Posted to commits@cxf.apache.org by se...@apache.org on 2015/08/14 17:04:51 UTC
cxf git commit: Trying to align various jose jwt abstract utility code
Repository: cxf
Updated Branches:
refs/heads/master 5f488ea70 -> fa612d157
Trying to align various jose jwt abstract utility code
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/fa612d15
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/fa612d15
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/fa612d15
Branch: refs/heads/master
Commit: fa612d1571b0b20593b1f028514a0870f9be8307
Parents: 5f488ea
Author: Sergey Beryozkin <sb...@gmail.com>
Authored: Fri Aug 14 16:04:36 2015 +0100
Committer: Sergey Beryozkin <sb...@gmail.com>
Committed: Fri Aug 14 16:04:36 2015 +0100
----------------------------------------------------------------------
.../samples/jax_rs/basic_oidc/README.txt | 4 +-
.../release/samples/jax_rs/big_query/README.txt | 8 ++-
.../java/demo/jaxrs/server/BigQueryServer.java | 3 +
.../rs/security/jose/AbstractJoseConsumer.java | 8 +--
.../rs/security/jose/AbstractJoseProducer.java | 8 +--
.../jose/jwt/AbstractJoseJwtConsumer.java | 23 ++++--
.../jose/jwt/AbstractJoseJwtProducer.java | 19 ++++-
.../provider/AbstractOAuthJoseJwtConsumer.java | 76 ++++++++++++++++++++
.../provider/AbstractOAuthJoseJwtProducer.java | 55 ++++++--------
.../AbstractOAuthServerJoseJwtProducer.java | 65 +++++++++++++++++
.../oidc/idp/IdTokenCodeResponseFilter.java | 7 +-
.../rs/security/oidc/idp/UserInfoService.java | 13 +++-
.../oidc/rp/AbstractTokenValidator.java | 4 +-
.../cxf/rs/security/oidc/rp/IdTokenReader.java | 19 ++---
.../oidc/rp/OidcClientCodeRequestFilter.java | 6 +-
.../oidc/rp/OidcIdTokenRequestFilter.java | 2 +-
.../cxf/rs/security/oidc/rp/UserInfoClient.java | 15 ++--
17 files changed, 258 insertions(+), 77 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/fa612d15/distribution/src/main/release/samples/jax_rs/basic_oidc/README.txt
----------------------------------------------------------------------
diff --git a/distribution/src/main/release/samples/jax_rs/basic_oidc/README.txt b/distribution/src/main/release/samples/jax_rs/basic_oidc/README.txt
index 2315c03..bb5057e 100644
--- a/distribution/src/main/release/samples/jax_rs/basic_oidc/README.txt
+++ b/distribution/src/main/release/samples/jax_rs/basic_oidc/README.txt
@@ -13,6 +13,8 @@ Build the demo with "mvn install" and start it with
mvn jetty:run-war -Dclient_id=${client_id}
-Then start a browser and go to "localhost:8080/user/simpleLogin.jsp"
+Then start a browser and go to
+
+https://localhost:8080/user/simpleLogin.html
http://git-wip-us.apache.org/repos/asf/cxf/blob/fa612d15/distribution/src/main/release/samples/jax_rs/big_query/README.txt
----------------------------------------------------------------------
diff --git a/distribution/src/main/release/samples/jax_rs/big_query/README.txt b/distribution/src/main/release/samples/jax_rs/big_query/README.txt
index 618e3b0..6c29c99 100644
--- a/distribution/src/main/release/samples/jax_rs/big_query/README.txt
+++ b/distribution/src/main/release/samples/jax_rs/big_query/README.txt
@@ -25,7 +25,9 @@ mvn jetty:run-war -Dclient_id=${client_id} -Dclient_secret=${client_secret} -Dpr
where ${client_id} and ${client_secret} are Client Id and Secret, and ${project_id} is the id of your Google project.
-Then start a browser and go to "localhost:8080/bigquery/simpleLogin.jsp"
+Then start a browser and go to
+
+https://localhost:8080/bigquery/simpleLogin.jsp
2. Server to Server Flow.
@@ -36,9 +38,9 @@ choose "Generate New P12 Key" and save it to the local disk.
Build the demo with "mvn install" and start it with
-mvn exec:java -Dexec.args="/home/pathto/BigQueryProjectKey.p12 notasecret ${client_id} ${project_id}"
+mvn exec:java -Dexec.args="/home/pathto/BigQueryProjectKey.p12 notasecret ${client_email} ${project_id}"
-where ${client_id} is Client Id and ${project_id} is the id of your Google project.
+where ${client_email} is Service Account Client Email and ${project_id} is the id of your Google project.
http://git-wip-us.apache.org/repos/asf/cxf/blob/fa612d15/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryServer.java
----------------------------------------------------------------------
diff --git a/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryServer.java b/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryServer.java
index f82fa7a..9a2c21c 100644
--- a/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryServer.java
+++ b/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryServer.java
@@ -28,6 +28,7 @@ import java.util.List;
import javax.ws.rs.core.MediaType;
+import org.apache.cxf.interceptor.LoggingInInterceptor;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.jaxrs.provider.json.JsonMapObjectProvider;
import org.apache.cxf.rs.security.jose.JoseType;
@@ -91,6 +92,8 @@ public final class BigQueryServer {
WebClient accessTokenService = WebClient.create("https://www.googleapis.com/oauth2/v3/token",
Arrays.asList(new OAuthJSONProvider(),
new AccessTokenGrantWriter()));
+ WebClient.getConfig(accessTokenService).getInInterceptors().add(new LoggingInInterceptor());
+
accessTokenService.type(MediaType.APPLICATION_FORM_URLENCODED).accept(MediaType.APPLICATION_JSON);
return accessTokenService.post(grant, ClientAccessToken.class);
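Review bot: The `LoggingInInterceptor` added to `accessTokenService` logs the full token-endpoint response, and that response is the `ClientAccessToken` returned on the next line, so the sample writes a bearer credential to its log on every call; this is exactly the kind of line that gets copied from samples into production code. If it is meant for debugging, gate it, e.g. `if (Boolean.getBoolean("bigquery.debug")) { WebClient.getConfig(accessTokenService).getInInterceptors().add(new LoggingInInterceptor()); }`, and add a comment such as `// logs the raw token response, including the access token` so the trade-off is visible. The enclosing method starts and ends outside the hunk.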
http://git-wip-us.apache.org/repos/asf/cxf/blob/fa612d15/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/AbstractJoseConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/AbstractJoseConsumer.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/AbstractJoseConsumer.java
index 64e5f16..98886ce 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/AbstractJoseConsumer.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/AbstractJoseConsumer.java
@@ -35,17 +35,17 @@ public abstract class AbstractJoseConsumer {
this.jwsVerifier = theJwsVerifier;
}
- protected JweDecryptionProvider getInitializedDecryptionProvider(boolean required) {
+ protected JweDecryptionProvider getInitializedDecryptionProvider() {
if (jweDecryptor != null) {
return jweDecryptor;
}
- return JweUtils.loadDecryptionProvider(required);
+ return JweUtils.loadDecryptionProvider(false);
}
- protected JwsSignatureVerifier getInitializedSignatureVerifier(boolean required) {
+ protected JwsSignatureVerifier getInitializedSignatureVerifier() {
if (jwsVerifier != null) {
return jwsVerifier;
}
- return JwsUtils.loadSignatureVerifier(required);
+ return JwsUtils.loadSignatureVerifier(false);
}
}
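Review bot: Dropping the `required` parameter means `getInitializedDecryptionProvider()` and `getInitializedSignatureVerifier()` now always load with `false`, so a missing JWS/JWE configuration surfaces as a `null` return instead of an error raised inside `JwsUtils`/`JweUtils`; the new null checks in `AbstractJoseJwtConsumer.getJwtToken` cover that caller, but any other subclass calling these protected methods must now null-check. It is also a source-incompatible change to a protected API (the `boolean` overloads are removed rather than deprecated), which deserves a mention in the commit message. A one-line Javadoc on each method, `@return the explicitly set provider, else the one loaded from properties, else null`, would make the new contract explicit. The same applies to `AbstractJoseProducer.getInitializedSignatureProvider()` and `getInitializedEncryptionProvider()` in the next hunk.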
http://git-wip-us.apache.org/repos/asf/cxf/blob/fa612d15/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/AbstractJoseProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/AbstractJoseProducer.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/AbstractJoseProducer.java
index c590ef9..f506943 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/AbstractJoseProducer.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/AbstractJoseProducer.java
@@ -27,18 +27,18 @@ public abstract class AbstractJoseProducer {
private JwsSignatureProvider sigProvider;
private JweEncryptionProvider encryptionProvider;
- protected JwsSignatureProvider getInitializedSignatureProvider(boolean required) {
+ protected JwsSignatureProvider getInitializedSignatureProvider() {
if (sigProvider != null) {
return sigProvider;
}
- return JwsUtils.loadSignatureProvider(required);
+ return JwsUtils.loadSignatureProvider(false);
}
- protected JweEncryptionProvider getInitializedEncryptionProvider(boolean required) {
+ protected JweEncryptionProvider getInitializedEncryptionProvider() {
if (encryptionProvider != null) {
return encryptionProvider;
}
- return JweUtils.loadEncryptionProvider(required);
+ return JweUtils.loadEncryptionProvider(false);
}
public void setEncryptionProvider(JweEncryptionProvider encryptionProvider) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/fa612d15/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtConsumer.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtConsumer.java
index 608f09e..4de976d 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtConsumer.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtConsumer.java
@@ -28,21 +28,36 @@ public abstract class AbstractJoseJwtConsumer extends AbstractJoseConsumer {
private boolean jwsRequired = true;
private boolean jweRequired;
+
protected JwtToken getJwtToken(String wrappedJwtToken) {
+ return getJwtToken(wrappedJwtToken, null, null);
+ }
+ protected JwtToken getJwtToken(String wrappedJwtToken,
+ JweDecryptionProvider jweDecryptor,
+ JwsSignatureVerifier theSigVerifier) {
if (!isJwsRequired() && !isJweRequired()) {
throw new JwtException("Unable to process JWT");
}
- JweDecryptionProvider jweDecryptor = getInitializedDecryptionProvider(isJweRequired());
+ if (jweDecryptor == null) {
+ jweDecryptor = getInitializedDecryptionProvider();
+ }
if (jweDecryptor != null) {
if (!isJwsRequired()) {
return new JweJwtCompactConsumer(wrappedJwtToken).decryptWith(jweDecryptor);
}
wrappedJwtToken = jweDecryptor.decrypt(wrappedJwtToken).getContentText();
- }
+ } else if (isJweRequired()) {
+ throw new JwtException("Unable to decrypt JWT");
+ }
JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(wrappedJwtToken);
JwtToken jwt = jwtConsumer.getJwtToken();
- JwsSignatureVerifier theSigVerifier = getInitializedSignatureVerifier(jwt);
+ if (theSigVerifier == null) {
+ theSigVerifier = getInitializedSignatureVerifier(jwt);
+ }
+ if (theSigVerifier == null && isJwsRequired()) {
+ throw new JwtException("Unable to validate JWT");
+ }
if (!jwtConsumer.verifySignatureWith(theSigVerifier)) {
throw new JwtException("Invalid Signature");
}
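Review bot: The new three-argument `getJwtToken` has no Javadoc, and its contract is subtle: a non-null `jweDecryptor` or `theSigVerifier` takes precedence over both the configured providers and the `getInitializedSignatureVerifier(JwtToken)` hook (which subclasses presumably override to choose a key from the token header), while null means fall back. A short Javadoc with `@param jweDecryptor decryptor to use, or null to fall back to the configured/loaded one` and the same for `theSigVerifier` would save overriders a surprise; the new `processJwt(JwtToken, JweEncryptionProvider, JwsSignatureProvider)` overload in `AbstractJoseJwtProducer` needs the same. Reassigning the parameters in the body also reads awkwardly; copying them into locals before the fallback logic would keep the flow obvious. `getJwtToken` continues past the end of the hunk.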
@@ -50,7 +65,7 @@ public abstract class AbstractJoseJwtConsumer extends AbstractJoseConsumer {
return jwt;
}
protected JwsSignatureVerifier getInitializedSignatureVerifier(JwtToken jwt) {
- return super.getInitializedSignatureVerifier(isJwsRequired());
+ return super.getInitializedSignatureVerifier();
}
protected void validateToken(JwtToken jwt) {
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/fa612d15/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtProducer.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtProducer.java
index b90b386..95dc586 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtProducer.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtProducer.java
@@ -30,14 +30,29 @@ public abstract class AbstractJoseJwtProducer extends AbstractJoseProducer {
private boolean jweRequired;
protected String processJwt(JwtToken jwt) {
+ return processJwt(jwt, null, null);
+ }
+ protected String processJwt(JwtToken jwt,
+ JweEncryptionProvider theEncProvider,
+ JwsSignatureProvider theSigProvider) {
if (!isJwsRequired() && !isJweRequired()) {
throw new JwtException("Unable to secure JWT");
}
String data = null;
- JweEncryptionProvider theEncProvider = getInitializedEncryptionProvider(isJweRequired());
+ if (theEncProvider == null) {
+ theEncProvider = getInitializedEncryptionProvider();
+ }
+ if (theEncProvider == null && isJweRequired()) {
+ throw new JwtException("Unable to encrypt JWT");
+ }
if (isJwsRequired()) {
+ if (theSigProvider == null) {
+ theSigProvider = getInitializedSignatureProvider();
+ }
+ if (theSigProvider == null) {
+ throw new JwtException("Unable to sign JWT");
+ }
JwsJwtCompactProducer jws = new JwsJwtCompactProducer(jwt);
- JwsSignatureProvider theSigProvider = getInitializedSignatureProvider(isJwsRequired());
data = jws.signWith(theSigProvider);
if (theEncProvider != null) {
data = theEncProvider.encrypt(StringUtils.toBytesUTF8(data), null);
http://git-wip-us.apache.org/repos/asf/cxf/blob/fa612d15/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java
new file mode 100644
index 0000000..a5eccc7
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java
@@ -0,0 +1,76 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.provider;
+
+import javax.crypto.SecretKey;
+
+import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
+import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
+import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
+import org.apache.cxf.rs.security.jose.jwe.JweUtils;
+import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
+import org.apache.cxf.rs.security.jose.jws.JwsUtils;
+import org.apache.cxf.rs.security.jose.jwt.AbstractJoseJwtConsumer;
+import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+import org.apache.cxf.rt.security.crypto.CryptoUtils;
+
+public abstract class AbstractOAuthJoseJwtConsumer extends AbstractJoseJwtConsumer {
+
+ private boolean decryptWithClientSecret;
+ private boolean verifyWithClientSecret;
+
+ protected JwtToken getJwtToken(String wrappedJwtToken, String clientSecret) {
+ return getJwtToken(wrappedJwtToken,
+ getInitializedDecryptionProvider(clientSecret),
+ getInitializedSignatureVerifier(clientSecret));
+ }
+
+ protected JwsSignatureVerifier getInitializedSignatureVerifier(String clientSecret) {
+ if (verifyWithClientSecret) {
+ byte[] hmac = CryptoUtils.decodeSequence(clientSecret);
+ return JwsUtils.getHmacSignatureVerifier(hmac, SignatureAlgorithm.HS256);
+ }
+ return super.getInitializedSignatureVerifier();
+ }
+ protected JweDecryptionProvider getInitializedDecryptionProvider(String clientSecret) {
+ JweDecryptionProvider theDecryptionProvider = null;
+ if (decryptWithClientSecret) {
+ SecretKey key = CryptoUtils.decodeSecretKey(clientSecret);
+ theDecryptionProvider = JweUtils.getDirectKeyJweDecryption(key, ContentAlgorithm.A128GCM);
+ }
+ if (theDecryptionProvider == null) {
+ theDecryptionProvider = super.getInitializedDecryptionProvider();
+ }
+ return theDecryptionProvider;
+
+ }
+
+ public void setDecryptWithClientSecret(boolean decryptWithClientSecret) {
+ if (verifyWithClientSecret) {
+ throw new SecurityException();
+ }
+ this.decryptWithClientSecret = verifyWithClientSecret;
+ }
+ public void setVerifyWithClientSecret(boolean verifyWithClientSecret) {
+ if (verifyWithClientSecret) {
+ throw new SecurityException();
+ }
+ this.verifyWithClientSecret = verifyWithClientSecret;
+ }
+}
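Review bot: Both setters at the bottom of the file are wrong: `setDecryptWithClientSecret` stores `verifyWithClientSecret` (necessarily false once the guard has passed) instead of its own argument, and `setVerifyWithClientSecret` tests its own parameter rather than the `decryptWithClientSecret` field, so any attempt to enable secret-based verification throws `SecurityException`. The mutual exclusion that `AbstractOAuthJoseJwtProducer.setEncryptWithClientSecret` implements is what was intended; the fixes are `this.decryptWithClientSecret = decryptWithClientSecret;` and `if (decryptWithClientSecret) {` respectively. Until then the HS256 and A128GCM client-secret paths in this class are unreachable, which also means they have not been exercised. When `verifyWithClientSecret` is on, `getInitializedSignatureVerifier(String)` passes the raw secret to `CryptoUtils.decodeSequence` with no null check; whether the HMAC helper enforces the 256-bit minimum HS256 key size is not visible here and is worth confirming.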
http://git-wip-us.apache.org/repos/asf/cxf/blob/fa612d15/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java
index aa85a53..e5bf012 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java
@@ -18,62 +18,45 @@
*/
package org.apache.cxf.rs.security.oauth2.provider;
-import java.security.cert.X509Certificate;
-import java.security.interfaces.RSAPublicKey;
-
import javax.crypto.SecretKey;
import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
-import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
import org.apache.cxf.rs.security.jose.jwe.JweUtils;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
import org.apache.cxf.rs.security.jose.jws.JwsUtils;
import org.apache.cxf.rs.security.jose.jwt.AbstractJoseJwtProducer;
-import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rt.security.crypto.CryptoUtils;
public abstract class AbstractOAuthJoseJwtProducer extends AbstractJoseJwtProducer {
- private boolean encryptWithClientCertificates;
private boolean encryptWithClientSecret;
private boolean signWithClientSecret;
- protected JwsSignatureProvider getInitializedSignatureProvider(Client c, boolean required) {
+ protected String processJwt(JwtToken jwt, String clientSecret) {
+ return processJwt(jwt,
+ getInitializedEncryptionProvider(clientSecret),
+ getInitializedSignatureProvider(clientSecret));
+ }
+
+ protected JwsSignatureProvider getInitializedSignatureProvider(String clientSecret) {
if (signWithClientSecret) {
- byte[] hmac = CryptoUtils.decodeSequence(c.getClientSecret());
+ byte[] hmac = CryptoUtils.decodeSequence(clientSecret);
return JwsUtils.getHmacSignatureProvider(hmac, SignatureAlgorithm.HS256);
- }
- return super.getInitializedSignatureProvider(required);
- }
- protected JweEncryptionProvider getInitializedEncryptionProvider(Client c, boolean required) {
- JweEncryptionProvider theEncryptionProvider = null;
- if (encryptWithClientSecret) {
- SecretKey key = CryptoUtils.decodeSecretKey(c.getClientSecret());
- theEncryptionProvider = JweUtils.getDirectKeyJweEncryption(key, ContentAlgorithm.A128GCM);
- } else if (encryptWithClientCertificates) {
- X509Certificate cert =
- (X509Certificate)CryptoUtils.decodeCertificate(c.getApplicationCertificates().get(0));
- theEncryptionProvider = JweUtils.createJweEncryptionProvider((RSAPublicKey)cert.getPublicKey(),
- KeyAlgorithm.RSA_OAEP,
- ContentAlgorithm.A128GCM,
- null);
- }
- if (theEncryptionProvider == null) {
- theEncryptionProvider = super.getInitializedEncryptionProvider(required);
}
- return theEncryptionProvider;
-
+ return null;
}
-
- public void setEncryptWithClientCertificates(boolean encryptWithClientCertificates) {
+ protected JweEncryptionProvider getInitializedEncryptionProvider(String clientSecret) {
if (encryptWithClientSecret) {
- throw new SecurityException();
+ SecretKey key = CryptoUtils.decodeSecretKey(clientSecret);
+ return JweUtils.getDirectKeyJweEncryption(key, ContentAlgorithm.A128GCM);
}
- this.encryptWithClientCertificates = encryptWithClientCertificates;
+ return null;
}
+
public void setEncryptWithClientSecret(boolean encryptWithClientSecret) {
- if (signWithClientSecret || encryptWithClientCertificates) {
+ if (signWithClientSecret) {
throw new SecurityException();
}
this.encryptWithClientSecret = encryptWithClientSecret;
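Review bot: `getInitializedSignatureProvider(String)` and `getInitializedEncryptionProvider(String)` hand the raw client secret to `CryptoUtils.decodeSequence`/`decodeSecretKey` with no null or length check, so a client without a secret fails with a NullPointerException from inside the crypto utilities, and whether a short secret is rejected as an HS256 key (RFC 7518 asks for at least 256 bits) or as a 128-bit AES-GCM key depends on what `JwsUtils.getHmacSignatureProvider` and `decodeSecretKey` enforce, which this hunk does not show. A guard at the top of each secret branch, `if (clientSecret == null) { throw new SecurityException("Client secret is required"); }`, gives a clear failure and documents the assumption. The same pattern appears in `AbstractOAuthJoseJwtConsumer.getInitializedSignatureVerifier(String)` and `getInitializedDecryptionProvider(String)`.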
@@ -84,4 +67,10 @@ public abstract class AbstractOAuthJoseJwtProducer extends AbstractJoseJwtProduc
}
this.signWithClientSecret = signWithClientSecret;
}
+ public boolean isSignWithClientSecret() {
+ return signWithClientSecret;
+ }
+ public boolean isEncryptWithClientSecret() {
+ return encryptWithClientSecret;
+ }
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/fa612d15/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthServerJoseJwtProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthServerJoseJwtProducer.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthServerJoseJwtProducer.java
new file mode 100644
index 0000000..31d8506
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthServerJoseJwtProducer.java
@@ -0,0 +1,65 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.provider;
+
+import java.security.cert.X509Certificate;
+import java.security.interfaces.RSAPublicKey;
+
+import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
+import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
+import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
+import org.apache.cxf.rs.security.jose.jwe.JweUtils;
+import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rt.security.crypto.CryptoUtils;
+
+public abstract class AbstractOAuthServerJoseJwtProducer extends AbstractOAuthJoseJwtProducer {
+ private boolean encryptWithClientCertificates;
+
+ protected String processJwt(JwtToken jwt, Client client) {
+ return processJwt(jwt,
+ getInitializedEncryptionProvider(client),
+ getInitializedSignatureProvider(client.getClientSecret()));
+ }
+
+ protected JweEncryptionProvider getInitializedEncryptionProvider(Client c) {
+ JweEncryptionProvider theEncryptionProvider = null;
+ if (encryptWithClientCertificates) {
+ X509Certificate cert =
+ (X509Certificate)CryptoUtils.decodeCertificate(c.getApplicationCertificates().get(0));
+ theEncryptionProvider = JweUtils.createJweEncryptionProvider((RSAPublicKey)cert.getPublicKey(),
+ KeyAlgorithm.RSA_OAEP,
+ ContentAlgorithm.A128GCM,
+ null);
+ }
+ if (theEncryptionProvider == null) {
+ theEncryptionProvider = super.getInitializedEncryptionProvider(c.getClientSecret());
+ }
+ return theEncryptionProvider;
+
+ }
+
+ public void setEncryptWithClientCertificates(boolean encryptWithClientCertificates) {
+ if (isEncryptWithClientSecret()) {
+ throw new SecurityException();
+ }
+ this.encryptWithClientCertificates = encryptWithClientCertificates;
+ }
+
+}
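Review bot: `getInitializedEncryptionProvider(Client)` calls `c.getApplicationCertificates().get(0)` with no check that the registered list is present and non-empty, and casts the public key to `RSAPublicKey` unconditionally, so a client registered without a certificate or with a non-RSA one fails with an IndexOutOfBounds/NullPointer/ClassCastException rather than a meaningful error. The mutual exclusion with secret-based encryption is also one-directional now: `setEncryptWithClientCertificates` rejects the secret mode, but `AbstractOAuthJoseJwtProducer.setEncryptWithClientSecret` in this commit no longer knows about certificates, so enabling the secret mode after the certificate mode is accepted and the certificate branch silently wins. Guard the certificate lookup and override the parent setter here:
```java
    protected JweEncryptionProvider getInitializedEncryptionProvider(Client c) {
        JweEncryptionProvider theEncryptionProvider = null;
        if (encryptWithClientCertificates) {
            if (c.getApplicationCertificates() == null || c.getApplicationCertificates().isEmpty()) {
                throw new SecurityException("Client has no application certificate to encrypt with");
            }
            X509Certificate cert =
                (X509Certificate)CryptoUtils.decodeCertificate(c.getApplicationCertificates().get(0));
            if (!(cert.getPublicKey() instanceof RSAPublicKey)) {
                throw new SecurityException("Client certificate does not carry an RSA public key");
            }
            theEncryptionProvider = JweUtils.createJweEncryptionProvider((RSAPublicKey)cert.getPublicKey(),
                                                                        KeyAlgorithm.RSA_OAEP,
                                                                        ContentAlgorithm.A128GCM,
                                                                        null);
        }
        // … unchanged: fallback to super.getInitializedEncryptionProvider(c.getClientSecret()) …
    }

    @Override
    public void setEncryptWithClientSecret(boolean encryptWithClientSecret) {
        if (encryptWithClientCertificates) {
            throw new SecurityException();
        }
        super.setEncryptWithClientSecret(encryptWithClientSecret);
    }
```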
http://git-wip-us.apache.org/repos/asf/cxf/blob/fa612d15/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenCodeResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenCodeResponseFilter.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenCodeResponseFilter.java
index 15b2c8a..62902af 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenCodeResponseFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenCodeResponseFilter.java
@@ -21,12 +21,12 @@ package org.apache.cxf.rs.security.oidc.idp;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
-import org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthJoseJwtProducer;
+import org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthServerJoseJwtProducer;
import org.apache.cxf.rs.security.oauth2.provider.AccessTokenResponseFilter;
import org.apache.cxf.rs.security.oidc.common.IdToken;
import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
-public class IdTokenCodeResponseFilter extends AbstractOAuthJoseJwtProducer implements AccessTokenResponseFilter {
+public class IdTokenCodeResponseFilter extends AbstractOAuthServerJoseJwtProducer implements AccessTokenResponseFilter {
private UserInfoProvider userInfoProvider;
private String issuer;
@Override
@@ -36,7 +36,8 @@ public class IdTokenCodeResponseFilter extends AbstractOAuthJoseJwtProducer impl
token.setIssuer(issuer);
token.setAudience(st.getClient().getClientId());
- String responseEntity = super.processJwt(new JwtToken(token));
+ String responseEntity = super.processJwt(new JwtToken(token),
+ st.getClient());
ct.getParameters().put(OidcUtils.ID_TOKEN, responseEntity);
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/fa612d15/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
index 97ab548..7e3ef8f 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
@@ -27,13 +27,15 @@ import javax.ws.rs.core.Response;
import org.apache.cxf.jaxrs.ext.MessageContext;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.oauth2.common.OAuthContext;
-import org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthJoseJwtProducer;
+import org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthServerJoseJwtProducer;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider;
import org.apache.cxf.rs.security.oauth2.utils.OAuthContextUtils;
import org.apache.cxf.rs.security.oidc.common.UserInfo;
@Path("/userinfo")
-public class UserInfoService extends AbstractOAuthJoseJwtProducer {
+public class UserInfoService extends AbstractOAuthServerJoseJwtProducer {
private UserInfoProvider userInfoProvider;
+ private OAuthDataProvider oauthDataProvider;
private String issuer;
@Context
@@ -50,7 +52,8 @@ public class UserInfoService extends AbstractOAuthJoseJwtProducer {
userInfo.setAudience(oauth.getClientId());
Object responseEntity = userInfo;
if (super.isJwsRequired() || super.isJweRequired()) {
- responseEntity = super.processJwt(new JwtToken(userInfo));
+ responseEntity = super.processJwt(new JwtToken(userInfo),
+ oauthDataProvider.getClient(oauth.getClientId()));
}
return Response.ok(responseEntity).build();
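Review bot: `oauthDataProvider.getClient(oauth.getClientId())` dereferences a field that is only populated through the new `setOauthDataProvider` setter, and the result goes straight into `processJwt`, which calls `client.getClientSecret()` on it; a service configured with JWS/JWE required but without the data provider, or a client id for which `getClient` returns null (its contract is not visible here), fails with a NullPointerException instead of a proper OAuth error. Assign the lookup to a local, `Client client = oauthDataProvider.getClient(oauth.getClientId());`, and throw a descriptive exception when either the provider or the client is null. A comment on `setOauthDataProvider` saying it is mandatory whenever the user info must be signed or encrypted would document the dependency. The enclosing method starts outside the hunk.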
@@ -62,4 +65,8 @@ public class UserInfoService extends AbstractOAuthJoseJwtProducer {
public void setUserInfoProvider(UserInfoProvider userInfoProvider) {
this.userInfoProvider = userInfoProvider;
}
+
+ public void setOauthDataProvider(OAuthDataProvider oauthDataProvider) {
+ this.oauthDataProvider = oauthDataProvider;
+ }
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/fa612d15/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
index e79c4f0..f56651f 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
@@ -26,12 +26,12 @@ import org.apache.cxf.rs.security.jose.jwk.JsonWebKeys;
import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
import org.apache.cxf.rs.security.jose.jws.JwsUtils;
-import org.apache.cxf.rs.security.jose.jwt.AbstractJoseJwtConsumer;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
+import org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthJoseJwtConsumer;
-public abstract class AbstractTokenValidator extends AbstractJoseJwtConsumer {
+public abstract class AbstractTokenValidator extends AbstractOAuthJoseJwtConsumer {
private static final String SELF_ISSUED_ISSUER = "https://self-issued.me";
private String issuerId;
private int issuedAtRange;
http://git-wip-us.apache.org/repos/asf/cxf/blob/fa612d15/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
index 63161d5..e5dc3c7 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
@@ -19,29 +19,30 @@
package org.apache.cxf.rs.security.oidc.rp;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+import org.apache.cxf.rs.security.oauth2.client.Consumer;
import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
import org.apache.cxf.rs.security.oidc.common.IdToken;
import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
public class IdTokenReader extends AbstractTokenValidator {
private boolean requireAtHash = true;
- public IdToken getIdToken(ClientAccessToken at, String clientId) {
- JwtToken jwt = getIdJwtToken(at, clientId);
+ public IdToken getIdToken(ClientAccessToken at, Consumer client) {
+ JwtToken jwt = getIdJwtToken(at, client);
return getIdTokenFromJwt(jwt);
}
- public IdToken getIdToken(String idJwtToken, String clientId) {
- JwtToken jwt = getIdJwtToken(idJwtToken, clientId);
+ public IdToken getIdToken(String idJwtToken, Consumer client) {
+ JwtToken jwt = getIdJwtToken(idJwtToken, client);
return getIdTokenFromJwt(jwt);
}
- public JwtToken getIdJwtToken(ClientAccessToken at, String clientId) {
+ public JwtToken getIdJwtToken(ClientAccessToken at, Consumer client) {
String idJwtToken = at.getParameters().get(OidcUtils.ID_TOKEN);
- JwtToken jwt = getIdJwtToken(idJwtToken, clientId);
+ JwtToken jwt = getIdJwtToken(idJwtToken, client);
OidcUtils.validateAccessTokenHash(at, jwt, requireAtHash);
return jwt;
}
- public JwtToken getIdJwtToken(String idJwtToken, String clientId) {
- JwtToken jwt = getJwtToken(idJwtToken);
- validateJwtClaims(jwt.getClaims(), clientId, true);
+ public JwtToken getIdJwtToken(String idJwtToken, Consumer client) {
+ JwtToken jwt = getJwtToken(idJwtToken, client.getSecret());
+ validateJwtClaims(jwt.getClaims(), client.getKey(), true);
return jwt;
}
private IdToken getIdTokenFromJwt(JwtToken jwt) {
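Review bot: `getIdJwtToken(String, Consumer)` now dereferences `client` twice (`client.getSecret()` and `client.getKey()`) with no null check, whereas the previous signature only took a String id; the callers in OidcIdTokenRequestFilter and OidcClientCodeRequestFilter pass a field or getter whose non-null-ness is not visible in this diff. A guard at the top of the method, `if (client == null) { throw new IllegalArgumentException("Consumer is required to validate an id token"); }`, fails with a clear message instead of a NullPointerException. Passing `client.getSecret()` into `getJwtToken` presumably hands the client secret over as symmetric key material for signature verification or decryption; for a public client that value is null, and whether the base consumer then falls back to configured keys or rejects the token is decided in `getJwtToken`, which is outside this hunk. A one-line comment on that call, e.g. `// client secret may serve as the HMAC/decryption key; null for public clients`, would make the contract visible to the next maintainer.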
http://git-wip-us.apache.org/repos/asf/cxf/blob/fa612d15/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
index aa34cf1..18d7e40 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
@@ -60,13 +60,15 @@ public class OidcClientCodeRequestFilter extends ClientCodeRequestFilter {
}
OidcClientTokenContextImpl ctx = new OidcClientTokenContextImpl();
if (at != null) {
- IdToken idToken = idTokenReader.getIdToken(at, getConsumer().getKey());
+ IdToken idToken = idTokenReader.getIdToken(at, getConsumer());
// Validate the properties set up at the redirection time.
validateIdToken(idToken, state);
ctx.setIdToken(idToken);
if (userInfoClient != null) {
- ctx.setUserInfo(userInfoClient.getUserInfo(at, ctx.getIdToken()));
+ ctx.setUserInfo(userInfoClient.getUserInfo(at,
+ ctx.getIdToken(),
+ getConsumer()));
}
rc.setSecurityContext(new OidcSecurityContext(ctx));
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/fa612d15/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java
index cb7b25a..0cc0db4 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java
@@ -46,7 +46,7 @@ public class OidcIdTokenRequestFilter implements ContainerRequestFilter {
return;
}
- IdToken idToken = idTokenReader.getIdToken(idTokenParamValue, consumer.getKey());
+ IdToken idToken = idTokenReader.getIdToken(idTokenParamValue, consumer);
JAXRSUtils.getCurrentMessage().setContent(IdToken.class, idToken);
requestContext.setSecurityContext(new OidcSecurityContext(idToken));
http://git-wip-us.apache.org/repos/asf/cxf/blob/fa612d15/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
index 058867c..62ff26c 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
@@ -22,6 +22,7 @@ import javax.ws.rs.core.Form;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+import org.apache.cxf.rs.security.oauth2.client.Consumer;
import org.apache.cxf.rs.security.oauth2.client.OAuthClientUtils;
import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
import org.apache.cxf.rs.security.oidc.common.IdToken;
@@ -31,12 +32,12 @@ public class UserInfoClient extends AbstractTokenValidator {
private boolean sendTokenAsFormParameter;
private WebClient profileClient;
private boolean getUserInfoFromJwt;
- public UserInfo getUserInfo(ClientAccessToken at, IdToken idToken) {
+ public UserInfo getUserInfo(ClientAccessToken at, IdToken idToken, Consumer client) {
if (!sendTokenAsFormParameter) {
OAuthClientUtils.setAuthorizationHeader(profileClient, at);
if (getUserInfoFromJwt) {
String jwt = profileClient.get(String.class);
- return getUserInfoFromJwt(jwt, idToken);
+ return getUserInfoFromJwt(jwt, idToken, client);
} else {
UserInfo profile = profileClient.get(UserInfo.class);
validateUserInfo(profile, idToken);
@@ -46,7 +47,7 @@ public class UserInfoClient extends AbstractTokenValidator {
Form form = new Form().param("access_token", at.getTokenKey());
if (getUserInfoFromJwt) {
String jwt = profileClient.form(form).readEntity(String.class);
- return getUserInfoFromJwt(jwt, idToken);
+ return getUserInfoFromJwt(jwt, idToken, client);
} else {
UserInfo profile = profileClient.form(form).readEntity(UserInfo.class);
validateUserInfo(profile, idToken);
@@ -54,8 +55,10 @@ public class UserInfoClient extends AbstractTokenValidator {
}
}
}
- public UserInfo getUserInfoFromJwt(String profileJwtToken, IdToken idToken) {
- JwtToken jwt = getUserInfoJwt(profileJwtToken);
+ public UserInfo getUserInfoFromJwt(String profileJwtToken,
+ IdToken idToken,
+ Consumer client) {
+ JwtToken jwt = getUserInfoJwt(profileJwtToken, client);
return getUserInfoFromJwt(jwt, idToken);
}
public UserInfo getUserInfoFromJwt(JwtToken jwt, IdToken idToken) {
@@ -63,7 +66,7 @@ public class UserInfoClient extends AbstractTokenValidator {
validateUserInfo(profile, idToken);
return profile;
}
- public JwtToken getUserInfoJwt(String profileJwtToken) {
+ public JwtToken getUserInfoJwt(String profileJwtToken, Consumer client) {
return getJwtToken(profileJwtToken);
}
public void validateUserInfo(UserInfo profile, IdToken idToken) {
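Review bot: `getUserInfoJwt(String, Consumer)` accepts the new `client` parameter but never uses it — the body still calls the one-argument `getJwtToken(profileJwtToken)`, while the parallel change in IdTokenReader calls `getJwtToken(idJwtToken, client.getSecret())`. If the UserInfo JWT is meant to be verified or decrypted with the same client secret as the id token, the line should read `return getJwtToken(profileJwtToken, client.getSecret());`. If the one-argument form is intentional (for instance because UserInfo responses are only ever signed with provider keys), a short comment saying so would stop the next reader from "fixing" it. Either way, an unused parameter on a public method is what static checkers such as Error Prone flag, and it leaves the two validators behaving differently for the same `Consumer`.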