You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@guacamole.apache.org by vn...@apache.org on 2017/09/27 02:18:19 UTC

[27/29] incubator-guacamole-client git commit: GUACAMOLE-210: Re-request ID token if validation or username retrieval fails.

GUACAMOLE-210: Re-request ID token if validation or username retrieval fails.


Project: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/commit/4f8c853d
Tree: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/tree/4f8c853d
Diff: http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/diff/4f8c853d

Branch: refs/heads/master
Commit: 4f8c853daa34d85b68e40c54b92a7f09e6eeac73
Parents: 1879035
Author: Michael Jumper <mj...@apache.org>
Authored: Sun Aug 27 22:58:12 2017 -0700
Committer: Michael Jumper <mj...@apache.org>
Committed: Mon Sep 25 13:06:45 2017 -0700

----------------------------------------------------------------------
 .../openid/AuthenticationProviderService.java   | 18 +++++----
 .../openid/token/TokenValidationService.java    | 41 ++++++++++++++------
 2 files changed, 40 insertions(+), 19 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/4f8c853d/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/AuthenticationProviderService.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/AuthenticationProviderService.java b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/AuthenticationProviderService.java
index 10dea3d..1423b8d 100644
--- a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/AuthenticationProviderService.java
+++ b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/AuthenticationProviderService.java
@@ -82,19 +82,23 @@ public class AuthenticationProviderService {
     public AuthenticatedUser authenticateUser(Credentials credentials)
             throws GuacamoleException {
 
-        String token = null;
+        String username = null;
 
-        // Pull OpenID token from request if present
+        // Validate OpenID token in request, if present, and derive username
         HttpServletRequest request = credentials.getRequest();
-        if (request != null)
-            token = request.getParameter(TokenField.PARAMETER_NAME);
+        if (request != null) {
+            String token = request.getParameter(TokenField.PARAMETER_NAME);
+            if (token != null)
+                username = tokenService.processUsername(token);
+        }
 
-        // If token provided, validate and produce authenticated user
-        if (token != null) {
+        // If the username was successfully retrieved from the token, produce
+        // authenticated user
+        if (username != null) {
 
             // Create corresponding authenticated user
             AuthenticatedUser authenticatedUser = authenticatedUserProvider.get();
-            authenticatedUser.init(tokenService.processUsername(token), credentials);
+            authenticatedUser.init(username, credentials);
             return authenticatedUser;
 
         }

http://git-wip-us.apache.org/repos/asf/incubator-guacamole-client/blob/4f8c853d/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/token/TokenValidationService.java
----------------------------------------------------------------------
diff --git a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/token/TokenValidationService.java b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/token/TokenValidationService.java
index b1a8a28..3e1a58d 100644
--- a/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/token/TokenValidationService.java
+++ b/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/token/TokenValidationService.java
@@ -31,6 +31,8 @@ import org.jose4j.jwt.consumer.InvalidJwtException;
 import org.jose4j.jwt.consumer.JwtConsumer;
 import org.jose4j.jwt.consumer.JwtConsumerBuilder;
 import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 /**
  * Service for validating ID tokens forwarded to us by the client, verifying
@@ -39,6 +41,11 @@ import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;
 public class TokenValidationService {
 
     /**
+     * Logger for this class.
+     */
+    private final Logger logger = LoggerFactory.getLogger(TokenValidationService.class);
+
+    /**
      * Service for retrieving OpenID configuration information.
      */
     @Inject
@@ -48,17 +55,17 @@ public class TokenValidationService {
      * Validates and parses the given ID token, returning the username contained
      * therein, as defined by the username claim type given in
      * guacamole.properties. If the username claim type is missing or the ID
-     * token is invalid, an exception is thrown instead.
+     * token is invalid, null is returned.
      *
      * @param token
      *     The ID token to validate and parse.
      *
      * @return
-     *     The username contained within the given ID token.
+     *     The username contained within the given ID token, or null if the ID
+     *     token is not valid or the username claim type is missing,
      *
      * @throws GuacamoleException
-     *     If the ID token is not valid, the username claim type is missing, or
-     *     guacamole.properties could not be parsed.
+     *     If guacamole.properties could not be parsed.
      */
     public String processUsername(String token) throws GuacamoleException {
 
@@ -79,27 +86,37 @@ public class TokenValidationService {
 
         try {
 
+            String usernameClaim = confService.getUsernameClaimType();
+
             // Validate JWT
             JwtClaims claims = jwtConsumer.processToClaims(token);
 
             // Pull username from claims
-            String username = claims.getStringClaimValue(confService.getUsernameClaimType());
-            if (username == null)
-                throw new GuacamoleSecurityException("Username missing from token");
+            String username = claims.getStringClaimValue(usernameClaim);
+            if (username != null)
+                return username;
 
-            // Username successfully retrieved from the JWT
-            return username;
+            // Warn if username was not present in token, as it likely means
+            // the system is not set up correctly
+            logger.warn("Username claim \"{}\" missing from token. Perhaps the "
+                    + "OpenID scope and/or username claim type are "
+                    + "misconfigured?", usernameClaim);
 
         }
 
-        // Rethrow any failures to validate/parse the JWT
+        // Log any failures to validate/parse the JWT
         catch (InvalidJwtException e) {
-            throw new GuacamoleSecurityException("Invalid ID token.", e);
+            logger.info("Rejected invalid OpenID token: {}", e.getMessage());
+            logger.debug("Invalid JWT received.", e);
         }
         catch (MalformedClaimException e) {
-            throw new GuacamoleServerException("Unable to parse JWT claims.", e);
+            logger.info("Rejected OpenID token with malformed claim: {}", e.getMessage());
+            logger.debug("Malformed claim within received JWT.", e);
         }
 
+        // Could not retrieve username from JWT
+        return null;
+
     }
 
 }