cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject cxf git commit: Trying to align various jose jwt abstract utility code
Date Fri, 14 Aug 2015 15:04:51 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 5f488ea70 -> fa612d157


Trying to align various jose jwt abstract utility code


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/fa612d15
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/fa612d15
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/fa612d15

Branch: refs/heads/master
Commit: fa612d1571b0b20593b1f028514a0870f9be8307
Parents: 5f488ea
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Fri Aug 14 16:04:36 2015 +0100
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Fri Aug 14 16:04:36 2015 +0100

----------------------------------------------------------------------
 .../samples/jax_rs/basic_oidc/README.txt        |  4 +-
 .../release/samples/jax_rs/big_query/README.txt |  8 ++-
 .../java/demo/jaxrs/server/BigQueryServer.java  |  3 +
 .../rs/security/jose/AbstractJoseConsumer.java  |  8 +--
 .../rs/security/jose/AbstractJoseProducer.java  |  8 +--
 .../jose/jwt/AbstractJoseJwtConsumer.java       | 23 ++++--
 .../jose/jwt/AbstractJoseJwtProducer.java       | 19 ++++-
 .../provider/AbstractOAuthJoseJwtConsumer.java  | 76 ++++++++++++++++++++
 .../provider/AbstractOAuthJoseJwtProducer.java  | 55 ++++++--------
 .../AbstractOAuthServerJoseJwtProducer.java     | 65 +++++++++++++++++
 .../oidc/idp/IdTokenCodeResponseFilter.java     |  7 +-
 .../rs/security/oidc/idp/UserInfoService.java   | 13 +++-
 .../oidc/rp/AbstractTokenValidator.java         |  4 +-
 .../cxf/rs/security/oidc/rp/IdTokenReader.java  | 19 ++---
 .../oidc/rp/OidcClientCodeRequestFilter.java    |  6 +-
 .../oidc/rp/OidcIdTokenRequestFilter.java       |  2 +-
 .../cxf/rs/security/oidc/rp/UserInfoClient.java | 15 ++--
 17 files changed, 258 insertions(+), 77 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/fa612d15/distribution/src/main/release/samples/jax_rs/basic_oidc/README.txt
----------------------------------------------------------------------
diff --git a/distribution/src/main/release/samples/jax_rs/basic_oidc/README.txt b/distribution/src/main/release/samples/jax_rs/basic_oidc/README.txt
index 2315c03..bb5057e 100644
--- a/distribution/src/main/release/samples/jax_rs/basic_oidc/README.txt
+++ b/distribution/src/main/release/samples/jax_rs/basic_oidc/README.txt
@@ -13,6 +13,8 @@ Build the demo with "mvn install" and start it with
 
 mvn jetty:run-war -Dclient_id=${client_id}
 
-Then start a browser and go to "localhost:8080/user/simpleLogin.jsp"
+Then start a browser and go to 
+
+https://localhost:8080/user/simpleLogin.html
 
 

http://git-wip-us.apache.org/repos/asf/cxf/blob/fa612d15/distribution/src/main/release/samples/jax_rs/big_query/README.txt
----------------------------------------------------------------------
diff --git a/distribution/src/main/release/samples/jax_rs/big_query/README.txt b/distribution/src/main/release/samples/jax_rs/big_query/README.txt
index 618e3b0..6c29c99 100644
--- a/distribution/src/main/release/samples/jax_rs/big_query/README.txt
+++ b/distribution/src/main/release/samples/jax_rs/big_query/README.txt
@@ -25,7 +25,9 @@ mvn jetty:run-war -Dclient_id=${client_id} -Dclient_secret=${client_secret}
-Dpr
 
 where ${client_id} and ${client_secret} are Client Id and Secret, and ${project_id} is the
id of your Google project.
 
-Then start a browser and go to "localhost:8080/bigquery/simpleLogin.jsp"
+Then start a browser and go to 
+
+https://localhost:8080/bigquery/simpleLogin.jsp
 
 2. Server to Server Flow.
 
@@ -36,9 +38,9 @@ choose "Generate New P12 Key" and save it to the local disk.
 
