Posted to commits@qpid.apache.org by lq...@apache.org on 2016/02/09 17:31:03 UTC
svn commit: r1729406 - in
/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2:
./ cloudfoundry/ facebook/ github/ google/
Author: lquack
Date: Tue Feb 9 16:31:03 2016
New Revision: 1729406
URL: http://svn.apache.org/viewvc?rev=1729406&view=rev
Log:
QPID-7028: [Java Broker] OAuth2 improvements
* add pluggable Facebook and GitHub backends
Added:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/facebook/
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/facebook/FacebookIdentityResolverService.java
- copied, changed from r1729297, qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/google/GoogleOAuth2IdentityResolverService.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/facebook/package-info.java
- copied, changed from r1729297, qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/google/package-info.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/github/
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/github/GitHubOAuth2IdentityResolverService.java
- copied, changed from r1729297, qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/google/GoogleOAuth2IdentityResolverService.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/github/package-info.java
- copied, changed from r1729297, qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/google/package-info.java
Removed:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2IdentityResolverServiceFactory.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/cloudfoundry/CloudFoundryOAuth2IdentityResolverServiceFactory.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/google/GoogleOAuth2IdentityResolverServiceFactory.java
Modified:
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProvider.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImpl.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2IdentityResolverService.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/cloudfoundry/CloudFoundryOAuth2IdentityResolverService.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/google/GoogleOAuth2IdentityResolverService.java
qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/google/package-info.java
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProvider.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProvider.java?rev=1729406&r1=1729405&r2=1729406&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProvider.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProvider.java Tue Feb 9 16:31:03 2016
@@ -43,8 +43,9 @@ public interface OAuth2AuthenticationPro
@ManagedAttribute( description = "Identity resolver endpoint URI", mandatory = true )
URI getIdentityResolverEndpointURI();
- @ManagedAttribute( description = "The type of the IdentityResolverFactory", mandatory = true )
- String getIdentityResolverFactoryType();
+ @ManagedAttribute( description = "The type of the IdentityResolver", mandatory = true,
+ validValues = {"org.apache.qpid.server.security.auth.manager.oauth2.OAuth2AuthenticationProviderImpl#validIdentityResolvers()"})
+ String getIdentityResolverType();
@ManagedAttribute( description = "Client ID to identify qpid to the OAuth endpoints", mandatory = true )
String getClientId();
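Review bot: Renaming the mandatory managed attribute from `identityResolverFactoryType` to `identityResolverType` at the `getIdentityResolverType()` declaration also changes the persisted configuration key, so a broker configuration stored under the old name would presumably fail to open against this revision unless a store upgrade step (not part of this commit) rewrites it. If such an upgrader exists elsewhere, the commit message should point at it; otherwise the attribute's `description` or a Javadoc line should record the rename so operators know to update their config. Note also that `validValues` holds a string reference to `OAuth2AuthenticationProviderImpl#validIdentityResolvers()` that the compiler cannot check, so that method cannot be renamed or given parameters without silently breaking this annotation.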
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImpl.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImpl.java?rev=1729406&r1=1729405&r2=1729406&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImpl.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2AuthenticationProviderImpl.java Tue Feb 9 16:31:03 2016
@@ -26,10 +26,13 @@ import java.net.URI;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
+import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.security.sasl.SaslException;
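Review bot: `java.util.ArrayList` is added to the import block but no use of it appears on the new side of any hunk in this file; `Collection` and `Set` are used by `validIdentityResolvers()` and `validateChange`, respectively. If nothing outside the shown hunks references `ArrayList`, drop the import to keep the file free of unused-import warnings.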
@@ -41,10 +44,13 @@ import com.fasterxml.jackson.databind.Ob
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.model.Broker;
+import org.apache.qpid.server.model.ConfiguredObject;
import org.apache.qpid.server.model.ManagedAttributeField;
import org.apache.qpid.server.model.ManagedObjectFactoryConstructor;
import org.apache.qpid.server.model.TrustStore;
+import org.apache.qpid.server.plugin.QpidServiceLoader;
import org.apache.qpid.server.security.auth.AuthenticatedPrincipal;
import org.apache.qpid.server.security.auth.AuthenticationResult;
import org.apache.qpid.server.security.auth.manager.AbstractAuthenticationManager;
@@ -84,7 +90,7 @@ public class OAuth2AuthenticationProvide
private String _scope;
@ManagedAttributeField
- private String _identityResolverFactoryType;
+ private String _identityResolverType;
private OAuth2IdentityResolverService _identityResolverService;
@@ -99,9 +105,40 @@ public class OAuth2AuthenticationProvide
protected void onOpen()
{
super.onOpen();
- String type = getIdentityResolverFactoryType();
- OAuth2IdentityResolverServiceFactory factory = OAuth2IdentityResolverServiceFactory.FACTORIES.get(type);
- _identityResolverService = factory.createIdentityResolverService(this);
+ String type = getIdentityResolverType();
+ _identityResolverService = new QpidServiceLoader().getInstancesByType(OAuth2IdentityResolverService.class).get(type);
+
+ }
+
+ @Override
+ protected void validateChange(final ConfiguredObject<?> proxyForValidation, final Set<String> changedAttributes)
+ {
+ super.validateChange(proxyForValidation, changedAttributes);
+ validateResolver((OAuth2AuthenticationProvider<?>)proxyForValidation);
+ }
+
+
+ @Override
+ public void onValidate()
+ {
+ super.onValidate();
+ validateResolver(this);
+ }
+
+
+ private void validateResolver(final OAuth2AuthenticationProvider<?> provider)
+ {
+ final OAuth2IdentityResolverService identityResolverService =
+ new QpidServiceLoader().getInstancesByType(OAuth2IdentityResolverService.class).get(provider.getIdentityResolverType());
+
+ if(identityResolverService == null)
+ {
+ throw new IllegalConfigurationException("Unknown identity resolver " + provider.getType());
+ }
+ else
+ {
+ identityResolverService.validate(provider);
+ }
}
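Review bot: The error message in `validateResolver` reports the wrong attribute: `provider.getType()` returns the provider's own type (the `"type" : "OAuth2"` value shown in the package-info examples), not the unresolved resolver name, so an operator sees `Unknown identity resolver OAuth2` regardless of what they mistyped. Change it to `throw new IllegalConfigurationException("Unknown identity resolver " + provider.getIdentityResolverType());`. Separately, `onOpen()` assigns `_identityResolverService` straight from the service loader with no null check; the create and change paths are covered by `onValidate`/`validateChange`, but if a provider recovered from the store can be opened without passing through `onValidate`, a resolver plugin that is no longer on the classpath would presumably surface as a NullPointerException at the first authentication rather than as a configuration error, so an explicit `if (_identityResolverService == null) throw new IllegalConfigurationException(...)` in `onOpen()` would fail early and loudly. The `else` around `identityResolverService.validate(provider)` is redundant after the `throw` and can be flattened.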
@Override
@@ -235,7 +272,7 @@ public class OAuth2AuthenticationProvide
{
try
{
- return new AuthenticationResult(new AuthenticatedPrincipal(_identityResolverService.getUserPrincipal(accessToken)));
+ return new AuthenticationResult(new AuthenticatedPrincipal(_identityResolverService.getUserPrincipal(this, accessToken)));
}
catch (IOException | IdentityResolverException e)
{
@@ -268,9 +305,9 @@ public class OAuth2AuthenticationProvide
}
@Override
- public String getIdentityResolverFactoryType()
+ public String getIdentityResolverType()
{
- return _identityResolverFactoryType;
+ return _identityResolverType;
}
@Override
@@ -308,7 +345,12 @@ public class OAuth2AuthenticationProvide
}
String accessToken = String.valueOf(accessTokenObject);
- return new AuthenticationResult(new AuthenticatedPrincipal(_identityResolverService.getUserPrincipal(accessToken)));
+ return new AuthenticationResult(new AuthenticatedPrincipal(_identityResolverService.getUserPrincipal(this, accessToken)));
+ }
+
+ public static Collection<String> validIdentityResolvers()
+ {
+ return new QpidServiceLoader().getInstancesByType(OAuth2IdentityResolverService.class).keySet();
}
}
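Review bot: `validIdentityResolvers()` has no Javadoc, and its one important property is not visible from the code: it is referenced by name from the `validValues` string on `OAuth2AuthenticationProvider#getIdentityResolverType()`, so renaming it or adding a parameter breaks the attribute validation without any compile error. A comment such as `// Referenced by name from the validValues of OAuth2AuthenticationProvider#getIdentityResolverType(); keep the signature stable.` above the method would prevent an accidental break. Returning the live `keySet()` is harmless here because the map is built fresh on every call, but stating that in the Javadoc saves the next reader from checking.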
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2IdentityResolverService.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2IdentityResolverService.java?rev=1729406&r1=1729405&r2=1729406&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2IdentityResolverService.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/OAuth2IdentityResolverService.java Tue Feb 9 16:31:03 2016
@@ -24,7 +24,13 @@ package org.apache.qpid.server.security.
import java.io.IOException;
import java.security.Principal;
-public interface OAuth2IdentityResolverService
+import org.apache.qpid.server.configuration.IllegalConfigurationException;
+import org.apache.qpid.server.plugin.Pluggable;
+
+public interface OAuth2IdentityResolverService extends Pluggable
{
- Principal getUserPrincipal(String accessToken) throws IOException, IdentityResolverException;
+ void validate(final OAuth2AuthenticationProvider<?> authProvider) throws IllegalConfigurationException;
+
+ Principal getUserPrincipal(final OAuth2AuthenticationProvider<?> authProvider,
+ String accessToken) throws IOException, IdentityResolverException;
}
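Review bot: The two new interface methods carry no Javadoc, and the contract matters here: `validate` is invoked from `validateChange` with a validation proxy (`(OAuth2AuthenticationProvider<?>)proxyForValidation` in the Impl), so implementations should only read attributes from the argument and must not retain it, while `getUserPrincipal` is now expected to read endpoint, trust store and credentials from the provider on every call instead of caching them in the constructor as the old implementations did. Suggested Javadoc for `validate`: `/** Checks that the provider's attributes are usable by this resolver. May be called with a validation proxy during attribute changes, so implementations must only read from it. @throws IllegalConfigurationException if the configuration cannot be used */`, with a matching summary on `getUserPrincipal` stating that `accessToken` is presented to the identity endpoint and that the returned Principal's name is the identifier the broker will trust. The `final` modifier on interface parameters has no effect and is applied inconsistently (not on `accessToken`); drop it for consistency.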
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/cloudfoundry/CloudFoundryOAuth2IdentityResolverService.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/cloudfoundry/CloudFoundryOAuth2IdentityResolverService.java?rev=1729406&r1=1729405&r2=1729406&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/cloudfoundry/CloudFoundryOAuth2IdentityResolverService.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/cloudfoundry/CloudFoundryOAuth2IdentityResolverService.java Tue Feb 9 16:31:03 2016
@@ -38,54 +38,60 @@ import com.fasterxml.jackson.databind.Ob
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.model.TrustStore;
+import org.apache.qpid.server.plugin.PluggableService;
import org.apache.qpid.server.security.auth.UsernamePrincipal;
import org.apache.qpid.server.security.auth.manager.oauth2.IdentityResolverException;
import org.apache.qpid.server.security.auth.manager.oauth2.OAuth2AuthenticationProvider;
import org.apache.qpid.server.security.auth.manager.oauth2.OAuth2IdentityResolverService;
import org.apache.qpid.server.security.auth.manager.oauth2.OAuth2Utils;
+@PluggableService
public class CloudFoundryOAuth2IdentityResolverService implements OAuth2IdentityResolverService
{
private static final Logger LOGGER = LoggerFactory.getLogger(CloudFoundryOAuth2IdentityResolverService.class);
private static final String UTF8 = StandardCharsets.UTF_8.name();
- private final OAuth2AuthenticationProvider _authenticationProvider;
- private final URI _checkTokenEndpointURI;
- private final TrustStore _trustStore;
- private final String _clientId;
- private final String _clientSecret;
+ public static final String TYPE = "CloudFoundryIdentityResolver";
+
private final ObjectMapper _objectMapper = new ObjectMapper();
- public CloudFoundryOAuth2IdentityResolverService(final OAuth2AuthenticationProvider authenticationProvider)
+ @Override
+ public String getType()
{
- _authenticationProvider = authenticationProvider;
- _checkTokenEndpointURI = _authenticationProvider.getIdentityResolverEndpointURI();
- _trustStore = _authenticationProvider.getTrustStore();
- _clientId = _authenticationProvider.getClientId();
- _clientSecret = _authenticationProvider.getClientSecret();
+ return TYPE;
}
@Override
- public Principal getUserPrincipal(final String accessToken) throws IOException, IdentityResolverException
+ public void validate(final OAuth2AuthenticationProvider<?> authProvider) throws IllegalConfigurationException
{
- URL checkTokenEndpoint;
+ }
+
+ @Override
+ public Principal getUserPrincipal(final OAuth2AuthenticationProvider<?> authenticationProvider,
+ final String accessToken) throws IOException, IdentityResolverException
+ {
+ URI checkTokenEndpointURI = authenticationProvider.getIdentityResolverEndpointURI();
+ TrustStore trustStore = authenticationProvider.getTrustStore();
+ String clientId = authenticationProvider.getClientId();
+ String clientSecret = authenticationProvider.getClientSecret();
+ URL checkTokenEndpoint = checkTokenEndpointURI.toURL();
HttpsURLConnection connection;
- checkTokenEndpoint = _checkTokenEndpointURI.toURL();
LOGGER.debug("About to call identity service '{}'", checkTokenEndpoint);
connection = (HttpsURLConnection) checkTokenEndpoint.openConnection();
- if (_trustStore != null)
+ if (trustStore != null)
{
- OAuth2Utils.setTrustedCertificates(connection, _trustStore);
+ OAuth2Utils.setTrustedCertificates(connection, trustStore);
}
connection.setDoOutput(true); // makes sure to use POST
connection.setRequestProperty("Accept-Charset", UTF8);
connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded;charset=" + UTF8);
connection.setRequestProperty("Accept", "application/json");
- String encoded = DatatypeConverter.printBase64Binary((_clientId + ":" + _clientSecret).getBytes());
+ String encoded = DatatypeConverter.printBase64Binary((clientId + ":" + clientSecret).getBytes());
connection.setRequestProperty("Authorization", "Basic " + encoded);
final Map<String,String> requestParameters = Collections.singletonMap("token", accessToken);
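Review bot: `validate` at the new override is left empty although `getUserPrincipal` two methods below casts `checkTokenEndpoint.openConnection()` to `HttpsURLConnection`, so an `identityResolverEndpointURI` with an `http` scheme is accepted at configuration time and only fails with a ClassCastException on the first authentication attempt. Rejecting it up front keeps the check-token call, which carries the client secret in the `Basic` header, on TLS: `if (!"https".equalsIgnoreCase(authProvider.getIdentityResolverEndpointURI().getScheme())) { throw new IllegalConfigurationException("identityResolverEndpointURI must use https"); }`. On the rewritten line `DatatypeConverter.printBase64Binary((clientId + ":" + clientSecret).getBytes())`, `getBytes()` uses the platform default charset; `getBytes(UTF8)` (the constant this class already uses for the request body) makes a non-ASCII secret encode identically on every JVM. The method continues into the next hunk.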
@@ -96,7 +102,6 @@ public class CloudFoundryOAuth2IdentityR
{
output.write(OAuth2Utils.buildRequestQuery(requestParameters).getBytes(UTF8));
output.close();
-
try (InputStream input = connection.getInputStream())
{
int responseCode = connection.getResponseCode();
Copied: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/facebook/FacebookIdentityResolverService.java (from r1729297, qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/google/GoogleOAuth2IdentityResolverService.java)
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/facebook/FacebookIdentityResolverService.java?p2=qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/facebook/FacebookIdentityResolverService.java&p1=qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/google/GoogleOAuth2IdentityResolverService.java&r1=1729297&r2=1729406&rev=1729406&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/google/GoogleOAuth2IdentityResolverService.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/facebook/FacebookIdentityResolverService.java Tue Feb 9 16:31:03 2016
@@ -19,11 +19,12 @@
*
*/
-package org.apache.qpid.server.security.auth.manager.oauth2.google;
+package org.apache.qpid.server.security.auth.manager.oauth2.facebook;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
+import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.Map;
@@ -32,11 +33,12 @@ import javax.net.ssl.HttpsURLConnection;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
-import com.google.common.collect.Sets;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.model.TrustStore;
+import org.apache.qpid.server.plugin.PluggableService;
import org.apache.qpid.server.security.auth.UsernamePrincipal;
import org.apache.qpid.server.security.auth.manager.oauth2.IdentityResolverException;
import org.apache.qpid.server.security.auth.manager.oauth2.OAuth2AuthenticationProvider;
@@ -44,47 +46,45 @@ import org.apache.qpid.server.security.a
import org.apache.qpid.server.security.auth.manager.oauth2.OAuth2Utils;
/**
- * An identity resolver that calls Google's userinfo endpoint https://www.googleapis.com/oauth2/v3/userinfo.
+ * An identity resolver that calls GitHubs's user API https://developer.github.com/v3/users/
*
- * It requires that the authentication request includes the scope 'profile' in order that 'sub'
- * (the user identifier) appears in userinfo's response.
+ * It requires that the authentication request includes the scope 'user'
*
- * For endpoint is documented:
- *
- * https://developers.google.com/identity/protocols/OpenIDConnect
*/
-public class GoogleOAuth2IdentityResolverService implements OAuth2IdentityResolverService
+@PluggableService
+public class FacebookIdentityResolverService implements OAuth2IdentityResolverService
{
- private static final Logger LOGGER = LoggerFactory.getLogger(GoogleOAuth2IdentityResolverService.class);
+ private static final Logger LOGGER = LoggerFactory.getLogger(FacebookIdentityResolverService.class);
private static final String UTF8 = StandardCharsets.UTF_8.name();
- private final OAuth2AuthenticationProvider _authenticationProvider;
- private final URI _userInfoEndpoint;
- private final TrustStore _trustStore;
+ public static final String TYPE = "Facebook";
+
private final ObjectMapper _objectMapper = new ObjectMapper();
- public GoogleOAuth2IdentityResolverService(final OAuth2AuthenticationProvider authenticationProvider)
+ @Override
+ public String getType()
{
- _authenticationProvider = authenticationProvider;
- _userInfoEndpoint = _authenticationProvider.getIdentityResolverEndpointURI();
- _trustStore = _authenticationProvider.getTrustStore();
+ return TYPE;
+ }
- if (!Sets.newHashSet(_authenticationProvider.getScope().split("\\s")).contains("profile"))
- {
- throw new IllegalArgumentException("This identity resolver requires that scope 'profile' is included in"
- + " the authentication request.");
- }
+ @Override
+ public void validate(final OAuth2AuthenticationProvider<?> authProvider) throws IllegalConfigurationException
+ {
}
@Override
- public Principal getUserPrincipal(String accessToken) throws IOException, IdentityResolverException
+ public Principal getUserPrincipal(final OAuth2AuthenticationProvider<?> authenticationProvider,
+ String accessToken) throws IOException, IdentityResolverException
{
- LOGGER.debug("About to call identity service '{}'", _userInfoEndpoint);
+ URI userInfoEndpoint = authenticationProvider.getIdentityResolverEndpointURI();
+
+ LOGGER.debug("About to call identity service '{}'", userInfoEndpoint);
- HttpsURLConnection connection = (HttpsURLConnection) _userInfoEndpoint.toURL().openConnection();
- if (_trustStore != null)
+ TrustStore trustStore = authenticationProvider.getTrustStore();
+ HttpsURLConnection connection = (HttpsURLConnection) userInfoEndpoint.toURL().openConnection();
+ if (trustStore != null)
{
- OAuth2Utils.setTrustedCertificates(connection, _trustStore);
+ OAuth2Utils.setTrustedCertificates(connection, trustStore);
}
connection.setRequestProperty("Accept-Charset", UTF8);
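Review bot: The class Javadoc copied into `FacebookIdentityResolverService` still describes GitHub (`An identity resolver that calls GitHubs's user API ...` and the scope `'user'`), which is wrong for a Facebook resolver and, with `validate` left empty just below it, leaves whatever scope Facebook needs both undocumented and unchecked. Replace the header with a summary of what the code actually does, e.g. `/** An identity resolver that calls the Facebook Graph API endpoint configured as identityResolverEndpointURI and uses the 'id' field of the JSON response as the user name. */`, and if a particular scope is required add the same kind of check that the GitHub resolver's `validate` performs. `java.net.URISyntaxException` is imported in the first hunk of this file but no use of it appears on the new side of the hunks shown; if nothing else references it, drop the import. `getUserPrincipal` continues into the following hunks.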
@@ -98,7 +98,7 @@ public class GoogleOAuth2IdentityResolve
{
int responseCode = connection.getResponseCode();
LOGGER.debug("Call to identity service '{}' complete, response code : {}",
- _userInfoEndpoint, responseCode);
+ userInfoEndpoint, responseCode);
Map<String, String> responseMap;
try
@@ -108,23 +108,23 @@ public class GoogleOAuth2IdentityResolve
catch (JsonProcessingException e)
{
throw new IOException(String.format("Identity resolver '%s' did not return json",
- _userInfoEndpoint), e);
+ userInfoEndpoint), e);
}
if (responseCode != 200)
{
throw new IdentityResolverException(String.format(
"Identity resolver '%s' failed, response code %d",
- _userInfoEndpoint, responseCode));
+ userInfoEndpoint, responseCode));
}
- final String googleId = responseMap.get("sub");
- if (googleId == null)
+ final String facebookId = responseMap.get("id");
+ if (facebookId == null)
{
throw new IdentityResolverException(String.format(
- "Identity resolver '%s' failed, response did not include 'sub'",
- _userInfoEndpoint));
+ "Identity resolver '%s' failed, response did not include 'id'",
+ userInfoEndpoint));
}
- return new UsernamePrincipal(googleId);
+ return new UsernamePrincipal(facebookId);
}
}
}
Copied: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/facebook/package-info.java (from r1729297, qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/google/package-info.java)
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/facebook/package-info.java?p2=qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/facebook/package-info.java&p1=qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/google/package-info.java&r1=1729297&r2=1729406&rev=1729406&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/google/package-info.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/facebook/package-info.java Tue Feb 9 16:31:03 2016
@@ -20,25 +20,22 @@
*/
/**
- * Identity resolver utilising Google's OAuth 2.0 userinfo endpoint
+ * Identity resolver utilising Facebook's OAuth 2.0 API
* <p>
- * To use Google as an authentication provider, the OAuth2Authentication
+ * To use Facebook as an authentication provider, the OAuth2Authentication
* needs to be configured to co-operate with the identity resolver like so:
*
* <pre>
* "type" : "OAuth2",
- * "authorizationEndpointURI" : "https://accounts.google.com/o/oauth2/v2/auth",
- * "tokenEndpointURI" : "https://www.googleapis.com/oauth2/v4/token",
+ * "authorizationEndpointURI" : "https://www.facebook.com/dialog/oauth",
+ * "tokenEndpointURI" : "https://graph.facebook.com/v2.5/oauth/access_token",
* "tokenEndpointNeedsAuth" : false,
- * "identityResolverFactoryType" : "GoogleUserInfo",
- * "identityResolverEndpointURI" : "https://www.googleapis.com/oauth2/v3/userinfo",
+ * "identityResolverType" : "Facebook",
+ * "identityResolverEndpointURI" : "https://graph.facebook.com/v2.5/me",
* "clientId" : "......",
* "clientSecret" : "....",
- * "scope" : "profile"
* </pre>
*
- * Note that when configuring the Authorized redirect URIs in the Google Developer Console
- * include the trailing slash e.g. https://localhost:8080/.
* </p>
*/
-package org.apache.qpid.server.security.auth.manager.oauth2.google;
+package org.apache.qpid.server.security.auth.manager.oauth2.facebook;
Copied: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/github/GitHubOAuth2IdentityResolverService.java (from r1729297, qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/google/GoogleOAuth2IdentityResolverService.java)
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/github/GitHubOAuth2IdentityResolverService.java?p2=qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/github/GitHubOAuth2IdentityResolverService.java&p1=qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/google/GoogleOAuth2IdentityResolverService.java&r1=1729297&r2=1729406&rev=1729406&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/google/GoogleOAuth2IdentityResolverService.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/github/GitHubOAuth2IdentityResolverService.java Tue Feb 9 16:31:03 2016
@@ -19,7 +19,7 @@
*
*/
-package org.apache.qpid.server.security.auth.manager.oauth2.google;
+package org.apache.qpid.server.security.auth.manager.oauth2.github;
import java.io.IOException;
import java.io.InputStream;
@@ -36,7 +36,9 @@ import com.google.common.collect.Sets;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.model.TrustStore;
+import org.apache.qpid.server.plugin.PluggableService;
import org.apache.qpid.server.security.auth.UsernamePrincipal;
import org.apache.qpid.server.security.auth.manager.oauth2.IdentityResolverException;
import org.apache.qpid.server.security.auth.manager.oauth2.OAuth2AuthenticationProvider;
@@ -44,53 +46,56 @@ import org.apache.qpid.server.security.a
import org.apache.qpid.server.security.auth.manager.oauth2.OAuth2Utils;
/**
- * An identity resolver that calls Google's userinfo endpoint https://www.googleapis.com/oauth2/v3/userinfo.
+ * An identity resolver that calls GitHubs's user API https://developer.github.com/v3/users/
*
- * It requires that the authentication request includes the scope 'profile' in order that 'sub'
- * (the user identifier) appears in userinfo's response.
+ * It requires that the authentication request includes the scope 'user'
*
- * For endpoint is documented:
- *
- * https://developers.google.com/identity/protocols/OpenIDConnect
*/
-public class GoogleOAuth2IdentityResolverService implements OAuth2IdentityResolverService
+@PluggableService
+public class GitHubOAuth2IdentityResolverService implements OAuth2IdentityResolverService
{
- private static final Logger LOGGER = LoggerFactory.getLogger(GoogleOAuth2IdentityResolverService.class);
+ private static final Logger LOGGER = LoggerFactory.getLogger(GitHubOAuth2IdentityResolverService.class);
private static final String UTF8 = StandardCharsets.UTF_8.name();
- private final OAuth2AuthenticationProvider _authenticationProvider;
- private final URI _userInfoEndpoint;
- private final TrustStore _trustStore;
+ public static final String TYPE = "GitHubUser";
+
private final ObjectMapper _objectMapper = new ObjectMapper();
- public GoogleOAuth2IdentityResolverService(final OAuth2AuthenticationProvider authenticationProvider)
+ @Override
+ public String getType()
{
- _authenticationProvider = authenticationProvider;
- _userInfoEndpoint = _authenticationProvider.getIdentityResolverEndpointURI();
- _trustStore = _authenticationProvider.getTrustStore();
+ return TYPE;
+ }
- if (!Sets.newHashSet(_authenticationProvider.getScope().split("\\s")).contains("profile"))
+ @Override
+ public void validate(final OAuth2AuthenticationProvider<?> authProvider) throws IllegalConfigurationException
+ {
+ if (!Sets.newHashSet(authProvider.getScope().split("\\s")).contains("user"))
{
- throw new IllegalArgumentException("This identity resolver requires that scope 'profile' is included in"
+ throw new IllegalConfigurationException("This identity resolver requires that scope 'user' is included in"
+ " the authentication request.");
}
}
@Override
- public Principal getUserPrincipal(String accessToken) throws IOException, IdentityResolverException
+ public Principal getUserPrincipal(final OAuth2AuthenticationProvider<?> authenticationProvider,
+ String accessToken) throws IOException, IdentityResolverException
{
- LOGGER.debug("About to call identity service '{}'", _userInfoEndpoint);
+ URI userInfoEndpoint = authenticationProvider.getIdentityResolverEndpointURI();
+ TrustStore trustStore = authenticationProvider.getTrustStore();
+
+ LOGGER.debug("About to call identity service '{}'", userInfoEndpoint);
- HttpsURLConnection connection = (HttpsURLConnection) _userInfoEndpoint.toURL().openConnection();
- if (_trustStore != null)
+ HttpsURLConnection connection = (HttpsURLConnection) userInfoEndpoint.toURL().openConnection();
+ if (trustStore != null)
{
- OAuth2Utils.setTrustedCertificates(connection, _trustStore);
+ OAuth2Utils.setTrustedCertificates(connection, trustStore);
}
connection.setRequestProperty("Accept-Charset", UTF8);
connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded;charset=" + UTF8);
- connection.setRequestProperty("Accept", "application/json");
- connection.setRequestProperty("Authorization", "Bearer " + accessToken);
+ connection.setRequestProperty("Accept", "application/vnd.github.v3+json");
+ connection.setRequestProperty("Authorization", "token " + accessToken);
connection.connect();
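Review bot: `validate` calls `authProvider.getScope().split("\\s")` without a null guard; if `scope` is not a mandatory attribute (its declaration is not in this diff) a provider configured without one fails with a NullPointerException instead of the IllegalConfigurationException this method exists to raise. `String scope = authProvider.getScope(); if (scope == null || !Sets.newHashSet(scope.split("\\s")).contains("user")) { throw new IllegalConfigurationException(...); }` covers both cases, and `"\\s+"` would avoid empty tokens when scopes are separated by more than one space. The class Javadoc has a typo, `GitHubs's` should be `GitHub's`, and a short note there that the `Authorization: token` header and `application/vnd.github.v3+json` accept type are GitHub-specific would explain why this class diverges from the other resolvers. `getUserPrincipal` continues into the following hunks.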
@@ -98,7 +103,7 @@ public class GoogleOAuth2IdentityResolve
{
int responseCode = connection.getResponseCode();
LOGGER.debug("Call to identity service '{}' complete, response code : {}",
- _userInfoEndpoint, responseCode);
+ userInfoEndpoint, responseCode);
Map<String, String> responseMap;
try
@@ -108,23 +113,23 @@ public class GoogleOAuth2IdentityResolve
catch (JsonProcessingException e)
{
throw new IOException(String.format("Identity resolver '%s' did not return json",
- _userInfoEndpoint), e);
+ userInfoEndpoint), e);
}
if (responseCode != 200)
{
throw new IdentityResolverException(String.format(
"Identity resolver '%s' failed, response code %d",
- _userInfoEndpoint, responseCode));
+ userInfoEndpoint, responseCode));
}
- final String googleId = responseMap.get("sub");
- if (googleId == null)
+ final String githubId = responseMap.get("login");
+ if (githubId == null)
{
throw new IdentityResolverException(String.format(
- "Identity resolver '%s' failed, response did not include 'sub'",
- _userInfoEndpoint));
+ "Identity resolver '%s' failed, response did not include 'login'",
+ userInfoEndpoint));
}
- return new UsernamePrincipal(googleId);
+ return new UsernamePrincipal(githubId);
}
}
}
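Review bot: The principal name is taken from the `login` field at `responseMap.get("login")`, which is the user's mutable GitHub handle; handles can be renamed by their owner and the released name may later be registered by a different account, so any broker ACL or virtual-host mapping keyed on this principal would follow the name rather than the account. The numeric `id` field of the same response is the stable identifier, so either resolve to `id` (as the Facebook resolver in this commit does) or state in the class Javadoc that identity is bound to the mutable login so deployers can decide whether that is acceptable. Since `responseMap` is declared `Map<String, String>`, switching to `id` presumably needs the deserialisation call (outside the shown hunks) to tolerate a numeric value. `getUserPrincipal` begins in an earlier hunk.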
Copied: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/github/package-info.java (from r1729297, qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/google/package-info.java)
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/github/package-info.java?p2=qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/github/package-info.java&p1=qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/google/package-info.java&r1=1729297&r2=1729406&rev=1729406&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/google/package-info.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/github/package-info.java Tue Feb 9 16:31:03 2016
@@ -20,25 +20,23 @@
*/
/**
- * Identity resolver utilising Google's OAuth 2.0 userinfo endpoint
+ * Identity resolver utilising GitHub's OAuth 2.0 user API
* <p>
- * To use Google as an authentication provider, the OAuth2Authentication
+ * To use GitHub as an authentication provider, the OAuth2Authentication
* needs to be configured to co-operate with the identity resolver like so:
*
* <pre>
* "type" : "OAuth2",
- * "authorizationEndpointURI" : "https://accounts.google.com/o/oauth2/v2/auth",
- * "tokenEndpointURI" : "https://www.googleapis.com/oauth2/v4/token",
+ * "authorizationEndpointURI" : "https://github.com/login/oauth/authorize",
+ * "tokenEndpointURI" : "https://github.com/login/oauth/access_token",
* "tokenEndpointNeedsAuth" : false,
- * "identityResolverFactoryType" : "GoogleUserInfo",
- * "identityResolverEndpointURI" : "https://www.googleapis.com/oauth2/v3/userinfo",
+ * "identityResolverType" : "GitHubUser",
+ * "identityResolverEndpointURI" : "https://api.github.com/user",
* "clientId" : "......",
* "clientSecret" : "....",
- * "scope" : "profile"
+ * "scope" : "user"
* </pre>
*
- * Note that when configuring the Authorized redirect URIs in the Google Developer Console
- * include the trailing slash e.g. https://localhost:8080/.
* </p>
*/
-package org.apache.qpid.server.security.auth.manager.oauth2.google;
+package org.apache.qpid.server.security.auth.manager.oauth2.github;
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/google/GoogleOAuth2IdentityResolverService.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/google/GoogleOAuth2IdentityResolverService.java?rev=1729406&r1=1729405&r2=1729406&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/google/GoogleOAuth2IdentityResolverService.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/google/GoogleOAuth2IdentityResolverService.java Tue Feb 9 16:31:03 2016
@@ -36,7 +36,9 @@ import com.google.common.collect.Sets;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.model.TrustStore;
+import org.apache.qpid.server.plugin.PluggableService;
import org.apache.qpid.server.security.auth.UsernamePrincipal;
import org.apache.qpid.server.security.auth.manager.oauth2.IdentityResolverException;
import org.apache.qpid.server.security.auth.manager.oauth2.OAuth2AuthenticationProvider;
@@ -53,38 +55,46 @@ import org.apache.qpid.server.security.a
*
* https://developers.google.com/identity/protocols/OpenIDConnect
*/
+@PluggableService
public class GoogleOAuth2IdentityResolverService implements OAuth2IdentityResolverService
{
private static final Logger LOGGER = LoggerFactory.getLogger(GoogleOAuth2IdentityResolverService.class);
private static final String UTF8 = StandardCharsets.UTF_8.name();
- private final OAuth2AuthenticationProvider _authenticationProvider;
- private final URI _userInfoEndpoint;
- private final TrustStore _trustStore;
+ public static final String TYPE = "GoogleUserInfo";
+
private final ObjectMapper _objectMapper = new ObjectMapper();
- public GoogleOAuth2IdentityResolverService(final OAuth2AuthenticationProvider authenticationProvider)
+ @Override
+ public String getType()
{
- _authenticationProvider = authenticationProvider;
- _userInfoEndpoint = _authenticationProvider.getIdentityResolverEndpointURI();
- _trustStore = _authenticationProvider.getTrustStore();
+ return TYPE;
+ }
- if (!Sets.newHashSet(_authenticationProvider.getScope().split("\\s")).contains("profile"))
+ @Override
+ public void validate(final OAuth2AuthenticationProvider<?> authProvider) throws IllegalConfigurationException
+ {
+ if (!Sets.newHashSet(authProvider.getScope().split("\\s")).contains("profile"))
{
- throw new IllegalArgumentException("This identity resolver requires that scope 'profile' is included in"
+ throw new IllegalConfigurationException("This identity resolver requires that scope 'profile' is included in"
+ " the authentication request.");
}
}
@Override
- public Principal getUserPrincipal(String accessToken) throws IOException, IdentityResolverException
+ public Principal getUserPrincipal(final OAuth2AuthenticationProvider<?> authenticationProvider,
+ String accessToken) throws IOException, IdentityResolverException
{
- LOGGER.debug("About to call identity service '{}'", _userInfoEndpoint);
- HttpsURLConnection connection = (HttpsURLConnection) _userInfoEndpoint.toURL().openConnection();
- if (_trustStore != null)
+ URI userInfoEndpoint = authenticationProvider.getIdentityResolverEndpointURI();
+ TrustStore trustStore = authenticationProvider.getTrustStore();
+
+ LOGGER.debug("About to call identity service '{}'", userInfoEndpoint);
+
+ HttpsURLConnection connection = (HttpsURLConnection) userInfoEndpoint.toURL().openConnection();
+ if (trustStore != null)
{
- OAuth2Utils.setTrustedCertificates(connection, _trustStore);
+ OAuth2Utils.setTrustedCertificates(connection, trustStore);
}
connection.setRequestProperty("Accept-Charset", UTF8);
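Review bot: The new `validate` hook only checks the scope, but it is also the right place to reject an `identityResolverEndpointURI` whose scheme is not `https`: `getUserPrincipal` unconditionally casts `openConnection()` to `HttpsURLConnection`, so an `http://` endpoint would surface as a ClassCastException at first login rather than as a clear configuration error, and the access token is presumably attached to this request further down (outside the hunk), which must never happen over plaintext. Suggested addition to `validate`: `final URI endpoint = authProvider.getIdentityResolverEndpointURI();` / `if (endpoint == null || !"https".equalsIgnoreCase(endpoint.getScheme()))` / `{ throw new IllegalConfigurationException("Identity resolver endpoint must use https: " + endpoint); }`. The same check would apply to the copied GitHub and Facebook resolvers. The class continues past the end of this hunk.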
@@ -98,7 +108,7 @@ public class GoogleOAuth2IdentityResolve
{
int responseCode = connection.getResponseCode();
LOGGER.debug("Call to identity service '{}' complete, response code : {}",
- _userInfoEndpoint, responseCode);
+ userInfoEndpoint, responseCode);
Map<String, String> responseMap;
try
@@ -108,13 +118,13 @@ public class GoogleOAuth2IdentityResolve
catch (JsonProcessingException e)
{
throw new IOException(String.format("Identity resolver '%s' did not return json",
- _userInfoEndpoint), e);
+ userInfoEndpoint), e);
}
if (responseCode != 200)
{
throw new IdentityResolverException(String.format(
"Identity resolver '%s' failed, response code %d",
- _userInfoEndpoint, responseCode));
+ userInfoEndpoint, responseCode));
}
final String googleId = responseMap.get("sub");
@@ -122,7 +132,7 @@ public class GoogleOAuth2IdentityResolve
{
throw new IdentityResolverException(String.format(
"Identity resolver '%s' failed, response did not include 'sub'",
- _userInfoEndpoint));
+ userInfoEndpoint));
}
return new UsernamePrincipal(googleId);
}
Modified: qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/google/package-info.java
URL: http://svn.apache.org/viewvc/qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/google/package-info.java?rev=1729406&r1=1729405&r2=1729406&view=diff
==============================================================================
--- qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/google/package-info.java (original)
+++ qpid/java/trunk/broker-core/src/main/java/org/apache/qpid/server/security/auth/manager/oauth2/google/package-info.java Tue Feb 9 16:31:03 2016
@@ -30,7 +30,7 @@
* "authorizationEndpointURI" : "https://accounts.google.com/o/oauth2/v2/auth",
* "tokenEndpointURI" : "https://www.googleapis.com/oauth2/v4/token",
* "tokenEndpointNeedsAuth" : false,
- * "identityResolverFactoryType" : "GoogleUserInfo",
+ * "identityResolverType" : "GoogleUserInfo",
* "identityResolverEndpointURI" : "https://www.googleapis.com/oauth2/v3/userinfo",
* "clientId" : "......",
* "clientSecret" : "....",