Posted to commits@cxf.apache.org by re...@apache.org on 2016/05/26 21:46:08 UTC
[40/50] [abbrv] cxf git commit: Simplifying OIDC services a bit
Simplifying OIDC services a bit
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/0182a290
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/0182a290
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/0182a290
Branch: refs/heads/master-jaxrs-2.1
Commit: 0182a29027e927abc170a7d6077aedeba7c974fb
Parents: 28f130c
Author: Sergey Beryozkin <sb...@gmail.com>
Authored: Wed May 25 10:59:17 2016 +0100
Committer: Sergey Beryozkin <sb...@gmail.com>
Committed: Wed May 25 10:59:17 2016 +0100
----------------------------------------------------------------------
.../services/AbstractImplicitGrantService.java | 1 +
.../services/AuthorizationCodeGrantService.java | 1 +
.../services/RedirectionBasedGrantService.java | 9 +++++-
.../oidc/idp/OidcAuthorizationCodeService.java | 29 +++-----------------
.../security/oidc/idp/OidcImplicitService.java | 23 +++-------------
5 files changed, 18 insertions(+), 45 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/0182a290/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
index 3a18a66..446f82c 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
@@ -133,6 +133,7 @@ public abstract class AbstractImplicitGrantService extends RedirectionBasedGrant
reg.setApprovedScope(getApprovedScope(requestedScope, approvedScope));
reg.setAudiences(Collections.singletonList(state.getAudience()));
reg.setNonce(state.getNonce());
+ reg.getExtraProperties().putAll(state.getExtraProperties());
return reg;
}
protected void finalizeResponse(StringBuilder sb, OAuthRedirectionState state) {
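Review bot: The added `putAll` makes every `AbstractImplicitGrantService` subclass copy the redirection state's extra properties into the access token registration, whereas before this commit only `OidcImplicitService` did so (its override is deleted further down in this same commit), so non-OIDC implicit-grant deployments now see new data on their tokens. If, as the OIDC `recreateRedirectionStateFromParams` override suggests, the state can be rebuilt from authorization request parameters, anything a subclass stores in `extraProperties` now flows into the issued token, which is worth stating on the line: `// carry over extra state captured at authorization time (e.g. OIDC request hints) so it is available when the token is issued`. Whether `getExtraProperties()` can return null on either object is not visible here; if it can, this call would throw and needs a guard. The enclosing `createTokenRegistration` starts outside the hunk.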
http://git-wip-us.apache.org/repos/asf/cxf/blob/0182a290/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
index 5ec47d7..36c94f7 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
@@ -158,6 +158,7 @@ public class AuthorizationCodeGrantService extends RedirectionBasedGrantService
codeReg.setAudience(state.getAudience());
codeReg.setNonce(state.getNonce());
codeReg.setClientCodeChallenge(state.getClientCodeChallenge());
+ codeReg.getExtraProperties().putAll(state.getExtraProperties());
return codeReg;
}
protected String processCodeGrant(Client client, String code, UserSubject endUser) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/0182a290/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
index 5ed3e2c..a6d5da8 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
@@ -70,6 +70,7 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
private boolean matchRedirectUriWithApplicationUri;
private boolean hidePreauthorizedScopesInForm;
private AuthorizationRequestFilter authorizationFilter;
+ private List<String> scopesRequiringNoConsent;
protected RedirectionBasedGrantService(String supportedResponseType,
String supportedGrantType) {
@@ -231,7 +232,10 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
UserSubject userSubject,
List<String> requestedScope,
List<OAuthPermission> permissions) {
- return false;
+ return scopesRequiringNoConsent != null
+ && requestedScope != null
+ && requestedScope.size() == scopesRequiringNoConsent.size()
+ && requestedScope.containsAll(scopesRequiringNoConsent);
}
/**
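Review bot: The new default `canAuthorizationBeSkipped` ignores both `client` and `permissions`, so the consent form is bypassed for any client as soon as the requested scope list matches the configured list; the OIDC overrides it replaces (removed elsewhere in this commit) additionally required `permissions.size() == 1`, and that cross-check against the resolved permission list is lost. The `size() ==` plus `containsAll` test is also not a true set comparison: if either list carries a duplicate entry (e.g. configured `[openid, openid]` against requested `[openid, profile]`) it still returns true and skips consent for the extra scope, unless scopes are de-duplicated upstream, which is not visible here. A set equality is clearer and robust, `return scopesRequiringNoConsent != null && requestedScope != null && new HashSet<>(requestedScope).equals(new HashSet<>(scopesRequiringNoConsent));`, provided `java.util.HashSet` is imported (the import block is outside this hunk). Consider also keeping a permissions-size check, e.g. `&& permissions != null && permissions.size() == requestedScope.size()`, so a provider that expands scopes into more permissions does not get silently auto-approved.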
@@ -554,4 +558,7 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
public void setAuthorizationFilter(AuthorizationRequestFilter authorizationFilter) {
this.authorizationFilter = authorizationFilter;
}
+ public void setScopesRequiringNoConsent(List<String> scopesRequiringNoConsent) {
+ this.scopesRequiringNoConsent = scopesRequiringNoConsent;
+ }
}
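Review bot: `setScopesRequiringNoConsent` is a public knob that disables the consent step for every client, yet it has no Javadoc; its exact-match semantics should be spelled out so deployers do not read it as "skip consent whenever one of these scopes is requested". Suggested: `/** Scopes for which the end-user consent form is skipped. Consent is bypassed only when the requested scopes are exactly this set (same size, all present), for all clients. */`. Storing the caller's list reference directly also means later mutation by the caller silently changes the policy; a defensive copy (for example via `new ArrayList<>(...)` when non-null) would avoid that, though the imports it needs are outside this hunk.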
http://git-wip-us.apache.org/repos/asf/cxf/blob/0182a290/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
index a4e9ed5..b616170 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
@@ -18,6 +18,7 @@
*/
package org.apache.cxf.rs.security.oidc.idp;
+import java.util.Collections;
import java.util.List;
import java.util.logging.Level;
@@ -28,9 +29,7 @@ import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.OAuthError;
import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
import org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState;
-import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
-import org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeRegistration;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
@@ -39,20 +38,16 @@ import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
public class OidcAuthorizationCodeService extends AuthorizationCodeGrantService {
private static final String PROMPT_PARAMETER = "prompt";
- private boolean skipAuthorizationWithOidcScope;
@Override
protected boolean canAuthorizationBeSkipped(Client client,
UserSubject userSubject,
List<String> requestedScope,
List<OAuthPermission> permissions) {
- // No need to challenge the authenticated user with the authorization form
- // if all the client application redirecting a user needs is to get this user authenticated
- // with OIDC IDP
- return requestedScope.size() == 1 && permissions.size() == 1 && skipAuthorizationWithOidcScope
- && OidcUtils.OPENID_SCOPE.equals(requestedScope.get(0));
+ return super.canAuthorizationBeSkipped(client, userSubject, requestedScope, permissions);
}
+
public void setSkipAuthorizationWithOidcScope(boolean skipAuthorizationWithOidcScope) {
- this.skipAuthorizationWithOidcScope = skipAuthorizationWithOidcScope;
+ super.setScopesRequiringNoConsent(Collections.singletonList(OidcUtils.OPENID_SCOPE));
}
@Override
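Review bot: `setSkipAuthorizationWithOidcScope` now ignores its boolean argument: both `setSkipAuthorizationWithOidcScope(true)` and `setSkipAuthorizationWithOidcScope(false)` register `openid` as a no-consent scope, so a deployment that explicitly sets the property to false (e.g. from a bean property) ends up bypassing the consent form. Honour the flag: `super.setScopesRequiringNoConsent(skipAuthorizationWithOidcScope ? Collections.singletonList(OidcUtils.OPENID_SCOPE) : null);`. The `canAuthorizationBeSkipped` override above is now a pure delegation to `super` and can be removed along with its `@Override`. Note also that the deleted condition `permissions.size() == 1` has no equivalent in the base implementation introduced by this commit, so the skip no longer confirms that the resolved permission list matches the single requested scope.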
@@ -76,22 +71,6 @@ public class OidcAuthorizationCodeService extends AuthorizationCodeGrantService
return super.startAuthorization(params, userSubject, client);
}
- protected AuthorizationCodeRegistration createCodeRegistration(OAuthRedirectionState state,
- Client client,
- List<String> requestedScope,
- List<String> approvedScope,
- UserSubject userSubject,
- ServerAccessToken preauthorizedToken) {
- AuthorizationCodeRegistration codeReg = super.createCodeRegistration(state,
- client,
- requestedScope,
- approvedScope,
- userSubject,
- preauthorizedToken);
-
- codeReg.getExtraProperties().putAll(state.getExtraProperties());
- return codeReg;
- }
@Override
protected OAuthRedirectionState recreateRedirectionStateFromParams(
MultivaluedMap<String, String> params) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/0182a290/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
index c35526c..d689c21 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
@@ -19,6 +19,7 @@
package org.apache.cxf.rs.security.oidc.idp;
import java.util.Arrays;
+import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Properties;
@@ -32,7 +33,6 @@ import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
import org.apache.cxf.rs.security.jose.jws.JwsUtils;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
-import org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.OAuthError;
import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
@@ -51,7 +51,6 @@ import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
public class OidcImplicitService extends ImplicitGrantService {
private static final String PROMPT_PARAMETER = "prompt";
- private boolean skipAuthorizationWithOidcScope;
private OAuthJoseJwtProducer idTokenHandler;
private IdTokenProvider idTokenProvider;
@@ -100,14 +99,11 @@ public class OidcImplicitService extends ImplicitGrantService {
UserSubject userSubject,
List<String> requestedScope,
List<OAuthPermission> permissions) {
- // No need to challenge the authenticated user with the authorization form
- // if all the client application redirecting a user needs is to get this user authenticated
- // with OIDC IDP
- return requestedScope.size() == 1 && permissions.size() == 1 && skipAuthorizationWithOidcScope
- && OidcUtils.OPENID_SCOPE.equals(requestedScope.get(0));
+ return super.canAuthorizationBeSkipped(client, userSubject, requestedScope, permissions);
}
+
public void setSkipAuthorizationWithOidcScope(boolean skipAuthorizationWithOidcScope) {
- this.skipAuthorizationWithOidcScope = skipAuthorizationWithOidcScope;
+ super.setScopesRequiringNoConsent(Collections.singletonList(OidcUtils.OPENID_SCOPE));
}
@Override
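Review bot: Same defect as in `OidcAuthorizationCodeService`: the rewritten `setSkipAuthorizationWithOidcScope` discards the `skipAuthorizationWithOidcScope` parameter and unconditionally enables consent skipping for the `openid` scope, so configuring it to `false` has the opposite of the intended effect. Make the setter conditional, `super.setScopesRequiringNoConsent(skipAuthorizationWithOidcScope ? Collections.singletonList(OidcUtils.OPENID_SCOPE) : null);`, so that `false` clears the no-consent list. The `canAuthorizationBeSkipped` override just above it only forwards to `super` and is redundant. As in the code-flow service, the removed `permissions.size() == 1` guard is not reproduced by the base class, which should be a deliberate decision rather than a side effect of the refactoring.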
@@ -161,17 +157,6 @@ public class OidcImplicitService extends ImplicitGrantService {
return state;
}
- @Override
- protected AccessTokenRegistration createTokenRegistration(OAuthRedirectionState state,
- Client client,
- List<String> requestedScope,
- List<String> approvedScope,
- UserSubject userSubject) {
- AccessTokenRegistration reg =
- super.createTokenRegistration(state, client, requestedScope, approvedScope, userSubject);
- reg.getExtraProperties().putAll(state.getExtraProperties());
- return reg;
- }
protected String processIdToken(OAuthRedirectionState state, IdToken idToken) {
OAuthJoseJwtProducer processor = idTokenHandler == null ? new OAuthJoseJwtProducer() : idTokenHandler;