Posted to commits@cxf.apache.org by se...@apache.org on 2016/02/03 12:02:47 UTC

cxf git commit: Updating OIDC RP filter to check if the context ID token has expired

Repository: cxf
Updated Branches:
  refs/heads/master a3023aa0d -> 2df002245


Updating OIDC RP filter to check if the context ID token has expired


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2df00224
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2df00224
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2df00224

Branch: refs/heads/master
Commit: 2df002245e1fdc60020e110d6d290d3d13d305ad
Parents: a3023aa
Author: Sergey Beryozkin <sb...@gmail.com>
Authored: Wed Feb 3 11:02:32 2016 +0000
Committer: Sergey Beryozkin <sb...@gmail.com>
Committed: Wed Feb 3 11:02:32 2016 +0000

----------------------------------------------------------------------
 .../security/oidc/rp/OidcRpAuthenticationFilter.java  | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/2df00224/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java
index 43950fe..3cead95 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationFilter.java
@@ -36,11 +36,15 @@ import javax.ws.rs.core.UriBuilder;
 
 import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.jaxrs.ext.MessageContext;
+import org.apache.cxf.jaxrs.ext.MessageContextImpl;
 import org.apache.cxf.jaxrs.impl.MetadataMap;
 import org.apache.cxf.jaxrs.utils.FormUtils;
 import org.apache.cxf.jaxrs.utils.JAXRSUtils;
+import org.apache.cxf.rs.security.jose.jwt.JwtException;
+import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
 import org.apache.cxf.rs.security.oauth2.client.ClientTokenContext;
 import org.apache.cxf.rs.security.oauth2.client.ClientTokenContextManager;
+import org.apache.cxf.rs.security.oidc.common.IdToken;
 
 @PreMatching
 @Priority(Priorities.AUTHENTICATION)
@@ -77,9 +81,17 @@ public class OidcRpAuthenticationFilter implements ContainerRequestFilter {
         if (tokenContext == null) {
             return false;
         }
+        IdToken idToken = tokenContext.getIdToken();
+        try {
+            // If ID token has expired then the context is no longer valid
+            JwtUtils.validateJwtExpiry(idToken, 0, idToken.getExpiryTime() != null);
+        } catch (JwtException ex) {
+            stateManager.removeClientTokenContext(new MessageContextImpl(JAXRSUtils.getCurrentMessage()));
+            return false;
+        }
         OidcClientTokenContextImpl newTokenContext = new OidcClientTokenContextImpl();
         newTokenContext.setToken(tokenContext.getToken());
-        newTokenContext.setIdToken(tokenContext.getIdToken());
+        newTokenContext.setIdToken(idToken);
         newTokenContext.setUserInfo(tokenContext.getUserInfo());
         newTokenContext.setState(toRequestState(rc));
         JAXRSUtils.getCurrentMessage().setContent(ClientTokenContext.class, newTokenContext);
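Review bot: The expiry check on the added `JwtUtils.validateJwtExpiry(idToken, 0, idToken.getExpiryTime() != null)` line fails open: the third argument (the claim-required flag, as far as the call shows) is true only when the claim is present, so a stored ID token without `exp` is never treated as expired and its context stays valid indefinitely. OpenID Connect makes `exp` mandatory in ID tokens, so `JwtUtils.validateJwtExpiry(idToken, 0, true);` would be the stricter choice. The same line dereferences `idToken` without a null check, so a context stored without an ID token would presumably raise a NullPointerException instead of returning false; a guard such as `if (idToken == null) { return false; }` before the `try` would keep the filter on its normal rejection path. The enclosing method begins and ends outside this hunk, so an earlier guard may exist that is not visible here.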