 Build the demo with "mvn install" and start it with
 
-mvn exec:java -Dexec.args="/home/pathto/BigQueryProjectKey.p12 notasecret ${client_id} ${project_id}"
+mvn exec:java -Dexec.args="/home/pathto/BigQueryProjectKey.p12 notasecret ${client_email}
${project_id}"
 
-where ${client_id} is Client Id and ${project_id} is the id of your Google project.
+where ${client_email} is Service Account Client Email and ${project_id} is the id of your
Google project.
 
 
 

http://git-wip-us.apache.org/repos/asf/cxf/blob/fa612d15/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryServer.java
----------------------------------------------------------------------
diff --git a/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryServer.java
b/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryServer.java
index f82fa7a..9a2c21c 100644
--- a/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryServer.java
+++ b/distribution/src/main/release/samples/jax_rs/big_query/src/main/java/demo/jaxrs/server/BigQueryServer.java
@@ -28,6 +28,7 @@ import java.util.List;
 
 import javax.ws.rs.core.MediaType;
 
+import org.apache.cxf.interceptor.LoggingInInterceptor;
 import org.apache.cxf.jaxrs.client.WebClient;
 import org.apache.cxf.jaxrs.provider.json.JsonMapObjectProvider;
 import org.apache.cxf.rs.security.jose.JoseType;
@@ -91,6 +92,8 @@ public final class BigQueryServer {
         WebClient accessTokenService = WebClient.create("https://www.googleapis.com/oauth2/v3/token",
                                                         Arrays.asList(new OAuthJSONProvider(),
                                                                       new AccessTokenGrantWriter()));
+        WebClient.getConfig(accessTokenService).getInInterceptors().add(new LoggingInInterceptor());
+        
         accessTokenService.type(MediaType.APPLICATION_FORM_URLENCODED).accept(MediaType.APPLICATION_JSON);
         
         return accessTokenService.post(grant, ClientAccessToken.class);

http://git-wip-us.apache.org/repos/asf/cxf/blob/fa612d15/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/AbstractJoseConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/AbstractJoseConsumer.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/AbstractJoseConsumer.java
index 64e5f16..98886ce 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/AbstractJoseConsumer.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/AbstractJoseConsumer.java
@@ -35,17 +35,17 @@ public abstract class AbstractJoseConsumer {
         this.jwsVerifier = theJwsVerifier;
     }
 
-    protected JweDecryptionProvider getInitializedDecryptionProvider(boolean required) {
+    protected JweDecryptionProvider getInitializedDecryptionProvider() {
         if (jweDecryptor != null) {
             return jweDecryptor;    
         } 
-        return JweUtils.loadDecryptionProvider(required);
+        return JweUtils.loadDecryptionProvider(false);
     }
-    protected JwsSignatureVerifier getInitializedSignatureVerifier(boolean required) {
+    protected JwsSignatureVerifier getInitializedSignatureVerifier() {
         if (jwsVerifier != null) {
             return jwsVerifier;    
         } 
-        return JwsUtils.loadSignatureVerifier(required);
+        return JwsUtils.loadSignatureVerifier(false);
     }
 
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/fa612d15/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/AbstractJoseProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/AbstractJoseProducer.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/AbstractJoseProducer.java
index c590ef9..f506943 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/AbstractJoseProducer.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/AbstractJoseProducer.java
@@ -27,18 +27,18 @@ public abstract class AbstractJoseProducer {
     private JwsSignatureProvider sigProvider;
     private JweEncryptionProvider encryptionProvider;
     
-    protected JwsSignatureProvider getInitializedSignatureProvider(boolean required) {
+    protected JwsSignatureProvider getInitializedSignatureProvider() {
         if (sigProvider != null) {
             return sigProvider;    
         } 
         
