From serg...@apache.org
Subject cxf git commit: [CXF-6487] Support for nonce and few other oidc authorization flow paraneters
Date Fri, 10 Jul 2015 11:45:57 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 332d930c5 -> 409f987dd


[CXF-6487] Support for nonce and a few other OIDC authorization flow parameters


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/409f987d
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/409f987d
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/409f987d

Branch: refs/heads/master
Commit: 409f987dd9822b7ed0fca97cd795c9131882e07b
Parents: 332d930
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Fri Jul 10 12:45:37 2015 +0100
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Fri Jul 10 12:45:37 2015 +0100

----------------------------------------------------------------------
 .../oauth2/client/ClientCodeRequestFilter.java  | 47 ++++++++---
 .../client/JoseClientCodeStateManager.java      | 46 ++++++++--
 .../oauth2/client/OAuthClientUtils.java         | 19 +++++
 .../cxf/rs/security/oidc/common/IdToken.java    | 14 ++++
 .../cxf/rs/security/oidc/common/UserInfo.java   |  4 +-
 .../cxf/rs/security/oidc/rp/IdTokenReader.java  |  4 +-
 .../oidc/rp/OidcClientCodeRequestFilter.java    | 88 +++++++++++++++++++-
 .../oidc/rp/OidcIdTokenRequestFilter.java       |  2 +-
 8 files changed, 196 insertions(+), 28 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/409f987d/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java
index 72b2655..0e66e96 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/ClientCodeRequestFilter.java
@@ -32,6 +32,7 @@ import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.SecurityContext;
+import javax.ws.rs.core.UriBuilder;
 import javax.ws.rs.core.UriInfo;
 
 import org.apache.cxf.jaxrs.client.WebClient;
@@ -63,7 +64,8 @@ public class ClientCodeRequestFilter implements ContainerRequestFilter {
     private boolean decodeRequestParameters;
     private long expiryThreshold;
     private String redirectUri;
-    
+    private boolean setFormPostResponseMode;
+        
     @Override
     public void filter(ContainerRequestContext rc) throws IOException {
         checkSecurityContextStart(rc);
@@ -111,14 +113,24 @@ public class ClientCodeRequestFilter implements ContainerRequestFilter
{
         String theState = redirectState != null ? redirectState.getFirst(OAuthConstants.STATE)
: null;
         String redirectScope = redirectState != null ? redirectState.getFirst(OAuthConstants.SCOPE)
: null;
         String theScope = redirectScope != null ? redirectScope : scopes;
-        URI uri = OAuthClientUtils.getAuthorizationURI(authorizationServiceUri, 
+        UriBuilder ub = OAuthClientUtils.getAuthorizationURIBuilder(authorizationServiceUri,

                                              consumer.getKey(), 
                                              getAbsoluteRedirectUri(ui).toString(), 
                                              theState, 
                                              theScope);
+        setAdditionalCodeRequestParams(ub, redirectState);
+        URI uri = ub.build();
         return Response.seeOther(uri).build();
     }
 
+    protected void setAdditionalCodeRequestParams(UriBuilder ub, MultivaluedMap<String,
String> redirectState) {
+        if (setFormPostResponseMode) {
+            // This property is described in OIDC OAuth 2.0 Form Post Response Mode which
is technically
+            // can be used without OIDC hence this is set in this filter as opposed to the
OIDC specific one.
+            ub.queryParam("response_mode", "form_post");
+        }
+    }
+
     private URI getAbsoluteRedirectUri(UriInfo ui) {
         if (redirectUri != null) {
             return URI.create(redirectUri);
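Review bot: The new protected hook setAdditionalCodeRequestParams has no Javadoc and its inline comment is hard to parse (`which is technically can be used`). Suggested Javadoc: `Adds extra query parameters to the authorization request URI; subclasses override this to append flow-specific parameters. redirectState is presumably the map produced by createRedirectState and is null when no ClientCodeStateManager is configured.` The inline comment could read `// response_mode=form_post comes from the OAuth 2.0 Form Post Response Mode spec; it is usable without OIDC, so it is set here rather than in the OIDC-specific filter.` The `"response_mode"` and `"form_post"` literals would also read better as named constants, consistent with the OAuthConstants usage elsewhere in this method's caller.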
@@ -146,19 +158,21 @@ public class ClientCodeRequestFilter implements ContainerRequestFilter
{
     
     protected ClientTokenContext initializeClientTokenContext(ContainerRequestContext rc,

                                                               ClientAccessToken at, 
-                                                            MultivaluedMap<String, String>
params) {
-        ClientTokenContext tokenContext = createTokenContext(rc, at);
-        ((ClientTokenContextImpl)tokenContext).setToken(at);
+                                                              MultivaluedMap<String, String>
params) {
+        MultivaluedMap<String, String> state = null;
         if (clientStateManager != null) {
-            MultivaluedMap<String, String> state = clientStateManager.fromRedirectState(mc,
params);
-            ((ClientTokenContextImpl)tokenContext).setState(state);
+            state = clientStateManager.fromRedirectState(mc, params);
         }
-        
+        ClientTokenContext tokenContext = createTokenContext(rc, at, state);
+        ((ClientTokenContextImpl)tokenContext).setToken(at);
+        ((ClientTokenContextImpl)tokenContext).setState(state);
         return tokenContext;
         
     }
 
-    protected ClientTokenContext createTokenContext(ContainerRequestContext rc, ClientAccessToken
at) {
+    protected ClientTokenContext createTokenContext(ContainerRequestContext rc, 
+                                                    ClientAccessToken at,
+                                                    MultivaluedMap<String, String>
state) {
         return new ClientTokenContextImpl();
     }
     
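Review bot: createTokenContext's new `state` parameter can be null — the lines above populate it only when clientStateManager is set — but neither the hook nor initializeClientTokenContext says so, and a subclass that reads it (OidcClientCodeRequestFilter in this same commit does) will fail with a NullPointerException in the default configuration. Add Javadoc to createTokenContext: `@param state the request state restored by the ClientCodeStateManager, or null when no state manager is configured`. Note too that `setState(state)` now runs unconditionally, so the context is given an explicit null where it was previously left untouched; this looks harmless but is a behaviour change worth a sentence in the commit message.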
@@ -166,14 +180,17 @@ public class ClientCodeRequestFilter implements ContainerRequestFilter
{
         JAXRSUtils.getCurrentMessage().setContent(ClientTokenContext.class, request);
     }
 
-    private MultivaluedMap<String, String> createRedirectState(ContainerRequestContext
rc, UriInfo ui) {
+    protected MultivaluedMap<String, String> createRedirectState(ContainerRequestContext
rc, UriInfo ui) {
         if (clientStateManager == null) {
             return null;
         }
-        return clientStateManager.toRedirectState(mc, toRequestState(rc, ui));
+        return clientStateManager.toRedirectState(mc, 
+                                                  toCodeRequestState(rc, ui));
     }
-
-    private MultivaluedMap<String, String> toRequestState(ContainerRequestContext rc,
UriInfo ui) {
+    protected MultivaluedMap<String, String> toCodeRequestState(ContainerRequestContext
rc, UriInfo ui) {
+        return toRequestState(rc, ui);
+    }
+    protected MultivaluedMap<String, String> toRequestState(ContainerRequestContext
rc, UriInfo ui) {
         MultivaluedMap<String, String> requestState = new MetadataMap<String, String>();
         requestState.putAll(ui.getQueryParameters(decodeRequestParameters));
         if (MediaType.APPLICATION_FORM_URLENCODED_TYPE.isCompatible(rc.getMediaType())) {
@@ -266,4 +283,8 @@ public class ClientCodeRequestFilter implements ContainerRequestFilter
{
         // Can be set to something like "postmessage" in some flows
         this.redirectUri = redirectUri;
     }
+
+    public void setSetFormPostResponseMode(boolean setFormPostResponseMode) {
+        this.setFormPostResponseMode = setFormPostResponseMode;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/409f987d/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/JoseClientCodeStateManager.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/JoseClientCodeStateManager.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/JoseClientCodeStateManager.java
index c3a7df4..4e90693 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/JoseClientCodeStateManager.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/JoseClientCodeStateManager.java
@@ -37,32 +37,52 @@ import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
 import org.apache.cxf.rs.security.jose.jws.JwsUtils;
 import org.apache.cxf.rs.security.jose.jws.NoneJwsSignatureProvider;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
+import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
 
 public class JoseClientCodeStateManager implements ClientCodeStateManager {
-    
     private JwsSignatureProvider sigProvider;
     private JweEncryptionProvider encryptionProvider;
     private JweDecryptionProvider decryptionProvider;
     private JwsSignatureVerifier signatureVerifier;
     private JsonMapObjectReaderWriter jsonp = new JsonMapObjectReaderWriter();
+    private boolean generateNonce; 
+    private boolean storeInSession;
     @Override
     public MultivaluedMap<String, String> toRedirectState(MessageContext mc, 
                                                           MultivaluedMap<String, String>
requestState) {
+        JweEncryptionProvider theEncryptionProvider = getInitializedEncryptionProvider();
+        JwsSignatureProvider theSigProvider = getInitializedSigProvider(theEncryptionProvider);
+        if (theEncryptionProvider == null && theSigProvider == null) {
+            throw new OAuthServiceException("The state can not be protected");
+        }
         
+        if (generateNonce && theSigProvider != null) {
+            JwsCompactProducer nonceProducer = new JwsCompactProducer(OAuthUtils.generateRandomTokenKey());
+            String nonceParam = nonceProducer.signWith(theSigProvider);
+            requestState.putSingle("nonce", nonceParam);
+        }
         Map<String, Object> stateMap = CastUtils.cast((Map<?, ?>)requestState);
         String json = jsonp.toJson(stateMap);
         
-        JwsCompactProducer producer = new JwsCompactProducer(json);
-        JwsSignatureProvider theSigProvider = getInitializedSigProvider();
-        String stateParam = producer.signWith(theSigProvider);
+        String stateParam = null;
+        if (theSigProvider != null) {
+            JwsCompactProducer stateProducer = new JwsCompactProducer(json);
+            stateParam = stateProducer.signWith(theSigProvider);
+        }
         
-        JweEncryptionProvider theEncryptionProvider = getInitializedEncryptionProvider();
         if (theEncryptionProvider != null) {
             stateParam = theEncryptionProvider.encrypt(StringUtils.toBytesUTF8(stateParam),
null);
         }
         MultivaluedMap<String, String> map = new MetadataMap<String, String>();
+        if (storeInSession) {
+            String sessionStateAttribute = OAuthUtils.generateRandomTokenKey();
+            OAuthUtils.setSessionToken(mc, stateParam, sessionStateAttribute, 0);
+            stateParam = sessionStateAttribute;
+        }
         map.putSingle(OAuthConstants.STATE, stateParam);
+        
         return map;
     }
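Review bot: The generated nonce is written into `requestState`, which is then serialised, signed and possibly encrypted into the `state` value, but it is not added to the returned `map`, which still carries only `OAuthConstants.STATE`. As far as this commit shows, OidcClientCodeRequestFilter.setAdditionalCodeRequestParams reads the nonce from that returned map, so with the JOSE manager the nonce would never reach the OP's `nonce` query parameter while the later nonce comparison in validateIdToken would reject every token once generateNonce is on — worth confirming against the other ClientCodeStateManager implementations. If the nonce is meant to be sent, expose it alongside the state, e.g. `map.putSingle("nonce", nonceParam);`, and document in Javadoc which entries of the returned map the filter copies into the query string. The `requestState` argument is also mutated in place here; either say so in the contract or work on a copy.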
 
@@ -72,6 +92,10 @@ public class JoseClientCodeStateManager implements ClientCodeStateManager
{
         
         String stateParam = redirectState.getFirst(OAuthConstants.STATE);
         
+        if (storeInSession) {
+            stateParam = OAuthUtils.getSessionToken(mc, stateParam);
+        }
+        
         JweDecryptionProvider jwe = getInitializedDecryptionProvider();
         if (jwe != null) {
             stateParam = jwe.decrypt(stateParam).getContentText();
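Review bot: The session lookup `OAuthUtils.getSessionToken(mc, stateParam)` is not followed by removal of the session attribute, so unless getSessionToken itself evicts it (not visible here) a `state` value stays valid for the whole session and a captured callback URL can be replayed; remove or expire the attribute once it has been read. A missing or unknown `state` (null `stateParam`, or a lookup miss) should also fail explicitly before the decrypt/verify steps instead of surfacing as a decryption error, e.g. `if (stateParam == null) { throw new OAuthServiceException("Unknown or missing state"); }`. fromRedirectState begins before this hunk.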
@@ -92,12 +116,12 @@ public class JoseClientCodeStateManager implements ClientCodeStateManager
{
         this.sigProvider = signatureProvider;
     }
     
-    protected JwsSignatureProvider getInitializedSigProvider() {
+    protected JwsSignatureProvider getInitializedSigProvider(JweEncryptionProvider theEncryptionProvider)
{
         if (sigProvider != null) {
             return sigProvider;    
         } 
         JwsSignatureProvider theSigProvider = JwsUtils.loadSignatureProvider(false);
-        if (theSigProvider == null) {
+        if (theSigProvider == null && theEncryptionProvider != null) {
             theSigProvider = new NoneJwsSignatureProvider();
         }
         return theSigProvider;
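Review bot: getInitializedSigProvider now falls back to NoneJwsSignatureProvider only when an encryption provider exists, which is the right guard but is undocumented, and the reason matters: an unsigned, unencrypted state could be altered by the user agent. Suggested Javadoc: `Returns the configured signature provider, else one loaded from the JWS properties. When none is available, falls back to the 'none' algorithm only if the state will also be encrypted (theEncryptionProvider != null), since JWE supplies the integrity protection; toRedirectState rejects the case where neither is available, so a cleartext unsigned state is never produced.`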
@@ -130,5 +154,13 @@ public class JoseClientCodeStateManager implements ClientCodeStateManager
{
         } 
         return JweUtils.loadEncryptionProvider(false);
     }
+
+    public void setGenerateNonce(boolean generateNonce) {
+        this.generateNonce = generateNonce;
+    }
+
+    public void setStoreInSession(boolean storeInSession) {
+        this.storeInSession = storeInSession;
+    }
     
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/409f987d/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java
index 9b503d9..4ee712c 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java
@@ -68,6 +68,8 @@ public final class OAuthClientUtils {
                                           String scope) {
         UriBuilder ub = getAuthorizationURIBuilder(authorizationServiceURI, 
                                                    clientId,
+                                                   redirectUri,
+                                                   state,
                                                    scope);
         if (redirectUri != null) {
             ub.queryParam(OAuthConstants.REDIRECT_URI, redirectUri);
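Review bot: getAuthorizationURI now passes `redirectUri` and `state` into the five-argument builder, which (next hunk) already appends `redirect_uri` and `state`, yet the `if (redirectUri != null) ub.queryParam(...)` block kept below — and presumably the matching `state` block just outside the hunk — appends them a second time, so the authorization URI carries each parameter twice. RFC 6749 §3.1 forbids including a request parameter more than once, and authorization servers may reject the request or pick either occurrence. Drop the extra queryParam calls and reduce the method body to `return getAuthorizationURIBuilder(authorizationServiceURI, clientId, redirectUri, state, scope).build();`. getAuthorizationURI's signature is above the hunk.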
@@ -78,6 +80,23 @@ public final class OAuthClientUtils {
         return ub.build();
     }
     
+    public static UriBuilder getAuthorizationURIBuilder(String authorizationServiceURI, 
+                                          String clientId,
+                                          String redirectUri,
+                                          String state,
+                                          String scope) {
+        UriBuilder ub = getAuthorizationURIBuilder(authorizationServiceURI, 
+                                                   clientId,
+                                                   scope);
+        if (redirectUri != null) {
+            ub.queryParam(OAuthConstants.REDIRECT_URI, redirectUri);
+        }
+        if (state != null) {
+            ub.queryParam(OAuthConstants.STATE, state);
+        }
+        return ub;
+    }
+    
     /**
      * Creates the builder for building OAuth AuthorizationService URIs
      * @param authorizationServiceURI the service endpoint address 
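Review bot: The new five-argument getAuthorizationURIBuilder lacks the Javadoc that the three-argument overload below has. Suggested: `Creates the builder for building OAuth AuthorizationService URIs, appending redirect_uri and state when they are non-null. @param authorizationServiceURI the service endpoint address @param clientId the client id @param redirectUri the client redirect URI, may be null @param state the opaque client state, may be null @param scope the requested scope @return the builder`. The continuation lines of the new signature are also indented differently from the aligned-parameter style used by the calls directly below it.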

http://git-wip-us.apache.org/repos/asf/cxf/blob/409f987d/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/IdToken.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/IdToken.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/IdToken.java
index f805128..aaee746 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/IdToken.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/IdToken.java
@@ -18,8 +18,10 @@
  */
 package org.apache.cxf.rs.security.oidc.common;
 
+import java.util.List;
 import java.util.Map;
 
+import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
 
 public class IdToken extends JwtClaims {
@@ -27,10 +29,15 @@ public class IdToken extends JwtClaims {
     public static final String NONCE_CLAIM = "nonce";
     public static final String ACR_CLAIM = "acr";
     public static final String AZP_CLAIM = "azp";
+    public static final String AMR_CLAIM = "amr";
     
     public IdToken() {
     }
     
+    public IdToken(JwtClaims claims) {
+        this(claims.asMap());
+    }
+    
     public IdToken(Map<String, Object> claims) {
         super(claims);
     }
@@ -52,10 +59,17 @@ public class IdToken extends JwtClaims {
     public String getAuthenticationContextRef() {
         return (String)getProperty(ACR_CLAIM);
     }
+    public void setAuthenticationMethodRefs(List<String> refs) {
+        setProperty(AMR_CLAIM, refs);
+    }
+    public List<String> getAuthenticationMethodRefs() {
+        return CastUtils.cast((List<?>)getProperty(AMR_CLAIM));
+    }
     public void setAuthorizedParty(String azp) {
         setProperty(AZP_CLAIM, azp);
     }
     public String getAuthorizedParty() {
         return (String)getProperty(AZP_CLAIM);
     }
+    
 }
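Review bot: getAuthenticationMethodRefs and setAuthenticationMethodRefs are undocumented, and the getter's `CastUtils.cast((List<?>)getProperty(AMR_CLAIM))` presumably yields null when the claim is absent; say so. Suggested Javadoc for the getter: `Returns the 'amr' (Authentication Methods References) claim values, or null if the claim is not present.` and for the setter: `Sets the 'amr' claim; the list is stored as-is, so later changes to it are reflected in the claim.` If that aliasing is not intended, store a defensive copy instead.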

http://git-wip-us.apache.org/repos/asf/cxf/blob/409f987d/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserInfo.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserInfo.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserInfo.java
index 9607b07..eae6614 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserInfo.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/common/UserInfo.java
@@ -33,7 +33,9 @@ public class UserInfo extends JwtClaims {
     public static final String ADDRESS_CLAIM = "address";
     public UserInfo() {
     }
-    
+    public UserInfo(JwtClaims claims) {
+        this(claims.asMap());
+    }
     public UserInfo(Map<String, Object> claims) {
         super(claims);
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/409f987d/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
index 35c2456..f0305cd 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
@@ -25,7 +25,6 @@ import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
 
 public class IdTokenReader extends AbstractTokenValidator {
     private boolean requireAtHash = true;
-    
     public IdToken getIdToken(ClientAccessToken at, String clientId) {
         JwtToken jwt = getIdJwtToken(at, clientId);
         return getIdTokenFromJwt(jwt);
@@ -45,8 +44,7 @@ public class IdTokenReader extends AbstractTokenValidator {
         validateJwtClaims(jwt.getClaims(), clientId, true);
         return jwt;
     }
-    public IdToken getIdTokenFromJwt(JwtToken jwt) {
-        //TODO: do the extra validation if needed
+    private IdToken getIdTokenFromJwt(JwtToken jwt) {
         return new IdToken(jwt.getClaims().asMap());
     }
     public void setRequireAtHash(boolean requireAtHash) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/409f987d/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
index 1e96b7d..c43e7f0 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
@@ -18,26 +18,50 @@
  */
 package org.apache.cxf.rs.security.oidc.rp;
 
+import java.util.Arrays;
+import java.util.List;
+
 import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.SecurityContext;
+import javax.ws.rs.core.UriBuilder;
+import javax.ws.rs.core.UriInfo;
 
+import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.jaxrs.utils.ExceptionUtils;
 import org.apache.cxf.rs.security.oauth2.client.ClientCodeRequestFilter;
 import org.apache.cxf.rs.security.oauth2.client.ClientTokenContext;
 import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
+import org.apache.cxf.rs.security.oidc.common.IdToken;
 
 public class OidcClientCodeRequestFilter extends ClientCodeRequestFilter {
-
+    
+    private static final String ACR_PARAMETER = "acr_values";
+    private static final String PROMPT_PARAMETER = "prompt";
+    private static final String MAX_AGE_PARAMETER = "max_age";
+    private static final List<String> PROMPTS = Arrays.asList("none", "consent", "login",
"select_account");
     private IdTokenReader idTokenReader;
+    private List<String> authenticationContextRef;
+    private String promptLogin;
+    private Long maxAgeOffset;
     
+    public void setAuthenticationContextRef(String acr) {
+        this.authenticationContextRef = Arrays.asList(StringUtils.split(acr, " "));
+    }
     @Override
-    protected ClientTokenContext createTokenContext(ContainerRequestContext rc, ClientAccessToken
at) {
+    protected ClientTokenContext createTokenContext(ContainerRequestContext rc, 
+                                                    ClientAccessToken at,
+                                                    MultivaluedMap<String, String>
state) {
         if (rc.getSecurityContext() instanceof OidcSecurityContext) {
             return ((OidcSecurityContext)rc.getSecurityContext()).getOidcContext();
         }
         OidcClientTokenContextImpl ctx = new OidcClientTokenContextImpl();
         if (at != null) {
-            ctx.setIdToken(idTokenReader.getIdToken(at, getConsumer().getKey()));
+            IdToken idToken = idTokenReader.getIdToken(at, getConsumer().getKey());
+            // Validate the properties set up at the redirection time.
+            validateIdToken(idToken, state);
+            
+            ctx.setIdToken(idToken);
             if (idTokenReader instanceof UserInfoClient) {
                 UserInfoClient userInfoClient = (UserInfoClient)idTokenReader;
                 ctx.setUserInfo(userInfoClient.getUserInfo(at, ctx.getIdToken()));
@@ -47,6 +71,36 @@ public class OidcClientCodeRequestFilter extends ClientCodeRequestFilter
{
         
         return ctx;
     }
+    @Override
+    protected MultivaluedMap<String, String> toCodeRequestState(ContainerRequestContext
rc, UriInfo ui) {
+        MultivaluedMap<String, String> state = super.toCodeRequestState(rc, ui);
+        if (maxAgeOffset != null) {
+            state.putSingle(MAX_AGE_PARAMETER, Long.toString(System.currentTimeMillis() +
maxAgeOffset));
+        }
+        return state;
+    }
+    private void validateIdToken(IdToken idToken, MultivaluedMap<String, String> state)
{
+        
+        String nonce = state.getFirst("nonce");
+        String tokenNonce = idToken.getNonce();
+        if (nonce != null && (tokenNonce == null || !nonce.equals(tokenNonce))) {
+            throw ExceptionUtils.toNotAuthorizedException(null, null);
+        }
+        if (maxAgeOffset != null) {
+            Long authTime = Long.parseLong(state.getFirst(MAX_AGE_PARAMETER));
+            Long tokenAuthTime = idToken.getAuthenticationTime();
+            if (tokenAuthTime > authTime) {
+                throw ExceptionUtils.toNotAuthorizedException(null, null);
+            }
+        }
+        
+        String acr = idToken.getAuthenticationContextRef();
+        // Skip the check if the acr is not set given it is a voluntary claim
+        if (acr != null && authenticationContextRef != null && !authenticationContextRef.contains(acr))
{
+            throw ExceptionUtils.toNotAuthorizedException(null, null);
+        }
+        
+    }
     public void setIdTokenReader(IdTokenReader idTokenReader) {
         this.idTokenReader = idTokenReader;
     }
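Review bot: validateIdToken's max_age check compares mismatched units — toCodeRequestState stores a millisecond deadline (`System.currentTimeMillis() + maxAgeOffset`) while `getAuthenticationTime()` is presumably the seconds-since-epoch `auth_time` claim, so `tokenAuthTime > authTime` will practically never reject a stale login; the same state entry is what the next hunk sends as the OIDC `max_age` request parameter, which the spec defines as a duration in seconds rather than a timestamp. The method also dereferences `state` unconditionally although the base class in this commit passes null when no clientStateManager is configured, and `Long.parseLong(state.getFirst(MAX_AGE_PARAMETER))` plus the unboxing of `tokenAuthTime` throw NumberFormatException or NullPointerException instead of returning 401 when the entry or the claim is missing. The rewrite below records the request time in seconds, treats a missing `auth_time` as a failure when max_age was requested (the spec makes the claim required in that case) and skips the checks when no state was bound; setAdditionalCodeRequestParams in the following hunk should then send `Long.toString(maxAgeOffset)` as `max_age` rather than the state entry.
```java
    @Override
    protected MultivaluedMap<String, String> toCodeRequestState(ContainerRequestContext rc, UriInfo ui) {
        MultivaluedMap<String, String> state = super.toCodeRequestState(rc, ui);
        if (maxAgeOffset != null) {
            // Record when the request was issued, in seconds to match the auth_time claim
            state.putSingle(MAX_AGE_PARAMETER, Long.toString(System.currentTimeMillis() / 1000L));
        }
        return state;
    }
    private void validateIdToken(IdToken idToken, MultivaluedMap<String, String> state) {
        if (state == null) {
            // No state manager configured: nothing was bound at redirect time, so nothing to verify here
            return;
        }
        // … unchanged: nonce comparison …
        if (maxAgeOffset != null) {
            String requestTime = state.getFirst(MAX_AGE_PARAMETER);
            Long tokenAuthTime = idToken.getAuthenticationTime();
            // auth_time is required once max_age was requested; reject if absent or older than allowed
            if (requestTime == null || tokenAuthTime == null
                || tokenAuthTime + maxAgeOffset < Long.parseLong(requestTime)) {
                throw ExceptionUtils.toNotAuthorizedException(null, null);
            }
        }
        // … unchanged: acr check …
    }
```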
@@ -58,4 +112,32 @@ public class OidcClientCodeRequestFilter extends ClientCodeRequestFilter
{
             throw ExceptionUtils.toNotAuthorizedException(null, null);
         }
     }
+    @Override
+    protected void setAdditionalCodeRequestParams(UriBuilder ub, MultivaluedMap<String,
String> redirectState) {
+        if (redirectState != null) {
+            if (redirectState.getFirst(IdToken.NONCE_CLAIM) != null) {
+                ub.queryParam(IdToken.NONCE_CLAIM, redirectState.getFirst(IdToken.NONCE_CLAIM));
+            }
+            if (redirectState.getFirst(MAX_AGE_PARAMETER) != null) {
+                ub.queryParam(MAX_AGE_PARAMETER, redirectState.getFirst(MAX_AGE_PARAMETER));
+            }
+        }
+        if (authenticationContextRef != null) {
+            ub.queryParam(ACR_PARAMETER, authenticationContextRef);
+        }
+        if (promptLogin != null) {
+            ub.queryParam(PROMPT_PARAMETER, promptLogin);
+        }
+    }
+    
+    public void setPromptLogin(String promptLogin) {
+        if (PROMPTS.contains(promptLogin)) {
+            this.promptLogin = promptLogin;
+        } else {
+            throw new IllegalArgumentException("Illegal prompt value");
+        }
+    }
+    public void setMaxAgeOffset(Long maxAgeOffset) {
+        this.maxAgeOffset = maxAgeOffset;
+    }
 }
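Review bot: `ub.queryParam(ACR_PARAMETER, authenticationContextRef)` passes a `List<String>` as the single vararg element of `queryParam(String, Object...)`, so the rendered value is the list's `toString()` (`[a, b]`), whereas OIDC `acr_values` is a space-separated string. Keep the original string when it is set — `this.acrValues = acr;` in setAuthenticationContextRef in the first hunk — and send that: `ub.queryParam(ACR_PARAMETER, acrValues);`. The nonce and max_age values are copied here from `redirectState`, which for the JOSE state manager in this commit appears to contain only the `state` entry, so please confirm they actually reach the query string.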

http://git-wip-us.apache.org/repos/asf/cxf/blob/409f987d/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java
index d075b0b..cb7b25a 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java
@@ -33,7 +33,7 @@ import org.apache.cxf.rs.security.oauth2.client.Consumer;
 import org.apache.cxf.rs.security.oidc.common.IdToken;
 
 public class OidcIdTokenRequestFilter implements ContainerRequestFilter {
-    private String tokenFormParameter = "idtoken"; 
+    private String tokenFormParameter = "id_token"; 
     private IdTokenReader idTokenReader;
     private Consumer consumer;
     

