cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [1/3] cxf git commit: Store the nonce + include it in the IdToken
Date Fri, 11 Dec 2015 15:42:05 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.1.x-fixes 358589c33 -> 6a328a5c0


Store the nonce + include it in the IdToken


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/86830481
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/86830481
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/86830481

Branch: refs/heads/3.1.x-fixes
Commit: 868304818c7b687d33cdf0ae1a620d06f2b9028f
Parents: 358589c
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Fri Dec 11 11:55:52 2015 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Fri Dec 11 15:24:41 2015 +0000

----------------------------------------------------------------------
 .../oauth2/common/ServerAccessToken.java        |  9 +++
 .../oauth2/grants/AbstractGrantHandler.java     | 66 +++++++++++---------
 .../grants/code/AbstractCodeDataProvider.java   |  1 +
 .../code/AuthorizationCodeGrantHandler.java     | 38 ++++++++---
 .../code/ServerAuthorizationCodeGrant.java      |  9 +++
 .../provider/AbstractOAuthDataProvider.java     |  1 +
 .../oidc/idp/IdTokenResponseFilter.java         |  3 +
 7 files changed, 90 insertions(+), 37 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/86830481/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
index d5cc449..7c64a51 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/common/ServerAccessToken.java
@@ -37,6 +37,7 @@ public abstract class ServerAccessToken extends AccessToken {
     private UserSubject subject;
     private String audience;
     private String clientCodeVerifier;
+    private String nonce;
     
     protected ServerAccessToken() {
         
@@ -158,4 +159,12 @@ public abstract class ServerAccessToken extends AccessToken {
     public void setClientCodeVerifier(String clientCodeVerifier) {
         this.clientCodeVerifier = clientCodeVerifier;
     }
+
+    public String getNonce() {
+        return nonce;
+    }
+
+    public void setNonce(String nonce) {
+        this.nonce = nonce;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/86830481/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
index 38ab690..f107de7 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/AbstractGrantHandler.java
@@ -100,51 +100,39 @@ public abstract class AbstractGrantHandler implements AccessTokenGrantHandler
{
         return doCreateAccessToken(client, 
                                    subject, 
                                    OAuthUtils.parseScope(params.getFirst(OAuthConstants.SCOPE)),

-                                   null,
                                    params.getFirst(OAuthConstants.CLIENT_AUDIENCE));
     }
     
     protected ServerAccessToken doCreateAccessToken(Client client,
                                                     UserSubject subject,
-                                                    List<String> requestedScope) {
+                                                    List<String> requestedScopes) {
         
-        return doCreateAccessToken(client, subject, getSingleGrantType(), requestedScope);
+        return doCreateAccessToken(client, subject, getSingleGrantType(), requestedScopes);
     }
     
     protected ServerAccessToken doCreateAccessToken(Client client,
                                                     UserSubject subject,
-                                                    List<String> requestedScope,
-                                                    List<String> approvedScope,
+                                                    List<String> requestedScopes,
                                                     String audience) {
         
-        return doCreateAccessToken(client, subject, getSingleGrantType(), requestedScope,

-                                   approvedScope, audience, null);
+        return doCreateAccessToken(client, subject, getSingleGrantType(), requestedScopes,

+                                   audience);
     }
     
     protected ServerAccessToken doCreateAccessToken(Client client,
                                                     UserSubject subject,
                                                     String requestedGrant,
-                                                    List<String> requestedScope) {
-        return doCreateAccessToken(client, subject, requestedGrant, requestedScope, null,
null, null);
+                                                    List<String> requestedScopes) {
+        return doCreateAccessToken(client, subject, requestedGrant, requestedScopes, null);
     }
+    
     protected ServerAccessToken doCreateAccessToken(Client client,
                                                     UserSubject subject,
                                                     String requestedGrant,
-                                                    List<String> requestedScope,
-                                                    List<String> approvedScope,
-                                                    String audience,
-                                                    String codeVerifier) {
-        if (!OAuthUtils.validateScopes(requestedScope, client.getRegisteredScopes(), 
-                                       partialMatchScopeValidation)) {
-            throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_SCOPE));
    
-        }
-        if (!OAuthUtils.validateAudience(audience, client.getRegisteredAudiences())) {
-            throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_GRANT));
-        }
-        
-        // Check if a pre-authorized  token available
-        ServerAccessToken token = dataProvider.getPreauthorizedToken(
-                                     client, requestedScope, subject, requestedGrant);
+                                                    List<String> requestedScopes,
+                                                    String audience) {
+        ServerAccessToken token = getPreAuthorizedToken(client, subject, requestedGrant,
+                                                        requestedScopes, audience);
         if (token != null) {
             return token;
         }
@@ -154,16 +142,34 @@ public abstract class AbstractGrantHandler implements AccessTokenGrantHandler
{
         reg.setClient(client);
         reg.setGrantType(requestedGrant);
         reg.setSubject(subject);
-        reg.setRequestedScope(requestedScope);
-        if (approvedScope == null) {
-            approvedScope = Collections.emptyList();
-        }
-        reg.setApprovedScope(approvedScope);
+        reg.setRequestedScope(requestedScopes);
+        reg.setApprovedScope(Collections.emptyList());
         reg.setAudience(audience);
-        reg.setClientCodeVerifier(codeVerifier);
         return dataProvider.createAccessToken(reg);
     }
     
+    protected ServerAccessToken getPreAuthorizedToken(Client client,
+                                                      UserSubject subject,
+                                                      String requestedGrant,
+                                                      List<String> requestedScopes,
+                                                      String audience) {
+        if (!OAuthUtils.validateScopes(requestedScopes, client.getRegisteredScopes(), 
+                                       partialMatchScopeValidation)) {
+            throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_SCOPE));
    
