From serg...@apache.org
Subject cxf git commit: [CXF-6121] Updating to Jettison 1.3.7
Date Fri, 28 Nov 2014 22:15:28 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes d7dc4951b -> 10c8fb6e2


[CXF-6121] Updating to Jettison 1.3.7


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/10c8fb6e
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/10c8fb6e
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/10c8fb6e

Branch: refs/heads/3.0.x-fixes
Commit: 10c8fb6e2c772cf766578c9f87e5204e5c16b863
Parents: d7dc495
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Fri Nov 28 22:10:05 2014 +0000
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Fri Nov 28 22:15:00 2014 +0000

----------------------------------------------------------------------
 parent/pom.xml                                  |   2 +-
 .../cxf/jaxrs/provider/json/JSONProvider.java   |  11 +-
 .../jaxrs/provider/json/utils/JSONUtils.java    |   6 +-
 .../jaxrs/provider/json/JSONProviderTest.java   |  24 ++++-
 .../rs/security/oidc/common/UserIdToken.java    |  61 -----------
 .../cxf/rs/security/oidc/common/UserInfo.java   |  92 ++++++++++++++++
 .../rs/security/oidc/common/UserProfile.java    |  92 ----------------
 .../cxf/rs/security/oidc/common/UserToken.java  |  61 +++++++++++
 .../rs/security/oidc/rp/IdTokenValidator.java   |  47 --------
 .../cxf/rs/security/oidc/rp/OidcUtils.java      |  72 -------------
 .../rs/security/oidc/rp/UserInfoValidator.java  |  66 ++++++++++++
 .../security/oidc/rp/UserProfileValidator.java  |  66 ------------
 .../rs/security/oidc/rp/UserTokenValidator.java |  47 ++++++++
 .../security/oidc/rp/idp/UserInfoService.java   | 108 +++++++++++++++++++
 .../cxf/rs/security/oidc/utils/OidcUtils.java   |  72 +++++++++++++
 15 files changed, 484 insertions(+), 343 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/10c8fb6e/parent/pom.xml
----------------------------------------------------------------------
diff --git a/parent/pom.xml b/parent/pom.xml
index cbaac72..5693e99 100644
--- a/parent/pom.xml
+++ b/parent/pom.xml
@@ -122,7 +122,7 @@
         <cxf.jaxb.xjc.version>${cxf.jaxb21.xjc.version}</cxf.jaxb.xjc.version>
         <cxf.joda.time.version>2.2</cxf.joda.time.version>
         <cxf.jdom.version>1.0</cxf.jdom.version>
-        <cxf.jettison.version>1.3.6</cxf.jettison.version>
+        <cxf.jettison.version>1.3.7</cxf.jettison.version>
         <cxf.jetty.version>8.1.15.v20140411</cxf.jetty.version>
         <cxf.jetty.osgi.version>[7.6,8.2)</cxf.jetty.osgi.version>
         <cxf.jibx.version>1.2.5</cxf.jibx.version>

http://git-wip-us.apache.org/repos/asf/cxf/blob/10c8fb6e/rt/rs/extensions/providers/src/main/java/org/apache/cxf/jaxrs/provider/json/JSONProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/extensions/providers/src/main/java/org/apache/cxf/jaxrs/provider/json/JSONProvider.java
b/rt/rs/extensions/providers/src/main/java/org/apache/cxf/jaxrs/provider/json/JSONProvider.java
index c4a410a..ab90546 100644
--- a/rt/rs/extensions/providers/src/main/java/org/apache/cxf/jaxrs/provider/json/JSONProvider.java
+++ b/rt/rs/extensions/providers/src/main/java/org/apache/cxf/jaxrs/provider/json/JSONProvider.java
@@ -103,6 +103,7 @@ public class JSONProvider<T> extends AbstractJAXBProvider<T>
 {
     private List<String> primitiveArrayKeys;
     private boolean unwrapped;
     private String wrapperName;
+    private String namespaceSeparator;
     private Map<String, String> wrapperMap;
     private boolean dropRootElement;
     private boolean dropElementsInXmlStream = true;
@@ -288,7 +289,8 @@ public class JSONProvider<T> extends AbstractJAXBProvider<T>
 {
         } else {
             reader = JSONUtils.createStreamReader(is, 
                                                   readXsiType, 
-                                                  namespaceMap, 
+                                                  namespaceMap,
+                                                  namespaceSeparator,
                                                   primitiveArrayKeys,
                                                   getDepthProperties(), 
                                                   enc);
@@ -534,6 +536,9 @@ public class JSONProvider<T> extends AbstractJAXBProvider<T>
 {
                                           writeXsiType && !ignoreNamespaces,
                                           attributesToElements,
                                           typeConverter);
+        if (namespaceSeparator != null) {
+            config.setJsonNamespaceSeparator(namespaceSeparator);
+        }
         if (!dropElementsInXmlStreamProp && super.outDropElements != null) {
             config.setIgnoredElements(outDropElements);
         }
@@ -686,4 +691,8 @@ public class JSONProvider<T> extends AbstractJAXBProvider<T>
 {
     public void setEscapeForwardSlashesAlways(boolean escape) {
         this.escapeForwardSlashesAlways = escape;
     }
+
+    public void setNamespaceSeparator(String namespaceSeparator) {
+        this.namespaceSeparator = namespaceSeparator;
+    }
 }
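Review bot: The new `setNamespaceSeparator` setter has no Javadoc and accepts any string, so the API does not say that leaving it unset keeps the library default (the tests in this commit treat `.` as that default) or that the value is applied on both the read path (`JSONUtils.createStreamReader`) and the write path (`config.setJsonNamespaceSeparator`). I would add a comment such as `/** Sets the separator written between a namespace prefix and the local name in JSON keys; null keeps the Jettison default. */`. An empty string is passed straight through by the `if (namespaceSeparator != null)` guard in the earlier hunk; whether Jettison can still split prefix from local name in that case is not visible here, so rejecting an empty value in the setter may be worth considering. The class body starts outside this hunk.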

http://git-wip-us.apache.org/repos/asf/cxf/blob/10c8fb6e/rt/rs/extensions/providers/src/main/java/org/apache/cxf/jaxrs/provider/json/utils/JSONUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/extensions/providers/src/main/java/org/apache/cxf/jaxrs/provider/json/utils/JSONUtils.java
b/rt/rs/extensions/providers/src/main/java/org/apache/cxf/jaxrs/provider/json/utils/JSONUtils.java
index b12d1db..4d833df 100644
--- a/rt/rs/extensions/providers/src/main/java/org/apache/cxf/jaxrs/provider/json/utils/JSONUtils.java
+++ b/rt/rs/extensions/providers/src/main/java/org/apache/cxf/jaxrs/provider/json/utils/JSONUtils.java
@@ -135,11 +135,12 @@ public final class JSONUtils {
     
     public static XMLStreamReader createStreamReader(InputStream is, boolean readXsiType,
         ConcurrentHashMap<String, String> namespaceMap) throws Exception {
-        return createStreamReader(is, readXsiType, namespaceMap, null, null, "UTF-8");
+        return createStreamReader(is, readXsiType, namespaceMap, null, null, null, "UTF-8");
     }
     
     public static XMLStreamReader createStreamReader(InputStream is, boolean readXsiType,
         ConcurrentHashMap<String, String> namespaceMap,
+        String namespaceSeparator,
         List<String> primitiveArrayKeys,
         DocumentDepthProperties depthProps,
         String enc) throws Exception {
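Review bot: Inserting `String namespaceSeparator` into the middle of the public static `createStreamReader` parameter list removes the existing six-argument signature, so any caller outside this commit that passes `(is, readXsiType, namespaceMap, primitiveArrayKeys, depthProps, enc)` no longer compiles or links. The commit header shows this landing on `3.0.x-fixes`, where a maintenance release would normally keep the old overload available. Keeping the previous signature as a thin delegate that passes `null` for the separator preserves compatibility, and `null` already means "leave the separator unset" in the next hunk. The seven-argument method body continues outside this hunk.

```java
    // … unchanged: three-argument createStreamReader overload …

    public static XMLStreamReader createStreamReader(InputStream is, boolean readXsiType,
        ConcurrentHashMap<String, String> namespaceMap,
        List<String> primitiveArrayKeys,
        DocumentDepthProperties depthProps,
        String enc) throws Exception {
        // Previous signature kept for existing callers; null leaves the separator unset.
        return createStreamReader(is, readXsiType, namespaceMap, null,
                                  primitiveArrayKeys, depthProps, enc);
    }

    // … unchanged: seven-argument createStreamReader taking namespaceSeparator …
```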
@@ -147,6 +148,9 @@ public final class JSONUtils {
             namespaceMap.putIfAbsent(XSI_URI, XSI_PREFIX);
         }
         Configuration conf = new Configuration(namespaceMap);
+        if (namespaceSeparator != null) {
+            conf.setJsonNamespaceSeparator(namespaceSeparator);
+        }
         if (primitiveArrayKeys != null) { 
             conf.setPrimitiveArrayKeys(
                 new HashSet<String>(primitiveArrayKeys));

http://git-wip-us.apache.org/repos/asf/cxf/blob/10c8fb6e/rt/rs/extensions/providers/src/test/java/org/apache/cxf/jaxrs/provider/json/JSONProviderTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/extensions/providers/src/test/java/org/apache/cxf/jaxrs/provider/json/JSONProviderTest.java
b/rt/rs/extensions/providers/src/test/java/org/apache/cxf/jaxrs/provider/json/JSONProviderTest.java
index 040d90d..a2e1b77 100644
--- a/rt/rs/extensions/providers/src/test/java/org/apache/cxf/jaxrs/provider/json/JSONProviderTest.java
+++ b/rt/rs/extensions/providers/src/test/java/org/apache/cxf/jaxrs/provider/json/JSONProviderTest.java
@@ -431,11 +431,21 @@ public class JSONProviderTest extends Assert {
     
     @Test
     public void testReadFromQualifiedTag() throws Exception {
+        doTestReadFromQualifiedTag(".");
+    }
+    @Test
+    public void testReadFromQualifiedTagCustomNsSep() throws Exception {
+        doTestReadFromQualifiedTag("__");
+    }
+    private void doTestReadFromQualifiedTag(String nsSep) throws Exception {
         JSONProvider<TagVO2> p = new JSONProvider<TagVO2>();
         Map<String, String> namespaceMap = new HashMap<String, String>();
         namespaceMap.put("http://tags", "ns1");
         p.setNamespaceMap(namespaceMap);
-        byte[] bytes = "{\"ns1.thetag\":{\"group\":\"b\",\"name\":\"a\"}}"
+        if (!".".equals(nsSep)) {
+            p.setNamespaceSeparator(nsSep);
+        }
+        byte[] bytes = ("{\"ns1" + nsSep + "thetag\":{\"group\":\"b\",\"name\":\"a\"}}")
             .getBytes();
         Object tagsObject = p.readFrom(TagVO2.class, null, null, 
                                        null, null, new ByteArrayInputStream(bytes));
@@ -638,10 +648,20 @@ public class JSONProviderTest extends Assert {
     
     @Test
     public void testWriteToSingleQualifiedTag() throws Exception {
+        doTestWriteToSingleQualifiedTag(".");
+    }
+    @Test
+    public void testWriteToSingleQualifiedTagCustomNsSep() throws Exception {
+        doTestWriteToSingleQualifiedTag("__");
+    }
+    private void doTestWriteToSingleQualifiedTag(String nsSep) throws Exception {
         JSONProvider<TagVO2> p = new JSONProvider<TagVO2>();
         Map<String, String> namespaceMap = new HashMap<String, String>();
         namespaceMap.put("http://tags", "ns1");
         p.setNamespaceMap(namespaceMap);
+        if (!".".equals(nsSep)) {
+            p.setNamespaceSeparator(nsSep);
+        }
         TagVO2 tag = createTag2("a", "b");
         
         ByteArrayOutputStream os = new ByteArrayOutputStream();
@@ -650,7 +670,7 @@ public class JSONProviderTest extends Assert {
                   MediaType.APPLICATION_JSON_TYPE, new MetadataMap<String, Object>(),
os);
         
         String s = os.toString();
-        assertEquals("{\"ns1.thetag\":{\"group\":\"b\",\"name\":\"a\"}}", s);
+        assertEquals("{\"ns1" + nsSep + "thetag\":{\"group\":\"b\",\"name\":\"a\"}}", s);
     }
     
     @Test

http://git-wip-us.apache.org/repos/asf/cxf/blob/10c8fb6e/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserIdToken.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserIdToken.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserIdToken.java
deleted file mode 100644
index 7db7991..0000000
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserIdToken.java
+++ /dev/null
@@ -1,61 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oidc.common;
-
-import java.util.Map;
-
-import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
-
-public class UserIdToken extends JwtClaims {
-    public static final String AUTH_TIME_CLAIM = "auth_time";
-    public static final String NONCE_CLAIM = "nonce";
-    public static final String ACR_CLAIM = "acr";
-    public static final String AZP_CLAIM = "azp";
-    
-    public UserIdToken() {
-    }
-    
-    public UserIdToken(Map<String, Object> claims) {
-        super(claims);
-    }
-    public void setAuthenticationTime(Long time) {
-        setProperty(AUTH_TIME_CLAIM, time);
-    }
-    public Long getAuthenticationTime() {
-        return getLongProperty(AUTH_TIME_CLAIM);
-    }
-    public void setNonce(String nonce) {
-        setProperty(NONCE_CLAIM, nonce);
-    }
-    public String getNonce() {
-        return (String)getProperty(NONCE_CLAIM);
-    }
-    public void setAuthenticationContextRef(String ref) {
-        setProperty(ACR_CLAIM, ref);
-    }
-    public String getAuthenticationContextRef() {
-        return (String)getProperty(ACR_CLAIM);
-    }
-    public void setAuthorizedParty(String azp) {
-        setProperty(AZP_CLAIM, azp);
-    }
-    public String getAuthorizedParty() {
-        return (String)getProperty(AZP_CLAIM);
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/10c8fb6e/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserInfo.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserInfo.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserInfo.java
new file mode 100644
index 0000000..944c399
--- /dev/null
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserInfo.java
@@ -0,0 +1,92 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oidc.common;
+
+import java.util.Map;
+
+import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
+
+public class UserProfile extends JwtClaims {
+    public static final String NAME_CLAIM = "name";
+    public static final String PROFILE_CLAIM = "profile";
+    public static final String EMAIL_CLAIM = "email";
+    public static final String EMAIL_VERIFIED_CLAIM = "email_verified";
+    public static final String BIRTHDATE_CLAIM = "birthdate";
+    public static final String PHONE_CLAIM = "phone_number";
+    public static final String ADDRESS_CLAIM = "address";
+    public UserProfile() {
+    }
+    
+    public UserProfile(Map<String, Object> claims) {
+        super(claims);
+    }
+    
+    public void setName(String name) {
+        setProperty(NAME_CLAIM, name);
+    }
+    public String getName() {
+        return (String)getProperty(NAME_CLAIM);
+    }
+    public void setProfile(String name) {
+        setProperty(PROFILE_CLAIM, name);
+    }
+    public String getProfile() {
+        return (String)getProperty(PROFILE_CLAIM);
+    }
+    public void setEmail(String name) {
+        setProperty(EMAIL_CLAIM, name);
+    }
+    public String getEmail() {
+        return (String)getProperty(EMAIL_CLAIM);
+    }
+    public void setEmailVerified(Boolean verified) {
+        setProperty(EMAIL_VERIFIED_CLAIM, verified);
+    }
+    public Boolean getEmailVerified() {
+        return getBooleanProperty(EMAIL_VERIFIED_CLAIM);
+    }
+    public void setBirthDate(String date) {
+        setProperty(BIRTHDATE_CLAIM, date);
+    }
+    public String getBirthdate() {
+        return (String)getProperty(BIRTHDATE_CLAIM);
+    }
+    public String getPhoneNumber() {
+        return (String)getProperty(PHONE_CLAIM);
+    }
+    public void setPhoneNumber(String name) {
+        setProperty(PHONE_CLAIM, name);
+    }
+    public UserAddress getUserAddress() {
+        Object value = getProperty(ADDRESS_CLAIM);
+        if (value instanceof UserAddress) {
+            return (UserAddress)value;
+        } else if (value instanceof Map) {
+            Map<String, Object> map = CastUtils.cast((Map<?, ?>)value); 
+            return new UserAddress(map);
+        } else {
+            return null;
+        }
+    }
+    public void setUserAddressNumber(UserAddress address) {
+        setProperty(ADDRESS_CLAIM, address);
+    }
+    
+}
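Review bot: The new file UserInfo.java still declares `public class UserProfile` with constructors named `UserProfile`, which javac rejects because a public top-level class must be declared in a file of the same name. The blob ids suggest the file was moved without its content being edited: the new index `944c399` equals the blob of the deleted UserProfile.java. The same mismatch is visible in UserToken.java, which declares `public class UserIdToken`, and in the visible start of UserInfoValidator.java, which declares `public class UserProfileValidator`. Either rename the types and constructors to match the files, e.g. `public class UserInfo extends JwtClaims {`, or keep the old file names; as committed the oidc module presumably does not build.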

http://git-wip-us.apache.org/repos/asf/cxf/blob/10c8fb6e/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserProfile.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserProfile.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserProfile.java
deleted file mode 100644
index 944c399..0000000
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserProfile.java
+++ /dev/null
@@ -1,92 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oidc.common;
-
-import java.util.Map;
-
-import org.apache.cxf.helpers.CastUtils;
-import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
-
-public class UserProfile extends JwtClaims {
-    public static final String NAME_CLAIM = "name";
-    public static final String PROFILE_CLAIM = "profile";
-    public static final String EMAIL_CLAIM = "email";
-    public static final String EMAIL_VERIFIED_CLAIM = "email_verified";
-    public static final String BIRTHDATE_CLAIM = "birthdate";
-    public static final String PHONE_CLAIM = "phone_number";
-    public static final String ADDRESS_CLAIM = "address";
-    public UserProfile() {
-    }
-    
-    public UserProfile(Map<String, Object> claims) {
-        super(claims);
-    }
-    
-    public void setName(String name) {
-        setProperty(NAME_CLAIM, name);
-    }
-    public String getName() {
-        return (String)getProperty(NAME_CLAIM);
-    }
-    public void setProfile(String name) {
-        setProperty(PROFILE_CLAIM, name);
-    }
-    public String getProfile() {
-        return (String)getProperty(PROFILE_CLAIM);
-    }
-    public void setEmail(String name) {
-        setProperty(EMAIL_CLAIM, name);
-    }
-    public String getEmail() {
-        return (String)getProperty(EMAIL_CLAIM);
-    }
-    public void setEmailVerified(Boolean verified) {
-        setProperty(EMAIL_VERIFIED_CLAIM, verified);
-    }
-    public Boolean getEmailVerified() {
-        return getBooleanProperty(EMAIL_VERIFIED_CLAIM);
-    }
-    public void setBirthDate(String date) {
-        setProperty(BIRTHDATE_CLAIM, date);
-    }
-    public String getBirthdate() {
-        return (String)getProperty(BIRTHDATE_CLAIM);
-    }
-    public String getPhoneNumber() {
-        return (String)getProperty(PHONE_CLAIM);
-    }
-    public void setPhoneNumber(String name) {
-        setProperty(PHONE_CLAIM, name);
-    }
-    public UserAddress getUserAddress() {
-        Object value = getProperty(ADDRESS_CLAIM);
-        if (value instanceof UserAddress) {
-            return (UserAddress)value;
-        } else if (value instanceof Map) {
-            Map<String, Object> map = CastUtils.cast((Map<?, ?>)value); 
-            return new UserAddress(map);
-        } else {
-            return null;
-        }
-    }
-    public void setUserAddressNumber(UserAddress address) {
-        setProperty(ADDRESS_CLAIM, address);
-    }
-    
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/10c8fb6e/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserToken.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserToken.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserToken.java
new file mode 100644
index 0000000..7db7991
--- /dev/null
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserToken.java
@@ -0,0 +1,61 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oidc.common;
+
+import java.util.Map;
+
+import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
+
+public class UserIdToken extends JwtClaims {
+    public static final String AUTH_TIME_CLAIM = "auth_time";
+    public static final String NONCE_CLAIM = "nonce";
+    public static final String ACR_CLAIM = "acr";
+    public static final String AZP_CLAIM = "azp";
+    
+    public UserIdToken() {
+    }
+    
+    public UserIdToken(Map<String, Object> claims) {
+        super(claims);
+    }
+    public void setAuthenticationTime(Long time) {
+        setProperty(AUTH_TIME_CLAIM, time);
+    }
+    public Long getAuthenticationTime() {
+        return getLongProperty(AUTH_TIME_CLAIM);
+    }
+    public void setNonce(String nonce) {
+        setProperty(NONCE_CLAIM, nonce);
+    }
+    public String getNonce() {
+        return (String)getProperty(NONCE_CLAIM);
+    }
+    public void setAuthenticationContextRef(String ref) {
+        setProperty(ACR_CLAIM, ref);
+    }
+    public String getAuthenticationContextRef() {
+        return (String)getProperty(ACR_CLAIM);
+    }
+    public void setAuthorizedParty(String azp) {
+        setProperty(AZP_CLAIM, azp);
+    }
+    public String getAuthorizedParty() {
+        return (String)getProperty(AZP_CLAIM);
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/10c8fb6e/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenValidator.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenValidator.java
deleted file mode 100644
index 8bb116e..0000000
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenValidator.java
+++ /dev/null
@@ -1,47 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oidc.rp;
-
-import org.apache.cxf.rs.security.jose.jwt.JwtToken;
-import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
-import org.apache.cxf.rs.security.oidc.common.UserIdToken;
-
-public class IdTokenValidator extends AbstractTokenValidator {
-    private boolean requireAtHash = true;
-    
-    public UserIdToken getIdTokenFromJwt(ClientAccessToken at, String clientId) {
-        JwtToken jwt = getIdJwtToken(at, clientId);
-        return getIdTokenFromJwt(jwt, clientId);
-    }
-    public UserIdToken getIdTokenFromJwt(JwtToken jwt, String clientId) {
-        //TODO: do the extra validation if needed
-        return new UserIdToken(jwt.getClaims().asMap());
-    }
-    public JwtToken getIdJwtToken(ClientAccessToken at, String clientId) {
-        String idJwtToken = at.getParameters().get("id_token");
-        JwtToken jwt = getJwtToken(idJwtToken, clientId, null, false);
-        validateJwtClaims(jwt.getClaims(), clientId, true);
-        OidcUtils.validateAccessTokenHash(at, jwt, requireAtHash);
-        return jwt;
-    }
-
-    public void setRequireAtHash(boolean requireAtHash) {
-        this.requireAtHash = requireAtHash;
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/10c8fb6e/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcUtils.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcUtils.java
deleted file mode 100644
index b978c4f..0000000
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcUtils.java
+++ /dev/null
@@ -1,72 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oidc.rp;
-
-import java.security.NoSuchAlgorithmException;
-
-import org.apache.cxf.common.util.Base64UrlUtility;
-import org.apache.cxf.common.util.StringUtils;
-import org.apache.cxf.common.util.crypto.MessageDigestUtils;
-import org.apache.cxf.rs.security.jose.jwt.JwtToken;
-import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
-
-public final class OidcUtils {
-    public static final String ID_TOKEN = "id_token";
-    private OidcUtils() {
-        
-    }
-    public static void validateAccessTokenHash(ClientAccessToken at, JwtToken jwt) {
-        validateAccessTokenHash(at, jwt, true);
-    }
-    public static void validateAccessTokenHash(ClientAccessToken at, JwtToken jwt, boolean
required) {
-        validateHash(at.getTokenKey(),
-                     (String)jwt.getClaims().getClaim("at_hash"),
-                     jwt.getHeaders().getAlgorithm(),
-                     required);
-    }
-    public static void validateCodeHash(String code, JwtToken jwt) {
-        validateCodeHash(code, jwt, true);
-    }
-    public static void validateCodeHash(String code, JwtToken jwt, boolean required) {
-        validateHash(code,
-                     (String)jwt.getClaims().getClaim("c_hash"),
-                     jwt.getHeaders().getAlgorithm(),
-                     required);
-    }
-    private static void validateHash(String value, String theHash, String joseAlgo, boolean
required) {
-        String hash = calculateHash(value, joseAlgo);
-        if (!hash.equals(theHash)) {
-            throw new SecurityException("Invalid hash");
-        }
-    }
-    public static String calculateHash(String value, String joseAlgo) {
-        //TODO: map from the JOSE alg to a signature alg, 
-        // for example, RS256 -> SHA-256 
-        // and calculate the chunk size based on the algo key size
-        // for example SHA-256 -> 256/8 = 32 and 32/2 = 16 bytes
-        try {
-            byte[] atBytes = StringUtils.toBytesASCII(value);
-            byte[] digest = MessageDigestUtils.createDigest(atBytes,  MessageDigestUtils.ALGO_SHA_256);
-            return Base64UrlUtility.encodeChunk(digest, 0, 16);
-        } catch (NoSuchAlgorithmException ex) {
-            throw new SecurityException(ex);
-        }
-    }
-    
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/10c8fb6e/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoValidator.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoValidator.java
new file mode 100644
index 0000000..d1f6ffe
--- /dev/null
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoValidator.java
@@ -0,0 +1,66 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oidc.rp;
+
+import org.apache.cxf.jaxrs.client.WebClient;
+import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+import org.apache.cxf.rs.security.oidc.common.UserIdToken;
+import org.apache.cxf.rs.security.oidc.common.UserProfile;
+
+public class UserProfileValidator extends AbstractTokenValidator {
+    private boolean encryptedOnly;
+    
+    public UserProfile getProfile(WebClient profileClient, UserIdToken idToken) {
+        return getProfile(profileClient, idToken, false);
+    }
+    public UserProfile getProfile(WebClient profileClient, UserIdToken idToken, boolean asJwt)
{
+        if (asJwt) {
+            String jwt = profileClient.get(String.class);
+            return getProfileFromJwt(jwt, idToken);
+        } else {
+            UserProfile profile = profileClient.get(UserProfile.class);
+            validateUserProfile(profile, idToken);
+            return profile;
+        }
+        
+    }
+    public UserProfile getProfileFromJwt(String profileJwtToken, UserIdToken idToken) {
+        JwtToken jwt = getProfileJwtToken(profileJwtToken, idToken);
+        return getProfileFromJwt(jwt, idToken);
+    }
+    public UserProfile getProfileFromJwt(JwtToken jwt, UserIdToken idToken) {
+        UserProfile profile = new UserProfile(jwt.getClaims().asMap());
+        validateUserProfile(profile, idToken);
+        return profile;
+    }
+    public JwtToken getProfileJwtToken(String profileJwtToken, UserIdToken idToken) {
+        return getJwtToken(profileJwtToken, idToken.getAudience(), (String)idToken.getProperty("kid"),
encryptedOnly);
+    }
+    public void validateUserProfile(UserProfile profile, UserIdToken idToken) {
+        validateJwtClaims(profile, idToken.getAudience(), false);
+        // validate subject
+        if (!idToken.getSubject().equals(profile.getSubject())) {
+            throw new SecurityException("Invalid subject");
+        }
+    }
+    public void setEncryptedOnly(boolean encryptedOnly) {
+        this.encryptedOnly = encryptedOnly;
+    }
+    
+}
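Review bot: The public class declared in this new file is still `UserProfileValidator`, but the file is UserInfoValidator.java, and javac rejects a public top-level class whose name differs from its file name. The same kind of mismatch appears in UserTokenValidator.java, which declares `IdTokenValidator`, and in utils/OidcUtils.java, whose `package` line still reads `org.apache.cxf.rs.security.oidc.rp`. The declaration here should become `public class UserInfoValidator extends AbstractTokenValidator {`. The imports of `UserIdToken` and `UserProfile` also need to match the renamed classes in the `common` package; the diffstat lists both old files as deleted, and their replacements are outside this view.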

http://git-wip-us.apache.org/repos/asf/cxf/blob/10c8fb6e/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserProfileValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserProfileValidator.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserProfileValidator.java
deleted file mode 100644
index d1f6ffe..0000000
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserProfileValidator.java
+++ /dev/null
@@ -1,66 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oidc.rp;
-
-import org.apache.cxf.jaxrs.client.WebClient;
-import org.apache.cxf.rs.security.jose.jwt.JwtToken;
-import org.apache.cxf.rs.security.oidc.common.UserIdToken;
-import org.apache.cxf.rs.security.oidc.common.UserProfile;
-
-public class UserProfileValidator extends AbstractTokenValidator {
-    private boolean encryptedOnly;
-    
-    public UserProfile getProfile(WebClient profileClient, UserIdToken idToken) {
-        return getProfile(profileClient, idToken, false);
-    }
-    public UserProfile getProfile(WebClient profileClient, UserIdToken idToken, boolean asJwt)
{
-        if (asJwt) {
-            String jwt = profileClient.get(String.class);
-            return getProfileFromJwt(jwt, idToken);
-        } else {
-            UserProfile profile = profileClient.get(UserProfile.class);
-            validateUserProfile(profile, idToken);
-            return profile;
-        }
-        
-    }
-    public UserProfile getProfileFromJwt(String profileJwtToken, UserIdToken idToken) {
-        JwtToken jwt = getProfileJwtToken(profileJwtToken, idToken);
-        return getProfileFromJwt(jwt, idToken);
-    }
-    public UserProfile getProfileFromJwt(JwtToken jwt, UserIdToken idToken) {
-        UserProfile profile = new UserProfile(jwt.getClaims().asMap());
-        validateUserProfile(profile, idToken);
-        return profile;
-    }
-    public JwtToken getProfileJwtToken(String profileJwtToken, UserIdToken idToken) {
-        return getJwtToken(profileJwtToken, idToken.getAudience(), (String)idToken.getProperty("kid"),
encryptedOnly);
-    }
-    public void validateUserProfile(UserProfile profile, UserIdToken idToken) {
-        validateJwtClaims(profile, idToken.getAudience(), false);
-        // validate subject
-        if (!idToken.getSubject().equals(profile.getSubject())) {
-            throw new SecurityException("Invalid subject");
-        }
-    }
-    public void setEncryptedOnly(boolean encryptedOnly) {
-        this.encryptedOnly = encryptedOnly;
-    }
-    
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/10c8fb6e/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserTokenValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserTokenValidator.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserTokenValidator.java
new file mode 100644
index 0000000..8bb116e
--- /dev/null
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserTokenValidator.java
@@ -0,0 +1,47 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oidc.rp;
+
+import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
+import org.apache.cxf.rs.security.oidc.common.UserIdToken;
+
+public class IdTokenValidator extends AbstractTokenValidator {
+    private boolean requireAtHash = true;
+    
+    public UserIdToken getIdTokenFromJwt(ClientAccessToken at, String clientId) {
+        JwtToken jwt = getIdJwtToken(at, clientId);
+        return getIdTokenFromJwt(jwt, clientId);
+    }
+    public UserIdToken getIdTokenFromJwt(JwtToken jwt, String clientId) {
+        //TODO: do the extra validation if needed
+        return new UserIdToken(jwt.getClaims().asMap());
+    }
+    public JwtToken getIdJwtToken(ClientAccessToken at, String clientId) {
+        String idJwtToken = at.getParameters().get("id_token");
+        JwtToken jwt = getJwtToken(idJwtToken, clientId, null, false);
+        validateJwtClaims(jwt.getClaims(), clientId, true);
+        OidcUtils.validateAccessTokenHash(at, jwt, requireAtHash);
+        return jwt;
+    }
+
+    public void setRequireAtHash(boolean requireAtHash) {
+        this.requireAtHash = requireAtHash;
+    }
+}
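Review bot: In `getIdJwtToken` the result of `at.getParameters().get("id_token")` is passed to `getJwtToken` without checking that the token response carried an ID token at all. `getJwtToken` is not visible here, so a missing parameter presumably surfaces as a NullPointerException or a parser error rather than a clear authentication failure. A guard right after the lookup, `if (idJwtToken == null) { throw new SecurityException("ID token is missing"); }`, would make that failure explicit. Separately, the public `getIdTokenFromJwt(JwtToken, String)` overload builds a `UserIdToken` from whatever claims it is given, as its TODO admits, so a caller that skips `getIdJwtToken` gets none of the claim or at_hash checks. A Javadoc line stating that the `JwtToken` must already have been validated would close that gap.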

http://git-wip-us.apache.org/repos/asf/cxf/blob/10c8fb6e/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/idp/UserInfoService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/idp/UserInfoService.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/idp/UserInfoService.java
new file mode 100644
index 0000000..dbe20f9
--- /dev/null
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/idp/UserInfoService.java
@@ -0,0 +1,108 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oidc.rp.idp;
+
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.Response;
+
+import org.apache.cxf.common.util.StringUtils;
+import org.apache.cxf.jaxrs.ext.MessageContext;
+import org.apache.cxf.rs.security.jose.JoseHeaders;
+import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
+import org.apache.cxf.rs.security.jose.jwe.JweJwtCompactProducer;
+import org.apache.cxf.rs.security.jose.jwe.JweUtils;
+import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer;
+import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
+import org.apache.cxf.rs.security.jose.jws.JwsUtils;
+import org.apache.cxf.rs.security.oauth2.common.OAuthContext;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthContextUtils;
+import org.apache.cxf.rs.security.oidc.common.UserInfo;
+
+@Path("/userinfo")
+public class UserInfoService {
+    // TODO: review if it makes sense to do JWE and JWS at the out filter level instead
+    private JwsSignatureProvider sigProvider;
+    private JweEncryptionProvider encryptionProvider;
+    private UserInfoProvider userInfoProvider;
+    private String issuer;
+    
+    @Context
+    private MessageContext mc;
+    @GET
+    @Produces({"application/json", "application/jwt" })
+    public Response getUserInfo() {
+        OAuthContext oauth = OAuthContextUtils.getContext(mc);
+        UserInfo userInfo = 
+            userInfoProvider.getUserInfo(oauth.getClientId(), oauth.getSubject(), oauth.getPermissions());
+        if (userInfo != null) {
+            userInfo.setIssuer(issuer);
+        }
+        userInfo.setAudience(oauth.getClientId());
+        
+        Object responseEntity = userInfo;
+        
+        JwsJwtCompactProducer producer = new JwsJwtCompactProducer(userInfo);
+        JoseHeaders headers = new JoseHeaders();
+        JwsSignatureProvider theSigProvider = getInitializedSigProvider(headers);
+        JweEncryptionProvider theEncryptionProvider = getInitializedEncryptionProvider();
+        if (theSigProvider != null) {
+            String userInfoString = producer.signWith(theSigProvider);
+            if (theEncryptionProvider != null) {
+                userInfoString = theEncryptionProvider.encrypt(StringUtils.toBytesUTF8(userInfoString),
null);
+            }
+            responseEntity = userInfoString;
+        } else if (theEncryptionProvider != null) {
+            JweJwtCompactProducer jwe = new JweJwtCompactProducer(userInfo);
+            responseEntity = jwe.encryptWith(theEncryptionProvider);
+        }
+        return Response.ok(responseEntity).build();
+        
+    }
+    public void setSignatureProvider(JwsSignatureProvider signatureProvider) {
+        this.sigProvider = signatureProvider;
+    }
+    
+    protected JwsSignatureProvider getInitializedSigProvider(JoseHeaders headers) {
+        if (sigProvider != null) {
+            return sigProvider;    
+        } 
+        JwsSignatureProvider theSigProvider = JwsUtils.loadSignatureProvider(false); 
+        headers.setAlgorithm(theSigProvider.getAlgorithm());
+        return theSigProvider;
+    }
+    protected JweEncryptionProvider getInitializedEncryptionProvider() {
+        if (encryptionProvider != null) {
+            return encryptionProvider;    
+        } 
+        return JweUtils.loadEncryptionProvider(false);
+    }
+
+    public void setIssuer(String issuer) {
+        this.issuer = issuer;
+    }
+    public UserInfoProvider getUserInfoProvider() {
+        return userInfoProvider;
+    }
+    public void setUserInfoProvider(UserInfoProvider userInfoProvider) {
+        this.userInfoProvider = userInfoProvider;
+    }
+}
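Review bot: The null check on `userInfo` in `getUserInfo` protects nothing, because `userInfo.setAudience(oauth.getClientId())` runs unconditionally on the next statement. A provider that returns null therefore ends in a NullPointerException instead of a deliberate response. Return early instead, for example `if (userInfo == null) { return Response.serverError().build(); }`, with whichever status the endpoint is meant to expose. `getInitializedSigProvider` has a similar gap: it calls `theSigProvider.getAlgorithm()` on the result of `JwsUtils.loadSignatureProvider(false)`, although the caller treats a null provider as the unsigned case. If `false` means "not required", that load can presumably return null, so the `setAlgorithm` call should be wrapped in `if (theSigProvider != null)`.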

http://git-wip-us.apache.org/repos/asf/cxf/blob/10c8fb6e/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
new file mode 100644
index 0000000..b978c4f
--- /dev/null
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/utils/OidcUtils.java
@@ -0,0 +1,72 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oidc.rp;
+
+import java.security.NoSuchAlgorithmException;
+
+import org.apache.cxf.common.util.Base64UrlUtility;
+import org.apache.cxf.common.util.StringUtils;
+import org.apache.cxf.common.util.crypto.MessageDigestUtils;
+import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
+
+public final class OidcUtils {
+    public static final String ID_TOKEN = "id_token";
+    private OidcUtils() {
+        
+    }
+    public static void validateAccessTokenHash(ClientAccessToken at, JwtToken jwt) {
+        validateAccessTokenHash(at, jwt, true);
+    }
+    public static void validateAccessTokenHash(ClientAccessToken at, JwtToken jwt, boolean
required) {
+        validateHash(at.getTokenKey(),
+                     (String)jwt.getClaims().getClaim("at_hash"),
+                     jwt.getHeaders().getAlgorithm(),
+                     required);
+    }
+    public static void validateCodeHash(String code, JwtToken jwt) {
+        validateCodeHash(code, jwt, true);
+    }
+    public static void validateCodeHash(String code, JwtToken jwt, boolean required) {
+        validateHash(code,
+                     (String)jwt.getClaims().getClaim("c_hash"),
+                     jwt.getHeaders().getAlgorithm(),
+                     required);
+    }
+    private static void validateHash(String value, String theHash, String joseAlgo, boolean
required) {
+        String hash = calculateHash(value, joseAlgo);
+        if (!hash.equals(theHash)) {
+            throw new SecurityException("Invalid hash");
+        }
+    }
+    public static String calculateHash(String value, String joseAlgo) {
+        //TODO: map from the JOSE alg to a signature alg, 
+        // for example, RS256 -> SHA-256 
+        // and calculate the chunk size based on the algo key size
+        // for example SHA-256 -> 256/8 = 32 and 32/2 = 16 bytes
+        try {
+            byte[] atBytes = StringUtils.toBytesASCII(value);
+            byte[] digest = MessageDigestUtils.createDigest(atBytes,  MessageDigestUtils.ALGO_SHA_256);
+            return Base64UrlUtility.encodeChunk(digest, 0, 16);
+        } catch (NoSuchAlgorithmException ex) {
+            throw new SecurityException(ex);
+        }
+    }
+    
+}
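Review bot: `validateHash` never reads its `required` parameter, so the flag passed down from `validateAccessTokenHash`, `validateCodeHash` and `setRequireAtHash(false)` has no effect. When the `at_hash` or `c_hash` claim is absent, `hash.equals(theHash)` is false and "Invalid hash" is thrown even for callers that declared the claim optional. The absent-claim case should be handled before the comparison, as in the excerpt below. The check still fails closed when the claim is present but wrong. Note also that `calculateHash` always uses SHA-256 regardless of `joseAlgo` (its TODO says so), so tokens signed with a 384- or 512-bit algorithm will be rejected until that mapping is added.

```java
    private static void validateHash(String value, String theHash, String joseAlgo, boolean required) {
        if (theHash == null) {
            // an absent claim is acceptable only when the caller did not require it
            if (required) {
                throw new SecurityException("Invalid hash");
            }
            return;
        }
        // … unchanged: calculateHash call and comparison against theHash …
    }
```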