-        return JwsUtils.loadSignatureProvider(required);
+        return JwsUtils.loadSignatureProvider(false);
     }
-    protected JweEncryptionProvider getInitializedEncryptionProvider(boolean required) {
+    protected JweEncryptionProvider getInitializedEncryptionProvider() {
         if (encryptionProvider != null) {
             return encryptionProvider;    
         }
-        return JweUtils.loadEncryptionProvider(required);
+        return JweUtils.loadEncryptionProvider(false);
     }
 
     public void setEncryptionProvider(JweEncryptionProvider encryptionProvider) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/fa612d15/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtConsumer.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtConsumer.java
index 608f09e..4de976d 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtConsumer.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtConsumer.java
@@ -28,21 +28,36 @@ public abstract class AbstractJoseJwtConsumer extends AbstractJoseConsumer
{
     private boolean jwsRequired = true;
     private boolean jweRequired;
     
+    
     protected JwtToken getJwtToken(String wrappedJwtToken) {
+        return getJwtToken(wrappedJwtToken, null, null);
+    }
+    protected JwtToken getJwtToken(String wrappedJwtToken,
+                                   JweDecryptionProvider jweDecryptor,
+                                   JwsSignatureVerifier theSigVerifier) {
         if (!isJwsRequired() && !isJweRequired()) {
             throw new JwtException("Unable to process JWT");
         }
-        JweDecryptionProvider jweDecryptor = getInitializedDecryptionProvider(isJweRequired());
+        if (jweDecryptor == null) {
+            jweDecryptor = getInitializedDecryptionProvider();
+        }
         if (jweDecryptor != null) {
             if (!isJwsRequired()) {
                 return new JweJwtCompactConsumer(wrappedJwtToken).decryptWith(jweDecryptor);
   
             }
             wrappedJwtToken = jweDecryptor.decrypt(wrappedJwtToken).getContentText();
-        } 
+        } else if (isJweRequired()) {
+            throw new JwtException("Unable to decrypt JWT");
+        }
 
         JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(wrappedJwtToken);
         JwtToken jwt = jwtConsumer.getJwtToken();
-        JwsSignatureVerifier theSigVerifier = getInitializedSignatureVerifier(jwt);
+        if (theSigVerifier == null) {
+            theSigVerifier = getInitializedSignatureVerifier(jwt);
+        }
+        if (theSigVerifier == null && isJwsRequired()) {
+            throw new JwtException("Unable to validate JWT");
+        }
         if (!jwtConsumer.verifySignatureWith(theSigVerifier)) {
             throw new JwtException("Invalid Signature");
         }
@@ -50,7 +65,7 @@ public abstract class AbstractJoseJwtConsumer extends AbstractJoseConsumer
{
         return jwt; 
     }
     protected JwsSignatureVerifier getInitializedSignatureVerifier(JwtToken jwt) {
-        return super.getInitializedSignatureVerifier(isJwsRequired());
+        return super.getInitializedSignatureVerifier();
     }
     protected void validateToken(JwtToken jwt) {
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/fa612d15/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtProducer.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtProducer.java
index b90b386..95dc586 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtProducer.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/AbstractJoseJwtProducer.java
@@ -30,14 +30,29 @@ public abstract class AbstractJoseJwtProducer extends AbstractJoseProducer
{
     private boolean jweRequired;
     
     protected String processJwt(JwtToken jwt) {
+        return processJwt(jwt, null, null);
+    }
+    protected String processJwt(JwtToken jwt,
+                                JweEncryptionProvider theEncProvider,
+                                JwsSignatureProvider theSigProvider) {
         if (!isJwsRequired() && !isJweRequired()) {
             throw new JwtException("Unable to secure JWT");
         }
         String data = null;
-        JweEncryptionProvider theEncProvider = getInitializedEncryptionProvider(isJweRequired());
+        if (theEncProvider == null) {
+            theEncProvider = getInitializedEncryptionProvider();
+        }
+        if (theEncProvider == null && isJweRequired()) {
+            throw new JwtException("Unable to encrypt JWT");
+        }
         if (isJwsRequired()) {
+            if (theSigProvider == null) {
+                theSigProvider = getInitializedSignatureProvider();
+            }
+            if (theSigProvider == null) {
+                throw new JwtException("Unable to sign JWT");
+            }
             JwsJwtCompactProducer jws = new JwsJwtCompactProducer(jwt); 
-            JwsSignatureProvider theSigProvider = getInitializedSignatureProvider(isJwsRequired());
             data = jws.signWith(theSigProvider);
             if (theEncProvider != null) {
                 data = theEncProvider.encrypt(StringUtils.toBytesUTF8(data), null);

