Posted to commits@cxf.apache.org by se...@apache.org on 2016/02/11 13:31:35 UTC
cxf git commit: Splitting UserInfoProvider into two interfaces for
OidcImplicitService support the custom id token creation as opposed to users
having to do it in SubjectCreator/etc
Repository: cxf
Updated Branches:
refs/heads/master 5fb017cfd -> f32598d94
Splitting UserInfoProvider into two interfaces for OidcImplicitService support the custom id token creation as opposed to users having to do it in SubjectCreator/etc
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/f32598d9
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/f32598d9
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/f32598d9
Branch: refs/heads/master
Commit: f32598d94cc4b95ebd464ebdde9f646caff18c59
Parents: 5fb017c
Author: Sergey Beryozkin <sb...@gmail.com>
Authored: Thu Feb 11 12:31:21 2016 +0000
Committer: Sergey Beryozkin <sb...@gmail.com>
Committed: Thu Feb 11 12:31:21 2016 +0000
----------------------------------------------------------------------
.../rs/security/oidc/idp/IdTokenProvider.java | 28 ++++++++++++++++++++
.../oidc/idp/IdTokenResponseFilter.java | 11 ++++----
.../security/oidc/idp/OidcImplicitService.java | 24 +++++++++++++----
.../rs/security/oidc/idp/UserInfoProvider.java | 5 +---
.../rs/security/oidc/idp/UserInfoService.java | 6 ++---
5 files changed, 57 insertions(+), 17 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/f32598d9/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenProvider.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenProvider.java
new file mode 100644
index 0000000..5bfb0ef
--- /dev/null
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenProvider.java
@@ -0,0 +1,28 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oidc.idp;
+
+import java.util.List;
+
+import org.apache.cxf.rs.security.oauth2.common.UserSubject;
+import org.apache.cxf.rs.security.oidc.common.IdToken;
+
+public interface IdTokenProvider {
+ IdToken getIdToken(String clientId, UserSubject authenticatedUser, List<String> scopes);
+}
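Review bot: The new public interface IdTokenProvider carries no Javadoc, so the contract its two callers now depend on is undocumented: the scopes parameter is a list of scope names (both IdTokenResponseFilter and UserInfoService pass the output of OAuthUtils.convertPermissionsToScopeList), and neither caller null-checks the returned IdToken. I would add a type-level comment stating that getIdToken must return a non-null token for the given client, that scopes are the approved scope strings rather than OAuthPermission objects, and which claims the callers add themselves (nonce in both call sites, at_hash in the filter) versus which the implementation is expected to populate. From the two call sites it looks like audience and authorized party are left to the implementation, which is worth stating explicitly since the token is issued to clientId.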
http://git-wip-us.apache.org/repos/asf/cxf/blob/f32598d9/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
index 6e7bb92..963aab2 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
@@ -35,7 +35,7 @@ import org.apache.cxf.rs.security.oidc.common.IdToken;
import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
public class IdTokenResponseFilter extends OAuthServerJoseJwtProducer implements AccessTokenResponseFilter {
- private UserInfoProvider userInfoProvider;
+ private IdTokenProvider idTokenProvider;
@Override
public void process(ClientAccessToken ct, ServerAccessToken st) {
// Only add an IdToken if the client has the "openid" scope
@@ -49,9 +49,10 @@ public class IdTokenResponseFilter extends OAuthServerJoseJwtProducer implements
}
private String getProcessedIdToken(ServerAccessToken st) {
- if (userInfoProvider != null) {
+ if (idTokenProvider != null) {
IdToken idToken =
- userInfoProvider.getIdToken(st.getClient().getClientId(), st.getSubject(), st.getScopes());
+ idTokenProvider.getIdToken(st.getClient().getClientId(), st.getSubject(),
+ OAuthUtils.convertPermissionsToScopeList(st.getScopes()));
setAtHashAndNonce(idToken, st);
return super.processJwt(new JwtToken(idToken), st.getClient());
} else if (st.getSubject().getProperties().containsKey(OidcUtils.ID_TOKEN)) {
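Review bot: The IdToken returned by idTokenProvider.getIdToken(...) on L86 is handed straight to setAtHashAndNonce without a null check, so a provider that declines to issue a token for this client or scope set surfaces as a NullPointerException inside the access token response filter rather than as the "no id_token" outcome the rest of getProcessedIdToken expresses with a null return; the new provider branch in OidcImplicitService.getProcessedIdToken has the same gap. A guard such as `if (idToken == null) { return null; }` before `setAtHashAndNonce(idToken, st);` keeps the branches consistent, assuming the caller of getProcessedIdToken treats null as "omit the id_token" (that caller, and the remainder of this method, are outside the hunk).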
@@ -91,8 +92,8 @@ public class IdTokenResponseFilter extends OAuthServerJoseJwtProducer implements
}
}
- public void setUserInfoProvider(UserInfoProvider userInfoProvider) {
- this.userInfoProvider = userInfoProvider;
+ public void setIdTokenProvider(IdTokenProvider idTokenProvider) {
+ this.idTokenProvider = idTokenProvider;
}
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/f32598d9/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
index 60b638d..359d172 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
@@ -46,6 +46,7 @@ public class OidcImplicitService extends ImplicitGrantService {
private static final String ID_TOKEN_AND_AT_RESPONSE_TYPE = "id_token token";
private boolean skipAuthorizationWithOidcScope;
private JoseJwtProducer idTokenHandler;
+ private IdTokenProvider idTokenProvider;
public OidcImplicitService() {
super(new HashSet<String>(Arrays.asList(ID_TOKEN_RESPONSE_TYPE,
@@ -97,31 +98,44 @@ public class OidcImplicitService extends ImplicitGrantService {
StringBuilder sb = getUriWithFragment(state.getRedirectUri());
- String idToken = getProcessedIdToken(state, userSubject);
+ String idToken = getProcessedIdToken(state, userSubject,
+ getApprovedScope(requestedScope, approvedScope));
if (idToken != null) {
sb.append(OidcUtils.ID_TOKEN).append("=").append(idToken);
}
return finalizeResponse(sb, state);
}
- private String getProcessedIdToken(OAuthRedirectionState state, UserSubject subject) {
+ private String getProcessedIdToken(OAuthRedirectionState state,
+ UserSubject subject,
+ List<String> scopes) {
if (subject.getProperties().containsKey(OidcUtils.ID_TOKEN)) {
return subject.getProperties().get(OidcUtils.ID_TOKEN);
+ } else if (idTokenProvider != null) {
+ IdToken idToken = idTokenProvider.getIdToken(state.getClientId(), subject, scopes);
+ idToken.setNonce(state.getNonce());
+ return processIdToken(idToken);
} else if (subject instanceof OidcUserSubject) {
OidcUserSubject sub = (OidcUserSubject)subject;
IdToken idToken = new IdToken(sub.getIdToken());
idToken.setAudience(state.getClientId());
idToken.setAuthorizedParty(state.getClientId());
idToken.setNonce(state.getNonce());
- JoseJwtProducer processor = idTokenHandler == null ? new JoseJwtProducer() : idTokenHandler;
- return processor.processJwt(new JwtToken(idToken));
+ return processIdToken(idToken);
} else {
return null;
}
}
+ protected String processIdToken(IdToken idToken) {
+ JoseJwtProducer processor = idTokenHandler == null ? new JoseJwtProducer() : idTokenHandler;
+ return processor.processJwt(new JwtToken(idToken));
+ }
+
public void setIdTokenJoseHandler(JoseJwtProducer idTokenJoseHandler) {
this.idTokenHandler = idTokenJoseHandler;
}
-
+ public void setIdTokenProvider(IdTokenProvider idTokenProvider) {
+ this.idTokenProvider = idTokenProvider;
+ }
}
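Review bot: The new idTokenProvider branch (L129–L132) applies only the nonce before processIdToken, whereas the OidcUserSubject branch directly below also sets the audience and authorized party to state.getClientId(); an IdTokenProvider implementation that omits those claims therefore yields a signed id_token with no `aud` bound to the requesting client, which the relying party cannot detect. Either the IdTokenProvider contract should state that implementations must populate aud/azp from the supplied clientId, or this branch should fill them in from state.getClientId() when the provider left them unset, in the same spot as `idToken.setNonce(state.getNonce());`. The branch also dereferences the provider result without a null check, so a null return becomes a NullPointerException instead of reaching the `return null` path that the caller's `if (idToken != null)` already handles. The call site at the top of this hunk belongs to a method that starts outside it.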
http://git-wip-us.apache.org/repos/asf/cxf/blob/f32598d9/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoProvider.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoProvider.java
index 0a3320a..f318a5b 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoProvider.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoProvider.java
@@ -20,12 +20,9 @@ package org.apache.cxf.rs.security.oidc.idp;
import java.util.List;
-import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
-import org.apache.cxf.rs.security.oidc.common.IdToken;
import org.apache.cxf.rs.security.oidc.common.UserInfo;
public interface UserInfoProvider {
- IdToken getIdToken(String clientId, UserSubject authenticatedUser, List<OAuthPermission> scopes);
- UserInfo getUserInfo(String clientId, UserSubject authenticatedUser, List<OAuthPermission> scopes);
+ UserInfo getUserInfo(String clientId, UserSubject authenticatedUser, List<String> scopes);
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/f32598d9/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
index ae9a75a..9955bf9 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
@@ -30,6 +30,7 @@ import org.apache.cxf.rs.security.oauth2.common.OAuthContext;
import org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServerJoseJwtProducer;
import org.apache.cxf.rs.security.oauth2.utils.OAuthContextUtils;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
import org.apache.cxf.rs.security.oidc.common.IdToken;
import org.apache.cxf.rs.security.oidc.common.UserInfo;
@@ -46,9 +47,8 @@ public class UserInfoService extends OAuthServerJoseJwtProducer {
OAuthContext oauth = OAuthContextUtils.getContext(mc);
UserInfo userInfo = null;
if (userInfoProvider != null) {
- userInfo = userInfoProvider.getUserInfo(oauth.getClientId(),
- oauth.getSubject(),
- oauth.getPermissions());
+ userInfo = userInfoProvider.getUserInfo(oauth.getClientId(), oauth.getSubject(),
+ OAuthUtils.convertPermissionsToScopeList(oauth.getPermissions()));
} else if (oauth.getSubject() instanceof OidcUserSubject) {
OidcUserSubject oidcUserSubject = (OidcUserSubject)oauth.getSubject();
userInfo = oidcUserSubject.getUserInfo();