cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject cxf-fediz git commit: [FEDIZ-134] Making sure the id token is set on UserSubject if the implicit grant is used
Date Thu, 19 Nov 2015 11:02:47 GMT
Repository: cxf-fediz
Updated Branches:
  refs/heads/master 22d7bdc04 -> 355dceb1d


[FEDIZ-134] Making sure the id token is set on UserSubject if the implicit grant is used


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/355dceb1
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/355dceb1
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/355dceb1

Branch: refs/heads/master
Commit: 355dceb1d2788dba9741fd683929c36d76bb3155
Parents: 22d7bdc
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Thu Nov 19 11:02:19 2015 +0000
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Thu Nov 19 11:02:19 2015 +0000

----------------------------------------------------------------------
 .../fediz/service/oidc/OAuthDataManager.java    | 73 ++++++++++++--------
 1 file changed, 43 insertions(+), 30 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/355dceb1/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java
----------------------------------------------------------------------
diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java
b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java
index 5e3ff4f..a207b17 100644
--- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java
+++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java
@@ -33,6 +33,7 @@ import org.apache.cxf.rs.security.jose.jws.JwsUtils;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
 import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
+import org.apache.cxf.rs.security.oauth2.common.UserSubject;
 import org.apache.cxf.rs.security.oauth2.grants.code.AbstractCodeDataProvider;
 import org.apache.cxf.rs.security.oauth2.grants.code.ServerAuthorizationCodeGrant;
 import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
@@ -81,14 +82,7 @@ public class OAuthDataManager extends AbstractCodeDataProvider {
     // Grants
     @Override
     protected void saveCodeGrant(ServerAuthorizationCodeGrant grant) {
-        Principal principal = messageContext.getSecurityContext().getUserPrincipal();
-        
-        if (principal instanceof FedizPrincipal) {
-            String joseIdToken = getJoseIdToken((FedizPrincipal)principal, grant.getClient());
-            grant.getSubject().getProperties().put(OidcUtils.ID_TOKEN, joseIdToken);
-        } else {
-            throw new OAuthServiceException("Unsupported principal");
-        }
+        createIdToken(grant.getClient(), grant.getSubject());
         doSaveCodeGrant(grant);
     }
 
@@ -96,24 +90,7 @@ public class OAuthDataManager extends AbstractCodeDataProvider {
         codeGrants.put(grant.getCode(), grant);
         
     }
-
-    protected String getJoseIdToken(FedizPrincipal principal, Client client) {
-        IdToken idToken = tokenConverter.convertToIdToken(principal.getLoginToken(),
-                                                          principal.getName(), 
-                                                          principal.getClaims(),
-                                                          client.getClientId());
-        JwsJwtCompactProducer p = new JwsJwtCompactProducer(idToken);
-        return p.signWith(getJwsSignatureProvider(client));
-        // the JWS compact output may also need to be encrypted
-    }
-
-    protected JwsSignatureProvider getJwsSignatureProvider(Client client) {
-        if (signIdTokenWithClientSecret && client.isConfidential()) {
-            return OAuthUtils.getClientSecretSignatureProvider(client.getClientSecret());
-        } 
-        return JwsUtils.loadSignatureProvider(true);
-        
-    }
+    
 
     @Override
     public ServerAuthorizationCodeGrant removeCodeGrant(String code) throws OAuthServiceException
{
@@ -123,6 +100,11 @@ public class OAuthDataManager extends AbstractCodeDataProvider {
     // Access Tokens
     @Override
     protected void saveAccessToken(ServerAccessToken token) {
+        createIdToken(token.getClient(), token.getSubject());
+        doSaveAccessToken(token);
+    }
+    
+    protected void doSaveAccessToken(ServerAccessToken token) {
         accessTokens.put(token.getTokenKey(), token);
     }
 
@@ -174,10 +156,6 @@ public class OAuthDataManager extends AbstractCodeDataProvider {
         this.messageContext = messageContext;
     }
 
-    public void setTokenConverter(SamlTokenConverter tokenConverter) {
-        this.tokenConverter = tokenConverter;
-    }
-
     public void setScopes(Map<String, String> scopes) {
         for (Map.Entry<String, String> entry : scopes.entrySet()) {
             OAuthPermission permission = new OAuthPermission(entry.getKey(), entry.getValue());
@@ -188,6 +166,36 @@ public class OAuthDataManager extends AbstractCodeDataProvider {
         }
     }
 
+    protected void createIdToken(Client client, UserSubject subject) {
+        if (subject != null && !subject.getProperties().containsKey(OidcUtils.ID_TOKEN))
{
+            Principal principal = messageContext.getSecurityContext().getUserPrincipal();
+            
+            if (principal instanceof FedizPrincipal) {
+                String joseIdToken = getJoseIdToken((FedizPrincipal)principal, client);
+                subject.getProperties().put(OidcUtils.ID_TOKEN, joseIdToken);
+            }
+        }
+        
+    }
+    
+    protected String getJoseIdToken(FedizPrincipal principal, Client client) {
+        IdToken idToken = tokenConverter.convertToIdToken(principal.getLoginToken(),
+                                                          principal.getName(), 
+                                                          principal.getClaims(),
+                                                          client.getClientId());
+        JwsJwtCompactProducer p = new JwsJwtCompactProducer(idToken);
+        return p.signWith(getJwsSignatureProvider(client));
+        // the JWS compact output may also need to be encrypted
+    }
+
+    protected JwsSignatureProvider getJwsSignatureProvider(Client client) {
+        if (signIdTokenWithClientSecret && client.isConfidential()) {
+            return OAuthUtils.getClientSecretSignatureProvider(client.getClientSecret());
+        } 
+        return JwsUtils.loadSignatureProvider(true);
+        
+    }
+    
     /**
      * Enable the symmetric signature with the client secret. 
      * This property will be ignored if a client is public 
@@ -199,4 +207,9 @@ public class OAuthDataManager extends AbstractCodeDataProvider {
     public boolean isSignIdTokenWithClientSecret() {
         return signIdTokenWithClientSecret;
     }
+    
+    public void setTokenConverter(SamlTokenConverter tokenConverter) {
+        this.tokenConverter = tokenConverter;
+    }
+
 }


Mime
View raw message