From serg...@apache.org
Subject cxf git commit: Some oidc refactorings
Date Fri, 28 Nov 2014 22:24:11 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes 10c8fb6e2 -> fd659c11e


Some oidc refactorings


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/fd659c11
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/fd659c11
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/fd659c11

Branch: refs/heads/3.0.x-fixes
Commit: fd659c11eaddce26d167f97fbc6e62007f83e00f
Parents: 10c8fb6
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Fri Nov 28 22:22:40 2014 +0000
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Fri Nov 28 22:23:49 2014 +0000

----------------------------------------------------------------------
 .../provider/AccessTokenResponseFilter.java     |  5 +-
 .../oauth2/services/AccessTokenService.java     |  7 +--
 .../oauth2/services/ImplicitGrantService.java   |  6 +-
 .../cxf/rs/security/oidc/common/UserInfo.java   |  6 +-
 .../cxf/rs/security/oidc/common/UserToken.java  |  6 +-
 .../rs/security/oidc/rp/UserInfoValidator.java  | 33 ++++++-----
 .../rs/security/oidc/rp/UserTokenValidator.java | 13 +++--
 .../oidc/rp/idp/UserInfoCodeResponseFilter.java | 17 +++---
 .../security/oidc/rp/idp/UserInfoProvider.java  | 11 ++--
 .../cxf/rs/security/oidc/utils/OidcUtils.java   | 59 +++++++++++++++++++-
 10 files changed, 109 insertions(+), 54 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/fd659c11/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenResponseFilter.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenResponseFilter.java
index 02da169..f6058e6 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenResponseFilter.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AccessTokenResponseFilter.java
@@ -18,10 +18,9 @@
  */
 package org.apache.cxf.rs.security.oauth2.provider;
 
-import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
-import org.apache.cxf.rs.security.oauth2.common.UserSubject;
+import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
 
 public interface AccessTokenResponseFilter {
-    void process(Client client, ClientAccessToken ct, UserSubject endUser);
+    void process(ClientAccessToken ct, ServerAccessToken st);
 }
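Review bot: The new `process(ClientAccessToken ct, ServerAccessToken st)` contract has no Javadoc, and the change widens what a filter receives from a client id and subject to the whole server-side token record. Add a Javadoc on the interface stating which argument a filter is expected to mutate (presumably `ct`, the response about to be returned) and that `st` is read-only input whose contents must not be copied into the response or logged by implementations. Without that, the next filter author has to infer the contract from `UserInfoCodeResponseFilter`.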

http://git-wip-us.apache.org/repos/asf/cxf/blob/fd659c11/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java
index d63a141..c2bf07d 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenService.java
@@ -36,7 +36,6 @@ import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
 import org.apache.cxf.rs.security.oauth2.common.OAuthError;
 import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
-import org.apache.cxf.rs.security.oauth2.common.UserSubject;
 import org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeDataProvider;
 import org.apache.cxf.rs.security.oauth2.grants.code.AuthorizationCodeGrantHandler;
 import org.apache.cxf.rs.security.oauth2.provider.AccessTokenGrantHandler;
@@ -121,16 +120,16 @@ public class AccessTokenService extends AbstractTokenService {
         
         // Extract the information to be of use for the client
         ClientAccessToken clientToken = OAuthUtils.toClientAccessToken(serverToken, isWriteOptionalParameters());
-        processClientAccessToken(client, clientToken, serverToken.getSubject());    
+        processClientAccessToken(clientToken, serverToken);    
         // Return it to the client
         return Response.ok(clientToken)
                        .header(HttpHeaders.CACHE_CONTROL, "no-store")
                        .header("Pragma", "no-cache")
                         .build();
     }
-    protected void processClientAccessToken(Client client, ClientAccessToken clientToken,
UserSubject endUser) {
+    protected void processClientAccessToken(ClientAccessToken clientToken, ServerAccessToken
serverToken) {
         for (AccessTokenResponseFilter filter : responseHandlers) {
-            filter.process(client, clientToken, endUser); 
+            filter.process(clientToken, serverToken); 
         }
     }
     protected void checkAudience(MultivaluedMap<String, String> params) { 
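Review bot: `processClientAccessToken` is now byte-for-byte identical here and in ImplicitGrantService (the hunk at L125-L133), both iterating `responseHandlers` and calling `filter.process(clientToken, serverToken)`; if `responseHandlers` is held by a common ancestor, the method belongs there once rather than being maintained twice. The dropped `Client` parameter is presumably recovered by filters via `serverToken.getClient()`; a one-line comment on the method saying so, e.g. `// filters obtain the client and subject via serverToken`, would spare readers a trip to the filter implementations.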

http://git-wip-us.apache.org/repos/asf/cxf/blob/fd659c11/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java
index df26c82..aa1e44b 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java
@@ -80,7 +80,7 @@ public class ImplicitGrantService extends RedirectionBasedGrantService {
             token = preAuthorizedToken;
         }
         ClientAccessToken clientToken = OAuthUtils.toClientAccessToken(token, isWriteOptionalParameters());
-        processClientAccessToken(client, clientToken, token.getSubject());
+        processClientAccessToken(clientToken, token);
    
         // return the token by appending it as a fragment parameter to the redirect URI
         
@@ -112,9 +112,9 @@ public class ImplicitGrantService extends RedirectionBasedGrantService
{
         
         return Response.seeOther(URI.create(sb.toString())).build();
     }
-    protected void processClientAccessToken(Client client, ClientAccessToken clientToken,
UserSubject endUser) {
+    protected void processClientAccessToken(ClientAccessToken clientToken, ServerAccessToken
serverToken) {
         for (AccessTokenResponseFilter filter : responseHandlers) {
-            filter.process(client, clientToken, endUser); 
+            filter.process(clientToken, serverToken); 
         }
     }
     protected Response createErrorResponse(MultivaluedMap<String, String> params,

http://git-wip-us.apache.org/repos/asf/cxf/blob/fd659c11/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserInfo.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserInfo.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserInfo.java
index 944c399..9607b07 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserInfo.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserInfo.java
@@ -23,7 +23,7 @@ import java.util.Map;
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
 
-public class UserProfile extends JwtClaims {
+public class UserInfo extends JwtClaims {
     public static final String NAME_CLAIM = "name";
     public static final String PROFILE_CLAIM = "profile";
     public static final String EMAIL_CLAIM = "email";
@@ -31,10 +31,10 @@ public class UserProfile extends JwtClaims {
     public static final String BIRTHDATE_CLAIM = "birthdate";
     public static final String PHONE_CLAIM = "phone_number";
     public static final String ADDRESS_CLAIM = "address";
-    public UserProfile() {
+    public UserInfo() {
     }
     
-    public UserProfile(Map<String, Object> claims) {
+    public UserInfo(Map<String, Object> claims) {
         super(claims);
     }
     

http://git-wip-us.apache.org/repos/asf/cxf/blob/fd659c11/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserToken.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserToken.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserToken.java
index 7db7991..7654b23 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserToken.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserToken.java
@@ -22,16 +22,16 @@ import java.util.Map;
 
 import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
 
-public class UserIdToken extends JwtClaims {
+public class UserToken extends JwtClaims {
     public static final String AUTH_TIME_CLAIM = "auth_time";
     public static final String NONCE_CLAIM = "nonce";
     public static final String ACR_CLAIM = "acr";
     public static final String AZP_CLAIM = "azp";
     
-    public UserIdToken() {
+    public UserToken() {
     }
     
-    public UserIdToken(Map<String, Object> claims) {
+    public UserToken(Map<String, Object> claims) {
         super(claims);
     }
     public void setAuthenticationTime(Long time) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/fd659c11/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoValidator.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoValidator.java
index d1f6ffe..e3dec47 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoValidator.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoValidator.java
@@ -20,39 +20,38 @@ package org.apache.cxf.rs.security.oidc.rp;
 
 import org.apache.cxf.jaxrs.client.WebClient;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
-import org.apache.cxf.rs.security.oidc.common.UserIdToken;
-import org.apache.cxf.rs.security.oidc.common.UserProfile;
+import org.apache.cxf.rs.security.oidc.common.UserInfo;
+import org.apache.cxf.rs.security.oidc.common.UserToken;
 
-public class UserProfileValidator extends AbstractTokenValidator {
+public class UserInfoValidator extends AbstractTokenValidator {
     private boolean encryptedOnly;
     
-    public UserProfile getProfile(WebClient profileClient, UserIdToken idToken) {
+    public UserInfo getUserInfo(WebClient profileClient, UserToken idToken) {
         return getProfile(profileClient, idToken, false);
     }
-    public UserProfile getProfile(WebClient profileClient, UserIdToken idToken, boolean asJwt)
{
+    public UserInfo getProfile(WebClient profileClient, UserToken idToken, boolean asJwt)
{
         if (asJwt) {
             String jwt = profileClient.get(String.class);
-            return getProfileFromJwt(jwt, idToken);
+            return getUserInfoFromJwt(jwt, idToken);
         } else {
-            UserProfile profile = profileClient.get(UserProfile.class);
-            validateUserProfile(profile, idToken);
+            UserInfo profile = profileClient.get(UserInfo.class);
+            validateUserInfo(profile, idToken);
             return profile;
         }
-        
     }
-    public UserProfile getProfileFromJwt(String profileJwtToken, UserIdToken idToken) {
-        JwtToken jwt = getProfileJwtToken(profileJwtToken, idToken);
-        return getProfileFromJwt(jwt, idToken);
+    public UserInfo getUserInfoFromJwt(String profileJwtToken, UserToken idToken) {
+        JwtToken jwt = getUserInfoJwt(profileJwtToken, idToken);
+        return getUserInfoFromJwt(jwt, idToken);
     }
-    public UserProfile getProfileFromJwt(JwtToken jwt, UserIdToken idToken) {
-        UserProfile profile = new UserProfile(jwt.getClaims().asMap());
-        validateUserProfile(profile, idToken);
+    public UserInfo getUserInfoFromJwt(JwtToken jwt, UserToken idToken) {
+        UserInfo profile = new UserInfo(jwt.getClaims().asMap());
+        validateUserInfo(profile, idToken);
         return profile;
     }
-    public JwtToken getProfileJwtToken(String profileJwtToken, UserIdToken idToken) {
+    public JwtToken getUserInfoJwt(String profileJwtToken, UserToken idToken) {
         return getJwtToken(profileJwtToken, idToken.getAudience(), (String)idToken.getProperty("kid"),
encryptedOnly);
     }
-    public void validateUserProfile(UserProfile profile, UserIdToken idToken) {
+    public void validateUserInfo(UserInfo profile, UserToken idToken) {
         validateJwtClaims(profile, idToken.getAudience(), false);
         // validate subject
         if (!idToken.getSubject().equals(profile.getSubject())) {
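Review bot: The renaming is incomplete: `getUserInfo` (L215) delegates to an overload still named `getProfile` (L220), and `getUserInfoJwt` (L251) sits beside `getUserInfoFromJwt` (L238, L245), so callers now see both vocabularies in one class. Either rename the three-argument overload to `public UserInfo getUserInfo(WebClient profileClient, UserToken idToken, boolean asJwt)` or keep `getProfile` as a deprecated alias that delegates to it. `validateUserInfo` starts at L256 and continues outside the hunk.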

http://git-wip-us.apache.org/repos/asf/cxf/blob/fd659c11/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserTokenValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserTokenValidator.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserTokenValidator.java
index 8bb116e..74d6b23 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserTokenValidator.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserTokenValidator.java
@@ -20,21 +20,22 @@ package org.apache.cxf.rs.security.oidc.rp;
 
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
-import org.apache.cxf.rs.security.oidc.common.UserIdToken;
+import org.apache.cxf.rs.security.oidc.common.UserToken;
+import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
 
-public class IdTokenValidator extends AbstractTokenValidator {
+public class UserTokenValidator extends AbstractTokenValidator {
     private boolean requireAtHash = true;
     
-    public UserIdToken getIdTokenFromJwt(ClientAccessToken at, String clientId) {
+    public UserToken getIdTokenFromJwt(ClientAccessToken at, String clientId) {
         JwtToken jwt = getIdJwtToken(at, clientId);
         return getIdTokenFromJwt(jwt, clientId);
     }
-    public UserIdToken getIdTokenFromJwt(JwtToken jwt, String clientId) {
+    public UserToken getIdTokenFromJwt(JwtToken jwt, String clientId) {
         //TODO: do the extra validation if needed
-        return new UserIdToken(jwt.getClaims().asMap());
+        return new UserToken(jwt.getClaims().asMap());
     }
     public JwtToken getIdJwtToken(ClientAccessToken at, String clientId) {
-        String idJwtToken = at.getParameters().get("id_token");
+        String idJwtToken = at.getParameters().get(OidcUtils.ID_TOKEN);
         JwtToken jwt = getJwtToken(idJwtToken, clientId, null, false);
         validateJwtClaims(jwt.getClaims(), clientId, true);
         OidcUtils.validateAccessTokenHash(at, jwt, requireAtHash);
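Review bot: The `JwtToken` overload `getIdTokenFromJwt(JwtToken jwt, String clientId)` (L286) wraps the claims without any of the checks that `getIdJwtToken` performs (`validateJwtClaims`, `validateAccessTokenHash`), and the `//TODO` above it is carried over unchanged, so a caller who already holds a parsed token obtains a `UserToken` that was never validated for `clientId`. Either have the overload call `validateJwtClaims(jwt.getClaims(), clientId, true);` itself, or make it private and document that only the `ClientAccessToken` path validates. Separately, `at.getParameters().get(OidcUtils.ID_TOKEN)` (L293) is `null` when the token response carries no id_token; failing fast there with a clear exception is preferable to passing `null` into `getJwtToken`.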

http://git-wip-us.apache.org/repos/asf/cxf/blob/fd659c11/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/idp/UserInfoCodeResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/idp/UserInfoCodeResponseFilter.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/idp/UserInfoCodeResponseFilter.java
index 62be869..0a1375a 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/idp/UserInfoCodeResponseFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/idp/UserInfoCodeResponseFilter.java
@@ -25,12 +25,11 @@ import org.apache.cxf.rs.security.jose.jwe.JweUtils;
 import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
 import org.apache.cxf.rs.security.jose.jws.JwsUtils;
-import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
-import org.apache.cxf.rs.security.oauth2.common.UserSubject;
+import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
 import org.apache.cxf.rs.security.oauth2.provider.AccessTokenResponseFilter;
-import org.apache.cxf.rs.security.oidc.common.UserIdToken;
-import org.apache.cxf.rs.security.oidc.rp.OidcUtils;
+import org.apache.cxf.rs.security.oidc.common.UserToken;
+import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
 
 public class UserInfoCodeResponseFilter implements AccessTokenResponseFilter {
     private JwsSignatureProvider sigProvider;
@@ -38,10 +37,11 @@ public class UserInfoCodeResponseFilter implements AccessTokenResponseFilter
{
     private UserInfoProvider userInfoProvider;
     private String issuer;
     @Override
-    public void process(Client client, ClientAccessToken ct, UserSubject endUser) {
-        UserIdToken token = userInfoProvider.getUserIdToken(endUser);
+    public void process(ClientAccessToken ct, ServerAccessToken st) {
+        UserToken token = 
+            userInfoProvider.getUserToken(st.getClient().getClientId(), st.getSubject(),
st.getScopes());
         token.setIssuer(issuer);
-        token.setAudience(client.getClientId());
+        token.setAudience(st.getClient().getClientId());
         
         JwsJwtCompactProducer producer = new JwsJwtCompactProducer(token);
         JoseHeaders headers = new JoseHeaders();
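Review bot: `st.getClient().getClientId()` is evaluated twice (L330 and L334) and `st.getClient()` is dereferenced without a check; hoist it once, `String clientId = st.getClient().getClientId();`, and use `clientId` in both the provider call and `setAudience`. `userInfoProvider` is likewise dereferenced unguarded, and with its getter removed in the hunk below nothing in this class can tell whether it was configured; if it is mandatory, an explicit `IllegalStateException` naming the missing provider reads better than an NPE on the first token request. `process` continues past the end of the hunk.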
@@ -77,9 +77,6 @@ public class UserInfoCodeResponseFilter implements AccessTokenResponseFilter
{
     public void setIssuer(String issuer) {
         this.issuer = issuer;
     }
-    public UserInfoProvider getUserInfoProvider() {
-        return userInfoProvider;
-    }
     public void setUserInfoProvider(UserInfoProvider userInfoProvider) {
         this.userInfoProvider = userInfoProvider;
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/fd659c11/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/idp/UserInfoProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/idp/UserInfoProvider.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/idp/UserInfoProvider.java
index d36dec9..db58214 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/idp/UserInfoProvider.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/idp/UserInfoProvider.java
@@ -18,11 +18,14 @@
  */
 package org.apache.cxf.rs.security.oidc.rp.idp;
 
+import java.util.List;
+
+import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
 import org.apache.cxf.rs.security.oauth2.common.UserSubject;
-import org.apache.cxf.rs.security.oidc.common.UserIdToken;
-import org.apache.cxf.rs.security.oidc.common.UserProfile;
+import org.apache.cxf.rs.security.oidc.common.UserInfo;
+import org.apache.cxf.rs.security.oidc.common.UserToken;
 
 public interface UserInfoProvider {
-    UserIdToken getUserIdToken(UserSubject authenticatedUser);
-    UserProfile getUserProfile(UserSubject authenticatedUser);
+    UserToken getUserToken(String clientId, UserSubject authenticatedUser, List<OAuthPermission>
scopes);
+    UserInfo getUserInfo(String clientId, UserSubject authenticatedUser, List<OAuthPermission>
scopes);
 }
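Review bot: The two new signatures carry no Javadoc, yet `scopes` is the only input that tells an implementation which claims it may release for `clientId`; document that both methods are expected to return only the claims covered by `scopes` (presumably mapped through `OidcUtils.getScopeProperties`) and what to return when a scope the caller did not grant is absent. State also whether `clientId` may be `null` when called outside a client context, since neither parameter is annotated.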

http://git-wip-us.apache.org/repos/asf/cxf/blob/fd659c11/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
index b978c4f..42e94da 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
@@ -16,21 +16,78 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-package org.apache.cxf.rs.security.oidc.rp;
+package org.apache.cxf.rs.security.oidc.utils;
 
 import java.security.NoSuchAlgorithmException;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
 
 import org.apache.cxf.common.util.Base64UrlUtility;
 import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.common.util.crypto.MessageDigestUtils;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
+import org.apache.cxf.rs.security.oidc.common.UserInfo;
 
 public final class OidcUtils {
     public static final String ID_TOKEN = "id_token";
+    public static final String OIDC_SCOPE = "oidc";
+    public static final String PROFILE_SCOPE = "profile";
+    public static final String EMAIL_SCOPE = "email";
+    public static final String ADDRESS_SCOPE = "address";
+    public static final String PHONE_SCOPE = "phone";
+    public static final List<String> PROFILE_CLAIMS = Arrays.asList(UserInfo.NAME_CLAIM,

+                                                                    UserInfo.PROFILE_CLAIM);
+    public static final List<String> EMAIL_CLAIMS = Arrays.asList(UserInfo.EMAIL_CLAIM,

+                                                                  UserInfo.EMAIL_VERIFIED_CLAIM);
+    public static final List<String> ADDRESS_CLAIMS = Arrays.asList(UserInfo.ADDRESS_CLAIM);
+    public static final List<String> PHONE_CLAIMS = Arrays.asList(UserInfo.PHONE_CLAIM);
+    private static final Map<String, List<String>> SCOPES_MAP;
+    static {
+        SCOPES_MAP = new HashMap<String, List<String>>();
+        SCOPES_MAP.put(PHONE_SCOPE, PHONE_CLAIMS);
+        SCOPES_MAP.put(EMAIL_SCOPE, EMAIL_CLAIMS);
+        SCOPES_MAP.put(ADDRESS_SCOPE, ADDRESS_CLAIMS);
+        SCOPES_MAP.put(PROFILE_SCOPE, PROFILE_CLAIMS);
+    }
+    
     private OidcUtils() {
         
     }
+    public static String getOidcScope() {
+        return OIDC_SCOPE;
+    }
+    public static String getProfileScope() {
+        return getScope(OIDC_SCOPE, PROFILE_SCOPE);
+    }
+    public static String getEmailScope() {
+        return getScope(OIDC_SCOPE, EMAIL_SCOPE);
+    }
+    public static String getAddressScope() {
+        return getScope(OIDC_SCOPE, ADDRESS_SCOPE);
+    }
+    public static String getPhoneScope() {
+        return getScope(OIDC_SCOPE, PHONE_SCOPE);
+    }
+    public static String getAllScopes() {
+        return getScope(OIDC_SCOPE, PROFILE_SCOPE, EMAIL_SCOPE, ADDRESS_SCOPE, PHONE_SCOPE);
+    }
+    public static List<String> getScopeProperties(String scope) {
+        return SCOPES_MAP.get(scope);
+    }
+    
+    private static String getScope(String... scopes) {
+        StringBuilder sb = new StringBuilder();
+        for (String scope : scopes) {
+            if (sb.length() > 0) {
+                sb.append(" ");
+            }
+            sb.append(scope);
+        }
+        return sb.toString();
+    }
     public static void validateAccessTokenHash(ClientAccessToken at, JwtToken jwt) {
         validateAccessTokenHash(at, jwt, true);
     }
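Review bot: `OIDC_SCOPE = "oidc"` (L408) does not match the scope value defined by OpenID Connect Core, which is `openid`; every helper from `getOidcScope` to `getAllScopes` is built on it, so the generated scope strings would not be recognised as OpenID requests by a conformant provider. Change it to `public static final String OIDC_SCOPE = "openid";` (the constant name can stay). The public `*_CLAIMS` lists are `Arrays.asList` views whose elements any caller can overwrite; wrapping each in `Collections.unmodifiableList(...)` keeps them constant, and `getScopeProperties` returning `null` for an unknown scope should be stated in a Javadoc so callers guard for it.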

