Posted to commits@cxf.apache.org by se...@apache.org on 2016/02/24 13:08:44 UTC
[1/2] cxf-fediz git commit: Updating the IdToken creation to have a
principal id set as 'sub' and name - as preferresUserName with the config
support to follow later
Repository: cxf-fediz
Updated Branches:
refs/heads/master 72f0c939b -> 47a23b88c
Updating the IdToken creation to have a principal id set as 'sub' and the name as preferredUserName, with the config support to follow later
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/24339411
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/24339411
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/24339411
Branch: refs/heads/master
Commit: 243394119ef2eb8fdb70cd923f93593e0ce108fd
Parents: 48b9eed
Author: Sergey Beryozkin <sb...@gmail.com>
Authored: Wed Feb 24 12:08:20 2016 +0000
Committer: Sergey Beryozkin <sb...@gmail.com>
Committed: Wed Feb 24 12:08:20 2016 +0000
----------------------------------------------------------------------
.../fediz/service/oidc/FedizSubjectCreator.java | 30 ++++++++++++++------
1 file changed, 21 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/24339411/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java
index f134039..0568cd2 100644
--- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java
+++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java
@@ -24,6 +24,7 @@ import javax.ws.rs.core.MultivaluedMap;
import org.w3c.dom.Element;
+import org.apache.cxf.common.util.Base64UrlUtility;
import org.apache.cxf.fediz.core.Claim;
import org.apache.cxf.fediz.core.ClaimCollection;
import org.apache.cxf.fediz.core.ClaimTypes;
@@ -34,6 +35,7 @@ import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oauth2.provider.SubjectCreator;
import org.apache.cxf.rs.security.oidc.common.IdToken;
import org.apache.cxf.rs.security.oidc.idp.OidcUserSubject;
+import org.apache.cxf.rt.security.crypto.CryptoUtils;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.joda.time.DateTime;
@@ -58,30 +60,40 @@ public class FedizSubjectCreator implements SubjectCreator {
FedizPrincipal fedizPrincipal = (FedizPrincipal)principal;
// In the future FedizPrincipal will likely have JWT claims already prepared,
- // with IdToken being initialized here from those claims + client id
+ // with IdToken being initialized here from those claims
+ OidcUserSubject oidcSub = new OidcUserSubject();
+ oidcSub.setLogin(fedizPrincipal.getName());
+
+ // Subject ID - a locally unique and never reassigned identifier allocated to the end user
+ // REVISIT:
+ // Can it be allocated on per-session basis or is it something that is supposed to be created
+ // by the authentication system (IDP/STS) once and reported every time a given user signs in ?
+ oidcSub.setId(Base64UrlUtility.encode(CryptoUtils.generateSecureRandomBytes(16)));
IdToken idToken = convertToIdToken(fedizPrincipal.getLoginToken(),
- fedizPrincipal.getName(),
+ oidcSub.getLogin(),
+ oidcSub.getId(),
fedizPrincipal.getClaims());
-
- OidcUserSubject oidcSub = new OidcUserSubject();
- oidcSub.setLogin(fedizPrincipal.getName());
oidcSub.setIdToken(idToken);
// UserInfo can be populated and set on OidcUserSubject too.
+ // UserInfoService will create it otherwise.
return oidcSub;
}
public IdToken convertToIdToken(Element samlToken,
- String subjectName,
+ String subjectName,
+ String subjectId,
ClaimCollection claims) {
- // The current SAML Assertion represents anauthentication record.
+ // The current SAML Assertion represents an authentication record.
// It has to be translated into IdToken (JWT) so that it can be returned
// to client applications participating in various OIDC flows.
IdToken idToken = new IdToken();
- // Subject name is provided by FedizPrincipal which is initialized from the current SAML token
- idToken.setSubject(subjectName);
+
+ //TODO: make the mapping between the subject name and IdToken claim configurable
+ idToken.setPreferredUserName(subjectName);
+ idToken.setSubject(subjectId);
Assertion saml2Assertion = getSaml2Assertion(samlToken);
if (saml2Assertion != null) {
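Review bot: The subject identifier set at `oidcSub.setId(Base64UrlUtility.encode(CryptoUtils.generateSecureRandomBytes(16)))` is regenerated on every call, so the same user receives a different `sub` on each sign-in; OIDC requires `sub` to be a stable, never-reassigned identifier for a user at a given issuer, and relying parties key their accounts on it, so a per-login random value leaves them unable to recognise a returning user (and `preferred_username`, now carrying the name, is explicitly not guaranteed unique or stable, so it cannot serve as that key). The REVISIT comment raises the question, but the interim behaviour is a regression relative to the removed `idToken.setSubject(subjectName)`, which at least gave the same value on every login. Until the configurable mapping lands, derive the identifier deterministically from the principal, e.g. an HMAC of `fedizPrincipal.getName()` under an issuer-wide secret, which keeps `sub` stable across sessions without echoing the raw name, or, if the IdP/STS already issues a persistent identifier in the assertion, use that instead. The enclosing method begins before the hunk, and convertToIdToken continues past its last line.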
[2/2] cxf-fediz git commit: Merge branch 'master' of
https://git-wip-us.apache.org/repos/asf/cxf-fediz
Posted by se...@apache.org.
Merge branch 'master' of https://git-wip-us.apache.org/repos/asf/cxf-fediz
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/47a23b88
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/47a23b88
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/47a23b88
Branch: refs/heads/master
Commit: 47a23b88cd39386ca1fb9d1fa40ba04cd73ef331
Parents: 2433941 72f0c93
Author: Sergey Beryozkin <sb...@gmail.com>
Authored: Wed Feb 24 12:08:27 2016 +0000
Committer: Sergey Beryozkin <sb...@gmail.com>
Committed: Wed Feb 24 12:08:27 2016 +0000
----------------------------------------------------------------------
pom.xml | 6 +-
services/idp/pom.xml | 6 +-
.../idp/beans/SigninParametersCacheAction.java | 57 ++-
.../TrustedIdpOIDCProtocolHandler.java | 411 +++++++++++++++
.../TrustedIdpSAMLProtocolHandler.java | 1 -
.../TrustedIdpWSFedProtocolHandler.java | 4 +-
.../flows/federation-signin-response.xml | 6 +-
.../flows/federation-validate-request.xml | 17 +-
systests/federation/oidc/pom.xml | 287 +++++++++++
.../cxf/fediz/integrationtests/OIDCTest.java | 321 ++++++++++++
.../oidc/src/test/resources/client.jks | Bin 0 -> 2061 bytes
.../oidc/src/test/resources/clienttrust.jks | Bin 0 -> 1512 bytes
.../oidc/src/test/resources/entities-realma.xml | 500 +++++++++++++++++++
.../src/test/resources/fediz_config_oidc.xml | 56 +++
.../oidc/src/test/resources/realmb.cert | 3 +
.../oidc/src/test/resources/server.jks | Bin 0 -> 3859 bytes
systests/kerberos/pom.xml | 4 +-
17 files changed, 1643 insertions(+), 36 deletions(-)
----------------------------------------------------------------------