http://git-wip-us.apache.org/repos/asf/cxf/blob/fa612d15/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java
new file mode 100644
index 0000000..a5eccc7
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java
@@ -0,0 +1,76 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.provider;
+
+import javax.crypto.SecretKey;
+
+import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
+import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
+import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
+import org.apache.cxf.rs.security.jose.jwe.JweUtils;
+import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
+import org.apache.cxf.rs.security.jose.jws.JwsUtils;
+import org.apache.cxf.rs.security.jose.jwt.AbstractJoseJwtConsumer;
+import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+import org.apache.cxf.rt.security.crypto.CryptoUtils;
+
+public abstract class AbstractOAuthJoseJwtConsumer extends AbstractJoseJwtConsumer {
+   
+    private boolean decryptWithClientSecret;
+    private boolean verifyWithClientSecret;
+    
+    protected JwtToken getJwtToken(String wrappedJwtToken, String clientSecret) {
+        return getJwtToken(wrappedJwtToken, 
+                           getInitializedDecryptionProvider(clientSecret),
+                           getInitializedSignatureVerifier(clientSecret));
+    }
+    
+    protected JwsSignatureVerifier getInitializedSignatureVerifier(String clientSecret) {
+        if (verifyWithClientSecret) {
+            byte[] hmac = CryptoUtils.decodeSequence(clientSecret);
+            return JwsUtils.getHmacSignatureVerifier(hmac, SignatureAlgorithm.HS256);
+        } 
+        return super.getInitializedSignatureVerifier();
+    }
+    protected JweDecryptionProvider getInitializedDecryptionProvider(String clientSecret)
{
+        JweDecryptionProvider theDecryptionProvider = null;
+        if (decryptWithClientSecret) {
+            SecretKey key = CryptoUtils.decodeSecretKey(clientSecret);
+            theDecryptionProvider = JweUtils.getDirectKeyJweDecryption(key, ContentAlgorithm.A128GCM);
+        }
+        if (theDecryptionProvider == null) {
+            theDecryptionProvider = super.getInitializedDecryptionProvider();
+        }
+        return theDecryptionProvider;
+        
+    }
+
+    public void setDecryptWithClientSecret(boolean decryptWithClientSecret) {
+        if (verifyWithClientSecret) {
+            throw new SecurityException();
+        }
+        this.decryptWithClientSecret = verifyWithClientSecret;
+    }
+    public void setVerifyWithClientSecret(boolean verifyWithClientSecret) {
+        if (verifyWithClientSecret) {
+            throw new SecurityException();
+        }
+        this.verifyWithClientSecret = verifyWithClientSecret;
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/fa612d15/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java
index aa85a53..e5bf012 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java
@@ -18,62 +18,45 @@
  */
 package org.apache.cxf.rs.security.oauth2.provider;
 
-import java.security.cert.X509Certificate;
-import java.security.interfaces.RSAPublicKey;
-
 import javax.crypto.SecretKey;
 
 import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
-import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
 import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
 import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
 import org.apache.cxf.rs.security.jose.jwe.JweUtils;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
 import org.apache.cxf.rs.security.jose.jws.JwsUtils;
 import org.apache.cxf.rs.security.jose.jwt.AbstractJoseJwtProducer;
-import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.cxf.rt.security.crypto.CryptoUtils;
 
 public abstract class AbstractOAuthJoseJwtProducer extends AbstractJoseJwtProducer {
-    private boolean encryptWithClientCertificates;
     private boolean encryptWithClientSecret;
     private boolean signWithClientSecret;
     
