Posted to commits@cxf.apache.org by co...@apache.org on 2015/12/11 16:42:05 UTC
[1/3] cxf git commit: Store the nonce + include it in the IdToken
Repository: cxf
Updated Branches:
refs/heads/3.1.x-fixes 358589c33 -> 6a328a5c0
Store the nonce + include it in the IdToken
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/86830481
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/86830481
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/86830481
Branch: refs/heads/3.1.x-fixes
Commit: 868304818c7b687d33cdf0ae1a620d06f2b9028f
Parents: 358589c
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Dec 11 11:55:52 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Dec 11 15:24:41 2015 +0000
----------------------------------------------------------------------
.../oauth2/common/ServerAccessToken.java | 9 +++
.../oauth2/grants/AbstractGrantHandler.java | 66 +++++++++++---------
.../grants/code/AbstractCodeDataProvider.java | 1 +
.../code/AuthorizationCodeGrantHandler.java | 38 ++++++++---
.../code/ServerAuthorizationCodeGrant.java | 9 +++
.../provider/AbstractOAuthDataProvider.java | 1 +
.../oidc/idp/IdTokenResponseFilter.java | 3 +
7 files changed, 90 insertions(+), 37 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/86830481/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
index d5cc449..7c64a51 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
@@ -37,6 +37,7 @@ public abstract class ServerAccessToken extends AccessToken {
private UserSubject subject;
private String audience;
private String clientCodeVerifier;
+ private String nonce;
protected ServerAccessToken() {
@@ -158,4 +159,12 @@ public abstract class ServerAccessToken extends AccessToken {
public void setClientCodeVerifier(String clientCodeVerifier) {
this.clientCodeVerifier = clientCodeVerifier;
}
+
+ public String getNonce() {
+ return nonce;
+ }
+
+ public void setNonce(String nonce) {
+ this.nonce = nonce;
+ }
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/86830481/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
index 38ab690..f107de7 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
@@ -100,51 +100,39 @@ public abstract class AbstractGrantHandler implements AccessTokenGrantHandler {
return doCreateAccessToken(client,
subject,
OAuthUtils.parseScope(params.getFirst(OAuthConstants.SCOPE)),
- null,
params.getFirst(OAuthConstants.CLIENT_AUDIENCE));
}
protected ServerAccessToken doCreateAccessToken(Client client,
UserSubject subject,
- List<String> requestedScope) {
+ List<String> requestedScopes) {
- return doCreateAccessToken(client, subject, getSingleGrantType(), requestedScope);
+ return doCreateAccessToken(client, subject, getSingleGrantType(), requestedScopes);
}
protected ServerAccessToken doCreateAccessToken(Client client,
UserSubject subject,
- List<String> requestedScope,
- List<String> approvedScope,
+ List<String> requestedScopes,
String audience) {
- return doCreateAccessToken(client, subject, getSingleGrantType(), requestedScope,
- approvedScope, audience, null);
+ return doCreateAccessToken(client, subject, getSingleGrantType(), requestedScopes,
+ audience);
}
protected ServerAccessToken doCreateAccessToken(Client client,
UserSubject subject,
String requestedGrant,
- List<String> requestedScope) {
- return doCreateAccessToken(client, subject, requestedGrant, requestedScope, null, null, null);
+ List<String> requestedScopes) {
+ return doCreateAccessToken(client, subject, requestedGrant, requestedScopes, null);
}
+
protected ServerAccessToken doCreateAccessToken(Client client,
UserSubject subject,
String requestedGrant,
- List<String> requestedScope,
- List<String> approvedScope,
- String audience,
- String codeVerifier) {
- if (!OAuthUtils.validateScopes(requestedScope, client.getRegisteredScopes(),
- partialMatchScopeValidation)) {
- throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_SCOPE));
- }
- if (!OAuthUtils.validateAudience(audience, client.getRegisteredAudiences())) {
- throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_GRANT));
- }
-
- // Check if a pre-authorized token available
- ServerAccessToken token = dataProvider.getPreauthorizedToken(
- client, requestedScope, subject, requestedGrant);
+ List<String> requestedScopes,
+ String audience) {
+ ServerAccessToken token = getPreAuthorizedToken(client, subject, requestedGrant,
+ requestedScopes, audience);
if (token != null) {
return token;
}
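Review bot: Dropping the seven-argument `doCreateAccessToken(..., approvedScope, audience, codeVerifier)` overload at L97-L100 removes a `protected` method from a 3.1.x-fixes release, so any out-of-tree `AbstractGrantHandler` subclass that called it stops compiling on a patch upgrade. Keeping it as a deprecated delegating overload that still builds the registration the old way, or at least calling the removal out in the release notes, would avoid that. The replacement `doCreateAccessToken` starting at L94 continues past the end of this hunk.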
@@ -154,16 +142,34 @@ public abstract class AbstractGrantHandler implements AccessTokenGrantHandler {
reg.setClient(client);
reg.setGrantType(requestedGrant);
reg.setSubject(subject);
- reg.setRequestedScope(requestedScope);
- if (approvedScope == null) {
- approvedScope = Collections.emptyList();
- }
- reg.setApprovedScope(approvedScope);
+ reg.setRequestedScope(requestedScopes);
+ reg.setApprovedScope(Collections.emptyList());
reg.setAudience(audience);
- reg.setClientCodeVerifier(codeVerifier);
return dataProvider.createAccessToken(reg);
}
+ protected ServerAccessToken getPreAuthorizedToken(Client client,
+ UserSubject subject,
+ String requestedGrant,
+ List<String> requestedScopes,
+ String audience) {
+ if (!OAuthUtils.validateScopes(requestedScopes, client.getRegisteredScopes(),
+ partialMatchScopeValidation)) {
+ throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_SCOPE));
+ }
+ if (!OAuthUtils.validateAudience(audience, client.getRegisteredAudiences())) {
+ throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_GRANT));
+ }
+
+ // Get a pre-authorized token if available
+ return dataProvider.getPreauthorizedToken(
+ client, requestedScopes, subject, requestedGrant);
+ }
+
+ public boolean isPartialMatchScopeValidation() {
+ return partialMatchScopeValidation;
+ }
+
public void setPartialMatchScopeValidation(boolean partialMatchScopeValidation) {
this.partialMatchScopeValidation = partialMatchScopeValidation;
}
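Review bot: `getPreAuthorizedToken` (L134-L150) is now the only place that rejects unregistered scopes and audiences, yet its name reads as a plain lookup, so a subclass overriding it to return `null`, or a later refactor that skips it, silently drops both checks. A Javadoc making the contract explicit would help: `Validates the requested scopes and audience against the client registration (throwing OAuthServiceException with invalid_scope or invalid_grant) before returning the data provider's pre-authorized token, or null. Token creation must go through this method.` The new public `isPartialMatchScopeValidation()` at L152 also lacks a Javadoc pairing it with the existing setter.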
http://git-wip-us.apache.org/repos/asf/cxf/blob/86830481/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
index 6bed976..1b63bb3 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
@@ -55,6 +55,7 @@ public abstract class AbstractCodeDataProvider extends AbstractOAuthDataProvider
grant.setApprovedScopes(reg.getApprovedScope());
grant.setAudience(reg.getAudience());
grant.setClientCodeChallenge(reg.getClientCodeChallenge());
+ grant.setNonce(reg.getNonce());
return grant;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/86830481/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
index 9a6888a..6d7fc1a 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
@@ -19,8 +19,11 @@
package org.apache.cxf.rs.security.oauth2.grants.code;
+import java.util.Collections;
+
import javax.ws.rs.core.MultivaluedMap;
+import org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.grants.AbstractGrantHandler;
@@ -78,13 +81,34 @@ public class AuthorizationCodeGrantHandler extends AbstractGrantHandler {
throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
}
- return doCreateAccessToken(client,
- grant.getSubject(),
- getSingleGrantType(),
- grant.getRequestedScopes(),
- grant.getApprovedScopes(),
- grant.getAudience(),
- clientCodeVerifier);
+ return doCreateAccessToken(client, grant, getSingleGrantType(), clientCodeVerifier);
+ }
+
+ private ServerAccessToken doCreateAccessToken(Client client,
+ ServerAuthorizationCodeGrant grant,
+ String requestedGrant,
+ String codeVerifier) {
+ ServerAccessToken token = getPreAuthorizedToken(client, grant.getSubject(), requestedGrant,
+ grant.getRequestedScopes(), grant.getAudience());
+ if (token != null) {
+ return token;
+ }
+
+ // Delegate to the data provider to create the one
+ AccessTokenRegistration reg = new AccessTokenRegistration();
+ reg.setClient(client);
+ reg.setGrantType(requestedGrant);
+ reg.setSubject(grant.getSubject());
+ reg.setRequestedScope(grant.getRequestedScopes());
+ reg.setNonce(grant.getNonce());
+ if (grant.getApprovedScopes() != null) {
+ reg.setApprovedScope(grant.getApprovedScopes());
+ } else {
+ reg.setApprovedScope(Collections.emptyList());
+ }
+ reg.setAudience(grant.getAudience());
+ reg.setClientCodeVerifier(codeVerifier);
+ return getDataProvider().createAccessToken(reg);
}
private boolean compareCodeVerifierWithChallenge(Client c, String clientCodeVerifier,
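Review bot: The private `doCreateAccessToken` at L200-L224 re-implements the registration-building body of `AbstractGrantHandler.doCreateAccessToken` (L120-L132 in this commit) almost line for line, differing only in the nonce, approved-scope and code-verifier setters, and the "Fixing merge" commit further down this page already had to patch both copies. A base-class hook taking the registration, for example `protected ServerAccessToken createAccessToken(AccessTokenRegistration reg)` that reads client, subject, grant type, scopes and audience from `reg`, runs the `getPreAuthorizedToken` check and then calls `dataProvider.createAccessToken(reg)`, would let this handler only fill in the extra fields. The comment at L210 should also read `// Delegate to the data provider to create the token`.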
http://git-wip-us.apache.org/repos/asf/cxf/blob/86830481/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
index a1aba9f..5b8bca9 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
@@ -40,6 +40,7 @@ public class ServerAuthorizationCodeGrant extends AuthorizationCodeGrant {
private UserSubject subject;
private String audience;
private String clientCodeChallenge;
+ private String nonce;
public ServerAuthorizationCodeGrant() {
@@ -165,4 +166,12 @@ public class ServerAuthorizationCodeGrant extends AuthorizationCodeGrant {
public void setRequestedScopes(List<String> requestedScopes) {
this.requestedScopes = requestedScopes;
}
+
+ public String getNonce() {
+ return nonce;
+ }
+
+ public void setNonce(String nonce) {
+ this.nonce = nonce;
+ }
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/86830481/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
index 149bff1..9bb52ed 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
@@ -67,6 +67,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
at.setScopes(thePermissions);
at.setSubject(accessToken.getSubject());
at.setClientCodeVerifier(accessToken.getClientCodeVerifier());
+ at.setNonce(accessToken.getNonce());
return at;
}
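Review bot: `at.setNonce(accessToken.getNonce())` at L262 carries the nonce onto every token derived from `accessToken`, so if this method is the refresh path, ID Tokens minted for refreshed access tokens will repeat the nonce of the original authentication request. That may be intended so the client can still correlate, but the nonce was chosen to bind one authentication response to one client session, so a comment recording the decision would help, e.g. `// keep the nonce so ID Tokens issued from this token still carry the original request's nonce`. The enclosing method starts outside the hunk, so whether this is refresh or initial issuance is not visible here.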
http://git-wip-us.apache.org/repos/asf/cxf/blob/86830481/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
index b8ab2b2..f7d6b9a 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
@@ -49,6 +49,9 @@ public class IdTokenResponseFilter extends AbstractOAuthServerJoseJwtProducer im
if (userInfoProvider != null) {
IdToken idToken =
userInfoProvider.getIdToken(st.getClient().getClientId(), st.getSubject(), st.getScopes());
+ if (st.getNonce() != null) {
+ idToken.setNonce(st.getNonce());
+ }
setAtHash(idToken, st);
return super.processJwt(new JwtToken(idToken), st.getClient());
} else if (st.getSubject().getProperties().containsKey(OidcUtils.ID_TOKEN)) {
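Review bot: The nonce is only copied into the ID Token on the `userInfoProvider != null` branch (L275-L277); the `else if` branch at L280 that takes the ID Token from the subject properties does not get it, so if that branch also produces an `IdToken` object the stored nonce is lost there and clients validating the nonce per OpenID Connect Core section 2 will reject the token. If the property holds an already-built IdToken, applying the same `if (st.getNonce() != null) idToken.setNonce(st.getNonce())` before signing keeps both paths consistent. A short comment on why the copy happens would also help: `// OIDC Core: a nonce sent in the authentication request must be echoed in the ID Token`.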
[3/3] cxf git commit: Fixing merge
Posted by co...@apache.org.
Fixing merge
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/6a328a5c
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/6a328a5c
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/6a328a5c
Branch: refs/heads/3.1.x-fixes
Commit: 6a328a5c03cf04330293221fb1bb44173afa790f
Parents: 3d373ea
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Dec 11 15:41:56 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Dec 11 15:41:56 2015 +0000
----------------------------------------------------------------------
.../cxf/rs/security/oauth2/grants/AbstractGrantHandler.java | 3 ++-
.../oauth2/grants/code/AuthorizationCodeGrantHandler.java | 4 +++-
2 files changed, 5 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/6a328a5c/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
index f107de7..c3c34af 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
@@ -143,7 +143,8 @@ public abstract class AbstractGrantHandler implements AccessTokenGrantHandler {
reg.setGrantType(requestedGrant);
reg.setSubject(subject);
reg.setRequestedScope(requestedScopes);
- reg.setApprovedScope(Collections.emptyList());
+ List<String> approvedScopes = Collections.emptyList();
+ reg.setApprovedScope(approvedScopes);
reg.setAudience(audience);
return dataProvider.createAccessToken(reg);
}
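Review bot: The temporary `List<String> approvedScopes = Collections.emptyList();` at L311-L312 presumably exists only to give an older javac an inference target; the explicit type witness `reg.setApprovedScope(Collections.<String>emptyList());` does the same in one line and documents the intent, and the same applies to L332-L333 in AuthorizationCodeGrantHandler. Whichever form is kept, a short comment would stop the next reader from inlining it again and re-breaking the build.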
http://git-wip-us.apache.org/repos/asf/cxf/blob/6a328a5c/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
index 6d7fc1a..72021f0 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
@@ -20,6 +20,7 @@
package org.apache.cxf.rs.security.oauth2.grants.code;
import java.util.Collections;
+import java.util.List;
import javax.ws.rs.core.MultivaluedMap;
@@ -104,7 +105,8 @@ public class AuthorizationCodeGrantHandler extends AbstractGrantHandler {
if (grant.getApprovedScopes() != null) {
reg.setApprovedScope(grant.getApprovedScopes());
} else {
- reg.setApprovedScope(Collections.emptyList());
+ List<String> approvedScopes = Collections.emptyList();
+ reg.setApprovedScope(approvedScopes);
}
reg.setAudience(grant.getAudience());
reg.setClientCodeVerifier(codeVerifier);
[2/3] cxf git commit: Make sure the State is always returned to the
client on an error
Posted by co...@apache.org.
Make sure the State is always returned to the client on an error
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/3d373ea9
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/3d373ea9
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/3d373ea9
Branch: refs/heads/3.1.x-fixes
Commit: 3d373ea991a8415f6161468f36947143411e2cf1
Parents: 8683048
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Dec 11 15:10:31 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Dec 11 15:24:43 2015 +0000
----------------------------------------------------------------------
.../oauth2/client/OAuthClientUtils.java | 11 +--
.../oauth2/services/AbstractOAuthService.java | 9 ++-
.../oauth2/services/AbstractTokenService.java | 81 ++++++++++++--------
.../oauth2/services/AccessTokenService.java | 3 +-
.../services/DirectAuthorizationService.java | 41 ++++++----
.../services/RedirectionBasedGrantService.java | 79 ++++++++++---------
.../oauth2/services/TokenRevocationService.java | 3 +-
7 files changed, 132 insertions(+), 95 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/3d373ea9/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java
index e00ce0b..0f6807d 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java
@@ -68,18 +68,11 @@ public final class OAuthClientUtils {
String redirectUri,
String state,
String scope) {
- UriBuilder ub = getAuthorizationURIBuilder(authorizationServiceURI,
+ return getAuthorizationURIBuilder(authorizationServiceURI,
clientId,
redirectUri,
state,
- scope);
- if (redirectUri != null) {
- ub.queryParam(OAuthConstants.REDIRECT_URI, redirectUri);
- }
- if (state != null) {
- ub.queryParam(OAuthConstants.STATE, state);
- }
- return ub.build();
+ scope).build();
}
public static UriBuilder getAuthorizationURIBuilder(String authorizationServiceURI,
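Review bot: After this change `getAuthorizationURI` relies entirely on `getAuthorizationURIBuilder` (declared at L387, body outside the hunk) to append `redirect_uri` and `state`; if the builder does not already add them, both query parameters silently disappear from the authorization URI, and `state` is what the client later uses to tie the callback to its own session. Presumably the builder does add them and this removes a duplicated pair, but a unit test asserting that the built URI contains exactly one `redirect_uri` and one `state` parameter would pin that. The enclosing method's signature starts before the hunk.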
http://git-wip-us.apache.org/repos/asf/cxf/blob/3d373ea9/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractOAuthService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractOAuthService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractOAuthService.java
index 994f0d7..56121d3 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractOAuthService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractOAuthService.java
@@ -123,13 +123,14 @@ public abstract class AbstractOAuthService {
}
}
- protected void reportInvalidRequestError(String errorDescription) {
- reportInvalidRequestError(errorDescription, MediaType.APPLICATION_JSON_TYPE);
+ protected void reportInvalidRequestError(String errorDescription, String state) {
+ reportInvalidRequestError(errorDescription, state, MediaType.APPLICATION_JSON_TYPE);
}
- protected void reportInvalidRequestError(String errorDescription, MediaType mt) {
+ protected void reportInvalidRequestError(String errorDescription, String state, MediaType mt) {
OAuthError error =
new OAuthError(OAuthConstants.INVALID_REQUEST, errorDescription);
+ error.setState(state);
reportInvalidRequestError(error, mt);
}
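Review bot: Replacing the `protected` overloads `reportInvalidRequestError(String)` and `reportInvalidRequestError(String, MediaType)` at L397 and L402 instead of adding the new forms alongside them is a source-incompatible change to a class meant for extension, on a 3.1.x-fixes branch; subclasses that call or override the old forms break on a patch upgrade. Keeping `protected void reportInvalidRequestError(String errorDescription) { reportInvalidRequestError(errorDescription, (String) null); }` and the equivalent `MediaType` form delegating with a null state would preserve them. The same applies to `handleException` (L541-L542), `getClient(String)` (L574-L575), `reportInvalidClient()` (L603-L605) and the renamed `isConfidenatialClientSecretValid` (L485-L486) in AbstractTokenService, where the misspelled name could stay as a deprecated delegate.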
@@ -144,7 +145,7 @@ public abstract class AbstractOAuthService {
}
throw ExceptionUtils.toBadRequestException(null, rb.entity(entity).build());
}
-
+
/**
* HTTPS is the default transport for OAuth 2.0 services, this property
* can be used to block all the requests issued over HTTP
http://git-wip-us.apache.org/repos/asf/cxf/blob/3d373ea9/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
index a31fb5d..7fd1ed9 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.java
@@ -63,29 +63,30 @@ public class AbstractTokenService extends AbstractOAuthService {
String clientId = retrieveClientId(params);
if (clientId != null) {
client = getAndValidateClientFromIdAndSecret(clientId,
- params.getFirst(OAuthConstants.CLIENT_SECRET));
+ params.getFirst(OAuthConstants.CLIENT_SECRET),
+ params);
}
} else {
String clientId = retrieveClientId(params);
if (clientId != null) {
- client = getClient(clientId);
+ client = getClient(clientId, params);
} else if (principal.getName() != null) {
- client = getClient(principal.getName());
+ client = getClient(principal.getName(), params);
}
}
if (client == null) {
- client = getClientFromTLSCertificates(sc, getTlsSessionInfo());
+ client = getClientFromTLSCertificates(sc, getTlsSessionInfo(), params);
if (client == null) {
// Basic Authentication is expected by default
- client = getClientFromBasicAuthScheme();
+ client = getClientFromBasicAuthScheme(params);
}
}
if (client != null && !client.getApplicationCertificates().isEmpty()) {
// Validate the client application certificates
- compareTlsCertificates(getTlsSessionInfo(), client.getApplicationCertificates());
+ compareTlsCertificates(getTlsSessionInfo(), client.getApplicationCertificates(), params);
}
if (client == null) {
- reportInvalidClient();
+ reportInvalidClient(params.getFirst(OAuthConstants.STATE));
}
return client;
}
@@ -107,21 +108,22 @@ public class AbstractTokenService extends AbstractOAuthService {
}
// Get the Client and check the id and secret
- protected Client getAndValidateClientFromIdAndSecret(String clientId, String providedClientSecret) {
- Client client = getClient(clientId);
+ protected Client getAndValidateClientFromIdAndSecret(String clientId, String providedClientSecret,
+ MultivaluedMap<String, String> params) {
+ Client client = getClient(clientId, params);
if (!client.getClientId().equals(clientId)) {
- reportInvalidClient();
+ reportInvalidClient(params.getFirst(OAuthConstants.STATE));
}
if (isValidPublicClient(client, clientId, providedClientSecret)) {
return client;
}
if (!client.isConfidential()
- || !isConfidenatialClientSecretValid(client, providedClientSecret)) {
- reportInvalidClient();
+ || !isConfidentialClientSecretValid(client, providedClientSecret)) {
+ reportInvalidClient(params.getFirst(OAuthConstants.STATE));
}
return client;
}
- protected boolean isConfidenatialClientSecretValid(Client client, String providedClientSecret) {
+ protected boolean isConfidentialClientSecretValid(Client client, String providedClientSecret) {
if (clientSecretVerifier != null) {
return clientSecretVerifier.validateClientSecret(client, providedClientSecret);
} else {
@@ -136,22 +138,23 @@ public class AbstractTokenService extends AbstractOAuthService {
&& clientSecret == null;
}
- protected Client getClientFromBasicAuthScheme() {
+ protected Client getClientFromBasicAuthScheme(MultivaluedMap<String, String> params) {
String[] userInfo = AuthorizationUtils.getBasicAuthUserInfo(getMessageContext());
if (userInfo != null && userInfo.length == 2) {
- return getAndValidateClientFromIdAndSecret(userInfo[0], userInfo[1]);
+ return getAndValidateClientFromIdAndSecret(userInfo[0], userInfo[1], params);
} else {
return null;
}
}
- protected Client getClientFromTLSCertificates(SecurityContext sc, TLSSessionInfo tlsSessionInfo) {
+ protected Client getClientFromTLSCertificates(SecurityContext sc, TLSSessionInfo tlsSessionInfo,
+ MultivaluedMap<String, String> params) {
Client client = null;
if (tlsSessionInfo != null && StringUtils.isEmpty(sc.getAuthenticationScheme())) {
// Pure 2-way TLS authentication
String clientId = getClientIdFromTLSCertificates(sc, tlsSessionInfo);
if (!StringUtils.isEmpty(clientId)) {
- client = getClient(clientId);
+ client = getClient(clientId, params);
}
}
return client;
@@ -167,7 +170,8 @@ public class AbstractTokenService extends AbstractOAuthService {
}
protected void compareTlsCertificates(TLSSessionInfo tlsInfo,
- List<String> base64EncodedCerts) {
+ List<String> base64EncodedCerts,
+ MultivaluedMap<String, String> params) {
if (tlsInfo != null) {
Certificate[] clientCerts = tlsInfo.getPeerCertificates();
if (clientCerts.length == base64EncodedCerts.size()) {
@@ -177,7 +181,7 @@ public class AbstractTokenService extends AbstractOAuthService {
byte[] encodedKey = x509Cert.getEncoded();
byte[] clientKey = Base64Utility.decode(base64EncodedCerts.get(i));
if (!Arrays.equals(encodedKey, clientKey)) {
- reportInvalidClient();
+ reportInvalidClient(params.getFirst(OAuthConstants.STATE));
}
}
return;
@@ -186,23 +190,28 @@ public class AbstractTokenService extends AbstractOAuthService {
}
}
}
- reportInvalidClient();
+ reportInvalidClient(params.getFirst(OAuthConstants.STATE));
}
- protected Response handleException(OAuthServiceException ex, String error) {
+ protected Response handleException(OAuthServiceException ex, String error, String state) {
OAuthError customError = ex.getError();
if (writeCustomErrors && customError != null) {
+ customError.setState(state);
return createErrorResponseFromBean(customError);
} else {
- return createErrorResponseFromBean(new OAuthError(error));
+ OAuthError oauthError = new OAuthError(error);
+ oauthError.setState(state);
+ return createErrorResponseFromBean(oauthError);
}
}
protected Response createErrorResponse(MultivaluedMap<String, String> params,
String error) {
- return createErrorResponseFromBean(new OAuthError(error));
+ OAuthError oauthError = new OAuthError(error);
+ oauthError.setState(params.getFirst(OAuthConstants.STATE));
+ return createErrorResponseFromBean(oauthError);
}
protected Response createErrorResponseFromBean(OAuthError errorBean) {
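Review bot: `customError.setState(state)`, `oauthError.setState(state)` and `oauthError.setState(params.getFirst(OAuthConstants.STATE))` at L545, L550 and L558 echo a caller-supplied request parameter into the error entity, which is required OAuth behaviour for the authorization endpoint but an extension for the token endpoint, where RFC 6749 section 5.2 defines only `error`, `error_description` and `error_uri`. With the JSON media type the serializer encodes the value, but `reportInvalidRequestError(String, String, MediaType)` in AbstractOAuthService accepts other media types, so confirm that every entity writer reachable there escapes the value, and consider capping its length before reflecting it. A one-line comment such as `// state is deliberately echoed in token-endpoint errors so the client can correlate them` would save the next reader from treating it as a bug.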
@@ -211,32 +220,44 @@ public class AbstractTokenService extends AbstractOAuthService {
/**
* Get the {@link Client} reference
- * @param clientId the provided client id
+ * @param clientId The Client Id
+ * @param params request parameters
* @return Client the client reference
- * @throws {@link javax.ws.rs.WebApplicationException} if no matching Client is found
+ * @throws {@link javax.ws.rs.WebApplicationException} if no matching Client is found,
+ * the error is returned directly to the end user without
+ * following the redirect URI if any
*/
- protected Client getClient(String clientId) {
+ protected Client getClient(String clientId, MultivaluedMap<String, String> params) {
+ String state = null;
+ if (params != null) {
+ state = params.getFirst(OAuthConstants.STATE);
+ }
+
if (clientId == null) {
- reportInvalidRequestError("Client ID is null");
+ reportInvalidRequestError("Client ID is null", state);
return null;
}
+
Client client = null;
try {
client = getValidClient(clientId);
} catch (OAuthServiceException ex) {
if (ex.getError() != null) {
+ ex.getError().setState(state);
reportInvalidClient(ex.getError());
return null;
}
}
if (client == null) {
- reportInvalidClient();
+ reportInvalidClient(state);
}
return client;
}
- protected void reportInvalidClient() {
- reportInvalidClient(new OAuthError(OAuthConstants.INVALID_CLIENT));
+ protected void reportInvalidClient(String state) {
+ OAuthError error = new OAuthError(OAuthConstants.INVALID_CLIENT);
+ error.setState(state);
+ reportInvalidClient(error);
}
protected void reportInvalidClient(OAuthError error) {
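Review bot: `getClient` guards `params != null` at L577 before reading `state`, but every other new call site dereferences `params` unguarded — `params.getFirst(OAuthConstants.STATE)` at L458, L472, L481, L530, L539 and L558, and in AccessTokenService at L623 — so either the guard is unnecessary or those sites can NPE and turn an invalid-client error into a 500 that carries no `state` at all. A small helper on AbstractTokenService would make the behaviour uniform: `protected static String getState(MultivaluedMap<String, String> params) { return params == null ? null : params.getFirst(OAuthConstants.STATE); }`. Separately, the Javadoc at L570 (and the copy at L663 in DirectAuthorizationService) should read `@throws javax.ws.rs.WebApplicationException if no matching Client is found, ...`, since the `@throws` tag expects the exception type itself rather than a `{@link}`.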
http://git-wip-us.apache.org/repos/asf/cxf/blob/3d373ea9/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java
index 8af601a..27cf21a 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java
@@ -119,7 +119,8 @@ public class AccessTokenService extends AbstractTokenService {
// restriction on a number of return statements
OAuthServiceException oauthEx = ex instanceof OAuthServiceException
? (OAuthServiceException)ex : new OAuthServiceException(ex);
- return handleException(oauthEx, OAuthConstants.INVALID_GRANT);
+ return handleException(oauthEx, OAuthConstants.INVALID_GRANT,
+ params.getFirst(OAuthConstants.STATE));
}
if (serverToken == null) {
return createErrorResponse(params, OAuthConstants.INVALID_GRANT);
http://git-wip-us.apache.org/repos/asf/cxf/blob/3d373ea9/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DirectAuthorizationService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DirectAuthorizationService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DirectAuthorizationService.java
index 26212d8..5e0abe1 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DirectAuthorizationService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/DirectAuthorizationService.java
@@ -52,7 +52,7 @@ public class DirectAuthorizationService extends AbstractOAuthService {
SecurityContext sc = getAndValidateSecurityContext(params);
// Create a UserSubject representing the end user
UserSubject userSubject = createUserSubject(sc);
- Client client = getClient(params);
+ Client client = getClient(params.getFirst(OAuthConstants.CLIENT_ID), params);
AccessTokenRegistration reg = new AccessTokenRegistration();
reg.setClient(client);
@@ -96,35 +96,48 @@ public class DirectAuthorizationService extends AbstractOAuthService {
return OAuthUtils.createSubject(securityContext);
}
}
-
- public SubjectCreator getSubjectCreator() {
- return subjectCreator;
- }
-
- public void setSubjectCreator(SubjectCreator subjectCreator) {
- this.subjectCreator = subjectCreator;
- }
- protected Client getClient(MultivaluedMap<String, String> params) {
- return getClient(params.getFirst(OAuthConstants.CLIENT_ID));
- }
- protected Client getClient(String clientId) {
+
+ /**
+ * Get the {@link Client} reference
+ * @param clientId The Client Id
+ * @param params request parameters
+ * @return Client the client reference
+ * @throws {@link javax.ws.rs.WebApplicationException} if no matching Client is found,
+ * the error is returned directly to the end user without
+ * following the redirect URI if any
+ */
+ protected Client getClient(String clientId, MultivaluedMap<String, String> params) {
Client client = null;
+ String state = null;
+
+ if (params != null) {
+ state = params.getFirst(OAuthConstants.STATE);
+ }
try {
client = getValidClient(clientId);
} catch (OAuthServiceException ex) {
if (ex.getError() != null) {
+ ex.getError().setState(state);
reportInvalidRequestError(ex.getError(), null);
}
}
if (client == null) {
- reportInvalidRequestError("Client ID is invalid", null);
+ reportInvalidRequestError("Client ID is invalid", state, null);
}
return client;
}
+ public SubjectCreator getSubjectCreator() {
+ return subjectCreator;
+ }
+
+ public void setSubjectCreator(SubjectCreator subjectCreator) {
+ this.subjectCreator = subjectCreator;
+ }
+
public boolean isPartialMatchScopeValidation() {
return partialMatchScopeValidation;
}
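Review bot: The `getClient(String, MultivaluedMap)` body added here is the same method, verbatim, as the one added to RedirectionBasedGrantService later in this diff; both classes extend AbstractOAuthService per the hunk headers, so the shared parent is the natural home for it and would keep the two error paths from drifting. Because the redirect URI is passed as null, the error carrying the request-supplied `state` is rendered directly to the user agent; it is worth confirming that the direct rendering path in `reportInvalidRequestError` output-encodes that value, since it is untrusted request input. The Javadoc tag should also name the type rather than link it: `@throws javax.ws.rs.WebApplicationException if no matching Client is found, the error is returned directly to the end user without following the redirect URI if any`.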
http://git-wip-us.apache.org/repos/asf/cxf/blob/3d373ea9/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
index 53cedaf..442c625 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
@@ -118,7 +118,7 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
SecurityContext sc = getAndValidateSecurityContext(params);
// Create a UserSubject representing the end user
UserSubject userSubject = createUserSubject(sc);
- Client client = getClient(params);
+ Client client = getClient(params.getFirst(OAuthConstants.CLIENT_ID), params);
return startAuthorization(params, userSubject, client);
}
@@ -128,7 +128,8 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
// Validate the provided request URI, if any, against the ones Client provided
// during the registration
- String redirectUri = validateRedirectUri(client, params.getFirst(OAuthConstants.REDIRECT_URI));
+ String redirectUri = validateRedirectUri(client, params.getFirst(OAuthConstants.REDIRECT_URI),
+ params.getFirst(OAuthConstants.STATE));
// Enforce the client confidentiality requirements
if (!OAuthUtils.isGrantSupportedForClient(client, canSupportPublicClient(client), supportedGrantType)) {
@@ -286,8 +287,9 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
OAuthRedirectionState state =
recreateRedirectionStateFromSession(userSubject, params, sessionToken);
- Client client = getClient(state.getClientId());
- String redirectUri = validateRedirectUri(client, state.getRedirectUri());
+ Client client = getClient(state.getClientId(), params);
+ String redirectUri = validateRedirectUri(client, state.getRedirectUri(),
+ params.getFirst(OAuthConstants.STATE));
// Get the end user decision value
String decision = params.getFirst(OAuthConstants.AUTHORIZATION_DECISION_KEY);
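Review bot: The client id and redirect URI on the changed lines are taken from the session-bound `OAuthRedirectionState`, but the state value passed to `validateRedirectUri` is read from the decision-form POST (`params.getFirst(OAuthConstants.STATE)`), so the two can disagree and the error redirect will lack `state` if the form does not echo it. Assuming `OAuthRedirectionState` exposes the stored value via `getState()`, the consistent choice is `String redirectUri = validateRedirectUri(client, state.getRedirectUri(), state.getState());`, which binds the echoed state to what the client originally sent rather than to a re-submitted parameter. The enclosing method continues outside the hunk.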
@@ -368,27 +370,60 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
return securityContext;
}
- protected String validateRedirectUri(Client client, String redirectUri) {
+ protected String validateRedirectUri(Client client, String redirectUri, String state) {
List<String> uris = client.getRedirectUris();
if (redirectUri != null) {
if (!uris.contains(redirectUri)) {
- reportInvalidRequestError("Client Redirect Uri is invalid");
+ reportInvalidRequestError("Client Redirect Uri is invalid", state);
}
} else if (uris.size() == 1 && useRegisteredRedirectUriIfPossible) {
redirectUri = uris.get(0);
}
if (redirectUri == null && uris.size() == 0 && !canRedirectUriBeEmpty(client)) {
- reportInvalidRequestError("Client Redirect Uri is invalid");
+ reportInvalidRequestError("Client Redirect Uri is invalid", state);
}
if (redirectUri != null && matchRedirectUriWithApplicationUri
&& client.getApplicationWebUri() != null
&& !redirectUri.startsWith(client.getApplicationWebUri())) {
- reportInvalidRequestError("Client Redirect Uri is invalid");
+ reportInvalidRequestError("Client Redirect Uri is invalid", state);
}
return redirectUri;
}
+ /**
+ * Get the {@link Client} reference
+ * @param clientId The Client Id
+ * @param params request parameters
+ * @return Client the client reference
+ * @throws {@link javax.ws.rs.WebApplicationException} if no matching Client is found,
+ * the error is returned directly to the end user without
+ * following the redirect URI if any
+ */
+ protected Client getClient(String clientId, MultivaluedMap<String, String> params) {
+ Client client = null;
+ String state = null;
+
+ if (params != null) {
+ state = params.getFirst(OAuthConstants.STATE);
+ }
+
+ try {
+ client = getValidClient(clientId);
+ } catch (OAuthServiceException ex) {
+ if (ex.getError() != null) {
+ ex.getError().setState(state);
+ reportInvalidRequestError(ex.getError(), null);
+ }
+ }
+
+ if (client == null) {
+ reportInvalidRequestError("Client ID is invalid", state, null);
+ }
+ return client;
+
+ }
+
private void addAuthenticityTokenToSession(OAuthAuthorizationData secData,
MultivaluedMap<String, String> params,
UserSubject subject) {
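Review bot: `validateRedirectUri` now calls the two-argument `reportInvalidRequestError(String, String)` with `state` in the second slot, while the removed `getClient` body in the following hunk used that same two-argument shape as `reportInvalidRequestError("Client ID is invalid", null)` with the null standing for the redirect URI, and the new `getClient` here uses the three-argument form `reportInvalidRequestError("Client ID is invalid", state, null)`. Unless this commit also redefined the `(String, String)` overload in AbstractOAuthService to take the state, the three call sites in `validateRedirectUri` hand a request-controlled `state` to the redirect-URI parameter, which would send the error to a caller-chosen location, and since both parameters are `String` the compiler cannot flag it. Writing the explicit form `reportInvalidRequestError("Client Redirect Uri is invalid", state, null);` at those three sites removes the ambiguity, matches `getClient`, and makes it evident that a failed redirect-URI check never redirects. Separately, the protected `getClient(String)` removed in the next hunk was an override point on this fixes branch; keeping a deprecated bridge `protected Client getClient(String clientId) { return getClient(clientId, null); }` would preserve source compatibility for subclasses that override it.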
@@ -422,34 +457,6 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
}
}
- /**
- * Get the {@link Client} reference
- * @param params request parameters
- * @return Client the client reference
- * @throws {@link javax.ws.rs.WebApplicationException} if no matching Client is found,
- * the error is returned directly to the end user without
- * following the redirect URI if any
- */
- protected Client getClient(String clientId) {
- Client client = null;
-
- try {
- client = getValidClient(clientId);
- } catch (OAuthServiceException ex) {
- if (ex.getError() != null) {
- reportInvalidRequestError(ex.getError(), null);
- }
- }
-
- if (client == null) {
- reportInvalidRequestError("Client ID is invalid", null);
- }
- return client;
-
- }
- protected Client getClient(MultivaluedMap<String, String> params) {
- return this.getClient(params.getFirst(OAuthConstants.CLIENT_ID));
- }
protected String getSupportedGrantType() {
return this.supportedGrantType;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/3d373ea9/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenRevocationService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenRevocationService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenRevocationService.java
index 092b9ec..16d6ce7 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenRevocationService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/TokenRevocationService.java
@@ -56,7 +56,8 @@ public class TokenRevocationService extends AbstractTokenService {
try {
getDataProvider().revokeToken(client, token, tokenTypeHint);
} catch (OAuthServiceException ex) {
- return handleException(ex, OAuthConstants.UNSUPPORTED_TOKEN_TYPE);
+ return handleException(ex, OAuthConstants.UNSUPPORTED_TOKEN_TYPE,
+ params.getFirst(OAuthConstants.STATE));
}
return Response.ok().build();
}