Posted to commits@cxf.apache.org by co...@apache.org on 2018/07/17 17:03:58 UTC

[cxf] 04/05: CXF-7797 - Refreshed access tokens are not issued in JWT format when setUseJwtFormatForAccessTokens is set

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit 81466c273d7262183e9a96ade22480f032db53f4
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Tue Jul 17 15:54:28 2018 +0100

    CXF-7797 - Refreshed access tokens are not issued in JWT format when setUseJwtFormatForAccessTokens is set
---
 .../oauth2/provider/AbstractOAuthDataProvider.java | 38 +++++++++++++---------
 1 file changed, 23 insertions(+), 15 deletions(-)

diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
index 89a45b1..41289ed 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
@@ -59,7 +59,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
     private OAuthJoseJwtProducer jwtAccessTokenProducer;
     private Map<String, String> jwtAccessTokenClaimMap;
     private ProviderAuthenticationStrategy authenticationStrategy;
-    
+
     protected AbstractOAuthDataProvider() {
     }
 
@@ -96,7 +96,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
                 at.getExtraProperties().put(JoseConstants.HEADER_X509_THUMBPRINT_SHA256, certCnf);
             }
         }
-        
+
         if (isUseJwtFormatForAccessTokens()) {
             JwtClaims claims = createJwtAccessToken(at);
             String jose = processJwtAccessToken(claims);
@@ -151,8 +151,8 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
             Map<String, String> actualExtraProps = new HashMap<String, String>();
             for (Map.Entry<String, String> entry : at.getExtraProperties().entrySet()) {
                 if (JoseConstants.HEADER_X509_THUMBPRINT_SHA256.equals(entry.getKey())) {
-                    claims.setClaim(JwtConstants.CLAIM_CONFIRMATION, 
-                        Collections.singletonMap(JoseConstants.HEADER_X509_THUMBPRINT_SHA256, 
+                    claims.setClaim(JwtConstants.CLAIM_CONFIRMATION,
+                        Collections.singletonMap(JoseConstants.HEADER_X509_THUMBPRINT_SHA256,
                                                  entry.getValue()));
                 } else {
                     actualExtraProps.put(entry.getKey(), entry.getValue());
@@ -279,7 +279,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
         throw new OAuthServiceException("Requested scopes can not be mapped");
 
     }
-    
+
     protected void checkRequestedScopes(Client client, List<String> requestedScopes) {
         if (requiredScopes != null && !requestedScopes.containsAll(requiredScopes)) {
             throw new OAuthServiceException("Required scopes are missing");
@@ -309,7 +309,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
         for (ServerAccessToken at : getAccessTokens(client, sub)) {
             if (at.getClient().getClientId().equals(client.getClientId())
                 && at.getGrantType().equals(grantType)
-                && (sub == null && at.getSubject() == null 
+                && (sub == null && at.getSubject() == null
                 || sub != null && at.getSubject().getLogin().equals(sub.getLogin()))) {
                 token = at;
                 break;
@@ -337,7 +337,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
     protected MultivaluedMap<String, String> getCurrentTokenRequestParams() {
         if (messageContext != null) {
             @SuppressWarnings("unchecked")
-            MultivaluedMap<String, String> params = 
+            MultivaluedMap<String, String> params =
                 (MultivaluedMap<String, String>)messageContext.get(OAuthConstants.TOKEN_REQUEST_PARAMS);
             return params;
         }
@@ -398,6 +398,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
         at.setSubject(oldRefreshToken.getSubject());
         at.setNonce(oldRefreshToken.getNonce());
         at.setClientCodeVerifier(oldRefreshToken.getClientCodeVerifier());
+        at.getExtraProperties().putAll(oldRefreshToken.getExtraProperties());
         if (restrictedScopes.isEmpty()) {
             at.setScopes(oldRefreshToken.getScopes() != null
                     ? new ArrayList<OAuthPermission>(oldRefreshToken.getScopes()) : null);
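Review bot: The new `putAll` copies every extra property of the refresh token onto the new access token, and createJwtAccessToken (third hunk) turns the JoseConstants.HEADER_X509_THUMBPRINT_SHA256 property into a cnf claim, so a refreshed JWT will assert a certificate binding that was established when the original token was issued rather than verified at refresh time. If refresh tokens carry that property (presumably inherited from the certCnf handling seen before the second hunk), the refresh path should confirm the current request's client certificate matches before the binding is propagated, or recompute the binding from the current request instead of inheriting it; as written, nothing in the hunk ties the copied thumbprint to the presenting client. At minimum the line deserves a comment stating the intent, e.g. `// carry over extra properties (incl. the cert thumbprint used for the cnf claim) so the refreshed token keeps its bindings`. doRefreshAccessToken starts before this hunk and ends in the next one.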
@@ -409,6 +410,13 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
                 throw new OAuthServiceException("Invalid scopes");
             }
         }
+
+        if (isUseJwtFormatForAccessTokens()) {
+            JwtClaims claims = createJwtAccessToken(at);
+            String jose = processJwtAccessToken(claims);
+            at.setTokenKey(jose);
+        }
+
         return at;
     }
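Review bot: The added JWT conversion block repeats, line for line, the one in the second hunk (`JwtClaims claims = createJwtAccessToken(at); String jose = processJwtAccessToken(claims); at.setTokenKey(jose);`), so the two issuing paths can drift apart again the way CXF-7797 did. Extract it into one protected helper that performs the isUseJwtFormatForAccessTokens() check and the conversion, call it from both sites, and give it a one-line Javadoc making the side effect explicit, since setTokenKey replaces the key that was generated for `at` earlier in the method. Anything before this point that captured the original key (not visible in the hunk) would be stale after the call, which is worth confirming. doRefreshAccessToken begins outside this hunk.
```java
        applyJwtFormat(at);
        return at;
    }

    /** Replaces the token key of {@code at} with its JOSE-processed JWT form when JWT access tokens are enabled. */
    protected void applyJwtFormat(ServerAccessToken at) {
        if (isUseJwtFormatForAccessTokens()) {
            JwtClaims claims = createJwtAccessToken(at);
            at.setTokenKey(processJwtAccessToken(claims));
        }
    }
```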
 
@@ -428,7 +436,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
     public boolean isRecycleRefreshTokens() {
         return this.recycleRefreshTokens;
     }
-    
+
     public void init() {
         for (OAuthPermission perm : permissionMap.values()) {
             if (defaultScopes != null && defaultScopes.contains(perm.getPermission())) {
@@ -491,14 +499,14 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
         doRemoveClient(c);
         return c;
     }
-    
+
     @Override
     public Client getClient(String clientId) {
         Client client = doGetClient(clientId);
         if (client != null) {
             return client;
         }
-        
+
         String grantType = getCurrentRequestedGrantType();
         if (OAuthConstants.CLIENT_CREDENTIALS_GRANT.equals(grantType)) {
             String clientSecret = getCurrentClientSecret();
@@ -512,12 +520,12 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
     public void setAuthenticationStrategy(ProviderAuthenticationStrategy authenticationStrategy) {
         this.authenticationStrategy = authenticationStrategy;
     }
-    
+
     protected boolean authenticateUnregisteredClient(String clientId, String clientSecret) {
         return authenticationStrategy != null
             && authenticationStrategy.authenticate(clientId, clientSecret);
     }
-    
+
     protected Client createClientCredentialsClient(String clientId, String password) {
         if (authenticateUnregisteredClient(clientId, password)) {
             Client c = new Client(clientId, password, true);
@@ -526,7 +534,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
         }
         return null;
     }
-    
+
     protected ServerAccessToken revokeAccessToken(String accessTokenKey) {
         ServerAccessToken at = getAccessToken(accessTokenKey);
         if (at != null) {
@@ -548,9 +556,9 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
     protected abstract void doRevokeAccessToken(ServerAccessToken accessToken);
     protected abstract void doRevokeRefreshToken(RefreshToken  refreshToken);
     protected abstract RefreshToken getRefreshToken(String refreshTokenKey);
-    
+
     protected abstract Client doGetClient(String clientId);
-    
+
     protected abstract void doRemoveClient(Client c);
 
     public List<String> getDefaultScopes() {