-    protected JwsSignatureProvider getInitializedSignatureProvider(Client c, boolean required)
{
+    protected String processJwt(JwtToken jwt, String clientSecret) {
+        return processJwt(jwt, 
+                         getInitializedEncryptionProvider(clientSecret),
+                         getInitializedSignatureProvider(clientSecret));
+    }
+    
+    protected JwsSignatureProvider getInitializedSignatureProvider(String clientSecret) {
         if (signWithClientSecret) {
-            byte[] hmac = CryptoUtils.decodeSequence(c.getClientSecret());
+            byte[] hmac = CryptoUtils.decodeSequence(clientSecret);
             return JwsUtils.getHmacSignatureProvider(hmac, SignatureAlgorithm.HS256);
-        } 
-        return super.getInitializedSignatureProvider(required);
-    }
-    protected JweEncryptionProvider getInitializedEncryptionProvider(Client c, boolean required)
{
-        JweEncryptionProvider theEncryptionProvider = null;
-        if (encryptWithClientSecret) {
-            SecretKey key = CryptoUtils.decodeSecretKey(c.getClientSecret());
-            theEncryptionProvider = JweUtils.getDirectKeyJweEncryption(key, ContentAlgorithm.A128GCM);
-        } else if (encryptWithClientCertificates) {
-            X509Certificate cert = 
-                (X509Certificate)CryptoUtils.decodeCertificate(c.getApplicationCertificates().get(0));
-            theEncryptionProvider = JweUtils.createJweEncryptionProvider((RSAPublicKey)cert.getPublicKey(),

-                                                                         KeyAlgorithm.RSA_OAEP,

-                                                                         ContentAlgorithm.A128GCM,

-                                                                         null);
-        }
-        if (theEncryptionProvider == null) {
-            theEncryptionProvider = super.getInitializedEncryptionProvider(required);
         }
-        return theEncryptionProvider;
-        
+        return null;
     }
-
-    public void setEncryptWithClientCertificates(boolean encryptWithClientCertificates) {
+    protected JweEncryptionProvider getInitializedEncryptionProvider(String clientSecret)
{
         if (encryptWithClientSecret) {
-            throw new SecurityException();
+            SecretKey key = CryptoUtils.decodeSecretKey(clientSecret);
+            return JweUtils.getDirectKeyJweEncryption(key, ContentAlgorithm.A128GCM);
         }
-        this.encryptWithClientCertificates = encryptWithClientCertificates;
+        return null;
     }
+
     public void setEncryptWithClientSecret(boolean encryptWithClientSecret) {
-        if (signWithClientSecret || encryptWithClientCertificates) {
+        if (signWithClientSecret) {
             throw new SecurityException();
         }
         this.encryptWithClientSecret = encryptWithClientSecret;
@@ -84,4 +67,10 @@ public abstract class AbstractOAuthJoseJwtProducer extends AbstractJoseJwtProduc
         }
         this.signWithClientSecret = signWithClientSecret;
     }
+    public boolean isSignWithClientSecret() {
+        return signWithClientSecret;
+    }
+    public boolean isEncryptWithClientSecret() {
+        return encryptWithClientSecret;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/fa612d15/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthServerJoseJwtProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthServerJoseJwtProducer.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthServerJoseJwtProducer.java
new file mode 100644
index 0000000..31d8506
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthServerJoseJwtProducer.java
@@ -0,0 +1,65 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.provider;
+
+import java.security.cert.X509Certificate;
+import java.security.interfaces.RSAPublicKey;
+
+import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
+import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
+import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
+import org.apache.cxf.rs.security.jose.jwe.JweUtils;
+import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rt.security.crypto.CryptoUtils;
+
+public abstract class AbstractOAuthServerJoseJwtProducer extends AbstractOAuthJoseJwtProducer
{
+    private boolean encryptWithClientCertificates;
+    
+    protected String processJwt(JwtToken jwt, Client client) {
+        return processJwt(jwt, 
+                         getInitializedEncryptionProvider(client),
+                         getInitializedSignatureProvider(client.getClientSecret()));
+    }
+    
+    protected JweEncryptionProvider getInitializedEncryptionProvider(Client c) {
+        JweEncryptionProvider theEncryptionProvider = null;
+        if (encryptWithClientCertificates) {
+            X509Certificate cert = 
+                (X509Certificate)CryptoUtils.decodeCertificate(c.getApplicationCertificates().get(0));
+            theEncryptionProvider = JweUtils.createJweEncryptionProvider((RSAPublicKey)cert.getPublicKey(),

