Posted to commits@cxf.apache.org by se...@apache.org on 2015/12/14 12:07:40 UTC

cxf git commit: Setting the nonce if IdToken is already available on the subject, minor tweak to the scope conversions to avoid the extra space

Repository: cxf
Updated Branches:
  refs/heads/master 85c397f85 -> 8b805fa99


Setting the nonce if IdToken is already available on the subject, minor tweak to the scope conversions to avoid the extra space


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/8b805fa9
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/8b805fa9
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/8b805fa9

Branch: refs/heads/master
Commit: 8b805fa9917a20e514b43a5fa3223452fb7be10e
Parents: 85c397f
Author: Sergey Beryozkin <sb...@gmail.com>
Authored: Mon Dec 14 11:07:26 2015 +0000
Committer: Sergey Beryozkin <sb...@gmail.com>
Committed: Mon Dec 14 11:07:26 2015 +0000

----------------------------------------------------------------------
 .../cxf/rs/security/oauth2/utils/OAuthUtils.java       |  6 ++----
 .../rs/security/oidc/idp/IdTokenResponseFilter.java    | 13 +++++++------
 2 files changed, 9 insertions(+), 10 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/8b805fa9/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
index 4974760..d2ae2fa 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/OAuthUtils.java
@@ -130,15 +130,13 @@ public final class OAuthUtils {
     public static String convertPermissionsToScope(List<OAuthPermission> perms) {
         StringBuilder sb = new StringBuilder();
         for (OAuthPermission perm : perms) {
-            if (perm.isInvisibleToClient()) {
+            if (perm.isInvisibleToClient() || perm.getPermission() == null) {
                 continue;
             }
             if (sb.length() > 0) {
                 sb.append(" ");
             }
-            if (perm.getPermission() != null) {
-                sb.append(perm.getPermission());
-            }
+            sb.append(perm.getPermission());
         }
         return sb.toString();
     }
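Review bot: An empty-string permission still reaches the separator logic in convertPermissionsToScope, because the new guard skips only null values, so the stray space this change removes can reappear for `""`. Reading the value once and testing both cases would close that: `String scope = perm.getPermission();`, then `if (perm.isInvisibleToClient() || scope == null || scope.isEmpty()) { continue; }` and `sb.append(scope);`. Since this string is what the client is told it was granted, a short Javadoc stating that invisible and unnamed permissions are deliberately omitted would also help.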

http://git-wip-us.apache.org/repos/asf/cxf/blob/8b805fa9/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
index f7d6b9a..31b2666 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
@@ -49,23 +49,20 @@ public class IdTokenResponseFilter extends AbstractOAuthServerJoseJwtProducer im
         if (userInfoProvider != null) {
             IdToken idToken = 
                 userInfoProvider.getIdToken(st.getClient().getClientId(), st.getSubject(), st.getScopes());
-            if (st.getNonce() != null) {
-                idToken.setNonce(st.getNonce());
-            }
-            setAtHash(idToken, st);
+            setAtHashAndNonce(idToken, st);
             return super.processJwt(new JwtToken(idToken), st.getClient());
         } else if (st.getSubject().getProperties().containsKey(OidcUtils.ID_TOKEN)) {
             return st.getSubject().getProperties().get(OidcUtils.ID_TOKEN);
         } else if (st.getSubject() instanceof OidcUserSubject) {
             OidcUserSubject sub = (OidcUserSubject)st.getSubject();
             IdToken idToken = new IdToken(sub.getIdToken());
-            setAtHash(idToken, st);
+            setAtHashAndNonce(idToken, st);
             return super.processJwt(new JwtToken(idToken), st.getClient());
         } else {
             return null;
         }
     }
-    private void setAtHash(IdToken idToken, ServerAccessToken st) {
+    private void setAtHashAndNonce(IdToken idToken, ServerAccessToken st) {
         Properties props = JwsUtils.loadSignatureOutProperties(false);
         SignatureAlgorithm sigAlgo = null;
         if (super.isSignWithClientSecret()) {
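Review bot: The middle branch, which returns the `OidcUtils.ID_TOKEN` subject property as-is, still bypasses `setAtHashAndNonce`, so an ID token issued through that path carries neither the request nonce nor an `at_hash` unless whoever stored the property added them. Clients rely on the echoed nonce to bind the ID token to their authentication request and to detect replay, so the gap is worth closing or at least documenting. If the stored value is already serialized and signed it cannot be amended here; in that case a comment on that branch such as `// pre-built token: nonce and at_hash must have been set by the producer` would make the contract explicit. The enclosing method starts above the hunk and setAtHashAndNonce continues below it.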
@@ -78,6 +75,10 @@ public class IdTokenResponseFilter extends AbstractOAuthServerJoseJwtProducer im
             idToken.setAccessTokenHash(atHash);
         }
         
+        if (st.getNonce() != null) {
+            idToken.setNonce(st.getNonce());
+        }
+        
     }
     public void setUserInfoProvider(UserInfoProvider userInfoProvider) {
         this.userInfoProvider = userInfoProvider;
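Review bot: When `st.getNonce()` is null the new block leaves whatever nonce claim the token already has, and in the OidcUserSubject branch the token is a copy of `sub.getIdToken()`. If that stored token can carry a nonce from an earlier request (not visible here), it would be re-issued for a request that sent none. Consider handling the null case explicitly, or state the assumption in a comment such as `// nonce is only overwritten, never cleared; the subject's IdToken is assumed not to carry one`. The body of setAtHashAndNonce starts above this hunk.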