Posted to commits@cxf.apache.org by co...@apache.org on 2015/12/11 16:24:13 UTC
[2/2] cxf git commit: Store the nonce + include it in the IdToken
Store the nonce + include it in the IdToken
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/68af1967
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/68af1967
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/68af1967
Branch: refs/heads/master
Commit: 68af1967f1e90f95c979490f5501031ebbacec7a
Parents: e5fa405
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Fri Dec 11 11:55:52 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Fri Dec 11 15:24:06 2015 +0000
----------------------------------------------------------------------
.../oauth2/common/ServerAccessToken.java | 9 +++
.../oauth2/grants/AbstractGrantHandler.java | 66 +++++++++++---------
.../grants/code/AbstractCodeDataProvider.java | 1 +
.../code/AuthorizationCodeGrantHandler.java | 38 ++++++++---
.../code/ServerAuthorizationCodeGrant.java | 9 +++
.../provider/AbstractOAuthDataProvider.java | 1 +
.../oidc/idp/IdTokenResponseFilter.java | 3 +
7 files changed, 90 insertions(+), 37 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/68af1967/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
index d5cc449..7c64a51 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
@@ -37,6 +37,7 @@ public abstract class ServerAccessToken extends AccessToken {
private UserSubject subject;
private String audience;
private String clientCodeVerifier;
+ private String nonce;
protected ServerAccessToken() {
@@ -158,4 +159,12 @@ public abstract class ServerAccessToken extends AccessToken {
public void setClientCodeVerifier(String clientCodeVerifier) {
this.clientCodeVerifier = clientCodeVerifier;
}
+
+ public String getNonce() {
+ return nonce;
+ }
+
+ public void setNonce(String nonce) {
+ this.nonce = nonce;
+ }
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/68af1967/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
index 38ab690..f107de7 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
@@ -100,51 +100,39 @@ public abstract class AbstractGrantHandler implements AccessTokenGrantHandler {
return doCreateAccessToken(client,
subject,
OAuthUtils.parseScope(params.getFirst(OAuthConstants.SCOPE)),
- null,
params.getFirst(OAuthConstants.CLIENT_AUDIENCE));
}
protected ServerAccessToken doCreateAccessToken(Client client,
UserSubject subject,
- List<String> requestedScope) {
+ List<String> requestedScopes) {
- return doCreateAccessToken(client, subject, getSingleGrantType(), requestedScope);
+ return doCreateAccessToken(client, subject, getSingleGrantType(), requestedScopes);
}
protected ServerAccessToken doCreateAccessToken(Client client,
UserSubject subject,
- List<String> requestedScope,
- List<String> approvedScope,
+ List<String> requestedScopes,
String audience) {
- return doCreateAccessToken(client, subject, getSingleGrantType(), requestedScope,
- approvedScope, audience, null);
+ return doCreateAccessToken(client, subject, getSingleGrantType(), requestedScopes,
+ audience);
}
protected ServerAccessToken doCreateAccessToken(Client client,
UserSubject subject,
String requestedGrant,
- List<String> requestedScope) {
- return doCreateAccessToken(client, subject, requestedGrant, requestedScope, null, null, null);
+ List<String> requestedScopes) {
+ return doCreateAccessToken(client, subject, requestedGrant, requestedScopes, null);
}
+
protected ServerAccessToken doCreateAccessToken(Client client,
UserSubject subject,
String requestedGrant,
- List<String> requestedScope,
- List<String> approvedScope,
- String audience,
- String codeVerifier) {
- if (!OAuthUtils.validateScopes(requestedScope, client.getRegisteredScopes(),
- partialMatchScopeValidation)) {
- throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_SCOPE));
- }
- if (!OAuthUtils.validateAudience(audience, client.getRegisteredAudiences())) {
- throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_GRANT));
- }
-
- // Check if a pre-authorized token available
- ServerAccessToken token = dataProvider.getPreauthorizedToken(
- client, requestedScope, subject, requestedGrant);
+ List<String> requestedScopes,
+ String audience) {
+ ServerAccessToken token = getPreAuthorizedToken(client, subject, requestedGrant,
+ requestedScopes, audience);
if (token != null) {
return token;
}
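Review bot: Dropping the `approvedScope` and `codeVerifier` parameters from the protected `doCreateAccessToken` overloads is a source-incompatible change to an extension point: any third-party grant handler that subclasses `AbstractGrantHandler` and calls the seven-argument form (or the four-argument form with `approvedScope`) stops compiling, and that is not mentioned in the commit message. If outside subclasses are a concern, keep the old signatures as `@Deprecated` delegates, e.g. a seven-argument overload that forwards to the new five-argument method and then sets the verifier and approved scope on the returned registration path, or at least call the break out in the description. The body of `doCreateAccessToken` continues past the end of this hunk.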
@@ -154,16 +142,34 @@ public abstract class AbstractGrantHandler implements AccessTokenGrantHandler {
reg.setClient(client);
reg.setGrantType(requestedGrant);
reg.setSubject(subject);
- reg.setRequestedScope(requestedScope);
- if (approvedScope == null) {
- approvedScope = Collections.emptyList();
- }
- reg.setApprovedScope(approvedScope);
+ reg.setRequestedScope(requestedScopes);
+ reg.setApprovedScope(Collections.emptyList());
reg.setAudience(audience);
- reg.setClientCodeVerifier(codeVerifier);
return dataProvider.createAccessToken(reg);
}
+ protected ServerAccessToken getPreAuthorizedToken(Client client,
+ UserSubject subject,
+ String requestedGrant,
+ List<String> requestedScopes,
+ String audience) {
+ if (!OAuthUtils.validateScopes(requestedScopes, client.getRegisteredScopes(),
+ partialMatchScopeValidation)) {
+ throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_SCOPE));
+ }
+ if (!OAuthUtils.validateAudience(audience, client.getRegisteredAudiences())) {
+ throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_GRANT));
+ }
+
+ // Get a pre-authorized token if available
+ return dataProvider.getPreauthorizedToken(
+ client, requestedScopes, subject, requestedGrant);
+ }
+
+ public boolean isPartialMatchScopeValidation() {
+ return partialMatchScopeValidation;
+ }
+
public void setPartialMatchScopeValidation(boolean partialMatchScopeValidation) {
this.partialMatchScopeValidation = partialMatchScopeValidation;
}
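Review bot: The scope and audience validation that previously sat in `doCreateAccessToken` now lives inside the new protected `getPreAuthorizedToken` (the two `if` blocks before the lookup), so a subclass that overrides that method to change how pre-authorized tokens are found silently drops the INVALID_SCOPE and INVALID_GRANT checks for every grant type, and the method name gives no hint that it throws. I would move the two checks into a separate `protected void validateScopesAndAudience(Client client, List<String> requestedScopes, String audience)` that `doCreateAccessToken` calls first, leaving `getPreAuthorizedToken` as a pure lookup. Failing that, document the contract so overriders know what they must preserve, e.g. `/** Validates the requested scopes and audience against the client registration, throwing OAuthServiceException on mismatch, then returns a pre-authorized token if one exists or null. Overrides must keep the validation. */`. Note that `AuthorizationCodeGrantHandler` in this same commit depends on this method for its validation, so the override hazard applies there as well.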
http://git-wip-us.apache.org/repos/asf/cxf/blob/68af1967/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
index 6bed976..1b63bb3 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
@@ -55,6 +55,7 @@ public abstract class AbstractCodeDataProvider extends AbstractOAuthDataProvider
grant.setApprovedScopes(reg.getApprovedScope());
grant.setAudience(reg.getAudience());
grant.setClientCodeChallenge(reg.getClientCodeChallenge());
+ grant.setNonce(reg.getNonce());
return grant;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/68af1967/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
index 9a6888a..6d7fc1a 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
@@ -19,8 +19,11 @@
package org.apache.cxf.rs.security.oauth2.grants.code;
+import java.util.Collections;
+
import javax.ws.rs.core.MultivaluedMap;
+import org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.grants.AbstractGrantHandler;
@@ -78,13 +81,34 @@ public class AuthorizationCodeGrantHandler extends AbstractGrantHandler {
throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
}
- return doCreateAccessToken(client,
- grant.getSubject(),
- getSingleGrantType(),
- grant.getRequestedScopes(),
- grant.getApprovedScopes(),
- grant.getAudience(),
- clientCodeVerifier);
+ return doCreateAccessToken(client, grant, getSingleGrantType(), clientCodeVerifier);
+ }
+
+ private ServerAccessToken doCreateAccessToken(Client client,
+ ServerAuthorizationCodeGrant grant,
+ String requestedGrant,
+ String codeVerifier) {
+ ServerAccessToken token = getPreAuthorizedToken(client, grant.getSubject(), requestedGrant,
+ grant.getRequestedScopes(), grant.getAudience());
+ if (token != null) {
+ return token;
+ }
+
+ // Delegate to the data provider to create the one
+ AccessTokenRegistration reg = new AccessTokenRegistration();
+ reg.setClient(client);
+ reg.setGrantType(requestedGrant);
+ reg.setSubject(grant.getSubject());
+ reg.setRequestedScope(grant.getRequestedScopes());
+ reg.setNonce(grant.getNonce());
+ if (grant.getApprovedScopes() != null) {
+ reg.setApprovedScope(grant.getApprovedScopes());
+ } else {
+ reg.setApprovedScope(Collections.emptyList());
+ }
+ reg.setAudience(grant.getAudience());
+ reg.setClientCodeVerifier(codeVerifier);
+ return getDataProvider().createAccessToken(reg);
}
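Review bot: When `getPreAuthorizedToken` returns an existing token (the early `return token;` at the top of the new private `doCreateAccessToken`), the nonce carried by the grant is never attached to it, so the ID token built from that access token will carry no nonce, or the nonce of whichever earlier request created the pre-authorized token. An OpenID Connect relying party that sent a nonce must verify that the ID Token echoes it, so a valid authorization would be rejected at the client. Consider binding it before returning, e.g. `if (grant.getNonce() != null) { token.setNonce(grant.getNonce()); }` inside the `if (token != null)` branch, though whether the data provider needs to persist that update is not visible here, or skip the pre-authorized lookup when the grant carries a nonce. Separately, the registration-building lines duplicate `AbstractGrantHandler.doCreateAccessToken` field for field; a shared helper that takes an `AccessTokenRegistration` would stop the two copies drifting as further fields are added.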
private boolean compareCodeVerifierWithChallenge(Client c, String clientCodeVerifier,
http://git-wip-us.apache.org/repos/asf/cxf/blob/68af1967/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
index a1aba9f..5b8bca9 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
@@ -40,6 +40,7 @@ public class ServerAuthorizationCodeGrant extends AuthorizationCodeGrant {
private UserSubject subject;
private String audience;
private String clientCodeChallenge;
+ private String nonce;
public ServerAuthorizationCodeGrant() {
@@ -165,4 +166,12 @@ public class ServerAuthorizationCodeGrant extends AuthorizationCodeGrant {
public void setRequestedScopes(List<String> requestedScopes) {
this.requestedScopes = requestedScopes;
}
+
+ public String getNonce() {
+ return nonce;
+ }
+
+ public void setNonce(String nonce) {
+ this.nonce = nonce;
+ }
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/68af1967/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
index 149bff1..9bb52ed 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
@@ -67,6 +67,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider, Cl
at.setScopes(thePermissions);
at.setSubject(accessToken.getSubject());
at.setClientCodeVerifier(accessToken.getClientCodeVerifier());
+ at.setNonce(accessToken.getNonce());
return at;
}
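Review bot: The nonce is copied here on the token-creation path only; if this class also has a refresh path that builds a new access token from the old one (not visible in this hunk), it should be an explicit decision whether the original authentication's nonce survives a refresh, since an ID token minted on refresh would otherwise either drop it or replay it. A one-line comment on the new line would record the intent either way, e.g. `// nonce from the original authorization request, echoed into any ID Token built from this token`. The enclosing method starts before this hunk.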
http://git-wip-us.apache.org/repos/asf/cxf/blob/68af1967/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
index b8ab2b2..f7d6b9a 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
@@ -49,6 +49,9 @@ public class IdTokenResponseFilter extends AbstractOAuthServerJoseJwtProducer im
if (userInfoProvider != null) {
IdToken idToken =
userInfoProvider.getIdToken(st.getClient().getClientId(), st.getSubject(), st.getScopes());
+ if (st.getNonce() != null) {
+ idToken.setNonce(st.getNonce());
+ }
setAtHash(idToken, st);
return super.processJwt(new JwtToken(idToken), st.getClient());
} else if (st.getSubject().getProperties().containsKey(OidcUtils.ID_TOKEN)) {
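Review bot: The nonce is copied onto the ID token only in the `userInfoProvider != null` branch; the `else if` branch that takes a pre-built ID token from the subject properties (its body lies outside this hunk) has no equivalent, so an ID token produced that way omits the nonce unless whoever populated the property set it, and a relying party that sent one will reject the response. Either apply the same `setNonce` there or document why that path is exempt. A why-comment on the new lines would also help the next maintainer: `// Echo the nonce from the authorization request; OIDC Core 3.1.3.7 requires the RP to verify it`. The enclosing method starts and ends outside this hunk.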