+                                                                         KeyAlgorithm.RSA_OAEP,

+                                                                         ContentAlgorithm.A128GCM,

+                                                                         null);
+        }
+        if (theEncryptionProvider == null) {
+            theEncryptionProvider = super.getInitializedEncryptionProvider(c.getClientSecret());
+        }
+        return theEncryptionProvider;
+        
+    }
+
+    public void setEncryptWithClientCertificates(boolean encryptWithClientCertificates) {
+        if (isEncryptWithClientSecret()) {
+            throw new SecurityException();
+        }
+        this.encryptWithClientCertificates = encryptWithClientCertificates;
+    }
+    
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/fa612d15/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenCodeResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenCodeResponseFilter.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenCodeResponseFilter.java
index 15b2c8a..62902af 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenCodeResponseFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenCodeResponseFilter.java
@@ -21,12 +21,12 @@ package org.apache.cxf.rs.security.oidc.idp;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
 import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
-import org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthJoseJwtProducer;
+import org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthServerJoseJwtProducer;
 import org.apache.cxf.rs.security.oauth2.provider.AccessTokenResponseFilter;
 import org.apache.cxf.rs.security.oidc.common.IdToken;
 import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
 
-public class IdTokenCodeResponseFilter extends AbstractOAuthJoseJwtProducer implements AccessTokenResponseFilter
{
+public class IdTokenCodeResponseFilter extends AbstractOAuthServerJoseJwtProducer implements
AccessTokenResponseFilter {
     private UserInfoProvider userInfoProvider;
     private String issuer;
     @Override
@@ -36,7 +36,8 @@ public class IdTokenCodeResponseFilter extends AbstractOAuthJoseJwtProducer
impl
         token.setIssuer(issuer);
         token.setAudience(st.getClient().getClientId());
         
-        String responseEntity = super.processJwt(new JwtToken(token));
+        String responseEntity = super.processJwt(new JwtToken(token), 
+                                                 st.getClient());
         ct.getParameters().put(OidcUtils.ID_TOKEN, responseEntity);
         
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/fa612d15/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
index 97ab548..7e3ef8f 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/UserInfoService.java
@@ -27,13 +27,15 @@ import javax.ws.rs.core.Response;
 import org.apache.cxf.jaxrs.ext.MessageContext;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.cxf.rs.security.oauth2.common.OAuthContext;
-import org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthJoseJwtProducer;
+import org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthServerJoseJwtProducer;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider;
 import org.apache.cxf.rs.security.oauth2.utils.OAuthContextUtils;
 import org.apache.cxf.rs.security.oidc.common.UserInfo;
 
 @Path("/userinfo")
-public class UserInfoService extends AbstractOAuthJoseJwtProducer {
+public class UserInfoService extends AbstractOAuthServerJoseJwtProducer {
     private UserInfoProvider userInfoProvider;
+    private OAuthDataProvider oauthDataProvider;
     private String issuer;
     
     @Context
@@ -50,7 +52,8 @@ public class UserInfoService extends AbstractOAuthJoseJwtProducer {
         userInfo.setAudience(oauth.getClientId());
         Object responseEntity = userInfo;
         if (super.isJwsRequired() || super.isJweRequired()) {
-            responseEntity = super.processJwt(new JwtToken(userInfo));
+            responseEntity = super.processJwt(new JwtToken(userInfo),
+                                              oauthDataProvider.getClient(oauth.getClientId()));
         }
         return Response.ok(responseEntity).build();
         
