cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [1/2] cxf git commit: Fix the implicit flow for OIDC when returning both a access token + id token
Date Mon, 14 Dec 2015 14:17:07 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.1.x-fixes 16c42c7e8 -> 2d3592e66


Fix the implicit flow for OIDC when returning both a access token + id token


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/ad1822e1
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/ad1822e1
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/ad1822e1

Branch: refs/heads/3.1.x-fixes
Commit: ad1822e1bdcd842c8f9fdb2f5833e73202455086
Parents: 16c42c7
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Mon Dec 14 13:56:07 2015 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Mon Dec 14 14:14:53 2015 +0000

----------------------------------------------------------------------
 .../security/oauth2/common/OAuthAuthorizationData.java   |  9 +++++++++
 .../rs/security/oauth2/common/OAuthRedirectionState.java | 11 +++++++++++
 .../oauth2/services/AbstractImplicitGrantService.java    |  6 ++++--
 .../oauth2/services/RedirectionBasedGrantService.java    |  2 ++
 .../cxf/rs/security/oidc/idp/OidcImplicitService.java    |  8 ++++++--
 5 files changed, 32 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/ad1822e1/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
index 05dc72c..8a29946 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthAuthorizationData.java
@@ -39,6 +39,7 @@ public class OAuthAuthorizationData extends OAuthRedirectionState implements
Ser
     private String endUserName;
     private String authenticityToken;
     private String replyTo;
+    private String responseType;
     
     private String applicationName;
     private String applicationWebUri;
@@ -201,4 +202,12 @@ public class OAuthAuthorizationData extends OAuthRedirectionState implements
Ser
     public void setImplicitFlow(boolean implicitFlow) {
         this.implicitFlow = implicitFlow;
     }
+
+    public String getResponseType() {
+        return responseType;
+    }
+
+    public void setResponseType(String responseType) {
+        this.responseType = responseType;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/ad1822e1/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthRedirectionState.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthRedirectionState.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthRedirectionState.java
index 4acc109..0ff4d47 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthRedirectionState.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/OAuthRedirectionState.java
@@ -30,6 +30,7 @@ public class OAuthRedirectionState implements Serializable {
     private String audience;
     private String nonce;
     private String clientCodeChallenge;
+    private String responseType;
     
     public OAuthRedirectionState() {
     }
@@ -123,4 +124,14 @@ public class OAuthRedirectionState implements Serializable {
     public void setNonce(String nonce) {
         this.nonce = nonce;
     }
+
+
+    public String getResponseType() {
+        return responseType;
+    }
+
+
+    public void setResponseType(String responseType) {
+        this.responseType = responseType;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/ad1822e1/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
index cee77da..5ee52cc 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AbstractImplicitGrantService.java
@@ -64,7 +64,7 @@ public abstract class AbstractImplicitGrantService extends RedirectionBasedGrant
         boolean tokenCanBeReturned = preAuthorizedToken != null;
         ServerAccessToken token = null;
         if (preAuthorizedToken == null) {
-            tokenCanBeReturned = canAccessTokenBeReturned(requestedScope, approvedScope);
+            tokenCanBeReturned = canAccessTokenBeReturned(state, requestedScope, approvedScope);
             if (tokenCanBeReturned) {
                 AccessTokenRegistration reg = new AccessTokenRegistration();
                 reg.setClient(client);
@@ -135,7 +135,9 @@ public abstract class AbstractImplicitGrantService extends RedirectionBasedGrant
         
         return Response.seeOther(URI.create(sb.toString())).build();
     }
-    protected boolean canAccessTokenBeReturned(List<String> requestedScope, List<String>
approvedScope) {
+    protected boolean canAccessTokenBeReturned(OAuthRedirectionState state,
+                                               List<String> requestedScope, 
+                                               List<String> approvedScope) {
         return true;
     }
     protected void processRefreshToken(StringBuilder sb, String refreshToken) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/ad1822e1/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
index 53cedaf..85b4b44 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/RedirectionBasedGrantService.java
@@ -214,6 +214,7 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
         secData.setAudience(params.getFirst(OAuthConstants.CLIENT_AUDIENCE));
         secData.setNonce(params.getFirst(OAuthConstants.NONCE));
         secData.setClientId(client.getClientId());
+        secData.setResponseType(params.getFirst(OAuthConstants.RESPONSE_TYPE));
         if (requestedScope != null && !requestedScope.isEmpty()) {
             StringBuilder builder = new StringBuilder();
             for (String scope : requestedScope) {
@@ -256,6 +257,7 @@ public abstract class RedirectionBasedGrantService extends AbstractOAuthService
             state.setProposedScope(params.getFirst(OAuthConstants.SCOPE));
             state.setState(params.getFirst(OAuthConstants.STATE));
             state.setNonce(params.getFirst(OAuthConstants.NONCE));
+            state.setResponseType(params.getFirst(OAuthConstants.RESPONSE_TYPE));
         }
         return state;
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/ad1822e1/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
index 66e5e8b..908d141 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/OidcImplicitService.java
@@ -24,6 +24,7 @@ import java.util.List;
 
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.OAuthPermission;
+import org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState;
 import org.apache.cxf.rs.security.oauth2.services.ImplicitGrantService;
 
 
@@ -39,8 +40,11 @@ public class OidcImplicitService extends ImplicitGrantService {
     }
     
     @Override
-    protected boolean canAccessTokenBeReturned(List<String> requestedScope, List<String>
approvedScope) {
-        return requestedScope.contains(ID_TOKEN_AND_AT_RESPONSE_TYPE);
+    protected boolean canAccessTokenBeReturned(OAuthRedirectionState state, 
+                                               List<String> requestedScope, 
+                                               List<String> approvedScope) {
+        return state.getResponseType() != null 
+            && state.getResponseType().contains(ID_TOKEN_AND_AT_RESPONSE_TYPE);
     }
     
     @Override


Mime
View raw message