Posted to commits@cxf.apache.org by se...@apache.org on 2016/05/25 11:57:51 UTC

[2/2] cxf git commit: Checking none and consent prompt values before presenting an authorization consent screen

Checking the 'none' and 'consent' prompt values before presenting an authorization consent screen


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2c51dc39
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2c51dc39
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2c51dc39

Branch: refs/heads/3.1.x-fixes
Commit: 2c51dc39c956f90ba50f01b7c230f8f9b33fe68b
Parents: 49e1943
Author: Sergey Beryozkin <sb...@gmail.com>
Authored: Wed May 25 12:47:45 2016 +0100
Committer: Sergey Beryozkin <sb...@gmail.com>
Committed: Wed May 25 12:57:38 2016 +0100

----------------------------------------------------------------------
 .../services/RedirectionBasedGrantService.java  |  5 +--
 .../oidc/idp/OidcAuthorizationCodeService.java  | 36 +++++++++++--------
 .../security/oidc/idp/OidcImplicitService.java  | 37 ++++++++++++--------
 .../cxf/rs/security/oidc/utils/OidcUtils.java   | 15 ++++++++
 4 files changed, 62 insertions(+), 31 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/2c51dc39/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
index a6d5da8..8e45c36 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
@@ -200,7 +200,7 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
             }
         }
         final boolean authorizationCanBeSkipped = preAuthorizationComplete 
-            || canAuthorizationBeSkipped(client, userSubject, requestedScope, requestedPermissions);
+            || canAuthorizationBeSkipped(params, client, userSubject, requestedScope, requestedPermissions);
         
         // Populate the authorization challenge data 
         OAuthAuthorizationData data = 
@@ -228,7 +228,8 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
     public Set<String> getSupportedResponseTypes() {
         return supportedResponseTypes;
     }
-    protected boolean canAuthorizationBeSkipped(Client client, 
+    protected boolean canAuthorizationBeSkipped(MultivaluedMap<String, String> params,
+                                                Client client, 
                                                 UserSubject userSubject,
                                                 List<String> requestedScope, 
                                                 List<OAuthPermission> permissions) {
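Review bot: The protected `canAuthorizationBeSkipped` signature changes on the 3.1.x-fixes maintenance branch, so any third-party subclass that overrode the old four-argument form without `@Override` silently stops being consulted (with `@Override` it fails to compile instead). Keeping the four-argument method and making the new overload delegate to it would preserve those overrides: `return canAuthorizationBeSkipped(client, userSubject, requestedScope, permissions);` as the default body of the five-argument method, with the existing logic left in the four-argument one. The method body lies outside this hunk, so I cannot see what the current default returns.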

http://git-wip-us.apache.org/repos/asf/cxf/blob/2c51dc39/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
index b616170..17f595d 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
@@ -36,14 +36,29 @@ import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
 
 public class OidcAuthorizationCodeService extends AuthorizationCodeGrantService {
-    private static final String PROMPT_PARAMETER = "prompt";
     
     @Override
-    protected boolean canAuthorizationBeSkipped(Client client,
+    protected boolean canAuthorizationBeSkipped(MultivaluedMap<String, String> params,
+                                                Client client,
                                                 UserSubject userSubject,
                                                 List<String> requestedScope,
                                                 List<OAuthPermission> permissions) {
-        return super.canAuthorizationBeSkipped(client, userSubject, requestedScope, permissions);
+        List<String> promptValues = OidcUtils.getPromptValues(params);
+        if (promptValues.contains(OidcUtils.PROMPT_CONSENT_VALUE)) {
+            // Displaying the consent screen is preferred by the client
+            return false;
+        }
+        // Check the pre-configured consent
+        boolean preConfiguredConsentForScopes =
+            super.canAuthorizationBeSkipped(params, client, userSubject, requestedScope, permissions);
+        boolean nonePromptRequested = promptValues.contains(OidcUtils.PROMPT_NONE_VALUE);
+        
+        if (nonePromptRequested && !preConfiguredConsentForScopes) {
+            // An error is returned if client does not have pre-configured consent for the requested scopes/claims
+            LOG.log(Level.FINE, "Prompt 'none' request can not be met");
+            throw new OAuthServiceException(new OAuthError(OidcUtils.CONSENT_REQUIRED_ERROR));
+        }
+        return !nonePromptRequested && preConfiguredConsentForScopes;
     }
     
     public void setSkipAuthorizationWithOidcScope(boolean skipAuthorizationWithOidcScope) {
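Review bot: The final `return !nonePromptRequested && preConfiguredConsentForScopes;` yields false when `prompt=none` is requested and pre-configured consent exists, which is the one `prompt=none` case that is supposed to proceed without UI; the caller in RedirectionBasedGrantService treats a false return as "cannot skip" and, as far as the visible lines show, goes on to populate the consent challenge. Since the `none`-without-consent case already throws `consent_required` two lines earlier, the remaining return should simply be `return preConfiguredConsentForScopes;`. The early `consent` return makes the `none` check unreachable when both values are present, which is only safe because `startAuthorization` rejects that combination first; a one-line comment noting that dependency would help the next reader. Whether the `OAuthServiceException` thrown here becomes an error redirect to the client's `redirect_uri` (what a `prompt=none` client expects) or a direct HTTP error depends on code outside this hunk.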
@@ -55,17 +70,10 @@ public class OidcAuthorizationCodeService extends AuthorizationCodeGrantService
                                           UserSubject userSubject,
                                           Client client) {    
         // Validate the prompt - if it contains "none" then an error is returned with any other value
-        String prompt = params.getFirst(PROMPT_PARAMETER);
-        if (prompt != null) {
-            String[] promptValues = prompt.trim().split(" ");
-            if (promptValues.length > 1) {
-                for (String promptValue : promptValues) {
-                    if ("none".equals(promptValue)) {
-                        LOG.log(Level.FINE, "The prompt value {} is invalid", prompt);
-                        throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
-                    }
-                }
-            }
+        List<String> promptValues = OidcUtils.getPromptValues(params);
+        if (promptValues != null && promptValues.size() > 1 && promptValues.contains(OidcUtils.PROMPT_NONE_VALUE)) {
+            LOG.log(Level.FINE, "The prompt value {} is invalid", params.getFirst(OidcUtils.PROMPT_PARAMETER));
+            throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
         }
         
         return super.startAuthorization(params, userSubject, client);
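Review bot: The log call in the `INVALID_REQUEST` branch uses a `{}` placeholder, but `Level.FINE` indicates java.util.logging, whose `Formatter.formatMessage` only substitutes `{0}`-style indices and otherwise returns the pattern verbatim, so the offending prompt value is never actually logged; use `LOG.log(Level.FINE, "The prompt value {0} is invalid", params.getFirst(OidcUtils.PROMPT_PARAMETER));`. The `promptValues != null` guard is redundant because `OidcUtils.getPromptValues` returns an empty list rather than null, and the sibling check in `OidcImplicitService` already omits it, so dropping it keeps the two copies identical. `startAuthorization` begins before this hunk.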

http://git-wip-us.apache.org/repos/asf/cxf/blob/2c51dc39/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
index d689c21..b0a8e05 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
@@ -49,8 +49,6 @@ import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
 
 
 public class OidcImplicitService extends ImplicitGrantService {
-    private static final String PROMPT_PARAMETER = "prompt";
-    
     private OAuthJoseJwtProducer idTokenHandler;
     private IdTokenProvider idTokenProvider;
     
@@ -78,28 +76,37 @@ public class OidcImplicitService extends ImplicitGrantService {
         }
         
         // Validate the prompt - if it contains "none" then an error is returned with any other value
-        String prompt = params.getFirst(PROMPT_PARAMETER);
-        if (prompt != null) {
-            String[] promptValues = prompt.trim().split(" ");
-            if (promptValues.length > 1) {
-                for (String promptValue : promptValues) {
-                    if ("none".equals(promptValue)) {
-                        LOG.log(Level.FINE, "The prompt value {} is invalid", prompt);
-                        throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
-                    }
-                }
-            }
+        List<String> promptValues = OidcUtils.getPromptValues(params);
+        if (promptValues.size() > 1 && promptValues.contains(OidcUtils.PROMPT_NONE_VALUE)) {
+            LOG.log(Level.FINE, "The prompt value {} is invalid", params.getFirst(OidcUtils.PROMPT_PARAMETER));
+            throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_REQUEST));
         }
         
         return super.startAuthorization(params, userSubject, client);
     }
     
     @Override
-    protected boolean canAuthorizationBeSkipped(Client client,
+    protected boolean canAuthorizationBeSkipped(MultivaluedMap<String, String> params,
+                                                Client client,
                                                 UserSubject userSubject,
                                                 List<String> requestedScope,
                                                 List<OAuthPermission> permissions) {
-        return super.canAuthorizationBeSkipped(client, userSubject, requestedScope, permissions);
+        List<String> promptValues = OidcUtils.getPromptValues(params);
+        if (promptValues.contains(OidcUtils.PROMPT_CONSENT_VALUE)) {
+            // Displaying the consent screen is preferred by the client
+            return false;
+        }
+        // Check the pre-configured consent
+        boolean preConfiguredConsentForScopes =
+            super.canAuthorizationBeSkipped(params, client, userSubject, requestedScope, permissions);
+        boolean nonePromptRequested = promptValues.contains(OidcUtils.PROMPT_NONE_VALUE);
+        
+        if (nonePromptRequested && !preConfiguredConsentForScopes) {
+            // An error is returned if client does not have pre-configured consent for the requested scopes/claims
+            LOG.log(Level.FINE, "Prompt 'none' request can not be met");
+            throw new OAuthServiceException(new OAuthError(OidcUtils.CONSENT_REQUIRED_ERROR));
+        }
+        return !nonePromptRequested && preConfiguredConsentForScopes;
     }
     
     public void setSkipAuthorizationWithOidcScope(boolean skipAuthorizationWithOidcScope) {
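Review bot: `return !nonePromptRequested && preConfiguredConsentForScopes;` at the end of `canAuthorizationBeSkipped` returns false for `prompt=none` with pre-configured consent, so the only `prompt=none` request that should proceed silently instead falls through to the consent screen; the guard above already throws `consent_required` for the failing case, so the line should be `return preConfiguredConsentForScopes;`. This override is duplicated verbatim in `OidcAuthorizationCodeService`; moving the prompt handling into a shared helper in `OidcUtils` that takes `promptValues` and the superclass result would stop the two copies drifting apart. The `{}` placeholder in the `Level.FINE` log message is not a java.util.logging format and leaves the prompt value unlogged; `{0}` is the JUL form.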

http://git-wip-us.apache.org/repos/asf/cxf/blob/2c51dc39/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
index 1f717c1..3bbc63a 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
@@ -20,6 +20,7 @@ package org.apache.cxf.rs.security.oidc.utils;
 
 import java.security.NoSuchAlgorithmException;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -67,6 +68,11 @@ public final class OidcUtils {
     public static final String ENDPOINT_CLAIM_SOURCE_PROPERTY = "endpoint";
     public static final String TOKEN_CLAIM_SOURCE_PROPERTY = "access_token";
     
+    public static final String PROMPT_PARAMETER = "prompt";
+    public static final String PROMPT_NONE_VALUE = "none";
+    public static final String PROMPT_CONSENT_VALUE = "consent";
+    public static final String CONSENT_REQUIRED_ERROR = "consent_required";
+    
     private static final Map<String, List<String>> SCOPES_MAP;
     static {
         SCOPES_MAP = new HashMap<String, List<String>>();
@@ -79,6 +85,15 @@ public final class OidcUtils {
     private OidcUtils() {
         
     }
+    public static List<String> getPromptValues(MultivaluedMap<String, String> params) {
+        String prompt = params.getFirst(PROMPT_PARAMETER);
+        if (prompt != null) {
+            return Arrays.asList(prompt.trim().split(" "));
+        } else {
+            return Collections.emptyList();
+        }
+    }
+    
     public static String getOpenIdScope() {
         return OPENID_SCOPE;
     }
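Review bot: `getPromptValues` has no Javadoc, and its exact tokenisation matters to the callers that count values: `trim().split(" ")` keeps empty tokens for consecutive spaces, so `prompt=none%20%20login` yields three entries and an empty `prompt=` yields a single empty string, while `getFirst` silently ignores any repeated `prompt` parameter. I would add a Javadoc stating that it returns the space-separated values of the first `prompt` entry in the request parameters, or an empty list when absent, that empty tokens from repeated spaces are retained, and that the result is a fixed-size `Arrays.asList` view. If the empty tokens are unintended, `split(" +")` would collapse them, but that changes which inputs the callers' `size() > 1` checks reject, so it should be a deliberate choice.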