@@ -62,4 +65,8 @@ public class UserInfoService extends AbstractOAuthJoseJwtProducer {
     public void setUserInfoProvider(UserInfoProvider userInfoProvider) {
         this.userInfoProvider = userInfoProvider;
     }
+
+    public void setOauthDataProvider(OAuthDataProvider oauthDataProvider) {
+        this.oauthDataProvider = oauthDataProvider;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/fa612d15/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
index e79c4f0..f56651f 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
@@ -26,12 +26,12 @@ import org.apache.cxf.rs.security.jose.jwk.JsonWebKeys;
 import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
 import org.apache.cxf.rs.security.jose.jws.JwsUtils;
-import org.apache.cxf.rs.security.jose.jwt.AbstractJoseJwtConsumer;
 import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
+import org.apache.cxf.rs.security.oauth2.provider.AbstractOAuthJoseJwtConsumer;
 
-public abstract class AbstractTokenValidator extends AbstractJoseJwtConsumer {
+public abstract class AbstractTokenValidator extends AbstractOAuthJoseJwtConsumer {
     private static final String SELF_ISSUED_ISSUER = "https://self-issued.me";
     private String issuerId;
     private int issuedAtRange;

http://git-wip-us.apache.org/repos/asf/cxf/blob/fa612d15/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
index 63161d5..e5dc3c7 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
@@ -19,29 +19,30 @@
 package org.apache.cxf.rs.security.oidc.rp;
 
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+import org.apache.cxf.rs.security.oauth2.client.Consumer;
 import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
 import org.apache.cxf.rs.security.oidc.common.IdToken;
 import org.apache.cxf.rs.security.oidc.utils.OidcUtils;
 
 public class IdTokenReader extends AbstractTokenValidator {
     private boolean requireAtHash = true;
-    public IdToken getIdToken(ClientAccessToken at, String clientId) {
-        JwtToken jwt = getIdJwtToken(at, clientId);
+    public IdToken getIdToken(ClientAccessToken at, Consumer client) {
+        JwtToken jwt = getIdJwtToken(at, client);
         return getIdTokenFromJwt(jwt);
     }
-    public IdToken getIdToken(String idJwtToken, String clientId) {
-        JwtToken jwt = getIdJwtToken(idJwtToken, clientId);
+    public IdToken getIdToken(String idJwtToken, Consumer client) {
+        JwtToken jwt = getIdJwtToken(idJwtToken, client);
         return getIdTokenFromJwt(jwt);
     }
-    public JwtToken getIdJwtToken(ClientAccessToken at, String clientId) {
+    public JwtToken getIdJwtToken(ClientAccessToken at, Consumer client) {
         String idJwtToken = at.getParameters().get(OidcUtils.ID_TOKEN);
-        JwtToken jwt = getIdJwtToken(idJwtToken, clientId); 
+        JwtToken jwt = getIdJwtToken(idJwtToken, client); 
         OidcUtils.validateAccessTokenHash(at, jwt, requireAtHash);
         return jwt;
     }
-    public JwtToken getIdJwtToken(String idJwtToken, String clientId) {
-        JwtToken jwt = getJwtToken(idJwtToken);
-        validateJwtClaims(jwt.getClaims(), clientId, true);
+    public JwtToken getIdJwtToken(String idJwtToken, Consumer client) {
+        JwtToken jwt = getJwtToken(idJwtToken, client.getSecret());
+        validateJwtClaims(jwt.getClaims(), client.getKey(), true);
         return jwt;
     }
     private IdToken getIdTokenFromJwt(JwtToken jwt) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/fa612d15/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
index aa34cf1..18d7e40 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.java
@@ -60,13 +60,15 @@ public class OidcClientCodeRequestFilter extends ClientCodeRequestFilter
{
         }
         OidcClientTokenContextImpl ctx = new OidcClientTokenContextImpl();
         if (at != null) {
-            IdToken idToken = idTokenReader.getIdToken(at, getConsumer().getKey());
+            IdToken idToken = idTokenReader.getIdToken(at, getConsumer());
             // Validate the properties set up at the redirection time.
             validateIdToken(idToken, state);
             
             ctx.setIdToken(idToken);
             if (userInfoClient != null) {
-                ctx.setUserInfo(userInfoClient.getUserInfo(at, ctx.getIdToken()));
+                ctx.setUserInfo(userInfoClient.getUserInfo(at, 
+                                                           ctx.getIdToken(),
+                                                           getConsumer()));
             }
             rc.setSecurityContext(new OidcSecurityContext(ctx));
         }

http://git-wip-us.apache.org/repos/asf/cxf/blob/fa612d15/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java
index cb7b25a..0cc0db4 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcIdTokenRequestFilter.java
@@ -46,7 +46,7 @@ public class OidcIdTokenRequestFilter implements ContainerRequestFilter
{
             return;
         }
         
