Posted to commits@cxf.apache.org by se...@apache.org on 2016/02/24 13:08:44 UTC

[1/2] cxf-fediz git commit: Updating the IdToken creation to have a principal id set as 'sub' and name - as preferresUserName with the config support to follow later

Repository: cxf-fediz
Updated Branches:
  refs/heads/master 72f0c939b -> 47a23b88c


Updating the IdToken creation to have a principal id set as 'sub' and name - as preferredUserName with the config support to follow later


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/24339411
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/24339411
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/24339411

Branch: refs/heads/master
Commit: 243394119ef2eb8fdb70cd923f93593e0ce108fd
Parents: 48b9eed
Author: Sergey Beryozkin <sb...@gmail.com>
Authored: Wed Feb 24 12:08:20 2016 +0000
Committer: Sergey Beryozkin <sb...@gmail.com>
Committed: Wed Feb 24 12:08:20 2016 +0000

----------------------------------------------------------------------
 .../fediz/service/oidc/FedizSubjectCreator.java | 30 ++++++++++++++------
 1 file changed, 21 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/24339411/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java
index f134039..0568cd2 100644
--- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java
+++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/FedizSubjectCreator.java
@@ -24,6 +24,7 @@ import javax.ws.rs.core.MultivaluedMap;
 
 import org.w3c.dom.Element;
 
+import org.apache.cxf.common.util.Base64UrlUtility;
 import org.apache.cxf.fediz.core.Claim;
 import org.apache.cxf.fediz.core.ClaimCollection;
 import org.apache.cxf.fediz.core.ClaimTypes;
@@ -34,6 +35,7 @@ import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
 import org.apache.cxf.rs.security.oauth2.provider.SubjectCreator;
 import org.apache.cxf.rs.security.oidc.common.IdToken;
 import org.apache.cxf.rs.security.oidc.idp.OidcUserSubject;
+import org.apache.cxf.rt.security.crypto.CryptoUtils;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.joda.time.DateTime;
@@ -58,30 +60,40 @@ public class FedizSubjectCreator implements SubjectCreator {
         FedizPrincipal fedizPrincipal = (FedizPrincipal)principal; 
         
         // In the future FedizPrincipal will likely have JWT claims already prepared,
-        // with IdToken being initialized here from those claims + client id 
+        // with IdToken being initialized here from those claims 
+        OidcUserSubject oidcSub = new OidcUserSubject();
+        oidcSub.setLogin(fedizPrincipal.getName());
+     
+        // Subject ID - a locally unique and never reassigned identifier allocated to the end user
+        // REVISIT: 
+        // Can it be allocated on per-session basis or is it something that is supposed to be created
+        // by the authentication system (IDP/STS) once and reported every time a given user signs in ?
+        oidcSub.setId(Base64UrlUtility.encode(CryptoUtils.generateSecureRandomBytes(16)));
         
         IdToken idToken = convertToIdToken(fedizPrincipal.getLoginToken(),
-                                           fedizPrincipal.getName(), 
+                                           oidcSub.getLogin(),
+                                           oidcSub.getId(),
                                            fedizPrincipal.getClaims());
-        
-        OidcUserSubject oidcSub = new OidcUserSubject();
-        oidcSub.setLogin(fedizPrincipal.getName());
         oidcSub.setIdToken(idToken);
         // UserInfo can be populated and set on OidcUserSubject too.
+        // UserInfoService will create it otherwise.
         
         return oidcSub;
     }
     
     public IdToken convertToIdToken(Element samlToken, 
-            String subjectName, 
+            String subjectName,
+            String subjectId,
             ClaimCollection claims) {
-        // The current SAML Assertion represents anauthentication record.
+        // The current SAML Assertion represents an authentication record.
         // It has to be translated into IdToken (JWT) so that it can be returned 
         // to client applications participating in various OIDC flows.
         
         IdToken idToken = new IdToken();
-        // Subject name is provided by FedizPrincipal which is initialized from the current SAML token 
-        idToken.setSubject(subjectName);
+        
+        //TODO: make the mapping between the subject name and IdToken claim configurable
+        idToken.setPreferredUserName(subjectName);
+        idToken.setSubject(subjectId);
         
         Assertion saml2Assertion = getSaml2Assertion(samlToken);
         if (saml2Assertion != null) {
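Review bot: The `sub` value assigned at `oidcSub.setId(Base64UrlUtility.encode(CryptoUtils.generateSecureRandomBytes(16)))` is fresh random bytes on every call of createUserSubject, so the same end user gets a different `sub` on each sign-in; OIDC Core defines `sub` as locally unique and never reassigned for a given end user, and relying parties key account linkage and per-user authorization on it, so a per-session value makes every login look like a new identity and breaks session linking rather than protecting anything. The REVISIT comment above that line asks exactly this question; the answer is that the value must be stable per user, so it should be derived deterministically from the principal rather than generated, e.g. a SHA-256 over a configured per-IdP salt and `fedizPrincipal.getName()`, Base64Url-encoded, which also gives a pairwise-style pseudonym that does not expose the login name as `sub`. Until the salt/config plumbing the commit message defers to later exists, the comment should state the constraint plainly, e.g. `// TEMPORARY: a random per-login id violates the OIDC requirement that 'sub' is stable for a user; replace with a deterministic, salted derivation`. The enclosing createUserSubject method starts before this hunk and convertToIdToken continues past it.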


[2/2] cxf-fediz git commit: Merge branch 'master' of https://git-wip-us.apache.org/repos/asf/cxf-fediz

Posted by se...@apache.org.
Merge branch 'master' of https://git-wip-us.apache.org/repos/asf/cxf-fediz


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/47a23b88
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/47a23b88
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/47a23b88

Branch: refs/heads/master
Commit: 47a23b88cd39386ca1fb9d1fa40ba04cd73ef331
Parents: 2433941 72f0c93
Author: Sergey Beryozkin <sb...@gmail.com>
Authored: Wed Feb 24 12:08:27 2016 +0000
Committer: Sergey Beryozkin <sb...@gmail.com>
Committed: Wed Feb 24 12:08:27 2016 +0000

----------------------------------------------------------------------
 pom.xml                                         |   6 +-
 services/idp/pom.xml                            |   6 +-
 .../idp/beans/SigninParametersCacheAction.java  |  57 ++-
 .../TrustedIdpOIDCProtocolHandler.java          | 411 +++++++++++++++
 .../TrustedIdpSAMLProtocolHandler.java          |   1 -
 .../TrustedIdpWSFedProtocolHandler.java         |   4 +-
 .../flows/federation-signin-response.xml        |   6 +-
 .../flows/federation-validate-request.xml       |  17 +-
 systests/federation/oidc/pom.xml                | 287 +++++++++++
 .../cxf/fediz/integrationtests/OIDCTest.java    | 321 ++++++++++++
 .../oidc/src/test/resources/client.jks          | Bin 0 -> 2061 bytes
 .../oidc/src/test/resources/clienttrust.jks     | Bin 0 -> 1512 bytes
 .../oidc/src/test/resources/entities-realma.xml | 500 +++++++++++++++++++
 .../src/test/resources/fediz_config_oidc.xml    |  56 +++
 .../oidc/src/test/resources/realmb.cert         |   3 +
 .../oidc/src/test/resources/server.jks          | Bin 0 -> 3859 bytes
 systests/kerberos/pom.xml                       |   4 +-
 17 files changed, 1643 insertions(+), 36 deletions(-)
----------------------------------------------------------------------