+        }
+        if (!OAuthUtils.validateAudience(audience, client.getRegisteredAudiences())) {
+            throw new OAuthServiceException(new OAuthError(OAuthConstants.INVALID_GRANT));
+        }
+        
+        // Get a pre-authorized token if available
+        return dataProvider.getPreauthorizedToken(
+                                     client, requestedScopes, subject, requestedGrant);
+    }
+    
+    public boolean isPartialMatchScopeValidation() {
+        return partialMatchScopeValidation;
+    }
+    
     public void setPartialMatchScopeValidation(boolean partialMatchScopeValidation) {
         this.partialMatchScopeValidation = partialMatchScopeValidation;
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/86830481/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
index 6bed976..1b63bb3 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AbstractCodeDataProvider.java
@@ -55,6 +55,7 @@ public abstract class AbstractCodeDataProvider extends AbstractOAuthDataProvider
         grant.setApprovedScopes(reg.getApprovedScope());
         grant.setAudience(reg.getAudience());
         grant.setClientCodeChallenge(reg.getClientCodeChallenge());
+        grant.setNonce(reg.getNonce());
         return grant;
     }
     

http://git-wip-us.apache.org/repos/asf/cxf/blob/86830481/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
index 9a6888a..6d7fc1a 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.java
@@ -19,8 +19,11 @@
 
 package org.apache.cxf.rs.security.oauth2.grants.code;
 
+import java.util.Collections;
+
 import javax.ws.rs.core.MultivaluedMap;
 
+import org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
 import org.apache.cxf.rs.security.oauth2.grants.AbstractGrantHandler;
@@ -78,13 +81,34 @@ public class AuthorizationCodeGrantHandler extends AbstractGrantHandler
{
             throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
         }
         
-        return doCreateAccessToken(client, 
-                                   grant.getSubject(), 
-                                   getSingleGrantType(),
-                                   grant.getRequestedScopes(),
-                                   grant.getApprovedScopes(),
-                                   grant.getAudience(),
-                                   clientCodeVerifier);
+        return doCreateAccessToken(client, grant, getSingleGrantType(), clientCodeVerifier);
+    }
+    
+    private ServerAccessToken doCreateAccessToken(Client client,
+                                                  ServerAuthorizationCodeGrant grant,
+                                                  String requestedGrant,
+                                                  String codeVerifier) {
+        ServerAccessToken token = getPreAuthorizedToken(client, grant.getSubject(), requestedGrant,
+                                                        grant.getRequestedScopes(), grant.getAudience());
+        if (token != null) {
+            return token;
+        }
+        
+        // Delegate to the data provider to create the one
+        AccessTokenRegistration reg = new AccessTokenRegistration();
+        reg.setClient(client);
+        reg.setGrantType(requestedGrant);
+        reg.setSubject(grant.getSubject());
+        reg.setRequestedScope(grant.getRequestedScopes());
+        reg.setNonce(grant.getNonce());
+        if (grant.getApprovedScopes() != null) {
+            reg.setApprovedScope(grant.getApprovedScopes());
+        } else {
+            reg.setApprovedScope(Collections.emptyList());
+        }
+        reg.setAudience(grant.getAudience());
+        reg.setClientCodeVerifier(codeVerifier);
+        return getDataProvider().createAccessToken(reg);
     }
     
     private boolean compareCodeVerifierWithChallenge(Client c, String clientCodeVerifier,


http://git-wip-us.apache.org/repos/asf/cxf/blob/86830481/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
index a1aba9f..5b8bca9 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/ServerAuthorizationCodeGrant.java
@@ -40,6 +40,7 @@ public class ServerAuthorizationCodeGrant extends AuthorizationCodeGrant
{
     private UserSubject subject;
     private String audience;
     private String clientCodeChallenge;
+    private String nonce;
     
     public ServerAuthorizationCodeGrant() {
         
@@ -165,4 +166,12 @@ public class ServerAuthorizationCodeGrant extends AuthorizationCodeGrant
{
     public void setRequestedScopes(List<String> requestedScopes) {
         this.requestedScopes = requestedScopes;
     }
+
+    public String getNonce() {
+        return nonce;
+    }
+
+    public void setNonce(String nonce) {
+        this.nonce = nonce;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/86830481/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
index 149bff1..9bb52ed 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthDataProvider.java
@@ -67,6 +67,7 @@ public abstract class AbstractOAuthDataProvider implements OAuthDataProvider,
Cl
         at.setScopes(thePermissions);
         at.setSubject(accessToken.getSubject());
         at.setClientCodeVerifier(accessToken.getClientCodeVerifier());
+        at.setNonce(accessToken.getNonce());
         return at;
     }
     

http://git-wip-us.apache.org/repos/asf/cxf/blob/86830481/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
index b8ab2b2..f7d6b9a 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.java
@@ -49,6 +49,9 @@ public class IdTokenResponseFilter extends AbstractOAuthServerJoseJwtProducer
im
         if (userInfoProvider != null) {
             IdToken idToken = 
                 userInfoProvider.getIdToken(st.getClient().getClientId(), st.getSubject(),
st.getScopes());
+            if (st.getNonce() != null) {
+                idToken.setNonce(st.getNonce());
+            }
             setAtHash(idToken, st);
             return super.processJwt(new JwtToken(idToken), st.getClient());
         } else if (st.getSubject().getProperties().containsKey(OidcUtils.ID_TOKEN)) {


Mime
View raw message