-        IdToken idToken = idTokenReader.getIdToken(idTokenParamValue, consumer.getKey());
+        IdToken idToken = idTokenReader.getIdToken(idTokenParamValue, consumer);
         JAXRSUtils.getCurrentMessage().setContent(IdToken.class, idToken);
         requestContext.setSecurityContext(new OidcSecurityContext(idToken));
         

http://git-wip-us.apache.org/repos/asf/cxf/blob/fa612d15/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
index 058867c..62ff26c 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
@@ -22,6 +22,7 @@ import javax.ws.rs.core.Form;
 
 import org.apache.cxf.jaxrs.client.WebClient;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
+import org.apache.cxf.rs.security.oauth2.client.Consumer;
 import org.apache.cxf.rs.security.oauth2.client.OAuthClientUtils;
 import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
 import org.apache.cxf.rs.security.oidc.common.IdToken;
@@ -31,12 +32,12 @@ public class UserInfoClient extends AbstractTokenValidator {
     private boolean sendTokenAsFormParameter;
     private WebClient profileClient;
     private boolean getUserInfoFromJwt;
-    public UserInfo getUserInfo(ClientAccessToken at, IdToken idToken) {
+    public UserInfo getUserInfo(ClientAccessToken at, IdToken idToken, Consumer client) {
         if (!sendTokenAsFormParameter) {
             OAuthClientUtils.setAuthorizationHeader(profileClient, at);
             if (getUserInfoFromJwt) {
                 String jwt = profileClient.get(String.class);
-                return getUserInfoFromJwt(jwt, idToken);
+                return getUserInfoFromJwt(jwt, idToken, client);
             } else {
                 UserInfo profile = profileClient.get(UserInfo.class);
                 validateUserInfo(profile, idToken);
@@ -46,7 +47,7 @@ public class UserInfoClient extends AbstractTokenValidator {
             Form form = new Form().param("access_token", at.getTokenKey());
             if (getUserInfoFromJwt) {
                 String jwt = profileClient.form(form).readEntity(String.class);
-                return getUserInfoFromJwt(jwt, idToken);
+                return getUserInfoFromJwt(jwt, idToken, client);
             } else {
                 UserInfo profile = profileClient.form(form).readEntity(UserInfo.class);
                 validateUserInfo(profile, idToken);
@@ -54,8 +55,10 @@ public class UserInfoClient extends AbstractTokenValidator {
             }
         }
     }
-    public UserInfo getUserInfoFromJwt(String profileJwtToken, IdToken idToken) {
-        JwtToken jwt = getUserInfoJwt(profileJwtToken);
+    public UserInfo getUserInfoFromJwt(String profileJwtToken, 
+                                       IdToken idToken,
+                                       Consumer client) {
+        JwtToken jwt = getUserInfoJwt(profileJwtToken, client);
         return getUserInfoFromJwt(jwt, idToken);
     }
     public UserInfo getUserInfoFromJwt(JwtToken jwt, IdToken idToken) {
@@ -63,7 +66,7 @@ public class UserInfoClient extends AbstractTokenValidator {
         validateUserInfo(profile, idToken);
         return profile;
     }
-    public JwtToken getUserInfoJwt(String profileJwtToken) {
+    public JwtToken getUserInfoJwt(String profileJwtToken, Consumer client) {
         return getJwtToken(profileJwtToken);
     }
     public void validateUserInfo(UserInfo profile, IdToken idToken) {


Mime
View raw message