680556
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/38680556
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/38680556
Branch: refs/heads/master
Commit: 386805560479b35276d88605c5acf805e3004aa5
Parents: 170494e
Author: Sergey Beryozkin <sb...@gmail.com>
Authored: Thu Jan 21 13:02:09 2016 +0000
Committer: Sergey Beryozkin <sb...@gmail.com>
Committed: Thu Jan 21 13:02:09 2016 +0000
----------------------------------------------------------------------
.../oauth2/common/AccessTokenRegistration.java | 13 +++--
.../oauth2/common/AccessTokenValidation.java | 20 ++++----
.../rs/security/oauth2/common/OAuthContext.java | 12 ++---
.../oauth2/common/ServerAccessToken.java | 14 +++---
.../oauth2/common/TokenIntrospection.java | 7 +--
.../filters/AccessTokenIntrospectionClient.java | 2 +-
.../oauth2/filters/OAuthRequestFilter.java | 52 +++++++++++++++-----
.../oauth2/grants/AbstractGrantHandler.java | 30 ++++++++---
.../code/AuthorizationCodeGrantHandler.java | 31 +++++++++---
.../code/ServerAuthorizationCodeGrant.java | 9 ----
.../provider/AbstractOAuthDataProvider.java | 6 +--
.../oauth2/provider/OAuthJSONProvider.java | 35 +++++++++++--
.../services/AbstractAccessTokenValidator.java | 19 +------
.../services/AbstractImplicitGrantService.java | 3 +-
.../oauth2/services/AccessTokenService.java | 31 ++----------
.../services/RedirectionBasedGrantService.java | 8 ++-
.../services/TokenIntrospectionService.java | 5 +-
.../rs/security/oauth2/utils/OAuthUtils.java | 12 ++++-
.../utils/crypto/ModelEncryptionSupport.java | 4 +-
.../oauth2/utils/crypto/CryptoUtilsTest.java | 4 +-
.../utils/crypto/EncryptingDataProvider.java | 2 +-
21 files changed, 185 insertions(+), 134 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/38680556/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenRegistration.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenRegistration.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenRegistration.java
index db443da..a4a4a2c 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenRegistration.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenRegistration.java
@@ -30,7 +30,7 @@ public class AccessTokenRegistration {
private List<String> approvedScope = new LinkedList<String>();
private String grantType;
private UserSubject subject;
- private String audience;
+ private List<String> audiences = new LinkedList<String>();
private String nonce;
private String clientCodeVerifier;
@@ -115,14 +115,14 @@ public class AccessTokenRegistration {
return grantType;
}
- public String getAudience() {
- return audience;
+ public List<String> getAudiences() {
+ return audiences;
}
- public void setAudience(String audience) {
- this.audience = audience;
+ public void setAudiences(List<String> audiences) {
+ this.audiences = audiences;
}
-
+
public String getClientCodeVerifier() {
return clientCodeVerifier;
}
@@ -138,5 +138,4 @@ public class AccessTokenRegistration {
public void setNonce(String nonce) {
this.nonce = nonce;
}
-
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/38680556/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java
index 508b37f..6a33e2b 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/AccessTokenValidation.java
@@ -55,7 +55,7 @@ public class AccessTokenValidation {
private long tokenLifetime;
private UserSubject tokenSubject;
private List<OAuthPermission> tokenScopes = new LinkedList<OAuthPermission>();
- private String audience;
+ private List<String> audiences = new LinkedList<String>();
private String clientCodeVerifier;
private Map<String, String> extraProps = new HashMap<String, String>();
@@ -76,7 +76,7 @@ public class AccessTokenValidation {
this.tokenSubject = token.getSubject();
this.tokenScopes = token.getScopes();
- this.audience = token.getAudience();
+ this.setAudiences(token.getAudiences());
this.clientCodeVerifier = token.getClientCodeVerifier();
}
@@ -137,14 +137,6 @@ public class AccessTokenValidation {
this.tokenType = tokenType;
}
- public String getAudience() {
- return audience;
- }
-
- public void setAudience(String audience) {
- this.audience = audience;
- }
-
public String getClientIpAddress() {
return clientIpAddress;
}
@@ -183,5 +175,13 @@ public class AccessTokenValidation {
public void setInitialValidationSuccessful(boolean localValidationSuccessful) {
this.initialValidationSuccessful = localValidationSuccessful;
}
+
+ public List<String> getAudiences() {
+ return audiences;
+ }
+
+ public void setAudiences(List<String> audiences) {
+ this.audiences = audiences;
+ }
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/38680556/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
index 492ca25..6e83e08 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthContext.java
@@ -35,7 +35,7 @@ public class OAuthContext {
private String clientId;
private boolean isClientConfidential;
private String tokenKey;
- private String tokenAudience;
+ private List<String> tokenAudiences;
private String[] tokenRequestParts;
public OAuthContext(UserSubject resourceOwnerSubject,
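Review bot: `tokenAudiences` is declared without an initializer, so `getTokenAudiences()` returns null until the filter sets it, whereas the equivalent fields in AccessTokenRegistration, AccessTokenValidation and ServerAccessToken are initialized to an empty list in this same commit. Code consuming OAuthContext therefore has to null-check this one field only. Initializing it the same way, `private List<String> tokenAudiences = new LinkedList<String>();` (or `Collections.emptyList()`, whichever import this file already has), keeps the contract uniform across the model classes.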
@@ -113,14 +113,14 @@ public class OAuthContext {
this.tokenKey = tokenKey;
}
- public String getTokenAudience() {
- return tokenAudience;
+ public List<String> getTokenAudiences() {
+ return tokenAudiences;
}
- public void setTokenAudience(String tokenAudience) {
- this.tokenAudience = tokenAudience;
+ public void setTokenAudiences(List<String> audiences) {
+ this.tokenAudiences = audiences;
}
-
+
public String[] getTokenRequestParts() {
return tokenRequestParts;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/38680556/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
index 7c64a51..89220f3 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
@@ -35,7 +35,7 @@ public abstract class ServerAccessToken extends AccessToken {
private Client client;
private List<OAuthPermission> scopes = new LinkedList<OAuthPermission>();
private UserSubject subject;
- private String audience;
+ private List<String> audiences = new LinkedList<String>();
private String clientCodeVerifier;
private String nonce;
@@ -69,7 +69,7 @@ public abstract class ServerAccessToken extends AccessToken {
this.client = token.getClient();
this.grantType = token.getGrantType();
this.scopes = token.getScopes();
- this.audience = token.getAudience();
+ this.audiences = token.getAudiences();
this.subject = token.getSubject();
}
@@ -137,14 +137,14 @@ public abstract class ServerAccessToken extends AccessToken {
return grantType;
}
- public String getAudience() {
- return audience;
+ public List<String> getAudiences() {
+ return audiences;
}
- public void setAudience(String audience) {
- this.audience = audience;
+ public void setAudiences(List<String> audiences) {
+ this.audiences = audiences;
}
-
+
protected static ServerAccessToken validateTokenType(ServerAccessToken token, String expectedType) {
if (!token.getTokenType().equals(expectedType)) {
throw new OAuthServiceException(OAuthConstants.SERVER_ERROR);
http://git-wip-us.apache.org/repos/asf/cxf/blob/38680556/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/TokenIntrospection.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/TokenIntrospection.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/TokenIntrospection.java
index 4e3911f..1a172a9 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/TokenIntrospection.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/TokenIntrospection.java
@@ -19,6 +19,7 @@
package org.apache.cxf.rs.security.oauth2.common;
import java.util.HashMap;
+import java.util.List;
import java.util.Map;
// RFC 7622 Introspection Response
@@ -32,7 +33,7 @@ public class TokenIntrospection {
private Long exp;
private Long nbf;
private String sub;
- private String aud;
+ private List<String> aud;
private String iss;
private String jti;
@@ -100,10 +101,10 @@ public class TokenIntrospection {
public void setSub(String sub) {
this.sub = sub;
}
- public String getAud() {
+ public List<String> getAud() {
return aud;
}
- public void setAud(String aud) {
+ public void setAud(List<String> aud) {
this.aud = aud;
}
public String getIss() {
http://git-wip-us.apache.org/repos/asf/cxf/blob/38680556/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java
index c730c9c..0b1a267 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/AccessTokenIntrospectionClient.java
@@ -68,7 +68,7 @@ public class AccessTokenIntrospectionClient implements AccessTokenValidator {
atv.setClientId(response.getClientId());
atv.setTokenIssuedAt(response.getIat());
atv.setTokenLifetime(response.getExp() - response.getIat());
- atv.setAudience(response.getAud());
+ atv.setAudiences(response.getAud());
if (response.getScope() != null) {
String[] scopes = response.getScope().split(" ");
List<OAuthPermission> perms = new LinkedList<OAuthPermission>();
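Review bot: `atv.setAudiences(response.getAud())` overwrites the validation's empty-list default with null whenever the introspection response carries no `aud`, because TokenIntrospection.aud has no initializer in this commit. Downstream code that treats the audiences as a list, such as the `audiences.contains(audience)` call added to OAuthRequestFilter.validateAudiences, then fails with a NullPointerException instead of a clean authorization failure. Guard the copy, `if (response.getAud() != null) { atv.setAudiences(response.getAud()); }`, so an absent claim stays an empty list.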
http://git-wip-us.apache.org/repos/asf/cxf/blob/38680556/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
index 3963a1f..498dd02 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/filters/OAuthRequestFilter.java
@@ -38,6 +38,7 @@ import javax.ws.rs.ext.Provider;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.security.SimplePrincipal;
+import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.jaxrs.provider.FormEncodingProvider;
import org.apache.cxf.jaxrs.utils.ExceptionUtils;
import org.apache.cxf.jaxrs.utils.FormUtils;
@@ -68,7 +69,9 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator
private static final Logger LOG = LogUtils.getL7dLogger(OAuthRequestFilter.class);
private boolean useUserSubject;
- private boolean audienceIsEndpointAddress;
+ private String audience;
+ private boolean completeAudienceMatch;
+
private boolean checkFormData;
private List<String> requiredScopes = Collections.emptyList();
private boolean allPermissionsMatch;
@@ -98,6 +101,10 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator
if (!accessTokenV.isInitialValidationSuccessful()) {
throw ExceptionUtils.toNotAuthorizedException(null, null);
}
+ // Check audiences
+ if (!validateAudiences(accessTokenV.getAudiences())) {
+ AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm);
+ }
// Find the scopes which match the current request
List<OAuthPermission> permissions = accessTokenV.getTokenScopes();
@@ -155,7 +162,7 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator
oauthContext.setClientId(accessTokenV.getClientId());
oauthContext.setClientConfidential(accessTokenV.isClientConfidential());
oauthContext.setTokenKey(accessTokenV.getTokenKey());
- oauthContext.setTokenAudience(accessTokenV.getAudience());
+ oauthContext.setTokenAudiences(accessTokenV.getAudiences());
oauthContext.setTokenRequestParts(authParts);
m.setContent(OAuthContext.class, oauthContext);
}
@@ -234,21 +241,24 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator
return MessageUtils.isTrue(m.get("local_preflight"));
}
- protected boolean validateAudience(String audience) {
- if (audience == null) {
+ protected boolean validateAudiences(List<String> audiences) {
+ if (StringUtils.isEmpty(audiences) && audience == null) {
return true;
}
+ if (audience != null) {
+ return audiences.contains(audience);
+ }
- boolean isValid = super.validateAudience(audience);
- if (isValid && audienceIsEndpointAddress) {
- String requestPath = (String)PhaseInterceptorChain.getCurrentMessage().get(Message.REQUEST_URL);
- isValid = requestPath.startsWith(audience);
+ boolean matched = false;
+ String requestPath = (String)PhaseInterceptorChain.getCurrentMessage().get(Message.REQUEST_URL);
+ for (String s : audiences) {
+ matched = completeAudienceMatch ? requestPath.equals(s) : requestPath.startsWith(s);
+ if (matched) {
+ break;
+ }
}
- return isValid;
- }
-
- public void setAudienceIsEndpointAddress(boolean audienceIsEndpointAddress) {
- this.audienceIsEndpointAddress = audienceIsEndpointAddress;
+ return matched;
+
}
public void setCheckFormData(boolean checkFormData) {
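Review bot: When a filter `audience` is configured but the token carries no audiences, the first guard does not apply (it also requires `audience == null`) and control reaches `audiences.contains(audience)`, which throws NullPointerException when the validation's audiences list is null (an introspection response without `aud` produces exactly that). Rewriting the guard as `if (StringUtils.isEmpty(audiences)) { return audience == null; }` keeps the accept-when-nothing-is-configured case and rejects an audience-less token cleanly when one is expected. Separately, with no filter audience set, each token audience is now compared to the request URL with `startsWith` unless completeAudienceMatch is on, so a token issued for `.../api` is also accepted on `.../api-admin`; this prefix match was previously opt-in via audienceIsEndpointAddress and is now the default, which the Javadoc for setCompleteAudienceMatch in the hunk below should state. The stray blank line before the closing brace can go.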
@@ -299,5 +309,21 @@ public class OAuthRequestFilter extends AbstractAccessTokenValidator
public void setTokenSubjectAuthenticationMethod(AuthenticationMethod method) {
this.am = method;
}
+
+ public String getAudience() {
+ return audience;
+ }
+
+ public void setAudience(String audience) {
+ this.audience = audience;
+ }
+
+ public boolean isCompleteAudienceMatch() {
+ return completeAudienceMatch;
+ }
+
+ public void setCompleteAudienceMatch(boolean completeAudienceMatch) {
+ this.completeAudienceMatch = completeAudienceMatch;
+ }
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/38680556/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
index f107de7..1c552cb 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
@@ -100,7 +100,7 @@ public abstract class AbstractGrantHandler implements AccessTokenGrantHandler {
return doCreateAccessToken(client,
subject,
OAuthUtils.parseScope(params.getFirst(OAuthConstants.SCOPE)),
- params.getFirst(OAuthConstants.CLIENT_AUDIENCE));
+ getAudiences(client, params.getFirst(OAuthConstants.CLIENT_AUDIENCE)));
}
protected ServerAccessToken doCreateAccessToken(Client client,
@@ -113,10 +113,10 @@ public abstract class AbstractGrantHandler implements AccessTokenGrantHandler {
protected ServerAccessToken doCreateAccessToken(Client client,
UserSubject subject,
List<String> requestedScopes,
- String audience) {
+ List<String> audiences) {
return doCreateAccessToken(client, subject, getSingleGrantType(), requestedScopes,
- audience);
+ audiences);
}
protected ServerAccessToken doCreateAccessToken(Client client,
@@ -130,9 +130,9 @@ public abstract class AbstractGrantHandler implements AccessTokenGrantHandler {
UserSubject subject,
String requestedGrant,
List<String> requestedScopes,
- String audience) {
+ List<String> audiences) {
ServerAccessToken token = getPreAuthorizedToken(client, subject, requestedGrant,
- requestedScopes, audience);
+ requestedScopes, audiences);
if (token != null) {
return token;
}
@@ -144,7 +144,7 @@ public abstract class AbstractGrantHandler implements AccessTokenGrantHandler {
reg.setSubject(subject);
reg.setRequestedScope(requestedScopes);
reg.setApprovedScope(Collections.emptyList());
- reg.setAudience(audience);
+ reg.setAudiences(audiences);
return dataProvider.createAccessToken(reg);
}
@@ -152,12 +152,12 @@ public abstract class AbstractGrantHandler implements AccessTokenGrantHandler {
UserSubject subject,
String requestedGrant,
List<String> requestedScopes,
- String audience) {
+ List<String> audiences) {
if (!OAuthUtils.validateScopes(requestedScopes, client.getRegisteredScopes(),
partialMatchScopeValidation)) {
throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_SCOPE));
}
- if (!OAuthUtils.validateAudience(audience, client.getRegisteredAudiences())) {
+ if (!OAuthUtils.validateAudiences(audiences, client.getRegisteredAudiences())) {
throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_GRANT));
}
@@ -181,4 +181,18 @@ public abstract class AbstractGrantHandler implements AccessTokenGrantHandler {
public boolean isCanSupportPublicClients() {
return canSupportPublicClients;
}
+ protected List<String> getAudiences(Client client, String clientAudience) {
+ if (client.getRegisteredAudiences().isEmpty() && clientAudience == null) {
+ return Collections.emptyList();
+ }
+ if (clientAudience != null) {
+ List<String> audiences = Collections.singletonList(clientAudience);
+ if (!OAuthUtils.validateAudiences(audiences, client.getRegisteredAudiences())) {
+ throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
+ }
+ return audiences;
+ } else {
+ return client.getRegisteredAudiences();
+ }
+ }
}
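Review bot: `getAudiences` rejects an unregistered client audience with `new OAuthServiceException(OAuthConstants.INVALID_GRANT)`, while the same condition in `getPreAuthorizedToken` in the hunk above uses `new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_GRANT))`; if the String constructor does not carry an OAuthError, the token endpoint's error body will differ depending on which check fires, and since `getAudiences` runs first it is the String form clients will see. Using the OAuthError form here keeps the response consistent and makes the second validation redundant. The method also returns `client.getRegisteredAudiences()` itself, so the token registered through `reg.setAudiences(audiences)` shares the client's mutable list; a defensive copy would decouple the two.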
http://git-wip-us.apache.org/repos/asf/cxf/blob/38680556/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
index 7e5aab3..a490812 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
@@ -20,6 +20,7 @@
package org.apache.cxf.rs.security.oauth2.grants.code;
import java.util.Collections;
+import java.util.List;
import javax.ws.rs.core.MultivaluedMap;
@@ -80,16 +81,34 @@ public class AuthorizationCodeGrantHandler extends AbstractGrantHandler {
if (!compareCodeVerifierWithChallenge(client, clientCodeVerifier, clientCodeChallenge)) {
throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
}
-
- return doCreateAccessToken(client, grant, getSingleGrantType(), clientCodeVerifier);
+ List<String> audiences = getAudiences(client, params, grant.getAudience());
+ return doCreateAccessToken(client, grant, getSingleGrantType(), clientCodeVerifier, audiences);
}
+ protected List<String> getAudiences(Client client, MultivaluedMap<String, String> params,
+ String grantAudience) {
+ String clientAudience = params.getFirst(OAuthConstants.CLIENT_AUDIENCE);
+ if (client.getRegisteredAudiences().isEmpty() && clientAudience == null && grantAudience == null) {
+ return Collections.emptyList();
+ }
+ // if the audience was approved at the grant creation time and the audience is also
+ // sent to the token endpoint then both values must match
+ if (grantAudience != null && clientAudience != null && !grantAudience.equals(clientAudience)) {
+ throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
+ }
+ return getAudiences(client, clientAudience == null ? grantAudience : clientAudience);
+ }
+
private ServerAccessToken doCreateAccessToken(Client client,
ServerAuthorizationCodeGrant grant,
String requestedGrant,
- String codeVerifier) {
- ServerAccessToken token = getPreAuthorizedToken(client, grant.getSubject(), requestedGrant,
- grant.getRequestedScopes(), grant.getAudience());
+ String codeVerifier,
+ List<String> audiences) {
+ ServerAccessToken token = getPreAuthorizedToken(client,
+ grant.getSubject(),
+ requestedGrant,
+ grant.getRequestedScopes(),
+ getAudiences(client, grant.getAudience()));
if (token != null) {
return token;
}
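Review bot: In `doCreateAccessToken` the pre-authorized token lookup passes `getAudiences(client, grant.getAudience())` while the registration in the next hunk uses the `audiences` parameter derived from the token request; when the client supplies an `audience` at the token endpoint and the grant has none (which the new `getAudiences` overload permits), the lookup and the token being created disagree on audience. Passing the parameter, `audiences);` in place of `getAudiences(client, grant.getAudience()));`, keeps both on the same value. `doCreateAccessToken` continues beyond this hunk.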
@@ -106,7 +125,7 @@ public class AuthorizationCodeGrantHandler extends AbstractGrantHandler {
} else {
reg.setApprovedScope(Collections.emptyList());
}
- reg.setAudience(grant.getAudience());
+ reg.setAudiences(audiences);
reg.setClientCodeVerifier(codeVerifier);
return getDataProvider().createAccessToken(reg);
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/38680556/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
index 5b8bca9..026a835 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
@@ -78,15 +78,6 @@ public class ServerAuthorizationCodeGrant extends AuthorizationCodeGrant {
* Returns the number of seconds this grant can be valid after it was issued
* @return the seconds this grant will be valid for
*/
- @Deprecated
- public long getLifetime() {
- return expiresIn;
- }
-
- /**
- * Returns the number of seconds this grant can be valid after it was issued
- * @return the seconds this grant will be valid for
- */
public long getExpiresIn() {
return expiresIn;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/38680556/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
index ac7a11b..01525b8 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
@@ -62,7 +62,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
protected ServerAccessToken doCreateAccessToken(AccessTokenRegistration accessToken) {
ServerAccessToken at = createNewAccessToken(accessToken.getClient());
- at.setAudience(accessToken.getAudience());
+ at.setAudiences(accessToken.getAudiences());
at.setGrantType(accessToken.getGrantType());
List<String> theScopes = accessToken.getApprovedScope();
List<OAuthPermission> thePermissions =
@@ -201,7 +201,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
}
protected RefreshToken doCreateNewRefreshToken(ServerAccessToken at) {
RefreshToken rt = new RefreshToken(at.getClient(), refreshTokenLifetime);
- rt.setAudience(at.getAudience());
+ rt.setAudiences(at.getAudiences());
rt.setGrantType(at.getGrantType());
rt.setScopes(at.getScopes());
rt.setSubject(at.getSubject());
@@ -219,7 +219,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
RefreshToken oldRefreshToken,
List<String> restrictedScopes) {
ServerAccessToken at = createNewAccessToken(client);
- at.setAudience(oldRefreshToken.getAudience());
+ at.setAudiences(oldRefreshToken.getAudiences());
at.setGrantType(oldRefreshToken.getGrantType());
at.setSubject(oldRefreshToken.getSubject());
if (restrictedScopes.isEmpty()) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/38680556/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java
index fb02230..d2a6766 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthJSONProvider.java
@@ -26,6 +26,8 @@ import java.lang.reflect.Type;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.LinkedHashMap;
+import java.util.LinkedList;
+import java.util.List;
import java.util.Map;
import javax.ws.rs.Consumes;
@@ -37,6 +39,7 @@ import javax.ws.rs.ext.MessageBodyReader;
import javax.ws.rs.ext.MessageBodyWriter;
import javax.ws.rs.ext.Provider;
+import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.helpers.IOUtils;
import org.apache.cxf.rs.security.oauth2.client.OAuthClientUtils;
import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
@@ -91,9 +94,24 @@ public class OAuthJSONProvider implements MessageBodyWriter<Object>,
sb.append(",");
appendJsonPair(sb, OAuthConstants.SCOPE, obj.getScope());
}
- if (obj.getAud() != null) {
+ if (StringUtils.isEmpty(obj.getAud())) {
sb.append(",");
- appendJsonPair(sb, "aud", obj.getAud());
+ if (obj.getAud().size() == 1) {
+ appendJsonPair(sb, "aud", obj.getAud());
+ } else {
+ sb.append("[");
+ StringBuilder arr = new StringBuilder();
+ List<String> auds = obj.getAud();
+ for (int i = 0; i < auds.size(); i++) {
+ if (i > 0) {
+ arr.append(",");
+ }
+ arr.append("\"").append(auds.get(i)).append("\"");
+ }
+ sb.append("]");
+ appendJsonPair(sb, "aud", arr.toString(), false);
+
+ }
}
sb.append(",");
appendJsonPair(sb, "iat", obj.getIat(), false);
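Review bot: The condition `if (StringUtils.isEmpty(obj.getAud()))` is inverted: it enters the block exactly when there is nothing to write, so responses with audiences omit `aud` entirely and a null list throws NullPointerException on `obj.getAud().size()`. Inside the block the single-valued branch hands the List itself to `appendJsonPair`, and the multi-valued branch appends `[` and `]` to `sb` rather than around the values collected in `arr`, which yields `[]"aud":"a","b"` instead of `"aud":["a","b"]`. The values are also inserted without escaping `"` or `\`; audiences normally come from client registration, but escaping them (or routing them through whatever the scope value goes through) costs nothing. The enclosing writer method starts before this hunk.
```java
// … unchanged: scope pair …
if (!StringUtils.isEmpty(obj.getAud())) {
    sb.append(",");
    List<String> auds = obj.getAud();
    if (auds.size() == 1) {
        appendJsonPair(sb, "aud", auds.get(0));
    } else {
        StringBuilder arr = new StringBuilder("[");
        for (int i = 0; i < auds.size(); i++) {
            if (i > 0) {
                arr.append(",");
            }
            arr.append("\"").append(auds.get(i)).append("\"");
        }
        arr.append("]");
        appendJsonPair(sb, "aud", arr.toString(), false);
    }
}
// … unchanged: iat pair …
```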
@@ -219,7 +237,18 @@ public class OAuthJSONProvider implements MessageBodyWriter<Object>,
}
String aud = params.get("aud");
if (aud != null) {
- resp.setAud(aud);
+ if (aud.startsWith("[") && aud.endsWith("]")) {
+ String[] auds = aud.substring(1, aud.length() - 1).split(",");
+ List<String> list = new LinkedList<String>();
+ for (String s : auds) {
+ if (!s.trim().isEmpty()) {
+ list.add(s.trim());
+ }
+ }
+ resp.setAud(list);
+ } else {
+ resp.setAud(Collections.singletonList(aud));
+ }
}
String iat = params.get("iat");
if (iat != null) {
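Review bot: The array branch splits the bracketed value on `,` and trims each piece, but does not strip the surrounding `"` from the elements; unless the code that fills `params` already removes quotes inside array values (not visible here), the list would hold entries like `"https://rs"` with the quotes, which would not compare equal to an audience stored on the server side. A comma inside a quoted audience value would also be split apart. If quotes are indeed preserved, trimming them per element, `if (s.startsWith("\"") && s.endsWith("\"")) { s = s.substring(1, s.length() - 1); }` before `list.add`, makes the reader match the writer in this same file.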
http://git-wip-us.apache.org/repos/asf/cxf/blob/38680556/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java
index 95257d4..df45580 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractAccessTokenValidator.java
@@ -20,7 +20,6 @@ package org.apache.cxf.rs.security.oauth2.services;
import java.util.Collections;
import java.util.HashSet;
-import java.util.LinkedList;
import java.util.List;
import java.util.Set;
@@ -50,7 +49,6 @@ public abstract class AbstractAccessTokenValidator {
private MessageContext mc;
private List<AccessTokenValidator> tokenHandlers = Collections.emptyList();
- private List<String> audiences = new LinkedList<String>();
private OAuthDataProvider dataProvider;
public void setTokenValidator(AccessTokenValidator validator) {
@@ -136,11 +134,6 @@ public abstract class AbstractAccessTokenValidator {
AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm);
}
- // Check audiences
- if (!validateAudience(accessTokenV.getAudience())) {
- AuthorizationUtils.throwAuthorizationFailure(supportedSchemes, realm);
- }
-
return accessTokenV;
}
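Review bot: Removing the audience check from `getAccessTokenValidation` leaves the base class with no audience validation at all; OAuthRequestFilter re-adds one in its own filter method in this commit, but any other subclass of AbstractAccessTokenValidator now receives a validation whose audiences have not been checked against anything. The hunk below also drops the public `getAudiences`/`setAudiences` pair, so existing configurations that set `audiences` on a validator bean will stop wiring. A Javadoc line on `getAccessTokenValidation` such as `Note: the token audiences are not validated here; subclasses must check {@link AccessTokenValidation#getAudiences()} against their own policy.` records the new contract.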
@@ -150,19 +143,9 @@ public abstract class AbstractAccessTokenValidator {
OAuthConstants.ACCESS_TOKEN);
}
- protected boolean validateAudience(String audience) {
- return OAuthUtils.validateAudience(audience, audiences);
- }
-
public void setRealm(String realm) {
this.realm = realm;
}
- public List<String> getAudiences() {
- return audiences;
- }
-
- public void setAudiences(List<String> audiences) {
- this.audiences = audiences;
- }
+
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/38680556/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
index 5ee52cc..6f8a01f 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
@@ -20,6 +20,7 @@
package org.apache.cxf.rs.security.oauth2.services;
import java.net.URI;
+import java.util.Collections;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
@@ -77,7 +78,7 @@ public abstract class AbstractImplicitGrantService extends RedirectionBasedGrant
} else {
reg.setApprovedScope(approvedScope);
}
- reg.setAudience(state.getAudience());
+ reg.setAudiences(Collections.singletonList(state.getAudience()));
reg.setNonce(state.getNonce());
token = getDataProvider().createAccessToken(reg);
}
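Review bot: `Collections.singletonList(state.getAudience())` yields a one-element list holding null when no audience parameter was supplied, whereas the old `setAudience(null)` recorded no audience at all. A `[null]` list is not empty, so the `StringUtils.isEmpty(at.getAudiences())` guard added in TokenIntrospectionService below passes and `aud` is emitted with a null entry, and `OAuthUtils.validateAudiences` would compare the allowed list against a null element. Guarding the conversion, `reg.setAudiences(state.getAudience() == null ? Collections.<String>emptyList() : Collections.singletonList(state.getAudience()));`, keeps the registration's audiences empty in that case. The enclosing method starts outside the hunk.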
http://git-wip-us.apache.org/repos/asf/cxf/blob/38680556/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java
index 8af601a..61bac1c 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java
@@ -19,8 +19,6 @@
package org.apache.cxf.rs.security.oauth2.services;
-import java.net.MalformedURLException;
-import java.net.URL;
import java.util.LinkedList;
import java.util.List;
@@ -52,7 +50,6 @@ import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
public class AccessTokenService extends AbstractTokenService {
private List<AccessTokenGrantHandler> grantHandlers = new LinkedList<AccessTokenGrantHandler>();
private List<AccessTokenResponseFilter> responseHandlers = new LinkedList<AccessTokenResponseFilter>();
- private List<String> audiences = new LinkedList<String>();
/**
* Sets the list of optional grant handlers
@@ -97,7 +94,7 @@ public class AccessTokenService extends AbstractTokenService {
}
try {
- checkAudience(params);
+ checkAudience(client, params);
} catch (OAuthServiceException ex) {
return super.createErrorResponseFromBean(ex.getError());
}
@@ -139,23 +136,9 @@ public class AccessTokenService extends AbstractTokenService {
filter.process(clientToken, serverToken);
}
}
- protected void checkAudience(MultivaluedMap<String, String> params) {
- if (audiences.isEmpty()) {
- return;
- }
-
+ protected void checkAudience(Client c, MultivaluedMap<String, String> params) {
String audienceParam = params.getFirst(OAuthConstants.CLIENT_AUDIENCE);
- if (audienceParam == null) {
- throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
- }
- // must be URL
- try {
- new URL(audienceParam);
- } catch (MalformedURLException ex) {
- throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
- }
-
- if (!audiences.contains(audienceParam)) {
+ if (!OAuthUtils.validateAudience(audienceParam, c.getRegisteredAudiences())) {
throw new OAuthServiceException(new OAuthError(OAuthConstants.ACCESS_DENIED));
}
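Review bot: `c.getRegisteredAudiences()` is handed straight to `OAuthUtils.validateAudience`, which dereferences the allowed list whenever an audience parameter is present; if a Client with no registered audiences returns null from that getter (not visible here), the request ends in an unhandled NullPointerException instead of the `OAuthServiceException` the catch block in the earlier hunk expects, so either guard it here or have the Client guarantee a non-null list. The removed code also rejected a syntactically invalid audience with `INVALID_REQUEST` before the membership test; that check is gone, so a malformed value now surfaces only as `ACCESS_DENIED`, which is defensible but worth a comment such as `// the audience must match one registered for the client; no URL syntax check is applied here`. The method's closing brace is outside the hunk.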
@@ -185,12 +168,4 @@ public class AccessTokenService extends AbstractTokenService {
return null;
}
-
- public List<String> getAudiences() {
- return audiences;
- }
-
- public void setAudiences(List<String> audiences) {
- this.audiences = audiences;
- }
}
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/cxf/blob/38680556/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
index 4d24346..5b050df 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
@@ -160,8 +160,10 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
return createErrorResponse(params, redirectUri, OAuthConstants.INVALID_SCOPE);
}
// Validate the audience
- if (!OAuthUtils.validateAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE),
- client.getRegisteredAudiences())) {
+ String clientAudience = params.getFirst(OAuthConstants.CLIENT_AUDIENCE);
+ // Right now if the audience parameter is set it is expected to be contained
+ // in the list of Client audiences set at the Client registration time.
+ if (!OAuthUtils.validateAudience(clientAudience, client.getRegisteredAudiences())) {
throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
}
@@ -256,6 +258,8 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
state.setClientId(params.getFirst(OAuthConstants.CLIENT_ID));
state.setRedirectUri(params.getFirst(OAuthConstants.REDIRECT_URI));
state.setAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE));
+ // or if no audience parameter is available, set the list of client
+ // audiences for the users to see ?
state.setProposedScope(params.getFirst(OAuthConstants.SCOPE));
state.setState(params.getFirst(OAuthConstants.STATE));
state.setNonce(params.getFirst(OAuthConstants.NONCE));
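Review bot: The added comment is an open design question left in the code rather than a description of what the code does; an unresolved question should be a TODO so it is found again later, e.g. `// TODO: when no audience parameter is provided, consider exposing client.getRegisteredAudiences() in the state so the user can see them`. The enclosing method starts and ends outside the hunk.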
http://git-wip-us.apache.org/repos/asf/cxf/blob/38680556/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java
index 11485fe..645e3a4 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenIntrospectionService.java
@@ -31,6 +31,7 @@ import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.SecurityContext;
import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.jaxrs.ext.MessageContext;
import org.apache.cxf.jaxrs.utils.ExceptionUtils;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
@@ -64,8 +65,8 @@ public class TokenIntrospectionService {
if (at.getSubject() != null) {
response.setUsername(at.getSubject().getLogin());
}
- if (at.getAudience() != null) {
- response.setAud(at.getAudience());
+ if (!StringUtils.isEmpty(at.getAudiences())) {
+ response.setAud(at.getAudiences());
}
response.setIat(at.getIssuedAt());
response.setExp(at.getIssuedAt() + at.getExpiresIn());
http://git-wip-us.apache.org/repos/asf/cxf/blob/38680556/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
index 066cec0..1857bf3 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
@@ -191,8 +191,16 @@ public final class OAuthUtils {
&& issuedAt + lifetime < System.currentTimeMillis() / 1000L;
}
- public static boolean validateAudience(String audience, List<String> audiences) {
- return audience == null || !audiences.isEmpty() && audiences.contains(audience);
+ public static boolean validateAudience(String providedAudience,
+ List<String> allowedAudiences) {
+ return providedAudience == null
+ || validateAudiences(Collections.singletonList(providedAudience), allowedAudiences);
+ }
+ public static boolean validateAudiences(List<String> providedAudiences,
+ List<String> allowedAudiences) {
+ return StringUtils.isEmpty(providedAudiences)
+ && StringUtils.isEmpty(allowedAudiences)
+ || allowedAudiences.contains(providedAudiences);
}
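Review bot: `allowedAudiences.contains(providedAudiences)` asks a `List<String>` whether it contains a `List<String>`, which is always false, so `validateAudiences` is true only when both lists are empty and `validateAudience` rejects every non-null audience; the callers in AccessTokenService.checkAudience and RedirectionBasedGrantService in this commit therefore answer `ACCESS_DENIED`/`INVALID_REQUEST` for any client that sends an audience it has registered. The intended membership test is `containsAll`, the `&&`/`||` mix should be split so the empty cases read explicitly, and `allowedAudiences` needs a null guard because the expression dereferences it whenever `providedAudiences` is non-empty. The rewrite below keeps the "both empty" acceptance and fails closed otherwise.
```java
    public static boolean validateAudiences(List<String> providedAudiences,
                                            List<String> allowedAudiences) {
        if (StringUtils.isEmpty(providedAudiences)) {
            // no audience offered: acceptable only when none is required
            return StringUtils.isEmpty(allowedAudiences);
        }
        return !StringUtils.isEmpty(allowedAudiences)
            && allowedAudiences.containsAll(providedAudiences);
    }
```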
public static boolean checkRequestURI(String servletPath, String uri) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/38680556/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java
index 2b3a798..c23f421 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/ModelEncryptionSupport.java
@@ -236,7 +236,7 @@ public final class ModelEncryptionSupport {
newToken.setRefreshToken(getStringPart(parts[5]));
newToken.setGrantType(getStringPart(parts[6]));
- newToken.setAudience(getStringPart(parts[7]));
+ newToken.setAudiences(parseSimpleList(parts[7]));
newToken.setParameters(parseSimpleMap(parts[8]));
// Permissions
@@ -289,7 +289,7 @@ public final class ModelEncryptionSupport {
state.append(tokenizeString(token.getGrantType()));
// 7: audience
state.append(SEP);
- state.append(tokenizeString(token.getAudience()));
+ state.append(token.getAudiences().toString());
// 8: other parameters
state.append(SEP);
// {key=value, key=value}
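Review bot: `token.getAudiences().toString()` throws a NullPointerException if the token's audiences list is null, where the previous `tokenizeString(token.getAudience())` presumably tolerated a null audience; whether `ServerAccessToken.getAudiences()` can return null is not visible here, so either guard it, `state.append(token.getAudiences() == null ? "[]" : token.getAudiences().toString());`, or have the getter guarantee a non-null list, assuming `parseSimpleList` in the earlier hunk accepts the `List.toString()` form. That form is also unescaped, so an audience value containing `, ` or `]` would not round-trip; a comment stating the constraint, `// audiences are serialized as List.toString(); values must not contain ", " or "]"`, would make it explicit. The enclosing method starts and ends outside the hunk.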
http://git-wip-us.apache.org/repos/asf/cxf/blob/38680556/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/crypto/CryptoUtilsTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/crypto/CryptoUtilsTest.java b/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/crypto/CryptoUtilsTest.java
index fd00e06..9df30fa 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/crypto/CryptoUtilsTest.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/crypto/CryptoUtilsTest.java
@@ -228,7 +228,7 @@ public class CryptoUtilsTest extends Assert {
assertEquals(endUser1.getRoles(), endUser2.getRoles());
assertEquals(token.getRefreshToken(), token2.getRefreshToken());
- assertEquals(token.getAudience(), token2.getAudience());
+ assertEquals(token.getAudiences(), token2.getAudiences());
assertEquals(token.getGrantType(), token2.getGrantType());
assertEquals(token.getParameters(), token2.getParameters());
@@ -251,7 +251,7 @@ public class CryptoUtilsTest extends Assert {
Client regClient = p.getClient("1");
atr.setClient(regClient);
atr.setGrantType("code");
- atr.setAudience("http://localhost");
+ atr.setAudiences(Collections.singletonList("http://localhost"));
UserSubject endUser = new UserSubject("Barry", "BarryId");
atr.setSubject(endUser);
endUser.setRoles(Collections.singletonList("role1"));
http://git-wip-us.apache.org/repos/asf/cxf/blob/38680556/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/crypto/EncryptingDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/crypto/EncryptingDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/crypto/EncryptingDataProvider.java
index 55c9332..5d2f40d 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/crypto/EncryptingDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/utils/crypto/EncryptingDataProvider.java
@@ -119,7 +119,7 @@ public class EncryptingDataProvider implements OAuthDataProvider {
createRefreshToken(token);
token.setGrantType(accessTokenReg.getGrantType());
- token.setAudience(accessTokenReg.getAudience());
+ token.setAudiences(accessTokenReg.getAudiences());
token.setParameters(Collections.singletonMap("param", "value"));
token.setScopes(Collections.singletonList(
new OAuthPermission("read", "read permission")));