Posted to commits@cxf.apache.org by se...@apache.org on 2016/01/27 15:05:25 UTC

cxf git commit: Not persisting nonces if pre-authorized tokens are supported

Repository: cxf
Updated Branches:
  refs/heads/master a1710bdd7 -> 72653fd11


Not persisting nonces if pre-authorized tokens are supported


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/72653fd1
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/72653fd1
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/72653fd1

Branch: refs/heads/master
Commit: 72653fd113c3bbe0dd543200d982792802be2ae7
Parents: a1710bd
Author: Sergey Beryozkin <sb...@gmail.com>
Authored: Wed Jan 27 14:05:10 2016 +0000
Committer: Sergey Beryozkin <sb...@gmail.com>
Committed: Wed Jan 27 14:05:10 2016 +0000

----------------------------------------------------------------------
 .../grants/code/AbstractCodeDataProvider.java   | 10 ++++--
 .../code/DefaultEHCacheCodeDataProvider.java    |  2 +-
 .../provider/AbstractOAuthDataProvider.java     | 36 ++++++++++++--------
 .../oidc/idp/IdTokenResponseFilter.java         | 25 +++++++-------
 4 files changed, 43 insertions(+), 30 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/72653fd1/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
index 12fd14e..b89c247 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
@@ -39,7 +39,7 @@ public abstract class AbstractCodeDataProvider extends AbstractOAuthDataProvider
     
     protected ServerAuthorizationCodeGrant doCreateCodeGrant(AuthorizationCodeRegistration reg)
         throws OAuthServiceException {
-        return AbstractCodeDataProvider.initCodeGrant(reg, codeLifetime);
+        return AbstractCodeDataProvider.initCodeGrant(reg, codeLifetime, !isSupportPreauthorizedTokens());
     }
     
     public void setCodeLifetime(long codeLifetime) {
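Review bot: The policy "no nonce on the grant when pre-authorized tokens are supported" is encoded as the bare expression `!isSupportPreauthorizedTokens()` here and again in DefaultEHCacheCodeDataProvider.doCreateCodeGrant, while the reason for it is written only in the AbstractOAuthDataProvider hunk; a one-line comment at both call sites would keep the intent next to the inversion, e.g. `// nonce is left off a reusable grant so a stale nonce is never copied into a later ID token`. Note that with the flag enabled the nonce is dropped for every code grant, not only for a reused token, so the OIDC nonce binding for this flow must then be applied from the current request before the token is issued — presumably upstream of this provider, which is not visible in this commit and worth confirming. The alternative of clearing the nonce only when an existing token is actually reused would keep the binding for first-issue grants.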
@@ -50,7 +50,9 @@ public abstract class AbstractCodeDataProvider extends AbstractOAuthDataProvider
             removeCodeGrant(grant.getCode());
         }
     }
-    public static ServerAuthorizationCodeGrant initCodeGrant(AuthorizationCodeRegistration reg, long lifetime) {
+    public static ServerAuthorizationCodeGrant initCodeGrant(AuthorizationCodeRegistration reg, 
+                                                             long lifetime,
+                                                             boolean useNonce) {
         ServerAuthorizationCodeGrant grant = new ServerAuthorizationCodeGrant(reg.getClient(), lifetime);
         grant.setRedirectUri(reg.getRedirectUri());
         grant.setSubject(reg.getSubject());
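Review bot: Replacing the public static two-argument `initCodeGrant` with a three-argument one is a source-incompatible change for any external data provider that calls it; keeping a delegating overload avoids that: `public static ServerAuthorizationCodeGrant initCodeGrant(AuthorizationCodeRegistration reg, long lifetime) { return initCodeGrant(reg, lifetime, true); }`. The new `useNonce` parameter also has no documentation; a Javadoc line such as `@param useNonce whether the registration nonce is copied onto the grant; callers pass false when the grant may be reused with pre-authorized tokens` would state the contract. The body of initCodeGrant continues in the next hunk, which carries the `if (useNonce)` branch.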
@@ -59,7 +61,9 @@ public abstract class AbstractCodeDataProvider extends AbstractOAuthDataProvider
         grant.setApprovedScopes(reg.getApprovedScope());
         grant.setAudience(reg.getAudience());
         grant.setClientCodeChallenge(reg.getClientCodeChallenge());
-        grant.setNonce(reg.getNonce());
+        if (useNonce) {
+            grant.setNonce(reg.getNonce());
+        }
         return grant;
     }
     protected abstract void saveCodeGrant(ServerAuthorizationCodeGrant grant);

http://git-wip-us.apache.org/repos/asf/cxf/blob/72653fd1/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEHCacheCodeDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEHCacheCodeDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEHCacheCodeDataProvider.java
index 12edf9b..f43d69e 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEHCacheCodeDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/DefaultEHCacheCodeDataProvider.java
@@ -79,7 +79,7 @@ public class DefaultEHCacheCodeDataProvider extends DefaultEHCacheOAuthDataProvi
     
     protected ServerAuthorizationCodeGrant doCreateCodeGrant(AuthorizationCodeRegistration reg)
         throws OAuthServiceException {
-        return AbstractCodeDataProvider.initCodeGrant(reg, codeLifetime);
+        return AbstractCodeDataProvider.initCodeGrant(reg, codeLifetime, !isSupportPreauthorizedTokens());
     }
 
     public List<ServerAuthorizationCodeGrant> getCodeGrants(Client c, UserSubject sub) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/72653fd1/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
index e27cf27..e508c7c 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
@@ -61,17 +61,22 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
         return at;
     }
     
-    protected ServerAccessToken doCreateAccessToken(AccessTokenRegistration accessToken) {
-        ServerAccessToken at = createNewAccessToken(accessToken.getClient());
-        at.setAudiences(accessToken.getAudiences());
-        at.setGrantType(accessToken.getGrantType());
-        List<String> theScopes = accessToken.getApprovedScope();
+    protected ServerAccessToken doCreateAccessToken(AccessTokenRegistration atReg) {
+        ServerAccessToken at = createNewAccessToken(atReg.getClient());
+        at.setAudiences(atReg.getAudiences());
+        at.setGrantType(atReg.getGrantType());
+        List<String> theScopes = atReg.getApprovedScope();
         List<OAuthPermission> thePermissions = 
-            convertScopeToPermissions(accessToken.getClient(), theScopes);
+            convertScopeToPermissions(atReg.getClient(), theScopes);
         at.setScopes(thePermissions);
-        at.setSubject(accessToken.getSubject());
-        at.setClientCodeVerifier(accessToken.getClientCodeVerifier());
-        at.setNonce(accessToken.getNonce());
+        at.setSubject(atReg.getSubject());
+        at.setClientCodeVerifier(atReg.getClientCodeVerifier());
+        if (!isSupportPreauthorizedTokens()) {
+            // if the nonce is persisted and the same token is reused then in some cases
+            // (when ID token is returned) the old nonce will be copied to ID token which
+            // may cause the validation failure at the cliend side
+            at.setNonce(atReg.getNonce());
+        }
         return at;
     }
     
@@ -180,7 +185,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
                                                    List<String> requestedScopes,
                                                    UserSubject sub, 
                                                    String grantType) throws OAuthServiceException {
-        if (!supportPreauthorizedTokens) {
+        if (!isSupportPreauthorizedTokens()) {
             return null;
         }
 
@@ -196,6 +201,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
         if (token != null 
             && OAuthUtils.isExpired(token.getIssuedAt(), token.getExpiresIn())) {
             revokeToken(client, token.getTokenKey(), OAuthConstants.ACCESS_TOKEN);
+            token = null;
         }
         return token;
         
@@ -343,12 +349,14 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
         this.invisibleToClientScopes = invisibleToClientScopes;
     }
 
+    public boolean isSupportPreauthorizedTokens() {
+        return supportPreauthorizedTokens;
+    }
+
     public void setSupportPreauthorizedTokens(boolean supportPreauthorizedTokens) {
-        // This property can be enabled by default as it is generally a good thing to check
-        // if a token for a given client (+ user) pair exists but doing the queries on every
-        // authorization request for all the client-user combinations might be not cheap,
-        // hence this property is currently disabled by default
         this.supportPreauthorizedTokens = supportPreauthorizedTokens;
     }
 
+    
+
 }
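Review bot: The new `isSupportPreauthorizedTokens()` getter and the setter are now undocumented, because the only explanation of what the flag costs and why it is off by default was deleted from the setter body rather than moved. I would restore that rationale as Javadoc on `setSupportPreauthorizedTokens` (checking for an existing token per client and user pair is generally desirable, but it adds a store query to every authorization request, so the property defaults to false) and reference it from the getter with `{@link}`. The two added lines before the closing brace are empty, one with trailing whitespace, and should be dropped.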

http://git-wip-us.apache.org/repos/asf/cxf/blob/72653fd1/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
index 31b2666..ec3f364 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
@@ -63,19 +63,20 @@ public class IdTokenResponseFilter extends AbstractOAuthServerJoseJwtProducer im
         }
     }
     private void setAtHashAndNonce(IdToken idToken, ServerAccessToken st) {
-        Properties props = JwsUtils.loadSignatureOutProperties(false);
-        SignatureAlgorithm sigAlgo = null;
-        if (super.isSignWithClientSecret()) {
-            sigAlgo = OAuthUtils.getClientSecretSignatureAlgorithm(props);
-        } else {
-            sigAlgo = JwsUtils.getSignatureAlgorithm(props, SignatureAlgorithm.RS256);
-        }
-        if (sigAlgo != SignatureAlgorithm.NONE) {
-            String atHash = OidcUtils.calculateAccessTokenHash(st.getTokenKey(), sigAlgo);
-            idToken.setAccessTokenHash(atHash);
+        if (idToken.getAccessTokenHash() != null) {
+            Properties props = JwsUtils.loadSignatureOutProperties(false);
+            SignatureAlgorithm sigAlgo = null;
+            if (super.isSignWithClientSecret()) {
+                sigAlgo = OAuthUtils.getClientSecretSignatureAlgorithm(props);
+            } else {
+                sigAlgo = JwsUtils.getSignatureAlgorithm(props, SignatureAlgorithm.RS256);
+            }
+            if (sigAlgo != SignatureAlgorithm.NONE) {
+                String atHash = OidcUtils.calculateAccessTokenHash(st.getTokenKey(), sigAlgo);
+                idToken.setAccessTokenHash(atHash);
+            }
         }
-        
-        if (st.getNonce() != null) {
+        if (idToken.getNonce() == null && st.getNonce() != null) {
             idToken.setNonce(st.getNonce());
         }