Posted to commits@cxf.apache.org by co...@apache.org on 2018/07/17 17:03:58 UTC
[cxf] 04/05: CXF-7797 - Refreshed access tokens are not issued in
JWT format when setUseJwtFormatForAccessTokens is set
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git
commit 81466c273d7262183e9a96ade22480f032db53f4
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Tue Jul 17 15:54:28 2018 +0100
CXF-7797 - Refreshed access tokens are not issued in JWT format when setUseJwtFormatForAccessTokens is set
---
.../oauth2/provider/AbstractOAuthDataProvider.java | 38 +++++++++++++---------
1 file changed, 23 insertions(+), 15 deletions(-)
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
index 89a45b1..41289ed 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
@@ -59,7 +59,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
private OAuthJoseJwtProducer jwtAccessTokenProducer;
private Map<String, String> jwtAccessTokenClaimMap;
private ProviderAuthenticationStrategy authenticationStrategy;
-
+
protected AbstractOAuthDataProvider() {
}
@@ -96,7 +96,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
at.getExtraProperties().put(JoseConstants.HEADER_X509_THUMBPRINT_SHA256, certCnf);
}
}
-
+
if (isUseJwtFormatForAccessTokens()) {
JwtClaims claims = createJwtAccessToken(at);
String jose = processJwtAccessToken(claims);
@@ -151,8 +151,8 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
Map<String, String> actualExtraProps = new HashMap<String, String>();
for (Map.Entry<String, String> entry : at.getExtraProperties().entrySet()) {
if (JoseConstants.HEADER_X509_THUMBPRINT_SHA256.equals(entry.getKey())) {
- claims.setClaim(JwtConstants.CLAIM_CONFIRMATION,
- Collections.singletonMap(JoseConstants.HEADER_X509_THUMBPRINT_SHA256,
+ claims.setClaim(JwtConstants.CLAIM_CONFIRMATION,
+ Collections.singletonMap(JoseConstants.HEADER_X509_THUMBPRINT_SHA256,
entry.getValue()));
} else {
actualExtraProps.put(entry.getKey(), entry.getValue());
@@ -279,7 +279,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
throw new OAuthServiceException("Requested scopes can not be mapped");
}
-
+
protected void checkRequestedScopes(Client client, List<String> requestedScopes) {
if (requiredScopes != null && !requestedScopes.containsAll(requiredScopes)) {
throw new OAuthServiceException("Required scopes are missing");
@@ -309,7 +309,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
for (ServerAccessToken at : getAccessTokens(client, sub)) {
if (at.getClient().getClientId().equals(client.getClientId())
&& at.getGrantType().equals(grantType)
- && (sub == null && at.getSubject() == null
+ && (sub == null && at.getSubject() == null
|| sub != null && at.getSubject().getLogin().equals(sub.getLogin()))) {
token = at;
break;
@@ -337,7 +337,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
protected MultivaluedMap<String, String> getCurrentTokenRequestParams() {
if (messageContext != null) {
@SuppressWarnings("unchecked")
- MultivaluedMap<String, String> params =
+ MultivaluedMap<String, String> params =
(MultivaluedMap<String, String>)messageContext.get(OAuthConstants.TOKEN_REQUEST_PARAMS);
return params;
}
@@ -398,6 +398,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
at.setSubject(oldRefreshToken.getSubject());
at.setNonce(oldRefreshToken.getNonce());
at.setClientCodeVerifier(oldRefreshToken.getClientCodeVerifier());
+ at.getExtraProperties().putAll(oldRefreshToken.getExtraProperties());
if (restrictedScopes.isEmpty()) {
at.setScopes(oldRefreshToken.getScopes() != null
? new ArrayList<OAuthPermission>(oldRefreshToken.getScopes()) : null);
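Review bot: The added `putAll` on the refresh path copies every extra property of the old refresh token verbatim, which would include the `x5t#S256` thumbprint that createAccessToken stores under HEADER_X509_THUMBPRINT_SHA256 and that createJwtAccessToken later turns into the `cnf` claim, if the refresh token retains that property (not visible here). A refreshed access token would then be certificate-bound to whatever certificate was stored with the original grant rather than to the certificate presented on the refresh request, so a refresh over a different or absent mTLS connection silently reuses the old binding. Worth either re-deriving the thumbprint from the current request here, as createAccessToken does, or documenting the inheritance with `// cnf thumbprint is inherited from the refresh token, not re-derived from the current client certificate`. The enclosing method's signature and the rest of its body lie outside this hunk.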
@@ -409,6 +410,13 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
throw new OAuthServiceException("Invalid scopes");
}
}
+
+ if (isUseJwtFormatForAccessTokens()) {
+ JwtClaims claims = createJwtAccessToken(at);
+ String jose = processJwtAccessToken(claims);
+ at.setTokenKey(jose);
+ }
+
return at;
}
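Review bot: The three new lines at `if (isUseJwtFormatForAccessTokens())` are a verbatim copy of the block in createAccessToken, so the two code paths can drift again the next time the JWT pipeline changes (the very class of bug this commit fixes). Pulling them into one private helper, e.g. `private void applyJwtTokenKey(ServerAccessToken at) { if (isUseJwtFormatForAccessTokens()) { at.setTokenKey(processJwtAccessToken(createJwtAccessToken(at))); } }`, called from both places, keeps the issuance logic in one spot. Note also that the JWT is minted after scopes are restricted, which is correct, but any fields set on `at` by code earlier in this method that is outside the hunk (issued-at, expiry, audiences) must all be populated before this point or the claims will be stale; the method starts outside the hunk so that ordering cannot be confirmed here.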
@@ -428,7 +436,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
public boolean isRecycleRefreshTokens() {
return this.recycleRefreshTokens;
}
-
+
public void init() {
for (OAuthPermission perm : permissionMap.values()) {
if (defaultScopes != null && defaultScopes.contains(perm.getPermission())) {
@@ -491,14 +499,14 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
doRemoveClient(c);
return c;
}
-
+
@Override
public Client getClient(String clientId) {
Client client = doGetClient(clientId);
if (client != null) {
return client;
}
-
+
String grantType = getCurrentRequestedGrantType();
if (OAuthConstants.CLIENT_CREDENTIALS_GRANT.equals(grantType)) {
String clientSecret = getCurrentClientSecret();
@@ -512,12 +520,12 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
public void setAuthenticationStrategy(ProviderAuthenticationStrategy authenticationStrategy) {
this.authenticationStrategy = authenticationStrategy;
}
-
+
protected boolean authenticateUnregisteredClient(String clientId, String clientSecret) {
return authenticationStrategy != null
&& authenticationStrategy.authenticate(clientId, clientSecret);
}
-
+
protected Client createClientCredentialsClient(String clientId, String password) {
if (authenticateUnregisteredClient(clientId, password)) {
Client c = new Client(clientId, password, true);
@@ -526,7 +534,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
}
return null;
}
-
+
protected ServerAccessToken revokeAccessToken(String accessTokenKey) {
ServerAccessToken at = getAccessToken(accessTokenKey);
if (at != null) {
@@ -548,9 +556,9 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
protected abstract void doRevokeAccessToken(ServerAccessToken accessToken);
protected abstract void doRevokeRefreshToken(RefreshToken refreshToken);
protected abstract RefreshToken getRefreshToken(String refreshTokenKey);
-
+
protected abstract Client doGetClient(String clientId);
-
+
protected abstract void doRemoveClient(Client c);
public List<String> getDefaultScopes() {