From serg...@apache.org
Subject cxf git commit: Updating OAuth2 redirection based service to optionally skip the authorization
Date Tue, 20 Oct 2015 13:10:42 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 9f4fd059d -> ca1f38bcb


Updating OAuth2 redirection based service to optionally skip the authorization


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/ca1f38bc
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/ca1f38bc
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/ca1f38bc

Branch: refs/heads/master
Commit: ca1f38bcbcc5097af7e537173cacb24806b4b490
Parents: 9f4fd05
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Tue Oct 20 14:10:23 2015 +0100
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Tue Oct 20 14:10:23 2015 +0100

----------------------------------------------------------------------
 .../services/AuthorizationCodeGrantService.java |  4 +-
 .../services/RedirectionBasedGrantService.java  | 15 ++++---
 .../oidc/idp/IdTokenCodeResponseFilter.java     |  1 +
 .../oidc/idp/OidcAuthorizationCodeService.java  | 41 ++++++++++++++++++++
 4 files changed, 54 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/ca1f38bc/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
index 184d219..dbb2663 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java
@@ -69,9 +69,9 @@ public class AuthorizationCodeGrantService extends RedirectionBasedGrantService
                                                              String redirectUri,
                                                              UserSubject subject,
                                                              List<OAuthPermission>
perms,
-                                                             boolean preAuthorizedTokenAvailable)
{
+                                                             boolean authorizationCanBeSkipped)
{
         OAuthAuthorizationData data = 
-            super.createAuthorizationData(client, params, redirectUri, subject, perms, preAuthorizedTokenAvailable);
+            super.createAuthorizationData(client, params, redirectUri, subject, perms, authorizationCanBeSkipped);
         setCodeQualifier(data, params);
         return data;
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/ca1f38bc/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
index 821e70e..46a263f 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
@@ -160,14 +160,15 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
         // Request a new grant only if no pre-authorized token is available
         ServerAccessToken preAuthorizedToken = getDataProvider().getPreauthorizedToken(
             client, requestedScope, userSubject, supportedGrantType);
-        final boolean preAuthorizedTokenAvailable = preAuthorizedToken != null;
+        final boolean authorizationCanBeSkipped = 
+            preAuthorizedToken != null || canAuthorizationBeSkipped(client, permissions);
         
         // Populate the authorization challenge data 
         OAuthAuthorizationData data = 
             createAuthorizationData(client, params, redirectUri, userSubject, permissions,

-                                    preAuthorizedTokenAvailable);
+                                    authorizationCanBeSkipped);
         
-        if (preAuthorizedTokenAvailable) {
+        if (authorizationCanBeSkipped) {
             return createGrant(data,
                                client, 
                                requestedScope,
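Review bot: The comment at the top of the hunk, `// Request a new grant only if no pre-authorized token is available`, is now stale: the branch below it also issues the grant when `canAuthorizationBeSkipped(client, permissions)` returns true. Suggest `// Skip the authorization challenge and issue the grant directly if a pre-authorized token exists or the subclass allows skipping`. When the hook returns true, `createGrant` runs before the user has seen the requested permissions, so the hook is invoked at a point where the client and its redirect URI must already have been validated; that validation is outside this hunk and cannot be confirmed here. The enclosing method starts and ends outside the hunk.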
@@ -180,6 +181,10 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
         
     }
     
+    protected boolean canAuthorizationBeSkipped(Client client, List<OAuthPermission>
permissions) {
+        return false;
+    }
+
     /**
      * Create the authorization challenge data 
      */
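Review bot: `canAuthorizationBeSkipped` is a new protected extension point with no Javadoc, and its return value bypasses the end-user consent step entirely, so an override is effectively deciding a security policy. Suggest a Javadoc block stating that returning true causes the grant to be created without showing the authorization form, that the default is false, and that implementations should limit this to clients and scopes for which issuing a grant without explicit user approval is acceptable. It would also help to state whether `permissions` may be null or empty when the hook is called, since overrides will index into it.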
@@ -188,7 +193,7 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
                                                              String redirectUri, 
                                                              UserSubject subject,
                                                              List<OAuthPermission>
perms,
-                                                             boolean preAuthorizedTokenAvailable)
{
+                                                             boolean authorizationCanBeSkipped)
{
         
         OAuthAuthorizationData secData = new OAuthAuthorizationData();
         
@@ -197,7 +202,7 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
         secData.setAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE));
         secData.setClientId(client.getClientId());
         secData.setProposedScope(params.getFirst(OAuthConstants.SCOPE));
-        if (!preAuthorizedTokenAvailable) {
+        if (!authorizationCanBeSkipped) {
             secData.setPermissions(perms);
             secData.setApplicationName(client.getApplicationName()); 
             secData.setApplicationWebUri(client.getApplicationWebUri());

http://git-wip-us.apache.org/repos/asf/cxf/blob/ca1f38bc/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenCodeResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenCodeResponseFilter.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenCodeResponseFilter.java
index 62902af..01b024e 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenCodeResponseFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenCodeResponseFilter.java
@@ -31,6 +31,7 @@ public class IdTokenCodeResponseFilter extends AbstractOAuthServerJoseJwtProduce
     private String issuer;
     @Override
     public void process(ClientAccessToken ct, ServerAccessToken st) {
+        // This may also be done directly inside a data provider code creating the server
token
         IdToken token = 
             userInfoProvider.getIdToken(st.getClient().getClientId(), st.getSubject(), st.getScopes());
         token.setIssuer(issuer);

http://git-wip-us.apache.org/repos/asf/cxf/blob/ca1f38bc/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
new file mode 100644
index 0000000..77cd1a2
--- /dev/null
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcAuthorizationCodeService.java
@@ -0,0 +1,41 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oidc.idp;
+
+import java.util.List;
+
+import javax.ws.rs.Path;
+
+import org.apache.cxf.rs.security.oauth2.common.Client;
+import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
+import org.apache.cxf.rs.security.oauth2.services.AuthorizationCodeGrantService;
+
+@Path("/login")
+public class OidcAuthorizationCodeService extends AuthorizationCodeGrantService {
+    private static final String OPEN_ID_CONNECT_SCOPE = "openid";
+    @Override
+    protected boolean canAuthorizationBeSkipped(Client client, List<OAuthPermission>
permissions) {
+        // No need to challenge the authenticated user with the authorization form 
+        // if all the client application redirecting a user needs is to get this user authenticated
+        // with OIDC IDP
+        return permissions.size() == 1 
+            && OPEN_ID_CONNECT_SCOPE.equals(permissions.get(0).getPermission());
+    }
+    
+}
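Review bot: The override ignores its `client` argument, so the consent bypass applies to every registered client that requests only `openid`; since skipping the form still releases the authenticated user's identity to that client through the resulting code and id token, consider restricting the skip to clients the IdP trusts, e.g. `return client.isConfidential() && permissions.size() == 1 && OPEN_ID_CONNECT_SCOPE.equals(permissions.get(0).getPermission());`, or to a configured allow-list, and document the choice in a class Javadoc. `permissions.size()` is dereferenced before any null check; whether the superclass can pass null here is not visible in this diff, so either guard it or state the non-null precondition in the comment. OIDC also defines the `prompt=consent` request parameter, which should force the form even when the scope alone would allow skipping; the hook has no access to the request parameters, so that case would need handling in the caller.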

