Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 15AC61841F for ; Mon, 7 Dec 2015 17:25:33 +0000 (UTC) Received: (qmail 12174 invoked by uid 500); 7 Dec 2015 17:25:26 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 12108 invoked by uid 500); 7 Dec 2015 17:25:25 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 12092 invoked by uid 99); 7 Dec 2015 17:25:23 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 07 Dec 2015 17:25:23 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 21AF9E0537; Mon, 7 Dec 2015 17:25:23 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: sergeyb@apache.org To: commits@cxf.apache.org Message-Id: <22de3d66a0f54d888e65ac49361c2189@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: cxf-fediz git commit: Initial try at postponing the id token sig/enc until AT is requested and moving JOSE code out of the data provider and letting the id token filter do it Date: Mon, 7 Dec 2015 17:25:23 +0000 (UTC) Repository: cxf-fediz Updated Branches: refs/heads/master 0b98f2994 -> fcc0ac6dc Initial try at postponing the id token sig/enc until AT is requested and moving JOSE code out of the data provider and letting the id token filter do it Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/fcc0ac6d Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/fcc0ac6d Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/fcc0ac6d Branch: refs/heads/master Commit: fcc0ac6dc6c687ef0c34632fc864c62eb0a6f811 Parents: 0b98f29 Author: Sergey Beryozkin Authored: Mon Dec 7 17:25:02 2015 +0000 Committer: Sergey Beryozkin Committed: Mon Dec 7 17:25:02 2015 +0000 ---------------------------------------------------------------------- .../service/oidc/ClientRegistrationService.java | 8 ++- .../fediz/service/oidc/OAuthDataManager.java | 67 +++++++++++--------- .../main/webapp/WEB-INF/applicationContext.xml | 14 ++-- .../src/main/webapp/WEB-INF/data-manager.xml | 1 - 4 files changed, 52 insertions(+), 38 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/fcc0ac6d/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/ClientRegistrationService.java ---------------------------------------------------------------------- diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/ClientRegistrationService.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/ClientRegistrationService.java index d4269d7..bf93312 100644 
--- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/ClientRegistrationService.java +++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/ClientRegistrationService.java @@ -49,6 +49,8 @@ public class ClientRegistrationService { new ConcurrentHashMap>(); private OAuthDataManager manager; private Map homeRealms = new LinkedHashMap(); + private boolean protectIdTokenWithClientSecret; + @Context private SecurityContext sc; @@ -99,7 +101,7 @@ public class ClientRegistrationService { protected String generateClientSecret() { // TODO: may need to be 384/8 or 512/8 if not a default HS256 but HS384 or HS512 - int keySizeOctets = manager.isSignIdTokenWithClientSecret() ? 32 : 16; + int keySizeOctets = protectIdTokenWithClientSecret ? 32 : 16; return Base64UrlUtility.encode(CryptoUtils.generateSecureRandomBytes(keySizeOctets)); } @@ -143,5 +145,9 @@ public class ClientRegistrationService { getClientRegistrations(userName).add(c); } } + + public void setProtectIdTokenWithClientSecret(boolean protectIdTokenWithClientSecret) { + this.protectIdTokenWithClientSecret = protectIdTokenWithClientSecret; + } } http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/fcc0ac6d/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java ---------------------------------------------------------------------- diff --git a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java index 08db670..a48a865 100644 --- a/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java +++ b/services/oidc/src/main/java/org/apache/cxf/fediz/service/oidc/OAuthDataManager.java 
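Review bot: `generateClientSecret` now sizes the secret from the registration service's own `protectIdTokenWithClientSecret` flag, while the signer in OAuthDataManager (`getJwsSignatureProvider`, visible as context at the end of the hunk at @@ -122) still keys off its separate `signIdTokenWithClientSecret` field, whose setter this commit deletes. The two flags are configured independently, so a deployment that signs id tokens with the client secret but registers clients with this flag off would feed HS256 a 16-octet (128-bit) key, below the 256-bit minimum RFC 7518 requires for HS256. Either derive both from one setting or document the coupling on the new field: `// must agree with OAuthDataManager's signIdTokenWithClientSecret: a 16-octet secret is too short to key HS256`. `generateClientSecret` is fully inside the hunk; the enclosing class continues past it.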
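Review bot: The new `setProtectIdTokenWithClientSecret` carries no Javadoc, although the setter it replaces in OAuthDataManager (removed in the hunk at @@ -153) documented the contract: `/** Enable the symmetric signature with the client secret. This property will be ignored if a client is public */`. Carry that Javadoc over to the new setter, reworded for what it now governs here, namely the length of the secret chosen in `generateClientSecret`, and note that the symmetric-signature decision itself is still made in OAuthDataManager.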
@@ -41,6 +41,7 @@ import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException; import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants; import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils; import org.apache.cxf.rs.security.oidc.common.IdToken; +import org.apache.cxf.rs.security.oidc.idp.OidcUserSubject; import org.apache.cxf.rs.security.oidc.utils.OidcUtils; public class OAuthDataManager extends DefaultEHCacheCodeDataProvider { @@ -76,7 +77,12 @@ public class OAuthDataManager extends DefaultEHCacheCodeDataProvider { protected ServerAuthorizationCodeGrant doCreateCodeGrant(AuthorizationCodeRegistration reg) throws OAuthServiceException { ServerAuthorizationCodeGrant grant = super.doCreateCodeGrant(reg); - createIdToken(grant.getClient(), grant.getSubject(), reg.getNonce()); + OidcUserSubject oidcSub = createOidcSubject(grant.getClient(), + grant.getSubject(), + reg.getNonce()); + if (oidcSub != null) { + grant.setSubject(oidcSub); + } return grant; } @@ -84,7 +90,13 @@ public class OAuthDataManager extends DefaultEHCacheCodeDataProvider { protected ServerAccessToken doCreateAccessToken(AccessTokenRegistration reg) throws OAuthServiceException { ServerAccessToken token = super.doCreateAccessToken(reg); - createIdToken(token.getClient(), token.getSubject(), reg.getNonce()); + OidcUserSubject oidcSub = null; + if (!(token.getSubject() instanceof OidcUserSubject)) { + oidcSub = createOidcSubject(token.getClient(), token.getSubject(), reg.getNonce()); + if (oidcSub != null) { + token.setSubject(oidcSub); + } + } return token; } @@ -101,7 +113,7 @@ public class OAuthDataManager extends DefaultEHCacheCodeDataProvider { list.add(permission); } if (!list.contains(OPENID_PERMISSION)) { - throw new OAuthServiceException("Default scope is missing"); + throw new OAuthServiceException("Required scope is missing"); } return list; } 
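Review bot: In `doCreateAccessToken` (and in `doCreateCodeGrant` in the hunk above) a null from `createOidcSubject` is silently accepted, so a grant or token whose scope is now required to contain openid (the hunk at @@ -101 rejects its absence with "Required scope is missing") can be issued with no id token attached and nothing recorded. `createOidcSubject` returns null whenever the security-context principal is not a `FedizPrincipal`, which at the token endpoint, where the caller authenticates as the client rather than the end user, looks likely; worth confirming that the code-grant path always supplies an `OidcUserSubject` before this runs, since that is what the `instanceof` guard relies on. At minimum make the miss visible, either by logging it through the class logger (not shown in this hunk) or by failing the request when an id token is mandatory, and apply the same `instanceof` guard in `doCreateCodeGrant` for consistency.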
@@ -122,28 +134,33 @@ public class OAuthDataManager extends DefaultEHCacheCodeDataProvider { } } - protected void createIdToken(Client client, UserSubject subject, String nonce) { - if (subject != null && !subject.getProperties().containsKey(OidcUtils.ID_TOKEN)) { - Principal principal = messageContext.getSecurityContext().getUserPrincipal(); - - if (principal instanceof FedizPrincipal) { - String joseIdToken = getJoseIdToken((FedizPrincipal)principal, client, nonce); - subject.getProperties().put(OidcUtils.ID_TOKEN, joseIdToken); - } + protected OidcUserSubject createOidcSubject(Client client, UserSubject subject, String nonce) { + IdToken idToken = getIdToken(client, nonce); + if (idToken != null) { + OidcUserSubject oidcSub = new OidcUserSubject(subject); + oidcSub.setIdToken(idToken); + return oidcSub; } - + return null; } - - protected String getJoseIdToken(FedizPrincipal principal, Client client, String nonce) { - IdToken idToken = tokenConverter.convertToIdToken(principal.getLoginToken(), - principal.getName(), - principal.getClaims(), - client.getClientId(), - nonce); + protected String getJoseIdToken(Client client, IdToken idToken) { JwsJwtCompactProducer p = new JwsJwtCompactProducer(idToken); return p.signWith(getJwsSignatureProvider(client)); // the JWS compact output may also need to be encrypted } + protected IdToken getIdToken(Client client, String nonce) { + Principal principal = messageContext.getSecurityContext().getUserPrincipal(); + + if (principal instanceof FedizPrincipal) { + FedizPrincipal fedizPrincipal = (FedizPrincipal)principal; + return tokenConverter.convertToIdToken(fedizPrincipal.getLoginToken(), + fedizPrincipal.getName(), + fedizPrincipal.getClaims(), + client.getClientId(), + nonce); + } + return null; + } protected JwsSignatureProvider getJwsSignatureProvider(Client client) { if (signIdTokenWithClientSecret && client.isConfidential()) { 
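Review bot: `createOidcSubject` drops the `subject != null` guard that the removed `createIdToken` had and then calls `new OidcUserSubject(subject)`, whose copy constructor dereferences its argument, so a grant or token registered without a subject now fails with a NullPointerException instead of being passed through untouched as before. Restore the guard ahead of the `getIdToken` call: `if (subject == null) { return null; }`; both callers in the hunks at @@ -76 and @@ -84 already treat null as "leave the subject alone". Separately, the hunk's trailing context still reads `signIdTokenWithClientSecret` in `getJwsSignatureProvider`, but the hunk at @@ -153 deletes its setter, so unless the field is assigned somewhere not shown, HMAC signing with the client secret can no longer be switched on from configuration. `getJwsSignatureProvider` continues past the end of the hunk.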
@@ -153,18 +170,6 @@ public class OAuthDataManager extends DefaultEHCacheCodeDataProvider { } - /** - * Enable the symmetric signature with the client secret. - * This property will be ignored if a client is public - */ - public void setSignIdTokenWithClientSecret(boolean signIdTokenWithClientSecret) { - this.signIdTokenWithClientSecret = signIdTokenWithClientSecret; - } - - public boolean isSignIdTokenWithClientSecret() { - return signIdTokenWithClientSecret; - } - public void setTokenConverter(SamlTokenConverter tokenConverter) { this.tokenConverter = tokenConverter; } http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/fcc0ac6d/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml ---------------------------------------------------------------------- diff --git a/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml b/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml index 6702a0b..61cf6f4 100644 --- a/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml +++ b/services/oidc/src/main/webapp/WEB-INF/applicationContext.xml @@ -50,10 +50,6 @@ - - - - + @@ -135,6 +135,10 @@ + + + + http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/fcc0ac6d/services/oidc/src/main/webapp/WEB-INF/data-manager.xml ---------------------------------------------------------------------- diff --git a/services/oidc/src/main/webapp/WEB-INF/data-manager.xml b/services/oidc/src/main/webapp/WEB-INF/data-manager.xml index 7440464..38ba86e 100644 --- a/services/oidc/src/main/webapp/WEB-INF/data-manager.xml +++ b/services/oidc/src/main/webapp/WEB-INF/data-manager.xml @@ -39,7 +39,6 @@ -->